Research Article  Open Access
Jianhua Yan, Licheng Wang, Lihua Wang, Yixian Yang, Wenbin Yao, "Efficient LatticeBased Signcryption in Standard Model", Mathematical Problems in Engineering, vol. 2013, Article ID 702539, 18 pages, 2013. https://doi.org/10.1155/2013/702539
Efficient LatticeBased Signcryption in Standard Model
Abstract
Signcryption is a cryptographic primitive that can perform digital signature and public encryption simultaneously at a significantly reduced cost. This advantage makes it highly useful in many applications. However, most existing signcryption schemes are seriously challenged by the booming of quantum computations. As an interesting stepping stone in the postquantum cryptographic community, two latticebased signcryption schemes were proposed recently. But both of them were merely proved to be secure in the random oracle models. Therefore, the main contribution of this paper is to propose a new latticebased signcryption scheme that can be proved to be secure in the standard model.
1. Introduction
In many situations, we need to simultaneously realize confidentiality, integrity, authentication, and nonrepudiation. There are generally two approaches to accomplish this task: the signaturethenencryption approach and signcryption proposed by Zheng [1]. Compared with the former, signcryption can perform both signature and encryption simultaneously at a lower cost. Hence, the signcryption scheme is more appropriate in many environments such as smart cards, mobile communications, and electronic commerce. Up to date, many efficient signcryption schemes [2–6] have been designed based on various assumptions in number theory. However, the cryptography based on number theory has been seriously challenged due to the booming of quantum computation. Under this situation, many researchers make efforts to probe new cryptosystems based on new security fundamentals, such as quantum cryptography [7–9], chaos cryptography [10, 11], DNA cryptography [12], and so forth. However, as far as we know, there is no efficient signcryption schemes based on these new fundamentals. Therefore, we have to pay our attention to another new upsurging branch of modern cryptography—postquantum cryptography, including latticebased cryptography, codebased cryptography, hashbased cryptography, and multivariate cryptography [13].
Recently, Li et al. [14] (LMK12) and Wang et al. [15] (WHW12) have succeeded in designing signcryption schemes based on lattice. Latticebased cryptography has been regarded as the most attractive option for resisting quantum attacks. Meanwhile, it has many important advantages. Firstly, the security of latticebased cryptography is based on worstcase hardness of lattice problems, while the previous cryptography constructed on number theory is based on averagecase hardness. Secondly, the main operations in a latticebased cryptographic scheme are addition and multiplications over a moderate modulus (say not larger than). Thus, taking a longterm look, latticebased cryptosystems can be performed extremely rapid, compared to the currently used cryptosystems (such as RSA) in which the exponentiations over a huge modulus (say not less than) are always involved.
However, both of Li et al.’s scheme and Wang et al.’s scheme are merely proved to be secure in the random oracle model. After the publication of Canetti’s critical statement on provable security reduction based on random oracles (ROMs) [16], it is always an interesting practice to design/prove cryptographic schemes that are not based on ROMs. In this paper, we construct a latticebased signcryption scheme and present its security reductions without using ROMs. Our original ideas can be formulated as follows. The lattice generated by [17] has advantages in small trapdoor and small public key, but its public key encryption scheme can only achieve CCA1 security. The challenger cannot reply the decryption queries for the ciphertext with the first tupleidentical to the first tuplein the challenge ciphertext in phase two. Moreover, the ciphertext of [17] is malleable. One of the typical methods for transforming an encryption scheme from CCA1 to CCA2 is to make use of a one time strongly unforgeable signature to ensure the nonmalleability of ciphertexts. However, this method will increase the ciphertext length and encryption/decryption time. We setto be the hash valuewhereis a random number butis the signature generated in the signcryption process. The domain ofis big enough such that the probability that the first tuple in the ciphertext generated normally is equal tois negligible. Hence, the challenger can reply the decryption queries in phase two. Further, we use CCA security of the symmetric encryption and collision resistance of hash functionto prevent the malleability of ciphertext. In the proving process, the hash functioncan be replaced with a chameleon hash function, so the challenger can generateto form challenge ciphertext. If there exists an adversary who can forge a valid ciphertext, he/she can find a collision of. The probability for the above event is negligible according to [18], so our signcryption scheme can achieve CCA2 security. The strong unforgeability of the signcryption can be obtained by the strong unforgeability of the original signature. In summary, the proposed scheme is(i)indistinguishable against inner adaptively chosen ciphertext attacks (INDCCA2) under the learning with errors (LWE) assumption in the standard model,(ii)strongly unforgeable against inner adaptively chosen message attacks (SUFCMA) under small integer solution (SIS) assumption in the standard model.
