Practical NTRU Signcryption in the Standard Model

Based on the NTRU trapdoor used in NIST's Falcon, a signcryption scheme following the sign-then-encrypt paradigm is constructed. The existing partitioning technique based on the Waters hash over lattices cannot complete the security reduction in the standard model for the signature part, because of the "partiality" of the pre-image generated with the NTRU trapdoor. To address this, a variant of the Waters hash over small integers is proposed, and the probability of a successful reduction is analyzed. The resulting signcryption achieves existential unforgeability under adaptive chosen-message attacks. By utilizing the uniqueness of the secret and the noise in an NTRU instance, the tag used in encryption is eliminated. Furthermore, a method to construct tamper-sensitive lattice public key encryption is proposed: it implants ciphertext-sensitive information into the lattice public key encryption and binds it to the encrypted information, so that any malleation of the public key ciphertext changes the message–signature pair and the IND-CCA2 security of the entire ciphertext can be guaranteed by the signature on the message. Thanks to the rational design and the efficiency of the NTRU trapdoor, the computational overhead of the proposed scheme is reduced significantly compared to existing lattice-based signcryption schemes, reaching orders of magnitude improvement in efficiency. The experiment shows that the proposed scheme is efficient.


Introduction
Network interaction in complex scenarios provides better services and more convenience for people to live, work, and study. The information security issues in complex scenarios have also become a thorny issue for network workers. In general, a common requirement for information security in complex scenarios is to ensure the comprehensive security of information: confidentiality, integrity, authentication, and non-repudiation. The signcryption due to Zheng [1] can simultaneously guarantee the above integrated security at a low cost. Designing a secure signcryption scheme has become a research hotspot. Cryptographers have conducted a lot of in-depth research on signcryption based on number theory and have achieved a series of good results. However, the rapid development of quantum computing [2] has posed a serious threat to the security foundation of traditional cryptography based on number theory. Lattice-based cryptography is becoming the backbone of quantum-resistant cryptography, due to its advantages in efficiency, flexibility, and average-case security. It has become a common concern to construct a signcryption scheme based on lattices.

Related Works
To resist quantum attacks, Li et al. proposed the first lattice-based signcryption [3]. After that, lattice signcryption developed in three directions: different security models, advanced primitives, and specific applications. Regarding applications, signcryption applied to the management of health records has been studied in depth [4,5]. In terms of advanced signcryption primitives, an identity-based signcryption scheme [6], an attribute-based signcryption scheme [7] (to support non-interactive fine-grained access control), and a multi-recipient scheme [8] were constructed. For the security model, schemes under the random oracle model [9–13] were constructed, of which [11] is the most efficient because it draws on the Schnorr-signature-based signcryption of [14] and the compression technique [15,16], and some schemes under the standard model were constructed.
In 2013, Yan et al. constructed a secure lattice signcryption scheme [17] under the standard model (YWW+13 [17] for short) based on the MP trapdoor [18]. This scheme follows the sign-then-encrypt (StE) paradigm, and the security of the ciphertext must be shifted to a reliance on the unforgeability of the signature with the help of a message authentication code (MAC). In fact, the MAC itself has the ability to lift IND-CCA1 security to IND-CCA2 security. Since the tag used for encryption is generated from the signature value, a lattice-based chameleon hash function is required in the process to vanish the trapdoor for completing the security reduction, which increases the computational overhead and the size of the public key. In 2018, Sato et al. made great progress in proposing a secure signcryption scheme [19] (SS18 [19] for short) under the standard model, also based on the MP trapdoor. The lattice-based public key encryption (PKE) is actually an instance of learning with errors (LWE), c = [A u]^t·s + e, plus the encoding of the message, [0 µ]·q/2. The malleability of the ciphertext lies in the homomorphic computational property of the LWE instance and that of the message encoding: adding another [A u]^t·s to the LWE instance, appending a small error e to it, or superimposing additional information on the message will all change the decryption result. To eliminate the malleability of the ciphertext, the LWE instance is signed along with the original message in SS18 [19]; consequently, any homomorphic manipulation of the plaintext encoding will of course break the signature. In this sense, the scheme belongs to the encrypt-then-sign (EtS) paradigm instead of the StE paradigm that they claim. In 2019, Yang et al. constructed a signcryption scheme [20] (YCL+19 [20] for short) under the standard model based on ring learning with errors (RLWE) [21]. YCL+19 uses a key exchange [22,23] rather than public key encryption to generate the key for the symmetric encryption, which reduces the size of the public key encryption. The hint information of the lattice-based key exchange is naturally immune to tampering due to its sensitivity to key recovery. However, exposing another part of the key exchange incurs a security risk. Liu et al. proposed an NTRU-based signcryption [24] (LTTM19 [24] for short) by adopting an NTRU-based key encapsulation [25] and an NTRU-based signature [26]. However, the unsigncryption queries cannot be implemented in the security reduction under the standard model, so the scheme is not IND-CCA2 secure as they claimed. In the sign-then-encrypt (StE) paradigm, the signature seems more natural than in the encrypt-then-sign (EtS) paradigm since it is computed only over the message. Moreover, the construction of signcryption under the StE paradigm has attracted more attention from cryptographers [27,28]. It is also a problem of great importance to design a secure lattice-based signcryption scheme following the StE paradigm.
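As an added illustration of the LWE ciphertext malleability described above (this is a constructed toy, not code from SS18 or any other scheme cited), the following Python block implements a dual-Regev style encryption of the form c = [A U]^t·s + e + [0 µ]·⌊q/2⌋ for an ℓ-bit message µ (generalizing the single column u in the text to a matrix U so that several bits are encoded at once), and then applies the three manipulations mentioned: adding a fresh [A U]^t·s' + e', appending an extra small error, and superimposing [0 δ]·⌊q/2⌋. The parameters (q = 521, n = 8, m = 32, ℓ = 8), the ternary secret X with U = A·X, and the ternary error distributions are assumptions chosen so that the decryption noise stays below q/4; they give no security.

```python
"""Toy dual-Regev (GPV-style) LWE encryption in the form c = [A U]^t s + e + [0 mu]*floor(q/2),
plus the three ciphertext manipulations described in the text. Constructed example with
tiny, insecure parameters; it is not code from SS18 or any other scheme cited."""
import random

Q, N, M, L = 521, 8, 32, 8   # modulus, LWE dimension, width of A, message bits (assumed)


def matvec_t(A, s):
    """A^t s mod q for A given as a list of rows (n x m) and s of length n."""
    n, m = len(A), len(A[0])
    return [sum(A[i][j] * s[i] for i in range(n)) % Q for j in range(m)]


def keygen(rng):
    """Public key (A, U = A X mod q); the secret key X is short (ternary, M x L)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    X = [[rng.choice((-1, 0, 1)) for _ in range(L)] for _ in range(M)]
    U = [[sum(A[i][j] * X[j][k] for j in range(M)) % Q for k in range(L)] for i in range(N)]
    return (A, U), X


def encrypt(pk, mu, rng):
    """c0 = A^t s + e0, c1 = U^t s + e1 + mu*floor(q/2), with ternary errors (assumed)."""
    A, U = pk
    s = [rng.randrange(Q) for _ in range(N)]
    e0 = [rng.choice((-1, 0, 1)) for _ in range(M)]
    e1 = [rng.choice((-1, 0, 1)) for _ in range(L)]
    c0 = [(a + e) % Q for a, e in zip(matvec_t(A, s), e0)]
    c1 = [(u + e + b * (Q // 2)) % Q for u, e, b in zip(matvec_t(U, s), e1, mu)]
    return c0, c1


def decrypt(X, ct):
    """c1 - X^t c0 cancels U^t s against X^t A^t s, leaving mu*floor(q/2) plus small noise."""
    c0, c1 = ct
    bits = []
    for k in range(L):
        v = (c1[k] - sum(X[j][k] * c0[j] for j in range(M))) % Q
        bits.append(1 if Q // 4 < v < 3 * Q // 4 else 0)
    return bits


def add_ct(ct_a, ct_b):
    """Coordinate-wise sum mod q; this is the homomorphic property the text refers to."""
    return tuple([(x + y) % Q for x, y in zip(pa, pb)] for pa, pb in zip(ct_a, ct_b))


def flip_bits(ct, delta):
    """Superimpose [0 delta]*floor(q/2) onto the message part: XORs delta into mu."""
    c0, c1 = ct
    return c0, [(c + d * (Q // 2)) % Q for c, d in zip(c1, delta)]


def malleability_demo(seed=1):
    """Encrypt mu, manipulate the ciphertext three ways, and report what each decrypts to."""
    rng = random.Random(seed)
    pk, X = keygen(rng)
    mu = [1, 0, 1, 1, 0, 0, 1, 0]
    delta = [1, 1, 0, 0, 0, 0, 0, 1]
    ct = encrypt(pk, mu, rng)
    rerandomized = add_ct(ct, encrypt(pk, [0] * L, rng))   # add [A U]^t s' + e'
    extra_noise = [rng.choice((-1, 0, 1)) for _ in range(M)]
    noisier = add_ct(ct, (extra_noise, [0] * L))           # append a small error
    flipped = flip_bits(ct, delta)                         # superimpose on the message
    return {
        "mu": mu,
        "plain": decrypt(X, ct),
        "rerandomized": decrypt(X, rerandomized),   # same mu, different ciphertext
        "extra_noise": decrypt(X, noisier),         # same mu while noise stays below q/4
        "flipped": decrypt(X, flipped),             # mu XOR delta: the message was altered
        "expected_flipped": [a ^ b for a, b in zip(mu, delta)],
    }


if __name__ == "__main__":
    print(malleability_demo())
```

The first two manipulations leave the decrypted message unchanged while producing a ciphertext the receiver has never seen, and the third changes the message predictably; none of them is detectable from the ciphertext alone, which is why SS18 signs the LWE instance together with the message.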
To address the quantum threat to cryptography based on number theory, in 2017 the National Institute of Standards and Technology (NIST) began collecting post-quantum public key cryptography algorithms through an open, competitive process. A post-quantum cryptographic (PQC) algorithm should meet the following five requirements: security under existing computing conditions and against quantum computers, fast operation, reasonable communication overhead, usability as a direct replacement for existing algorithms and protocols, and broad application scenarios. After many rounds of rigorous screening, NIST announced the results of the third round of post-quantum cryptographic algorithm standardization in July 2022. Among the four selected post-quantum algorithms, there are two lattice-based signature algorithms, CRYSTALS-Dilithium [29] and Falcon [30], and they are more efficient than the hash-based signature. In fact, in May 2022, scientists from Google published their latest research results [31] in the journal "Nature" to illustrate the importance of post-quantum cryptography (PQC) and to call for a transition to PQC. Thus, a natural question arises: Can an efficient signcryption scheme following the StE paradigm be designed based on the NIST standard, which is secure in the standard model and does not require a MAC transfer?

Proposed Design
To resist quantum attacks, we construct a signcryption scheme based on NTRU, referred to as SC-NTRU. Our contribution can be summarized in two main points. First, we introduce an approach to improve the security of the encryption segment using the signature segment for the messages in the signcryption. The signature security can be appropriately decreased compared with that in the EtS paradigm. Second, we construct a new abort-resistant hash to adapt to the approximate pre-image scenario, and utilize it to build an NTRU signature secure in the standard model. The reasonable design and efficient trapdoor of SC-NTRU lead to a significant reduction in computational overhead, surpassing existing lattice-based signcryption methods by several orders of magnitude.
We have developed a method to achieve IND-CCA2 security in signcryption by combining three techniques. Firstly, we leverage the uniqueness of the secret and noise used in lattice-based encryption to transform tag-based encryption into general encryption. Secondly, we embed sensitive information related to the ciphertext itself into the ciphertext, binding it to the information to be encrypted using public key encryption (PKE). As the entire encryption is a hybrid encryption, the plaintext hidden in the PKE serves as the key for the symmetric encryption. Any modification to the ciphertext will consequently modify the key of the symmetric encryption due to their interdependence. Thirdly, we exploit the one-to-one property of the symmetric encryption, such that a modified public key ciphertext will produce a modified message-signature pair. Subsequently, the unforgeability of the signature can be utilized to check for malleation and to enhance the IND-CCA2 security of the complete ciphertext. It is important to note that the signature here does not need to achieve strong unforgeability, whereas strong unforgeability of the signature is necessary in the general construction of an IND-CCA2 secure encryption scheme. Since the message-signature pair here is encrypted and concealed from potential adversaries, any attempt to forge a signature would result in a new signature. In summary, the requirement on the signature for enhancing the encryption to IND-CCA2 security is diminished. Even a strong forgery of the signature supplies no help in unsigncrypting.
A common approach to constructing a secure lattice signature scheme in the standard model is the partitioning technique based on the Waters hash [32]. In [33], this hash function takes the form it is also referred to as an abort-resistant hash function. The probability of the hash not aborting is demonstrated using the concept of a hyperplane in [34]. However, we find that the hash proposed in [34] cannot help us complete the security reduction for the signature component of the signcryption. The pre-image generated by the NTRU trapdoor exhibits a certain level of "partiality". The NTRU trapdoor as a whole does not fall into the category of approximate trapdoors, such as the one constructed by Chen [35] based on [18], and the pre-image generated by the NTRU trapdoor can be exact in its entirety. However, the checkout polynomial only operates on a subset of the pre-image, which is reflected in its form s_1 + s_2·h_f = 0 (refer to Algorithm 2). In other words, the pre-image corresponding to the checkout polynomial is merely an approximate pre-image, as there exists a small error vector x = y − h_f·x. The range of the existing abort-resistant hash is Z_q. When the hash value operates on the checkout polynomial, the product of the hash value and the short error vector x results in a vector close to the uniform distribution over Z_q^n. Consequently, this product vector makes it impossible to simulate the signature in the security reduction. To address this issue, we modify the hash range to a space of small values. However, this modification leads to a significant increase in the abort probability, which hinders the security reduction. To overcome this issue, we introduce a new random variable that cyclically selects random numbers when the abort condition is met. This helps to avoid premature abandonment. Subsequently, we need to evaluate the probability of successfully completing the reduction when an adversary forges a signature. However, this evaluation is not trivial, since the hyperplane model for the abort-resistant hash defined over a ring (Z_q) is inadequate for the hash over small integers.

Preliminaries
In this paper, the notations are as follows. Z: the set of integers; Z^+: the set of positive integers; R: the ring R := Z[x]/(1 + x^n); for a prime q, R_q := R/q; a bold lowercase letter: a polynomial or the vector composed of the coefficients of the polynomial; a bold uppercase letter: a matrix; B̃: the Gram–Schmidt orthogonalization of the matrix B; ‖x‖: the two-norm of a vector named x; ‖X‖: the maximum over the column vectors, ‖X‖ = max_i {‖X_i‖}.

NTRU Lattice and Hard Problem
Definition 1 (NTRU Lattice). Let R := Z[x]/(1 + x^n) for some power-of-two integer n. Let h = g·f^{-1} mod q for f, g ∈ R and q ∈ Z^+. The NTRU lattice Λ_{h,q} corresponding to h, f is a full-rank lattice over Z^{2n} linearly spanned by the row vectors of A_{h,q} = −A_N(h), where A_N(h) denotes the anti-circulant matrix generated by the vector h.
Definition 2 (Decisional Small Polynomial Ratio: DSPR [36]). Let R := Z[x]/(1 + x^n) as above. For g, f ∈ R with small coefficients and f invertible over R_q, the problem of distinguishing the distribution of h = g·f^{-1} mod q from that of h ←$ R_q is defined as the decisional small polynomial ratio problem.
The hardness of the search version of DSPR has been studied in [37].
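The following Python block is an added example (constructed here, not the paper's code) of Definition 1 with tiny parameters: it builds the anti-circulant matrix A_N(h) over R = Z[x]/(x^n + 1), computes h = g·f^{-1} mod q by solving a linear system over Z_q, tests membership in Λ_{h,q} using the checkout form s_1 + s_2·h ≡ 0 (mod q) that the paper uses for the signature, and shows that (−g, f) is a short lattice vector while the generating rows [qI | 0] and [−A_N(h) | I] have length on the order of q. The exact block form of A_{h,q}, the ternary sampling of f and g, and n = 8, q = 257 are assumptions of this toy; they provide no security and say nothing about DSPR hardness at real sizes.

```python
"""Toy NTRU lattice over R = Z[x]/(x^n + 1): anti-circulant matrices, h = g * f^{-1} mod q,
and the membership test s1 + s2*h == 0 (mod q). Constructed example with tiny, insecure
parameters; it is not the paper's code."""
import math
import random


def poly_mul(a, b, n, q):
    """Product of a and b in Z_q[x]/(x^n + 1); coefficients reduced into [0, q)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q   # x^n = -1 wraps with a sign flip
    return res


def anticirculant(h, n, q):
    """A_N(h): row i is the coefficient vector of x^i * h, so u*h equals u . A_N(h)."""
    rows = []
    for i in range(n):
        xi = [0] * n
        xi[i] = 1
        rows.append(poly_mul(xi, h, n, q))
    return rows


def solve_left(M, b, q):
    """Solve x . M == b over Z_q (q prime) by Gauss-Jordan elimination; None if singular."""
    n = len(M)
    aug = [[M[j][i] % q for j in range(n)] + [b[i] % q] for i in range(n)]   # rows of M^T | b
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(v * inv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                fac = aug[r][col]
                aug[r] = [(x - fac * y) % q for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def poly_inverse(f, n, q):
    """f^{-1} in R_q (the x with x*f == 1), or None if f is not invertible."""
    e0 = [1] + [0] * (n - 1)
    return solve_left(anticirculant(f, n, q), e0, q)


def ntru_keygen(n, q, seed=0):
    """Sample ternary f, g (assumed toy distribution) until f is invertible; h = g*f^{-1} mod q."""
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]
        finv = poly_inverse(f, n, q)
        if finv is not None:
            g = [rng.choice((-1, 0, 1)) for _ in range(n)]
            return f, g, poly_mul(g, finv, n, q)


def in_ntru_lattice(s1, s2, h, n, q):
    """Membership in Lambda_{h,q} = {(s1, s2) in Z^{2n} : s1 + s2*h == 0 mod q}."""
    t = poly_mul(s2, h, n, q)
    return all((a + b) % q == 0 for a, b in zip(s1, t))


def public_basis(h, n, q):
    """Rows [qI | 0] and [-A_N(h) | I]: the assumed public basis generating the lattice above."""
    Ah = anticirculant(h, n, q)
    top = [[q if i == j else 0 for j in range(n)] + [0] * n for i in range(n)]
    bottom = [[(-Ah[i][j]) % q for j in range(n)] + [1 if i == j else 0 for j in range(n)]
              for i in range(n)]
    return top + bottom


def trapdoor_vector(f, g):
    """(-g, f): a short lattice vector, since -g + f*h == -g + g == 0 mod q."""
    return [-c for c in g] + list(f)


def norm(v):
    return math.sqrt(sum(x * x for x in v))
```

The public basis and the vector (−g, f) generate the same lattice; the difference between them is exactly the trapdoor: anyone can check membership with h, but only the holder of the short basis can sample short pre-images.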
Definition 3 (Search Learning with Errors in a Ring of Integers). Let Ψ be a family of distributions over K_R and 2 < q ∈ Z. The RLWE problem RLWE_{q,Ψ} is to find s ∈ R_q^∨ given access to arbitrarily many samples from A_{s,ψ} for some ψ ∈ Ψ.

Trapdoor Generation and Pre-Image Sample Algorithm
Proposition 2 (NTRU Key Generation). On input a dimension n and a modulus q, there is an efficient KeyGen algorithm that outputs a public key h and the trapdoor such that h is computationally indistinguishable from the uniform distribution over R, ‖B̃‖ ≤ 1.17·√q, and g, f ← D_{Z^n,η} for η ≤ 1.17·q/(2n).

Signcryption: Syntax and Security Models
In this section, the syntax and security models of signcryption are presented.

Syntax of Signcryption
A signcryption scheme is composed of the following four algorithms:
• Setup(λ): This algorithm takes a security parameter λ as input and returns the public parameters PP.

Security Models of Signcryption
To capture the confidentiality of signcryption, an IND-CCA2 game is introduced (Table 1).
• Initial: The challenger C runs the setup and key generation algorithms to generate the public parameters PP, the receiver's keys (PK_r, SK_r), and the sender's keys (PK_s, SK_s), and then gives (PP, PK_r, PK_s, SK_s) to an adversary A.
Definition 4 (Confidentiality of Signcryption). A signcryption scheme is said to be indistinguishable against inner chosen-ciphertext attacks (IND-CCA2) if there exists no probabilistic polynomial-time inner adversary who can win Game IND-CCA2 with a non-negligible advantage.
To capture the unforgeability of signcryption, an EUF-CMA game is introduced (Table 2). Then, the advantage of A in winning Game EUF-CMA is defined as where N denotes the fact that σ is a valid signature for µ not discovered by the unsigncryption queries.

Definition 5 (Existential Unforgeability of Signcryption). A signcryption scheme is said to be existentially unforgeable against inner chosen-message attacks (EUF-CMA) if no probabilistic polynomial-time forger can win Game EUF-CMA with a non-negligible advantage.

Signcryption Based on NTRU
In this section, a signcryption scheme based on NTRU is proposed, followed by its correctness and parameter settings.

Construction
The symmetric encryption ENC involved in the proposed scheme is IND-OT secure and one-to-one. That is, for a plaintext µ and symmetric key k, there is only one ciphertext c satisfying DEC_k(c) = µ.
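To make the one-to-one requirement concrete, here is an added Python example (constructed for this page, not the paper's code) of the symmetric part of the construction: c_3 = ENC_k(µ ‖ σ) with an XOR keystream derived from k by SHAKE-256, which is a bijection for each fixed key and so has exactly one ciphertext per (µ, k). Flipping a bit of c_3 therefore decrypts to a predictably altered pair (µ', σ), and it is the signature check on µ' that rejects it. Assumptions of this toy: HMAC-SHA256 stands in for the sender's unforgeable signature (so the checking side holds the same key, unlike a real signature), the symmetric key k is used directly rather than through a hash, and the IND-OT property is not argued here.

```python
"""Toy of the message-signature binding in the StE construction: a one-to-one symmetric ENC
(XOR with a SHAKE-256 keystream derived from k) hides (mu, sigma); any change to c3 decrypts
to a different pair, which the signature check then rejects. Constructed example, not the
paper's code. HMAC-SHA256 stands in for the unforgeable signature (assumption)."""
import hashlib
import hmac

SIG_LEN = 32   # length of the stand-in signature (HMAC-SHA256 output)


def enc(k: bytes, pt: bytes) -> bytes:
    """One-to-one ENC: XOR with a keystream fixed by k; each (k, pt) has exactly one ciphertext."""
    ks = hashlib.shake_256(b"ENC|" + k).digest(len(pt))
    return bytes(a ^ b for a, b in zip(pt, ks))


dec = enc   # XOR with the same keystream is an involution, so DEC_k = ENC_k


def sign(sk: bytes, mu: bytes) -> bytes:
    """Stand-in signature (assumption): HMAC-SHA256 under the sender's key."""
    return hmac.new(sk, mu, hashlib.sha256).digest()


def verify(sk: bytes, mu: bytes, sigma: bytes) -> bool:
    return hmac.compare_digest(sign(sk, mu), sigma)


def make_c3(sk: bytes, k: bytes, mu: bytes) -> bytes:
    """c3 = ENC_k(mu || sigma) with sigma = Sign_sk(mu)."""
    return enc(k, mu + sign(sk, mu))


def open_c3(sk: bytes, k: bytes, c3: bytes):
    """Return mu if the recovered (mu, sigma) verifies; None means unsigncryption rejects."""
    pt = dec(k, c3)
    if len(pt) <= SIG_LEN:
        return None
    mu, sigma = pt[:-SIG_LEN], pt[-SIG_LEN:]
    return mu if verify(sk, mu, sigma) else None


def tamper_report(sk: bytes, k: bytes, mu: bytes, byte_index: int, mask: int = 0x01) -> dict:
    """Flip one bit of c3 and show what the one-to-one ENC yields and whether it is rejected."""
    c3 = make_c3(sk, k, mu)
    altered = bytearray(c3)
    altered[byte_index] ^= mask
    recovered_mu = dec(k, bytes(altered))[:-SIG_LEN]   # the distinct mu' the altered c3 decrypts to
    return {
        "honest": open_c3(sk, k, c3),
        "tampered": open_c3(sk, k, bytes(altered)),
        "recovered_mu": recovered_mu,
    }
```

The XOR layer is deliberately malleable (a flipped ciphertext bit flips the corresponding plaintext bit), which matches the paper's point: the symmetric encryption only needs to be IND-OT secure and one-to-one, and tamper detection rests entirely on the unforgeability of the signature over the recovered message.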

• Setup(1^λ): On input a security parameter 1^λ, generate the public parameters and hash functions, and publish the public parameters (y, u, {z_i}_{i=1}^ℵ).
• KeyGen(1^λ): User i generates its own public key and private key. Publish (b, d, h) as the public key and keep B as the private key. Namely, the sender's (resp. receiver's) public and private keys are

Correctness
In the proposed scheme, we draw on [43] to use the ciphertext generated in the previous step (i.e., c_0) as the tag to produce the subsequent ciphertext. On the one hand, this transforms a tag-based encryption into a normal encryption. On the other hand, once c_0 is determined, the rest of the ciphertext is essentially determined apart from the influence of the errors and the value to be encrypted, which is important for the security reduction (see Theorem 1). We give the unique witness for NTRU as follows.

• The pre-image sampling algorithm works well [38], where B is the corresponding basis of a lattice (Proposition 3).
• In the security reduction, a simulated trapdoor (Algorithm 1) can be used for sampling (Proposition 3).
• The correctness of the unsigncryption requires that both the error in the public key encryption and the error in the signature are small enough to guarantee security.
Therefore, the Gaussian parameters and the modulus can be set as follows. η_2: Gaussian parameter for decryption; η_1: Gaussian parameter for the signature. The correctness of the proposed scheme is implied by Lemmas 11 and 16.

Security and Performance
The confidentiality and unforgeability of SC-NTRU are demonstrated in Section 5.1. The efficiency of SC-NTRU is evaluated by analyzing the numbers of different kinds of computations in Section 5.2. An experiment for SC-NTRU is presented in Section 5.3.

Security
The IND-CCA2 security of the proposed scheme is based on a variant of the search RLWE problem implied in [38]. We formalize it as follows.
Definition 6 (Variant of Search RLWE). Let , t be small integers and s ∈ R_q with ‖s‖_∞ ≤ . Let denote a positive integer, and let Ψ be a family of distributions over K_R. For
Remark 1. The variant is as hard as the standard search RLWE. Suppose there exists an adversary A who can find the correct k. Then, A can compute c_{+1} = a_{+1}·s + e_{+1}, since k·q/2^t is hidden by c_{+1}. That is, A has the ability to compute c_{+1} from {c_i}_{i=1}. One possibility is that A learns r from {c_i}_{i=1} and then uses the same r to get k from c_{+1}. This means that the variant of the search RLWE can be reduced to the standard search RLWE in polynomial time. The other possibility is that A can find the mapping from {a_i}_{i=1} to a_{+1}. The mapping must have the form a_{+1} = ∑_{i=1} x_i·a_i + y, where the x_i, y are sampled from R_q with small coefficients. Otherwise, a_{+1} = ∑_{i=1} x_i·a_i·κ_i + y with 1 ≠ κ_i ∈ Z. When such a mapping is applied to {c_i}_{i=1}, the error grows almost to the uniform distribution, which leads to failing to obtain k from c_{+1}. In fact, it is also a search RLWE problem to find the mapping a_{+1} = ∑_{i=1} x_i·a_i·κ_i + y.

Theorem 1 (IND-CCA2). Under the parameter settings in Equation (1), the proposed signcryption scheme is IND-CCA2 secure against inner adversaries in the standard model, as long as the RLWE_{n,m,q} problem and the DSPR problem are computationally intractable.
Proof. The theorem can be proven by a series of games G_0, G_1, ..., G_13. In each game, the adversary A's probability of success is , and the challenge ciphertexts are all hybrid encryption ciphertexts. It is proven that successive games are either indistinguishable to A or related by a transition based on a failure event. Thus, the difference between attacking in G_0 and attacking in G_10 is guaranteed to be negligible. Due to the security of the symmetric encryption involved, the ciphertext of the symmetric encryption c_3 does not reveal any information about the plaintext or the corresponding signature. Using only the symmetric encryption, a direct attack on the message-signature pair is no less difficult than an attack on the symmetric key. According to the unforgeability of the signature and the security of the symmetric encryption, it is proven that it is impossible to manipulate c_3 to obtain a valid ciphertext that helps the attack. Therefore, ignoring the ciphertext c_3 in the challenge ciphertext of G_11 does not increase the hardness of the adversary's attack. Following that, it is shown that the transitions from game G_11 to G_13 are based on failure events. In G_13, the challenge ciphertext is an RLWE instance, and the probability that the adversary succeeds in obtaining the information encrypted by the public key is negligible. Thus, A's success probability in G_0 is also negligible. This means that the proposed scheme is IND-CCA2 secure. The games are as follows.
• G_0: The game G_0 is the original IND-CCA2 game, namely, h_r ← KeyGen, b_r, d_r ← Z_q^n.
- Setup: Choose hash functions: R_q × R_q → {0, 1, 2, 3}^*, and public parameters y, u ←$ R_q.
- KeyGen: Generate the public and private keys: (B_s, h_s) ← KeyGen(n, q), (B_r, h_r)
In the game G_3, C continues changing b_r as b_r = h_r·p + e − H_0(c_0^*)·d_r, where the method to generate p, e is identical to that in G_2.
• G_4: The game G_4 is the same as G_3, except for the approach to produce d_r.
) is completely hidden from A. In the view of A, it makes no difference whether or not some challenge ciphertext has been generated before the public key is published. That is, the difference between G_2 and G_1 is only conceptual. Consequently, the lemma holds.
Proof. First, in the game G_5, C may reply to all the unsigncryption queries normally, except for the queried ciphertexts (c_0, c_1, c_2, c_3) with c_0 = c_0^*. Therefore, the behavior of C is identical in games G_5 and G_4 when E_5 does not happen. That is, A learns exactly the same knowledge from C when the event E_5 is not considered.
Second, in the games G_5 and G_4, c_0^* is hidden from A in phase I. Whether c_0^* is obtained by evaluating r·h_r + e_0 or by guessing, the probability that A computes a ciphertext of the form (c_0^*, c_1, c_2, c_3) is q^{−n}. That is to say, the probability that C cannot correctly answer a valid unsigncryption query is no more than q^{−n}, which is negligible. The difference is that C deliberately answers the query in E_5 with ⊥ in G_5 instead of unsigncrypting normally as in G_4. In summary, the reduction in the attack capability learned in G_5 compared to that in G_4 is negligible.
Lemma 7. Let E_6 denote the event that A makes unsigncryption queries with the ciphertexts
Proof. First, in G_6, the approach of C to answer the unsigncryption queries is totally identical when the queried ciphertexts (c_0, c_1, c_2, c_3) satisfy c_0 ≠ c_0^* and H_1(c_0) ≠ H_1(c_0^*). Therefore, the knowledge learned from G_6 and G_5 is the same when the event E_6 is not considered.
Second, for a known c_0^*, A finds a c_0 satisfying c_0 ≠ c_0^* but H_0(c_0) = H_0(c_0^*), which means A discovers a hash collision. We set the hash function to match the security strength of the proposed signcryption system, namely, the probability that a hash collision occurs is no more than a negligible probability 2^{−λ}. In fact, c_0^* is hidden in phase I, so the probability that A just computes a ciphertext with c_0 ≠ c_0^* and H_0(c_0) = H_0(c_0^*) is also no more than the above probability 2^{−λ}. Thus, even though the attack power of A obtained in G_6 is less than that in G_5, the difference is negligible.
Lemma 8. Let E_7 denote the event that A makes unsigncryption queries with the type of ciphertext
Proof. The ciphertext elements (c_0, c_1, c_2) constitute the ciphertext of the public key encryption. Once these elements are determined, the plaintext k involved in the public key encryption is determined and unique. That is, the key used for the symmetric encryption is fixed. According to the one-to-one property of the symmetric encryption ENC, modifying c_3 will yield a distinct message-signature pair (x', µ') = DEC_k(c_3) (relative to (x, µ)). The probability of the new message-signature pair passing the signature verification is negligible. We prove this conclusion through a case analysis with two cases.

• Case 1: A generates the ciphertext c_3 by its own signature for some message µ. As an inner adversary, A has the ability to produce signatures by itself. However, the procedure to generate c_3 requires k^*. The probability of obtaining k^* from (c_0^*, c_1^*, c_2^*) is negligible due to the security of the public key encryption part. Please refer to Lemma
Proof. This lemma can be argued by a case analysis. Let k, k^* be the keys concealed in c_2, c_2^*, respectively.
• Case 1: k^* remains unchanged, i.e., k = k^*. To guarantee the validity of the ciphertext, the information hidden by c_2 should be (H(c_1, c_2) ⊕ k^*)·(q/8)/2. To fulfill this requirement, there are only two possible subcases.
- A generates c_2 through encryption. On the one hand, A does not know the k^* concealed in c_2^*. On the other hand, A chooses an r distinct from the secret r used in c_0^*, which leads to an invalid public key ciphertext. Thus, the probability of this subcase occurring is negligible.
- A produces c_2 by falsifying c_2^*. For this, A should have the ability to compute The probability of this event is negligible since c_2^* and the k involved in c_2^* are hidden from A.
• Case 2: k ≠ k^* and c_3 remains unchanged. In this case, due to the one-to-one property of the symmetric encryption, the message-signature pair (µ, k, x) extracted from c_3 is completely random. As a result, the probability of (µ, k, x) passing signature verification is negligible.
• Case 3: k ≠ k^* and c_3 ≠ c_3^*. The case can be divided into two subcases.
- In the procedure to generate c_3, the plaintext µ corresponding to it is not known to A. Consequently, the probability of (c_1^*, c_2, c_3) being a valid ciphertext is negligible. The argument is the same as that of Case 2 in the proof of Lemma 8.
- The ciphertext c_3 is generated based on a valid message-signature pair produced by A.
q/8/2 without knowing k^*, and the probability of this event is negligible.
Proof. First, we argue that the product of [h_r b_r + τ·d_r] and (x_0, x_1) is close enough to u.
Second, we demonstrate that (x_0, x_1) is short.
Here, x_0 takes up most of the length of the whole vector [x_0, x_1]. That is,
From the above, the private key and the error are of the same magnitude, differing only by a constant factor. In fact, we can use Lemma 3 of [43] to reduce the length of the private key and the error by a factor of √n, so that the modulus q can also be reduced by √n.
Lemma 11. In the adversary A's view, the games G_9 and G_8 are totally identical. Furthermore,
Proof. First, the public keys in the games G_9 and G_8 are identical. Second, C does not reply to the unsigncryption queries for the ciphertexts with c_0 = c_0^* in either game. Third, we argue that C can correctly unsigncrypt with the private key produced by Algorithm 1, when ) q, the simulated private key can be used to correctly decrypt the public-key ciphertext. In summary, the games G_9 and G_8 are identical in A's view. Therefore, A has the same ability to attack the proposed scheme in G_9 and G_8.
Lemma 12. In the adversary A's view, the games G_10 and G_9 are identical. It is reasonable that C requires A to return (µ, k, x). Moreover, Pr[F_10] = Pr[F_9].
Proof. In the games G_10 and G_9, the difference is that µ is chosen by O_sign, and the signature (k, x) and the ciphertext c_3^* are also generated by O_sign in G_10, while they are all generated by C in G_9. However, the public keys and private keys for the signature are identical, and the procedure for generating (µ, k, x) is executed strictly according to the signcryption algorithm. Therefore, the distributions of the challenge ciphertexts and of the signatures involved in them are also identical in both games. In a word, the difference between the two games is only conceptual, and A's view in the games G_10 and G_9 is completely the same. Therefore, what A can learn in the two games is identical.
Next, we demonstrate by contradiction that it is reasonable to require A to return (µ, k, x) in G_10. Suppose that A does not know k but can recover (µ, x). That is, A computes the correct µ without knowing (c_0^*, c_1^*, c_2^*). Since (µ, x) = DEC_k(c_3), A obtaining (µ, x) from c_3 without k contradicts the security of the symmetric encryption. That is, A knows k with the same probability with which it recovers (µ, x). Therefore, computing (µ, x) and computing (µ, k, x) from the challenge ciphertext are equivalent. Thus, C requiring A to return (µ, k, x) does not increase the hardness of attacking the scheme.
Proof. First, as proven in Lemma 12, if A can guess the k encrypted in c_2, then it can compute the corresponding message and signature when given c_3. From this perspective, the crux of cracking the proposed scheme lies in obtaining k.
Second, c_3 does not provide any assistance in obtaining k. Firstly, it is impossible to directly obtain k from c_3: since the symmetric encryption used in this scheme is IND-OT secure and one-to-one, c_3 does not leak any information about H_3(k) to A, and therefore c_3 does not disclose any information about k. Secondly, as proven in Lemma 8, the probability of obtaining assistance in computing k by changing c_3 is negligible.
Third, in the absence of c_3, the probability of obtaining k by falsifying (c_0^*, c_1^*, c_2^*) does not increase. Although the message and signature (µ, x) concealed in c_3 can help to verify the correctness of k, without c_3 the information about k cannot be changed either. As proven in Lemma 7, the probability that A gets assistance in obtaining k by changing c_0^* is negligible. The probability of A receiving assistance in obtaining k by changing (c_1^*, c_2^*) is also negligible, as proven in Lemma 9.
In conclusion, the hardness of winning the games G_11 and G_10 is identical whether c_3 is known or not.
) can be decrypted correctly with the valid private key. Suppose that (s_0, s_1) is a valid private key for the ciphertext, i.e., (s_0, s_1) is short enough. It is convenient to set the key (s_0, s_1) to the same element size as the simulated key. The simulated key decrypts correctly, although, of the two kinds of known keys, the element size of the simulated key is a little larger than that of the real key. That is, ). Second, the challenge ciphertext is c_0^* = z_0 = r·a_1 + e_0 for some r, e_0 ← {−1, 0, 1}^n, according to the definition of LWE. Since z_2 = r·a_2 + e_2, we have c_2^* = z_2 + k·q/2 = r·a_2 + e_2 + k·q/2. The c_1^* is as follows.
Obviously, the challenge ciphertext c^* is exactly the challenge ciphertext in game G_12. In this case, A's advantage in distinguishing the two games is zero.
When the LWE oracle is the truly random case O = O_$, the challenge ciphertext is uniformly distributed. In the challenge ciphertext, c_0^* = z_0 obeys the uniform distribution. Since z_1 is distributed uniformly, and, on the other hand, the generation method for c_1^* stays the same as in game G_12, c_1^* = (z_1·p + e_1) − e_0·p + r·e. Here (z_1·p + e_1) is computationally indistinguishable from the uniform distribution over Z_q^n, and −e_0·p + r·e is restricted to a small range. Therefore, c_1^* is computationally indistinguishable from the uniform distribution over Z_q^n. That is to say, in terms of distinguishing the games G_12 and G_11, c_1^* is no more effective than (c_0^*, c_2^*). C uses the guess from A as the answer for the LWE oracle. Therefore, the advantage of A in distinguishing the two games is an adversary's advantage in attacking RLWE, which is negligible.
Therefore, y − h_s·(x_0 + p·x_1) and x_0 + p·x_1 are short enough, and they form a solution for the RLWE instance (h_s, y) under the parameter settings in Equation (1).
Proof. First, we evaluate the probability Pr[1 + ∑_{i=1}^{ℵ} (−1) . The mean and variance are E[(−1) , according to the Central Limit Theorem. Then, This probability is non-negligible. Next, we evaluate the probability that the simulation completes the signature queries and the forgery normally with the affine subspaces method, as in [34]. Since f_i = h_s p_i + e_i + p_i h_f, at the beginning of the game the values of the p_i are completely hidden from A by the LWE instances h_s p_i + e_i. Even though A knows the calculation form of f_i, some information is 2.
C samples p_i, e_i A submits a randomly chosen message µ ∈ {0, 1}* to C to query. C replies to the query by generating the corresponding signature as follows.
return x as the signature.
Forgery. C receives a forged signature x on a new message µ, then constructs the solution for ISIS as follows.
Firstly, according to Lemma 16, the simulated signatures generated during the query phase are valid and indistinguishable from real signatures. That is, C creates a simulated environment that is indistinguishable from reality for the adversary, which leads A to complete the reduction game.
Secondly, according to Lemma 17, the coefficient vector of y − h_s(x_0 + p x_1) is short enough under the parameter settings in Equation (1). Therefore, the polynomials generated in step 4 of the forgery phase form a solution for the RLWE instance (h_s, y).
Finally, according to Lemma 18, the simulation can successfully complete both signature queries and forgery without aborting, with non-negligible probability.
In summary, C can obtain a solution for an RLWE instance with non-negligible probability if A is able to forge a valid signature for the SC-NTRU scheme.

Require: public keys h_s, h_f ∈ R_q, in which h_f ← KeyGen, b_r = h_r p + e for p, e ← {−1, 0, 1}^n; a pair of non-equivalent tags τ, τ*; a syndrome u ∈ R_q; a basis B_f for h_f.
Ensure: a private key (x_1, x_2).
(x_1, x_1) := (g_{f_i}, t_{f_i}), where (g_{f_i}, t_{f_i}) is a basis vector of Λ_{f,q}
12: x_0 = −p x_1
13: end if
15: if b is linearly independent of the vectors in Γ then
16: end if
18: until |Γ| = 2n
19: convert the 2n linearly independent vectors in Γ to a basis B of (h_s f) with the algorithm in Lemma 7.1 of [44].

Performance
In the existing lattice-based signcryption schemes, some building blocks are often used, such as the algorithm SampleD of [18], Inver of [18], SamplePre of [41], inverting a matrix and solving a system of linear equations, etc. To facilitate the performance comparison, we summarize some basic conclusions about the computational cost of these building blocks. In order to state these conclusions clearly, we introduce some notation for the basic mathematical operations. Let ×_Z, ×_{Z_q}, ×_R denote the multiplication operation over Z, Z_q, R, respectively. Let +_Z, +_{Z_q}, +_R denote the addition operation over Z, Z_q, R, respectively.
The computational overhead of matrix inversion and of solving systems of linear equations can be evaluated by regular computation.

Proposition 5. The computational cost to invert an n-dimensional matrix over Z_q is about (2/3) n (n^2 + 3n − 1) multiplications over Z_q.

Proposition 6. The computational cost of solving n × m-dimension nonhomogeneous linear equations over Z_q is about (1/2) n(n + 1)(m + 1) + (1/6)(n − 2)(n − 1)(n + 3) multiplications and additions over Z_q, and 2n·O(log q) inversions over Z_q. Here, the equation substitution is mn − (1/2) n(n − 1) multiplications and mn + (1/2) n(n + 1) additions over Z_q and O(log q) inversions over Z_q.
Micciancio and Peikert presented a pre-image sampling algorithm named SampleD_O, specifically designed for the MP trapdoor [18]. For more details, please refer to [18]. The computational overhead of the algorithm can be broken down into the following steps:
• Step 1: generating (2n log q)-dimension DGS.
• Step 2: performing (n^2 log^2 q + n^2 log q) ×_Z and +_Z, as well as (n^2 log q) ×_{Z_q} and +_{Z_q}.
• Step 3: conducting (n^2) ×_Z and +_Z, (n^2) ×_{Z_q} and +_{Z_q}, and utilizing n log q-dimension DGS.
Therefore, the overall computational overhead of SampleD_O is summarized as follows.

Proposition 7. The computational cost of Algorithm SampleD_O of [18] is about 3n log q discrete Gaussian samples (DGS), 2n^2 log^2 q + n^2 log q + n log q multiplications and additions over Z, and n^2 log q + n^2 multiplications and additions over Z_q. The overhead to compute the Gaussian parameter is 3n^3 log^3 q, which can be precomputed.

Except for SampleD, the computational cost of signcryption of [17] is about 5n log q DGS, 8n^2 log q multiplications over Z_q, (λ + 8)n^2 log q + n log q − n additions over Z_q, n^2 log^2 q + n log q multiplications over Z, and n^2 log^2 q − n log q additions over Z.
In [18], an inversion algorithm called Inver is presented for the MP trapdoor. The computational overhead of its steps is as follows.
• Step 2: includes (n log q) ×_Z and +_Z, as well as (n log q) ×_{Z_q} and +_{Z_q}.
• Step 3: requires (2n^2 log q + n^2) ×_{Z_q} and +_{Z_q}.
Therefore, the total computational overhead of Algorithm Inver is as follows.

Proposition 8. The computational cost of Algorithm Inver of [18] is about n^2 log^2 q + 2n^2 log q + n^2 + n log q multiplications and n^2 log^2 q + 2n^2 log q + n^2 − 2n additions over Z_q, and 2n log q multiplications and additions over Z. In the process, the cost of the inversion oracle is 2n log q multiplications and additions over Z.

In addition to solving a system of linear equations, Algorithm SamplePre also involves executing the randomized nearest-plane algorithm. The computational cost of its steps is as follows. The procedure is carried out m times. Consequently, the total computational cost of SamplePre without solving equations is as follows.

Proposition 9. Except for solving equations, the computational cost of Algorithm SamplePre of [41] is about 2m^2 multiplications and additions over R, m^2 multiplications and 2m^2 additions over Z, and m DGS.

The operations involved in Algorithm Gaussian_Sampler of [38] are almost identical to those in Algorithm SamplePre, except for the equation-solving part. However, the dimension of the basis used in Gaussian_Sampler is 2n × 2n. Consequently, its computational overhead includes (8n^2) ×_R and +_R, (4n^2) ×_Z and (8n^2) +_Z, and 2n DGS. However, the circulant property of the basis matrix allows for the use of fast Fourier orthogonalization, which can speed up the procedure significantly [45]. According to [45], when adopting fast Fourier orthogonalization, the complexity of Gaussian_Sampler is as follows.

Proposition 10. The computational cost of Algorithm Gaussian_Sampler of [38] is about 2n DGS, 4Θ(n log n) multiplications and additions over R, and 4Θ(n log n) multiplications and additions over Z.
In Table 3, the sizes of the public parameters, public key, private key, and ciphertext, and the security of the schemes are compared. The sizes of the public parameters and the public key of SC-NTRU are approximately on the order of 1/(n log q) of those of YWW+13 [17], SS18 [19], and YCL+19 [20]. The private key size of SC-NTRU is roughly on the order of 2/(n log^2 q) of those of YWW+13 [17] and SS18 [19], and 4/(n log^2 q) of that of YCL+19 [20]. Except for the plaintext length, the ciphertext size of SC-NTRU is about on the order of 1/log q of those of YWW+13 [17], SS18 [19], and YCL+19 [20]. Regarding security, the proposed scheme achieves IND-CCA2 security against adaptively chosen ciphertext attacks, like the other schemes in the table. However, against adaptively chosen message attacks, the proposed scheme is EUF-CMA secure instead of SUF-CMA secure, as YWW+13 [17] and SS18 [19] are. Our intention is to demonstrate that an EUF-CMA secure signature component is sufficient to guarantee the IND-CCA2 security of the signcryption ciphertext.
Finally, the cost of unsigncryption is compared. The numbers of ×_{Z_q} and +_{Z_q} operations of SC-NTRU are on the order of 1/n and 1/(n log q + ) of those of YWW+13 [17] and SS18 [19], respectively. The numbers of ×_Z and +_Z operations of SC-NTRU are on the order of 1/(n log q) and 1/(n log q ) of those of YWW+13 [17] and SS18 [19], respectively. Compared with YWW+13 [17], SC-NTRU needs 3n additional DGS; however, this is only 1/(k ) of that of SS18 [19]. The numbers of DGS, ×_{Z_q} and +_{Z_q}, ×_Z and +_Z, ×_R and +_R of SC-NTRU are on the order of 3/(2 log q), 1/log q, 4/log q, and 4/log q of those of YCL+19 [20]. In summary, since YCL+19 [20] adopts the ideal lattice, its unsigncryption performance greatly outperforms YWW+13 [17] and SS18 [19]; however, its overheads are log q/4 to 2 log q/3 of those of SC-NTRU.
To sum up, due to the efficiency of the NTRU trapdoor and reasonable construction, the proposed scheme achieves orders of magnitude of improvement in computation cost over the existing signcryption schemes.

Experiment
To assess the actual performance of SC-NTRU, we conducted experiments in the C programming language. The experimental environment is an Ubuntu platform with 4 GB of memory. Since the dimension of the NTRU lattice has a significant impact on security, we chose three sets of typical parameters, n = 256, 512, and 1024, corresponding to low, medium, and high security levels, respectively. We ran the experiment 1000 times and calculated the average time. The experimental data are presented in Table 5. According to the data in the table, key generation, signcrypt, and unsigncrypt all run in milliseconds. Notably, the running time of signcrypt (respectively unsigncrypt) ranges between 1.3 and 6.2 (1.1 and 5.5) milliseconds, demonstrating the efficiency of SC-NTRU.

Conclusions
In this paper, a signcryption scheme following the StE paradigm is proposed based on the intractability of the NTRU lattice and RLWE, which serve as the security foundation of Falcon in NIST PQC. First, it is shown how to embed some sensitive information into a general lattice-based public key encryption (PKE) and bind it with the message being encrypted by the PKE. Malleability of the ciphertext ultimately leads to a modification of the message–signature pair. Consequently, the signature for the message can also be utilized to verify and guarantee the IND-CCA2 security of the ciphertext. Thus, the need for the MAC to transfer from the public key to the signature is eliminated.
Secondly, a new abort-resistant hash is proposed to match the "partiality" of the pre-image in relation to the checkout polynomial, so that an NTRU signature secure in the standard model can be built with it.The computational overhead analysis demonstrates a significant improvement in the efficiency of SC-NTRU, surpassing existing lattice-based signcryption methods by orders of magnitude.The experiment shows that SC-NTRU is very efficient.

C generates d_r by the KeyGen algorithm, d_r ← KeyGen, instead of d_r ←$ R_q.
• G_5: C answers with ⊥ to the unsigncryption queries with ciphertexts of the form (c*_0, c_1, c_2, c_3) in phase I. The others remain the same as in the game G_5.
• G_6: In this game, in phase I, C answers all the unsigncryption queries normally, but C replies with ⊥ to the queries with ciphertext (c_0, c_1, c_2) satisfying c_0 ≠ c*_0 but H_1(c_0) = H_1(c*_0).
• G_7: In phase II, C answers with ⊥ to unsigncryption queries with ciphertexts of the form (c*_0, c*_1, c*_2, c_3) meeting c_3 ≠ c*_3. Except for the cases above, C responds to the unsigncryption queries as in G_6.
• G_8: In phase II, C responds with ⊥ to the unsigncryption queries of the form (c*_0, c_1, c_2, c_3) satisfying (c_1, c_2) ≠ (c*_1, c*_2). Replying to the other unsigncryption queries stays the same as in G_7.
• G_9: In this game, C produces h_r ← Z_q^n instead of h_r ← KeyGen. Moreover, C will use d_r to answer the unsigncryption queries. The others are identical to the game G_8.
• G_10: In this game, C produces the challenge ciphertext by collaborating with a signer, which for convenience will be called the signature oracle O_sign. First, C generates (c*_0, c*_1, c*_2) normally as in G_9, then gives (c*_0, c*_1, c*_2) to O_sign. Then, O_sign randomly chooses a message µ and k ←$ {0, 1, 2, 3}^n, and produces a signature (x, k) for µ. Next, O_sign generates c*_3 = Enc_k(µ, x) and gives it to C. Lastly, C gives (c*_0, c*_1, c*_2, c*_3) to A as the challenge ciphertext and waits to get (µ, k, x) from A.
• G_11: C changes the challenge ciphertext a little. C does not give k to O_sign and does not need to get c_3 from O_sign. C just gives the ciphertext (c*_0, c*_1, c*_2) generated by itself to A as the challenge ciphertext. If A is able to obtain the plaintext k in c*_2 with non-negligible probability, C admits that A wins the game with the same probability.
• G_12: This game is identical to the game G_11 except for the challenge ciphertext c*. C queries the variant RLWE oracle to fetch an instance and publishes the public keys as h_r = a_1, u = a_2. C sets the challenge ciphertext as c*_0 = z_1, c*_2 = z_2. The construction method for c*_1 remains identical to that in G_12, that is, c*_1 = c*_0 p + e_1.

Lemma 2. The games G_1 and G_0 are computationally indistinguishable when = 20 log n.

Proof. This lemma can be proven by hybrids. First, C chooses h ←$ R_q and calculates b_r = h p + e where p ←$ {−1, 0, 1}^n, e ←$ {− , …, }^n. The infinity norm of the error e is set at 20 log n, which satisfies the constraint for errors in RLWE, i.e., the Gaussian parameter αq ≥ ω( log n) (see Proposition 1). According to the intractability of RLWE, b_r and b_r ←$ R_q are computationally indistinguishable. Next, C continues modifying b_r as b_r = h_r p + e. Since h_r and h are statistically indistinguishable by the uniformity property of the algorithm KeyGen, the new b_r is computationally indistinguishable from b_r ←$ R_q. Given all this, the games G_1 and G_0 are computationally indistinguishable.

Lemma 3. The games G_2 and G_1 are identical from the view of A.

Proof. Since the computation procedure for (c*_0, c*_1, c*_2, c*_3

Lemma 4. The game G_3 is statistically indistinguishable from the game G_2.

Proof. The only difference between the games G_3 and G_2 is b_r. In G_3, C calculates b_r = h_r p + e − H_0(c*_0) d_r, while in G_2, b_r = h_r p + e. Since c*_0 is fixed and d_r follows the uniform distribution, this b_r is statistically indistinguishable from the b_r in the game G_2.

Due to the uniformity property of the public keys generated by the KeyGen algorithm, we have the following lemma.

Lemma 5. The game G_4 is statistically indistinguishable from the game G_3.

It is difficult to directly prove the statistical indistinguishability between the games G_5 and G_4. However, the game sequence can be continued by game transitions based on failure events.

Lemma 6. Let E_5 denote the event that A makes unsigncryption queries with ciphertexts (c_0, c_1, c_2, c_3) meeting c_0 = c*_0 in phase I. From the point of view of A, the games G_5 and G_4 are totally the same when E_5 does not occur. Furthermore, Pr[A_5 | ¬E_5] = Pr[A_4 | ¬E_5], and Pr[E_5] is negligible.

Lemma 13. The modification to the game is reasonable, and the hardness of winning the game G_11 is the same as that of winning G_10 in A's view. Furthermore, Pr[F_11] = Pr[F_10].

Table 1. Game IND-CCA2 between C and A.

• Initial: The challenger C runs the setup and key generation algorithms to generate the public parameters and the keys for the receiver and sender, as in the IND-CCA2 game. Subsequently, C gives (PP, Pk_s, Pk_r, SK_r) to A.

Table 2. Game EUF-CMA between C and A.
− y ≤ (1/(2π)) 3 ℵ n^{5/2} (ln(2^{(7+λ)/2} n))^{3/2}, C returns the message µ; otherwise it returns ⊥.
- Challenge: After a polynomial number of rounds of interaction with C, A gives a satisfied signal to C. C randomly chooses a message µ and generates the challenge ciphertext c
If the ciphertext for unsigncryption from A is c*, C replies with ⊥ directly. Otherwise, C unsigncrypts the queried ciphertext as in Phase I.
• G_1: In the game G_1, only the producing method of b_r is changed. Let b_r = h_r p + e where p ← {−1, 0, 1}^n, e ← {− , …, }^n. Since C has the normal private key, the unsigncryption approach is the same as in G_0.
• G_2: Before publishing the public keys, C generates a challenge ciphertext c*
b_s, d_s, h_s, h_r) as the public key and keeps B_s and B_r as private keys.
- Phase I: Upon receiving an unsigncryption query from A, C uses the private key B_r to unsigncrypt as in the proposed scheme. If the signature satisfies the constraint (h_s, z)x * * to A.
- Phase II:
The games G_6 and G_5 are identical in the adversary A's view when E_6 does not happen, Pr[A_6 | ¬E_6] = Pr[A_5 | ¬E_6]. Moreover, Pr[E_6] is negligible.
3 in phase II. In the adversary A's view, the games G_7 and G_6 are identical when E_7 does not happen. Namely, Pr[A_7 | ¬E_7] = Pr[A_6 | ¬E_7]. Furthermore, Pr[E_7] is negligible.
• Case 2: A generates the ciphertext c_3 randomly. According to the one-to-one property of the symmetric encryption, a random message–signature pair (µ, x) is unsigncrypted from c_3. Since A does not possess knowledge of µ, it cannot generate a valid signature for it despite having the private key for signature generation. Consequently, the probability of (µ, k, x) passing signature verification is negligible.

Lemma 9. Let E_8 denote the event that in phase II, A makes unsigncryption queries with ciphertexts of the form (c*_0, c_1, c_2, c_3) with (c_1, c_2) ≠ (c*_1, c*_2).
It can be further divided into two subcases. (1) c_2 is obtained through encryption by A. The argument for this subcase is identical to subcase 1 of case 1 in this Lemma 9. Due to the uniqueness of LWE (see Lemma 1), r has already been determined by c*_0. The probability of A choosing the r used in c*_0 is negligible, and a distinct r yields an invalid ciphertext. (2) c_2 is falsified from c*_2 by A. This is similar to the demonstration in subcase 2 of case 1 of Lemma 9. A needs to compute c_2

Lemma 15. In A's view, the games G_13 and G_12 are computationally indistinguishable. Furthermore, Pr[F_13 | ¬E_13] = Pr[F_12 | ¬E_12], and Pr[E_13] = Pr[E_12] is negligible.

Reduction from LWE. When the LWE oracle is O = O_s, namely the pseudorandom case, the challenge ciphertext has the same distribution as in the game G_12. First, the public keys used directly to encrypt the challenge ciphertext are

Table 3. Comparison of the key size, public parameter size, and security of the related schemes.

Table 4. Comparison of the computation overhead of the related signcryption schemes.

Table 5. Actual performance of SC-NTRU under different parameters.