Next Article in Journal
Fuzzy Logic-Based Model That Incorporates Personality Traits for Heterogeneous Pedestrians
Previous Article in Journal
Internet of THings Area Coverage Analyzer (ITHACA) for Complex Topographical Scenarios
Article

Lattice-Based Revocable Certificateless Signature

Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan
*
Author to whom correspondence should be addressed.
Symmetry 2017, 9(10), 242; https://doi.org/10.3390/sym9100242
Received: 27 September 2017 / Revised: 16 October 2017 / Accepted: 18 October 2017 / Published: 20 October 2017

Abstract

Certificateless signatures (CLS) are noticeable because they may resolve the key escrow problem in ID-based signatures and break away the management problem regarding certificate in conventional signatures. However, the security of the mostly previous CLS schemes relies on the difficulty of solving discrete logarithm or large integer factorization problems. These two problems would be solved by quantum computers in the future so that the signature schemes based on them will also become insecure. For post-quantum cryptography, lattice-based cryptography is significant due to its efficiency and security. However, no study on addressing the revocation problem in the existing lattice-based CLS schemes is presented. In this paper, we focus on the revocation issue and present the first revocable CLS (RCLS) scheme over lattices. Based on the short integer solution (SIS) assumption over lattices, the proposed lattice-based RCLS scheme is shown to be existential unforgeability against adaptive chosen message attacks. By performance analysis and comparisons, the proposed lattice-based RCLS scheme is better than the previously proposed lattice-based CLS scheme, in terms of private key size, signature length and the revocation mechanism.
Keywords: cryptography; lattice; certificateless signature; short integer solution (SIS); assumption; post-quantum cryptography cryptography; lattice; certificateless signature; short integer solution (SIS); assumption; post-quantum cryptography

1. Introduction

Identity (ID)-based public-key cryptography (ID-PKC) was introduced by Shamir [1] to break away the requirement of certificates in conventional public-key cryptography (PKC). In ID-PKC, the public key of a user is decided by his/her associated identity information, such as e-mail address, telephone number, social security number, and so on. With the public key of a user, a trusted third party (called private key generator (PKG) produces the user’s associated private key and sends it to the user via a secure channel. Thus, the legitimacy of public keys can be verified publicly. Boneh and Franklin [2] employed Shamir’s concept to construct a workable ID-based encryption (IBE) scheme using bilinear maps such as Ate, Tate, and Weil pairings. Since the PKG knows all the users’ private keys, the PKG may impersonate all the users to forge a signature on any message and encrypt any ciphertext. In such a case, all ID-based cryptographic schemes have the key escrow problem.
In 1993, certificateless public-key cryptography (CL-PKC) was introduced by Al-Riyami and Paterson [3] to simultaneously repeal the use of certificates in conventional PKC and resolve the key escrow problem in ID-PKC. They concretely presented a certificateless signature (CLS) and a certificateless public-key encryption (CL-PKE) scheme. In CL-PKC, the private key of a user includes two parts, namely, a secret value and a partial private key. The secret value is randomly selected by the user while the partial private key is generated with her/his identity by a key generation center (KGC). Hence, the KGC does not know a user’s private key so that the key escrow problem occurred in ID-PKC is avoided. In addition, the user independently generates and publishes the public key, so the need of certificates in conventional PKC is abolished. Afterwards, numerous works [4,5,6,7,8,9] have addressed the CL-PKC area.
That are several cases that request a user’s public key to be invalidated before its preplanned expiration time. Thus, a public-key setting should offer a revocation method to cancel compromised or illegal users from the system. Tseng and Tsai [10] presented the revocation method using public channel. In addition, two primitives (encryption and signature) in revocable certificateless public-key cryptography (RCL-PKC) were also proposed, such as revocable certificateless public-key encryption (RCL-PKE) schemes [11,12] and revocable certificateless signature (RCLS) scheme [13,14]. Furthermore, Hung et al. [15] presented a short RCLS scheme.
Indeed, the security of these conventional PKC, ID-PKC, CL-PKC and RCL-PKC mentioned above rely on the difficulty of solving the discrete logarithm or integer factorization problems. However, when quantum computers come into reality, both hard problems would become easy to compute [16] so that those cryptographic schemes based on them would become insecure. Whereas, several new mathematical methods for cryptography have been constructed to resist quantum attacks. For post-quantum cryptography, lattice-based cryptography is significant [17] because no efficient quantum algorithm can solve the related problems that include the short integer solution (SIS) and short independent vector problem (SIVP) problems over lattices. Moreover, lattice-based cryptography is more efficient than other post-quantum cryptographies.

1.1. Related Work

For lattice-based cryptography, Goldreicha et al. [18] proposed lattice-based signature and public-key encryption schemes under the conventional PKC settings. Unfortunately, its signature scheme was completely broken in [19]. Afterward, several famous signature schemes were presented, including Gentry et al.’s scheme [20] and Lyubashevsky’s schemes [21,22]. The former is provably secure. In their scheme, Gentry et al. employed the Gaussian sampling and the hash-and-sign techniques, respectively, to produce users’ private keys and signatures. However, the private key is lengthy while the hash-and-sign technique is inefficient. Lyubashevsky [21] employed the Fiat-Shamir transformation technique to propose an efficient lattice-based signature scheme while its security is based on the short integer solution problem (SIS) over lattices. The Fiat-Shamir transformation turns out to be more efficient than the hash-and-sign technique when generating a signature. Moreover, to improve the efficiency further, Lyubashevsky [22] proposed another lattice-based signature scheme, which employed the rejection sampling technique to produce the signature. Lyubashevsky’s second scheme is simple and needs just a few matrix-vector multiplications and rejection samplings.
To combine the advantages of ID-PKC and lattice-based cryptography, Ruckert [23] presented two ID-based signature (IBS) schemes over lattice assumptions. One was shown to be secure in the standard model and the other is secure in the random oracle model. The framework of Ruckert’s scheme followed Gentry et al.’s scheme [20]. Therefore, the private key and the signature remain lengthy. Then, several lattice-based IBS schemes [24,25,26] were presented to enhance the security and efficiency. Recently, Xiang [27] adopted the binary tree structure used in [28] to construct a revocable IBS (RIBS) scheme over lattices. To improve the efficiency, Hung et al. [29] furthermore presented a new lattice-based RIBS. Their scheme adopted the NTRU lattice in [26] to produce the private key of a user. Therefore, the private key size and signature size are shorter than those of Xiang’s scheme.
In the past, the study of the lattice-based certificateless signature (CLS) schemes received little attention. Tian and Huang [30] proposed the first lattice-based CLS scheme. Since they adopted the GPV lattice in [20] to generate the private key of a user, it is of the form ( S 1 , S 2 ) , where S 1 is an m 1 × k matrix and S 2 is an m 2 × k matrix, with m 1 , m 2 >   5 k log q and q being a prime. However, the private key above turns out to be lengthy, so is the associated signature. Therefore, their scheme is inefficient and impractical. Moreover, no study on addressing the revocation problem in the existing lattice-based CLS schemes is presented.

