Lattice-Based Revocable Certificateless Signature
Abstract
1. Introduction
1.1. Related Work
1.2. Contribution and Organization
2. Preliminaries
2.1. Notations
 
 N: a power-of-two integer.
 
 $\mathbb{R}$: the set of real numbers.
 
 $\mathbb{Z}$: the set of integers.
 
 ${Z}_{q}$ for $q > 0$: the set of integers in the interval $[-q/2,\ q/2)$.
 
 ${R}_{q}={Z}_{q}\left[X\right]/\left({X}^{N}+1\right)$: a ring of polynomials modulo ${X}^{N}+1$ with coefficients in ${Z}_{q}$.
2.2. Anti-circulant Matrices
2.3. Lattice and NTRU Lattice
2.4. Gaussian Distribution
 (1) If $\sigma =\omega (\Vert c\Vert \sqrt{\log N})$, then $\Pr[x\in {D}_{\sigma}^{N};\ {D}_{\sigma}^{N}(x)/{D}_{c,\sigma}^{N}(x)=O(1)]=1-{2}^{-\omega (\log N)}$.
 (2) If $\sigma =\alpha \Vert c\Vert$ and $\alpha > 0$, then $\Pr[x\in {D}_{\sigma}^{N};\ {D}_{\sigma}^{N}(x)/{D}_{c,\sigma}^{N}(x)\le {e}^{12/\alpha +1/(2{\sigma}^{2})}]\ge 1-{2}^{-100}$.
2.5. Sampling Technique
2.6. Rejection Sampling Algorithm
Algorithm 1: Rejection Sampling Technique
Setup(n, λ, m, k)
$H:{\{0,1\}}^{*}\to \{v: v\in {\{-1,0,1\}}^{k},\ {\Vert v\Vert}_{1}\le \lambda \}$, where λ is a constant.
Private Key: $S\leftarrow {\{-d,\dots ,0,\dots ,d\}}^{m\times k}$.
Verification Key: $A\leftarrow {Z}_{q}^{n\times m},\ T=AS$.
Sign(A, S, μ):

Verify(A, T, z, c, μ):
Accept if both $\Vert z\Vert \le 2\sigma \sqrt{m}$ and $c=H(Az-Tc,\ \mu )$ hold.
2.7. Hardness Assumptions
3. Syntax and Security Model of RCLS
 
 Setup (N): This probabilistic algorithm is performed by the KGC. It takes as input a security parameter N and returns the public parameters Parms and a system secret key ${S}_{KGC}$. ${S}_{KGC}$ is kept secret by the KGC and Parms are made public.
 
 Partial private key extract (ID): This deterministic algorithm is performed by the KGC. Upon receiving the identity ID of a user, the KGC produces the user’s partial private key ${D}_{ID}$ and the first partial public key ${P}_{ID}$ that are returned to the user.
 
 Time key update (ID, t): This deterministic algorithm is performed by the KGC. Upon receiving the identity ID of a user and a time period t, the KGC produces the time update key ${T}_{ID,t}$ of the user and returns it to the user.
 
 Set secret value (ID): This probabilistic algorithm is performed by a user with ID. The user randomly selects a secret value ${S}_{ID}$, with which the user computes the second partial public key ${R}_{ID}$.
 
 Set private key (${D}_{ID}$, ${T}_{ID,t}$, ${S}_{ID}$): This deterministic algorithm is performed by a user with ID. The private key $S{K}_{ID}$ = (${D}_{ID}$, ${T}_{ID,t}$, ${S}_{ID}$) is set by the user.
 
 Set public key (${P}_{ID}$, ${R}_{ID}$): This deterministic algorithm is performed by a user with ID. The public key $P{K}_{ID}$ = (${P}_{ID}$, ${R}_{ID}$) is set by the user, where ${P}_{ID}$ and ${R}_{ID}$ are the first partial and the second partial public keys respectively.
 
 Sign (ID, $S{K}_{ID}$, μ, t): This probabilistic algorithm is performed by a user with ID. It takes as input the private key $S{K}_{ID}$ of the user, a message μ and a time period t, and returns a signature ζ on μ.
 
 Verify (ID, $P{K}_{ID}$, μ, ζ, t): This deterministic algorithm is performed by a verifier (or receiver). It takes as input the public key $P{K}_{ID}$ of a user with ID, a message μ, a time period t, and a signature ζ and it returns “accept” if the signature ζ is validated. Otherwise, it returns “reject”.
 Type I adversary (outsider): The adversary knows the time update key and the secret value of any entity, obtained respectively by eavesdropping on the public channel and by replacing the associated public key.
 Type II adversary (honest-but-curious KGC): The adversary may produce the partial private key and time update key of any entity, but it does not know the associated secret value.
 Type III adversary (revoked user): The adversary owns the partial private key and knows the associated secret value, but it does not get the current time update key.
 
 Setup. The setup algorithm is performed by the challenger C to produce the public parameters Parms and the system secret key ${S}_{KGC}$. ${S}_{KGC}$ is kept secret by C, except that if the adversary A is of Type II, ${S}_{KGC}$ is sent to A. Note that for Type I and III adversaries the KGC plays the role of the challenger C, whereas for a Type II adversary the honest-but-curious KGC is the adversary A.
 
 Queries: A may adaptively issue a number of different queries to C as follows. Note that a Type II adversary holds the system secret key ${S}_{KGC}$ and can therefore compute the partial private key and time update key of any entity by itself.
 Partial private key extract queries (ID). Upon receiving the identity ID of a user, C performs the partial private key extract algorithm to produce and return the user’s partial private key ${D}_{ID}$ to A.
 Time key update queries (ID, t). Upon receiving the identity ID of a user and a time period t, C performs the time key update algorithm to produce and return the time update key ${T}_{ID,t}$ to A.
 Secret value queries (ID). Given a user’s ID, C performs the set secret value algorithm to produce and return the secret value ${S}_{ID}$ to A.
 Public key queries (ID). Upon receiving the identity ID of a user, C returns $P{K}_{ID}$ to A.
 Public key replacement queries (ID, $PK{\prime}_{ID}$). Upon receiving the identity ID of a user and a new public key $PK{\prime}_{ID}$, C records this replacement.
 Sign queries (ID, $P{K}_{ID}$, μ, t). Upon receiving ID and $P{K}_{ID}$ of a user, a message μ and a time period t, C plays the role of the signer and performs the sign algorithm to produce a valid signature ζ on μ, and returns ζ to A.
 
 Forgery: Assume that the adversary A outputs (ID^{*}, $P{K}_{ID*}$, μ^{*}, ζ^{*}, t^{*}), where ID^{*} is the target identity. A wins the RCLS-UF-ACMA game when all of the following conditions hold:
 (ID^{*}, μ^{*}, t^{*}) was never issued in the sign queries.
 The verify algorithm on (ID^{*}, $P{K}_{ID*}$, μ^{*}, ζ^{*}, t^{*}) outputs “accept”.
 If A is a Type I adversary, the partial private key extract query on ID^{*} was never issued.
 If A is a Type II adversary, ID^{*} was never issued in the secret value and public key replacement queries.
 If A is a Type III adversary, the time key update query on (ID^{*}, t^{*}) was never issued.
4. Concrete RCLS Scheme over Lattices
 
 Setup: Let s > 0, σ > 0 and a positive integer λ be given, and let N be the security parameter; the KGC chooses a prime q. Then, the KGC runs TrapGen(q, N) of Lemma 3 in Section 2.3 to obtain $(f,g)$ and $h=g\ast {f}^{-1}$ with $\Vert f\Vert <s\sqrt{N}$ and $\Vert g\Vert <s\sqrt{N}$, together with a short basis $B=\left[\begin{array}{cc}C(g)& C(f)\\ C(G)& C(F)\end{array}\right]$ of ${\Lambda}_{h,q}$, where $f, g, F, G\in {R}_{q}$. Furthermore, the KGC sets the system secret key $S_{KGC}$ as B and selects two system public keys ${a}_{1},{a}_{2}\in {Z}_{q}^{N}$ and three hash functions ${H}_{0},{H}_{1}: {\{0,1\}}^{*}\to {Z}_{q}^{N}$ and ${H}_{2}: {Z}_{q}^{N}\times {Z}_{q}^{N}\times {Z}_{q}^{N}\times {\{0,1\}}^{*}\to \{v: v\in {\{-1,0,1\}}^{N},\ {\Vert v\Vert}_{1}\le \lambda \}$, where ${\Vert v\Vert}_{1}$ denotes the number of nonzero entries of the vector v. The public parameters are Parms = <$N,s,\alpha ,\lambda ,q,h,{a}_{1},{a}_{2},{H}_{0},{H}_{1},{H}_{2}$>.
 
 Partial private key extract: Upon receiving the identity $ID\in {\{0,1\}}^{*}$ of a user, the KGC produces the partial private key (${s}_{1},{s}_{2}$) such that ${s}_{1}+h\ast {s}_{2}={P}_{ID}$ and $\Vert ({s}_{1},\ {s}_{2})\Vert \le s\sqrt{2N}$ by running SampleGau(B, s, (${P}_{ID},\ 0$)) of Lemma 5 in Section 2.5, where ${P}_{ID}={H}_{0}(ID)\in {Z}_{q}^{N}$ is the first partial public key. The KGC returns the partial private key ${D}_{ID}$ = (${s}_{1},{s}_{2}$) to the user securely. Note that Lyubashevsky et al. [36] have shown that recovering (${s}_{1},{s}_{2}$) from ($h,{P}_{ID}$) is still hard.
 
 Time key update: Upon receiving the identity ID of a non-revoked user and a time period t, the KGC produces the time update key (${s}_{3},{s}_{4}$) such that ${s}_{3}+h\ast {s}_{4}={T}_{ID}$ and $\Vert ({s}_{3},\ {s}_{4})\Vert \le s\sqrt{2N}$ by running SampleGau(B, s, (${T}_{ID},\ 0$)) of Lemma 5 in Section 2.5, where ${T}_{ID}={H}_{1}(ID,\ t)\in {Z}_{q}^{N}$. The KGC then sends the time update key ${T}_{ID,t}=({s}_{3},{s}_{4})$ to the user over a public channel.
 
 Set secret value: The user with ID chooses a secret value ${S}_{ID}=({s}_{5},{s}_{6})$ uniformly at random from {−d, …, 0, …, d}, where 1 ≤ d ≤ 31, and computes the second partial public key ${R}_{ID}={a}_{1}\ast {s}_{5}+{a}_{2}\ast {s}_{6}$.
 
 Set private key: The user with ID may set the private key $S{K}_{ID}=({D}_{ID},{T}_{ID,t},{S}_{ID})$.
 
 Set public key: The user with ID may set the public key $P{K}_{ID}=({P}_{ID},{R}_{ID})$.
 
 Sign: A signer with the private key $S{K}_{ID}$ takes as input a message $\mu \in {\{0,1\}}^{*}$, randomly and independently selects ${y}_{1},{y}_{2},{y}_{3},{y}_{4},{y}_{5},{y}_{6}$ from the distribution ${D}_{\sigma}^{N}$, and computes the following values:
$$c={H}_{2}({y}_{1}+h\ast {y}_{2},\ {y}_{3}+h\ast {y}_{4},\ {a}_{1}\ast {y}_{5}+{a}_{2}\ast {y}_{6},\ \mu );$$
$${z}_{1}={y}_{1}+{s}_{1}\ast c;\ {z}_{2}={y}_{2}+{s}_{2}\ast c;\ {z}_{3}={y}_{3}+{s}_{3}\ast c;$$
$${z}_{4}={y}_{4}+{s}_{4}\ast c;\ {z}_{5}={y}_{5}+{s}_{5}\ast c;\ {z}_{6}={y}_{6}+{s}_{6}\ast c;$$
$$z={[{z}_{1}^{T}\mid {z}_{2}^{T}\mid {z}_{3}^{T}\mid {z}_{4}^{T}\mid {z}_{5}^{T}\mid {z}_{6}^{T}]}^{T};$$
$$v={[{({s}_{1}\ast c)}^{T}\mid {({s}_{2}\ast c)}^{T}\mid {({s}_{3}\ast c)}^{T}\mid {({s}_{4}\ast c)}^{T}\mid {({s}_{5}\ast c)}^{T}\mid {({s}_{6}\ast c)}^{T}]}^{T}.$$
The signature on μ is ζ = $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},c)$; the vectors z and v are those used in the rejection sampling of Section 2.6.
 
 Verify: Given a signature $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},c)$ on a message μ for a user with ID, a verifier validates the signature by checking the equality
$$c={H}_{2}({z}_{1}+h\ast {z}_{2}-{P}_{ID}\ast c,\ {z}_{3}+h\ast {z}_{4}-{T}_{ID}\ast c,\ {a}_{1}\ast {z}_{5}+{a}_{2}\ast {z}_{6}-{R}_{ID}\ast c,\ \mu ).$$
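A toy implementation of the Sign and Verify algorithms above, added here as an illustration (it is not the paper's code, and its parameters N = 32, q = 12289, λ = 6, d = 1 and the bound V_BOUND on ||v|| are assumed toy values far below the paper's). It works in $R_q$ with schoolbook negacyclic multiplication, applies the rejection step of Lemma (2) with the constant of Lyubashevsky [22], and issues partial and time keys the way the challenger of Section 5 does (short pair first, then the public value $s_1 + h\ast s_2$) instead of running TrapGen/SampleGau; the demo also shows a revoked signer's stale time key failing verification.

```python
import hashlib
import math
import random

# Toy parameters (assumed, far smaller than the paper's): N a power of two, q prime.
N, Q, LAMBDA, D = 32, 12289, 6, 1
ALPHA, V_BOUND = 12.0, 128.0      # sigma = ALPHA * (assumed bound on ||v||), as in Lemma (2)
SIGMA, M = ALPHA * V_BOUND, math.exp(12 / ALPHA + 1 / (2 * ALPHA ** 2))  # M: Lyubashevsky [22]
rng = random.SystemRandom()

# Public parameters. The real KGC gets h = g * f^{-1} from TrapGen; this toy KGC never
# touches the trapdoor (see kgc_issue), so h, a1, a2 are simply uniform in Z_q^N.
H_POLY, A1, A2 = ([rng.randrange(Q) for _ in range(N)] for _ in range(3))
PUBLIC = {}   # programmed oracle tables: ident -> P_ID and (ident, t) -> T_ID

def mul(a, b, reduce=True):
    """Product in Z[X]/(X^N + 1), reduced mod q unless reduce=False (for small s*c)."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                r[i + j] += ai * bj
            else:
                r[i + j - N] -= ai * bj          # X^N = -1
    return [x % Q for x in r] if reduce else r

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def gauss_vec(sigma):
    """Rounded continuous Gaussian standing in for the discrete Gaussian D_sigma^N."""
    return [round(rng.gauss(0, sigma)) for _ in range(N)]

def H2(w, v, x, mu):
    """H2: Z_q^N x Z_q^N x Z_q^N x {0,1}* -> {c in {-1,0,1}^N : ||c||_1 <= LAMBDA}."""
    h = hashlib.shake_256()
    for p in (w, v, x):
        h.update(b"".join((a % Q).to_bytes(2, "little") for a in p))
    h.update(mu)
    stream = h.digest(2 * LAMBDA)
    c = [0] * N
    for k in range(LAMBDA):               # overwriting a slot only lowers the weight
        c[stream[2 * k] % N] = 1 if stream[2 * k + 1] & 1 else -1
    return c

def kgc_issue(key):
    """Stand-in for SampleGau(B, s, (P, 0)): pick the short pair first and publish
    P = s1 + h*s2 under `key` (an ident for P_ID, an (ident, t) pair for T_ID). This is
    the challenger's trick of Section 5, not the trapdoor extraction of Section 4."""
    s1, s2 = gauss_vec(1.5), gauss_vec(1.5)
    PUBLIC[key] = add(s1, mul(H_POLY, s2))
    return s1, s2

def set_secret_value():
    s5, s6 = ([rng.randint(-D, D) for _ in range(N)] for _ in range(2))
    return (s5, s6), add(mul(A1, s5), mul(A2, s6))   # S_ID, R_ID

def sign(sk, mu):
    (s1, s2), (s3, s4), (s5, s6) = sk                # D_ID, T_{ID,t}, S_ID
    secret = [s1, s2, s3, s4, s5, s6]
    while True:                                      # Fiat-Shamir with aborts
        y = [gauss_vec(SIGMA) for _ in range(6)]
        c = H2(add(y[0], mul(H_POLY, y[1])), add(y[2], mul(H_POLY, y[3])),
               add(mul(A1, y[4]), mul(A2, y[5])), mu)
        v = [mul(s, c, reduce=False) for s in secret]                 # v_i = s_i * c
        z = [[yi + vi for yi, vi in zip(yb, vb)] for yb, vb in zip(y, v)]
        zf, vf = sum(z, []), sum(v, [])
        # keep z only if it is short and with probability D_sigma(z) / (M * D_{v,sigma}(z))
        ratio = math.exp((dot(vf, vf) - 2 * dot(zf, vf)) / (2 * SIGMA ** 2))
        if dot(zf, zf) <= (2 * SIGMA) ** 2 * 6 * N and rng.random() < min(1.0, ratio / M):
            return z, c

def verify(ident, pk, mu, sig, t):
    p_id, r_id = pk
    t_id = PUBLIC.get((ident, t))                    # H1(ID, t) in the real scheme
    z, c = sig
    zf = sum(z, [])
    if t_id is None or dot(zf, zf) > (2 * SIGMA) ** 2 * 6 * N:
        return False
    w = sub(add(z[0], mul(H_POLY, z[1])), mul(p_id, c))
    v = sub(add(z[2], mul(H_POLY, z[3])), mul(t_id, c))
    x = sub(add(mul(A1, z[4]), mul(A2, z[5])), mul(r_id, c))
    return H2(w, v, x, mu) == c

def demo():
    """Honest signature, tampered message, and a revoked signer reusing a stale time key."""
    ident, mu = b"alice", b"constructed sample message"
    d_id, t_key_1 = kgc_issue(ident), kgc_issue((ident, 1))
    s_id, r_id = set_secret_value()
    kgc_issue((ident, 2))          # period 2 exists publicly; its key is withheld from alice
    pk, sig = (PUBLIC[ident], r_id), sign((d_id, t_key_1, s_id), mu)
    return {"valid": verify(ident, pk, mu, sig, 1),
            "tampered": verify(ident, pk, mu + b"!", sig, 1),
            "stale_time_key": verify(ident, pk, mu, sig, 2)}
```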
5. Security Analysis
 
 Setup. The challenger C randomly chooses polynomials $a_{1}, a_{2}, h\in R_{q}$ and controls the random oracles ${H}_{0}$, ${H}_{1}$ and ${H}_{2}$. The public parameters Parms = <$N,s,\alpha ,\lambda ,q,h,{a}_{1},{a}_{2},{H}_{0},{H}_{1},{H}_{2}$> are sent to A. Meanwhile, C maintains several initially empty lists L_{0}, L_{1}, L_{2} and L_{S}.
 
 Queries. A can adaptively issue several queries to C as follows:
 ${H}_{0}$ queries: Let L_{0} consist of tuples of the form $<I{D}_{i},\ {D}_{I{D}_{i}},\ {P}_{I{D}_{i}}>$. Upon receiving a query with $I{D}_{i}$ from A, C responds as follows.
 Search $I{D}_{i}$ in L_{0}. If it is found, the same answer in L_{0} is returned to A because the query has already been issued.
 Otherwise, select ${s}_{i1},\ {s}_{i2}\in {D}_{s}^{N}$ at random such that $\Vert ({s}_{i1},\ {s}_{i2})\Vert \le s\sqrt{2N}$ and compute the polynomial ${P}_{I{D}_{i}}={s}_{i1}+h\ast {s}_{i2}$. Then ${P}_{I{D}_{i}}$ is sent to A and $<I{D}_{i},\ {D}_{I{D}_{i}}=({s}_{i1},\ {s}_{i2}),\ {P}_{I{D}_{i}}>$ is added to the list L_{0}.
 ${H}_{1}$ queries: Let L_{1} consist of tuples of the form $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$. Upon receiving a query with ($I{D}_{i}$, t) from A, C responds as follows.
 Search ($I{D}_{i}$, t) in L_{1}. If it is found, the same answer in L_{1} is returned to A because the query has already been issued.
 Otherwise, select ${s}_{i3},\ {s}_{i4}\in {D}_{s}^{N}$ at random such that $\Vert ({s}_{i3},\ {s}_{i4})\Vert \le s\sqrt{2N}$ and compute the polynomial ${T}_{1i}={s}_{i3}+h\ast {s}_{i4}$. Then ${T}_{1i}$ is sent to A and $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$ is added to the list L_{1}.
 ${H}_{2}$ queries: Let L_{2} consist of tuples of the form <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$>. Upon receiving a query with (${w}_{j},{v}_{j},{x}_{j},{\mu}_{j}$) from A, C responds as follows.
 Search (${w}_{j},{v}_{j},{x}_{j},{\mu}_{j}$) in L_{2}. If it is found, the same answer in L_{2} is returned to A because the query has already been issued.
 Otherwise, randomly select ${c}_{j}\in {Z}_{q}^{N}$. Then ${c}_{j}$ is sent to A and <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$> is added to the list L_{2}.
 Partial private key queries: When A issues this query with $I{D}_{i}$, C responds as follows.
 Search $I{D}_{i}$ in L_{0}. If it is found, the same answer in L_{0} is returned to A because the query has already been issued.
 Otherwise, issue the ${H}_{0}$ query to obtain the tuple $<I{D}_{i},\ {D}_{I{D}_{i}},\ {P}_{I{D}_{i}}>$. Then, return ${D}_{I{D}_{i}}$ to A.
 Time key update queries: When A issues this query with ($I{D}_{i}$, t), C responds as follows.
 Search ($I{D}_{i}$, t) in L_{1}. If it is found, the same answer in L_{1} is returned to A because the query has already been issued.
 Otherwise, issue the ${H}_{1}$ query to obtain the tuple $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$. Then, return ${T}_{1i}$ to A.
 Secret value queries: Let L_{S} consist of tuples of the form $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$. Upon receiving a query with $I{D}_{i}$ from A, C responds as follows.
 Search $I{D}_{i}$ in L_{S}. If it is found, the same answer in L_{S} is returned to A because the query has already been issued.
 Otherwise, randomly select ${s}_{i5},\ {s}_{i6}\in \{-d,\ \dots ,\ 0,\ \dots ,\ d\}$, where 1 ≤ d ≤ 31, and compute the polynomial ${R}_{I{D}_{i}}={a}_{1}\ast {s}_{i5}+{a}_{2}\ast {s}_{i6}$. Then ${S}_{I{D}_{i}}=({s}_{i5},\ {s}_{i6})$ is sent to A and $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$ is added to the list L_{S}.
 Public key queries: When A issues this query with $I{D}_{i}$, C responds as follows.
 Search $I{D}_{i}$ in L_{0} and L_{S}. If it is found, which means that the query has already been issued, C returns to A the same answer $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, where ${P}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$ are taken from L_{0} and L_{S}, respectively.
 Otherwise, issue the H_{0} query and the Secret value query to obtain ${P}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$. Then $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$ is sent to A.
 Public key replacement queries: When A issues this query with a new public key $PK{\prime}_{I{D}_{i}}=(P{\prime}_{I{D}_{i}},\ R{\prime}_{I{D}_{i}})$ of $I{D}_{i}$ to replace the old public key $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, C replaces ${P}_{I{D}_{i}}$ in L_{0} with $P{\prime}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$ in L_{S} with $R{\prime}_{I{D}_{i}}$.
 Sign queries: Upon receiving a request from A along with a message ${\mu}_{j}$, a time period t and $(I{D}_{i},\ P{K}_{I{D}_{i}})$, where $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, the challenger C performs the following steps to produce a valid signature.
 Search $I{D}_{i}$ in L_{0}, L_{1} and L_{S}, respectively, to obtain $<I{D}_{i},\ {D}_{I{D}_{i}},\ {P}_{I{D}_{i}}>$, $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$ and $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$.
 Randomly choose ${c}_{j}\in \{v: v\in {\{-1,0,1\}}^{N},\ {\Vert v\Vert}_{1}\le \lambda \}$ and ${z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6}\in {D}_{\sigma}^{N}$ with $\Vert ({z}_{1},\ {z}_{2},\ {z}_{3},\ {z}_{4},\ {z}_{5},\ {z}_{6})\Vert \le 2\sigma \sqrt{6N}$. Then, compute ${w}_{j}={z}_{1}+h\ast {z}_{2}-{P}_{I{D}_{i}}\ast {c}_{j}$, ${v}_{j}={z}_{3}+h\ast {z}_{4}-{T}_{1i}\ast {c}_{j}$ and ${x}_{j}={a}_{1}\ast {z}_{5}+{a}_{2}\ast {z}_{6}-{R}_{I{D}_{i}}\ast {c}_{j}$.
 Add <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$> to the list L_{2} and send the signature $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},{c}_{j})$ on ${\mu}_{j}$ to A. Note that the signature ζ = $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},{c}_{j})$ is valid because it satisfies the equality
$${c}_{j}={H}_{2}({z}_{1}+h\ast {z}_{2}-{P}_{I{D}_{i}}\ast {c}_{j},\ {z}_{3}+h\ast {z}_{4}-{T}_{1i}\ast {c}_{j},\ {a}_{1}\ast {z}_{5}+{a}_{2}\ast {z}_{6}-{R}_{I{D}_{i}}\ast {c}_{j},\ {\mu}_{j})={H}_{2}({w}_{j},{v}_{j},{x}_{j},{\mu}_{j}).$$
Therefore, when the adversary A issues a Sign query, the challenger C can output a valid signature even though C does not possess the valid secret key or time update key.
 
 Forgery: After making all the queries needed, the adversary A forges a signature tuple $({z}_{1}{}^{*},{z}_{2}{}^{*},{z}_{3}{}^{*},{z}_{4}{}^{*},{z}_{5}{}^{*},{z}_{6}{}^{*},{c}^{*})$ on message μ^{*} for ID^{*} at time period t^{*}.
 
 Setup. The challenger C performs the Setup algorithm of our lattice-based RCLS scheme to set S_{KGC} = B and Parms = <$N,s,\alpha ,\lambda ,q,h,{a}_{1},{a}_{2},{H}_{0},{H}_{1},{H}_{2}$>, where the three hash functions ${H}_{0}$, ${H}_{1}$ and ${H}_{2}$ are random oracles. The system secret key and Parms are then sent to A. Having the system secret key ${S}_{KGC}$, C can compute the partial private key ${D}_{ID}$, time update key ${T}_{ID,t}$ and partial public key ${P}_{ID}$ of any user $I{D}_{i}$ without issuing the other queries. Meanwhile, C maintains several initially empty lists L_{0}, L_{1}, L_{2} and L_{S}.
 
 Queries. A can adaptively issue several queries to C as follows:
 ${H}_{0}$ queries: Let L_{0} consist of tuples of the form $<I{D}_{i},\ {D}_{I{D}_{i}},\ {P}_{I{D}_{i}}>$. Upon receiving a query with $I{D}_{i}$ from A, C responds as follows.
 Search $I{D}_{i}$ in L_{0}. If it is found, the same answer in L_{0} is returned to A because the query has already been issued.
 Otherwise, randomly select ${P}_{I{D}_{i}}\in {Z}_{q}^{N}$ and run the algorithm SampleGau(B, s, (${P}_{I{D}_{i}}$, 0)) to obtain ${s}_{i1},\ {s}_{i2}\in {D}_{s}^{N}$ such that $\Vert ({s}_{i1},\ {s}_{i2})\Vert \le s\sqrt{2N}$. Then ${P}_{I{D}_{i}}$ is sent to A and $<I{D}_{i},\ {D}_{I{D}_{i}}=({s}_{i1},\ {s}_{i2}),\ {P}_{I{D}_{i}}>$ is added to the list L_{0}.
 ${H}_{1}$ queries: Let L_{1} consist of tuples of the form $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$. Upon receiving a query with ($I{D}_{i}$, t) from A, C responds as follows.
 Search ($I{D}_{i}$, t) in L_{1}. If it is found, the same answer in L_{1} is returned to A because the query has already been issued.
 Otherwise, select ${s}_{i3},\ {s}_{i4}\in {D}_{s}^{N}$ at random such that $\Vert ({s}_{i3},\ {s}_{i4})\Vert \le s\sqrt{2N}$ and compute the polynomial ${T}_{1i}={s}_{i3}+h\ast {s}_{i4}$. Then ${T}_{1i}$ is sent to A and $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$ is added to the list L_{1}.
 ${H}_{2}$ queries: Let L_{2} consist of tuples of the form <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$>. Upon receiving a query with (${w}_{j},{v}_{j},{x}_{j},{\mu}_{j}$) from A, C responds as follows.
 Search (${w}_{j},{v}_{j},{x}_{j},{\mu}_{j}$) in L_{2}. If it is found, the same answer in L_{2} is returned to A because the query has already been issued.
 Otherwise, randomly select ${c}_{j}\in {Z}_{q}^{N}$. Then ${c}_{j}$ is sent to A and <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$> is added to the list L_{2}.
 Secret value queries: Let L_{S} consist of tuples of the form $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$. Upon receiving a query with $I{D}_{i}$ from A, C responds as follows.
 Search $I{D}_{i}$ in L_{S}. If it is found, the same answer in L_{S} is returned to A because the query has already been issued.
 Otherwise, randomly select ${s}_{i5},\ {s}_{i6}\in \{-d,\ \dots ,\ 0,\ \dots ,\ d\}$, where 1 ≤ d ≤ 31, and compute the polynomial ${R}_{I{D}_{i}}={a}_{1}\ast {s}_{i5}+{a}_{2}\ast {s}_{i6}$. Then ${S}_{I{D}_{i}}=({s}_{i5},\ {s}_{i6})$ is sent to A and $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$ is added to L_{S}.
 Public key queries: When A issues this query with $I{D}_{i}$, C responds as follows.
 Search $I{D}_{i}$ in L_{0} and L_{S}. If it is found, which means that the query has already been issued, C returns to A the same answer $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, where ${P}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$ are taken from L_{0} and L_{S}, respectively.
 Otherwise, issue the H_{0} query and the Secret value query to obtain ${P}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$. Then $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$ is sent to A.
 Public key replacement queries: When A issues this query with a new public key $PK{\prime}_{I{D}_{i}}=(P{\prime}_{I{D}_{i}},\ R{\prime}_{I{D}_{i}})$ of $I{D}_{i}$ to replace the old public key $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, C replaces ${P}_{I{D}_{i}}$ in L_{0} with $P{\prime}_{I{D}_{i}}$ and ${R}_{I{D}_{i}}$ in L_{S} with $R{\prime}_{I{D}_{i}}$.
 Sign queries: Upon receiving a query from A along with $({\mu}_{j},\ I{D}_{i},\ P{K}_{I{D}_{i}})$ at time period t, where $P{K}_{I{D}_{i}}=({P}_{I{D}_{i}},\ {R}_{I{D}_{i}})$, the challenger C performs the following steps to produce a valid signature.
 Search $I{D}_{i}$ in L_{0}, L_{1} and L_{S}, respectively, to obtain $<I{D}_{i},\ {D}_{I{D}_{i}},\ {P}_{I{D}_{i}}>$, $<I{D}_{i},\ t,\ {T}_{1i},\ {T}_{ID,t}>$ and $<I{D}_{i},\ {S}_{I{D}_{i}},\ {R}_{I{D}_{i}}>$.
 Randomly choose ${c}_{j}\in \{v: v\in {\{-1,0,1\}}^{N},\ {\Vert v\Vert}_{1}\le \lambda \}$ and ${z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6}\in {D}_{\sigma}^{N}$ with $\Vert ({z}_{1},\ {z}_{2},\ {z}_{3},\ {z}_{4},\ {z}_{5},\ {z}_{6})\Vert \le 2\sigma \sqrt{6N}$. Then, compute ${w}_{j}={z}_{1}+h\ast {z}_{2}-{P}_{I{D}_{i}}\ast {c}_{j}$, ${v}_{j}={z}_{3}+h\ast {z}_{4}-{T}_{1i}\ast {c}_{j}$ and ${x}_{j}={a}_{1}\ast {z}_{5}+{a}_{2}\ast {z}_{6}-{R}_{I{D}_{i}}\ast {c}_{j}$.
 Add <${w}_{j},{v}_{j},{x}_{j},{\mu}_{j},{c}_{j}$> to the list L_{2} and send the signature $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},{c}_{j})$ on ${\mu}_{j}$ to A. Finally, as in the proof of Theorem 1, the signature $({z}_{1},{z}_{2},{z}_{3},{z}_{4},{z}_{5},{z}_{6},{c}_{j})$ is valid and passes verification.
 
 Forgery: After making all the queries needed, the adversary A forges a valid signature tuple $({z}_{1}{}^{*},{z}_{2}{}^{*},{z}_{3}{}^{*},{z}_{4}{}^{*},{z}_{5}{}^{*},{z}_{6}{}^{*},{c}^{*})$ on message μ^{*} for ID^{*} at time period t^{*}.
6. Comparisons
 ${T}_{s}$: The required time of performing a sampling operation from ${D}_{\sigma}$.
 ${T}_{m}$: The required time of performing a multiplication operation.
 ${T}_{a}$: The required time of performing an addition/subtraction operation.
7. Conclusions
Acknowledgments
Author Contributions
Conflicts of Interest
References
 1. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Cryptology 1984 (Crypto’84), Santa Barbara, CA, USA, 19–22 August 1984; Springer: New York, NY, USA, 1985; LNCS Volume 196, pp. 47–53.
 2. Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. In Proceedings of the Cryptology 2001 (Crypto’01), Santa Barbara, CA, USA, 19–23 August 2001; Springer: New York, NY, USA, 2001; LNCS Volume 2139, pp. 213–229.
 3. Al-Riyami, S.S.; Paterson, K.G. Certificateless public key cryptography. In Proceedings of the Advances in Cryptology (ASIACRYPT’03), Taipei, Taiwan, 30 November–4 December 2003; Springer: New York, NY, USA, 2003; LNCS Volume 2894, pp. 452–473.
 4. Al-Riyami, S.S.; Paterson, K.G. CBE from CL-PKE: A generic construction and efficient schemes. In Proceedings of the Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005; Springer: New York, NY, USA, 2005; LNCS Volume 3386, pp. 398–415.
 5. Libert, B.; Quisquater, J.J. On constructing certificateless cryptosystems from identity based encryption. In Proceedings of the Public Key Cryptography (PKC’06), New York, NY, USA, 24–26 April 2006; Springer: New York, NY, USA, 2006; LNCS Volume 3958, pp. 474–490.
 6. Huang, X.; Mu, Y.; Susilo, W.; Wong, D.; Wu, W. Certificateless signature revisited. In Proceedings of the Australasian Conference on Information Security and Privacy (ACISP’06), Melbourne, Australia, 3–5 July 2006; Springer: New York, NY, USA, 2007; LNCS Volume 4586, pp. 308–322.
 7. Hwang, Y.H.; Liu, J.K.; Chow, S.S.M. Certificateless public key encryption secure against malicious KGC attacks in the standard model. J. Universal Comput. Sci. 2008, 14, 463–480.
 8. Chen, Y.C.; Tso, R.; Susilo, W.; Huang, X.; Horng, G. Certificateless signatures: Structural extensions of security models and new provably secure schemes. In Cryptology ePrint Archive: Report 2013/193; IACR: Santa Barbara, CA, USA, 2013.
 9. Hung, Y.H.; Huang, S.S.; Tseng, Y.M.; Tsai, T.T. Certificateless signature with strong unforgeability in the standard model. Informatica 2015, 26, 663–684.
 10. Tseng, Y.M.; Tsai, T.T. Efficient revocable ID-based encryption with a public channel. Comput. J. 2012, 55, 475–486.
 11. Tsai, T.T.; Tseng, Y.M.; Huang, S.S. Efficient revocable certificateless public key encryption with a delegated revocation authority. Secur. Commun. Netw. 2015, 8, 3713–3725.
 12. Shen, L.; Zhang, F.; Sun, Y. Efficient revocable certificateless encryption secure in the standard model. Comput. J. 2014, 57, 592–601.
 13. Sun, Y.; Zhang, F.; Shen, L. A revocable certificateless signature scheme. J. Comput. 2014, 9, 1843–1850.
 14. Tsai, T.T.; Huang, S.S.; Tseng, Y.M. Secure certificateless signature with revocation in the standard model. Math. Probl. Eng. 2014, 2014, 728591.
 15. Hung, Y.H.; Tseng, Y.M.; Huang, S.S. A revocable certificateless short signature scheme and its authentication application. Informatica 2016, 27, 549–572.
 16. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 1997, 26, 1484–1509.
 17. Bernstein, D.J. Introduction to Post-Quantum Cryptography. In Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; pp. 1–14.
 18. Goldreich, O.; Goldwasser, S.; Halevi, S. Public-key cryptosystems from lattice reduction problems. In Proceedings of the Advances in Cryptology (CRYPTO’97), Santa Barbara, CA, USA, 17–21 August 1997; Springer: New York, NY, USA, 1997; LNCS Volume 1294, pp. 112–131.
 19. Nguyen, P.; Regev, O. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. J. Cryptol. 2009, 22, 139–160.
 20. Gentry, C.; Peikert, C.; Vaikuntanathan, V. How to use a short basis: Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Annual Symposium on the Theory of Computing (STOC’08), Victoria, BC, Canada, 17–20 May 2008; ACM Press: New York, NY, USA, 2008; pp. 197–206.
 21. Lyubashevsky, V. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Proceedings of the Advances in Cryptology (ASIACRYPT’09), Tokyo, Japan, 6–10 December 2009; Springer: New York, NY, USA, 2009; LNCS Volume 5912, pp. 598–616.
 22. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Advances in Cryptology (EUROCRYPT’12), Cambridge, UK, 15–19 April 2012; Springer: New York, NY, USA, 2012; LNCS Volume 7237, pp. 738–755.
 23. Rückert, M. Strongly unforgeable signatures and hierarchical identity-based signatures over lattices without random oracles. In Proceedings of the Post-Quantum Cryptography (PQC’10), Darmstadt, Germany, 25–28 May 2010; Springer: New York, NY, USA, 2010; LNCS Volume 6061, pp. 182–200.
 24. Liu, Z.H.; Hu, Y.P.; Zhang, X.S.; Li, F. Efficient and strongly unforgeable identity-based signature scheme over lattices in the standard model. Secur. Commun. Netw. 2013, 6, 69–77.
 25. Tian, M.; Huang, L. Efficient identity-based signature from lattices. In Proceedings of the IFIP International Information Security Conference (SEC’14), Marrakech, Morocco, 2–4 June 2014; IFIP AICT Volume 428, pp. 321–329.
 26. Ducas, L.; Lyubashevsky, V.; Prest, T. Efficient identity-based encryption over NTRU lattices. In Proceedings of the Advances in Cryptology (ASIACRYPT’14), Kaohsiung, Taiwan, 7–11 December 2014; Springer: New York, NY, USA, 2014; LNCS Volume 8874, pp. 22–41.
 27. Xiang, X. Adaptive secure revocable identity-based signature scheme over lattices. Comput. Eng. 2015, 41, 126–129.
 28. Boldyreva, A.; Goyal, V.; Kumar, V. Identity-based encryption with efficient revocation. In Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS’08), Alexandria, VA, USA, 27–31 October 2008; ACM Press: New York, NY, USA, 2008; pp. 417–426.
 29. Hung, Y.H.; Tseng, Y.M.; Huang, S.S. Revocable ID-based signature with short size over lattices. Secur. Commun. Netw. 2017, 2017, 7571201.
 30. Tian, M.; Huang, L. Certificateless and certificate-based signatures from lattices. Secur. Commun. Netw. 2015, 8, 1575–1586.
 31. Micciancio, D.; Regev, O. Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 2007, 37, 267–302.
 32. Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Silverman, J.; Whyte, W. NTRUSign: Digital signatures using the NTRU lattice. In Proceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA’03), San Francisco, CA, USA, 13–17 April 2003; Springer: New York, NY, USA, 2003; LNCS Volume 2612, pp. 122–140.
 33. Micciancio, D.; Peikert, C. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Proceedings of the Advances in Cryptology (EUROCRYPT’12), Cambridge, UK, 15–19 April 2012; Springer: New York, NY, USA, 2012; LNCS Volume 7237, pp. 700–718.
 34. Ajtai, M. Generating hard instances of lattice problems. In Proceedings of the ACM Symposium on Theory of Computing (STOC’96), Philadelphia, PA, USA, 22–24 May 1996; ACM Press: New York, NY, USA, 1996; pp. 99–108.
 35. Stehlé, D.; Steinfeld, R. Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. In Cryptology ePrint Archive: Report 2013/4; IACR: Santa Barbara, CA, USA, 2013.
 36. Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. In Proceedings of the Advances in Cryptology (EUROCRYPT’10), French Riviera, France, 30 May–3 June 2010; Springer: New York, NY, USA, 2010; LNCS Volume 6110, pp. 1–23.
 37. Pointcheval, D.; Stern, J. Security arguments for digital signatures and blind signatures. J. Cryptol. 2000, 13, 361–396.
Properties | Tian and Huang’s CLS Scheme | Our RCLS Scheme
--- | --- | ---
Lattice type | GPV lattice | NTRU lattice
Public-key setting | CLS | RCLS
Revocable functionality | No | Public channel
Averting key escrow problem | Yes | Yes
Private key size | $2{m}_{1}k\log({\widehat{s}}_{1}\sqrt{{m}_{1}})+2{m}_{2}k\log({\widehat{s}}_{2}\sqrt{{m}_{2}})$ | $6N\log(s\sqrt{N})$
Signature length | $({m}_{1}+{m}_{2})\log(12\widehat{\sigma})+\lambda(\log k+1)$ | $6N\log(12\sigma)+\lambda(\log N+1)$
Computational cost of signing | $({m}_{1}+{m}_{2})({T}_{s}+2N{T}_{m}+{T}_{a})$ | $6N{T}_{s}+9N({T}_{m}+{T}_{a})$
Computational cost of verifying | $2N({m}_{1}+{m}_{2}){T}_{m}+2N{T}_{a}$ | $7N{T}_{m}+6N{T}_{a}$
Bit-Length | Tian and Huang’s CLS Scheme | Our RCLS Scheme
--- | --- | ---
Private key size | 595,222,811 | 127,749
Signature length | 2,026,680 | 175,312
© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Hung, Y.H.; Tseng, Y.M.; Huang, S.S. Lattice-Based Revocable Certificateless Signature. Symmetry 2017, 9, 242. https://doi.org/10.3390/sym9100242