Mathematical Problems in Engineering

Volume 2013 (2013), Article ID 702539, 18 pages

http://dx.doi.org/10.1155/2013/702539

## Efficient Lattice-Based Signcryption in Standard Model

^{1}State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China^{2}School of Information and Electric Engineering, Ludong University, Yantai 264025, China^{3}Network Security Research Institute, National Institute of Information and Communications Technology, 4-2-1 Nukui-Kitamachi, Koganei-shi, Tokyo 184-8795, Japan

Received 25 June 2013; Revised 26 August 2013; Accepted 27 August 2013

Academic Editor: Wang Xing-yuan

Copyright © 2013 Jianhua Yan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Signcryption is a cryptographic primitive that can perform digital signature and public encryption simultaneously at a significantly reduced cost. This advantage makes it highly useful in many applications. However, most existing signcryption schemes are seriously challenged by the booming of quantum computations. As an interesting stepping stone in the post-quantum cryptographic community, two lattice-based signcryption schemes were proposed recently. But both of them were merely proved to be secure in the random oracle models. Therefore, the main contribution of this paper is to propose a new lattice-based signcryption scheme that can be proved to be secure in the standard model.

#### 1. Introduction

In many situations, we need to simultaneously realize confidentiality, integrity, authentication, and non-repudiation. There are generally two approaches to accomplish this task: the signature-then-encryption approach and signcryption proposed by Zheng [1]. Compared with the former, signcryption can perform both signature and encryption simultaneously at a lower cost. Hence, the signcryption scheme is more appropriate in many environments such as smart cards, mobile communications, and electronic commerce. Up to date, many efficient signcryption schemes [2–6] have been designed based on various assumptions in number theory. However, the cryptography based on number theory has been seriously challenged due to the booming of quantum computation. Under this situation, many researchers make efforts to probe new cryptosystems based on new security fundamentals, such as quantum cryptography [7–9], chaos cryptography [10, 11], DNA cryptography [12], and so forth. However, as far as we know, there is no efficient signcryption schemes based on these new fundamentals. Therefore, we have to pay our attention to another new upsurging branch of modern cryptography—post-quantum cryptography, including lattice-based cryptography, code-based cryptography, hash-based cryptography, and multivariate cryptography [13].

Recently, Li et al. [14] (LMK12) and Wang et al. [15] (WHW12) have succeeded in designing signcryption schemes based on lattice. Lattice-based cryptography has been regarded as the most attractive option for resisting quantum attacks. Meanwhile, it has many important advantages. Firstly, the security of lattice-based cryptography is based on worst-case hardness of lattice problems, while the previous cryptography constructed on number theory is based on average-case hardness. Secondly, the main operations in a lattice-based cryptographic scheme are addition and multiplications over a moderate modulus (say not larger than). Thus, taking a long-term look, lattice-based cryptosystems can be performed extremely rapid, compared to the currently used cryptosystems (such as RSA) in which the exponentiations over a huge modulus (say not less than) are always involved.

However, both of Li et al.’s scheme and Wang et al.’s scheme are merely proved to be secure in the random oracle model. After the publication of Canetti’s critical statement on provable security reduction based on random oracles (ROMs) [16], it is always an interesting practice to design/prove cryptographic schemes that are not based on ROMs. In this paper, we construct a lattice-based signcryption scheme and present its security reductions without using ROMs. Our original ideas can be formulated as follows. The lattice generated by [17] has advantages in small trapdoor and small public key, but its public key encryption scheme can only achieve CCA1 security. The challenger cannot reply the decryption queries for the ciphertext with the first tupleidentical to the first tuplein the challenge ciphertext in phase two. Moreover, the ciphertext of [17] is malleable. One of the typical methods for transforming an encryption scheme from CCA1 to CCA2 is to make use of a one time strongly unforgeable signature to ensure the nonmalleability of ciphertexts. However, this method will increase the ciphertext length and encryption/decryption time. We setto be the hash valuewhereis a random number butis the signature generated in the signcryption process. The domain ofis big enough such that the probability that the first tuple in the ciphertext generated normally is equal tois negligible. Hence, the challenger can reply the decryption queries in phase two. Further, we use CCA security of the symmetric encryption and collision resistance of hash functionto prevent the malleability of ciphertext. In the proving process, the hash functioncan be replaced with a chameleon hash function, so the challenger can generateto form challenge ciphertext. If there exists an adversary who can forge a valid ciphertext, he/she can find a collision of. The probability for the above event is negligible according to [18], so our signcryption scheme can achieve CCA2 security. The strong unforgeability of the signcryption can be obtained by the strong unforgeability of the original signature. In summary, the proposed scheme is(i)indistinguishable against *inner* adaptively chosen ciphertext attacks (IND-CCA2) under the learning with errors (LWE) assumption in the standard model,(ii)strongly unforgeable against *inner* adaptively chosen message attacks (SUF-CMA) under small integer solution (SIS) assumption in the standard model.

