Identity-Based Proxy Signature with Message Recovery over NTRU Lattice

Proxy signature is one of the important primitives of public-key cryptography and plays an essential role in delivering security services in modern communications. However, existing post-quantum proxy signature schemes with larger signature sizes might not be fully practical for some resource-constrained devices (e.g., Internet of Things devices). A signature scheme with message recovery has the characteristic that part or all of the message is embedded in the signature, which can reduce the size of the signature. In this paper, we present a new identity-based proxy signature scheme over an NTRU lattice with message recovery (IB-PSSMR), which is more efficient than the other existing identity-based proxy signature schemes in terms of signature size and energy cost. We prove that our scheme is secure in the random oracle model under a Short Integer Solution (SIS) assumption that is as hard as approximating several worst-case lattice problems. We also discuss some application scenarios of IB-PSSMR in blockchain and the Internet of Things (IoT). This paper provides a new idea for the design of lattice signature schemes in resource-constrained environments.


Introduction
A proxy signature scheme is an emergency backup strategy for digital signatures, in which the signer designates an agent to keep the signing and verification workflow running in the signer's absence. It was first proposed by Mambo, Usuda, and Okamoto [1] in 1996. Subsequently, proxy signatures have been widely used in many scenarios, such as anonymous voting, electronic cash, and mobile agents. Most constructions are based on hard problems of traditional number theory, such as the (elliptic curve) discrete logarithm problem and the factorization of large integers [2,3]. However, in the era of quantum computers, we need to find solutions based on other hard problems, because these traditional schemes can be broken by quantum algorithms in polynomial time [4]. Under this threat, many scholars began to study post-quantum cryptography to prevent many important cryptosystems from failing outright once quantum computers arrive. Concretely, there are mainly the following categories: lattice-based cryptography, multivariate cryptography, code-based cryptography, and hash-based cryptography. Accordingly, some proxy signatures with post-quantum security have been proposed, such as [5,6,7,8,9].
Lattice-based signature schemes have attracted much attention, since their hardness assumptions rely on mathematical problems that have been widely studied and come with a uniquely strong security guarantee: lattice cryptosystems are, on average (i.e., with randomly chosen keys), as hard as the hardest instances of the underlying lattice problem [10]. Furthermore, in lattice cryptography the operations involved in key generation, encryption, or signing usually involve only vector multiplication or modular addition over the integer ring, which makes implementing a scheme relatively simple. However, most lattice-based proxy signatures have large signature sizes, which makes them unsuitable for resource-constrained environments. Reducing the signature length is the most difficult problem in the practical application of lattice signatures, and how to solve and improve it is a critical question.
Traditional digital signature schemes usually need to bind messages and signatures so that verifiers can check them. This may incur additional bandwidth costs, especially when the message and signature sizes are relatively large. Scholars therefore began to think about how to compress messages and signatures as much as possible to reduce bandwidth consumption, and the concept of message recovery was born. With message recovery, the message is embedded in the signature. The sender sends the signature with the embedded message to the receiver; the receiver recovers the original message from the signature and then verifies the signature. This construction is very suitable for environments where signature size matters or bandwidth is limited [11,12]. In 1993, Nyberg and Rueppel modified the Digital Signature Algorithm (DSA) to support message recovery; it was the first signature scheme to support message recovery [13]. This drew many scholars' attention to message recovery. Based on the lattice-based signature scheme of Lyubashevsky et al. [14], Tian et al. [15] constructed a scheme supporting message recovery over lattices, which has an advantage in communication bandwidth over Lyubashevsky et al., but Tian et al.'s scheme does not support proxying of signing rights. In 2017, Faguo Wu et al. [16] considered the problem of delegating signing authority and constructed the first lattice-based proxy signature scheme in the public key infrastructure setting. In addition, their scheme supports message recovery and therefore performs well in communication overhead. In 2019, Xiuhua Lu et al. [17] considered the identity-based setting and constructed a proxy signature with message recovery over lattices. However, Refs. [16,17] are based on inefficient lattice structures, and these schemes suffer from large signature sizes. One naturally asks how to construct efficient schemes with lattices.
As far as we know, the NTRU lattice is the most efficient lattice. At present, it is still an open question whether the NTRU lattice can be used to construct a signature scheme with message recovery.
In terms of signature schemes designed based on quantum computing, Feng et al. [18] proposed a new quantum group signature scheme to enhance the non-repudiation of signatures. Lu et al. [19] proposed a verifiable arbitration quantum signature scheme based on controlled quantum teleportation, which can realize eavesdropping detection and identity authentication. Chen et al. [20] proposed a quantum multi-proxy blind signature based on cluster states to achieve blindness, non-repudiation and unforgeability. Feng et al. [21] studied an arbitrated quantum signature protocol based on boson sampling, which can resist forgery attack and denial attack. Feng et al. [22] proposed a quantum signature scheme for teleportation arbitration based on quantum walks, in which the entangled state is generated at the signature stage through quantum walks.
For concrete applications, Fang et al. [23] surveyed the use of proxy signatures in blockchain, investigating their usage in payment and integrity verification. To meet the challenges of data authentication and integrity in the Internet of Things environment, Verma et al. [24] proposed the first certificate-based proxy signature scheme without pairing; the proposed scheme is suitable for the Internet of Things in terms of computational cost. In the edge computing environment of the Internet of Things, resources are usually limited. Zhang et al. [25] proposed an ID-PRS scheme for the Internet of Things architecture, which also avoids resource-intensive pairing operations and supports a non-interactive design. To address security and privacy issues in the Unmanned Aerial Vehicle (UAV) environment and mitigate various attacks, Verma and Singh et al. [26] proposed a short proxy signature scheme in the certificate-based setting, which has advantages in signature length and computational efficiency.
In this paper, inspired by the lattice-based signature schemes [15,16,27,28], we first propose an identity-based proxy signature with message recovery over the NTRU lattice.
In the random oracle model, our scheme achieves existential unforgeability of both the delegation information and the signature under adaptive chosen warrant and identity attacks. Since our signature scheme adopts message recovery, compared with some existing proxy signature schemes it performs better in communication overhead and signature size. Finally, when we consider the practical application [29], we find that the scheme performs well in terms of energy consumption, which means that it is well suited to resource-constrained and low-bandwidth environments. Based on the hardness assumption of SIS over the NTRU lattice, we formally construct a lattice-based proxy signature scheme with message recovery that provides post-quantum security.
The rest of the article is arranged as follows. In Section 2, we provide necessary preliminaries of our scheme. In Section 3, we give a detailed description of the syntax model and security model of our identity-based proxy signature with message recovery. In Section 4, we formally show how we construct the basic message recovery proxy signature. In Section 5, we present the formal security analysis of our scheme. In Section 6, we introduce detailed comparisons between our scheme and some existing proxy schemes. In Section 7, we discuss some application scenarios of our proposed IB-PSSMR scheme. Finally, we conclude our paper in Section 8.

Notations
In this article, we agree that the following tokens have these specific meanings:
• $|x|^{l_1}$ denotes the leftmost $l_1$ bits of $x$.
• $|x|_{l_2}$ denotes the rightmost $l_2$ bits of $x$.
• $x \| y$ denotes string concatenation, i.e., appending string $y$ after string $x$.

NTRU Lattice
Let $R_q$ be the ring $\mathbb{Z}_q[x]/(x^N+1)$, and let $f, g$ be polynomials in $R_q$. Let $h$ be the polynomial convolution of $f^{-1}$ and $g$, i.e., $h = f^{-1} \cdot g$. The NTRU lattice $\Lambda_{h,q}$ is a full-rank lattice in $\mathbb{Z}^{2N}$ generated by the rows of a $2N \times 2N$ block matrix built from $A_N(h)$, $I_N$ and $O_N$, where $A_N(h)$ is the anticirculant matrix whose $i$th row consists of the coefficients of the polynomial $h \cdot x^i \bmod (x^N+1)$, $I_N$ is the $N \times N$ identity matrix, and $O_N$ is the $N \times N$ zero matrix. We emphasize that NTRU lattices have some excellent properties: their Gram-Schmidt norm can be small and they can be computed quickly.
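As an added example that is not from the paper, the following Python code builds $A_N(h)$ for toy parameters, forms the basis rows of the block matrix $[A_N(h)\,|\,I_N ;\ qI_N\,|\,O_N]$ (this arrangement is assumed here, since the paper's matrix is not reproduced above), and checks that the short secret vector $(g, f)$ lies in the lattice because $g = f \cdot h \bmod q$. The values $N = 8$, $q = 17$ and the polynomials f, g are constructed and far below secure sizes, and the polynomial inversion by Gauss-Jordan elimination mod q is an illustration helper, not the paper's key generation.

```python
# Added example (not from the paper): the anticirculant matrix A_N(h) and the NTRU
# lattice basis for toy parameters. N = 8, q = 17 and the small polynomials f, g
# below are constructed values, far too small for security.
N, Q = 8, 17

def poly_mul(a, b, n=N, q=Q):
    """Multiply a and b in Z_q[x]/(x^n + 1); x^n wraps to -1, which is what
    makes the matrix of 'multiply by h' anticirculant."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - n] = (out[k - n] - ai * bj) % q
    return out

def anticirculant(h, n=N, q=Q):
    """A_N(h): row i holds the coefficients of h * x^i mod (x^n + 1)."""
    rows = []
    for i in range(n):
        x_i = [0] * n
        x_i[i] = 1
        rows.append(poly_mul(h, x_i, n, q))
    return rows

def solve_mod_prime(mat, rhs, q=Q):
    """Gauss-Jordan elimination over Z_q (q prime); returns x with mat*x = rhs, or None."""
    n = len(mat)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(mat)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(v * inv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] % q:
                f = aug[r][col]
                aug[r] = [(vr - f * vc) % q for vr, vc in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def poly_inverse(f, n=N, q=Q):
    """f^{-1} in R_q: the row vector v with v * A_N(f) = e_0, i.e. A_N(f)^T v = e_0."""
    a = anticirculant(f, n, q)
    a_t = [[a[r][c] for r in range(n)] for c in range(n)]
    return solve_mod_prime(a_t, [1] + [0] * (n - 1), q)

def ntru_basis(h, n=N, q=Q):
    """Rows of the block matrix [A_N(h) | I_N ; q I_N | O_N] (assumed arrangement)
    generate Lambda_{h,q} = {(u, v) in Z^{2n} : u = v * h mod q}."""
    a = anticirculant(h, n, q)
    top = [a[i] + [int(j == i) for j in range(n)] for i in range(n)]
    bottom = [[q * int(j == i) for j in range(n)] + [0] * n for i in range(n)]
    return top + bottom

def in_lattice(u, v, h, n=N, q=Q):
    """Membership test for Lambda_{h,q}: u = v * h (mod q)."""
    return [x % q for x in u] == poly_mul(v, h, n, q)

def demo():
    f = [1, 1, 1, 0, 0, 0, 0, 0]        # 1 + x + x^2, invertible mod (x^8 + 1, 17)
    g = [1, 0, -1, 0, 1, 0, 0, -1]      # small coefficients, as an NTRU secret should have
    h = poly_mul(poly_inverse(f), g)    # public key h = f^{-1} * g
    basis = ntru_basis(h)
    # (g, f) is a short lattice vector: g = f * h mod q, while the public basis
    # rows contain entries of size about q.
    return h, in_lattice(g, f, h), len(basis), sum(x * x for x in g + f)
```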

Definition 1.
Given integers $q, m, n$ and a matrix $A \in \mathbb{Z}_q^{n \times m}$, the $q$-ary lattices are defined as follows:

Gaussian on Lattice
In this section, we introduce an algorithm for sampling from the discrete Gaussian distribution; its output is a vector that follows the discrete Gaussian distribution, as shown in Algorithm 1.
Following Lyubashevsky's discussion of lattice trapdoor construction [28], consider the discrete Gaussian distribution in dimension $m$ with standard deviation $\sigma$. He proved some important properties of the discrete Gaussian distribution, which we refer to as Lemma 1.
Lemma 1. For any $v \in \mathbb{Z}^m$ and any positive real $\alpha$, if $\sigma = \omega(\|v\|\sqrt{\log m})$, then the following probability relation holds.
Here $\omega(\cdot)$ denotes a lower bound that is not asymptotically tight. More specifically, for a given quantitative relationship, if $\sigma = \alpha\|v\|$, we obtain the following inequality.

Rejection Sampling Technique
The rejection sampling technique [10] is mainly used to remove the dependence of the output signature on the signing key. The algorithm is described below (Algorithm 2).
If the signer follows the steps in Algorithm 2, i.e., outputs a candidate $z$ with probability $\min\!\left(\frac{D^m_\sigma(z)}{M \cdot D^m_{Sc,\sigma}(z)}, 1\right)$, then the distribution of the output signatures is (statistically close to) $D^m_\sigma$, which is independent of the signing key, and the expected number of iterations before a signature is output is $M$.
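As an added illustration (not the paper's Algorithm 1 or 2), the Python code below implements the rejection step of Algorithm 2 with a table-based discrete Gaussian sampler, computes $M$ from Lyubashevsky's bound $M = e^{12/\alpha + 1/(2\alpha^2)}$ for $\sigma = \alpha\|Sc\|$ (the inequality from [10]), and compares the mean of the output $z$ with and without rejection: without rejection the mean of $z$ reveals $Sc$, with rejection it is centred at 0 and the average iteration count is close to $M$. The secret-dependent vector $Sc = (4, 0)$ and $\sigma = 12$ are constructed toy values.

```python
import math
import random
from itertools import accumulate

def _sq(v):
    """Squared Euclidean norm of an integer vector."""
    return sum(x * x for x in v)

class DiscreteGaussianSampler:
    """Table-based sampler for the centred discrete Gaussian D_sigma over Z,
    truncated at tail*sigma. Illustration only: not constant time, unlike
    a real signing implementation must be."""
    def __init__(self, sigma, tail=12):
        self.sigma = sigma
        bound = int(math.ceil(tail * sigma))
        self.support = list(range(-bound, bound + 1))
        weights = [math.exp(-x * x / (2 * sigma * sigma)) for x in self.support]
        self.cum = list(accumulate(weights))

    def sample(self, m, rng):
        """One vector of m independent D_sigma coordinates."""
        return rng.choices(self.support, cum_weights=self.cum, k=m)

def lyubashevsky_M(alpha):
    """Repetition bound M from [10] for sigma = alpha * ||Sc||:
    D_sigma(z) / D_{Sc,sigma}(z) < M except with probability 2^-100."""
    return math.exp(12 / alpha + 1 / (2 * alpha * alpha))

def rejection_sign(sc, sampler, M, rng):
    """Algorithm 2: y <- D_sigma^m, z = Sc + y, output z with probability
    min(D_sigma(z) / (M * D_{Sc,sigma}(z)), 1). Returns (z, iterations)."""
    two_sigma2 = 2 * sampler.sigma ** 2
    tries = 0
    while True:
        tries += 1
        y = sampler.sample(len(sc), rng)
        z = [s + yi for s, yi in zip(sc, y)]
        # D_sigma(z) / D_{Sc,sigma}(z) = exp((||y||^2 - ||z||^2) / (2 sigma^2));
        # both densities share the normalisation rho_sigma(Z^m), which cancels.
        ratio = math.exp((_sq(y) - _sq(z)) / two_sigma2) / M
        if rng.random() < min(ratio, 1.0):
            return z, tries

def experiment(sc, sigma, runs=1000, seed=1, reject=True):
    """Mean output vector, mean iteration count and M over `runs` signatures
    for a fixed secret-dependent vector Sc. With reject=False the raw
    z = Sc + y is output, and the mean of z leaks Sc."""
    rng = random.Random(seed)
    sampler = DiscreteGaussianSampler(sigma)
    M = lyubashevsky_M(sigma / math.sqrt(_sq(sc)))
    total, tries = [0] * len(sc), 0
    for _ in range(runs):
        if reject:
            z, t = rejection_sign(sc, sampler, M, rng)
        else:
            z, t = [s + yi for s, yi in zip(sc, sampler.sample(len(sc), rng))], 1
        total = [a + b for a, b in zip(total, z)]
        tries += t
    return [v / runs for v in total], tries / runs, M

if __name__ == "__main__":
    SC, SIGMA = [4, 0], 12          # constructed toy values: alpha = sigma / ||Sc|| = 3
    print("with rejection   :", experiment(SC, SIGMA))
    print("without rejection:", experiment(SC, SIGMA, reject=False))
```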

Hardness Assumption
We assume the SIS problem is hard in the NTRU lattice; referring to [34], when $f$ and $g$ are chosen properly in key generation, the distribution of $h = f^{-1} g$ and the uniform distribution over $R_q^*$ are statistically close, which means they are indistinguishable.
Here we recall the definition of the SIS problem.

Definition 2.
(Small Integer Solution problem (SIS)) Let $n$ and $q$ be integers, where $n$ is the security parameter; typically $q$ is polynomial in $n$. Let $\beta > 0$. Given a uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$, where $m = \mathrm{poly}(n)$, the goal is to find a non-zero vector $e \in \mathbb{Z}^m$ such that $Ae = 0 \bmod q$ and $\|e\| < \beta$.
Definition 3. Given $f, g, h$ from NTRU key pair generation, with $n, q, \beta$ defined as in Definition 2, the SIS problem over the NTRU lattice is to find a non-zero vector $(z_1, z_2)$ such that $A_{h,q}(z_1, z_2) = 0 \bmod q$ and $\|(z_1, z_2)\| < \beta$.
Let $(s_1, s_2)$ be any vector in $\Lambda_{h,q}$. The $\gamma$-SVP problem on $\Lambda_{h,q}$ is to find a non-zero lattice vector $(z_1, z_2)$ of length at most $\gamma\theta$, where $\theta$ is the length of the shortest non-zero vector in the lattice $\Lambda_{h,q}$. Therefore, when $\gamma = \beta/\theta$, solving SIS over the NTRU lattice is as hard as solving the shortest vector problem ($\gamma$-SVP) in the NTRU lattice. Hence, our proposed scheme also relies on the hardness of $\gamma$-SVP. Note that the $\gamma$-SVP problem is NP-hard when the approximation factor satisfies $\gamma < 1 + 1/n^{\varepsilon}$ [35].

Message Recovery
Message recovery is a functional extension of a signature scheme that allows all or part of the message to be embedded in the signature. The key generation, signing and verification algorithms and the message recovery process are shown in the accompanying figure, where Gen, Sign, and Ver are the key generation, signing and verification algorithms, SK is the secret key and PK is the public key. The message $u$ to be signed is divided into two parts, $u = u_1 \| u_2$: $u_1$ is the recoverable part, which is embedded in the signature and recovered from it during verification, and $u_2$ is the non-recoverable part, which is sent or stored together with the signature.
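As an added example that is not the paper's Algorithm 4 or 5, the Python code below shows the redundancy encoding that the hash functions of the security proof suggest ($F_1$ with $l_1$-bit output, $F_2$ with $l_2$-bit output, $H_2$ with $(l_1+l_2)$-bit output, and $H_3(r, u_2)$), in the style of Abe and Okamoto's message-recovery encoding: the recoverable part $u_1$ is masked into $r$, the verifier unmasks it, splits off the leftmost $l_1$ and rightmost $l_2$ bits, rebuilds $u_1$ and checks it through $F_1$, so $u_1$ never travels in the clear. It assumes SHAKE-256 with domain separation as the hash functions, $l_1 = l_2 = 128$ bits, and a byte string standing in for the lattice commitment that $H_2$ is applied to.

```python
import hashlib

# Toy redundancy length l1 and recoverable-part length l2, in bytes (128 bits each).
L1, L2 = 16, 16

def _shake(tag: bytes, data: bytes, n: int) -> bytes:
    """Domain-separated hash with n-byte output; stands in for F1, F2, H2, H3."""
    return hashlib.shake_256(tag + data).digest(n)

def F1(u1: bytes) -> bytes:          # {0,1}^* -> {0,1}^{l1}
    return _shake(b"F1", u1, L1)

def F2(x: bytes) -> bytes:           # {0,1}^{l1} -> {0,1}^{l2}
    return _shake(b"F2", x, L2)

def H2(commitment: bytes) -> bytes:  # commitment -> {0,1}^{l1+l2}
    return _shake(b"H2", commitment, L1 + L2)

def H3(r: bytes, u2: bytes) -> bytes:  # challenge input (r, u2), as in the proof's H3-query
    return _shake(b"H3", r + u2, 32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def embed(u1: bytes, commitment: bytes) -> bytes:
    """Signer side: alpha = F1(u1) || (F2(F1(u1)) xor u1), r = H2(commitment) xor alpha.
    Only r (plus u2 and the lattice part) is transmitted; u1 is not sent."""
    assert len(u1) == L2
    f = F1(u1)
    alpha = f + xor(F2(f), u1)
    return xor(H2(commitment), alpha)

def recover(r: bytes, commitment: bytes):
    """Verifier side: unmask alpha with the recomputed commitment, take the leftmost
    l1 bytes |alpha|^{l1} and rightmost l2 bytes |alpha|_{l2}, rebuild u1 and check
    the redundancy F1(u1) == |alpha|^{l1}. Returns u1, or None on a bad signature."""
    alpha = xor(r, H2(commitment))
    left, right = alpha[:L1], alpha[L1:]
    u1 = xor(right, F2(left))
    return u1 if F1(u1) == left else None

def demo():
    u1 = b"recoverable-part"                         # 16 bytes, constructed sample
    u2 = b"non-recoverable part, sent in clear"      # constructed sample
    commitment = b"stand-in for y1 + y2*h"           # lattice commitment is out of scope here
    r = embed(u1, commitment)
    c = H3(r, u2)                     # challenge input for the lattice part of Psign
    ok = recover(r, commitment)       # honest verifier recovers u1
    tampered = recover(bytes([r[0] ^ 1]) + r[1:], commitment)   # one flipped bit in r
    return ok, tampered, len(r) == L1 + L2, c
```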

Syntax and Security Model for Identity-Based Proxy Signature Scheme with Message Recovery
In this section, we first give the syntax model, i.e., we describe the participants and the algorithms in our scheme. Then, we introduce the security model of our lattice-based proxy signature scheme with message recovery (IB-PSSMR).

Definition 4.
There are four types of participants in our identity-based proxy signature with message recovery over the NTRU lattice, including the key generation center (KGC) of the system.

1. Setup: The algorithm Setup takes a security parameter N as input and outputs the system's public parameters par and KGC's public and secret key pair (mpk, msk), that is, $(par, (msk, mpk)) \leftarrow \mathrm{Setup}(n)$.
2. KeyExtract: The algorithm KeyExtract takes the system's public parameters par, KGC's secret key msk and public key mpk, and the user's identity $ID_u$ (i.e., the user's public key) as input, and outputs the user's secret key $sk_{ID}$, that is, $sk_{ID} \leftarrow \mathrm{KeyExtract}(par, msk, ID_u)$.
3. DelGen: The algorithm DelGen takes as input the system's public parameters par, KGC's public key mpk, a warrant $W = (pk_{ID_o}, pk_{ID_p}, T)$ where T is the validity period of W, and the original signer's secret and public keys $(sk_{ID_o}, pk_{ID_o})$; the original signer computes the delegation and outputs the delegation information $d_g$, that is, $\{d_g\} \leftarrow \mathrm{DelGen}(par, W, mpk, sk_{ID_o}, pk_{ID_o})$.
4. DelVer: On input the system's public parameters par, KGC's public key mpk, the original signer's public key $pk_{ID_o}$, the warrant W and its delegation $d_g$, one verifies the legality of the delegation information $d_g$. If $d_g$ is valid, the output is 1 and the delegation is accepted; otherwise, the output is 0 and the delegation is rejected, that is, $\{0, 1\} \leftarrow \mathrm{DelVer}(par, W, d_g, mpk, pk_{ID_o}, pk_{ID_p})$.
5. Psign: Given the system's public parameters par, KGC's public key mpk, the original signer's public key $pk_{ID_o}$, the proxy signer's secret and public keys $(sk_{ID_p}, pk_{ID_p})$, the delegation key pair $(sk_d, pk_d)$, the warrant W with its delegation information $d_g$, and the message m to be signed, the algorithm Psign outputs the identity-based proxy signature (IB-PS) on behalf of the original signer, that is, $sig \leftarrow \mathrm{Psign}(par, m, W, mpk, pk_{ID_o}, sk_{ID_p}, pk_{ID_p}, sk_d, pk_d)$.
6. Pver: A verifier in our IB-PSSMR system first recovers the message m embedded in the signature sig. Then the algorithm Pver takes the public key $pk_{ID_o}$ of the original signer, the public key $pk_{ID_p}$ of the proxy signer, and the public delegation key $pk_d$ as input.

Security Model for IB-PSSMR
For the security of the identity-based proxy signature scheme with message recovery (IB-PSSMR) over the NTRU lattice, there are two things to consider. First, the delegation is the proxy signer's signature on the message m, made on behalf of the original signer. Second, the warrant is a kind of timestamp restriction on the message and contains the validity period. Considering this, unforgeability, verifiability, strong identifiability, strong undeniability, and key dependence are naturally satisfied. Therefore, the security notion for this IB-PSSMR over the NTRU lattice is existential unforgeability under adaptive chosen-message attacks. We define the security model of our IB-PSSMR by a game (an experiment) run between a challenger C and an adversary A (the forger).
Regarding the unforgeability of our IB-PSSMR over the NTRU lattice, we take two types of adversary into consideration:
Type (i): Adversary A can obtain access to the original signer's public key $pk_{ID_o}$, the proxy signer's public key $pk_{ID_p}$, and the original signer's secret key $sk_{ID_o}$.
Type (ii): Adversary A cannot obtain access to the original signer's secret key $sk_{ID_o}$ or the proxy signer's secret key $sk_{ID_p}$.
It is evident that the Type (i) adversary is more powerful than the Type (ii) adversary, so we only consider the Type (i) adversary.
The security game of the IB-PSSMR is defined by the interactions between a challenger C and an adversary A, which consist of the following phases:
1. Initial Phase: the challenger C runs the Setup(n) algorithm to generate the system public parameters par and sends them to the adversary A.
2. Query Phase: the adversary A can adaptively issue queries (i.e., query the oracles); the number of queries is polynomially bounded.
• KeyExtract-query: given an ID, the adversary A issues a query to obtain the corresponding secret key. The challenger C runs the algorithm $sk_{ID} \leftarrow \mathrm{DelGen}(par, W, mpk, sk_{ID_o}, pk_{ID_o})$ and returns $sk_{ID}$ to A.
• DelGen-query: for delegation information $d_g$ of interest, the adversary A issues a query with the two secret keys corresponding to the identities $ID_o$ and $ID_p$ as input. Upon receiving the query, the challenger C runs $d_g \leftarrow \mathrm{DelGen}(par, W, mpk, sk_{ID_o}, pk_{ID_o})$ and returns $d_g$ to A.
• Psign-query: if A is interested in the proxy signature of message m under $ID_p$, it issues such a query to the challenger. C runs the algorithm $sig \leftarrow \mathrm{Psign}(par, m, W, mpk, pk_{ID_o}, sk_{ID_p}, pk_{ID_p})$ and delivers sig to A.
3. Forgery Phase: using the queries above, the adversary A tries to forge a proxy signature to win the game. Given a message m and an identity $ID_p$ as the proxy signer, A needs to generate a valid sig that passes verification. The following conditions must be satisfied:
(a) $\mathrm{Pver}(par, pk_{ID_o}, pk_{ID_p}) = 1$;
(b) m has never been signed in the Psign-query phase;
(c) the secret key of $ID_p$ has not been queried in the KeyExtract-query phase.
Definition 6. If the advantage with which any PPT adversary A wins the security game above is negligible, then the identity-based proxy signature with message recovery (IB-PSSMR) over the NTRU lattice is said to be existentially unforgeable.

Our Identity-Based Proxy Signature Scheme with Message Recovery
The identity-based proxy signature scheme with message recovery (IB-PSSMR) over the NTRU lattice that we propose is described in this section. There are four participants in our scheme.
1. Setup: KGC runs the algorithm MasterKeygen to output the system's master key pair (msk, mpk), as described in Algorithm 3. Finally, KGC publishes $par = (N, q, H_1, H_2, H_3)$ as the public parameters of our IB-PSSMR system.
2. KeyExtract: KGC takes the public parameters par and the system's master secret key msk as input and then works as follows:
3. DelGen: the original signer generates the delegation on the warrant $W = (pk_{ID_o}, pk_{ID_p}, T)$, where T is the validity period of W; the delegation information $d_g$ on W is computed as described in Algorithm 4.
4. DelVer: when the proxy signer receives the warrant W and its delegation $d_g = (z_1, z_2)$, he first checks whether $\|(z_1, z_2)\| \le 2\sigma\sqrt{2N}$ and the hash condition on $H_2(h y_2 + y_1 - H_1(ID_o) * W, W)$ both hold. If so, the proxy signer $ID_p$ can take the warrant as his lawful authority from the original signer; otherwise, he should reject it.
5. Psign: after confirming the legitimacy of the signer, given a message u, the proxy signer with $ID_p$ generates a proxy signature for it by Algorithm 4.
6. Pver: given the public parameters par, a user in the system who wants to verify the legitimacy of the proxy signature performs the steps described in Algorithm 5.

Theorem 1. The IB-PSSMR we proposed satisfies correctness.
Proof. From the detailed construction of Algorithms 3 to 5, we easily obtain the following equations.

Algorithm 3 Master Keygen
Input: security parameter N, prime q, σ.
Output: KGC's public key mpk and secret key msk.
5: if the norm check fails, i.e., the norm exceeds $1.17\sqrt{q}$, then
6:   Restart
7: end if
8: $R_f = \mathrm{resultant}(f, X^N + 1)$ and $R_g = \mathrm{resultant}(g, X^N + 1)$, respectively. The resultant of $f$ can be calculated straightforwardly; the details of the resultant operation can be found in [36].
9: Compute $\rho_f, \rho_g$ satisfying $\rho_f f + k_f (X^N + 1) = R_f$ and $\rho_g g + k_g (X^N + 1) = R_g$ by the Extended Euclidean Algorithm, where $k_f$ and $k_g$ are integers.
10: if $(R_f, R_g) = 1$ (i.e., $\gcd(R_f, R_g) = 1$) then

Security Analysis
In this section, we give a formal proof to show that our proxy signature is unforgeable. If not, the adversary can break the hardness problem SIS in the NTRU lattice.

Theorem 2.
The proposed IB-PSSMR over the NTRU lattice is existentially unforgeable against adaptive chosen message and identity attacks in the random oracle model under the hardness assumption of the SIS problem over the NTRU lattice.
Proof. We prove the security of our scheme by contradiction. Suppose there is a PPT adversary A that can break our IB-PSSMR over the NTRU lattice with non-negligible probability; we show that A can then be used to solve the SIS problem over the NTRU lattice.
The security game is played between a challenger C and an adversary A. We simulate the interaction as follows.
Initial: Taking λ as the security parameter, the challenger C first randomly picks a matrix $h$ and three secure hash functions.
Queries: The adversary A issues the following queries adaptively.
• $H_1$-query: to simulate the $H_1$ oracle, the challenger C maintains a list $L_0$ of query/response pairs, initially empty. Given the adversary's $H_1$ query on $ID_i$, C first checks whether it is in $L_0$. If a value $H_1(ID_i)$ is stored, C returns it to the adversary. Otherwise C randomly chooses $H_1(ID_i) \in \mathbb{Z}_q^N$, updates $L_0 = (L_0, \{ID_i, H_1(ID_i)\})$, and outputs $H_1(ID_i)$ as the response.
• $H_2$-query: C maintains the $H_2$ list $L_1$ of tuples $(\alpha_i, y_{i1} + y_{i2} h)$, initially empty. When A issues an $H_2$ query on a vector $y_{i1} + y_{i2} h \in \mathbb{Z}_q^N$, C looks it up in $L_1$; if a matching tuple $(\alpha_i, y_{i1} + y_{i2} h)$ exists, C returns $\alpha_i$ as the response. Otherwise C randomly selects a string $\alpha_i \in \{0,1\}^{l_1 + l_2}$, updates $L_1 = (L_1, \{\alpha_i, y_{i1} + y_{i2} h\})$, and outputs $\alpha_i$.
• $F_1$-query: C maintains an $F_1$ list $L_2 = (u_{i1}, F_1(u_{i1}))$, initially empty. On an $F_1$ query for $u_{i1}$, C checks $L_2$; if a pair $(u_{i1}, F_1(u_{i1}))$ exists, it sends $F_1(u_{i1})$ back to A. Otherwise C randomly picks $F_1(u_{i1}) \in \{0,1\}^{l_1}$, updates $L_2 = (L_2, (u_{i1}, F_1(u_{i1})))$, and outputs $F_1(u_{i1})$.
• $F_2$-query: C maintains an $F_2$ list $L_3 = (F_1(u_{i1}), F_2(F_1(u_{i1})))$, initially empty. On an $F_2$ query for $F_1(u_{i1})$, C checks $L_3$; if a pair $(F_1(u_{i1}), F_2(F_1(u_{i1})))$ exists, it returns $F_2(F_1(u_{i1}))$. Otherwise C randomly chooses $F_2(F_1(u_{i1})) \in \{0,1\}^{l_2}$, updates $L_3 = (L_3, (F_1(u_{i1}), F_2(F_1(u_{i1}))))$, and outputs $F_2(F_1(u_{i1}))$.
• $H_3$-query: C maintains an $H_3$ list $L_4 = (r_i, u_{i2}, C_i)$, initially empty. On a query for $(r_i, u_{i2})$, C checks the list; if the entry exists, it returns the corresponding $C_i$ to A. Otherwise C randomly selects $C_i \in \{-1, 0, 1\}^{N \times N}$, updates $L_4 = (L_4, (r_i, u_{i2}, C_i))$, and outputs $C_i$.
• KeyExtract-query: C maintains a KeyExtract list $L_5 = (ID_i, sk_{ID_i})$, initially empty. When A requests the private key for identity $ID_i$, C checks $L_5$; if the pair $(ID_i, sk_{ID_i})$ exists, C returns $sk_{ID_i}$. Otherwise C retrieves $(ID_i, H_1(ID_i))$ from $L_0$, runs $\mathrm{GaussianSampler}(c, \sigma, H_1(ID_i), 0)$ to obtain $sk_{ID_i} = (s_{i1}, s_{i2})$, and updates $L_5 = (L_5, (ID_i, sk_{ID_i}))$.
• DelGen-query: C maintains a DelGen list $L_6 = (y_{i1}, y_{i2}, u_{o2}, z_{i1}, z_{i2})$. When A issues a DelGen query for the delegation of warrant $W_i$, C searches $L_6$ first; if the tuple exists, it returns $(z_{i1}, z_{i2})$. Otherwise C computes $z_{i1} = s^o_{i1} C_o + y_{i1}$ and $z_{i2} = s^o_{i2} C_o + y_{i2}$ to obtain a valid delegation signature, and updates $L_6 = (L_6, (y_{i1}, y_{i2}, u_{o2}, z_{i1}, z_{i2}))$.
• Psign-query: C maintains a Psign list $L_7 = (y_{i3}, y_{i4}, u_{p2}, z_{i3}, z_{i4})$, where the message is $U = u_{p1} \| u_{p2}$. When A issues a Psign query for the proxy signature of message U, C searches $L_7$ first; if the tuple exists, it returns $(z_{i3}, z_{i4})$. Otherwise C computes $z_{i3} = s^p_{i1} C_p + y_{i3}$ and $z_{i4} = s^p_{i2} C_p + y_{i4}$ to obtain a valid proxy signature, and updates $L_7 = (L_7, (y_{i3}, y_{i4}, u_{p2}, z_{i3}, z_{i4}))$.
Forgery: After the interactions and queries, the adversary A outputs a valid forgery $(u_{o2}, u_{p2}, z_{i1}, z_{i2}, z_{i3}, z_{i4})$ with non-negligible probability on warrant W, message U, original signer identity $ID_o$ and proxy signer identity $ID_p$. We show that if A can produce this forgery, then it can be used to obtain a short non-zero solution of a SIS instance over the NTRU lattice, i.e., of the equation system $A_{h,q}(z_1, z_2) = 0 \bmod q$ with $\|(z_1, z_2)\| < \beta$. The Queries phase can be executed again by A, and by the Forking Lemma [37] another valid signature $(u^*, \ldots)$ is generated. The following equation holds unless we find a collision of the hash function $H_2$, which is hard in the random oracle model, so the preimages are the same.
Rearranging the two sides of the two equations and writing them in matrix form, we obtain a meaningful non-zero solution of a SIS instance in the NTRU lattice with overwhelming probability. By Property 4 in [28] for collision-resistant preimage sampleable functions, the probability that algorithm C breaks the Short Integer Solution problem over this NTRU lattice is at least $(1 - 2^{-\omega(\sqrt{\log N})})\varepsilon$. Therefore, in the random oracle model (ROM), if there is a PPT adversary A that breaks the proposed IB-PSSMR over the NTRU lattice with non-negligible probability $\varepsilon$, then we can use A to construct a PPT algorithm C that finds a solution of the SIS problem in the NTRU lattice, which in turn reduces to the SVP problem over the NTRU lattice. So, assuming the hardness of SVP, we claim that our IB-PSSMR scheme is unforgeable. Since there is no known quantum algorithm for SVP, we can then claim that our IB-PSSMR is also quantum resistant.
Furthermore, it is not difficult to prove that our IB-PSSMR scheme satisfies identifiability, strong undeniability, key dependence, and verifiability; for simplicity, we omit the proofs here.

Efficiency Analysis
At present, there are two kinds of security models for signature schemes: the random oracle model and the standard model. Mostly, the more efficient lattice-based proxy signature schemes are those proven secure in the random oracle model. Agrawal et al. [38] proposed an identity-based encryption scheme secure in the standard model, but their scheme is inefficient and can only encrypt one plaintext bit.

Comparison of message recovery, delegation and signature size:
Scheme   Message Recovery   Delegation   Signature's Size
[39]     No                 Yes          $|u_{o2}| + |u_{p2}| + 2l_2 + 4N\log(12\sigma) + 2N(\log\lambda + 1)$
[40]     No                 No           $N \log q$
Ours     Yes                Yes          $|u_{o2}| + |u_{p2}| + 2l_1 + 2l_2 + 4N\log(12\sigma)$
Ducas et al. [40] proposed an efficient identity-based encryption (IBE) scheme based on the NTRU lattice and a method to convert it into an identity-based signature (IBS) within the same framework. Compared with the scheme of [40], this paper adds signature proxy authority and the message recovery function. By constructing message recovery, our scheme saves communication bandwidth in terms of transmission efficiency while only slightly increasing computing resource consumption.
When we set the security parameter N = 512, we present concrete instances of the communication overhead reduction of our scheme relative to [39] in Table 2. Furthermore, the energy consumption of transmission and computation differs: it has been shown that a 32-bit computation requires less energy than transmitting one bit [29]. In our IB-PSSMR scheme, even though message recovery adds some simple computations, e.g., XOR and hashing, we still obtain much lower energy consumption than in the practical case [39].
Given the analysis above, we conclude that our IB-PSSMR is more efficient than other lattice-based schemes in terms of communication and energy consumption.

Application of The IB-PSSMR
In this section, we discuss some application scenarios of our proposed IB-PSSMR scheme. Mostly, we will discuss its application in blockchain and Internet of Things.
A proxy signature scheme is mainly about delegating authority. In blockchains, the transfer of authority is often involved, such as transfer authority and certificate deposit authority [41]. In a cryptocurrency blockchain system, the private key of a wallet is usually held by a single node. However, in some cases the currency of a wallet is publicly owned by the members of an organization, or it is necessary to give proxy permissions to other nodes so that they can exercise the same transfer permissions; this is where a proxy signature is needed. The framework is shown in Figure 2. The node owning the wallet authorizes nodes within the organization with signing authority. Nodes that receive a legal proxy authorization can sign transactions. After a signed transaction enters the transaction pool, it is authenticated by the mining nodes to complete the confirmation of the transaction. To maintain the scalability of a blockchain, the block size is strictly controlled, so the signature size of a transaction also has an important impact on blockchain performance. Our proposed IB-PSSMR scheme compresses the signature size well and can be used as an alternative signature algorithm in post-quantum blockchain design. In the Internet of Things environment, data authentication is of great significance [24,42,43]: failure to verify the integrity and authenticity of data can lead to serious consequences. However, edge nodes often have insufficient resources, so a signature scheme that consumes fewer storage resources is urgently needed in the Internet of Things environment. Our proposed IB-PSSMR scheme can be used in future quantum computing environments in the Internet of Things scenario.
For example, in the Internet of Things environment an organization has many devices, one of which is the main device while the others are also under the organization, and they share an identity. The proxy signature scheme can be used to authorize the affiliated devices so that traffic sent from the organization carries the same identity. As shown in Figure 3, the master device in a group authorizes the slave devices by proxy. After the traffic sent by a slave device is proxy-signed, it can be authenticated by other groups and attributed to the traffic of the same organization. Similarly, in this process the signature size must be kept within a reasonable range, otherwise it will congest the Internet of Things traffic. The IB-PSSMR scheme can serve as a post-quantum alternative in this Internet of Things environment to enhance data authentication.

Conclusions
Bandwidth is more precious than gold, especially in resource-constrained environments. In the era of quantum computing, it is necessary to construct an efficient proxy signature that is quantum safe. Because many post-quantum schemes use heavy computation and their signature sizes are not compact, the lattice-based architecture is the most attractive. In this paper, we construct an efficient identity-based proxy signature scheme with message recovery (IB-PSSMR) over the NTRU lattice under the standard Gentry-Peikert-Vaikuntanathan (GPV) framework [44]. In addition to a well-studied security proof, our scheme benefits from the excellent computational performance of the NTRU lattice and achieves message recovery in the signing phase. We also give a formal security proof of our proposed scheme, and the efficiency analysis compares it with some related proxy signature constructions. In the future, we will continue to improve the usability of our scheme and survey concrete application scenarios.

Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.

Data Availability Statement:
No new data were created or analyzed in this study. Data sharing is not applicable to this article.