ID-Based Strong Designated Verifier Signature over R-SIS...



  • Research Article
    ID-Based Strong Designated Verifier Signature over R-SIS Assumption

    Jie Cai,1 Han Jiang,2 Pingyuan Zhang,1 Zhihua Zheng,3 Hao Wang,3 Guangshi Lü,1 and Qiuliang Xu2

    1 School of Mathematics, Shandong University, Ji’nan, Shandong, China
    2 School of Software, Shandong University, Ji’nan, Shandong, China
    3 School of Information Science and Engineering, Shandong Normal University, Ji’nan, Shandong, China

    Correspondence should be addressed to Han Jiang; [email protected]

    Received 23 April 2019; Accepted 18 June 2019; Published 15 July 2019

    Academic Editor: Clemente Galdi

    Copyright © 2019 Jie Cai et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

    In this paper, we propose an ID-based strong designated verifier signature (SDVS) scheme under the R-SIS assumption in the random model. We remove the complex structures used in previous lattice-based SDVS schemes, namely the pre-image sampling function and Bonsai trees, and rely only on simple rejection sampling to protect the security of our scheme. As a result, we show that our design has the shortest signature size among existing lattice-based ID-based SDVS schemes. In addition, our scheme satisfies anonymity (privacy of signer’s identity), which has rarely been proved for existing schemes, and it resists side-channel attacks by using uniform sampling.

    1. Introduction

    The first designated verifier signature scheme was proposed by Jakobsson, Sako, and Impagliazzo [1] in 1996. In this scheme, only the designated verifier can verify the correctness of a generated signature, and he cannot convince others of its validity. The main reason is that the designated verifier can himself generate a transcript that is indistinguishable from the real signatures. In [1], they also introduced the notion of a strong designated verifier signature (SDVS) to resist an online eavesdropper’s attack. In an SDVS, anyone can create an identical transcript which is indistinguishable from real signatures. Generally speaking, an SDVS needs to satisfy unforgeability and untransferability, which were formalized by Saeednia, Kremer, and Markowitch in [2]. In [3], Laguillaumie and Vergnaud added a further property, privacy of signer’s identity (anonymity), which means that no adversary can distinguish Alice’s signature for Bob from Cindy’s signature for Bob without Bob’s secret key.

    An advantage of an identity-based scheme is that the verifier doesn’t need to set up his public key before receiving an authenticated message from the signer. In [4], Susilo, Zhang, and Mu first introduced the notion of identity-based SDVS (ID-based SDVS). They gave an efficient generic construction of such schemes based on the bilinear Diffie-Hellman assumption.

    2. Related Work

    2.1. Classical ID-Based SDVS Schemes. Several classical ID-based SDVS schemes have been proposed since the first general construction was introduced in [4]. In [5], Huang et al. proposed a short ID-based SDVS based on bilinear pairing. The contribution of that paper is not merely the shorter signature size but also two security proofs, one in the random model and one in the standard model. In addition, the scheme of [5] has anonymity, unlike [4]. Recently, Blazy et al. provided an ID-based SDVS [6] under the CDH assumption in the standard model.

    However, classical ID-based SDVS schemes cannot resist quantum adversaries. Hence, people try to design postquantum ID-based SDVS schemes. With the collection of postquantum algorithms by NIST, lattice-based cryptography is widely studied.

    Hindawi, Security and Communication Networks, Volume 2019, Article ID 9678095, 8 pages, https://doi.org/10.1155/2019/9678095


    2.2. Lattice-Based ID-Based SDVS Schemes. As far as we know, there are two main postquantum schemes, both based on lattice hard problems. The first lattice-based ID-based SDVS was proposed by Noh et al. [7]. They used a pre-image sampling function and Bonsai trees (see [8]) with large parameters to protect the security. Soon afterwards, Wang et al. proposed a more efficient scheme [9]. The security of this scheme is based on the hardness of LWE, and its unforgeability can be reduced to the SIS problem in the random model. At the same time, they showed that the signature size ($3m \log q$) is shorter than that of any other existing SDVS scheme.

    However, the above schemes use Gaussian sampling, which makes it hard for them to resist side-channel attacks [10–12], and the authors only gave proofs of unforgeability and untransferability, without anonymity.

    2.3. Our Contribution. In this paper, we propose an efficient ID-based SDVS based on the SIS problem over a ring in the random model. Our design has the following advantages:

    (1) Shorter signature size and lower rejection time. The signature size of our scheme is approximately $2m \log q + m$. Since $q \gg 2$ holds in practical applications, it is easy to see that our result is better than $3m \log q$ [9]. The main reason is that we don’t use complex structures such as the pre-image sampling function and Bonsai trees, so we needn’t choose overly large parameters to protect the existence and security of the scheme. As for efficiency, we use the filtering technique (see [13]) to make the rejection 1.28, lower than others.

    (2) Resisting side-channel attacks. The common sampling methods in existing lattice-based signatures are Gaussian sampling (see [14–16]) and uniform sampling (see [13, 17, 18]). It has been shown that schemes with Gaussian sampling are easily exposed to side-channel attacks [10–12]. Hence we choose uniform sampling to resist them efficiently.

    (3) Satisfying anonymity. Although anonymity was introduced in [3] long ago, it has very rarely been proved for existing schemes. Our scheme satisfies the three properties of unforgeability, untransferability, and anonymity. In addition, anonymity can be reduced to solving the SIS problem.

    Organization of the Paper. Section 3 gives the basic notations, the relevant lattice hardness assumption, the rejection sampling used in our scheme, and the detailed definitions of ID-based SDVS and its security model. We present our ID-based SDVS scheme in detail in Section 4. In Section 5, we provide the proof of security. In Section 6, we present the relationships between our parameters that ensure the existence and security of our scheme. Finally, we give a conclusion and further work in Section 7. Data availability, conflicts of interest, and the funding statement can be found in the last three sections, respectively.

    3. Preliminaries

    3.1. Notations. We denote the ring $R_q = \mathbb{Z}_q[x]/(x^n + 1)$, where $q$ is a prime number and $n$ is a power of 2. Bold lowercase (capital) letters are vectors (matrices), and normal letters are integers or reals. The $\ell_p$ norm of a vector $\mathbf{x}$ is denoted by $\|\mathbf{x}\|_p$ ($p = 1, 2, \infty$). $D_\gamma$ denotes a uniform distribution in which an element $\mathbf{x} \xleftarrow{\$} R_q$ is chosen randomly such that $\|\mathbf{x}\|_\infty \le \gamma$. The inverse of an invertible element $\mathbf{x}$ in distribution $D_\gamma$ is written $\mathbf{x}^{-1}$. An element in $R_q^{n \times m}$ is $\mathbf{X} = \{\mathbf{x}_1 \ldots \mathbf{x}_m\}$, $m \ge n \log q$. We note that $h : \{0, 1\}^* \to \{\mathbf{r} : \mathbf{r} \in \{-1, 0, 1\}^m, \|\mathbf{r}\|_1 \le \iota\}$ is a hash function. The function $H$ maps $\{0, 1\}^*$ to $R_q^{m \times m}$ and is derived by using AES128-ECB [19, 20].

    3.2. Rejection Sampling. Earlier in this paper we noted that Gaussian sampling can lead to serious side-channel attacks, so we only present uniform sampling in this part.

    The method of uniform sampling is usually called the filtering technique [17, 18]. Its core idea is that the signer outputs a signature only when it falls in a properly chosen range; the aim is to make such an output uniform so as to protect his secret key. In [13], Rückert provided a form over polynomial rings.

    Lemma 1 (see [13]). Given two sets $S_1 = \{\mathbf{a} \in \mathbb{Z}^m \mid \|\mathbf{a}\|_\infty \le A\}$ and $S_2 = \{\mathbf{b} \in \mathbb{Z}^m \mid \|\mathbf{b}\|_\infty \le B,\ B \ge \Phi m A,\ \Phi \in \mathbb{N}^+\}$, for any $\mathbf{a} \in S_1$ and $\mathbf{b} \xleftarrow{\$} S_2$ we have $\Pr[\|\mathbf{a} - \mathbf{b}\|_\infty \le B - A] > e^{-1/\Phi} - o(1)$.

    Usually, $\mathbf{a}$ contains information about the secret key and the signature has the form $\mathbf{a} - \mathbf{b}$. According to the above lemma, the output $\mathbf{a} - \mathbf{b}$ is indistinguishable from the uniform distribution if and only if it is constrained to the range $B - A$. Further, if the signature is in this range, $\mathbf{a}$ doesn’t leak any information about the secret key.

    More importantly, this lemma tells us that the signature size depends on three parameters $\Phi$, $m$, and $A$. In principle, the smaller these parameters, the better. Unfortunately, a smaller value of $\Phi$ causes a larger rejection time ($\approx e^{1/\Phi}$); hence we must find a tradeoff. In our scheme, the chosen parameter $A$ (replaced by $\upsilon$) is smaller than in any other existing scheme, which makes our signature size the shortest.
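The filtering step of Lemma 1 can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the exact acceptance probability, measures the mean number of repetitions, and compares the mean of the first output coordinate with and without filtering. The dimension, bounds, seeds and the two constructed "secret-dependent" vectors are assumptions chosen for illustration.

```python
import math
import random


def accept_probability(m, A, B):
    """Exact Pr[||a - b||_inf <= B - A] for b uniform on [-B, B]^m.

    For every coordinate with |a_i| <= A, exactly 2(B - A) + 1 of the
    2B + 1 possible values of b_i are accepted, so the probability is the
    same for every a in S1 (it does not depend on the secret).
    """
    return ((2 * (B - A) + 1) / (2 * B + 1)) ** m


def sample(a, A, B, rng, filtered=True):
    """Return (z, tries) with z = a - b.

    With filtering, b is redrawn until ||z||_inf <= B - A (the signer's
    rejection loop); without it, the first z is returned unconditionally.
    """
    tries = 0
    while True:
        tries += 1
        z = [ai - rng.randint(-B, B) for ai in a]
        if not filtered or max(abs(zi) for zi in z) <= B - A:
            return z, tries


def run(a, A, phi, runs=20000, seed=1, filtered=True):
    """Mean of the first output coordinate and mean number of tries."""
    m = len(a)
    B = phi * m * A  # smallest B allowed by Lemma 1: B >= Phi * m * A
    rng = random.Random(seed)  # seeded PRNG for a reproducible experiment, not for keys
    z_sum = tries_sum = 0
    for _ in range(runs):
        z, tries = sample(a, A, B, rng, filtered)
        z_sum += z[0]
        tries_sum += tries
    return z_sum / runs, tries_sum / runs


if __name__ == "__main__":
    A, phi, m = 10, 4, 4                  # constructed toy parameters
    secret_hi = [A] * m                   # constructed worst-case vectors a
    secret_lo = [-A] * m
    p = accept_probability(m, A, phi * m * A)
    print(f"exact acceptance probability  : {p:.4f}")
    print(f"e^(-1/Phi)                    : {math.exp(-1 / phi):.4f}")
    print(f"expected repetitions 1/p      : {1 / p:.3f}")
    for name, a in (("a=+A", secret_hi), ("a=-A", secret_lo)):
        mean_f, tries_f = run(a, A, phi, filtered=True)
        mean_u, _ = run(a, A, phi, filtered=False)
        print(f"{name}: filtered mean z[0]={mean_f:+.2f} "
              f"(tries {tries_f:.3f}), unfiltered mean z[0]={mean_u:+.2f}")
```

Without the filter the mean of the output tracks the secret-dependent vector; with the filter both vectors produce the same centred uniform output, at the cost of roughly $e^{1/\Phi}$ repetitions.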

    3.3. Lattice Assumption. There are two important average-case problems in lattices, SIS and LWE, which can be reduced to the worst-case problems GapSVP and SIVP [21, 22]. The SIS problem is usually denoted $\ell_2\text{-SIS}_{q,n,m,\beta}$. Here we give its form over a ring, which is at least as hard as the worst-case problem $\mathrm{SVP}_\Gamma$ on ideal lattices (see [23]).

    Definition 2 (see [14]). Let $R$ be some ring and $K$ be some distribution over $R_q^{n \times m}$, where $R_q$ is the quotient ring $R/(qR)$. Given a random matrix $\mathbf{A} \in R_q^{n \times m}$ following the distribution $K$, find a nonzero vector $\mathbf{k} \in R_q^m$ such that $\mathbf{A}\mathbf{k} = \mathbf{0}$ and $\|\mathbf{k}\|_2 \le \beta$ ($0 < \beta \le q \cdot poly(n)$). This is denoted the $R\text{-SIS}^{K}_{q,n,m,\beta}$ problem.

    Compared with SIS, R-SIS is more compact and more efficient. To ensure the existence of a sufficiently short solution, the dimension $m$ in R-SIS is approximately $\log q$ instead of $n \log q$ as in the SIS problem. Furthermore, one can compute $\mathbf{A}\mathbf{k}$ in quasilinear time with the fast Fourier transform (FFT).

    Besides, R-SIS and its associated cryptographic functions can also be proved at least as hard as certain lattice problems in the worst case (on lattices called ideal lattices over the ring $R$). In [23], Peikert and Rosen showed that R-SIS is at least as hard as worst-case $\mathrm{SVP}_\Gamma$ ($\Gamma = O(\sqrt{\log n})$) on ideal lattices in $R$, where $R = \mathcal{O}_K$ is the ring of algebraic integers in any number field $K$. In particular, the fastest known (quantum) algorithms for solving the $\mathrm{SIS}_\Gamma$ problem on ideal lattices take exponential time $2^{\Omega(n)}$. Indeed, it currently seems that the additional algebraic structure of ideal lattices does not bring any advantage in solving this problem.

    3.4. An Equivalent Construction of Random Matrix A. Since our design involves many matrix multiplications, we need an equivalent square matrix so that these products are defined. Moreover, in [16], Lyubashevsky showed that if $m \ge 2n$, there are $n$ linearly independent columns in a random matrix $\mathbf{A} \in R_q^{n \times m}$ with probability $e^{-\Omega(n)}$, when $q$ is a prime of size bigger than $2m$.

    We introduced this idea in [24] in order to construct an efficient lattice-based SDVS scheme, so we only describe it briefly here.

    Lemma 3. If $\mathbf{A}_1 \in R_q^{n \times m}$, $m = 2n$, and $\mathbf{X}_1 \in R_q^{m \times m}$ satisfy $\mathbf{A}_1 \mathbf{X}_1 = \mathbf{0} \bmod q$, then we construct a new matrix

    $$\mathbf{A} = \begin{bmatrix} \mathbf{A}_1^{n \times m} \\ \mathbf{0}^{n \times m} \end{bmatrix} \in R_q^{m \times m}, \tag{1}$$

    and we have $\mathbf{A}\mathbf{X} = \mathbf{0} \bmod q$, where $\mathbf{X} = \mathbf{X}_1$.

    Proof. By block multiplication of the partitioned matrix, we can compute

    $$\mathbf{A}\mathbf{X} = \begin{bmatrix} \mathbf{A}_1^{n \times m} \mathbf{X}_1^{m \times m} \\ \mathbf{0}^{n \times m} \mathbf{X}_1^{m \times m} \end{bmatrix} = \mathbf{0} \bmod q. \tag{2}$$

    This lemma shows that such a square matrix has two advantages for our scheme:

    (i) It doesn’t change the security. Notice that the new square matrix $\mathbf{A}$ has the same solution as the common form $\mathbf{A}_1 \in R_q^{n \times m}$ based on the SIS assumption. Hence, they have equivalent security.

    (ii) It doesn’t change the efficiency. Although the dimension of the matrix is increased, filling the original matrix with a zero block doesn’t cause extra computation.

    3.5. Definitions of ID-Based SDVS. An ID-based SDVS scheme consists of five polynomial-time algorithms (Setup, Extract, Sign, Verf, and Sim) between two participants, Alice (signer) and Bob (designated verifier). Every participant has his identity $ID_A$ ($ID_B$). Generally, there is a private key generator (PKG) that provides a secret key $S_{ID_A}$ ($S_{ID_B}$) for each participant via an extract algorithm. The algorithms are described in detail as follows.

    Definition 4. Given a security parameter $\lambda = poly(n)$, an ID-based SDVS is defined by the following algorithms:

    (1) Setup: It is a probabilistic algorithm that takes the security parameter $\lambda$ as input and outputs system parameters ($sp$) and a master key ($mk$). That is,

    $$(sp, mk) \leftarrow \text{Setup}(\lambda). \tag{3}$$

    (2) Extract: It is a deterministic (probabilistic) algorithm that takes $sp$, $mk$, and a participant’s identity $ID_i \in \{0, 1\}^*$ as input and outputs the corresponding secret key $S_{ID_i}$. The identity $ID_i$ is often regarded as the participant’s public key, and $ID_A$ ($ID_B$) belongs to Alice (Bob) in two-party schemes. Specifically,

    $$S_{ID_i} \leftarrow \text{Extract}(sp, mk, ID_i). \tag{4}$$

    (3) Sign: It is a deterministic (probabilistic) algorithm that takes the signer’s secret key $S_{ID_A}$, the designated verifier’s public key $ID_B$, and a message $\mu$ as input. It outputs a signature $\sigma$.

    $$\sigma \leftarrow \text{Sign}(S_{ID_A}, ID_B, \mu). \tag{5}$$

    (4) Verf: It is a deterministic algorithm that takes as input the message $\mu$, the corresponding signature $\sigma$ received from the signer Alice, $S_{ID_B}$, and $ID_A$. The designated verifier Bob verifies whether the following equation is correct or not:

    $$(True, \perp) \leftarrow \text{Verf}(S_{ID_B}, ID_A, \mu, \sigma). \tag{6}$$

    (5) Sim: It is a probabilistic algorithm that takes a quadruple $(S_{ID_B}, ID_A, ID_B, \mu)$ as input. Anyone can generate a signature that is indistinguishable from those generated by the triple $(S_{ID_A}, ID_B, \mu)$.

    Security Model

    (1) Correctness: For all valid $\text{Sign}(S_{ID_A}, ID_B, \mu)$, the designated verifier always gets the following result:

    $$\text{Verf}(S_{ID_B}, ID_A, \mu, \text{Sign}(S_{ID_A}, ID_B, \mu)) = True. \tag{7}$$

    (2) Unforgeability: We define existential unforgeability against adaptive chosen message attack (EUF-CMA) through a game between a PPT adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. We denote by $ID_i$ and $ID_j$ the signer and designated verifier identities, respectively.

        (i) Setup. The challenger $\mathcal{C}$ runs the following algorithm to generate $sp$ and $mk$.

        $$(sp, mk) \leftarrow \text{Setup}(\lambda). \tag{8}$$

        (ii) Extraction queries. The adversary $\mathcal{A}$ can query the secret key of the signer with $ID_i$. Then $\mathcal{C}$ runs $\text{Extract}(sp, mk, ID_i)$ to answer him. That is, $\mathcal{A}$ can get $S_{ID_i}$.

        (iii) Sign queries. When $\mathcal{A}$ obtains $S_{ID_i}$, he queries a signature $\sigma$ with message $\mu$ and designated verifier $ID_j$. Then $\mathcal{C}$ answers him with a correct signature computed by the algorithm $\text{Sign}(S_{ID_i}, ID_j, \mu)$.

        (iv) Output. At the end of this game, the adversary $\mathcal{A}$ is able to generate a new signature $\sigma^*$ with message $\mu^*$, $ID_{i^*}$ and $ID_{j^*}$ satisfying the following necessary conditions:

            (1) $ID_{i^*}$ and $ID_{j^*}$ have never been requested in the Extraction queries step.
            (2) Message $\mu^*$ related to $ID_{i^*}$ and $ID_{j^*}$ has never been requested in the Sign queries step.
            (3) The signature $\sigma^*$ with message $\mu^*$, $ID_{i^*}$ and $ID_{j^*}$ is valid.

        We now give a formal security description of EUF-CMA. We say the ID-based SDVS scheme is $(t, \epsilon)$ EUF-CMA secure if the following probability is negligible for any PPT adversary $\mathcal{A}$ that runs the above game in time $t$:

        $$\Pr[\text{Verf}(ID_{i^*}, ID_{j^*}, \mu^*, \sigma^*) = True] \le \epsilon, \tag{9}$$

        where $\epsilon > 0$ is a negligible function of the security parameter $\lambda$.

    (3) Untransferability: This property simply means that no PPT adversary $\mathcal{A}$ can distinguish a real signature from a simulated one in the following game between $\mathcal{A}$ and the challenger $\mathcal{C}$.

        (i) Setup. The challenger $\mathcal{C}$ runs the algorithm $\text{Setup}(\lambda)$ to generate $sp$ and $mk$.

        (ii) Sign and Verf queries. The PPT adversary $\mathcal{A}$ makes Sign and Verf queries adaptively for chosen messages $\mu_i$. The challenger $\mathcal{C}$ answers him by running the algorithms $\text{Sign}(S_{ID_A}, ID_B, \mu_i)$ and $\text{Verf}(S_{ID_B}, ID_A, \mu_i, \sigma_i)$. Notice that the identities of the two participants are fixed and the index $i$ runs from 1 to $q_s = poly(n)$ in this step.

        (iii) Challenge. After $q_s$ signing and verifying queries, $\mathcal{A}$ chooses a new message $\mu^*$ to query $\mathcal{C}$. $\mathcal{C}$ tosses a coin randomly and chooses $b \xleftarrow{\$} \{0, 1\}$. When $b = 0$, he runs $\sigma^* \leftarrow \text{Sign}(S_{ID_A}, ID_B, \mu^*)$ correctly; otherwise he runs $\sigma^* \leftarrow \text{Sim}(S_{ID_B}, ID_A, ID_B, \mu^*)$ to answer the adversary’s request.

        (iv) Output. At the end of this game, the adversary $\mathcal{A}$ outputs $b' \in \{0, 1\}$. If $b' = b$ holds, the adversary succeeds in the game.

        Formally, if any PPT adversary makes a correct guess after $q_s$ queries in time $t$ with only negligible probability, then we say this ID-based SDVS is $(t, q_s)$ untransferable. That is,

        $$\Pr[b' = b] - \frac{1}{2} < \epsilon. \tag{10}$$

    (4) Anonymity: More precisely, no adversary can distinguish the real signer’s identity from the given $ID_{A_0}$ and $ID_{A_1}$ for a designated verifier’s identity $ID_B$. It is in fact similar to the witness indistinguishability property. The game is described in detail as follows.

        (i) Setup. The challenger $\mathcal{C}$ runs the algorithm $\text{Setup}(\lambda)$ to generate $sp$ and $mk$.

        (ii) Extraction queries. The adversary $\mathcal{A}$ can query the secret key of the signer with $ID_i$. Then $\mathcal{C}$ runs $\text{Extract}(sp, mk, ID_i)$ to answer him.

        (iii) Sign and Verf queries. $\mathcal{A}$ queries the signature with message $\mu$ for the signer $ID_i$ and designated verifier $ID_j$. Then $\mathcal{C}$ outputs a signature $\sigma$ and returns $True$ or $\perp$ if $\mathcal{A}$ inputs $(\mu, \sigma)$.

        (iv) Challenge. The adversary $\mathcal{A}$ outputs a message $\mu^*$ with the signer’s possible identities $ID_{A_0}$, $ID_{A_1}$ and the designated verifier’s identity $ID_B$ to the challenger $\mathcal{C}$, satisfying the following necessary conditions:

            (1) $ID_{A_0}$, $ID_{A_1}$, and $ID_B$ have never been requested in the Extraction queries step.
            (2) Message $\mu^*$ (or pair $(\mu^*, \sigma^*)$) has never been requested in the Sign and Verf queries step with $ID_{A_0}$, $ID_{A_1}$, and $ID_B$.

        After receiving $\mu^*$, $\mathcal{C}$ tosses a coin randomly, chooses $b \xleftarrow{\$} \{0, 1\}$, and computes $\text{Sign}(S_{ID_{A_b}}, ID_B, \mu^*)$, which is returned to $\mathcal{A}$.

        (v) Output. At the end of this game, the adversary $\mathcal{A}$ outputs $b' \in \{0, 1\}$. If $b' = b$ holds, the adversary succeeds in the game.

        Hence, if any PPT adversary makes a correct guess after $q_s$ queries in time $t$ with only negligible probability, then we say this ID-based SDVS satisfies $(t, q_s)$ privacy of signer’s identity. That is,

        $$\Pr[b' = b] - \frac{1}{2} < \epsilon. \tag{11}$$

    4. Our ID-Based SDVS Scheme

    In this part, we provide our detailed construction, which gives an efficient ID-based SDVS scheme under the R-SIS assumption. Throughout, we assume Alice is the signer and Bob is the designated verifier.

    4.1. Setup. Let $n$ be the rank of the lattice. The PKG chooses $\mathbf{A} \xleftarrow{\$} R_q^{m \times m}$. There is a low-norm solution $\mathbf{X} \in R_q^{m \times m}$ of the R-SIS problem such that $\mathbf{A}\mathbf{X} = \mathbf{0} \bmod q$. $\mathbf{X}$ is the master key $mk$.

    4.2. Extract. Let $H : \{0, 1\}^* \to R_q^{m \times m}$ be a mapping generated by using AES128-ECB [19, 20], and let $h : \{0, 1\}^* \to \{\mathbf{r} : \mathbf{r} \in \{-1, 0, 1\}^m, \|\mathbf{r}\|_1 \le \iota\}$ be a hash function. In addition, we denote by $ID_A$ ($ID_B$) Alice’s (Bob’s) identity. The PKG computes $H(ID_i) = \mathbf{H}_i$ ($i = A, B$), which is regarded as the participant’s public key. Since $\mathbf{H}_i \in R_q^{m \times m}$ and $\mathbf{X} \in R_q^{m \times m}$, the PKG can generate the secret keys by computing $\mathbf{X} \cdot \mathbf{H}_A = \mathbf{S}_A \bmod q$ and $\mathbf{H}_B \cdot \mathbf{X} = \mathbf{S}_B \bmod q$. In short,

    $$\mathbf{S}_i \leftarrow \text{Extract}(n, H, \mathbf{X}, ID_i) \quad (i = A, B). \tag{12}$$

    4.3. Sign. Alice executes the following steps to sign a message $\mu$.

    (1) $\mathbf{t} \xleftarrow{\$} D_\gamma$ ($\gamma < q$)
    (2) if $\mathbf{t}$ is not invertible, then go to step (1).
    (3) $\mathbf{k} \xleftarrow{\$} D_\gamma$
    (4) $\mathbf{c} = \mathbf{H}_B \cdot \mathbf{k} \bmod q$
    (5) $\mathbf{r} = h(\mathbf{c}, \mu)$
    (6) $\mathbf{z} = \mathbf{S}_A \cdot \mathbf{r} + \mathbf{k} \cdot \mathbf{t}^{-1}$
    (7) if $\|\mathbf{z}\|_\infty \ge \gamma - \upsilon$ or $\|\mathbf{S}_A \cdot \mathbf{r}\|_\infty \ge \upsilon$, then go to step (3).
    (8) output signature $(\mathbf{r}, \mathbf{z}, \mathbf{t})$ of message $\mu$.

    Notice that there are two loop conditions, in step (1) and step (7). Thus, it is necessary to evaluate their efficiency.

    (i) About step (1). In [25], Hoffstein et al. proposed a method to search for an invertible polynomial $\mathbf{t}$ within 48.9 ms. Their instance is that $\mathbf{t}$ satisfies $\|\mathbf{t}\|_1 \le 40$ in a trinary polynomial set $T(206, 205)$, where 206 and 205 are the numbers of positive and negative coefficients, respectively. Since such an invertible $\mathbf{t}$ is contained in the set $D_\gamma$, we can also find it in 48.9 ms.

    (ii) About step (7). This step is the key to computing the repetition using the filtering technique (see [13]). In order to use that result, we require that the inequality $m\Phi\upsilon \le \gamma$ be satisfied. Hence the repetition is approximately $e^{1/\Phi}$. Obviously, $e^{1/\Phi}$ is a monotonically decreasing function of the variable $\Phi \in \mathbb{N}^+$, so a bigger value of $\Phi$ seemingly is better. However, two of the components of the signature are $\mathbf{z}$ and $\mathbf{t}$, and their size is $m \log(\gamma - \upsilon) + m \log \gamma$, which is positively correlated with the parameter $\Phi$. Hence, choosing a bigger $\Phi$ is not wise. We get the optimal solution $\Phi = 4$ by observing the following expression,

    $$\Phi = \min_{0.75 \le e^{-1/\Phi} \le 1} \Phi, \tag{13}$$

    where $0.75 \le \Pr[\|\mathbf{z}\|_\infty \le \gamma - \upsilon] = e^{-1/\Phi} \le 1$. Furthermore, the repetition is $e^{1/\Phi} \approx 1.28$.

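    4.4. Verf. When receiving the signature $\sigma = (\mathbf{r}, \mathbf{z}, \mathbf{t})$ from the signer Alice, Bob verifies whether the following conditions hold:

    (1) $h(\mathbf{c}, \mu) = h(\mathbf{H}_B \mathbf{z} \mathbf{t} - \mathbf{S}_B \mathbf{H}_A \mathbf{r} \mathbf{t} \bmod q, \mu)$
    (2) $\|\mathbf{z}\|_\infty \le \gamma - \upsilon$

    4.5. Sim. If one gets a quadruple $(\mathbf{S}_B, ID_A, ID_B, \mu)$, he chooses two random elements $\mathbf{z}$ ($\|\mathbf{z}\|_\infty \ge \gamma - \upsilon$) and $\mathbf{r}$ to compute $\mathbf{z}\mathbf{t}^{-1} = \mathbf{z}$ and $\mathbf{r}\mathbf{t}^{-1} = \mathbf{z}$. Hence, he can also compute the following equation,

    $$\mathbf{H}_B \mathbf{z} \mathbf{t} - \mathbf{S}_B \mathbf{H}_A \mathbf{r} \mathbf{t} = \mathbf{c} = \mathbf{H}_B \mathbf{z} - \mathbf{S}_B \mathbf{H}_A \mathbf{r}, \tag{14}$$

    which is an indistinguishable signature with Alice’s.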
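The algebra that lets Bob recompute $\mathbf{c}$ from $(\mathbf{r}, \mathbf{z}, \mathbf{t})$ with his secret key can be exercised end to end in a toy setting. This Python sketch is an added example, not the authors' implementation, and it illustrates correctness only, not security. Assumptions: $n = 1$ so that $R_q$ is just $\mathbb{Z}_q$, SHAKE-256 and SHA-256 stand in for $H$ and $h$, a random small $\mathbf{X}$ replaces an R-SIS solution, Verf is read as comparing $\mathbf{r}$ with the recomputed hash, and the norm checks of Sign step (7) and Verf condition (2) are omitted.

```python
import hashlib
import random

Q = 12289      # toy prime modulus (constructed)
M = 16         # toy dimension m (constructed)
IOTA = 8       # number of nonzero entries in r (constructed)
GAMMA = 1000   # bound for k and t (constructed)


def mat_vec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def mat_mul(A, B):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in cols] for row in A]


def H(identity):
    """Stand-in for H: {0,1}* -> Z_q^{m x m} (SHAKE-256 here, not AES128-ECB)."""
    raw = hashlib.shake_256(identity.encode()).digest(2 * M * M)
    vals = [int.from_bytes(raw[i:i + 2], "big") % Q for i in range(0, len(raw), 2)]
    return [vals[i * M:(i + 1) * M] for i in range(M)]


def h(c, mu):
    """Stand-in for h: (c, mu) -> r in {-1,0,1}^m with exactly IOTA nonzero entries."""
    seed = hashlib.sha256(repr(c).encode() + b"|" + mu).digest()
    rng = random.Random(seed)          # used only to expand the digest deterministically
    r = [0] * M
    for pos in rng.sample(range(M), IOTA):
        r[pos] = rng.choice((-1, 1))
    return r


def extract(X, id_a, id_b):
    """PKG side: S_A = X * H_A and S_B = H_B * X (mod q)."""
    return mat_mul(X, H(id_a)), mat_mul(H(id_b), X)


def sign(S_A, id_b, mu, rng):
    """Steps (1)-(6) and (8) of Sign; the rejection test of step (7) is omitted."""
    t = rng.randint(1, GAMMA)                        # nonzero, so invertible mod prime Q
    k = [rng.randint(-GAMMA, GAMMA) for _ in range(M)]
    c = mat_vec(H(id_b), k)                          # c = H_B * k
    r = h(c, mu)
    t_inv = pow(t, -1, Q)
    z = [(s + ki * t_inv) % Q for s, ki in zip(mat_vec(S_A, r), k)]
    return r, z, t


def verify(S_B, id_a, id_b, mu, sig):
    """Recompute c = (H_B z - S_B H_A r) t mod q and compare h(c, mu) with r."""
    r, z, t = sig
    left = mat_vec(H(id_b), z)
    right = mat_vec(S_B, mat_vec(H(id_a), r))
    c = [((l - rr) * t) % Q for l, rr in zip(left, right)]
    return h(c, mu) == r


def demo(seed=7):
    rng = random.Random(seed)                        # reproducible toy run, not for real keys
    X = [[rng.randint(-1, 1) for _ in range(M)] for _ in range(M)]   # toy master key
    S_A, S_B = extract(X, "alice", "bob")
    sig = sign(S_A, "bob", b"constructed message", rng)
    other_key = [[rng.randrange(Q) for _ in range(M)] for _ in range(M)]
    return {
        "keys_consistent": mat_mul(H("bob"), S_A) == mat_mul(S_B, H("alice")),
        "bob_accepts": verify(S_B, "alice", "bob", b"constructed message", sig),
        "wrong_key_accepts": verify(other_key, "alice", "bob", b"constructed message", sig),
        "wrong_message_accepts": verify(S_B, "alice", "bob", b"another message", sig),
        "wrong_signer_accepts": verify(S_B, "cindy", "bob", b"constructed message", sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```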

    5. Security

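    In this part, we show that our scheme satisfies three properties, namely unforgeability, untransferability, and anonymity (privacy of signer’s identity), according to the security model in Section 2.

    5.1. Correctness. After receiving the signature $(\mathbf{r}, \mathbf{z}, \mathbf{t})$ of message $\mu$, the designated verifier checks the condition $\|\mathbf{z}\|_\infty \le \gamma - \upsilon$ and computes the value of the hash function as follows.

    $$\begin{aligned}
    h(\mathbf{c}, \mu) &= h(\mathbf{H}_B (\mathbf{z} - \mathbf{S}_A \mathbf{r}) \mathbf{t} \bmod q, \mu) \\
    &= h(\mathbf{H}_B \mathbf{z} \mathbf{t} - \mathbf{H}_B \mathbf{S}_A \mathbf{r} \mathbf{t} \bmod q, \mu) \\
    &= h(\mathbf{H}_B \mathbf{z} \mathbf{t} - \mathbf{H}_B \mathbf{X} \mathbf{H}_A \mathbf{r} \mathbf{t} \bmod q, \mu) \\
    &= h(\mathbf{H}_B \mathbf{z} \mathbf{t} - \mathbf{S}_B \mathbf{H}_A \mathbf{r} \mathbf{t} \bmod q, \mu).
    \end{aligned} \tag{15}$$

    Then the following equation holds.

    $$\text{Verf}(\mathbf{S}_B, ID_A, \mu, \text{Sign}(\mathbf{S}_A, ID_B, \mu)) = True. \tag{16}$$

    5.2. Unforgeability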

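    Theorem 5. If there is a PPT adversary $\mathcal{A}$ that is able to succeed in the $(t, \epsilon)$ EUF-CMA game, then he can solve the SIS problem over $R_q^{m \times m}$.

    Proof. Suppose the EUF-CMA game proceeds as required between $\mathcal{A}$ and the challenger $\mathcal{C}$. When $\mathcal{A}$ finishes Extraction and Sign queries in time $t$, he outputs a new signature $(\sigma^* = (\mathbf{r}^*, \mathbf{z}^*, \mathbf{t}^*), \mu^*)$ with two new identities $ID_{i^*}$ and $ID_{j^*}$ satisfying the following conditions:

    (1) $ID_{i^*}$ and $ID_{j^*}$ have never been requested in the Extraction queries step.

    (2) Message $\mu^*$ related to $ID_{i^*}$ and $ID_{j^*}$ has never been requested in the Sign queries step.

    (3) The signature $\sigma^*$ with message $\mu^*$, $ID_{i^*}$, and $ID_{j^*}$ is valid.

    If $\text{Verf}(\text{Sign}(ID_{i^*}, ID_{j^*}, \mu^*)) = True$ holds, then $\mathcal{A}$ can compute

    $$\mathbf{H}_{j^*} (\mathbf{z}^* - \mathbf{S}_{i^*} \mathbf{r}^*) \mathbf{t}^* (\mathbf{t}^*)^{-1} - \mathbf{H}_{j^*} \mathbf{z}^* = \mathbf{H}_{j^*} \mathbf{z}^* - \mathbf{H}_{j^*} \mathbf{S}_{i^*} \mathbf{r}^* - \mathbf{H}_{j^*} \mathbf{z}^* = -\mathbf{H}_{j^*} \mathbf{S}_{i^*} \mathbf{r}^* \bmod q. \tag{17}$$

    In addition, the inequality $\|\mathbf{z}^*\|_\infty \le \gamma - \upsilon$ holds, which means $\|\mathbf{S}_{i^*} \mathbf{r}^*\|_\infty \le \upsilon$ is satisfied. We can easily see that the adversary gets a solution of the SIS problem for a random element $\mathbf{H}_{j^*} \in R_q^{m \times m}$.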

    5.3. Untransferability

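    Theorem 6. Our ID-based SDVS is $(t, q_s)$ untransferable.

    Proof. The adversary $\mathcal{A}$ and the challenger $\mathcal{C}$ play the untransferability game as required. After $q_s$ signing and verifying queries, $\mathcal{A}$ chooses a new message $\mu^*$ to query $\mathcal{C}$. $\mathcal{C}$ chooses $b \xleftarrow{\$} \{0, 1\}$, and if $b = 0$, $\mathcal{C}$ computes $\sigma^* \leftarrow \text{Sign}(\mathbf{S}_A, ID_B, \mu^*)$ to answer $\mathcal{A}$. That is,

    $$\begin{aligned}
    &\mathbf{t}^*, \mathbf{k}^* \xleftarrow{\$} D_\gamma, \\
    &\mathbf{r}^* = h(\mathbf{H}_B \cdot \mathbf{k}^* \bmod q, \mu^*), \\
    &\mathbf{z}^* = \mathbf{S}_A \cdot \mathbf{r}^* + \mathbf{k}^* \cdot (\mathbf{t}^*)^{-1},
    \end{aligned} \tag{18}$$

    and outputs the signature $(\mathbf{r}^*, \mathbf{z}^*, \mathbf{t}^*)$ of message $\mu^*$.

    Otherwise, $\mathcal{C}$ runs $\sigma^* \leftarrow \text{Sim}(\mathbf{S}_B, ID_A, ID_B, \mu^*)$ to answer the adversary’s request. That is,

    $$\begin{aligned}
    &\mathbf{z}, \mathbf{r} \xleftarrow{\$} D_\gamma, \\
    &\mathbf{r}^* = h((\mathbf{H}_B \mathbf{z} - \mathbf{S}_B \mathbf{H}_A \mathbf{r}) \bmod q, \mu^*), \\
    &\mathbf{z}^* = \mathbf{z} (\mathbf{t}^*)^{-1}, \\
    &\mathbf{t}^* = \mathbf{r} (\mathbf{r}^*)^{-1},
    \end{aligned} \tag{19}$$

    and outputs the signature $(\mathbf{r}^*, \mathbf{z}^*, \mathbf{t}^*)$ of message $\mu^*$. Now we compute the probabilities of the distributions of the above two signatures $\sigma^*$.

    $$\begin{aligned}
    \Pr[(\mathbf{r}^*, \mathbf{z}^*, \mathbf{t}^*) \mid b = 0] &= \Pr[\mathbf{t}^*, \mathbf{k}^* \ne 0 \mid \mathbf{t}^*, \mathbf{k}^* \xleftarrow{\$} D_\gamma] = \frac{1}{\gamma^m (\gamma^m - 1)}, \\
    \Pr[(\mathbf{r}^*, \mathbf{z}^*, \mathbf{t}^*) \mid b = 1] &= \Pr[\mathbf{z}, \mathbf{r} \ne 0 \mid \mathbf{z}, \mathbf{r} \xleftarrow{\$} D_\gamma] = \frac{1}{\gamma^m (\gamma^m - 1)}.
    \end{aligned} \tag{20}$$

    Hence, the advantage of $\mathcal{A}$ in guessing $b' = b$ is negligible, and we obtain

    $$\Pr[b' = b] - \frac{1}{2} < \epsilon. \tag{21}$$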

    5.4. Anonymity

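    Theorem 7. If the PPT adversary $\mathcal{A}$ can distinguish the signer’s identity from the given $ID_{A_0}$ and $ID_{A_1}$ for a designated verifier’s identity $ID_B$, then he can distinguish the different solutions of the SIS problem over $R_q^{m \times m}$.

    Proof. Here, we also suppose that $\mathcal{A}$ and $\mathcal{C}$ interact with each other as defined in the security model. After the Extraction, Sign, and Verf queries are finished, the adversary $\mathcal{A}$ outputs a message $\mu^*$ with the signer’s possible identities $ID_{A_0}$, $ID_{A_1}$ and the designated verifier’s identity $ID_B$ to the challenger $\mathcal{C}$, where these elements have not been queried.

    After receiving $\mu^*$, $\mathcal{C}$ tosses a coin randomly, chooses $b \xleftarrow{\$} \{0, 1\}$, and computes $\text{Sign}(S_{ID_{A_b}}, ID_B, \mu^*)$, which is returned to $\mathcal{A}$. If $\mathcal{A}$ can guess $b$ correctly, this means he can compute the probability as follows.

    $$\begin{aligned}
    \Pr[b' = b] &= \Pr[D(\mathbf{H}_B \mathbf{z}^* \mathbf{t}^* - \mathbf{S}_B \mathbf{H}_{A_0} \mathbf{r}^* \mathbf{t}^*)] - \Pr[D(\mathbf{H}_B \mathbf{z}^* \mathbf{t}^* - \mathbf{S}_B \mathbf{H}_{A_1} \mathbf{r}^* \mathbf{t}^*)] \\
    &= \Pr[D(\mathbf{S}_B \mathbf{H}_{A_0} \mathbf{r}^* \mathbf{t}^*)] - \Pr[D(\mathbf{S}_B \mathbf{H}_{A_1} \mathbf{r}^* \mathbf{t}^*)] \\
    &= \Pr[D(\mathbf{H}_B \mathbf{X} \mathbf{H}_{A_0} \mathbf{r}^* \mathbf{t}^*)] - \Pr[D(\mathbf{H}_B \mathbf{X} \mathbf{H}_{A_1} \mathbf{r}^* \mathbf{t}^*)] \\
    &= \Pr[D(\mathbf{H}_B \mathbf{S}_{A_0} \mathbf{r}^* \mathbf{t}^*)] - \Pr[D(\mathbf{H}_B \mathbf{S}_{A_1} \mathbf{r}^* \mathbf{t}^*)] \\
    &= \Pr[D(\mathbf{H}_B \mathbf{S}_{A_0} \mathbf{r}^*)] - \Pr[D(\mathbf{H}_B \mathbf{S}_{A_1} \mathbf{r}^*)].
    \end{aligned} \tag{22}$$

    We consider $\mathbf{S}_{A_0} \mathbf{r}^*$ and $\mathbf{S}_{A_1} \mathbf{r}^*$ as different solutions of the SIS problem with $\mathbf{H}_B \in R_q^{m \times m}$. Since the result of the final equation is negligible, $\Pr[b' = b] \le \epsilon$ holds.

    6. Parameters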

    Besides $m$, $n$, and $q$, there are several main parameters for evaluating the efficiency of our signature, namely $\iota$, $\Phi$, $\upsilon$, and $\gamma$. We describe them one by one.

    (i) Parameter $\iota$. Generally, if one wants a signature with $\lambda$-bit security, one assumes that the output of the hash function is also $\lambda$ bits (see [15, 16]). So the parameter $\iota$ satisfies the condition $2^\iota \cdot C_m^\iota \ge 2^{256}$.

    (ii) Parameter $\Phi$. It is chosen according to the actual situation. Firstly, it must make the value of $e^{-1/\Phi}$ lie in the range $[0.75, 1]$. In this case, the chosen value satisfying $e^{-1/\Phi} = 1$ ($\approx 1$) is the best one. Secondly, it can’t enlarge the signature size $m + m \log(\gamma - \upsilon) + m \log \gamma$. To sum up, we have the final equation,

    $$\Phi = \min_{0.75 \le e^{-1/\Phi} \le 1} \Phi. \tag{23}$$

    (iii) Parameters $\upsilon$ and $\gamma$. In order to use the result of [13], we get the condition $m\Phi\upsilon \le \gamma$ directly. In addition, since choosing a bigger $\gamma$ means that we get a larger signature, we let $\gamma$ equal $m\Phi\upsilon$. Besides, according to the definition of $D_\gamma$, we can easily see $\gamma < q$. So $\gamma = m\Phi\upsilon < q$ holds.

    Table 1: Parameters of our ID-based SDVS over R-SIS.

    | Parameters     | Relationship                             |
    |----------------|------------------------------------------|
    | $n$            | rank of lattice                          |
    | $q$            | a prime number                           |
    | $m$            | $2n$                                     |
    | $\gamma$       | $< q$                                    |
    | $\upsilon$     | $\gamma/4m$                              |
    | $\iota$        | $2^\iota \cdot C_m^\iota \ge 2^{256}$    |
    | $\Phi$         | 4                                        |
    | Signature size | $2m \log q + m$                          |
    | Repetition     | $e^{1/\Phi} \approx 1.28$                |

    Comparison of Signature Size. Here we compare our signature size with that of [9]; our result is better than theirs ($3m \log q$). Furthermore, the signature size of our design is the shortest among existing ID-based SDVS schemes over ideal lattices. The detailed parameters can be seen in Table 1. Based on the above discussion of the parameters, the final size of our signature is as follows:

    $$\begin{aligned}
    m \log 2 + m \log(\gamma - \upsilon) + m \log \gamma &= m + m \log\left(\gamma - \frac{\gamma}{4m}\right) + m \log \gamma \\
    &\le m + m \log\left(q - \frac{q}{4m}\right) + m \log q \\
    &\le m + m \log q + m \log q \le 3m \log q.
    \end{aligned} \tag{24}$$

    7. Conclusion and Further Work

    Conclusion. In this paper, we provide an ID-based SDVS scheme over ideal lattices. Our scheme has the shortest signature size, $2m \log q + m$, and satisfies the three properties of unforgeability, untransferability, and anonymity, proved in the random oracle. Moreover, we use uniform sampling to resist side-channel attacks in our design, and a repetition of approximately 1 means our scheme has relatively high efficiency.

    Further Work. We consider the quantum random oracle. As far as we know, among existing lattice-based signature schemes, only TESLA [26] has been proved secure in the quantum random oracle. Hence, our further work is to use their method to give a proper proof in the quantum random oracle for our scheme.

    Data Availability

    The data used to support the findings of this study are available from the corresponding author upon request.

    Conflicts of Interest

    The authors declare that they have no conflicts of interest.

    Acknowledgments

    This work was supported in part by the National Natural Science Foundation of China [grant numbers 61572294, 61602287, 11531008, and 11771252]; the State Key Program of National Natural Science of China [grant number 61632020]; the Natural Science Foundation of Shandong Province [grant number ZR2017MF021]; the Major Innovation Project of Science and Technology, Shandong [grant number 2018CXGC0702]; the Fundamental Research Funds of Shandong University [grant number 2017JC019]; the Primary Research & Development Plan of Shandong Province [grant number 2018GGX101037]; the National Innovation Demonstration Zone Development and Construction Fund Project of Shandong Peninsula [grant number S190101010001]; the Innovative Research Team in University by Ministry of Education [grant number IRT16R43]; and Taishan Scholars Project.

    References

    [1] M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques - Advances in Cryptology - EUROCRYPT ’96, vol. 1070, pp. 143–154, Saragossa, Spain, May 1996.

    [2] S. Saeednia, S. Kremer, and O. Markowitch, “An efficient strong designated verifier signature scheme,” in Proceedings of the 6th International Conference, Information Security and Cryptology - ICISC ’03, vol. 2971, pp. 40–54, Seoul, Korea, November 2003.

    [3] F. Laguillaumie and D. Vergnaud, “Designated verifier signatures: anonymity and efficient construction from any bilinear map,” in Proceedings of the 4th International Conference of Security in Communication Networks, SCN ’04, Revised Selected Papers, pp. 105–119, Amalfi, Italy, September 2004.

    [4] W. Susilo, F. Zhang, and Y. Mu, “Identity-based strong designated verifier signature schemes,” in Proceedings of the 9th Australasian Conference, Information Security and Privacy, ACISP ’04, pp. 313–324, Sydney, Australia, July 2004.

    [5] X. Huang, W. Susilo, Y. Mu, and F. Zhang, “Short (identity-based) strong designated verifier signature schemes,” in Proceedings of the 2nd International Conference of Information Security Practice and Experience, ISPEC ’06, pp. 214–225, Hangzhou, China, April 2006.

    [6] O. Blazy, E. Conchon, P. Germouty, and A. Jambert, “Efficient id-based designated verifier signature,” in 12th International Conference on Availability, Reliability and Security, pp. 44:1–44:8, Reggio Calabria, Italy, August 2017.

    [7] G. Noh, J. Y. Chun, and I. R. Jeong, “Identity-based strong designated verifier signature scheme from lattices,” Journal of the Korea Institute of Information Security and Cryptology, vol. 23, no. 1, pp. 45–56, 2013.

    [8] F. Wang, Y. Hu, and B. Wang, “Lattice-based strong designate verifier signature and its applications,” Malaysian Journal of Computer Science, vol. 25, no. 1, pp. 11–22, 2012.

    [9] F. H. Wang, H. U. Yu-Pu, and C. X. Wang, “Identity-based strong designate verifier signature over lattices,” Journal of China Universities of Posts and Telecommunications, vol. 21, no. 6, pp. 52–60, 2014.

    [10] L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, “Flush, gauss, and reload – a cache attack on the bliss lattice-based signature scheme,” in Proceedings of the Cryptographic Hardware and Embedded Systems – CHES ’16, B. Gierlichs and A. Y. Poschmann, Eds., pp. 323–345, Springer, Berlin, Germany, 2016.

    [11] P. Pessl, “Analyzing the shuffling side-channel countermeasure for lattice-based signatures,” in Proceedings of the Progress in Cryptology – INDOCRYPT ’16, O. Dunkelman and S. K. Sanadhya, Eds., pp. 153–170, Springer International Publishing, Cham, Switzerland, 2016.

    [12] D. Micciancio and M. Walter, “Gaussian sampling over the integers: efficient, generic, constant-time,” in Proceedings of the 37th Annual International Cryptology Conference - Advances in Cryptology - CRYPTO ’17, vol. 10402, pp. 455–485, California, Calif, USA, August 2017.

    [13] M. Rückert, “Lattice-based blind signatures,” in Proceedings of the 16th International Conference on the Theory and Application of Cryptology and Information Security - Advances in Cryptology - ASIACRYPT ’10, vol. 6477 of Lecture Notes in Computer Science, pp. 413–430, Singapore, December 2010.

    [14] L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice signatures and bimodal gaussians,” in Proceedings of the 33rd Annual Cryptology Conference - Advances in Cryptology - CRYPTO ’13, Proceedings, Part I, pp. 40–56, California, Calif, USA, August 2013.

    [15] L. Ducas, T. Lepoint, V. Lyubashevsky et al., “CRYSTALS - dilithium: digital signatures from module lattices,” IACR Cryptology ePrint Archive, 633, 2017, http://eprint.iacr.org/2017/633.

    [16] V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques - Advances in Cryptology - EUROCRYPT ’12, pp. 738–755, Cambridge, UK, April 2012.

    [17] V. Lyubashevsky, “Lattice-based identification schemes secure under active attacks,” in Proceedings of the 11th International Workshop on Practice and Theory in Public-Key Cryptography - Public Key Cryptography - PKC ’08, vol. 4939, pp. 162–179, Barcelona, Spain, March 2008.

    [18] V. Lyubashevsky, “Fiat-shamir with aborts: applications to lattice and factoring-based signatures,” in Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security - Advances in Cryptology - ASIACRYPT ’09, vol. 5912, pp. 598–616, Tokyo, Japan, December 2009.

    [19] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Post-quantum key exchange - a new hope,” in Proceedings of the 25th USENIX Security Symposium, USENIX Security ’16, pp. 327–343, Texas, Tex, USA, August 2016, https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim.

    [20] J. W. Bos, C. Costello, L. Ducas et al., “Take off the ring! practical, quantum-secure key exchange from LWE,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018, Vienna, Austria, October 2016.

    [21] “Advances in Cryptology - CRYPTO 2013,” in Proceedings of the 33rd Annual Cryptology Conference, R. Canetti and J. A. Garay, Eds., vol. 8042 of Proceedings, Part I, Lecture Notes in Computer Science, Springer, California, Calif, USA, August 2013.

    [22] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC ’05), pp. 84–93, ACM, Maryland, Md, USA, May 2005.

    [23] C. Peikert and A. Rosen, “Lattices that admit logarithmic worst-case to average-case connection factors,” in Proceedings of the 39th Annual ACM Symposium on Theory of Computing, pp. 478–487, ACM, California, Calif, USA, June 2007.

    [24] J. Cai, H. Jiang, P. Zhang, Z. Zheng, G. Lyu, and Q. Xu, “An efficient strong designated verifier signature based on R-sis assumption,” IEEE Access, vol. 7, pp. 3938–3947, 2019.

    [25] J. Hoffstein, J. Pipher, J. M. Schanck, J. H. Silverman, W. Whyte, and Z. Zhang, “Choosing parameters for ntruencrypt,” in Proceedings of the Cryptographers’ Track at the RSA Conference - Topics in Cryptology - CT-RSA ’17, pp. 3–18, California, Calif, USA, 2017.

    [26] E. Alkim, N. Bindel, J. A. Buchmann et al., “Revisiting TESLA in the quantum random oracle model,” in Proceedings of the 8th International Workshop - Post-Quantum Cryptography, PQCrypto ’17, pp. 143–162, The Netherlands, June 2017.