Here, the term “inner” means that in the INDCCA2 (resp., SUFCMA) game, the sender (resp., receiver) who possesses the signing (resp., decryption) key is allowed to launch the corresponding attacks. Apparently, an “inner” attacker is much stronger than outer ones. Thus, the inner security of our proposal also implies its outer security. In addition, our scheme has the advantages both in computational cost and in public/private keys size. That is, our main contribution can be summarized in Table 1. In order to make the trapdoors to be consistent, we construct a chameleon hash function by using the new trapdoor technique of [17], that may be of independent interest. In fact, our chameleon hash function is similar with the one in [19]. Although the chameleon hash function in [19] can be used in our scheme, it will lead to use two different kinds trapdoors technique and reduce efficiency.
The rest of this paper is organized as follows. In Section 2, the necessary preliminaries on latticebased cryptographic assumptions and algorithms are introduced. In Section 3, the security models of signcryption, including the INDCCA2 game and SUFCMA game, are reviewed. In Section 4, the main contribution, that is, the proposed latticebased signcryption scheme is presented in detail, followed by the proof on its consistency. The security proofs are given in Section 5 and the performance comparisons are given in Section 6. Finally, the concluding remarks are given in Section 7.
2. Preliminaries
Throughout this paper, we denote the set of integers by, residue classby, the real numbers byand real intervalby. The expression(resp.,) denotes vectors space on(resp.,) in which every vector haselements. Similarly, the expression(resp.,) denotes matrice space on(resp.,) in which every matrix hasrows andcolumns. We denote the setby, for an integer. The symbol “” denotes strings concatenation operators and “” denotes matrice concatenation operators. The vectors are denoted by lowercase and bold letters (e.g.,), matrices by uppercase and bold letters (e.g.,), and the GramSchmidt orthogonalization ofby. The order for a matrix’s column vectors can be interchangeable. The functiondenotes the largest singular value of a matrix. For a given distributionover space, we useto denote thatis picked at random from the spaceaccording to the distribution. If the sampling spaceis specified from the context, we also simply useorto denote the same meaning. Also, we useto denote thatis picked at random from the spaceaccording to the uniform distribution.
2.1. Lattice and Gaussian Distribution
Definition 1 (Lattice). Andimensional latticeis a discrete additive subgroup of(). Formally, letbelinearly independent vectors. The lattice generated byis whereis called a basis for. In many cryptographic applications, a particular family which is calledary integer lattices is frequently used. For positive integers(=) andand matrix, theary lattices are defined by
For integersand, some probability distributionoverand a vector,is defined as the distribution ofon, whereandare chosen uniformly fromand, respectively.
Definition 2 (Learning with Errors (LWE) [23]). For an integerand a distributionon, the target of learning with errorsis to distinguish with nonnegligible probability between the distributionand the uniform distribution onby accessing the oracle for the given distribution, where.
For,is defined as the distribution onof a normal variable with meanand standard deviation, reduced modulo. When normal variableobeys distribution,is the discretized normal distribution onof random variable, wheredenotes rounding.
Proposition 3 (hardness of LWE [23]). Letandbe a prime to satisfy. If there is an efficient (possibly quantumn) algorithm that can solve, then there is an efficient quantum algorithm for approximatingwithinfactors (referring to [24] for its hardness) in the worst case.
Definition 4 (Small Integer Solution (SIS) [18]). Given an integer, a realand a matrix, the goal ofis to find a nonzero integer vectorto satisfyand.
Proposition 5 (hardness of SIS Theorem 5.16 [18]). For any polybounded,and for any prime, the averagecase problemis as hard as approximating the SIVP problem (among others) in the worst case to within certainfactors.
Definition 6 (Gaussian measure [18]). Given any vector, and real, let be a Gaussian function aroundwith parameter. Its total measure is. The probability density function of the corresponding continuous Gaussian distribution is defined as When, it is always omitted.