1.2. Contribution and Organization

In this paper, we focus on the revocation issue and present the first revocable CLS (RCLS) scheme over lattices while improving the performance of Tian and Huang’s CLS scheme [30] mentioned above. Our RCLS scheme provides a revocation method using public channel to cancel compromised or illegal users. The revocation method follows the revocation concept of our previous literature [10]. In our RCLS scheme, a user’s private key consists of three parts that include a secret value, a time update key and a partial private key. The secret value is randomly selected by the user while the partial private key is generated with her/his identity by a key generation center (KGC). The point is that the time update key is changed along with time period and the KGC periodically sends new time update keys to non-revoked users via a public channel. If the KGC would like to cancel compromised or illegal users, the KGC just stops generating the new time update keys of these users. In our RCLS scheme, the partial private key is generated by using the key extract algorithm of Ducas et al.’s ID-based encryption over lattices [26]. In the key extract phase, Ducas et al. adopted a particular sampling algorithm to improve Gentry et al.’s key extract algorithm [20] by producing short trapdoor (private key). Meanwhile, in our signing phase, we adopt the rejection sampling technique in [22] to produce a signature. Therefore, our lattice-based RCLS has shorter private key size and signature length than others. Relied on the difficulty of solving the short integer solution (SIS) problem [31], we show that the proposed lattice-based RCLS scheme offers existential unforgeability against adaptive chosen-message attacks for three adversaries that include Type I adversary (outsider), Type II adversary (honest-but-curious KGC) and Type III adversary (revoked user). When compared with the previously proposed lattice-based CLS scheme, the proposed lattice-based RCLS scheme possesses better security and similar efficiency.
The rest of the paper is arranged as follows. In Section 2, preliminaries are presented. The framework and security model of RCLS schemes are given in Section 3. The proposed lattice-based RCLS scheme is presented in Section 4. In Section 5, the security analysis of our scheme is demonstrated. Comparisons are presented in Section 6. Conclusions are drawn in Section 7.

2. Preliminaries

2.1. Notations

Throughout this paper, we denote several parameters as follows:
-
N: a power-of-two integer.
-
: the set of real numbers.
-
: the set of integers.
-
Z q for a q > 0: the interval be the set of integers with [ q / 2 ,   q / 2 ) .
-
R q = Z q [ X ] / ( X N + 1 ) : a ring of polynomials modulo X N + 1 with coefficients in Z q .
For a vector x and a matrix X, x = x i 2 and X = max [ X i ] , respectively, denote the Euclidean norm of x and the longest norm of all columns of X. Let f = i = o N 1 f i x i and g = i = o N 1 g i x i be two polynomials in R q .
For a set S, the notation yS denotes that y is uniformly selected at random from S. For a distribution D, zD means that z is selected according to the distribution D.

2.2. Anticirculant Matrices

Anticirculant matrices have a special structure and useful properties. An N-dimensional anticirculant matrix C N ( f ) is defined as follows.
Definition 1.
C N ( f ) is a Toeplitz matrix represented by
C N ( f ) = [ ( f ) ( x f ) ( x N 1 f ) ] = [ f 0 f 1 f N 2 f N 1 f N 1 f 0 f N 3 f N 2 f 1 f 2 f N 1 f 0 ] ,
where f = i = o N 1 f i x i R q .
For convenience, C N ( f ) is abbreviated as C ( f ) in the sequel. Anticirculant matrices have the following nice property.
Lemma 1.
If f , g R q , we have C ( f ) C ( g ) = C ( f g ) and C ( f ) + C ( g ) = C ( f + g ) [26].

2.3. Lattice and NTRU Lattice

Here, we briefly define a lattice and an NTRU lattice. A lattice is a full-rank discrete subgroup of Rn. And an NTRU lattice comes from a particular class of convolution modular lattices. The detailed definitions are given below.
Definition 2.
Let n vectors v 1 , v 2 ,   , v n be linearly independent and B = { v 1 ,   , v n } be the basis of the n-dimensional lattice Λ. The lattice Λ produced by the basis B is presented as
Λ = L ( v 1 ,   , v n ) = { i = 1 n x i v i :   x i n } .
Definition 3.
Let h = g f 1 , where f , g R q . The NTRU lattice Λ h ,   q associated with h and a positive integer q is a full-rank lattice of 2 N and is represented as
Λ h ,   q = { ( u ,   v ) R q 2 | u + v h = 0 } .
Indeed, Λ h ,   q is produced by the rows of
A h ,   q = [ C ( h ) I N q I N O N ] ,
where I N is the N × N unit matrix, O N and C ( h ) , respectively, denote the N × N null matrix and an N-dimensional anticirculant matrix with h. If h is uniformly distributed in R q , the basis Λ h ,   q is not suitable to solve the usual lattice problems. Hence Hoffstein et al. [32] remedied this situation by constructing another appropriate basis for Λh, q, namely,
B f , g = [ C ( g ) C ( f ) C ( G ) C ( F ) ] ,
where F , G R q such that f G g F = q .
Indeed, we can efficiently find F and G. By the following lemma, B f ,   g is called the short basis for Λh, q due to the fact B f , g A h , q .
Lemma 2.
Let f , g R q and h = g f 1 , and let F , G R q satisfy the equality f G g F = q [26]. Then, B f ,   g generates the same NTRU lattice Λ h ,   q as A h ,   q does and B f , g A h , q .
Lemma 3.
Given a prime q, a power-of-two integer N and σ = 1.17 q / ( 2 N ) , there exists a probabilistic polynomial-time (PPT) algorithm TrapGen(q, N) that can produce a pair of polynomials f and g and then computes h = g f 1 , and outputs a trapdoor matrix B f ,   g as a short basis of Λ h ,   q . Here, h is published publicly and is statistically close to be uniform in R q [26].

2.4. Gaussian Distribution

Here, we present the definitions of the continuous and discrete Gaussian distributions, which are useful tools in lattice-based cryptography.
Definition 4.
The continuous Gaussian distribution over N with the center c ϵ N and the standard deviation s > 0, is defined as
ρ c , s N ( x ) = ( 1 s 2 π ) N e x c 2 2 s 2 ,   where   x N .
We scale this distribution for any lattice Λ N by ρ c ,   s N ( Λ ) = x Λ ρ c ,   s N ( x ) so as to make the distribution fitting and acquire a probability function.
Definition 5.
The discrete Gaussian distribution over N with the center c ϵ N and the standard deviation s > 0, is defined as D c , s N ( x ) = ρ c , s N ( x ) / ρ c , s N ( Λ ) , where xϵ N .
In this paper, ρ s N and D s N are abbreviated from ρ 0 , s N and D 0 , s N respectively for convenience. In the following lemma, Lyubashevsky [22] gave two properties of a discrete distribution D c , σ N ( x ) in dimension N with standard deviation σ at center c.
Lemma 4.
Let cϵ N .
(1) 
If σ = ω ( c log N ) , then P r [ x D σ N ; D σ N ( x ) / D c , σ N ( x ) = O ( 1 ) ] = 1 2 ω ( log N ) .
(2) 
If σ = α c and α > 0, then P r [ x D σ N ; D σ N ( x ) / D c ,   σ N ( x ) < e 12 / α + 1 / ( 2 σ 2 ) ] > 1 2 100 .

2.5. Sampling Technique

According to [31], if one takes a so-called noise vector from a Gaussian distribution and adds this vector to a lattice, then one can obtain a distribution that is statistically close to uniform one. Based on this, Gentry et al. [20] presented a sampling algorithm and a trapdoor generation algorithm by using the Gaussian sampling technique over general lattices. To reduce the private key size, Ducas et al. [26] improved Gentry et al.’s scheme to propose a particular sampling algorithm over NTRU lattices that can produce short trapdoor by using a short basis B f ,   g of Λ h ,   q which is generated by TrapGen in the previous subsection. In our scheme, we will use Ducas et al.’s technique to produce the private key of a user by the short basis B f ,   g without leaking any information of B f ,   g . Ducas et al.’s trapdoor generation algorithm has the following properties.
Lemma 5.
Given a prime q, an N-dimensional lattice Λ, a short basis B f ,   g , if s B ˜ f , g ω ( log N ) and 0 < ε < 1, where B ˜ f ,   g denotes B f ,   g ’s Gram-Schmidt orthogonalization, we have
Pr [ x c > s N ] 1 + ε 1 ε 2 N   for   any   c N   and   x D c , s N .
and, there is an algorithm SampleGau( B f ,   g , s, c) which produces a distribution statistically close to D c , s N [26].