Here, the term “inner” means that in the IND-CCA2 (resp., SUF-CMA) game, the sender (resp., receiver) who possesses the signing (resp., decryption) key is allowed to launch the corresponding attacks. Apparently, an “inner” attacker is much stronger than outer ones. Thus, the inner security of our proposal also implies its outer security. In addition, our scheme has the advantages both in computational cost and in public/private keys size. That is, our main contribution can be summarized in Table 1. In order to make the trapdoors to be consistent, we construct a chameleon hash function by using the new trapdoor technique of [17], that may be of independent interest. In fact, our chameleon hash function is similar with the one in [19]. Although the chameleon hash function in [19] can be used in our scheme, it will lead to use two different kinds trapdoors technique and reduce efficiency.

The rest of this paper is organized as follows. In Section 2, the necessary preliminaries on lattice-based cryptographic assumptions and algorithms are introduced. In Section 3, the security models of signcryption, including the IND-CCA2 game and SUF-CMA game, are reviewed. In Section 4, the main contribution, that is, the proposed lattice-based signcryption scheme is presented in detail, followed by the proof on its consistency. The security proofs are given in Section 5 and the performance comparisons are given in Section 6. Finally, the concluding remarks are given in Section 7.

#### 2. Preliminaries

Throughout this paper, we denote the set of integers by, residue classby, the real numbers byand real intervalby. The expression(resp.,) denotes vectors space on(resp.,) in which every vector haselements. Similarly, the expression(resp.,) denotes matrice space on(resp.,) in which every matrix hasrows andcolumns. We denote the setby, for an integer. The symbol “” denotes strings concatenation operators and “” denotes matrice concatenation operators. The vectors are denoted by lower-case and bold letters (e.g.,), matrices by upper-case and bold letters (e.g.,), and the Gram-Schmidt orthogonalization ofby. The order for a matrix’s column vectors can be interchangeable. The functiondenotes the largest singular value of a matrix. For a given distributionover space, we useto denote thatis picked at random from the spaceaccording to the distribution. If the sampling spaceis specified from the context, we also simply useorto denote the same meaning. Also, we useto denote thatis picked at random from the spaceaccording to the uniform distribution.

##### 2.1. Lattice and Gaussian Distribution

*Definition 1 (Lattice). *An-dimensional latticeis a discrete additive subgroup of(). Formally, letbelinearly independent vectors. The lattice generated byis
whereis called a basis for. In many cryptographic applications, a particular family which is called-ary integer lattices is frequently used. For positive integers(=) andand matrix, the-ary lattices are defined by

For integersand, some probability distributionoverand a vector,is defined as the distribution ofon, whereandare chosen uniformly fromand, respectively.

*Definition 2 (Learning with Errors (LWE) [23]). *For an integerand a distributionon, the target of learning with errorsis to distinguish with nonnegligible probability between the distributionand the uniform distribution onby accessing the oracle for the given distribution, where.

For,is defined as the distribution onof a normal variable with meanand standard deviation, reduced modulo. When normal variableobeys distribution,is the discretized normal distribution onof random variable, wheredenotes rounding.