Definition 7 (discrete Gaussian distribution [18]). For any vector, real, and lattice, the distribution is called discrete Gaussian distribution over.
Proposition 8 (Claim 5.3 [23]). Letbe a constant, and letbe an integer. The columns of a uniformly randomgenerate all of, except withprobability.
Proposition 9. Letbe a basis of, whereand the columns ofgenerate. Let.(1)(Theorem 3.1 [20]) Let ; the distribution of is far from the uniform distribution over , and the conditional distribution of given is . (2)(Lemma 4.4 [18])
According to nonasymptotic theory of random matrices [25], we have the following lemma.
Proposition 10 (Lemma 2.9 [17]). For anysubGaussian with parameterrandom matrixand any real, there is a constant, such thatwith at least probability.
2.2. Universal Hashes and Chameleon Hashes
In general, we hope a hash function used in cryptographic schemes to be collision resistant. But in our construction, we need further assumptions on involved hashes. One is universal property and another is the socalled Chameleon property.
Definition 11 (universal hash functions [26]). We say that a family of hash functionsis universal if for every distinct pair,holds.
In addition, a kind of specifical hash named chameleon hash introduced by Krawczyk and Rabin [27] is used in our work. The chameleon hash functions have the following four properties: (1) efficient forward computation, (2) standard collisionresistance property, (3) uniformity property, and (4) chameleon property. We will construct a chameleon hash family based on the latticetrapdoor technique given in [17] and prove it has the above properties in Section 4.1; hence we do not describe these properties here in detail.
2.3. Related Algorithms for Inverting and Sampling
Micciancio and Peikert [17] proposed new, simpler, easytoimplement and more efficient methods to generate and utilize “strong trapdoors” in cryptographic lattices. These methods include specialized algorithms for inverting LWE, which are important for encryption and signature.
Firstly, we introduce the related matrices. Let,. Define matrixas The matrixcan be easily constructed in the following two cases: (1) whenis a power of 2, let,forand; (2) whenis not a power of 2,is theth bit of. In the former,and in the latterby Lemma 4.3 of [17]. It can be verified thatis a basis for.
Let. Giventhere exist efficient algorithms to findandsuch that, when. There are two cases for:is a power ofor not. In the former case, Algorithm 1 can finish this task.

In the latter case, the above algorithm can work, but the interval for error vectorneeds to be changed into. For convenience, the algorithm for the latter case is also called InvertG.
The primitive vectorand the corresponding latticebasiscan be used to construct paritycheck matrixand matrixas follows. It follows thatis a primitive matrix, andis a basis for lattice:
Definition 12. Given matricesandand invertible matrixfor positive integers, ifandis small enough,is called atrapdoor ofcorresponding to.
Given a functionwith suitably small, an efficient oraclefor invertingcan be achieved by calling Algorithm 1 fortimes.
Given an LWE instancewith suitably smalland thetrapdoorwith corresponding matrix, Algorithm 2 can recoverand.

Finally, we recall the algorithms, denoted by SampleD and due to Peikert [28], for sampling from Gaussian distribution with short basis.
The mechanism of [17] for generating a trapdoor is different from that of [29]. As a result, it uses a new algorithm but also named SampleD to sample from a discrete Gaussian overin [17], in which Algorithm 3 is called. It is used in signature and delegation. For distinction, let us call it SampleDG. The reader can refer to Theorem 5.5 of [17] for the correctness (Algorithm 4).


3. Signcryption: Primitive and Security Models
Signcryption was invented in 1996 but was first disclosed to the public at CRYPTO 1997 [1]. Signcryption is a public key cryptographic method that achieves unforgeability and confidentiality simultaneously with significantly smaller overhead than that required by “digital signature followed by public key encryption.” It does this by signing and encrypting a message in a single step, fulfilling a cryptographer’s dream to “kill two birds with one stone” [1, 3]. Signcryption techniques are now a global standard for data protection [30].