2.6. Rejection Sampling Algorithm

Lyubashevsky [22] proposed the rejection sampling technique to sign a message in lattice-based cryptography. This technique is simple and needs just a few matrix-vector multiplications and rejection samplings. Indeed, Lyubashevsky’s signing algorithm [22] is different from the one proposed by Micciancio and Peikert [33] even though both algorithms employ similar public keys. The main difference is that Lyubashevsky produces a signature by using the rejection sampling instead of the hash-and-sign technique. Moreover, the sizes of both signature and private key in Lyubashevsky’s scheme are smaller than those in Micciancio and Peikert’s scheme under the same security level. Here, we explain the workings of Lyubashevsky’s rejection sampling technique. A signer first selects a private key S which is an m × k matrix of random integers of absolute value at most d. And then the signer chooses an n × m matrix A of random integers in Z q and computes the other matrix T = A S . The signer’s associated public key consists of A and T. In addition, a cryptographic hash function H : { 0 , 1 } * { v : v { 1 , 0 , 1 } k , v 1 λ } is selected, where λ is constant. In the sign procedure, the signer takes her/his private key S, public key A and a message μ as input, and returns a signature (z, c). Upon receiving a signature (z, c), a verifier validates the signature using the public keys A and T. The setup, sign and verify procedures of the rejection sampling technique are presented in the following Algorithm 1.
Algorithm 1: Rejection Sampling Technique
Setup(n, λ, m, k)
H : { 0 , 1 } * { v : v { 1 , 0 , 1 } k , v 1 λ } , λ is constant.
 Private Key: S { d , ,   0 , ,   d } m × k .
 Verification Key: A Z q n × m ,   T = A S .
Sign(A, S, μ):
  • y D σ m .
  • c = H ( A y ,   μ ) .
  • z = S c + y .
  • Output the pair (z, c) with the probability min [ D σ m ( z ) M D S c ,   σ m ( z ) ,   1 ] , where M = O(1).
Verify(A, T, z, c, μ):
 Accept it if both conditions z 2 σ m   and   c = H ( A z T c ,   μ ) hold.
Here, we present the main concept of the signing algorithm. The rejection sampling technique is to enable the distribution of the signature (z, c) independent of the secret key S. Thus, we would like to obtain a target distribution z from D σ m , but z in the signing algorithm comes from the distribution D S c ,   σ m . For an appropriately-chosen value M and a standard deviation σ, e.g. M = 2.72 and σ = 15,157 [22], the signing algorithm will output a valid signature satisfying both z 2 σ m   and   c = H ( A z T c ,   μ ) with probability approximately 1/M. And the distribution of z is statistically close to the distribution chosen from D σ m .

2.7. Hardness Assumptions

In this section, we present the short integer solution (SIS) problem over lattices as the security assumption. The difficulty of solving the SIS problem is equivalent to the difficulty of the worst case of solving the short independent vector problem (SIVP) with an approximation polynomial factor [34]. The SIS problem and its assumption are defined as follows.
Definition 6.
Let q and β, respectively, be a positive integer and a real number, and f 1 , f 2 ,   , f m be polynomials chosen uniformly and independently from R q . The S I S q , m , β problem over lattices is to find m non-zero integers r 1 , r 2 ,   , r m that satisfy two conditions i = 1 m r i f i = 0   mod   q and ( r 1 ,   r 2 ,   ,   r m ) β .
Definition 7 (SIS assumption).
Given a real number β, a positive integer q, and m polynomials f 1 , f 2 ,   , f m chosen uniformly and independently from R q , there exists no probabilistic polynomial-time adversary A with non-negligible probability for solving the SIS problem. The successful probability (advantage) of the adversary A is presented as
A d v A =   P r [ A ( < b , q , f 1 , f 2 ,   , f m > )   = ( r 1 , r 2 ,   , r m ) : ( r 1 ,   r 2 ,   ,   r m ) β ] .
As stated in Lemma 3, the distribution of h = g/f is statistically close to the uniform distribution of R q [35]. Hence, the SIS problem on NTRU lattice is to find a pair ( z 1 , z 2 ) such that z 1 + h z 2 = 0 and ( z 1 , z 2 ) β.

3. Syntax and Security Model of RCLS

The framework of RCLS scheme is identical to that of the RCLS schemes in [14,15]. In an RCLS scheme, there are three roles, namely, a key generation center (KGC), signers and verifiers. An RCLS scheme consists of eight algorithms that are defined as follows.
Definition 8.
An RCLS scheme contains eight algorithms:
-
Setup (N): The algorithm is probabilistic and performed by an KGC. The algorithm takes as input a security parameter N, it returns the public parameters Parms and a system secret key S K G C . S K G C is kept secret by the KGC and Parms are made public.
-
Partial private key extract (ID): This deterministic algorithm is performed by the KGC. Upon receiving the identity ID of a user, the KGC produces the user’s partial private key D I D and the first partial public key P I D that are returned to the user.
-
Time key update (ID, t): This deterministic algorithm is performed by the KGC. Upon receiving the identity ID of a user and a time period t, the KGC produces the time update key T I D , t of the user and returns it to the user.
-
Set secret value (ID): This probabilistic algorithm is performed by a user with ID. The user randomly selects a secret value S I D , with which the user computes the second partial public key R I D .
-
Set private key ( D I D , T I D , t , S I D ): This deterministic algorithm is performed by a user with ID. The private key S K I D = ( D I D , T I D , t , S I D ) is set by the user.
-
Set public key ( P I D , R I D ): This deterministic algorithm is performed by a user with ID. The public key P K I D = ( P I D , R I D ) is set by the user, where P I D and R I D are the first partial and the second partial public keys respectively.
-
Sign (ID, S K I D , μ, t): This probabilistic algorithm is performed by a user with ID. It takes as input the private key S K I D of the user, a message μ and a time period t, and returns a signature ζ on μ.
-
Verify (ID, P K I D , μ, ζ, t): This deterministic algorithm is performed by a verifier (or receiver). It takes as input the public key P K I D of a user with ID, a message μ, a time period t, and a signature ζ and it returns “accept” if the signature ζ is validated. Otherwise, it returns “reject”.
By the security model of RCLS schemes in [14,15], adversaries have three types that are presented as follows.
  • Type I adversary (outsider): The adversary knows the time update key and the secret value of any entity, which are respectively obtained by listening the public channel and replacing the associated public key.
  • Type II adversary (honest-but-curious KGC): The adversary may produce the partial private key and time update key of any entity, but it does not know the associated secret value.
  • Type III adversary (revoked user): The adversary owns the partial private key and knows the associated secret value, but it does not get the current time update key.
Definition 9.
We say that an RCLS scheme has existential unforgeability against adaptive chosen message attacks (RCLS-UF-ACMA) if a PPT adversary A with a non-negligible advantage wins the following RCLS-UF-ACMA game, which is cooperatively performed by A and a challenger C.
-
Setup. The setup algorithm is performed by the challenger C to produce public parameters Parms and the system secret key S K G C . S K G C is kept secret for C. It is worth mentioning, that if the adversary A is Type II, S K G C is sent to A. Note that for Type I and III adversaries, the KGC plays as the role of the challenger C. For Type II adversary, the honest-but-curious KGC is the adversary A.
-
Queries: A may issue a number of different queries to C adaptively as follows. It is worth mentioning, that Type II adversary has the system secret key S K G C so that it may compute the partial private key and time update key of any entity.
  • Partial private key extract queries (ID). Upon receiving the identity ID of a user, C performs the partial private key extract algorithm to produce and return the user’s partial private key D I D to A.
  • Time key update queries (ID, t). Upon receiving the identity ID of a user and a time period t, the C performs the time key update algorithm to produce and return the time update key T I D , t to A.
  • Secret value queries (ID). Given a user’s ID, C performs the set secret value algorithm to produce and return the secret value S I D to A.
  • Public key queries (ID). Upon receiving the identity ID of a user, C returns P K I D to A.
  • Public key replacement queries (ID, P K I D ). Upon receiving the identity ID of a user and a new public key P K I D , C records this replacement.
  • Sign queries (ID, P K I D , μ, t). Upon receiving ID and P K I D of a user, a message μ and a time period t. C plays the role of the signer and performs the sign algorithm to produce a valid signature ζ on μ and returns ζ to A.
-
Forgery: Assume that the adversary A produces (ID*, P K I D * , μ*, ζ*, t*). It is worth mentioning, that ID* is the target identity. It is said that A wins the RCLS-UF-ACMA game when the following situations hold:
  • (ID*, μ*, t*) was never issued in the sign queries.
  • The verify algorithm on (ID*, P K I D * , μ*, ζ*, t*) outputs “accept”.
  • If A is of Type I adversary, the partial private key extract queries on ID* was never issued.
  • If A is of Type II adversary, ID* was never issued in the secret value and public key replacement queries.
  • If A is of Type III adversary, the time key update queries on (ID*, t*) was never issued.