Proposition 3 (hardness of LWE [23]). *Letandbe a prime to satisfy. If there is an efficient (possibly quantumn) algorithm that can solve, then there is an efficient quantum algorithm for approximatingwithinfactors (referring to [24] for its hardness) in the worst case.*

*Definition 4 (Small Integer Solution (SIS) [18]). *Given an integer, a realand a matrix, the goal ofis to find a nonzero integer vectorto satisfyand.

Proposition 5 (hardness of SIS Theorem 5.16 [18]). *For any polybounded,and for any prime, the average-case problemis as hard as approximating the SIVP problem (among others) in the worst case to within certainfactors.*

*Definition 6 (Gaussian measure [18]). *Given any vector, and real, let
be a Gaussian function aroundwith parameter. Its total measure is. The probability density function of the corresponding continuous Gaussian distribution is defined as
When, it is always omitted.

*Definition 7 (discrete Gaussian distribution [18]). *For any vector, real, and lattice, the distribution
is called discrete Gaussian distribution over.

Proposition 8 (Claim 5.3 [23]). *Letbe a constant, and letbe an integer. The columns of a uniformly randomgenerate all of, except withprobability.*

Proposition 9. *Letbe a basis of, whereand the columns ofgenerate. Let.*(1)*(Theorem **3.1 [20]) Let **; the distribution of **is **-far from the uniform distribution over **, and the conditional distribution of **given **is **. *(2)*(Lemma **4.4 [18]) *

According to nonasymptotic theory of random matrices [25], we have the following lemma.

Proposition 10 (Lemma 2.9 [17]). *For any-sub-Gaussian with parameterrandom matrixand any real, there is a constant, such thatwith at least probability.*

##### 2.2. Universal Hashes and Chameleon Hashes

In general, we hope a hash function used in cryptographic schemes to be collision resistant. But in our construction, we need further assumptions on involved hashes. One is universal property and another is the so-called Chameleon property.

*Definition 11 (universal hash functions [26]). *We say that a family of hash functionsis universal if for every distinct pair,holds.

In addition, a kind of specifical hash named chameleon hash introduced by Krawczyk and Rabin [27] is used in our work. The chameleon hash functions have the following four properties: (1) efficient forward computation, (2) standard collision-resistance property, (3) uniformity property, and (4) chameleon property. We will construct a chameleon hash family based on the lattice-trapdoor technique given in [17] and prove it has the above properties in Section 4.1; hence we do not describe these properties here in detail.

##### 2.3. Related Algorithms for Inverting and Sampling

Micciancio and Peikert [17] proposed new, simpler, easy-to-implement and more efficient methods to generate and utilize “strong trapdoors” in cryptographic lattices. These methods include specialized algorithms for inverting LWE, which are important for encryption and signature.

Firstly, we introduce the related matrices. Let,. Define matrixas The matrixcan be easily constructed in the following two cases: (1) whenis a power of 2, let,forand; (2) whenis not a power of 2,is theth bit of. In the former,and in the latterby Lemma 4.3 of [17]. It can be verified thatis a basis for.

Let. Giventhere exist efficient algorithms to findandsuch that, when. There are two cases for:is a power ofor not. In the former case, Algorithm 1 can finish this task.

In the latter case, the above algorithm can work, but the interval for error vectorneeds to be changed into. For convenience, the algorithm for the latter case is also called **InvertG**.

The primitive vectorand the corresponding latticebasiscan be used to construct parity-check matrixand matrixas follows. It follows thatis a primitive matrix, andis a basis for lattice:

*Definition 12. *Given matricesandand invertible matrixfor positive integers, ifandis small enough,is called a-trapdoor ofcorresponding to.

Given a functionwith suitably small, an efficient oraclefor invertingcan be achieved by calling Algorithm 1 fortimes.

Given an LWE instancewith suitably smalland the-trapdoorwith corresponding matrix, Algorithm 2 can recoverand.

Finally, we recall the algorithms, denoted by SampleD and due to Peikert [28], for sampling from Gaussian distribution with short basis.

The mechanism of [17] for generating a trapdoor is different from that of [29]. As a result, it uses a new algorithm but also named SampleD to sample from a discrete Gaussian overin [17], in which Algorithm 3 is called. It is used in signature and delegation. For distinction, let us call it SampleDG. The reader can refer to Theorem 5.5 of [17] for the correctness (Algorithm 4).