The primitive of signcryption provides confidentiality of the message against all entities except the intended receiver and meanwhile it provides the authenticity of the sender (i.e., the signer) for the intended receiver. It is clear that the authenticity embedded in the signcryption primitive is unidirectional, instead of bidirectional. In particular, if an intended receiver can forge a signature on behalf of some signer, he/she can plant some false evidence against the signer and then encrypt the signature for himself/herself. By doing so, the singer is incriminated. Therefore, in considering the security of signcryption, we should take into account the orthogonal combination of two kinds of attackers (i.e., inner attackers and outer attackers) and two protection goals (i.e., unforgeability and confidentiality). In 2005, Dent [31, 32] gave comprehensive elaborations on the inner security and outer security of signcryption. With the purpose of providing a handy consult for the security reduction given latter, we give a review on the security models of signcryption from LMK12 [14], in which we merely formulated the security models against inner attacker because in general an inner attacker is much stronger than an outer ones.
Definition 13 (signcryption). A signcryption scheme consists of the following four algorithms.(i): this is an initialization algorithm that should be executed only once by any honest user in the system. It takes as input the security parameterand outputs the public parametersthat are shared by all users in the system.(ii): this is a key generation algorithm that should be executed by each user only once. It takes as inputs the security parameteras well as the public parametersand outputs the public/private key pairwherewill be published publicly whilewill be kept known only to the user himself/herself. (In sequel, let us assume that the sender’s public/private key pair is, while the receiver’s is.)(iii): this is a signcryption algorithm that should be executed by a senders whenever he/she wants to send a message to someone. It takes as inputs a message, the intended receiver’s public keyand the sender’s public/private key pairand outputs a signcryption ciphertext.(iv): this is a unsigncryption algorithm that should be executed by a receiver. It takes as inputs a signcryption ciphertextand the receiver’s public/private key pair, as well as the sender’s public key, and outputs a plaintextor.
Definition 14 (consistency of signcryption). We say that a signcryption scheme defined above is consistent if the following probability is exponentially close to 1; that is,is negligible with respect to.
To capture the confidentiality of a signcryption defined above, we need to introduce a game, denoted by Game INDCCA2, between a challengerand an adversaryas follows.
Game INDCCA2(i)Initial:runsalgorithm to produce public parameterand then generates his/her own public/private keysby runningalgorithm. Finally,givesandto.(ii)Phase??1:can perform polynomially bounded unsigncryption queries in an adaptive manner andresponds accordingly. More precisely,’s query is specified by a tripleand’s responds with the corresponding plaintextifis a valid signcryption ciphertext with respect to the receiver’s public keyand sender’s public keyorotherwise.(iii)Challenge:chooses two equal length plaintextsand sendsto, andtosses a fair coinand sets. Finally,sendsthe challenged signcryption ciphertext.(iv)Phase??2: phase 1 is repeated with the restriction thatis not allowed to ask unsigncryption query on triple.(v)Guess:outputs a bitas his/her guessing on.
Then, the advantage ofto win Game INDCCA2 is defined as.
Definition 15 (confidentiality of signcryption). A signcryption scheme is said to be indistinguishable against inner chosen ciphertext attacks (INDCCA2), if there is no probabilistic polynomial time adversary that can win Game INDCCA2 with nonnegligible advantage.
To capture the (strong) unforgeability of a signcryption defined above, we need to introduce another game, denoted by Game SUFCMA, between a challengerand a forgeryas follows.
Game SUFCMA(i)Initial:runsalgorithm to produce public parameterand then generates his/her own public/private keysby runningalgorithm. Finally,givesandto.(ii)Singcrypt query:can perform polynomially bounded signcryption queries in an adaptive manner. More precisely,’s query is specified by a pairand’s responds with. (Here,is the intended receiver’s public key and the corresponding private keyis known to. Furthermore,is allowed to either obtainby calling the algorithmor pick them randomly.)(iii)Forgery:outputs a tuplewith the restriction thatnever responds towithfor answering’s signcryption query on.
Then, the advantage ofto win Game SUFCMA is defined as
Definition 16 (strong unforgeability of signcryption). A signcryption scheme is said to be strongly unforgeable against inner adaptively chosen message attacks (SUFCMA), if no probabilistic polynomial time adversary can win Game SUFCMA with nonnegligible advantage.
4. Proposed LatticeBased Signcryption Scheme
In this section, we firstly present a chameleon hash function based on the latticetrapdoor technique given in [17]. Next, based on the signature scheme and the encryption scheme given in [17], we propose a signcryption scheme. Finally, we prove the consistency of the proposed scheme. Note that, the matricesused in this section are as in Section 2.3.