4. Concrete RCLS Scheme over Lattices

As defined in Definition 8 in Section 4, an RCLS scheme consists of eight algorithms. Here, we propose an efficient lattice-based RCLS scheme. Eight algorithms are presented as follows:
-
Setup: Let s > 0, σ > 0, and λ be a positive integer and N be a security parameter, the KGC chooses a prime q. Then, the KGC runs TrapGen(q, N) of Lemma 3 in Section 2.3 to obtain ( f , g ) , h = g f 1 , f < s N , and g < s N with short basis B = [ C ( g ) C ( f ) C ( G ) C ( F ) ] of Λ h ,   q , where f, g, F, Gϵ R q . Furthermore, the KGC sets the system secret key SKGC as B and selects two system public keys a 1 , a 2 Z q N and three hash functions H 0 , H 1 :   { 0 ,   1 } * Z q N and H2: Z q N × Z q N × {0, 1}*→{v: vϵ{−1, 0, 1}N, v 1 λ}, where v 1 denotes the amount of nonzero elements of the vector v. The public parameters are Parms = < N , s , α , λ , q , h , a 1 , a 2 , H 0 , H 1 , H 2 >.
-
Partial private key extract: Upon receiving the identity IDϵ{0, 1}* of a user, the KGC produces the partial private key ( s 1 , s 2 ) such that s 1 + h * s 2 = P I D and ( s 1 ,   s 2 ) < s 2 N by running SampleGau(B, s, ( P I D ,   0 )) of Lemma 5 in Section 2.5, where P I D = H 0 ( I D ) Z q N is the first partial public key. The KGC returns the partial private key D I D = ( s 1 , s 2 ) to the user securely. Note that Lyubashevsky et al. [36] have shown that if one knows ( h , P I D ), recovering ( s 1 , s 2 ) is still hard.
-
Time key update: Upon receiving the identity ID of a non-revoked user and a time period t, the KGC produces the time update key ( s 3 , s 4 ) such that s 3 + h s 4 = T I D and ( s 3 ,   s 4 ) < s 2 N by running SampleGau(B, s, ( T I D ,   0 )) of Lemma 5 in Section 2.5, where T I D = H 1 ( I D ,   t ) Z q N . The KGC then sends the time update key T I D , t = ( s 3 , s 4 ) to the user by using a public channel.
-
Set secret value: The user with ID randomly chooses a secret value S I D = ( s 5 , s 6 ) uniformly from {−d, …, 0, …, d}, where 1 ≤ d ≤ 31. Meanwhile, the second partial public key is R I D = a 1 s 5 + a 2 s 6 .
-
Set private key: The user with ID may set the private key S K I D = ( D I D , T I D , t , S I D ) .
-
Set public key: The user with ID may set the public key P K I D = ( P I D , R I D ) .
-
Sign: A signer with the private key S K I D takes as input a message μϵ{0,1}*, the signer randomly and independently selects y 1 , y 2 , y 3 , y 4 , y 5 , y 6 by the distribution D σ N , and computes the following values:
c = H 2 ( y 1 + h y 2 , y 3 + h y 4 , a 1 y 5 + a 2 y 6 , μ ) ;
z 1 = y 1 + s 1 c ;   z 2 = y 2 + s 2 c ; z 3 = y 3 + s 3 c ;
z 4 = y 4 + s 4 c ;   z 5 = y 5 + s 5 c ; z 6 = y 6 + s 6 c ,
where ( z 1 ,   z 2 ,   z 3 ,   z 4 ,   z 5 ,   z 6 ) 2 σ 6 N . If no such ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 ) is produced, repeat this algorithm. The above procedure is the rejection sampling technique. Finally, there exists a constant M = O(1) such that the user can produce a signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) with probability min ( D σ 6 N ( z ) / M D v , σ 6 N ( z )   1 ) which is similar to the ring variants of Lyubashevsky’s scheme [22], where
z = [ z 1 T | | z 2 T | | z 3 T | | z 4 T | | z 5 T | | z 6 T ] T
and
v = [ ( s 1 c ) T | | ( s 2 c ) T   | | ( s 3 c ) T   | | ( s 4 c ) T | | ( s 5 c ) T | | ( s 6 c ) T ] T .
-
Verify: Given a signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) for a user’s ID on a message μ, a verifier needs to validate the signature by the equality
c = H 2 ( z 1 + h z 2 P I D c , z 3 + h z 4 T I D c , a 1 z 5 + a 2 z 6 R I D c , μ ) .
The verify algorithm returns “accept” if the checking equality holds. Otherwise, it returns “reject”. The correctness of the checking equality follows by
( z 1 + h z 2 P I D c , z 3 + h z 4 T I D c , a 1 z 5 + a 2 z 6 R I D c )
=   ( y 1 + s 1 c + h ( y 2 + s 2 c ) ( s 1 + h s 2 ) * c , y 3 + s 3 c + h ( y 4 + s 4 c ) ( s 3 + h s 4 ) c ,
a 1 ( y 5 + s 5 c ) + a 2 ( y 6 + s 6 c ) ( a 1 s 5 + a 2 s 6 ) c )
= ( y 1 + h y 2 , y 3 + h y 4 , a 1 y 5 + a 2 y 6 ) .