#### 3. Signcryption: Primitive and Security Models

Signcryption was invented in 1996 but was first disclosed to the public at CRYPTO 1997 [1]. Signcryption is a public key cryptographic method that achieves unforgeability and confidentiality simultaneously with significantly smaller overhead than that required by “digital signature followed by public key encryption.” It does this by signing and encrypting a message in a single step, fulfilling a cryptographer’s dream to “kill two birds with one stone” [1, 3]. Signcryption techniques are now a global standard for data protection [30].

The primitive of signcryption provides confidentiality of the message against all entities except the intended receiver and meanwhile it provides the authenticity of the sender (i.e., the signer) for the intended receiver. It is clear that the authenticity embedded in the signcryption primitive is unidirectional, instead of bidirectional. In particular, if an intended receiver can forge a signature on behalf of some signer, he/she can plant some false evidence against the signer and then encrypt the signature for himself/herself. By doing so, the singer is incriminated. Therefore, in considering the security of signcryption, we should take into account the orthogonal combination of two kinds of attackers (i.e., inner attackers and outer attackers) and two protection goals (i.e., unforgeability and confidentiality). In 2005, Dent [31, 32] gave comprehensive elaborations on the inner security and outer security of signcryption. With the purpose of providing a handy consult for the security reduction given latter, we give a review on the security models of signcryption from LMK12 [14], in which we merely formulated the security models against inner attacker because in general an inner attacker is much stronger than an outer ones.

*Definition 13 (signcryption). *A signcryption scheme consists of the following four algorithms.(i): this is an initialization algorithm that should be executed only once by any honest user in the system. It takes as input the security parameterand outputs the public parametersthat are shared by all users in the system.(ii): this is a key generation algorithm that should be executed by each user only once. It takes as inputs the security parameteras well as the public parametersand outputs the public/private key pairwherewill be published publicly whilewill be kept known only to the user himself/herself. (In sequel, let us assume that the sender’s public/private key pair is, while the receiver’s is.)(iii): this is a signcryption algorithm that should be executed by a senders whenever he/she wants to send a message to someone. It takes as inputs a message, the intended receiver’s public keyand the sender’s public/private key pairand outputs a signcryption ciphertext.(iv): this is a unsigncryption algorithm that should be executed by a receiver. It takes as inputs a signcryption ciphertextand the receiver’s public/private key pair, as well as the sender’s public key, and outputs a plaintextor.

*Definition 14 (consistency of signcryption). *We say that a signcryption scheme defined above is consistent if the following probability
is exponentially close to 1; that is,is negligible with respect to.

To capture the confidentiality of a signcryption defined above, we need to introduce a game, denoted by **Game IND-CCA2**, between a challengerand an adversaryas follows.

** Game IND-CCA2**(i)Initial:runsalgorithm to produce public parameterand then generates his/her own public/private keysby runningalgorithm. Finally,givesandto.(ii)Phase??1:can perform polynomially bounded unsigncryption queries in an adaptive manner andresponds accordingly. More precisely,’s query is specified by a tripleand’s responds with the corresponding plaintextifis a valid signcryption ciphertext with respect to the receiver’s public keyand sender’s public keyorotherwise.(iii)Challenge:chooses two equal length plaintextsand sendsto, andtosses a fair coinand sets. Finally,sendsthe challenged signcryption ciphertext.(iv)Phase??2: phase 1 is repeated with the restriction thatis not allowed to ask unsigncryption query on triple.(v)Guess:outputs a bitas his/her guessing on.

Then, the advantage ofto win **Game IND-CCA2** is defined as.

*Definition 15 (confidentiality of signcryption). *A signcryption scheme is said to be indistinguishable against inner chosen ciphertext attacks (IND-CCA2), if there is no probabilistic polynomial time adversary that can win **Game IND-CCA2** with nonnegligible advantage.

To capture the (strong) unforgeability of a signcryption defined above, we need to introduce another game, denoted by **Game SUF-CMA**, between a challengerand a forgeryas follows.

