Computers and Electrical Engineering 40 (2014) 1963–1971
Efficient forward secure identity-based shorter signature from lattice

Xiaojun Zhang (a, corresponding author), Chunxiang Xu (a, corresponding author), Chunhua Jin (a), Run Xie (a, b)

(a) School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
(b) School of Mathematical, Yibin University, Yibin 644000, China

Article info
Article history: Available online 31 December 2013

Abstract
All regular cryptographic schemes rely on the security of the secret key. However, with the explosive use of some relatively insecure mobile devices, the key exposure problem has become more aggravated. In this paper, we propose an efficient forward secure identity-based signature (FSIBS) scheme from lattice assumption, with its security based on the small integer solution problem (SIS) in the random oracle model. Our scheme can guarantee the unforgeability of the past signatures even if the current signing secret key is revealed. Moreover, the signature size and the secret key size of our scheme are unchanged and much shorter. To the best of our knowledge, our construction is the first FSIBS scheme based on lattice which can resist quantum attack. Furthermore, we extend our FSIBS scheme to a forward secure identity-based signature scheme in the standard model.
© 2013 Elsevier Ltd. All rights reserved.
1. Introduction

Identity-based signature (IBS) was first introduced by Shamir [1] in 1984. It belongs to a type of public key cryptography. In an IBS scheme, any known information of a user's identity can be used as a public key, and the corresponding signing secret key is issued by a trusted Key Generation Center (KGC). Identity-based signature can reduce the complexity and the cost of managing a Public Key Infrastructure (PKI). Until now, most identity-based signatures [2–7] have been proposed using groups with bilinear pairings or the quadratic residuosity assumption. However, Shor [8] pointed out that the discrete logarithm and prime factorization problems can be solved by a quantum computer in polynomial time. This means that once a quantum computer becomes reality, all of the existing public key algorithms will be broken.

In order to resist quantum computer attacks, there has been rapid growth in post-quantum cryptography recently. In particular, lattice-based cryptographic primitives are attractive because their security rests on the worst-case hardness of lattice problems under a quantum reduction. Moreover, the computation of lattice-based cryptography is very simple and suitable for low-power devices. Recently, lattice-based cryptographic schemes have been very fruitful in applications, such as digital signatures [9–11], (hierarchical) identity-based encryption ((H)IBE) [12], a fully homomorphic cryptosystem [13] and a new kind of LWE cryptosystem using ideal lattices [14].

As far as we know, the security of all modern identity-based signature schemes depends wholly on the assumption that the signing secret keys are absolutely secure. However, once a signing secret key is exposed, the security of past and future signatures is compromised. Furthermore, key exposure seems more likely to occur with the explosive use of mobile and unprotected devices in many cryptographic systems. It is much more convenient for an attacker to intrude
Reviews processed and recommended for publication to Editor-in-Chief by Associate Editor Dr. Jose M. Alcaraz Calero.
Corresponding authors: X. Zhang and C. Xu.
0045-7906/$ - see front matter © 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.compeleceng.2013.12.003
a user's storage space to obtain his signing secret key than to obtain it by solving the underlying cryptographic hard problem. Consequently, exposure of the signing secret key is a severe threat to identity-based signatures. How to protect identity-based signatures against key exposure is an important and interesting issue that deserves more attention from researchers.

Forward-secure signature is one of the most promising solutions for guaranteeing the security of signatures against key exposure. In a non-interactive forward-secure signature scheme, the whole lifetime is divided into $T$ time periods labeled from 1 to $T$. At the end of time period $i$, the user computes a new signing secret key $SK_{i+1}$ for the next time period by running the update algorithm on $SK_i$, and then deletes the old signing secret key $SK_i$. Thus a forward-secure signature scheme guarantees that exposure of the signing secret key in time period $i$ does not compromise the security of the system for any prior time period. Forward-secure signature was first proposed by Anderson [15]. Bellare and Miner [16] further presented a practical scheme and formalized the definitions of forward-secure signature and its security. A large number of research papers on forward-secure signatures [17–24] have been published so far.

Compared with forward-secure signature, research on forward-secure identity-based signature (FSIBS) has been much less active. Liu et al. [25] proposed the first FSIBS scheme; however, they did not provide a security definition or a formal security proof. Therefore, constructing an FSIBS scheme with provable security is still worthwhile research. Recently, Yu et al. [26] formalized the definition and security notion for FSIBS schemes, but their scheme needs many bilinear pairing operations, which may be too expensive for mobile devices with limited computational capacity.
Ebri et al. [27] proposed an efficient general construction of FSIBS and refined the definition of FSIBS. Additionally, in their scheme users can freely specify the time periods over which their signing secret keys evolve. However, their work does not involve lattice-based cryptography, which can resist quantum attack in the post-quantum cryptographic era.

1.1. Our contribution

In this paper, we combine forward security with identity-based signature to propose the first lattice-based forward-secure identity-based signature scheme. In the random oracle model, we prove that our scheme is unforgeable against chosen message and adaptively chosen identity attacks, even against a quantum computer. Thus, key exposure does not affect the security of signatures generated in previous time periods. Our second contribution is an extension to FSIBS in the standard model. The update algorithm in our extended scheme is inspired by the scheme in [28]. Moreover, we employ the technique of [29] for delegating a short lattice basis, which has the advantage of keeping the lattice dimension unchanged; thus the signing secret key size and the signature size of our schemes are both invariant and much shorter.

1.2. Organization

The rest of this paper is organized as follows. We introduce the preliminaries of our work in Section 2, including lattice definitions and hardness assumptions. We give the formal definition of an FSIBS scheme and its security notions in Section 3. We give our FSIBS scheme from the lattice assumption, its security analysis and an efficiency comparison in Section 4. We extend our scheme to an FSIBS scheme in the standard model in Section 5. Finally, we conclude our work in Section 6.

2. Preliminaries

2.1. Notation

For a positive integer $T$, $[T]$ denotes $\{1,\dots,T\}$. For an $n\times m$ matrix $A$, let $A=[a_1,\dots,a_m]$, where $a_i$ denotes the $i$-th column vector of $A$. We write $\|a\|$ for the Euclidean norm of $a$, and $\|A\|=\max_{i\in[m]}\|a_i\|$.
We set $n$ as the security parameter. A negligible function, denoted by $\mathrm{negl}(n)$, is a function $f(n)$ such that $f(n)=O(n^{-c})$ for some fixed constant $c$. We write $\mathrm{poly}(n)$ for a polynomial function and $\omega(\sqrt{\log n})$ for a super-logarithmic function which increases faster than $\sqrt{\log n}$ in $n$.

2.2. Lattice

Let $B=\{b_1,\dots,b_n\}$ be a set of $n$ linearly independent vectors. The $n$-dimensional lattice generated by $B$ is $L(B)=\{Bc=\sum_{i\in[n]}c_ib_i : c\in\mathbb{Z}^n\}$; $B$ is called a basis for $L(B)$. We define $q$-ary lattices following Ajtai [30].

Definition 1 ($q$-ary lattices). Let $q$ be a prime number, $A\in\mathbb{Z}_q^{n\times m}$ and $u\in\mathbb{Z}_q^n$. We define:

$\Lambda(A)=\{y\in\mathbb{Z}^m : \exists s\in\mathbb{Z}_q^n,\ y=A^{T}s \bmod q\}$,
$\Lambda^{\perp}(A)=\{e\in\mathbb{Z}^m : Ae=0 \bmod q\}$,
$\Lambda^{u}(A)=\{e\in\mathbb{Z}^m : Ae=u \bmod q\}$.

We observe that if $z\in\Lambda^{u}(A)$, then $\Lambda^{u}(A)=\Lambda^{\perp}(A)+z$.
Now we define the hard-on-average problem, which was first proposed by Ajtai [30] and formalized in [10] as follows.

Definition 2 (The Small Integer Solution Problem). SIS: given an integer $q$, a matrix $A\in\mathbb{Z}_q^{n\times m}$, and a real number $\beta$, find a nonzero integer vector $e\in\mathbb{Z}^m$ such that $Ae=0 \bmod q$ and $\|e\|\le\beta$. For functions $q(n)$, $m(n)$ and $\beta(n)$, $\mathrm{SIS}_{q,m,\beta}$ is the ensemble over instances $(q(n),m(n),\beta(n))$ where $A\in\mathbb{Z}_q^{n\times m}$ is uniformly random.

Lemma 1 (see [10]). For any poly-bounded $m$, $\beta=\mathrm{poly}(n)$ and any prime $q$, the average-case problem $\mathrm{SIS}_{q,m,\beta}$ is as hard as approximating the problem SIVP in the worst case to within certain factors $\gamma(n)=\beta\cdot\tilde{O}(\sqrt{n})$.

2.3. Discrete Gaussians on lattices

We briefly recall the Gaussian distribution on lattices [10]. Let $\Lambda$ be a subset of $\mathbb{Z}^m$. For any vector $c\in\mathbb{R}^m$ and any positive parameter $\sigma\in\mathbb{R}$, define $\rho_{\sigma,c}(x)=\exp(-\pi\|x-c\|^2/\sigma^2)$ and $\rho_{\sigma,c}(\Lambda)=\sum_{x\in\Lambda}\rho_{\sigma,c}(x)$. The discrete Gaussian distribution on $\Lambda$ with parameter $\sigma$ and center $c$ is $D_{\Lambda,\sigma,c}(y)=\rho_{\sigma,c}(y)/\rho_{\sigma,c}(\Lambda)$ for all $y\in\Lambda$. The distribution $D_{\Lambda,\sigma,c}$ is usually defined over the lattice $\Lambda^{\perp}(A)$ for a matrix $A\in\mathbb{Z}_q^{n\times m}$, or over a coset $\Lambda^{u}(A)=\Lambda^{\perp}(A)+z$ where $z\in\mathbb{Z}^m$.

2.4. Basis delegation

Let $A\in\mathbb{Z}_q^{n\times m}$ be a random matrix. The one-way function $f_A$ is defined as $f_A: D_n\to R_n$ with $f_A(e)=Ae \bmod q$, where $D_n=\{e\in\mathbb{Z}^m : \|e\|\le\sigma\sqrt{m}\}$ and $R_n=\mathbb{Z}_q^n$. A short basis $B$ for $\Lambda^{\perp}(A)$ can be used as a trapdoor to sample from $f_A^{-1}(y)$ for any $y\in\mathbb{Z}_q^n$.

For an (ordered) set of linearly independent vectors $S=\{s_1,\dots,s_n\}\subset\mathbb{R}^n$, its Gram–Schmidt orthogonalization $\tilde{S}$ is defined iteratively as $\tilde{s}_1=s_1$, and $\tilde{s}_i$ is the component of $s_i$ orthogonal to $\mathrm{span}(s_1,\dots,s_{i-1})$ for $i=2,\dots,n$. It is obvious that $\|\tilde{s}_i\|\le\|s_i\|$.

Lemma 2 (see [31]). Let $\Lambda$ be an $m$-dimensional lattice. There is a probabilistic polynomial-time algorithm that, given an arbitrary basis of $\Lambda$ and a full-rank set $S=\{s_1,\dots,s_m\}$ in $\Lambda$, returns a basis $T$ of $\Lambda$ satisfying $\|\tilde{T}\|\le\|\tilde{S}\|$ and $\|T\|\le\|S\|\sqrt{m}/2$.

Preimage sampleable functions

Gentry et al. [10] defined and constructed preimage sampleable functions. We recall their construction as follows.

TrapGen$(q,n)$: Let $q\ge3$ be odd and $m\ge6n\log q$. The probabilistic polynomial-time algorithm TrapGen$(q,n)$ defined in [32] outputs a pair $(A\in\mathbb{Z}_q^{n\times m},\ T\in\mathbb{Z}^{m\times m})$ such that $A$ is statistically close to a uniform matrix in $\mathbb{Z}_q^{n\times m}$ and $T$ is a basis for $\Lambda^{\perp}(A)$ satisfying $\|\tilde{T}\|\le O(\sqrt{n\log q})$ and $\|T\|\le O(n\log q)$ with all but negligible probability in $n$.

SampleDom$(A,s)$: Let $B$ be the standard basis for $\mathbb{Z}^m$. This algorithm uses the algorithm SampleD$(B,s,0)$ defined in [10] to sample from the distribution $D_{\mathbb{Z}^m,s}$. SampleD$(B,s,c)$ takes as input a basis $B$ of an $m$-dimensional lattice $\Lambda=L(B)$, a parameter $s$, and a center $c\in\mathbb{R}^m$, and outputs a sample from a distribution that is statistically close to $D_{\Lambda,s,c}$.

SamplePre$(A,T,u,\sigma)$: This algorithm takes as input $A\in\mathbb{Z}_q^{n\times m}$, a good basis $T\in\mathbb{Z}^{m\times m}$ for $\Lambda^{\perp}(A)$ as above, a vector $u\in R_n$ and a parameter $\sigma$, and works as follows. First, choose via linear algebra an arbitrary $t\in\mathbb{Z}^m$ such that $At=u \bmod q$. Then sample $v$ from the Gaussian distribution $D_{\Lambda^{\perp}(A),\sigma,-t}$ using SampleD$(T,\sigma,-t)$ and output $e\in D_n$ such that $e=t+v$. This function is one-way and collision-resistant without the trapdoor $T$.

Now we recall the method proposed in [11] which uses a good basis of a lattice $\Lambda$ to generate another good basis for a higher-dimensional lattice. The algorithms ExtBasis and RandBasis are described as follows.

ExtBasis$(S,\ A=A_1\|A_2)$: On input $A_1\in\mathbb{Z}_q^{n\times m_1}$, an arbitrary $A_2\in\mathbb{Z}_q^{n\times m_2}$ and a basis $S_1\in\mathbb{Z}^{m_1\times m_1}$ of $\Lambda^{\perp}(A_1)$, the algorithm outputs a basis $S\in\mathbb{Z}^{(m_1+m_2)\times(m_1+m_2)}$ for $\Lambda^{\perp}(A)$ with $\|\tilde{S}\|=\|\tilde{S}_1\|$.

RandBasis$(A,S,\sigma)$: On input $A\in\mathbb{Z}_q^{n\times m}$, a basis $S\in\mathbb{Z}^{m\times m}$ of $\Lambda^{\perp}(A)$ and a parameter $\sigma>\|\tilde{S}\|\cdot\omega(\sqrt{\log n})$, the algorithm outputs a basis $S'$ of $\Lambda^{\perp}(A)$ such that $\|S'\|\le\sigma\sqrt{m}$ and no information specific to $S$ is leaked by the output $S'$.

Now we describe the basis delegation technique of Agrawal et al. [29]. Let $A$ be a matrix in $\mathbb{Z}_q^{n\times m}$ and $T_A$ be a short basis of $\Lambda^{\perp}(A)$. We define $B=AR^{-1}\in\mathbb{Z}_q^{n\times m}$, where $R$ is a low-norm matrix in $\mathbb{Z}^{m\times m}$. Note that the dimension of $B$ is the same as the dimension of $A$. It is also required that it is hard to recover a short basis of $\Lambda^{\perp}(A)$ from a short basis of $\Lambda^{\perp}(B)$. The basis delegation algorithm NewBasisDel$(A,R,T_A,\sigma)$ works as follows:

1. Let $T_A=\{a_1,\dots,a_m\}$. Compute $T'_B=\{Ra_1,\dots,Ra_m\}$.
2. Use Lemma 2 to convert $T'_B$ into a basis $T''_B$ of $\Lambda^{\perp}(B)$. The algorithm in Lemma 2 takes as input $T'_B$ and an arbitrary basis of $\Lambda^{\perp}(B)$ and outputs a basis $T''_B$ whose Gram–Schmidt norm is no more than that of $T'_B$.
3. Run the algorithm RandBasis$(T''_B,\sigma)$ and output the resulting basis $T_B$ of $\Lambda^{\perp}(B)$.
Theorem 1 (see [29]). Suppose $R$ is sampled from $\mathcal{D}_{m\times m}$ and $\sigma$ satisfies $\sigma>\|\tilde{T}_A\|\cdot\sigma_R\sqrt{m}\,\omega(\log^{3/2}m)$. Let $T_B$ be the basis of $\Lambda^{\perp}(AR^{-1})$ output by NewBasisDel. The distribution of $T_B$ is statistically close to the distribution of RandBasis$(T,\sigma)$, where $T$ is an arbitrary basis of $\Lambda^{\perp}(AR^{-1})$ satisfying $\|\tilde{T}\|<\sigma/\omega(\sqrt{\log m})$. If $R$ is a product of $\ell$ matrices sampled from $\mathcal{D}_{m\times m}$, then the bound on $\sigma$ degrades to $\sigma>\|\tilde{T}_A\|\cdot(\sigma_R\sqrt{m}\,\omega(\log^{1/2}m))^{\ell}\cdot\omega(\log m)$.
3. Formal definition of forward-secure identity-based signature scheme

Yu et al. [26] gave a formal definition of FSIBS. However, in their scheme a pre-specified number of time periods $T$ is given by the PKG as a public parameter. In this paper, inspired by Ebri et al. [27], we let the pre-specified number of time periods $T$ over which the signing secret keys evolve be determined by each user, which avoids the scalability issue. In order to create an initial signing secret key, the PKG requires a pre-specified number of time periods $T$ and the signer's identifier information.

Definition 3. An FSIBS scheme consists of five algorithms, each of which is described as follows.

FSIBSSetup: The key setup algorithm is a probabilistic algorithm run by the PKG that takes as input a security parameter $n$ and outputs a master secret key $msk$ and public parameters $mpk$.

FSIBSExtract: The secret key extract algorithm is a probabilistic algorithm that takes as input the public parameter $mpk$, the master secret key $msk$, and an identity of the user $id\in\{0,1\}^*$. The identity $id$ consists of the user's identity information $ID$ and a pre-specified number of time periods $T$ over which the signing keys evolve, namely $id=ID\|T$. Finally the algorithm outputs the initial secret key $SK_{id\|0}$ associated with the identity $id$, which is sent to the user in a secure way.

FSIBSUpdate: The key update algorithm is a probabilistic algorithm that takes as input the current time period $i$, a user identity $id$ and the current secret key $SK_{id\|i}$, and outputs the new signing secret key $SK_{id\|i+1}$ for the next time period.

FSIBSSign: The signing algorithm is a probabilistic algorithm that takes as input the current time period $i$, a user identity $id$, the current signing secret key $SK_{id\|i}$, and a message $M$, and outputs a signature $e_i$ of $M$ associated with $id$ for time period $i$.

FSIBSVerify: The verification algorithm is a deterministic algorithm that takes as input a user identity $id$, the current time period $i$, a message $M$, and a candidate signature $e_i$, and outputs 1 when $e_i$ is a valid signature and 0 otherwise.

Correctness. If $e_i$ is a valid signature of message $M$ and identity $id$ generated by FSIBSSign in time period $i$, then FSIBSVerify$_{mpk}(id,i,M,e_i)=1$.

3.1. Security definition

Now we give the formal security definition for forward-secure identity-based signature schemes from [27]. We define unforgeability of FSIBS against chosen message attack, called UF-FSIBS-CMA, by the following game.

1. Setup phase. The challenger $\mathcal{C}$ runs the setup algorithm of the FSIBS scheme to generate the public parameter $mpk$ and the master secret key $msk$. The challenger sends $mpk$ to the adversary $\mathcal{F}$.

2. Queries phase. During this phase, the adversary $\mathcal{F}$ makes the following queries.

UserKeyExt. The adversary $\mathcal{F}$ can ask for the secret key of any identity $id$ ($id=ID\|T$). The challenger $\mathcal{C}$ generates the secret key $SK_{id\|0}$ associated with the identity $id$ and sends it to $\mathcal{F}$.

Breakin oracle. On receiving a query $(id,j)$ from the adversary $\mathcal{F}$, where $id=ID\|T$ and $1\le j\le T$, the challenger $\mathcal{C}$ returns the signing secret key $SK_{id\|j}$ for time period $j$.

Signing oracle. On receiving a query $(id,i,M)$ from the adversary $\mathcal{F}$, the challenger $\mathcal{C}$ generates a signature $e_i$ for the message $M$ using the signing secret key $SK_{id\|i}$ for time period $i$, where $1\le i\le T$.

At the end of each time period, the adversary $\mathcal{F}$ can choose to proceed to the next time period of this phase or go to the forgery phase.

3. Forgery phase. In this phase, the adversary $\mathcal{F}$ outputs an identity $id^*$, a time period $i^*$, a message $M^*$ and a candidate signature $e_i^*$. The adversary $\mathcal{F}$ is considered successful in the game if the following conditions hold:

(1) FSIBSVerify$_{mpk}(id^*,i^*,M^*,e_i^*)=1$;
(2) $id^*$ has not been issued as a UserKeyExt query;
(3) $(id^*,i^*,M^*)$ has never appeared in a signing-oracle query.

The FSIBS scheme is UF-FSIBS-CMA secure if, for any adversary $\mathcal{F}$, its success probability is negligible in the security parameter.

4. Forward secure identity-based signature from lattice

In this section, we give our FSIBS scheme based on the lattice assumption. We make use of the algorithm NewBasisDel$(A,R,T_A,\sigma)$ as the update algorithm for the signing secret key. In the FSIBS scheme, we assume a hash function $H_1$ that outputs
a matrix in $\mathbb{Z}_q^{m\times m}$, namely $H_1:\{0,1\}^*\to\mathbb{Z}_q^{m\times m}$, $id\mapsto H_1(id)\in\mathcal{D}_{m\times m}$, where the output $H_1(id)$ is distributed as $\mathcal{D}_{m\times m}$ described in [29]. We also define a secure hash function $H_2:\{0,1\}^*\to\mathbb{Z}_q^n$. In addition, for the time periods $i=0,\dots,T$ we set two series of Gaussian parameters $\vec{\sigma}=(\sigma_0,\dots,\sigma_T)$ and $\vec{\delta}=(\delta_0,\dots,\delta_T)$. Furthermore, we employ the GPV signature scheme [10] as one important component of our FSIBS.

FSIBSSetup: On input a security parameter $n$, set the parameters $q$ and $m$ accordingly. The PKG runs the algorithm TrapGen$(q,n)$ to generate a matrix $A\in\mathbb{Z}_q^{n\times m}$ and a corresponding short basis $T_A\in\mathbb{Z}^{m\times m}$ for $\Lambda^{\perp}(A)$ such that $\|\tilde{T}_A\|\le O(\sqrt{n\log q})$. The PKG publishes the master public key $mpk=A$ and keeps the master secret key $msk=T_A$ secret.

FSIBSExtract: Upon receiving $id=ID\|T$ from the user, where $ID$ denotes the identifier information and $T$ denotes the pre-specified number of time periods over which a signing secret key evolves, the PKG generates the secret key $SK_{id\|0}$ using its master secret key $msk$ as follows.
1. Let $R_{id\|0}=H_1(id\|0)\in\mathbb{Z}_q^{m\times m}$ and compute $A_{id\|0}=A(R_{id\|0})^{-1}$.
2. The PKG runs the algorithm NewBasisDel$(A,R_{id\|0},T_A,\sigma_0)$ to generate $SK_{id\|0}$ as the secret key of this user, and sends it to the user in a secure manner.

FSIBSUpdate: Given $(id,i,SK_{id\|i-1})$, where $id=ID\|T$, $i$ is the index of the current time period and $SK_{id\|i-1}$ is the signing secret key of the previous time period $i-1$, the user performs the following steps for $i=1$ to $T$:
1. If $i=1$, $SK_{id\|0}$ is the secret key of this user.
2. Compute $R_{id\|i-1}=H_1(id\|i-1)\cdots H_1(id\|0)\in\mathbb{Z}_q^{m\times m}$ and $A_{id\|i-1}=A(R_{id\|i-1})^{-1}$ as the public key in time period $i-1$ with respect to the signing secret key $SK_{id\|i-1}$.
3. Let $R_i=H_1(id\|i)$, then evaluate $SK_{id\|i}\leftarrow$ NewBasisDel$(A_{id\|i-1},R_i,SK_{id\|i-1},\sigma_i)$.
4. Output $SK_{id\|i}$.

FSIBSSig: Given $(id,i,M)$, where $id=ID\|T$ is an identity, $i$ is the index of the current time period and $M$ is the message to be signed, the user computes $y=H_2(id\|i\|M)$, then evaluates $e_i\leftarrow$ SamplePre$(A_{id\|i},SK_{id\|i},y,\delta_i)$ and outputs the signature $(id,i,M,e_i)$.

FSIBSVer: Given $(id,i,M,e_i)$, where $id$ is an identity, $i$ is the index of a time period, $M$ is a message and $e_i$ is a signature, the verifier accepts the signature only if both of the following conditions are satisfied:
1. $e_i\in D_n$ such that $0<\|e_i\|\le\delta_i\s\sqrt{m}$.
2. $A_{id\|i}e_i=y$, where $A_{id\|i}=A(R_{id\|i})^{-1}$, $R_{id\|i}=H_1(id\|i)\cdots H_1(id\|0)\in\mathbb{Z}_q^{m\times m}$ and $y=H_2(id\|i\|M)$.
Otherwise, the verifier rejects.
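The following Python program is an added illustration and is not code from the paper. It implements the public-key side of the scheme above at toy size: the derivation of $A_{id\|i}=A(H_1(id\|i)\cdots H_1(id\|0))^{-1} \bmod q$ from public data only, the two checks of FSIBSVer, and the update identity $A_{id\|i}=A_{id\|i-1}(H_1(id\|i))^{-1}$ that links the verifier's chain to the signer's update step. It has no lattice trapdoor, so instead of SamplePre it produces signatures the way the challenger in the security proof of Section 4.1 does: it samples a short $e$ first and programs $H_2(id\|i\|M):=A_{id\|i}e$. The parameters ($n=4$, $m=8$, $q=257$), the SHAKE-based stand-ins for $H_1$, $H_2$, SampleDom and the master public key, and the identity and message strings are all constructed for this example.

```python
import hashlib
import math

# Toy parameters, constructed for this example (real instances need n in the hundreds).
N, M, Q = 4, 8, 257   # lattice rank n, width m, prime modulus q


def _shake(label: bytes, nbytes: int) -> bytes:
    """Deterministic byte stream from a label (stand-in for a random oracle)."""
    return hashlib.shake_256(label).digest(nbytes)


def mat_mul(X, Y, q=Q):
    """Matrix product X*Y modulo q."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def mat_vec(X, v, q=Q):
    """Matrix-vector product X*v modulo q."""
    return [sum(X[i][k] * v[k] for k in range(len(v))) % q for i in range(len(X))]


def mat_inv(R, q=Q):
    """Inverse of a square matrix modulo the prime q (Gauss-Jordan); None if singular."""
    m = len(R)
    aug = [[x % q for x in row] + [int(i == j) for j in range(m)] for i, row in enumerate(R)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [x * inv % q for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]


def h1(label: str):
    """Toy H1: low-norm matrix with entries in {-1,0,1}, invertible mod q (stand-in for D_{m x m})."""
    for ctr in range(256):   # append a counter until the matrix is invertible
        stream = _shake(f"H1|{label}|{ctr}".encode(), M * M)
        R = [[(b % 3) - 1 for b in stream[i * M:(i + 1) * M]] for i in range(M)]
        if mat_inv(R) is not None:
            return R
    raise RuntimeError("no invertible H1 output found")


def h2_real(label: str):
    """Toy H2: hash to a vector in Z_q^n (the honest oracle, with no programming)."""
    stream = _shake(f"H2|{label}".encode(), 2 * N)
    return [int.from_bytes(stream[2 * i:2 * i + 2], "big") % Q for i in range(N)]


# Toy master public key A (a real PKG obtains A together with its trapdoor T_A from TrapGen).
_A_BYTES = _shake(b"A|constructed-seed", 2 * N * M)
A_MPK = [[int.from_bytes(_A_BYTES[2 * (i * M + j):2 * (i * M + j) + 2], "big") % Q
          for j in range(M)] for i in range(N)]


def period_key(A, ident: str, i: int):
    """A_{id||i} = A * (H1(id||i) ... H1(id||0))^{-1} mod q, computable from public data only."""
    R = h1(f"{ident}|0")
    for j in range(1, i + 1):
        R = mat_mul(h1(f"{ident}|{j}"), R)    # left-multiply: H1(id||j) ... H1(id||0)
    return mat_mul(A, mat_inv(R))


def verify(A, ident, i, msg, e, delta, h2=h2_real):
    """FSIBSVer: 0 < ||e|| <= delta*sqrt(m) and A_{id||i} e = H2(id||i||M) mod q."""
    norm = math.sqrt(sum(x * x for x in e))
    if not 0 < norm <= delta * math.sqrt(M):
        return False
    return mat_vec(period_key(A, ident, i), e) == h2(f"{ident}|{i}|{msg}")


class ProgrammedH2:
    """H2 as the challenger in Section 4.1 programs it: on a fresh (id, i, M) it samples a short e
    and defines H2(id||i||M) := A_{id||i} e, so it answers signing queries without any trapdoor."""

    def __init__(self, A):
        self.A, self.table = A, {}    # table: (id, i, M) -> (e, A_{id||i} e)

    def query(self, ident, i, msg):
        key = (ident, i, msg)
        if key not in self.table:
            stream = _shake(f"dom|{ident}|{i}|{msg}".encode(), M)
            e = [(b % 5) - 2 for b in stream]       # toy stand-in for SampleDom
            self.table[key] = (e, mat_vec(period_key(self.A, ident, i), e))
        return self.table[key]

    def __call__(self, label):                      # oracle interface used by verify()
        ident, i, msg = label.split("|", 2)
        return self.query(ident, int(i), msg)[1]

    def sign(self, ident, i, msg):                  # simulated signing-oracle answer
        return self.query(ident, i, msg)[0]


def demo():
    """Returns (valid signature accepted, altered message rejected, update identity holds)."""
    ident, sim = "alice:5", ProgrammedH2(A_MPK)     # id = ID || T with T = 5 periods
    e = sim.sign(ident, 3, "pay 10")
    accepted = verify(A_MPK, ident, 3, "pay 10", e, delta=3.0, h2=sim)
    rejected = not verify(A_MPK, ident, 3, "pay 99", e, delta=3.0, h2=sim)
    # The verifier's chain must agree with the update step: A_{id||3} = A_{id||2} * H1(id||3)^{-1}.
    chained = mat_mul(period_key(A_MPK, ident, 2), mat_inv(h1(f"{ident}|3")))
    return accepted, rejected, chained == period_key(A_MPK, ident, 3)
```

Two design points are worth noting. The verifier never needs any per-period secret: `period_key` rebuilds $A_{id\|i}$ from $A$, $id$ and $i$ alone, which is what lets the public key stay the same size in every period. And `ProgrammedH2` is exactly the random-oracle programming trick the reduction relies on: because $H_2$ is chosen after $e$, the challenger can answer signing queries without any trapdoor, while the adversary's view is distributed as in the real scheme only because $A_{id\|i}e$ is close to uniform for Gaussian $e$.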
4.1. Security analysis

Theorem 2. In the random oracle model, if an adversary $\mathcal{F}$ has a non-negligible advantage $\varepsilon$ against the UF-CMA security of FSIBS, then there exists an algorithm $\mathcal{C}$ that can solve the SIS problem with a non-negligible advantage $\varepsilon'$.

Proof. By contradiction. We assume that there exists an adversary $\mathcal{F}$ that can forge a signature in the proposed scheme with non-negligible advantage $\varepsilon$. We construct an algorithm $\mathcal{C}$ that solves the SIS problem with non-negligible probability $\varepsilon'$ by simulating the view of $\mathcal{F}$. First of all, we assume that:

1. For each time period $i=0,1,\dots,T$, the adversary $\mathcal{F}$ makes a polynomial number of different $H_1$ queries on identities, adaptively.
2. Whenever $\mathcal{F}$ makes an $H_1$ query on an identity at time period $i$, we assume that it has already queried it at every time period $j<i$.
3. Whenever $\mathcal{F}$ submits a user's signing secret key query, we assume that it has made all relevant $H_1$ queries beforehand.

Setup: The algorithm $\mathcal{C}$ runs the trapdoor algorithm TrapGen$(q,n)$ to generate $A\in\mathbb{Z}_q^{n\times m}$ with corresponding trapdoor $T_A\in\mathbb{Z}^{m\times m}$. $\mathcal{C}$ sets the master public key to $mpk=A$ and the master secret key to $msk=T_A$, and provides the public parameter $mpk$ to $\mathcal{F}$.

Attack phase: First, the algorithm $\mathcal{C}$ randomly guesses $i^*$ ($1\le i^*\le T$) as the time period in which $\mathcal{F}$ will forge a signature. $\mathcal{C}$ simulates the random oracles $H_1$ and $H_2$ as follows. Without loss of generality, we assume the adversary $\mathcal{F}$ queries the random oracle $H_2$ on every message $M$ for $(id,i)$ before making a signing query on $(id,i,M)$. $\mathcal{C}$ maintains four lists in its local storage, called the $L_1$, $L_2$, $L_3$ and $L_4$ lists respectively, all initially empty.
$H_1$ queries: For each time period $i=0,1,\dots,T$, $\mathcal{F}$ may query the random oracle $H_1$ on any identity of its choice adaptively. For a query $id\|i$, $\mathcal{C}$ looks up the $L_1$ list to check whether the value of $H_1$ was previously defined. If it was, the previously defined value is returned. Otherwise, $\mathcal{C}$ chooses a low-norm matrix $R_i\in\mathbb{Z}_q^{m\times m}$ at random, stores $(id\|i,R_i)$ in the $L_1$ list, and returns $R_i$ to $\mathcal{F}$.

UserKeyExt: $\mathcal{F}$ chooses $\ell\in\{1,2,\dots,Q\}$ at random, where $Q$ denotes the maximum number of UserKeyExt queries, and $\mathcal{C}$ does the following. If $id$ is not the $\ell$-th query: when $\mathcal{F}$ queries on an identity $id\|0$, $\mathcal{C}$ checks the $L_1$ list for its hash value. If it is found, the previously defined hash value is returned, $\mathcal{C}$ computes $A_{id\|0}=A(H_1(id\|0))^{-1}$, and runs the algorithm NewBasisDel$(A,H_1(id\|0),T_A,\sigma_0)$ to generate a basis $SK_{id\|0}$ of $\Lambda^{\perp}(A_{id\|0})$. If $id\|0$ is not found, $\mathcal{C}$ chooses a low-norm matrix $R_{id\|0}\in\mathbb{Z}_q^{m\times m}$ at random, stores $(id\|0,R_{id\|0})$ in the $L_1$ list and runs the algorithm NewBasisDel$(A,R_{id\|0},T_A,\sigma_0)$ to generate $SK_{id\|0}$. Then $\mathcal{C}$ returns the secret key $SK_{id\|0}$ to $\mathcal{F}$ and stores $(id\|0,SK_{id\|0})$ in the $L_2$ list. If $id$ is the $\ell$-th query, $\mathcal{C}$ aborts.

Signing secret key queries: Once $\mathcal{F}$ asks for the signing secret key for $(id,i)$, $\mathcal{C}$ provides $\mathcal{F}$ with the signing secret key $SK_{id\|i}$ for that time period as follows. If $id$ is not the $\ell$-th query: for each $i\in[T]$, we have assumed that $\mathcal{F}$ has already made $H_1$ queries on $id\|j$ for all $j<i$. For the hash query on $id\|i$, $\mathcal{C}$ looks up the $L_1$ list to find the low-norm matrix $R_i\in\mathbb{Z}_q^{m\times m}$ as before. Then $\mathcal{C}$ runs the algorithm NewBasisDel$(A_{id\|i-1},R_i,SK_{id\|i-1},\sigma_i)$ to generate $A_{id\|i}=A(H_1(id\|0))^{-1}(H_1(id\|1))^{-1}\cdots(H_1(id\|i-1))^{-1}R_i^{-1}$ and the basis $SK_{id\|i}$. Finally $\mathcal{C}$ returns $SK_{id\|i}$ to $\mathcal{F}$ and stores $(id\|i,A_{id\|i},SK_{id\|i})$ in the $L_3$ list. If $id$ is the $\ell$-th query: if $i\le i^*$, $\mathcal{C}$ chooses a matrix $W\in\mathbb{Z}_q^{m\times m}$ at random and returns it to $\mathcal{F}$; if $i=i^*+1$, $\mathcal{C}$ runs the trapdoor algorithm TrapGen$(q,n)$ to generate $A_{id\|i^*+1}\in\mathbb{Z}_q^{n\times m}$ with corresponding trapdoor $SK_{id\|i^*+1}\in\mathbb{Z}^{m\times m}$, returns $SK_{id\|i^*+1}$ to $\mathcal{F}$ and stores $(id\|i^*+1,A_{id\|i^*+1},SK_{id\|i^*+1})$ in the $L_3$ list; if $i^*+1\le i\le T$, $\mathcal{C}$ proceeds exactly as in the case where $id$ is not the $\ell$-th query.

$H_2$ queries: For a distinct $(id,i,M)$, $\mathcal{C}$ first checks whether the value of $H_2$ was previously defined. If it was, the previously defined value is returned. Otherwise, $\mathcal{C}$ looks up the $L_1$ and $L_3$ lists to get $(id\|i,H_1(id\|i))$ and $(id\|i,A_{id\|i},SK_{id\|i})$. If they are found, $\mathcal{C}$ runs $e_i\leftarrow$ SampleDom$(1^n)$, returns $A_{id\|i}e_i$ to $\mathcal{F}$, and inserts $(id,i,M,e_i,A_{id\|i}e_i)$ into the $L_4$ list. If they are not found, $\mathcal{C}$ regenerates them and stores them in the $L_1$ and $L_3$ lists as before, then carries on as above. By the uniform output property of the collection, this is identical to the uniformly random value of $H_2(id\|i\|M)\in R_n$ in the real system.

Sign queries: For each query $(id,i,M)$ of the adversary $\mathcal{F}$, $\mathcal{C}$ does the following. If $id$ is not the $\ell$-th query: $\mathcal{C}$ looks up the $L_4$ list for $(id,i,M,e_i,H_2(id\|i\|M))$; if it is found, $\mathcal{C}$ returns $e_i$ as the signature. Otherwise $\mathcal{C}$ looks up the $L_1$ and $L_3$ lists to get $H_1(id\|i)$ and $SK_{id\|i}$; if they are not found, $\mathcal{C}$ regenerates them as before. Finally, $\mathcal{C}$ runs $e_i\leftarrow$ SampleDom$(1^n)$, returns $e_i$ to $\mathcal{F}$, and inserts $(id,i,M,e_i,A_{id\|i}e_i)$ into the $L_4$ list. If $id$ is the $\ell$-th query: when $i^*<i\le T$, $\mathcal{C}$ generates the signature as above; otherwise, $\mathcal{C}$ aborts.

Breakin queries: $\mathcal{F}$ asks for the signing secret key for a specific identity and time period $(id,j)$. If $id$ is not the $\ell$-th query, $\mathcal{C}$ looks up the $L_3$ list to provide $\mathcal{F}$ with the signing secret key $SK_{id\|j}$ for that time period. If $id$ is the $\ell$-th query and $j=i^*$, $\mathcal{C}$ aborts its run.

Forgery phase: In this phase, $\mathcal{F}$ outputs an identity $id^*$, a time period $t^*$, a message $M^*$ and a signature $e^*$. $\mathcal{F}$ succeeds if:
1. $1\le t^*<j$.
2. $id^*$ has not been issued as a UserKeyExt query.
3. $(id^*,t^*,M^*)$ has not been issued as a Sign query, and FSIBSVerify$_{A_{id^*\|t^*}}(id^*,t^*,M^*,e^*)=1$.

Once the adversary $\mathcal{F}$ outputs a forged signature $(id^*,t^*,M^*,e^*)$, $\mathcal{C}$ does the following. It checks whether $id^*$ is the $\ell$-th query and $t^*=i^*$. If either equality does not hold, $\mathcal{C}$ aborts its run. Otherwise, the view of $\mathcal{C}$ is perfectly simulated. As we know, $e^*$ is a forged signature such that $id^*$, $(id^*,t^*)$ and $(id^*,t^*,M^*)$ are not equal to the input of any query to UserKeyExt, the signing secret key oracle, and Sign, respectively. Before the forgery, for the query to $H_2$ on $(id^*,t^*,M^*)$, $\mathcal{C}$ stored a tuple $(id^*,t^*,M^*,e_M,A_{id^*\|t^*}e_M)$ in $L_4$ for $e_M\leftarrow$ SampleDom$(1^n)$, and returned $A_{id^*\|t^*}e_M$ to $\mathcal{F}$. By the preimage min-entropy property of the hash family, the min-entropy of $e_M$ given $A_{id^*\|t^*}e_M$ (and the rest of the view of $\mathcal{F}$, which is independent of $e_M$) is $\omega(\log n)$. Thus the signature $e^*\ne e_M$, except with negligible probability $2^{-\omega(\log n)}$. We know that the adversary $\mathcal{F}$ wins the
game only if $e^*$ is a valid signature on $(id^*,t^*,M^*)$. Thus we have $e^*\in D_n$ and $A_{id^*\|t^*}e^*=H_2(id^*\|t^*\|M^*)=A_{id^*\|t^*}e_M$. Therefore $\mathcal{C}$ outputs a valid $e=e^*-e_M$ such that $A_{id^*\|t^*}e=0$, which means that the algorithm $\mathcal{C}$ can solve the SIS problem. As described before, if $id^*$ is not the $\ell$-th query or $t^*\ne i^*$, $\mathcal{C}$ aborts its run. Thus the success probability of $\mathcal{C}$ in solving the SIS problem is the same as that of $\mathcal{F}$ in forging a valid signature, except for a loss of tightness of $1/TQ$ in the reduction due to the handling of aborting events. Since the advantage of solving the SIS problem is negligible, the advantage of the adversary $\mathcal{F}$ in forging a valid signature is also negligible. □

Table 1. Efficiency comparison.

Schemes      UPK           USK           Signature size
[33]         $2nm\,l_q$    $4m^2\,l_q$   $2m\,l_q+k$
[34]         $3nm\,l_q$    $4m^2\,l_q$   $(3m+1)\,l_q$
Our FSIBS    $nm\,l_q$     $m^2\,l_q$    $m\,l_q+k$

4.2. Efficiency comparison

Now we compare the size of the user public key, the user secret key and the signature with two classical identity-based signature schemes from lattices [33,34]. The details of the efficiency comparison are given in Table 1. Since hierarchical IBS is a generalization of IBS, here we set the level of Rückert's [33] hierarchical IBS to one. We denote by UPK and USK the size of the user public key and the user secret key respectively. The number of bits in the representation of an element is denoted by $l_q$. As the master public key and master secret key in these schemes are in $\mathbb{Z}_q^{n\times m}$ and $\mathbb{Z}^{m\times m}$ respectively, we do not take them into account. In Rückert's IBS scheme in the random oracle model, we assume the size of the random number is $k$. For consistency, we assume that the size of the time period in our scheme is also $k$. Table 1 shows that the user public key, the user secret key and the signature in our scheme are much shorter than in the previous two schemes. Meanwhile, our scheme has the forward-secure property, which can deal with the key exposure problem. Therefore our scheme is more efficient and more practical.

5. Forward secure identity-based signature from lattice in the standard model

Now we extend the forward-secure identity-based signature from lattices in the random oracle model to an FSIBS scheme in the standard model as follows.

FSIBSSetup: Given the security parameter $n$, let $q\ge3$ be odd and $m\ge6n\log q$. The PKG runs TrapGen$(q,n)$ to generate a matrix $A\in\mathbb{Z}_q^{n\times m}$ and a corresponding short basis $T_A\in\mathbb{Z}^{m\times m}$. Select $2(T+1)t_1$ random matrices $R^0_{i,j},R^1_{i,j}$
Dmm (for
and a random nonzero vector 0 6 i 6 T; 1 6 j 6 t1 Þ; t 2 random matrices F j 2 Z nm q
l 2 Z nq . Choose two cryptographic hash t1 t2 functions H : f0; 1g ! f0; 1g and h : f0; 1g ! f0; 1g . Set the public parameter mpk ¼ fA; hR0i;j ; R1i;j i; hF j i; lg and the master ¼ ðr0 . . . rT Þ and secret key msk ¼ T A . Moreover, we also set two series of gaussian parameters r d ¼ ðd0 . . . dT Þ.
FSIBSExtract: Upon receiving $id = ID\|T$ from the user, where $ID$ denotes the identifier information and $T$ denotes the prespecified number of time periods over which a signing key evolves, the PKG generates the secret key $SK_{id\|0}$ using its master secret key $msk$ as follows. Set $\rho_0 = H(id\|0)$, compute $R_{id\|0} = R^{\rho_0[t_1]}_{0,t_1}\cdots R^{\rho_0[1]}_{0,1} \in \mathbb{Z}_q^{m\times m}$ and $A_{id\|0} = A R^{-1}_{id\|0}$. The PKG calls the algorithm $\mathrm{NewBasisDel}(A, R_{id\|0}, T_A, \sigma_0)$ and outputs $SK_{id\|0}$ as the secret key of the user.

FSIBSUpdate: Given the signing secret key $SK_{id\|i-1}$ at time period $i-1$, the user obtains the signing secret key $SK_{id\|i}$ at time period $i$ as follows.
1. Set $\rho_{i-1} = H(id\|i-1)$, compute $R_{id\|i-1} = R^{\rho_{i-1}[t_1]}_{i-1,t_1}\cdots R^{\rho_{i-1}[1]}_{i-1,1} \in \mathbb{Z}_q^{m\times m}$ and $A_{id\|i-1} = A(R_{id\|i-1}\cdots R_{id\|0})^{-1}$.
2. Compute $\rho_i = H(id\|i)$ and $R_{id\|i} = R^{\rho_i[t_1]}_{i,t_1}\cdots R^{\rho_i[1]}_{i,1} \in \mathbb{Z}_q^{m\times m}$, and evaluate $SK_{id\|i} \leftarrow \mathrm{NewBasisDel}(A_{id\|i-1}, R_{id\|i}, SK_{id\|i-1}, \sigma_i)$.
3. Output $A_{id\|i} = A_{id\|i-1}(R_{id\|i})^{-1}$ and $SK_{id\|i}$, a random basis of $\Lambda_q^{\perp}(A_{id\|i})$.

FSIBSSig: Given $(id, i, M)$, where $id$ is an identity, $i$ is the index of the current time period and $M$ is the message to be signed, the user does the following.
1. For all $i \in [T]$, let $\rho_i = H(id\|i)$ and compute $R_{id\|i} = R^{\rho_i[t_1]}_{i,t_1}\cdots R^{\rho_i[1]}_{i,1} \in \mathbb{Z}_q^{m\times m}$ and $A_{id\|i} = A(R_{id\|i}R_{id\|i-1}\cdots R_{id\|0})^{-1} \in \mathbb{Z}_q^{n\times m}$.
2. Compute $\mathbf{m} = h(id\|i\|M)$ and set $E = \sum_{j=1}^{t_2}(-1)^{\mathbf{m}[j]}F_j \in \mathbb{Z}_q^{n\times m}$.
3. Set $A_{\mathbf{m}} = A_{id\|i}\|E$ and run $\mathrm{RandBasis}(\mathrm{ExtBasis}(SK_{id\|i}, A_{\mathbf{m}}))$ to generate $S_{\mathbf{m}}$. Finally, the user runs $e_i \leftarrow \mathrm{SamplePre}(A_{\mathbf{m}}, S_{\mathbf{m}}, \mu, \delta_i)$.
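The public-matrix derivation shared by FSIBSUpdate and FSIBSSig, together with the check performed by FSIBSVer below, as a toy re-implementation added here (not the authors' code). It assumes tiny constructed parameters, SHA-256 instantiations of $H$ and $h$, and samples the $R^b_{i,j}$ as signed permutation matrices, a low-norm invertible stand-in for $\mathcal{D}_{m\times m}$ whose inverse is its transpose; since producing $e_i$ honestly needs SamplePre with the delegated basis, the toy fixes a short $e_i$ first and sets $\mu$ to match, so only the verifier's logic is exercised.

```python
import hashlib, random

# Constructed toy sizes, not the paper's parameters (q prime; m, t1, t2 kept tiny).
q, n, m, T, t1, t2 = 97, 3, 6, 2, 4, 16
rng = random.Random(1)

def H(s, t):  # assumed instantiation of the hashes H and h: label -> t bits
    d = int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")
    return [(d >> k) & 1 for k in range(t)]
def matmul(X, Y):  # matrix product over Z_q
    return [[sum(X[r][k] * Y[k][c] for k in range(len(Y))) % q for c in range(len(Y[0]))] for r in range(len(X))]
def apply(X, e):  # X e mod q for an integer vector e
    return [sum(a * x for a, x in zip(row, e)) % q for row in X]
def signed_perm():  # toy stand-in for D_{m x m}: low-norm, invertible, and its inverse is its transpose
    cols = list(range(m)); rng.shuffle(cols)
    return [[rng.choice([1, q - 1]) if cols[r] == c else 0 for c in range(m)] for r in range(m)]
def R_period(R, ident, k):  # R_{id||k} = R_{k,t1}^{rho[t1]} ... R_{k,1}^{rho[1]} with rho = H(id||k)
    rho, P = H(f"{ident}|{k}", t1), [[int(r == c) for c in range(m)] for r in range(m)]
    for j in reversed(range(t1)):
        P = matmul(P, R[k][rho[j]][j])
    return P
def update_A(A_prev, R, ident, i):  # FSIBSUpdate step 3: A_{id||i} = A_{id||i-1} (R_{id||i})^{-1}
    return matmul(A_prev, list(zip(*R_period(R, ident, i))))  # inverse of a signed permutation = transpose
def derive_A(A, R, ident, i):  # FSIBSSig/FSIBSVer: A_{id||i} = A (R_{id||i} ... R_{id||0})^{-1}
    P = R_period(R, ident, i)
    for k in reversed(range(i)):
        P = matmul(P, R_period(R, ident, k))
    return matmul(A, list(zip(*P)))
def A_m(A_id, F, ident, i, M):  # A_m = A_{id||i} || E with E = sum_j (-1)^{m[j]} F_j, m = h(id||i||M)
    mu = H(f"{ident}|{i}|{M}", t2)
    E = [[sum((-1) ** mu[j] * F[j][r][c] for j in range(t2)) % q for c in range(m)] for r in range(n)]
    return [ra + re for ra, re in zip(A_id, E)]
def fsibs_verify(mpk, ident, i, M, e, d_i):  # FSIBSVer: norm bound on e_i, then (A_{id||i} | E) e_i = u mod q
    A, R, F, u = mpk
    if not 0 < sum(x * x for x in e) ** 0.5 <= d_i * (2 * m) ** 0.5:
        return False
    return apply(A_m(derive_A(A, R, ident, i), F, ident, i, M), e) == u

def demo():  # constructed keys; e is fixed first and u set to match, so only the verifier's checks are exercised
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    R = [[[signed_perm() for _ in range(t1)] for _ in range(2)] for _ in range(T + 1)]
    F = [[[rng.randrange(q) for _ in range(m)] for _ in range(n)] for _ in range(t2)]
    ident, i, M = "alice", 1, "transfer 10"
    A1 = derive_A(A, R, ident, i)
    chain_ok = A1 == update_A(update_A(A, R, ident, 0), R, ident, 1)  # evolving from A agrees with the direct form
    e = [1 if k % m == 0 else rng.choice([-1, 0, 1]) for k in range(2 * m)]  # short: 0 < ||e|| <= sqrt(2m)
    mpk = (A, R, F, apply(A_m(A1, F, ident, i, M), e))  # u := A_m e (toy; an honest signer uses SamplePre)
    return chain_ok, fsibs_verify(mpk, ident, i, M, e, 1), fsibs_verify(mpk, ident, i, "transfer 99", e, 1)
```

`demo()` returns `(True, True, False)`: the period-by-period update matches the direct derivation, the matching signature verifies, and the same vector fails for a different message because $E$ changes with $h(id\|i\|M)$.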
FSIBSVer: Given $(id, i, M, e_i)$, where $id$ is an identity, $i$ is the index of the time period, $M$ is the message and $e_i$ is the signature, any party can verify the validity of the signature as follows.
1. Check that $e_i \in D^n$ satisfies $0 < \|e_i\| \le \delta_i\sqrt{2m}$.
2. Compute $A_{id\|i} = A(R_{id\|i}R_{id\|i-1}\cdots R_{id\|0})^{-1}$, where each $R_{id\|i} = R^{\rho_i[t_1]}_{i,t_1}\cdots R^{\rho_i[1]}_{i,1} \in \mathbb{Z}_q^{m\times m}$.
3. Compute $\mathbf{m} = h(id\|i\|M)$ and set $E = \sum_{j=1}^{t_2}(-1)^{\mathbf{m}[j]}F_j \in \mathbb{Z}_q^{n\times m}$.
4. The verifier accepts the signature if and only if $(A_{id\|i}\,|\,E)\,e_i = \mu$.

The above construction of a forward secure identity-based signature scheme from lattice in the standard model is inspired by Rückert's scheme [33]. Compared with Rückert's scheme, our scheme has the advantage that its secret key size and signature size are invariant and also much shorter. The security analysis is similar to that of our scheme in the random oracle model, except for how the challenger sets the matrix $A_{id\|i}$.

6. Conclusion

With the explosive growth in the use of mobile devices (smart cards, mobile phones, etc.), the exposure of the signing secret key is a severe threat to identity-based signatures. The goal of forward security is to protect the security of past uses of the signing secret key even if the current signing secret key is exposed. In this paper, we have utilized the lattice basis delegation technique to construct the first efficient forward-secure identity-based shorter signature scheme from lattice assumption. Moreover, we have given the details of an efficiency comparison with previous classical schemes. The result of this comparison shows that our scheme is more efficient and practical. We also proved that our scheme is unforgeable in the random oracle model under chosen message and adaptively chosen identity attacks, so it can deal with the key exposure problem even in the post-quantum cryptographic era. Meanwhile, we have also extended the scheme to a FSIBS scheme in the standard model. It has the advantage that its signing secret key size and signature size are unchanged and much shorter. The security analysis of the FSIBS scheme in the standard model will be our future work.

Acknowledgements

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper.
This work is supported by the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103) and the National Natural Science Foundation of China (No. 61370203).

References

[1] Shamir A. Identity-based cryptosystems and signature schemes. In: Proceedings of advances in cryptology-CRYPTO'84. LNCS, vol. 196. Springer-Verlag; 1984. p. 47–53.
[2] Hess F. Efficient identity based signature schemes based on pairings. In: Proceedings of SAC'2002; 2003. p. 310–24.
[3] Yi X. An identity-based signature scheme from the Weil pairing. IEEE Commun Lett 2003;7(2):76–8.
[4] Barreto P, Libert B, McCullagh N, Quisquater J. Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Proceedings of advances in cryptology-ASIACRYPT 2005. LNCS, vol. 3788. Springer-Verlag; 2005. p. 515–32.
[5] Cao Z, Chai Z, Dong X. Identity-based signature scheme based on quadratic residues. Sci China Ser F Inform Sci 2007;50(3):373–80.
[6] Xiong H, Hu J, Chen Z, Li F. On the security of an identity-based multi-proxy signature scheme. Comput Electr Eng 2011;37(2):129–35.
[7] Yang P, Cao Z, Dong X. Fuzzy identity based signature with applications to biometric authentication. Comput Electr Eng 2011;37(4):532–40.
[8] Shor P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput 1997;26(5):1484–509.
[9] Lyubashevsky V, Micciancio D. Asymptotically efficient lattice-based digital signatures. In: TCC; 2008. p. 37–54.
[10] Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: STOC; 2008. p. 197–206.
[11] Cash D, Hofheinz D, Kiltz E, Peikert C. Bonsai trees, or how to delegate a lattice basis. In: Proceedings of advances in cryptology-EUROCRYPT 2010. LNCS. Springer-Verlag; 2010. p. 523–52.
[12] Agrawal S, Boneh D, Boyen X. Efficient lattice (H)IBE in the standard model. In: Proceedings of advances in cryptology-EUROCRYPT 2010. LNCS. Springer-Verlag; 2010. p. 553–72.
[13] Gentry C. Fully homomorphic encryption using ideal lattices. In: STOC; 2009. p. 169–78.
[14] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. In: Proceedings of advances in cryptology-EUROCRYPT 2010. LNCS. Springer-Verlag; 2010. p. 1–23.
[15] Anderson R. Two remarks on public key cryptology (invited lecture). In: Proceedings of the 1997 ACM conference on computer and communications security, Zurich, Switzerland. ACM; 1997. p. 135–47.
[16] Bellare M, Miner S. A forward-secure digital signature scheme. In: Proceedings of the 19th annual international cryptology conference. LNCS, vol. 1666. Santa Barbara, California: Springer-Verlag; 1999. p. 431–48.
[17] Abdalla M, Reyzin L. A new forward-secure digital signature scheme. In: Proceedings of advances in cryptology-ASIACRYPT 2000. LNCS, vol. 1976. Springer-Verlag; 2000. p. 116–29.
[18] Itkis G, Reyzin L. Forward-secure signatures with optimal signing and verifying. In: Proceedings of advances in cryptology-CRYPTO 2001. LNCS, vol. 2139. Springer-Verlag; 2001. p. 499–514.
[19] Kozlov A, Reyzin L. Forward-secure signatures with fast key update. In: Proceedings of security in communication networks 2002. LNCS, vol. 2576. Springer-Verlag; 2002. p. 247–62.
[20] Malkin T, Micciancio D, Miner S. Efficient general forward-secure signatures with an unbounded number of time periods. In: Proceedings of advances in cryptology-EUROCRYPT 2002. LNCS, vol. 2332. Springer-Verlag; 2002. p. 400–17.
[21] Yao D, Fazio N, Dodis Y, Lysyanskaya A. ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption. In: Proceedings of the ACM conference on computer and communications security; 2004. p. 354–63.
[22] Boyen X, Shacham H, Shen E, Waters B. Forward-secure signatures with untrusted update. In: The 13th ACM conference on computer and communication security. ACM Press; 2006. p. 191–200.
[23] Yu J, Kong F, Cheng X, Hao R, Fan J. Forward-secure identity-based public-key encryption without random oracle. Fundam Inform 2011;111(2):241–56.
[24] Chen X, Zhang F, Tian H, Wei B, Kim K. Discrete logarithm based chameleon hashing and signatures without key exposure. Comput Electr Eng 2011;37(4):614–23.
[25] Liu Y, Yin X, Qiu L. ID-based forward secure signature scheme from the bilinear pairings. In: 2008 International symposium on electronic commerce and security. IEEE Computer Society; 2008. p. 179–83.
[26] Yu J, Hao R, Kong F, Cheng X, Fan J, Chen Y. Forward-secure identity-based signature: security notions and contribution. Inform Sci 2011;181(3):648–60.
[27] Ebri N, Baek J, Shoufan A. Forward-secure identity-based signature: new generic constructions and their applications. J Wireless Mob Netw, Ubiquitous Comput Dependable Appl 2013;4(1):32–54.
[28] Singh K, Pandurangan C, Banerjee A. Lattice based forward-secure identity based encryption scheme with shorter ciphertext. J Internet Services Inform Secur (JISIS) 2013;3(1/2):5–19.
[29] Agrawal S, Boneh D, Boyen X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Proceedings of advances in cryptology-CRYPTO 2010. LNCS, vol. 62. Springer-Verlag; 2010. p. 98–115.
[30] Ajtai M. Generating hard instances of the short basis problem. In: Proceedings of automata, languages and programming ICALP 1999. LNCS, vol. 1644. Prague, Czech Republic: Springer-Verlag; 1999. p. 1–9.
[31] Micciancio D, Goldwasser S. Complexity of lattice problems: a cryptographic perspective, vol. 671. Boston: Kluwer Academic Publishers; 2002.
[32] Alwen J, Peikert C. Generating shorter bases for hard random lattices. In: Proceedings of the 26th international symposium on theoretical aspects of computer science, Freiburg, Germany; 2009. p. 75–86.
[33] Rückert M. Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. In: PQCrypto 2010. LNCS, vol. 6061. Springer-Verlag; 2010.
[34] Liu Z, Hu Y, Zhang X, Li F. Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model. Secur Commun Netw 2013;6:69–77.

Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University, P.R. China, in 2009 and his M.Sc. degree in pure mathematics at Guangxi University in 2012. He is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). He is a student member of the Chinese Association for Cryptologic Research (CACR). He is presently engaged in cryptography, network security and cloud computing security.

Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, P.R. China, in 1985, 1988 and 2004 respectively. She is presently engaged in information security, cloud computing security and cryptography as a professor at the University of Electronic Science and Technology of China (UESTC).

Chunhua Jin received her B.Sc. degree in telecommunication at Northwestern Polytechnical University, P.R. China, in 2007 and her M.Sc. degree at Xidian University in 2011. She is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). She is presently engaged in cryptography, network security and cloud computing security.

Run Xie received his M.Sc. degree in mathematics and applied mathematics at Southwest Jiaotong University, P.R. China, in 2006. He is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.