5. Security Analysis

In the following, we demonstrate that our lattice-based RCLS scheme is secure against both Type I adversary (outsider) and Type III adversary (revoked user) in Theorem 1 while the security against Type II adversary (honest-but-curious KGC) is proven in Theorem 2. The proof technique of both theorems employs the rejection sampling technique in [22] and the Forking lemma in [37].
Theorem 1.
Let three hash functions H 0 , H 1 and H 2 be random oracles and N be the security parameter. Assume that a PPT adversary A (Types I and III) can break our lattice-based RCLS scheme with non-negligible probability ε. Thus, an algorithm C is constructed to resolve the SIS problem with non-negligible probability ( 1 2 ω ( l o g N ) ) ε .
Proof. 
Let q be a prime, N be a positive integer and λ, s, σ > 0. Let the algorithm C be a challenger who receives a random instance ( q ,   2 N ,   2 λ s 2 N + 4 σ 2 N ) of the SIS problem. In the following, we will show how the challenger C can compute a non-zero vector solution ( u 1 , u 2 ) R q 2 of the SIS problem by using A. Here, A (Type I or Type III adversary) interacts with C as defined in the RCLS-UF-ACMA game of Definition 9.
-
Setup. The challenger C randomly chooses polynomials a1, a2, hϵRq and controls the random oracles H 0 , H 1 and H 2 . The public parameters Parms = < N , s , α , λ , q , h , a 1 , a 2 , H 0 , H 1 , H 2 > are sent to A. Meanwhile, C maintains several initially empty lists L0, L1, L2 and LS.
-
Queries. A can adaptively issue several queries to C as follows:
  • H 0 queries: Let L0 consist of tuples of the form < I D i ,   D I D i ,   P I D i > . Upon receiving a query with I D i from A, C produces a response to this query as follows.
    • Search I D i in L0. If it is found, the same answer in L0 is returned to A because the query has been ever issued.
    • Otherwise, select s i 1 ,   s i 2 D s N at random such that ( s i 1 ,   s i 2 ) < s 2 N and compute the polynomial P I D i = s i 1 + h s i 2 . Then P I D i is sent to A and < I D i ,   D I D i = ( s i 1 ,   s i 2 ) ,   P I D i > is added in the list L0.
  • H 1 queries: Let L1 consist of tuples of the form < I D i ,   t ,   T 1 i ,   T I D , t > . Upon receiving a query with (IDi, t) from A, C produces a response to this query as follows.
    • Search ( I D i , t) in L1. If it is found, the same answer in L1 is returned to A because the query has been ever issued.
    • Otherwise, select s i 3 ,   s i 4 D s N at random such that ( s i 3 ,   s i 4 ) < s 2 N and compute the polynomial T 1 i = s i 3 + h s i 4 . Then T 1 i is sent to A and < I D i ,   t ,   T 1 i ,   T I D , t > is added in the list L1.
  • H 2 queries: Let L2 consist of tuples of the form < w j , x j , v j , μ j , c j >. Upon receiving a query with ( w j , v j , x j , μ j ) from A, C produces a response to this query as follows.
    • Search ( w j , v j , x j , μ j ) in L2. If it is found, the same answer in L2 is returned to A because the query has been ever issued.
    • Otherwise, randomly select   c j Z q N . Then   c j is sent to A and < w j , x j , v j , m j , c j > is added in the list L2.
  • Partial private key queries: A issues this query along with I D i , C produces a response to this query as follows.
    • Search I D i in L0. If it is found, the same answer in L0 is returned to A because the query has been ever issued.
    • Otherwise, issue the H 0 query to obtain the tuple < I D i ,   D I D i ,   P I D i > . Then, return D I D i to A.
  • Time key update queries: A issues this query along with ( I D i , t), C produces a response to this query as follows.
    • Search ( I D i , t) in L1. If it is found, the same answer in L1 is returned to A because the query has been ever issued.
    • Otherwise, issue the H 1 query to obtain the tuple < I D i ,   t ,   T 1 i ,   T I D , t > . Then, return T 1 i to A.
  • Secret value queries: Let LS consist of tuples of the form < I D i ,   S I D i ,   R I D i > . Upon receiving a query with I D i from A, C produces a response to this query as follows.
    • Search I D i in LS. If it is found, the same answer in LS is returned to A because the query has been ever issued.
    • Otherwise, randomly select s i 5 ,   s i 6 { d ,   ,   0 ,   ,   d } , where 1 ≤ d ≤ 31, and compute the polynomial R I D i = a 1 s i 5 + a 2 s i 6 . Then S I D i = ( s i 5 ,   s i 6 ) is sent to A and < I D i ,   S I D i ,   R I D i > is added in the list LS.
  • Public key queries: A issues this query along with I D i , C produces a response to this query as follows.
    • Search I D i in L0 and LS. If it is found, which means that the query has been ever issued, then C returns A with the same answer P K I D i = ( P I D i ,   R I D i ) , where P I D i and R I D i are taken from L0 and LS, respectively.
    • Otherwise, issue the H0 query and Secret value query to obtain P I D i and R I D i . Then P K I D i = ( P I D i ,   R I D i ) is sent to A.
  • Public key replacement queries: A issues this query along with a new public key P K I D i = ( P I D i ,   R I D i ) of I D i to replace the old public key P K I D i = ( P I D i ,   R I D i ) , C replaces the P I D i in L0 with P I D i and the R I D i in LS with R I D i .
  • Sign queries: Upon receiving a request from A along with a message μ j , a time period t and ( I D i ,   P K I D i ) , where P K I D i = ( P I D i ,   R I D i ) , the challenger C makes the following steps to produce a valid signature.
    • Search I D i in L0, L1 and LS, respectively, to obtain < I D i ,   D I D i ,   P I D i > , < I D i ,   t ,   T 1 i ,   T I D , t > and < I D i ,   S I D i ,   R I D i > .
    • Randomly choose   c j ϵ{v: vϵ{−1, 0, 1}N, v 1 λ} and z 1 , z 2 , z 3 , z 4 , z 5 , z 6 D σ N with ( z 1 ,   z 2 ,   z 3 ,   z 4 ,   z 5 ,   z 6 ) 2 σ 6 N . Then, compute w j = z 1 + h z 2 P I D i c j , v j = z 3 + h z 4 T 1 i c j and x j = a 1 z 5 + a 2 z 6 R I D i c j .
    • Add < w j , v j , x j , μ j , c j > in the list L2 and send the signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c j ) on μ j to A.
      Note that the signature ζ = ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c j ) is valid because it may satisfy the following equality:
      c j = H 2 ( z 1 + h z 2 P I D i c j , z 3 + h z 4 T 1 i c j , a 1 z 5 + a 2 z 6 R I D i c j , μ j ) = H 2 ( w j , v j , x j , m j ) .
      Therefore, when the adversary A issues the Sign query, the challenger C can output a valid signature even though C does not possess the valid secret key or time update key.
-
Forgery: After making all the queries needed, the adversary A forges a signature tuple ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) on message μ* for ID* at time period t*.
When A successfully forges a valid signature ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) , the challenger C uses the Forking lemma [37] and replays A with different hash value of H 2 queries to produce another valid signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) such that c* ≠ c' by the same random tape. Because ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) and ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) are two valid signatures on the message μ* for (ID*, P K I D * , t*), we can obtain the equality
H 2 ( z 1 * + h z 2 * P I D * c * ,   z 3 * + h z 4 * T 1 i * c * ,   a 1 z 5 * + a 2 z 6 * R I D * c * ,   μ * )
= H 2 ( z 1 + h z 2 P I D * c ,   z 3 + h z 4 T 1 i * c ,   a 1 z 5 * + a 2 z 6 * R I D * c ,   μ * ) ,
which reduces to
z 1 * + h z 2 * P I D * c * = z 1 + h z 2 P I D * c .
Since P I D * = s 1 + h s 2 , we arrive at
z 1 * + h z 2 * ( s 1 + h s 2 ) c * = z 1 + h z 2 ( s 1 + h s 2 ) c
z 1 * z 1 s 1 ( c * c ) + h ( z 2 * z 2 s 2 ( c * c ) ) = 0
( 1 ,   h ) * ( z 1 * z 1 s 1 ( c * c ) ,   z 2 * z 2 s 2 ( c * c ) ) = 0 .
Then, the challenger C sets ( u 1 ,   u 2 ) = ( z 1 * z 1 s 1 ( c * c ) ,   z 2 * z 2 s 2 ( c * c ) ) .