4.1. Building Block: LatticeBased Chameleon Hash Functions
According to [33, 34], we know that by using a chameleon hash function, one can transfer an SUFSMA secure signature scheme to an SUFCMA secure one. To guarantee the consistency of the proposed scheme, we need to construct a chameleon hash function based on latticebased trapdoors of given in [17]. In fact, it is a analogue to the scheme based on the trapdoors given in [29].
Let,,, andbe integers. Let integerbe message length. For matrices,, andand invertible matrixconstructand. Letbe a Gaussian parameter satisfyingsuggested by [17]. Define a message spaceand random space(then, for,holds with overwhelming probability according to Proposition 9 items (2)) and. Forand, using matrixdefine hash functionas
Lemma 17. The family(under the uniform distribution over) is a family of chameleon hash functions, assuming the hardness offor.
Proof. It is enough to prove the hash familyhas the four properties described in Section 2.2.
For efficient forward computation. Clearly, given a messageand, eachis efficiently computable.
For collisionresistance property. Assuming that it is easy to find a collisionfor, thenis a solution for, and according to the triangle inequality, we have that. It implies thatis also a solution for the instanceof. This contradicts the hardness offor. Therefore, the hash family is collisionresistant.
For uniformity property, we first show the matrixis uniform. The matrixis uniform, sois also uniform whenisfar from uniform (cf. Section 6.2 of [17]). On the other hand, the matrixis fixed whenis fixed. Consequently, the matrixisfar from uniform. On the other hand,is uniform; henceisfar from uniform. It is clear that given anyandand each matrixgenerated as above, the distribution ofis negligible far from the uniform distribution overby Proposition 9 items (1).
For chameleon property. Givenand, one withtrapdoorcan easily findsatisfyingas follows: compute, and then sample preimage.
Lemma 18. The above chameleon hash family is universal; for every distinctand distinct,
Proof. Assuming that, it follows that. Whenis fixed, the vectoris a fixed element in.
The matrixis uniform as described above. For,, the columns ofgeneratewith overwhelming probability by Proposition 8. In addition,and, whereis as in Section 2.3.
It follows thatis uniform over(up to negligible statistical distance) by Proposition 9 items (1). Consequently,. In other words,.
4.2. Signcryption Scheme
In [17], Micciancio and Peikert gave a special collector (MP collector) that maps elements from a certain ringinto matricesas required by their trapdoor construction. Let us call it MP Collector and denote it by. Given a monic degreeirreducible polynomial, a ring can be defined asand the elements ofcan be represented as vectors inrelative to the standard basis of monomials. Now, given a ring element,can be constructed as follows: for, whereis theth column of. Clearly,has the following properties. Firstly,is a ring homomorphism, namely,for. Secondly, multiplication by a ring elementcan be represented by the matrix; furthermore, the product coefficients vector equals, whereis theth column ofandis theth coefficient of ring element. Thirdly,if and only ifis a unit of, whereis a group composed of the invertible elements in. Finally, the ringhas “units difference” property, namely, for anydenotes the units set in,.
