Quantum-Resistant Identity-Based Signature with Message Recovery and Proxy Delegation
Abstract
1. Introduction
1.1. Related Work
1.2. Our Contribution
2. Preliminaries
2.1. Notations
2.2. Lattice Theory
3. Identity-Based Proxy Signature with Message Recovery
- In our model the delegation information is public, so anyone can verify its legality; in [11], by contrast, the delegation information is sent to the proxy signer secretly, and only the proxy signer can verify it. Our model therefore needs no secure channel to transmit delegation information, and every user can check that a delegation is legitimate.
- To make the security goals easier to state, we split scheme security into two notions: existential unforgeability of delegation information against adaptive chosen-warrant-and-identity attacks (EUF-ID-CWA), and existential unforgeability of signatures against adaptive chosen-message-and-identity attacks (EUF-ID-CMA). EUF-ID-CWA guarantees that delegation information cannot be forged; EUF-ID-CMA guarantees that proxy signatures cannot be forged.
3.1. Our Model
- : On input the security parameter n, PKG outputs the system public parameters and the system secret master key .
- : Given an identity , PKG uses the system secret master key to produce the secret key for the identity .
- : The original signer inputs his secret key and the warrant w associated with the proxy signer , computes the delegation , and publishes the delegation information to all system users.
- : Any system user verifies the legality of the delegation information . If it is legal, the output is 1 and the delegation is accepted; otherwise, the output is 0 and the delegation is rejected.
- : The proxy signer verifies whether the delegation information is valid. If it is invalid, he rejects the delegation. Otherwise, he inputs his secret key and the delegation information and outputs the delegated secret key .
- : The proxy signer inputs his delegated secret key and the message and outputs the proxy signature .
- : Any system user first recovers the message associated with the signature and then verifies the legality of the message/signature pair with regard to . If it is legal, the output is 1 and the message is accepted; otherwise, the output is 0 and the message is rejected.
3.2. Security Definitions
3.2.1. EUF-ID-CWA
- Initial Phase: The challenger runs the algorithm to obtain the system public parameters and the system secret master key . returns to the forger and keeps for himself.
- Query Phase: The forger adaptively makes polynomially many of the following queries, and the challenger must answer them consistently.
  1. : selects a user identity and sends it to the challenger . invokes the algorithm to obtain the associated secret key and returns to .
  2. : selects the original signer , the proxy signer , and the warrant w, and sends all of them to the challenger . executes the query to obtain the associated secret key , then invokes the algorithm to obtain and returns it to .
- Forge Phase: The forger outputs his forgery . His attack succeeds if the following conditions are satisfied: , does not occur in any query, and does not occur in any query.
3.2.2. EUF-ID-CMA
- Initial Phase: The challenger runs the algorithm to obtain the system public parameters and the system secret master key . returns to the forger and keeps secret.
- Query Phase: The forger adaptively makes polynomially many of the following queries, and the challenger must answer them consistently.
  1. : selects a user identity and sends it to the challenger . invokes the algorithm to obtain the secret key and returns to .
  2. : selects the original signer , the proxy signer , and the warrant w, and submits them to the challenger . executes the query to obtain the associated secret , then invokes the algorithm to obtain and returns it to .
  3. : sends the delegation information to the challenger . first verifies its validity. If it is invalid, he refuses to respond. Otherwise, executes a query to obtain the secret key , invokes the algorithm to obtain the delegated secret key , and returns it to .
  4. : submits and the message to the challenger . verifies the legality of . If it is illegal, refuses to answer the query. Otherwise, he executes the query to obtain the delegated secret key , invokes the algorithm to obtain the signature , and returns it to .
- Forge Phase: The forger outputs his forgery . Recovering the message from , his attack succeeds if the following conditions hold: , does not occur in any query, and does not occur in any query.
4. Our Scheme
- : On input the security parameter n, PKG works as follows:
  1. Invoke the algorithm to obtain a pair of matrices , .
  2. Let be a secure hash function.
  3. Let be secure hash functions whose images have Hamming weight at most .
  4. Let be a secure hash function such that every column vector in its image has a small Hamming weight bounded by .
  5. Let be a secure hash function, where is also the length of the message .
  6. Let , be encoding functions.
  Finally, PKG outputs the public parameters = and the secret master key .
- : Given an identity , PKG works as follows:
  1. Sample such that for all . If for some , resample. According to [22], the probability that for some is less than .
  2. Invoke the algorithm to obtain , which follows the distribution , such that .
  3. Return as the secret key for the identity .
- : The original signer inputs his secret key and the warrant associated with the proxy signer , and performs the following steps:
  1. Sample , where is the uniform distribution on .
  2. Let , .
  3. Let . If , go back to step 1 and resample .
  4. Return with probability , and publish the delegation information to all users.
- : Any user verifies the legality of the delegation information as follows:
  1. Compute .
  2. If and , output 1 and accept the delegation. Otherwise, output 0 and reject it.
- : The proxy signer inputs his secret key and the delegation information , computes , and outputs as the delegated secret key.
- : The proxy signer inputs his delegated secret key and the message , and performs the following steps:
  1. Sample , compute .
  2. Let , .
  3. Compute , .
  4. Let .
  5. If , go back to step 1 and resample y. Otherwise, return the proxy signature with probability
- : Any user verifies the proxy signature with the following steps. We assume here that the legality of the delegation information has already been verified.
  1. Compute .
  2. Compute , .
  3. If and , accept the signature and output 1; otherwise, output 0 and reject the signature.
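As an added illustration of the mechanics described in Sections 3 and 4 (a short secret with a public image under A, a hash-derived low-Hamming-weight challenge, rejection sampling in signing, recovery of the message from the signature rather than sending it alongside, and a delegation that anyone can verify), here is a toy Python implementation of the Fiat-Shamir-with-aborts pattern the scheme follows. It is not the paper's scheme and not the authors' code: the modulus, dimensions, bounds, hash-to-challenge mapping, redundancy padding and the way the delegation is formed are all assumptions chosen for readability, the parameters are far too small to be secure, and the paper's delegated-key construction (combining the proxy's key with the delegation) is replaced by a plain signature of the original signer on the warrant. The warrant and message bytes are constructed sample inputs.

```python
"""Toy Fiat-Shamir-with-aborts lattice signature with message recovery.
Added illustration, not the paper's scheme; every parameter below is an
assumption and far too small to be secure."""
import hashlib
import secrets

Q, N, M, K = 12289, 8, 16, 32      # modulus; A is N x M over Z_q, S is M x K
KAPPA = 4                          # Hamming weight of the challenge vector c
B = 1024                           # masking vector y is uniform on [-B, B]^M
BETA = B - KAPPA                   # |z|_inf bound: |S c|_inf <= KAPPA since S is in {-1,0,1}
MSG_LEN, TAG_LEN = 16, 8           # fixed message length and redundancy tag length


def matvec(mat, x, mod=None):
    """Matrix-vector product; no reduction when mod is None (short vectors)."""
    out = [sum(a * xi for a, xi in zip(row, x)) for row in mat]
    return [o % mod for o in out] if mod else out


def ser(vec):
    return b"".join((v % Q).to_bytes(2, "big") for v in vec)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def challenge(seed):
    """Hash seed -> c in {-1,0,1}^K with exactly KAPPA nonzero entries (K divides 256)."""
    c, stream, i = [0] * K, hashlib.shake_256(seed).digest(512), 0
    while K - c.count(0) < KAPPA:
        pos, sign_bit = stream[i] % K, stream[i + 1] & 1
        i += 2
        if c[pos] == 0:
            c[pos] = 1 if sign_bit else -1
    return c


def pad(m):
    """Redundant encoding: a recovered m is accepted only if its tag matches."""
    if len(m) != MSG_LEN:
        raise ValueError("fixed-length messages only")
    return m + hashlib.sha256(b"tag" + m).digest()[:TAG_LEN]


def keygen():
    A = [[secrets.randbelow(Q) for _ in range(M)] for _ in range(N)]
    S = [[secrets.randbelow(3) - 1 for _ in range(K)] for _ in range(M)]   # short secret
    T = [[sum(A[i][l] * S[l][j] for l in range(M)) % Q for j in range(K)] for i in range(N)]
    return (A, T), S


def sign(pk, S, m):
    A, T = pk
    p = pad(m)
    while True:                                   # Fiat-Shamir with aborts
        y = [secrets.randbelow(2 * B + 1) - B for _ in range(M)]
        v = matvec(A, y, Q)
        r = xor(hashlib.shake_256(b"H2" + ser(v)).digest(len(p)), p)   # r = H2(v) xor pad(m)
        c = challenge(b"H1" + ser(sum(T, [])) + r)                    # challenge binds the key
        z = [yi + si for yi, si in zip(y, matvec(S, c))]               # z = y + S c, no mod q
        if max(abs(zi) for zi in z) <= BETA:      # otherwise abort: z would leak S
            return z, r


def verify_recover(pk, sig):
    """Return the recovered message, or None if the signature is invalid."""
    A, T = pk
    z, r = sig
    if len(z) != M or len(r) != MSG_LEN + TAG_LEN or max(abs(zi) for zi in z) > BETA:
        return None
    c = challenge(b"H1" + ser(sum(T, [])) + r)
    v = [(az - tc) % Q for az, tc in zip(matvec(A, z, Q), matvec(T, c, Q))]   # A z - T c = A y
    p = xor(hashlib.shake_256(b"H2" + ser(v)).digest(len(r)), r)
    m = p[:MSG_LEN]
    return m if pad(m) == p else None


def delegate(pk_orig, S_orig, warrant):
    """Public delegation: a signature on the warrant that any user can verify."""
    return sign(pk_orig, S_orig, warrant)


def proxy_verify(pk_orig, delegation, pk_proxy, sig):
    """Recover warrant and message; None if either signature fails."""
    w = verify_recover(pk_orig, delegation)
    m = verify_recover(pk_proxy, sig) if w is not None else None
    return (w, m) if m is not None else None


if __name__ == "__main__":
    pk_a, sk_a = keygen()
    pk_b, sk_b = keygen()
    deleg = delegate(pk_a, sk_a, b"proxy=B,exp=2019")   # constructed warrant
    sig = sign(pk_b, sk_b, b"pay 100 to C now")         # constructed message
    print(proxy_verify(pk_a, deleg, pk_b, sig))
```

The rejection step is what keeps z independent of S: y is uniform on [-B, B]^M and |S c|_inf <= KAPPA, so accepting only |z|_inf <= B - KAPPA leaves z uniform on that box whatever S is, which is the same role the abort-and-resample steps play in the scheme above. Two things to check in a real implementation: the norm test and the sampling of y must not leak through timing, and the challenge must bind the verifying key (here T; in the identity-based setting, the identity) so a signature cannot be replayed under another key.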
5. Scheme Analysis
5.1. Parameter Setting
5.2. Correctness of the Scheme
5.3. Security Analysis
5.3.1. EUF-ID-CWA Security
- Initial Phase: selects , , and submits A, , and to the forger as the system parameters.
- Query Phase: The forger makes the following queries, and gives consistent answers:
  1. query: selects a user identity and sends it to . samples , , and lets . He saves in the list and returns to .
  2. query: selects a warrant associated with the original signer and the proxy signer , and sends all of them to . randomly samples with Hamming weight at most , selects uniformly, and lets . If some entry in is larger than , resamples and again. Because , the probability that every entry in is smaller than is larger than . Finally, saves in list and returns to .
  3. query: selects a user identity and sends it to the challenger . searches list for and returns . If it does not exist, first makes a query.
  4. query: selects the original signer , the proxy signer , and the warrant , and sends all of them to . looks up in list and returns . If it does not exist, first makes a query.
- Forge Phase: The forger outputs his forgery . Because queries at most times and queries at most times, the number of is at most . Suppose they are , , ⋯, . For , the probability that generates such that is , which is negligible, so ∈ with overwhelming probability .
5.3.2. EUF-ID-CMA Security
- Initial Phase: selects , , and submits A, , and to the forger as the system parameters.
- Query Phase: The forger makes the following queries, and gives consistent answers:
  1. query: selects a user identity and sends it to . samples , , and lets . He saves in the list and returns to .
  2. query: selects a warrant associated with the original signer and the proxy signer , and sends all of them to . randomly samples with Hamming weight at most , selects uniformly, and lets . If some entry in is larger than , resamples and again. Because , the probability that every entry in is smaller than is larger than . Finally, saves in list and returns to .
  3. query: selects randomly and sends it to . selects uniformly at random, saves in list , and returns to .
  4. query: submits to . chooses with Hamming weight at most , saves in list , and returns to .
  5. query: selects a user identity and sends it to the challenger . searches list for and returns . If it does not exist, first makes a query.
  6. query: selects the original signer , the proxy signer , and the warrant , and sends all of them to . looks up in list and returns . If it does not exist, first makes a query.
  7. query: sends the delegation information to the challenger . first verifies its validity. If it is invalid, he refuses to respond. Otherwise, executes a query to obtain the secret key , computes and , and returns to .
  8. query: submits and the message to the challenger . verifies the legality of . If it is illegal, refuses to answer the query. Otherwise, he executes a query to obtain the delegated secret key , invokes the algorithm to obtain the signature , and returns it to .
- Forge Phase: The forger outputs his forged signature for the message . invokes again. By the General Forking Lemma [29], with probability we obtain a new signature for the message such that . Then = for . Replacing with , we have . Let , ; then , . In addition, and have many possible choices, and does not know which pair was used to build and . Therefore, the probability that is at least .
5.4. Performance Analysis
6. Conclusions
Author Contributions
Funding
Conflicts of Interest
References
1. Mambo, M.; Usuda, K.; Okamoto, E. Proxy signatures for delegating signing operation. In Proceedings of the 3rd ACM Conference on Computer and Communications Security, New Delhi, India, 14–15 March 1996; pp. 48–57.
2. Wei, J.; Yang, G.; Mu, Y.; Liang, K. Anonymous Proxy Signature with Hierarchical Traceability. Comput. J. 2016, 59, 559–569.
3. He, K.; Liu, X.; Yuan, H.; Wei, W.; Liang, K. Hierarchical Conditional Proxy Re-Encryption: A New Insight of Fine-Grained Secure Data Sharing. In Information Security Practice and Experience, Proceedings of the 13th International Conference, ISPEC 2017, Melbourne, Australia, 13–15 December 2017; Liu, J.K., Samarati, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10701, pp. 118–135.
4. Shao, J.; Lu, R.; Lin, X.; Liang, K. Secure bidirectional proxy re-encryption for cryptographic cloud storage. Pervasive Mob. Comput. 2016, 28, 113–121.
5. Liang, K.; Susilo, W.; Liu, J.K.; Wong, D.S. Efficient and Fully CCA Secure Conditional Proxy Re-Encryption from Hierarchical Identity-Based Encryption. Comput. J. 2015, 58, 2778–2792.
6. Liang, K.; Chu, C.; Tan, X.; Wong, D.S.; Tang, C.; Zhou, J. Chosen-ciphertext secure multi-hop identity-based conditional proxy re-encryption with constant-size ciphertexts. Theor. Comput. Sci. 2014, 539, 87–105.
7. Liang, K.; Au, M.H.; Liu, J.K.; Susilo, W.; Wong, D.S.; Yang, G.; Phuong, T.V.X.; Xie, Q. A DFA-Based Functional Proxy Re-Encryption Scheme for Secure Public Cloud Data Sharing. IEEE Trans. Inf. Forensics Secur. 2014, 9, 1667–1680.
8. Liang, K.; Liu, J.K.; Wong, D.S.; Susilo, W. An Efficient Cloud-Based Revocable Identity-Based Proxy Re-encryption Scheme for Public Clouds Data Sharing. In Computer Security, Proceedings of ESORICS 2014, 19th European Symposium on Research in Computer Security, Wroclaw, Poland, 7–11 September 2014; Kutylowski, M., Vaidya, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8712, pp. 257–272.
9. Liang, K.; Fang, L.; Susilo, W.; Wong, D.S. A Ciphertext-Policy Attribute-Based Proxy Re-encryption with Chosen-Ciphertext Security. In Proceedings of the 2013 5th International Conference on Intelligent Networking and Collaborative Systems, Xi’an, China, 9–11 September 2013; pp. 552–559.
10. Nyberg, K.; Rueppel, R.A. A new signature scheme based on the DSA giving message recovery. In Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, VA, USA, 3–5 November 1993; pp. 58–61.
11. Singh, H.; Verma, G.K. ID-based proxy signature scheme with message recovery. J. Syst. Softw. 2012, 85, 209–214.
12. Tiwari, N.; Padhye, S. New proxy signature scheme with message recovery using verifiable self-certified public keys. In Proceedings of the 2011 2nd International Conference on Computer and Communication Technology, Allahabad, India, 15–17 September 2011; pp. 539–544.
13. Xie, Q. Provably Secure Self-certified Multi-proxy Signature with Message Recovery. J. Netw. 2012, 7, 1616.
14. Yoon, E.J.; Choi, Y.; Kim, C. New ID-based proxy signature scheme with message recovery. In Proceedings of the International Conference on Grid and Pervasive Computing, Seoul, Korea, 9–11 May 2013; pp. 945–951.
15. Mahmoodi, A.; Mohajery, J.; Salmasizadeh, M. A certificate-based proxy signature with message recovery without bilinear pairing. Secur. Commun. Netw. 2016, 9, 4983–4991.
16. Padhye, S.; Tiwari, N. ECDLP-based certificateless proxy signature scheme with message recovery. Trans. Emerg. Telecommun. Technol. 2015, 26, 346–354.
17. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 1999, 41, 303–332.
18. Gentry, C. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC ’09, Washington, DC, USA, 31 May–2 June 2009; Volume 9.
19. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206.
20. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology, Proceedings of EUROCRYPT 2012, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 700–718.
21. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; pp. 738–755.
22. Bai, S.; Galbraith, S.D. An improved compression technique for signatures based on learning with errors. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 25–28 February 2014; pp. 28–47.
23. Tian, M.; Huang, L. Lattice-based message recovery signature schemes. Int. J. Electron. Secur. Digit. Forensics 2013, 5, 257–269.
24. Li, W. An Identity-Based Proxy Signature Scheme from Lattices in the Standard Model. In Proceedings of the International Conference on Intelligent Networking and Collaborative Systems, Ostrava, Czech Republic, 7–9 September 2016.
25. Wu, F.; Yao, W.; Zhang, X.; Zheng, Z. An Efficient Lattice-Based Proxy Signature with Message Recovery. In Proceedings of the International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Guangzhou, China, 12–15 December 2017; Volume 10656, pp. 321–331.
26. Lindell, Y. Fast Secure Two-Party ECDSA Signing. In Advances in Cryptology, Proceedings of CRYPTO 2017, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 613–644.
27. Agrawal, S.; Boneh, D.; Boyen, X. Efficient Lattice (H)IBE in the Standard Model. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, France, 30 May–3 June 2010; pp. 553–572.
28. Applebaum, B.; Cash, D.; Peikert, C.; Sahai, A. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Proceedings of CRYPTO 2009, Santa Barbara, CA, USA, 16–20 August 2009; pp. 595–618.
29. Bellare, M.; Neven, G. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 390–399.
30. Hill, J.; Szewczyk, R.; Woo, A.; Hollar, S.; Culler, D.; Pister, K. System architecture directions for networked sensors. SIGPLAN Not. 2000, 35, 93–104.
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Lu, X.; Wen, Q.; Yin, W.; Liang, K.; Jin, Z.; Panaousis, E.; Chen, J. Quantum-Resistant Identity-Based Signature with Message Recovery and Proxy Delegation. Symmetry 2019, 11, 272. https://doi.org/10.3390/sym11020272