If ( z 1 * z 1 ,   z 2 * z 2 ) 4 σ 2 N and ( s 1 ,   s 2 ) s 2 N with overwhelming probability, we can obtain ( u 1 ,   u 2 ) 2 λ s 2 N + 4 σ 2 N . As stated in Lemma 3, the distribution of h = g/f is statistically close to the uniform distribution of R q [35]. The SIS problem on NTRU lattice is to find a pair ( u 1 , u 2 ) ϵ R q 2 such that u 1 + h u 2 = 0 and ( u 1 , u 2 ) β, where β is 2 λ s 2 N + 4 σ 2 N . Since the adversary A does not know the system secret key B generated by g, fϵ R q and has generated such a pair ( u 1 , u 2 ) , we say that the adversary A solves the SIS problem. According to the same probability analysis in [22], if the adversary A can break our lattice-based RCLS scheme with non-negligible probability ε. Then, we can construct an algorithm C to solve the SIS problem with non-negligible probability ( 1 2 ω ( l o g N ) ) ε . ☐
Theorem 2.
Let three hash functions H 0 , H 1 and H 2 be random oracles and N be the security parameter. Assume that an PPT adversary A (Types II) can break our lattice-based RCLS scheme with non-negligible probability ε. Thus, an algorithm C is constructed to resolve the SIS problem with non-negligible probability ( 1 2 ω ( l o g N ) ) ε .
Proof. 
Let q be a prime, N be a positive integer and λ, s, σ > 0. Let the algorithm C be a challenger who receives a random instance ( q ,   2 N ,   2 λ d 2 N + 4 σ 2 N ) of the SIS problem. In the following, we will show how C can compute a non-zero vector solution ( u 1 , u 2 ) of the SIS problem by using A. Here, A (Type II adversary) interacts with the challenger C as defined in the RCLS-UF-ACMA game of Definition 9.
-
Setup. The challenger C performs the Setup algorithm of our lattice-based RCLS scheme to set SKGC = B and Parms = < N , s , α , λ , q , h , a 1 , a 2 , H 0 , H 1 , H 2 >, where three hash functions H 0 , H 1 and H 2 are random oracles. The system secret key and Parms are then sent to A. Having the system secret key S K G C , C can compute the partial private key D I D , time update key T I D , t , and partial public key P I D of any user with I D i without issuing the other queries. Meanwhile, C maintains several initially empty lists L0, L1, L2 and LS.
-
Queries. A can adaptively issue several queries to C as follows:
  • H 0 queries: Let L0 consist of tuples of the form < I D i ,   D I D i ,   P I D i > . Upon receiving a query with I D i from A, C produces a response to this query as follows.
    • Search I D i in L0. If it is found, the same answer in L0 is returned to A because the query has been ever issued.
    • Otherwise, randomly select a P I D i Z q N and run the algorithm SampleGau(B, s, ( P I D i , 0)) to obtain s i 1 ,   s i 2 D s N such that ( s i 1 ,   s i 2 ) < s 2 N . Then P I D i is sent to A and < I D i ,   D I D i = ( s i 1 ,   s i 2 ) ,   P I D i > is added in the list L0.
  • H 1 queries: Let L1 consist of tuples of the form < I D i ,   t ,   T 1 i ,   T I D , t > . Upon receiving a query with ( I D i , t) from A, C produces a response to this query as follows.
    • Search ( I D i , t) in L1. If it is found, the same answer in L1 is returned to A because the query has been ever issued.
    • Otherwise, select s i 3 ,   s i 4 D s N at random such that ( s i 3 ,   s i 4 ) < s 2 N and compute the polynomial T 1 i = s i 3 + h s i 4 . Then T 1 i is sent to A and < I D i ,   t ,   T 1 i ,   T I D , t > is added in the list L1.
  • H 2 queries: Let L2 consist of tuples of the form < w j , x j , v j , μ j , c j >. Upon receiving a query with ( w j , v j , x j , μ j ) from A, C produces a response to this query as follows.
    • Search ( w j , v j , x j , μ j ) in L2. If it is found, the same answer in L2 is returned to A because the query has been ever issued.
    • Otherwise, randomly select   c j Z q N . Then   c j is sent to A and < w j , v j , x j , μ j , c j > is added in the list L2.
  • Secret value queries: Let LS consist of tuples of the form < I D i ,   S I D i ,   R I D i > . Upon receiving a query with I D i from A, C produces a response to this query as follows.
    • Search I D i in LS. If it is found, the same answer in LS is returned to A because the query has been ever issued.
    • Otherwise, randomly select s i 5 ,   s i 6 { d ,   ,   0 ,   ,   d } , where 1 ≤ d ≤ 31, and compute the polynomial R I D i = a 1 s i 5 + a 2 s i 6 . Then S I D i = ( s i 5 ,   s i 6 ) is sent to A and < I D i ,   S I D i ,   R I D i > is added in LS.
  • Public key queries: A issues this query along with I D i , C produces a response to this query as follows.
    • Search I D i in L0 and LS. If it is found, which means that the query has been ever issued, then C returns A with the same answer P K I D i = ( P I D i ,   R I D i ) , where P I D i and R I D i are taken from L0 and LS, respectively.
    • Otherwise, issue the H0 queries and Secret value queries to obtain P I D i and R I D i . Then P K I D i = ( P I D i ,   R I D i ) is sent to A.
  • Public key replacement queries: A issues this query along with a new public key P K I D i = ( P I D i ,   R I D i ) of I D i to replace the old public key P K I D i = ( P I D i ,   R I D i ) , C replaces the P I D i in L0 with P I D i and the R I D i in LS with R I D i .
  • Sign queries: Upon receiving a query from A along with ( μ j ,   I D i ,   P K I D i ) at time period t, where P K I D i = ( P I D i ,   R I D i ) , the challenger C makes the following steps to produce a valid signature.
    • Search I D i in L0, L1 and LS, respectively, to obtain < I D i ,   D I D i ,   P I D i > , < I D i ,   t ,   T 1 i ,   T I D , t > and < I D i ,   S I D i ,   R I D i > .
    • Randomly choose   c j ϵ{v:vϵ{−1, 0, 1}N, v 1 λ} and z 1 , z 2 , z 3 , z 4 , z 5 , z 6 D σ N with ( z 1 ,   z 2 ,   z 3 ,   z 4 ,   z 5 ,   z 6 ) 2 σ 6 N . Then, compute w j = z 1 + h z 2 P I D i c j , v j = z 3 + h z 4 T 1 i c j and x j = a 1 z 5 + a 2 z 6 R I D i c j .
    • Add < w j , v j , x j , μ j , c j > in the list L1 and send the signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c j ) on μ j to A.
      Finally, as in the proof of Theorem 1, the signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c j ) is valid and can pass the verification.
-
Forgery: After making all the queries needed, the adversary A forges a valid signature tuple ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) on message μ* for ID* at time period t*.
When A successfully forges a valid signature ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) , the challenger C uses the Forking lemma [37] and replays A with different hash value of H2 queries to produce another valid signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) such that c* ≠ c' by the same random type. Because ( z 1 * , z 2 * , z 3 * , z 4 * , z 5 * , z 6 * , c * ) and ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) are two valid signatures for (μ*, ID*, P K I D * ), we can obtain the equation
H 2 ( z 1 * + h z 2 * P I D * c * ,   z 3 * + h z 4 * T 1 i * c * ,   a 1 z 5 * + a 2 z 6 * R I D * c * ,   μ * ) = H 2 ( z 1 + h z 2 P I D * c ,   z 3 + h z 4 T 1 i * c ,   a 1 z 5 * + a 2 z 6 * R I D * c ,   μ * ) ,
which reduces to
a 1 z 5 * + a 2 z 6 * R I D * c * = a 1 z 5 + a 2 z 6 R I D * c .
Since   R I D * = a 1 s 5 + a 2 s 6 , we arrive at
a 1 z 5 * + a 2 z 6 *   ( a 1 s 5 + a 2 s 6 ) c * = a 1 z 5 + a 2 z 6 ( a 1 s 5 + a 2 s 6 ) c a 1 ( z 5 * z 5 ) + a 2 ( z 6 * z 6 ) a 1 s 5 ( c * c ) a 2 s 6 ( c * c ) = 0 a 1 ( z 5 * z 5 s 5 ( c * c ) ) + a 2 ( z 6 * z 6 s 6 ( c * c ) ) = 0 ( a 1 ,   a 2 ) ( z 5 * z 5 s 5 ( c * c ) , z 6 * z 6 s 6 ( c * c )   ) = 0
Let ( u 1 ,   u 2 ) = ( z 5 * z 5 s 5 ( c * c ) ,   z 6 * z 6 s 6 ( c * c ) ) .
If ( z 5 * z 5 ,   z 6 * z 6 ) 4 σ 2 N and ( s 5 ,   s 6 ) 2 d λ 2 N with overwhelming probability, we can obtain ( u 1 ,   u 2 ) 2 d λ 2 N + 4 σ 2 N . As stated in Lemma 3, the distribution of h = g/f is statistically close to the uniform distribution of Rq [35]. The SIS problem on NTRU lattice is to find a pair ( u 1 , u 2 ) ϵ R q 2 such that u 1 + h u 2 = 0 and ( u 1 , u 2 ) β, where β is 2 λ s 2 N + 4 σ 2 N . Since the adversary A does not know the system secret key B generated by g, fϵ R q and has generated such a pair ( u 1 , u 2 ) , we say that the adversary A solves the SIS problem. According to the same probability analysis in [22], if the adversary A can break our lattice-based RCLS scheme with non-negligible probability ε. Then, we can construct an algorithm C to solve the SIS problem with non-negligible probability ( 1 2 ω ( l o g N ) ) ε . ☐