Our signcryption scheme consists of the following four algorithms. Note that we also adopt a symmetrical encryption scheme(with keyspace, encryption algorithmand decryption algorithm) in our construction.(i): Suppose the security parameter is. Then, the the public parametersfor the system can be specified as follows.(1)is the matrix as defined in Section 2.3, whereis a prime power and is large enough (cf. [17]).(2).(3),,and suitable.(4)is an LWE error rate, such that.(5).(6)A monic degreeirreducible polynomialand a ring defined as.(7)4 hash functions:(a)is a collisionresistant hash function, where;(b)is a universal hash function;(c)is chosen from a universal family, whereis a matrix in. More precisely,, and(resp.,) has the same distribution with(resp.,) described in Section 4.1 (note that the elements incan be represented by vectors in);(d)is a universal hash function with suitably specified.(8)An ordered matrix setwherefor.(9)is the Gaussian parameter for signature.(10)An arbitary basisfor.(11)MP Collector.(ii): any user can generate his/her public keyand private keyas follows.(a)Sampleand;(b)Evaluate;(c)Letand.(iii): a sender with public/private key paircan send a signcryption ciphertexton some messageto a receiver with public keyas follows.(1)Sign messageto obtain, as follows.(a)Compute,and then build ?whereis the binary representation of.(b)Construct chameleon hash function according to the method in Section 4.1. Concretely, replacewith, arbitrarycolumns of,, respectively. The others are invariant. The hash function is denoted as.(c)Sample.(d)Compute.(e)Sampleand compute.(f)SampleSampleDG, whereis identity matrix.(g)Let.(2)Parsesuch thatand denote the remainder as.(3)Compute.(4)Encryptas follows.(a)Sampleand evaluate.(b)Sample, and let.(c)Sample, then computeand construct.(d)Encodeas.(e)Choose a vectoruniformly and let (5)Encryptas follows.(a)Let.(b)Let(6)Output the signcryption ciphertext.(iv): upon receiving a signcryption ciphertextfrom a sender with the public key, the receiver with the private keyperforms the following steps.(1)Decryptto achieveas follows.(a)If, outputand then abort; otherwise continue.(b)Callto obtain, whereand.(c)Iforoutputand abort; otherwise continue.(d)Letand then parseas.(e)If, outputand abort; otherwise, continue.(f)Let.(2)Decryptas follows.(a)Compute.(b)Compute.(3)Check the integrity of ciphertext as follows.(a)Obtainby composing, and then compute.(b)Ifoutputand abort; otherwise, continue.(c)Ifoutputand abort; otherwise, continue.(4)Verifying the sender’s authenticity as follows.(a)Computeand then build, whereis the binary representation of.(b)Ifoutputand abort; otherwise, continue.(c)Compute.(d)Ifthen output; otherwise, output.
4.3. Consistency and Unsigncryption Error
Theorem 19 (consistency). The above signcryption scheme can unsigncrypt correctly withprobability.
Proof. We analyze the procedure along the unsigncryption algorithm, when a valid ciphertextis input to the unsigncryption.
Firstly, we demonstrate that the correctcan be obtained with overwhelming probability in step (1) of unsigncryption.(i)Firstly, let us prove that after calling, the probability ofis overwhelming, whereis the vector used in Signcrypt algorithm. At first, we need to show that this calling can work; that is,is atrapdoor for. For convenience, let. Becauseis a basis of, there must exist a matrixsuch that. As a result,
?Clearly, theis the form offor some; namely,is atrapdoor for. As a result, a vectorcan be returned. We next demonstrate the probability that the probability foris overwhelming by calling(Algorithm 2). Clearly, if theincan return desired value,can obtain desired. The oracleis realized by calling InvertG (Algorithm 1); consequently, it only needs to prove the constraint condition is satisfied, that is, the error vector, referring to Section 2.3 for the definition of. Because,for, it follows thatandexcept with probabilityby Proposition 9 items (2). When the parameters are set as in Setup and the sender’s public/private keys are produced as in KeyGen, it follows that the maximum singular value forsatisfiesexcept probabilityaccording to Proposition 10. Let; it follows thatexcept probability, becauseis large enough.(ii)Secondly, when the correctis obtained, the test in step (c) can be passed and the analysis is included in the above proof.(iii)Thirdly, in step (e), for, it follows thatas desired.(iv)Finally, in step (f),; as a result,andare in the identical coset, so the decryption can obtainexactly.
Next, after obtaining correctandvia step (1), we get the correct key used for symmetrical encryption, so we can obtain correctin step (2), and the verification for hash values in step (3) can be passed.
Finally, let us analyze step (4). Specifically, we prove that the signature verification can be passed with overwhelming probability. By now, we have got correctthat is a signature for, and we only need to prove that it is valid. First, we evaluate the probability for., whereis obtained by calling the algorithm SampleDG. It is known by SampleDG thatandwith probabilityby Proposition 9 items (2). On the other hand,with probabilityby the same lemma. Therefore,with probability. Second,
Consequently, the signature is valid with probability.
5. Security Proofs
Before giving the proofs on the confidentiality and unforgeability of the proposed scheme, we need at first to prove the following lemma.
Lemma 20. For a given unit, if,, andis a signature obtained in step (1) of the Signcrypt algorithm, then the probability foris negligible. More precisely,.
Proof. We first evaluate the number of units in the above ring. As defined in [17], the monic degreepolynomialis irreducible modulo every primedividing. Becauseis irreducible,is maximum ideal and