Research on Quantum-Attack-Resistant Strong Forward-Secure Signature Schemes

The security of digital signatures depends significantly on the signature key. Therefore, to reduce the impact of leaked keys upon existing signatures and subsequent ones, a digital signature scheme with strong forward security could be an effective solution. Most existing strong forward-secure digital signature schemes rely on traditional cryptosystems, which cannot effectively resist quantum attacks. By introducing lattice-based delegation technology into the key-iteration process, a two-direction and lattice-based key-iteration algorithm with strong forward security is proposed. In the proposed algorithm, a unique key pair is assigned to the signer in every period. Based on the proposed algorithm, a strong forward-secure signature scheme is further put forward, which achieves resistance to quantum attacks. Performance analysis shows that under the security assumption of the SIS problem on the lattice, the proposed strong forward-secure signature scheme is existentially unforgeable under the random oracle model. Ultimately, based on the proposed strong forward-secure signature scheme, a remote identity-authentication scheme that is resistant to quantum attacks is proposed, ensuring post-quantum security in the user-authentication process.


Introduction
As one of the essential tools of digital authentication, digital signatures are widely applied in e-commerce and network communication. The security of a digital signature depends largely on the signature key: a leaked private key renders every signature generated with it untrustworthy and can bring down the entire signature system. Therefore, to ensure the legitimacy of signatures, the signer must invalidate previous signatures and rebuild a new signature system before signing again.
To address the above problems, Anderson proposed the concept of forward security at the ACM CSS conference in 1997 [1], achieving it by updating the keys. In 2000, Anderson further introduced the concept of backward security [2], which ensures that leakage of the current key does not compromise future signing. In 2001, Burmester et al. put forward the concept of strong forward security [3], which further improves the security of the signature system: a strong forward-secure signature scheme guarantees both forward security and backward security.
Since then, strong forward-secure signature schemes have been studied in depth. Cheng Yage et al. proposed a dynamic threshold signature scheme with strong forward security [4]. Li Fengyin et al. put forward a privacy-aware PKI model with strong forward security [5]. Yoneyama put forward a one-round authenticated key exchange with strong forward secrecy in the standard model against a constrained adversary [6]. These schemes are based, respectively, on the Chinese remainder theorem, RSA, and the Diffie-Hellman hard problem, none of which can resist quantum attacks.
Identity-based Cryptography (IBC) has received great attention due to its efficiency in key management [7]. To ensure the security of signatures in the case of key leakage,

Figure 1. The private key-iteration process of the strong forward-secure signature scheme.

Security Model
The identity-based strong forward-secure signature scheme is existentially unforgeable under adaptive chosen-message attack. Security is defined by the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.
Parameter establishment: The challenger runs the parameter-generation algorithm and sends the generated public parameter $PP$ to the adversary, keeping the master key $msk$ and the user master key $usk$ for itself.
Queries: Adversary $\mathcal{A}$ adaptively issues the following queries to the challenger:
1. Key query: $\mathcal{A}$ may ask, for any identity $ID_{U_k}$ ($k = 1, 2, \ldots, N$), for the key of any period $i$ ($i \le T$); $\mathcal{C}$ generates the key $SK_{ID_{U_k}\|i}$ of identity $ID_{U_k}$ in period $i$ and sends it to $\mathcal{A}$.
2. Signature query: $\mathcal{A}$ may ask for the signature of any identity $ID_{U_k}$ in any period $i$ ($i \le T$); $\mathcal{C}$ generates the signature $e_i$ of identity $ID_{U_k}$ in period $i$ and sends it to $\mathcal{A}$.
Forgery: $\mathcal{A}$ outputs an identity $ID^*_{U_k}$, a period $i^*$, a message $m^*$ and a signature $e_{i^*}$. If $ID^*_{U_k}$ has been subjected to neither a key query nor a signature query, and the signature $e_{i^*}$ passes verification, then $\mathcal{A}$ wins the game. The advantage of $\mathcal{A}$ in winning is:

Lattices and Hardness Assumptions
Definition 1 ([23] Lattice). Given $n$ linearly independent vectors $x_1, x_2, \ldots, x_n$, the lattice they generate is the set of all their integer linear combinations, namely $\Lambda = L(x_1, x_2, \ldots, x_n) = \{\sum_{i=1}^{n} a_i x_i \mid a_i \in \mathbb{Z}\}$.

Definition 2 ([24] Full-rank lattice). The $m$-dimensional full-rank $q$-ary lattices are defined as $\Lambda^{\perp}_q(A) = \{e \in \mathbb{Z}^m : Ae = 0 \bmod q\}$ and $\Lambda^{u}_q(A) = \{e \in \mathbb{Z}^m : Ae = u \bmod q\}$, where $q$ is a prime number, $m$ and $n$ are positive integers, $A \in \mathbb{Z}_q^{n\times m}$ is a matrix and $u \in \mathbb{Z}_q^n$ is a vector. $\Lambda^{\perp}_q(A)$ and $\Lambda^{u}_q(A)$ are abbreviated as $\Lambda^{\perp}(A)$ and $\Lambda^{u}(A)$.

Definition 3 ([24] SIS problem). Given an integer $q$, a matrix $A \in \mathbb{Z}_q^{n\times m}$ and a real number $\beta$, find a non-zero vector $e$ such that $Ae = 0 \bmod q$ and $0 < \|e\| \le \beta$. This is called the SIS (small integer solution) problem. It is considered computationally hard: a solution satisfying these conditions cannot be found in feasible time. Based on this hardness assumption, the SIS problem is widely used to construct lattice-based cryptographic schemes.

Definition 4 ([24] Gaussian distribution). For any positive parameter $\sigma \in \mathbb{R}$ and any vector $a \in \mathbb{R}^n$, $\rho_{\sigma,a}(x) = \exp\left(-\pi\,\frac{\|x - a\|^2}{\sigma^2}\right)$.

Definition 5 ([24,25] Trapdoor-generation algorithm). There is a PPT algorithm which, given a prime $q \ge 3$, a positive integer $m \ge 6n\log q$ and the security parameter $n$, runs $\mathrm{TrapGen}(q, n) \to (A, T)$ and outputs a matrix $A \in \mathbb{Z}_q^{n\times m}$ together with a basis $T \in \mathbb{Z}^{m\times m}$ of the lattice $\Lambda^{\perp}(A)$, such that the distribution of $A$ is statistically indistinguishable from the uniform distribution on $\mathbb{Z}_q^{n\times m}$, the bound $\|T\| \le O(n\,\mathrm{lb}\,q)$ holds, and $\|\tilde{T}\|$ is bounded by a corresponding $O(\cdot)$ term, where $\tilde{T}$ denotes the basis obtained from $T$ by Gram-Schmidt orthogonalization. A trapdoor is a special type of key, usually generated in a public-key cryptosystem, which enables specific security functions such as encryption, signing and identity authentication.

Definition 6 ([26] Lattice-basis delegation algorithm). Let $A \in \mathbb{Z}_q^{n\times m}$ be a full-rank matrix, $R \in \mathcal{D}_{m\times m}$ a matrix, and $T$ a basis of the lattice $\Lambda^{\perp}(A)$. Let the Gaussian parameter satisfy $\sigma > \|\tilde{T}\|\cdot\sigma_R\sqrt{m}\cdot\omega(\mathrm{lb}^{3/2} m)$, where $\sigma_R = n\,\mathrm{lb}\,q\cdot\omega(\sqrt{\mathrm{lb}\,m})$ and $\mathcal{D}_{m\times m}$ denotes the distribution of matrices in $\mathbb{Z}^{m\times m}$ drawn according to $D^m_{\sigma_R}$ and invertible modulo $q$. Then there is a PPT algorithm $\mathrm{BasisDel}(A, R, T, \sigma)$ that outputs a basis $T_B$ of the lattice $\Lambda^{\perp}(AR^{-1})$ such that $\|T_B\| < \sigma/\omega(\mathrm{lb}\,mq)$. Generating a lattice trapdoor is a relatively expensive process; when several pairs of lattice trapdoors are required, the lattice-basis delegation algorithm can quickly derive another pair of related lattice bases from a known pair.

Definition 7 ([24] Hardness of the small integer solution problem). For any polynomially bounded real number $m$, $\beta = \mathrm{poly}(n)$ and prime $q \ge \beta\cdot\omega(\sqrt{n\,\mathrm{lb}\,n})$, solving average-case instances of the SIS problem is as hard as solving the worst-case approximate shortest independent vectors problem ($\mathrm{SIVP}_\gamma$) on lattices, where $\gamma = \beta\cdot O(\sqrt{n})$.

If $I = I'$ and $h = h'$, output $(1, \sigma, \sigma')$; otherwise output $(0, \varepsilon, \varepsilon)$. Let $\mathrm{frk} = \Pr[\,b = 1 : x \leftarrow \mathrm{IG};\ \ldots\,]$.

The random oracle model (ROM) is a general model for proving the security of digital signature schemes. Under the ROM, an important technique for proving a scheme secure is random-oracle replay, i.e., solving a known hard problem by replaying the hash values. The theoretical basis of this technique is the Forking Lemma.

A Strong Forward-Secure Signature Scheme Based on Identity on Lattice
To achieve quantum-attack-resistant security, this section introduces a lattice-basis delegation technology into the key-iteration process and proposes a key-iteration algorithm. This algorithm divides the key into T periods and assigns a unique key pair to each period through forward and backward iterations of two initial keys, which ensures strong forward security of the key. Then, an identity-based signature scheme with strong forward security that can resist quantum attacks is constructed using the proposed key-iteration algorithm.

Strong Forward-Security Key-Iteration Algorithm
Generating a set of lattice bases is relatively complex using the trapdoor-generation algorithm. However, when multiple pairs of lattice bases are needed, the lattice-delegation technology can quickly generate another pair of related new lattice bases based on a known pair. To ensure the security of signatures after the private key is leaked, this section introduces lattice-delegation technology into the key-iteration process, and proposes a bidirectional key-iteration algorithm with strong forward security. The proposed algorithm assigns a unique key pair for each period, therefore ensuring the forward security and backward security of the key. Specifically, in the key-iteration process, PKG divides the key into T periods, the signatures of different periods are relatively independent, and it is impossible to generate keys of other periods from the keys of a certain period. This solves the problem of whether the signature is still legal after the private key is leaked. The key-iteration algorithm for strong forward security is as follows:

Symbol Description
The specific meanings of the symbols used in the strong forward-security signature scheme constructed in this paper are shown in Table 1.

Symbol                     Meaning
                           User K's master public key
$sk_{ID_{U_k}\|0}$         User K's initial forward private key
$sk'_{ID_{U_k}\|0}$        User K's initial backward private key
$SK_{ID_{U_k}\|t}$         The private key of user K in period $t$
$PK_{ID_{U_k}\|t}$         The public key of user K in period $t$
PKG                        Key generation center
$e_i$                      Signature

System Initialization
The strong forward-secure key-iteration algorithm has two entities: PKG and user. First, PKG performs parameter generation and master key generation, then publishes the parameters and sends the master key to the user through a secure channel. Users use the master key and the user key for key iteration and update.

1. System parameter generation. PKG generates the parameters, $\mathrm{Setup}(n) \to PP$: PKG inputs the security parameter $n$, then randomly selects a prime number $q$, a dimension $m > 64 + n\log n/\log 3$, a Gaussian parameter $\sigma_R$ satisfying $\sigma_R = n\,\mathrm{lb}\,q\cdot\omega(\sqrt{\mathrm{lb}\,m})$, and a hash function $H_1$. PKG then publishes the parameters $PP = (n, q, m, \sigma_R, H_1)$.

2. Master key generation. PKG generates the master key, $\mathrm{KeyGen}(PP) \to (M_{U_k}A_0, M_{U_k}T_{A_0}, M_{U_k}B_0, M_{U_k}T_{B_0})$: PKG inputs the public parameter $PP$ and generates the master key through the trapdoor-generation algorithm, $\mathrm{TrapGen}(q, n) \to (M_{U_k}A_0, M_{U_k}T_{A_0})$ and $\mathrm{TrapGen}(q, n) \to (M_{U_k}B_0, M_{U_k}T_{B_0})$. $M_{U_k}T_{A_0}$ and $M_{U_k}T_{B_0}$ are the user's master private key, i.e., $msk = (M_{U_k}T_{A_0}, M_{U_k}T_{B_0})$; $M_{U_k}A_0$ and $M_{U_k}B_0$ are the user's master public key, i.e., $mpk = (M_{U_k}A_0, M_{U_k}B_0)$. PKG transmits $msk$ and $mpk$ to the user through a secure channel.

3. User master key generation. User $U_k$ ($k = 1, 2, \ldots, N$) generates the user master key from the public parameter $PP$, $\mathrm{KeyGen}(PP) \to (U_kA_0, U_kT_{A_0}, U_kB_0, U_kT_{B_0})$: the user $U_k$ inputs $PP$ and generates the user master key through the trapdoor-generation algorithm, $\mathrm{TrapGen}(q, n) \to (U_kA_0, U_kT_{A_0})$ and $\mathrm{TrapGen}(q, n) \to (U_kB_0, U_kT_{B_0})$, where $U_kT_{A_0}$ and $U_kT_{B_0}$ are the user master private key, i.e., $usk = (U_kT_{A_0}, U_kT_{B_0})$, and $U_kA_0$ and $U_kB_0$ are the user master public key, i.e., $upk = (U_kA_0, U_kB_0)$. In addition, the user $U_k$ selects two sets of Gaussian parameters $\sigma$ determined by $\tilde{U}_kT_{A_0}$ and $\tilde{U}_kT_{B_0}$, which are respectively the bases of $U_kT_{A_0}$ and $U_kT_{B_0}$ after Gram-Schmidt orthogonalization.

Key-Iteration Algorithm
User $U_k$ performs key iteration using its identity and its master public/private key pair: the inputs are the user master private key $(U_kT_{A_0}, U_kT_{B_0})$ and the identity $ID_{U_k}$ of user $U_k$. During key iteration the user performs the following operations:

1. Forward private key iteration. The user $U_k$ generates the initial forward private key $sk_{ID_{U_k}\|0}$ at period $t = 0$, which is the initial forward private key with forward security. The user $U_k$ then iterates the forward private key from period $i-1$ to period $i$: since the forward private key $sk_{ID_{U_k}\|i}$ of the $i$-th period is generated from the forward private key $sk_{ID_{U_k}\|i-1}$ of period $i-1$ through the hash function and the lattice-basis delegation algorithm, the forward private keys $sk_{ID_{U_k}\|0}, \ldots, sk_{ID_{U_k}\|i-1}, sk_{ID_{U_k}\|i}, \ldots, sk_{ID_{U_k}\|T}$ are forward-secure.

2. Backward private key iteration. The user $U_k$ generates the initial backward private key $sk'_{ID_{U_k}\|T}$ in period $t = T$, and iterates the backward private key from period $i$ to period $i-1$ via $R'_{ID_{U_k}\|i}$: since the backward private key $sk'_{ID_{U_k}\|i-1}$ of period $i-1$ is generated from the backward private key $sk'_{ID_{U_k}\|i}$ of the $i$-th period through the hash function and the lattice-basis delegation algorithm, the backward private keys $sk'_{ID_{U_k}\|0}, \ldots, sk'_{ID_{U_k}\|T}$ are backward-secure.
The private key of user $U_k$ in period $i$ is $SK_{ID_{U_k}\|i} = sk_{ID_{U_k}\|i} + sk'_{ID_{U_k}\|i}$. Taking $SK_{U_k} = \{SK_{ID_{U_k}\|0}, SK_{ID_{U_k}\|1}, \ldots, SK_{ID_{U_k}\|T}\}$ as the set of all private keys of user $U_k$ over the $T$ periods, the user $U_k$ generates all of them and stores the private key set $SK_{U_k}$. Then it computes $\bar{A}_{ID_{U_k}\|i} = A_{ID_{U_k}\|i} + A'_{ID_{U_k}\|i}$ and $T_{ID_{U_k}\|i} = \bar{A}_{ID_{U_k}\|i}\cdot SK_{ID_{U_k}\|i}$, so that the public key of user $U_k$ in the $i$-th period is $PK_{ID_{U_k}\|i} = (\bar{A}_{ID_{U_k}\|i}, T_{ID_{U_k}\|i})$. The public key set of user $U_k$ over the $T$ periods is $PK_{U_k} = \{PK_{ID_{U_k}\|0}, PK_{ID_{U_k}\|1}, \ldots, PK_{ID_{U_k}\|T}\}$. After generating the public key set, the user $U_k$ first stores $PK_{U_k}$ carefully, and then publishes each period's public key together with the signature after signing.

Key Update
The user $U_k$ updates the key, $\mathrm{Update}(q, n) \to (SK'_{U_k}, PK'_{U_k})$: To ensure the security of the signature system, users are advised to update their keys periodically. As long as the user key has not been leaked and the $T$ periods are not exhausted, the user keeps using the original master key and PKG performs no update; to generate a new user master key in this case, only step 3 of Section 3.1.1 is repeated, followed by the key-iteration computation of Section 3.1.2. When the keys are used up or a key is leaked, the user sends a key request to PKG again to update the master key, i.e., the user redoes all the steps of Sections 3.1.1 and 3.1.2. Since the lattice-basis delegation algorithm is much cheaper than the trapdoor-generation algorithm, the computation completes quickly, so the user can update the key in a relatively short time.

Strong Forward-Secure Signature Scheme on Lattice
This section provides a detailed description of a strong forward-secure signature scheme. The construction of the signature scheme is based on the strong forward-secure key-iteration algorithm KI put forward in Section 3.1. It guarantees strong forward security of signatures under a quantum attack environment.

Key Generation
Suppose the user is $U_k$, the user's identity is $ID_{U_k}$, and the required number of key periods is $T$. The user invokes the strong forward-secure key-iteration algorithm of Section 3.1 to generate the signature keys, $\mathrm{KeyGen}(PP) \to (SK_{U_k}, PK_{U_k})$: on input the public parameter $PP$, the user invokes the key-iteration algorithm of Section 3.1.2 to generate a private key set and a public key set $(SK_{U_k}, PK_{U_k})$ for $T$ periods. The user $U_k$ first stores the set of public keys, and subsequently publishes the public key of the current period along with its signature after signing. After the $T$-period key set is used up, the user $U_k$ invokes the key-update algorithm of Section 3.1.3 to generate another $T'$-period key set $(SK'_{U_k}, PK'_{U_k})$ for a new round of signing and verification.

Sign
When a user intends to sign a message, he checks the private key labels in the private key set to determine the current period. He then publishes the public key of that period along with the signature. A private key becomes invalid once it has been used, because the user deletes the used private key from the private key set; this is what allows the period to be read off the label of the remaining private keys.
$\mathrm{Sign}(PP, m, SK_{ID_{U_k}\|i}) \to e_i$: Assuming the current period is $i$ and the user is $U_k$, $U_k$ uses the private key $SK_{ID_{U_k}\|i}$ of the $i$-th period to sign the message $m$. To sign, the user $U_k$ does the following:

1. Inputs the public parameters $PP$, the message $m \in \{0, 1\}^*$ and the private key $SK_{ID_{U_k}\|i}$ of the $i$-th period.

2. Randomly selects a vector $y_i \leftarrow D^m_{r_i}$.

3. Calculates $c_i = H_2(\bar{A}_{ID_{U_k}\|i}\cdot y_i,\ m)$.

4. Calculates $z_i = SK_{ID_{U_k}\|i}\cdot c_i + y_i$.

5. Outputs the current-period signature $e_i = (c_i, z_i)$ with probability $\min(1, \cdot)$, and re-executes the algorithm if there is no output.

6. Publishes the current-period public key $PK_{ID_{U_k}\|i}$.

Verify
After the user $U_k$ signs the message, the verifier must check the signature to confirm its validity.
$\mathrm{Verify}(PP, m, e_i, PK_{ID_{U_k}\|i}) \to 0/1$: The verifier inputs the public parameter $PP$, the original message $m$, the public key $PK_{ID_{U_k}\|i}$ disclosed by user $U_k$ and the signature $e_i$, and then checks: if $c_i = H_2(\bar{A}_{ID_{U_k}\|i}\cdot z_i - T_{ID_{U_k}\|i}\cdot c_i,\ m)$ and $\|z_i\| \le 2r_i\cdot\sqrt{m}$ both hold, the signature is accepted and the output is 1; otherwise the signature is rejected and the output is 0. Theorem 1 establishes the correctness of the identity-based strong forward-secure signature scheme put forward in this paper.
Theorem 1. The verification process of the signature guarantees the correctness of the signature.
Proof of Theorem 1. The public key is $PK_{ID_{U_k}\|i} = (\bar{A}_{ID_{U_k}\|i}, T_{ID_{U_k}\|i})$, the signature is $e_i = (c_i, z_i)$, the message is $m$, and the public key and the message-signature pair are public. The verifier's success in verifying a correctly generated signature is guaranteed by the following equation: since $z_i = SK_{ID_{U_k}\|i}\cdot c_i + y_i$ and $T_{ID_{U_k}\|i} = \bar{A}_{ID_{U_k}\|i}\cdot SK_{ID_{U_k}\|i}$,
$\bar{A}_{ID_{U_k}\|i}\cdot z_i - T_{ID_{U_k}\|i}\cdot c_i = \bar{A}_{ID_{U_k}\|i}\cdot SK_{ID_{U_k}\|i}\cdot c_i + \bar{A}_{ID_{U_k}\|i}\cdot y_i - \bar{A}_{ID_{U_k}\|i}\cdot SK_{ID_{U_k}\|i}\cdot c_i = \bar{A}_{ID_{U_k}\|i}\cdot y_i,$
so the verifier recomputes exactly the value $(\bar{A}_{ID_{U_k}\|i}\cdot y_i, m)$ that the signer hashed to obtain $c_i$. By verifying the signature, it is confirmed that the signature was indeed generated by the holder of the private key, which guarantees data integrity and unaltered transmission, thereby ensuring the accuracy of the signature.
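The algebra behind this verification check can be exercised with a small toy model. The Python code below is an added example, not the paper's scheme or its authors' code: random small matrices stand in for the lattice bases produced by TrapGen and BasisDel, SHA-256 stands in for $H_2$, a fixed norm bound stands in for the $r_i$-dependent rejection step, and all parameters are constructed and far too small to be secure. It walks through the Sign and Verify steps above with the per-period private-key deletion described in the Sign section, and exercises the identity $\bar{A}z_i - T c_i = \bar{A}y_i$ on which Theorem 1 rests.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only; far too small to be secure.
Q = 257            # modulus q
N = 4              # n: rows of the public matrix A_bar
M = 16             # m: columns of A_bar and length of z
K = M              # k: length of the challenge c, taken equal to m so that SK*c is defined
R_I = 3.0          # stands in for the Gaussian parameter r_i of the signing step
NORM_BOUND = 2 * R_I * M ** 0.5   # verifier's bound ||z_i|| <= 2 r_i sqrt(m)


def mat_vec(mat, vec, q=None):
    """Matrix-vector product over the integers, reduced mod q when q is given."""
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [x % q for x in out] if q else out


def mat_mul(a, b, q):
    """Matrix product a*b mod q (a is n x m, b is m x m)."""
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) % q for col in cols] for row in a]


def norm(vec):
    """Euclidean norm."""
    return sum(x * x for x in vec) ** 0.5


def hash_h2(u, msg):
    """Toy H2: maps (a vector mod q, a message) to a challenge c in {-1,0,1}^K via SHA-256."""
    data = ",".join(str(x) for x in u).encode() + b"|" + msg
    digest = hashlib.sha256(data).digest()
    return [(byte % 3) - 1 for byte in digest[:K]]


def keygen(periods, rng):
    """Toy per-period keys. A random small m x m matrix SK_i stands in for the delegated
    lattice basis, and T_i = A_bar_i * SK_i mod q mirrors the paper's PK_i = (A_bar_i, T_i)."""
    sk_set, pk_set = {}, {}
    for i in range(periods):
        a_bar = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
        sk = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
        sk_set[i] = sk
        pk_set[i] = (a_bar, mat_mul(a_bar, sk, Q))
    return sk_set, pk_set


def current_period(sk_set):
    """The current period is read off the smallest private-key label still in the set."""
    return min(sk_set)


def sign(msg, sk_set, pk_set, rng, max_attempts=1000):
    """Sign in the current period and then delete that period's private key."""
    i = current_period(sk_set)
    sk, (a_bar, _) = sk_set[i], pk_set[i]
    for _ in range(max_attempts):
        y = [rng.randint(-3, 3) for _ in range(M)]          # small random y_i
        c = hash_h2(mat_vec(a_bar, y, Q), msg)              # c_i = H2(A_bar*y_i, m)
        z = [s + t for s, t in zip(mat_vec(sk, c), y)]      # z_i = SK*c_i + y_i (over Z)
        if norm(z) <= NORM_BOUND:        # stands in for the min(1, ...) rejection step
            del sk_set[i]                # the used private key is removed from the set
            return i, (c, z)
    raise RuntimeError("rejection sampling did not terminate")


def verify(msg, period, sig, pk_set):
    """Accept iff ||z|| is within bound and c == H2(A_bar*z - T*c, m)."""
    a_bar, t = pk_set[period]
    c, z = sig
    if norm(z) > NORM_BOUND:
        return False
    # A_bar*z - T*c = A_bar*(SK*c + y) - A_bar*SK*c = A_bar*y (mod q): the Theorem 1 identity
    u = [(p - r) % Q for p, r in zip(mat_vec(a_bar, z), mat_vec(t, c))]
    return hash_h2(u, msg) == c


def run_demo(seed=2024):
    """Generate keys, sign once, and report the checks a practitioner would look at."""
    rng = random.Random(seed)
    sks, pks = keygen(3, rng)
    msg = b"constructed sample message"
    period, sig = sign(msg, sks, pks, rng)
    return {
        "period": period,
        "valid": verify(msg, period, sig, pks),
        "tampered": verify(msg + b"!", period, sig, pks),
        "wrong_period": verify(msg, period + 1, sig, pks),
        "next_period": current_period(sks),
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` shows the signature of period 0 verifying, a tampered message and a public key from a different period both failing, and the private-key set advancing to period 1 because the used key was deleted. Only correctness is exercised here: the unforgeability argument of Theorem 2 rests on the SIS structure of the real lattice keys, which random matrices do not have.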

Existential Unforgeability against Chosen-Message Attacks
Theorem 2 establishes the existential unforgeability of the identity-based strong forward-secure signature scheme proposed in this paper.
Under the hardness assumption of the SIS problem on lattices, it is proved that the identity-based strong forward-secure signature scheme on lattices is existentially unforgeable.

Theorem 2.
Under the random oracle model, according to the difficulty assumption of the SIS problem, the identity-based strong forward-secure signature scheme on the lattice realizes the existential unforgeability under the chosen-message attacks.

Proof of Theorem 2.
Assume that there is a PPT adversary $\mathcal{A}$ who, after polynomially many queries, outputs a forged signature with non-negligible probability, thereby breaking the unforgeability of the identity-based strong forward-secure signature scheme of Section 3.2. Then a simulator $\mathcal{C}$ with non-negligible advantage can be constructed that solves an instance of the SIS problem.
Parameter establishment: $\mathcal{C}$ selects two hash functions $H_1 : \{0, 1\}^* \to \mathbb{Z}^{m\times m}$ and $H_2 : \{0, 1\}^* \to \{v : v \in \{-1, 0, 1\}^k,\ \|v\| \le k\}$, generates matrices $M_{U_k}A_0, M_{U_k}B_0 \in \mathbb{Z}_q^{n\times m}$ and $M_{U_k}T_{A_0}, M_{U_k}T_{B_0}, U_kT_{A_0}, U_kT_{B_0} \in \mathbb{Z}^{m\times m}$, and sends $(M_{U_k}A_0, M_{U_k}B_0, H_1, H_2)$ to $\mathcal{A}$.
$H_1$ query: For any period $i$ ($i = 1, 2, \ldots, T$), the simulator $\mathcal{C}$ maintains two lists $L_1$ and $L'_1$. When $\mathcal{A}$ queries $H_1$ on $(ID_{U_k}, U_kT_{A_0}, i)$: if the tuple $(ID_{U_k}, U_kT_{A_0}, i, Q_i)$ is in $L_1$, $\mathcal{C}$ uses $Q_i$ as the response; otherwise $\mathcal{C}$ randomly chooses $G_i \in \mathbb{Z}_q^{m\times m}$, uses $G_i$ as the response, and then adds $(ID_{U_k}, U_kT_{A_0}, i, G_i)$ to $L_1$. When $\mathcal{A}$ queries $H_1$ on $(ID_{U_k}, U_kT_{B_0}, i)$: if the corresponding tuple $(ID_{U_k}, U_kT_{B_0}, i, O_i)$ is in $L'_1$, $\mathcal{C}$ uses $O_i$ as the response; otherwise $\mathcal{C}$ randomly chooses $J_i \in \mathbb{Z}_q^{m\times m}$, uses $J_i$ as the response, and then adds $(ID_{U_k}, U_kT_{B_0}, i, J_i)$ to $L'_1$.
$H_2$ query: $\mathcal{C}$ maintains a list $L_2 = \{(\bar{A}_{ID_{U_k}\|i}\cdot y_i, c_i)\}$ of $H_2$ queries, initially empty. When $\mathcal{A}$ queries $H_2$ on $\bar{A}_{ID_{U_k}\|i}\cdot y_i$: if $(\bar{A}_{ID_{U_k}\|i}\cdot y_i, c_i)$ is in $L_2$, $\mathcal{C}$ responds with $c_i$; otherwise $\mathcal{C}$ randomly chooses $C_i \in \mathbb{Z}_q^k$, uses it as the response, and then adds $(\bar{A}_{ID_{U_k}\|i}\cdot y_i, C_i)$ to $L_2$.
Key query: $\mathcal{C}$ maintains a list $L_3 = \{(ID_{U_k}, U_kT_{A_0}, i), (ID_{U_k}, U_kT_{B_0}, i), \bar{A}_{ID_{U_k}\|i}, SK_{ID_{U_k}\|i}\}$, initially empty, and responds to initial or iterative key queries as follows:
1. $\mathcal{C}$ first checks whether a corresponding hash value exists in the lists $L_1$ and $L'_1$; if so, it directly returns that hash value and calculates $A_{ID_{U_k}\|i}$. If no corresponding hash value exists, $\mathcal{C}$ randomly selects a matrix $P_i \in \mathbb{Z}_q^{n\times m}$, runs the $\mathrm{BasisDel}$ algorithm to generate a private key $SK_{ID_{U_k}\|i}$, and adds it to the list $L_3$.
2. $\mathcal{C}$ maintains a list $L_4 = \{(ID_{U_k}, U_kT_{A_0}, i), (ID_{U_k}, U_kT_{B_0}, i), SK_{ID_{U_k}\|i}, sk_{ID_{U_k}\|i-1}, sk_{ID_{U_k}\|i+1}\}$. If $\mathcal{A}$ performs a key query on $(ID_{U_k}, i)$, $\mathcal{C}$ returns the current-period private key $SK_{ID_{U_k}\|i}$ as the response. Then $\mathcal{C}$ checks whether a corresponding hash value exists in $L_1$ and $L'_1$, and if so directly returns it. If no corresponding hash value exists, $\mathcal{C}$ randomly selects a matrix $G_i \in \mathbb{Z}_q^{m\times m}$, runs the $\mathrm{BasisDel}$ algorithm to generate a forward private key $sk_{ID_{U_k}\|i-1}$ and a backward private key $sk_{ID_{U_k}\|i+1}$, and adds them to the list $L_4$.
Signature query: Adversary $\mathcal{A}$ asks for the signature of a message $m$. $\mathcal{C}$ first checks the lists $L_1$, $L'_1$ and $L_2$; for any period $i \le T$, if a corresponding hash value exists, $\mathcal{C}$ calculates $z_i = SK_{ID_{U_k}\|i}\cdot c_i + y_i$ and outputs the current-period signature $e_i = (c_i, z_i)$ with probability $\min(1, \cdot)$; otherwise $\mathcal{C}$ randomly selects vectors $c'_i$ and $z'_i$, obtains $c_i$ through the $H_2$ query $H_2(\bar{A}_{ID_{U_k}\|i}\cdot z'_i - T_{ID_{U_k}\|i}\cdot c'_i,\ m)$, and then computes $z_i = SK_{ID_{U_k}\|i}\cdot c_i + y_i$ to output the current-period signature $e_i = (c_i, z_i)$.
Forgery: The adversary ends the above queries and outputs an identity $ID^*_{U_k}$ for the current period $i^*$, a message $m^*$ and a current-period signature $e_{i^*}$. The adversary wins if the following conditions hold:
1. $ID^*_{U_k}$ has not been queried in the key query.
2. $(ID^*_{U_k}, i^*, m^*)$ has not been asked in the signature query.
3. The signature $e_{i^*}$ passes verification.
According to the Forking Lemma used in the security proof, when adversary $\mathcal{A}$ successfully forges a signature $e_{i^*}$ and simulator $\mathcal{C}$ uses it to solve the hard problem, the challenge process is run twice so that the two runs agree for a while and then diverge at a certain point. This allows simulator $\mathcal{C}$ to solve the hard problem. Hence the following equation holds: $\bar{A}_{ID_{U_k}\|i}\cdot z_i - T_{ID_{U_k}\|i}\cdot c_i = A\cdot z_{i^*} - T_{ID_{U^*_k}\|i^*}\cdot c_{i^*}$, where $T_{ID_{U_k}\|i} = \bar{A}_{ID_{U_k}\|i}\cdot SK_{ID_{U_k}\|i}$ and $T_{ID_{U^*_k}\|i^*} = \bar{A}\cdot SK_{ID_{U^*_k}\|i^*}$. After transforming this equation, $\lambda_1$ and $\lambda_2$ are both non-zero vectors with $A_0\lambda_1 = 0$ and $B_0\lambda_2 = 0$, so $\lambda_1$ and $\lambda_2$ are regarded as solutions to the SIS problem.
If there exists an adversary that can forge a valid signature of the digital signature scheme with probability $acc$, then there exists an algorithm $F_B$ that outputs a solution of the SIS problem instance with probability $\mathrm{Adv} \ge acc\cdot(\ldots)$, where $q_{H_1}$ and $q_{H_2}$ respectively denote the numbers of $H_1$ and $H_2$ queries, $q_s$ the number of signature queries, and $h$ the number of replies to random oracle queries. In this way the simulator solves the SIS problem with non-negligible advantage; but because the SIS problem is computationally hard, such an adversary cannot break our scheme, so the scheme is secure.

1. The key-iteration algorithm has forward security. The user's signature private key iterates as the period increases. If an attacker obtains user $U_k$'s signature private key $SK_{ID_{U_k}\|j}$ of period $j$ and wants to use it to obtain the private key $SK_{ID_{U_k}\|j-1}$ of period $j-1$, the attacker must solve the small integer solution problem on the lattice. Because of the computational hardness of this problem, the attacker cannot obtain from $SK_{ID_{U_k}\|j}$ the private key $SK_{ID_{U_k}\|j-1}$, nor the private keys $SK_{ID_{U_k}\|j-2}, SK_{ID_{U_k}\|j-3}, \ldots, SK_{ID_{U_k}\|1}$ used for the existing signatures.

2. The signature scheme is forward-secure. The user $U_k$'s signature in the $j$-th period is $e_j = (c_j, z_j)$, where $c_j = H_2(\bar{A}_{ID_{U_k}\|j}\cdot y_j,\ m)$, $z_j = SK_{ID_{U_k}\|j}\cdot c_j + y_j$, $m$ is the message, $PK_{ID_{U_k}\|j} = (\bar{A}_{ID_{U_k}\|j}, T_{ID_{U_k}\|j})$ is the public key, and $y_j$ is selected randomly. Suppose the attacker wants to forge a signature of period $j-1$. Since the public key is public, the attacker is able to compute $c_{j-1}$; to forge the signature, however, he must also compute $z_{j-1}$, which requires the private key of period $j-1$. Due to the hardness of the small integer solution problem on the lattice, even if the attacker obtains the signature key of period $j$, he cannot derive the signature key of period $j-1$, so a valid signature cannot be generated. This ensures the forward security of the signature.

1. The key-iteration algorithm has backward security. The user's signature private key iterates as the period decreases. If an attacker obtains user $U_k$'s signature private key $SK_{ID_{U_k}\|j}$ of period $j$ and wants to use it to obtain the private key $SK_{ID_{U_k}\|j+1}$ of period $j+1$, the attacker must solve the small integer solution problem on the lattice, so the attacker cannot obtain the private key $SK_{ID_{U_k}\|j+1}$ from $SK_{ID_{U_k}\|j}$, nor the private keys $SK_{ID_{U_k}\|j+2}, SK_{ID_{U_k}\|j+3}, \ldots, SK_{ID_{U_k}\|T}$ used for the subsequent signatures.

2. The signature scheme is forward-secure. The user $U_k$'s signature in the $j$-th period is $e_j = (c_j, z_j)$, where $c_j = H_2(\bar{A}_{ID_{U_k}\|j}\cdot y_j,\ m)$, $z_j = SK_{ID_{U_k}\|j}\cdot c_j + y_j$, $m$ is the message, $PK_{ID_{U_k}\|j} = (\bar{A}_{ID_{U_k}\|j}, T_{ID_{U_k}\|j})$ is the public key, and $y_j$ is selected randomly. Suppose the attacker wants to forge a signature of period $j+1$. If the user $U_k$ has already signed with $SK_{ID_{U_k}\|j+1}$, the corresponding public key has been disclosed by $U_k$, so the attacker is able to compute $c_{j+1}$; to forge the signature, however, he still needs to compute $z_{j+1}$, which requires the private key of period $j+1$. Due to the hardness of the small integer solution problem on the lattice, even if the attacker obtains the signature key of period $j$, he cannot derive the signature key of period $j+1$, so a valid signature cannot be generated. This ensures the forward security of the signature. If the user $U_k$ has not yet used $SK_{ID_{U_k}\|j+1}$ to sign, then $U_k$ has not disclosed the public key; by the collision resistance of the hash function, the attacker cannot compute $c_j$, let alone $z_j$. Therefore a valid signature cannot be generated, which again ensures the forward security of the signature.
Since the key-iteration algorithm and the signature scheme have both forward security and backward security, it is shown that the scheme proposed in Section 3 has strong forward security.

Remote Identity Authentication to Resist Quantum Attacks
With the popularity of the Internet, it has become more convenient and effective to use the Internet to engage in various activities, which inevitably requires the credibility of the participants. To ensure consistency between the users' real identity and the digital identity on the network, it is necessary to use some technical verification methods for consistency verification. Identity-authentication technology solves the problem of consistency. It is an effective means to ensure information security. It plays an important role in information systems and is used as a tool to confirm the validity of participants' identities.

Overview of Remote Identity Authentication
Remote identity authentication is the process of verifying a user's identity over a network or other remote communication channel. It allows users to authenticate, and so gain access to systems or resources, without having to be present in person. Remote identity authentication includes static authentication, dynamic authentication, and multi-factor authentication [29]. It has been deployed in a number of public domains and has become a common authentication method. Dynamic authentication based on digital signatures plays a significant part in many fields because of its particular properties and its real-time character [30].
Applying a digital signature scheme to the workflow of dynamic remote identity authentication can guarantee the security of the authentication process. The whole process consists of two stages, registration and authentication. In the registration stage, the user stores their information on the server. In the authentication stage, the user and the server interact so that the user can prove their identity [31]. This section applies the identity-based strong forward-secure signature scheme proposed in Section 3 to the remote identity-authentication process in order to obtain a secure remote identity-authentication scheme.
A lattice-based signature scheme relies on hard lattice problems as its fundamental security assumption. The signature scheme proposed in Section 3 is built on the SIS problem, for which no efficient quantum algorithm is currently known. The lattice-based signature scheme therefore retains strong security under attack by quantum computers.

Lattice-Based Strong Forward-Secure Signature Scheme for Remote Authentication
In a remote identity-authentication process based on a signature scheme, if only one public-private key pair is generated when the user registers, the signing private key used by the user in every authentication run remains the same. If that key is leaked, the entire authentication process is no longer safe. The user's signature system then has to be renewed; otherwise a malicious third party may obtain the user's important information stored on the server.
Renewing the user's signature system is, however, inconvenient. Applying an identity-based strong forward-secure signature scheme to remote user authentication reduces the impact of key leakage. In the identity-based strong forward-secure signature scheme, there is a unique key pair for signing and verification in every period, so even if one private key is accidentally leaked from the user's storage, the user's subsequent identity authentications remain safe. Because the signing private key has strong forward security, an attacker cannot compute the private keys of other periods from one leaked private key and so cannot impersonate a legitimate user during authentication. The remote identity-authentication framework of the lattice-based strong forward-secure signature scheme is shown in Figure 2.


Enrollment Phase
When the user registers, they first send their identity information to the PKG to obtain the master private key and master public key, and then derive a public-private key set from these master keys. After that, the user sends their identity and public key set to the server, encrypted under the server's public key. On receiving the ciphertext, the server decrypts it with its private key to obtain the user identity and public key set, and stores them in the server database. The specific registration process is:
1. The user $U_k$ first determines the required number of periods $T$ and initiates a key request to the PKG to obtain the master private key $M^{U_k}_{T_{A_0}}$ and the master public key $M^{U_k}_{T_{B_0}}$. The user $U_k$ then uses $M^{U_k}_{T_{A_0}}$ and $M^{U_k}_{T_{B_0}}$ to generate the private key set $SK_{U_k}$ and the public key set $PK_{U_k}$ (one key pair per period), and stores both sets carefully.
2. The server uses a public-key encryption algorithm to generate a public-private key pair $(ssk, spk)$ and sends the public key $spk$ to the user $U_k$ for encrypting the transmitted identity information.
3. The user $U_k$ encrypts the identity $ID_{U_k}$ and the public key set $PK_{U_k}$ with the server's public key $spk$ and sends the ciphertext to the server.
4. The server decrypts the ciphertext with $ssk$, obtains the user's $ID_{U_k}$ and $PK_{U_k}$, and stores them in the server's database.
After registration is completed, the user $U_k$ is a legitimate user of the server and performs remote identity authentication through the server.

Authentication Phase
The user $U_k$ proves their identity to the server through the following interactions:
1. The user $U_k$ checks the private key number in the private key set to determine the current period $t$ ($t \le T$), encrypts the user identity $ID_{U_k}$ together with the public key of the current period $PK_{ID_{U_k}||t}$ under the server's public key $spk$, and sends the ciphertext to the server.
2. After receiving the ciphertext, the server decrypts it with its private key $ssk$ to obtain the user's $ID_{U_k}$ and the current-period public key $PK_{ID_{U_k}||t}$, and compares this identity and public key with those stored in its database. If they are consistent, continue with step 3; otherwise stop the interaction.
3. The server randomly selects a challenge message and sends it to the user.
4. The user generates a reply to the challenge and takes the challenge together with the reply as the message to be signed.
5. The user signs the message with the private key of the current period $SK_{ID_{U_k}||t}$ and sends the message-signature pair to the server.
6. After receiving the message-signature pair, the server verifies it with the public key $PK_{ID_{U_k}||t}$. If the signature verifies, the user is authenticated; otherwise authentication fails.
The remote identity-authentication process of the lattice-based strong forward-secure signature scheme is shown in Figure 3.
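The following is an added example of the enrollment and authentication phases described above; it is not the paper's code. The paper's SIS-based signature is not specified in this section in enough detail to implement, so a Lamport one-time hash-based signature (also quantum-resistant) stands in for it: each period key can therefore sign only once in this toy, whereas the paper's period key can sign many messages. The `User` and `Server` classes, the sample identity, the omission of the $spk$/$ssk$ transport encryption, and the rollback guard (the server refusing a period at or below the last one it accepted) are all assumptions of the example. The rollback guard is not one of the paper's steps; it is the check a practitioner would want, because step 2 alone only confirms that the presented public key is in the database, and an attacker holding a leaked old-period key could otherwise re-authenticate as that old period.

```python
# Added example: challenge-response remote authentication with one signing key
# per period. A Lamport one-time hash-based signature (assumed here) stands in
# for the paper's lattice scheme; spk/ssk transport encryption is omitted.
import hashlib
import secrets

N_BITS = 256  # SHA-256 digest length: one secret pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Return (sk, pk): 256 pairs of random preimages and their SHA-256 images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(N_BITS)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for every digest bit, the preimage that bit selects (one-time key)."""
    return [pair[b] for pair, b in zip(sk, _digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(H(s) == pair[b] for s, pair, b in zip(sig, pk, _digest_bits(msg)))


class User:
    """Holds SK_{U_k} and PK_{U_k}: a unique key pair for each of T periods."""

    def __init__(self, identity: str, periods: int):
        self.identity = identity
        self.sk_set, self.pk_set = [], []
        for _ in range(periods):
            sk, pk = lamport_keygen()
            self.sk_set.append(sk)
            self.pk_set.append(pk)
        self.t = 0  # current period, chosen by the user from the key set

    def respond(self, challenge: bytes):
        """Steps 4-5: reply to the challenge and sign challenge||reply with SK_{ID||t}."""
        msg = challenge + secrets.token_bytes(16)
        return msg, lamport_sign(self.sk_set[self.t], msg)

    def advance_period(self):
        self.sk_set[self.t] = None  # erase the used one-time key
        self.t += 1


class Server:
    def __init__(self):
        self.db = {}           # ID_{U_k} -> PK_{U_k} (per-period public keys)
        self.last_period = {}  # ID_{U_k} -> last accepted period (added guard)
        self.pending = {}      # ID_{U_k} -> (period, challenge) awaiting a reply

    def enroll(self, identity: str, pk_set):  # registration step 4
        self.db[identity] = list(pk_set)
        self.last_period[identity] = -1

    def begin_auth(self, identity: str, t: int, pk_t):
        """Auth steps 2-3: check ID and PK_{ID||t} against the database, then challenge."""
        pk_set = self.db.get(identity)
        if pk_set is None or not 0 <= t < len(pk_set) or pk_set[t] != pk_t:
            return None
        if t <= self.last_period[identity]:  # added: refuse an already-used period
            return None
        challenge = secrets.token_bytes(32)
        self.pending[identity] = (t, challenge)
        return challenge

    def finish_auth(self, identity: str, msg: bytes, sig) -> bool:
        """Auth step 6: verify the message-signature pair with the stored PK_{ID||t}."""
        state = self.pending.pop(identity, None)
        if state is None:
            return False
        t, challenge = state
        if not msg.startswith(challenge):  # must answer the challenge we issued
            return False
        if not lamport_verify(self.db[identity][t], msg, sig):
            return False
        self.last_period[identity] = t
        return True


def run_demo(periods: int = 3) -> dict:
    """Enroll, authenticate, then try what an attacker with a leaked old key can do."""
    server, user = Server(), User("alice", periods)  # constructed sample user
    server.enroll(user.identity, user.pk_set)
    leaked_sk0 = user.sk_set[0]  # attacker obtains a copy of the period-0 key
    out = {}
    ch = server.begin_auth(user.identity, user.t, user.pk_set[user.t])
    msg, sig = user.respond(ch)
    out["period0_auth"] = server.finish_auth(user.identity, msg, sig)
    out["replay"] = server.finish_auth(user.identity, msg, sig)  # no open challenge
    # Rollback guard: the leaked key's period is no longer accepted at all ...
    out["rollback_refused"] = server.begin_auth(user.identity, 0, user.pk_set[0]) is None
    # ... and a period-1 challenge signed with the period-0 key does not verify.
    ch = server.begin_auth(user.identity, 1, user.pk_set[1])
    forged = ch + b"attacker-reply"
    out["cross_period_forgery"] = server.finish_auth(
        user.identity, forged, lamport_sign(leaked_sk0, forged))
    user.advance_period()  # the legitimate user moves on to period 1
    ch = server.begin_auth(user.identity, user.t, user.pk_set[user.t])
    msg, sig = user.respond(ch)
    out["period1_auth"] = server.finish_auth(user.identity, msg, sig)
    return out
```

Running `run_demo()` shows the legitimate user succeeding in periods 0 and 1, a replay of an already-accepted message-signature pair failing because no challenge is open, and the holder of the leaked period-0 key being refused both at period 0 (rollback guard) and at period 1 (the period-0 key does not verify under $PK_{ID_{U_k}||1}$). With the paper's lattice scheme the last point follows from the strong forward security of the key iteration; here the per-period keys are simply independent.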



Conclusions
In a digital signature scheme, if the key is leaked, the scheme becomes insecure. To reduce the impact of leaked keys on the security of a signature scheme, a strong forward-secure signature scheme is proposed in this paper. With the emergence of quantum computing, the security of schemes based on RSA and the discrete logarithm problem is broken. Therefore, a strong forward-secure signature scheme that is resistant to quantum attacks is proposed here. A trapdoor-generation algorithm, lattice-basis delegation technology, and a hash function are used to assign a unique key pair to every period by iterating the key. These algorithms ensure both the forward security and the backward security of the key, so that the key has strong forward security. Under the random oracle model, the proposed signature scheme satisfies existential unforgeability under the hardness assumption of the SIS problem. This paper has thus presented a lattice-based strong forward-secure signature scheme in the random oracle model; a lattice-based strong forward-secure signature scheme in the standard model will be studied in future work.