6. Comparisons

To show the advantages of the proposed RCLS scheme, we make the comparisons between the previous schemes and ours. For convenience, we define the following notations to count the computational costs.
  • T s : The required time of performing a sampling operation D σ .
  • T m : The required time of performing a multiplication operation.
  • T a : The required time of performing an addition/subtraction operation.
Table 1 demonstrates comparisons between Tian and Huang’s CLS scheme ([30]) and the proposed RCLS scheme in terms of lattice type, public key setting, averting key escrow problem, private key size, signature length, the computation costs of signing and verifying processes. Tian and Huang’s CLS scheme is constructed under the certificateless public key settings to solve the key escrow problem, but it does not address the revocation problem. Our RCLS scheme resolves both the revocation and key escrow problems. For the usage of Lattices, Tian and Huang’s CLS scheme uses the GPV lattice in [20] to generate the private key of a user. It is worth mentioning, that the related parameters in Table 1 have the following relationships: m 1 > 2 N l o g q , m 2 > 64 + N l o g q , s ^ 1 = m 1 ω ( log N ) , s ^ 2 = m 2 ω ( log N ) , s = N 5 / 2 2 q ω ( log N ) , σ ^ = 12 s ^ λ m 1 , σ = 12λsN. In Table 2, we choose concrete parameters: N = 512, q = 226, k = 512, d = 31, λ = 14, m1 = 38,400, m2 = 25,600 and make the comparisons of instances in bit-length. According to Table 1 and Table 2, for both the private key size, signature length, the computation costs of signing and verifying processes, our RCLS scheme is better than Tian and Huang’s CLS scheme. Our scheme adopts public channels to send the periodic time update keys.
Indeed, the signing processes of all three schemes mentioned above employ the same the rejection sampling technique in Lyubashevsky’s scheme [22] to produce signatures. Here, lets discuss the rejection probability in the signing process. If the rejection probability is too large, the performance of generating signatures may be inefficient. In our scheme, the signer can produce a useful signature ( z 1 , z 2 , z 3 , z 4 , z 5 , z 6 , c ) with probability min ( D σ 6 N ( z ) / M D v , σ 6 N ( z ) ,   1 ) . That is, the signer with probability ( 1 2 100 ) / M may output a useful signature by Lemma 4. According to the specific parameters N = 512, q ≈ 226, k = 512 and d = 31 in [22], the M value is about 7.4. Hence, the performance of signing process still remains efficiency.

7. Conclusions

In this paper, we proposed the first provably secure RCLS scheme with a public channel over lattices, which possesses existential unforgeability against adaptive chosen-message attacks. Under the SIS assumption and in the random oracle model, we formally established the security of our lattice-based RCLS scheme for three types of adversaries, namely, outside adversary, honest-but-curious KGC and revoked user. By performance analysis and comparisons, we have demonstrated that the proposed lattice-based RCLS scheme is better than the previously proposed lattice-based CLS scheme, in terms of private key size, signature length, the security property and the revocation mechanism.

Acknowledgments

The authors would like to appreciate anonymous referees for their valuable comments and constructive suggestions. This research was partially supported by Ministry of Science and Technology, Taiwan, under contract no. MOST106-2221-E-018-007-MY2.

Author Contributions

For the research paper, Ying-Hao Hung and Yuh-Min Tseng proposed and designed the RCLS scheme with a public channel over lattices. Sen-Shan Huang presented the background about lattices. Three authors cooperatively proved the security of the proposed scheme. Ying-Hao Hung and Yuh-Min Tseng made performance comparisons.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Shamir, A. Identity-Based cryptosystems and signature schemes. In Proceedings of the Cryptology 1984 (Crypto’84), Santa Barbara, CA, USA, 19–22 August 1984; Springer: New York, NY, USA, 1985; LNCS Volume 196, pp. 47–53. [Google Scholar]
  2. Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. In Proceedings of the Cryptology 2001 (Crypto’01), Santa Barbara, CA, USA, 19–23 August 2001; Springer: New York, NY, USA, 2001; LNCS Volume 2139, pp. 213–229. [Google Scholar]
  3. Al-Riyami, S.S.; Paterson, K.G. Certificateless public key cryptography. In Proceedings of the Advances in Cryptology (ASIACRYPT’03), Taipei, Taiwan, 30 November–4 December 2003; Springer: New York, NY, USA, 2003; LNCS Volume 2894, pp. 452–473. [Google Scholar]
  4. Al-Riyami, S.S.; Paterson, K.G. CBE from CL-PKE: A generic construction and efficient schemes. In Proceedings of the Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005; Springer: New York, NY, USA, 2005; LNCS Volume 3386, pp. 398–415. [Google Scholar]
  5. Libert, B.; Quisquater, J.J. On constructing certificateless cryptosystems from identity based encryption. In Proceedings of the Public Key Cryptography (PKC’06), New York, NY, USA, 24–26 April 2006; Springer: New York, NY, USA, 2006; LNCS Volume 3958, pp. 474–490. [Google Scholar]
  6. Huang, X.; Mu, Y.; Susilo, W.; Wong, D.; Wu, W. Certificateless signature revisited. In Proceedings of the Australasian Conference on Information Security and Privacy (ACISP’06), Melbourne, Australia, 3–5 July 2006; Springer: New York, NY, USA, 2007; LNCS Volume 4586, pp. 308–322. [Google Scholar]
  7. Hwang, Y.H.; Liu, J.K.; Chow, S.S.M. Certificateless public key encryption secure against malicious KGC attacks in the standard model. J. Universal Comput. Sci. 2008, 14, 463–480. [Google Scholar]
  8. Chen, Y.C.; Tso, R.; Susilo, W.; Huang, X.; Horng, G. Certificateless signatures: Structural extensions of security models and new provably secure schemes. In Cryptology ePrint Archiv: Report 2013/193; IACR: Santa Barbara, CA, USA, 2013. [Google Scholar]
  9. Hung, Y.H.; Huang, S.S.; Tseng, Y.M.; Tsai, T.T. Certificateless signature with strong unforgeability in the standard model. Informatica 2015, 26, 663–684. [Google Scholar] [CrossRef]
  10. Tseng, Y.M.; Tsai, T.T. Efficient revocable ID-based encryption with a public channel. Comput. J. 2012, 55, 475–486. [Google Scholar] [CrossRef]
  11. Tsai, T.T.; Tseng, Y.M.; Huang, S.S. Efficient revocable certificateless public key encryption with a delegated revocation authority. Secur. Commun. Netw. 2015, 8, 3713–3725. [Google Scholar] [CrossRef]
  12. Shen, L.; Zhang, F.; Sun, Y. Efficient revocable certificateless encryption secure in the standard model. Comput. J. 2014, 57, 592–601. [Google Scholar] [CrossRef]
  13. Sun, Y.; Zhang, F.; Shen, L. A revocable certificateless signature scheme. J. Comput. 2014, 9, 1843–1850. [Google Scholar] [CrossRef]
  14. Tsai, T.T.; Huang, S.S.; Tseng, Y.M. Secure certificateless signature with revocation in the standard model. Math. Probl. Eng. 2014, 2014, 728591. [Google Scholar] [CrossRef]
  15. Hung, Y.H.; Tseng, Y.M.; Huang, S.S. A revocable certificateless short signature scheme and its authentication application. Informatica 2016, 27, 549–572. [Google Scholar] [CrossRef]
  16. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 1997, 26, 1484–1509. [Google Scholar] [CrossRef]
  17. Bernstein, D.J. Introduction to Post-Quantum Cryptography. Post-Quantum Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; pp. 1–14. [Google Scholar]
  18. Goldreich, O.; Goldwasser, S.; Halevi, S. Public-key cryptosystems from lattice reduction problems. In Proceedings of the Advances in Cryptology (CRYPTO’97), Santa Barbara, CA, USA, 17–21 August 1997; Springer: New York, NY, USA, 1997; LNCS Volume 1294, pp. 112–131. [Google Scholar]
  19. Nguyen, P.; Regev, O. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. J. Cryptol. 2009, 22, 139–160. [Google Scholar] [CrossRef]
  20. Gentry, C.; Peikert, C.; Vaikuntanathan, V. How to use a short basis: Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Annual Symposium on the Theory of Computing (STOC’08), Victoria, BC, Canada, 17–20 May 2008; ACM Press: New York, NY, USA, 2008; pp. 197–206. [Google Scholar]
  21. Lyubashevsky, V. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Proceedings of the Advances in Cryptology (ASIACRYPT’09), Tokyo, Japan, 6–10 December 2009; Springer: New York, NY, USA, 2009; LNCS Volume 5912, pp. 598–616. [Google Scholar]
  22. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Advances in Cryptology (EUROCRYPT’12), Cambridge, UK, 15–19 April 2012; Springer: New York, NY, USA, 2012; LNCS Volume 7237, pp. 738–755. [Google Scholar]
  23. Ruckert, M. Strongly unforgeable signatures and hierarchical identity-based signatures over lattices without random oracles. In Proceedings of the Post-Quantum Cryptography (PQC’10), Darmstadt, Germany, 25–28 May 2010; Springer: New York, NY, USA, 2010; LNCS Volume 6061, pp. 182–200. [Google Scholar]
  24. Liu, Z.H.; Hu, Y.P.; Zhang, X.S.; Li, F. Efficient and strongly unforgeable identity-based signature scheme over lattices in the standard model. Secur. Commun. Netw. 2013, 6, 69–77. [Google Scholar] [CrossRef]
  25. Tian, M.; Huang, L. Efficient identity-based signature from lattices. In Proceedings of the IFIP International Information Security Conference (SEC’14), Marrakech, Morocco, 2–4 June 2014; IFIPAICT Volume 428, pp. 321–329. [Google Scholar]
  26. Ducas, L.; Lyubashevsky, V.; Prest, T. Efficient identity-based encryption over NTRU lattices. In Proceedings of the Advances in Cryptology (ASIACRYPT’14), Kaohsiung, Taiwan, 7–11 December 2014; Springer: New York, NY, USA, 2014; LNCS Volume 8874, pp. 22–41. [Google Scholar]
  27. Xiang, X. Adaptive secure revocable identity-based signature scheme over lattices. Comput. Eng. 2015, 41, 126–129. [Google Scholar]
  28. Boldyreva, A.; Goyal, V.; Kumar, V. Identity-based encryption with efficient revocation. In Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS’08), Alexandria, VA, USA, 27–31 October 2008; ACM Press: New York, NY, USA, 2008; pp. 417–426. [Google Scholar]
  29. Hung, Y.H.; Tseng, Y.M.; Huang, S.S. Revocable ID-based signature with short size over lattices. Secur. Commun. Netw. 2017, 2017, 7571201. [Google Scholar] [CrossRef]
  30. Tian, M.; Huang, L. Certificateless and certificate-based signatures from lattices. Secur. Commun. Netw. 2105, 8, 1575–1586. [Google Scholar] [CrossRef]
  31. Micciancio, D.; Regev, O. Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 2007, 37, 267–302. [Google Scholar] [CrossRef]
  32. Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Silverman, J.; Whyte, W. Ntrusign: Digital signatures using the ntru lattice. In Proceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA’03), San Francisco, CA, USA, 13–17 April 2003; Springer: New York, NY, USA, 2003; LNCS Volume 2612, pp. 122–140. [Google Scholar]
  33. Micciancio, D.; Peikert, C. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Proceedings of the Advances in Cryptology (EUROCRYPT’12), Cambridge, UK, 15–19 April 2012; Springer: New York, NY, USA, 2012; LNCS Volume 7237, pp. 700–718. [Google Scholar]
  34. Ajtai, M. Generating hard instances of lattice problems. In Proceedings of the ACM Symposium on Theory of Computing (STOC’96), Philadelphia, PA, USA, 22–24 May 1996; ACM Press: New York, NY, USA, 1996; pp. 99–108. [Google Scholar]
  35. Stehle, D.; Steinfeld, R. Making NTRUEnrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. In Cryptology ePrint Archive: Report 2013/4; IACR: Santa Barbara, CA, USA, 2013. [Google Scholar]
  36. Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. In Proceedings of the Advances in Cryptology (EUROCRYPT’10), French Riviera, France, 30 May–3 June 2010; Springer: New York, NY, USA, 2010; LNCS Volume 6110, pp. 1–23. [Google Scholar]
  37. Pointcheval, D.; Stern, J. Security arguments for digital signatures and blind signatures. J. Cryptol. 2000, 13, 361–396. [Google Scholar] [CrossRef]
Table 1. Comparisons among previously proposed RIBS, CLS schemes and ours.
Table 1. Comparisons among previously proposed RIBS, CLS schemes and ours.
PropertiesTian and Huang’s CLS SchemeOur RCLS Scheme
Lattice typeGPV latticeNTRU lattice
Public-key settingCLSRCLS
Revocable functionalityNoPublic channel
Averting key escrow problemYesYes
Private key size 2 m 1 k log ( s ^ 1 m 1 ) + 2 m 2 k log ( s ^ 2 m 2 ) 6 N log ( s N )
Signature length ( m 1 + m 2 ) log(12 σ ^ ) + λ(logk+1)6Nlog(12σ) + λ(logN+1)
Computational cost of signing ( m 1 + m 2 ) ( T s + 2 N T m + T a ) 6 N T s + 9 N ( T m + T a )
Computational cost of verifying 2 N ( m 1 + m 2 ) T m + 2 N T a 7 N T m + 6 N T a
Table 2. Comparisons of concrete instances in bit-length.
Table 2. Comparisons of concrete instances in bit-length.
Bit-LengthTian and Huang’s CLS SchemeOur RCLS Scheme
Private key size595,222,811127,749
Signature length2,026,680175,312
Back to TopTop