** Game SUF-CMA**(i)Initial:runsalgorithm to produce public parameterand then generates his/her own public/private keysby runningalgorithm. Finally,givesandto.(ii)Singcrypt query:can perform polynomially bounded signcryption queries in an adaptive manner. More precisely,’s query is specified by a pairand’s responds with. (Here,is the intended receiver’s public key and the corresponding private keyis known to. Furthermore,is allowed to either obtainby calling the algorithmor pick them randomly.)(iii)Forgery:outputs a tuplewith the restriction thatnever responds towithfor answering’s signcryption query on.

Then, the advantage ofto win **Game SUF-CMA** is defined as

*Definition 16 (strong unforgeability of signcryption). *A signcryption scheme is said to be strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA), if no probabilistic polynomial time adversary can win **Game SUF-CMA** with nonnegligible advantage.

#### 4. Proposed Lattice-Based Signcryption Scheme

In this section, we firstly present a chameleon hash function based on the lattice-trapdoor technique given in [17]. Next, based on the signature scheme and the encryption scheme given in [17], we propose a signcryption scheme. Finally, we prove the consistency of the proposed scheme. Note that, the matricesused in this section are as in Section 2.3.

##### 4.1. Building Block: Lattice-Based Chameleon Hash Functions

According to [33, 34], we know that by using a chameleon hash function, one can transfer an SUF-SMA secure signature scheme to an SUF-CMA secure one. To guarantee the consistency of the proposed scheme, we need to construct a chameleon hash function based on lattice-based trapdoors of given in [17]. In fact, it is a analogue to the scheme based on the trapdoors given in [29].

Let,,, andbe integers. Let integerbe message length. For matrices,, andand invertible matrixconstructand. Letbe a Gaussian parameter satisfyingsuggested by [17]. Define a message spaceand random space(then, for,holds with overwhelming probability according to Proposition 9 items (2)) and. Forand, using matrixdefine hash functionas

Lemma 17. *The family(under the uniform distribution over) is a family of chameleon hash functions, assuming the hardness offor.*

*Proof. *It is enough to prove the hash familyhas the four properties described in Section 2.2.

For efficient forward computation. Clearly, given a messageand, eachis efficiently computable.

For collision-resistance property. Assuming that it is easy to find a collisionfor, thenis a solution for, and according to the triangle inequality, we have that. It implies thatis also a solution for the instanceof. This contradicts the hardness offor. Therefore, the hash family is collision-resistant.

For uniformity property, we first show the matrixis uniform. The matrixis uniform, sois also uniform whenis-far from uniform (cf. Section 6.2 of [17]). On the other hand, the matrixis fixed whenis fixed. Consequently, the matrixis-far from uniform. On the other hand,is uniform; henceis-far from uniform. It is clear that given anyandand each matrixgenerated as above, the distribution ofis negligible far from the uniform distribution overby Proposition 9 items (1).

For chameleon property. Givenand, one with-trapdoorcan easily findsatisfyingas follows: compute, and then sample preimage.

Lemma 18. *The above chameleon hash family is universal; for every distinctand distinct,*

*Proof. *Assuming that, it follows that. Whenis fixed, the vectoris a fixed element in.

The matrixis uniform as described above. For,, the columns ofgeneratewith overwhelming probability by Proposition 8. In addition,and, whereis as in Section 2.3.

It follows thatis uniform over(up to negligible statistical distance) by Proposition 9 items (1). Consequently,. In other words,.

##### 4.2. Signcryption Scheme

In [17], Micciancio and Peikert gave a special collector (MP collector) that maps elements from a certain ringinto matricesas required by their trapdoor construction. Let us call it MP Collector and denote it by. Given a monic degree-irreducible polynomial, a ring can be defined asand the elements ofcan be represented as vectors inrelative to the standard basis of monomials. Now, given a ring element,can be constructed as follows: for, whereis theth column of. Clearly,has the following properties. Firstly,is a ring homomorphism, namely,for. Secondly, multiplication by a ring elementcan be represented by the matrix; furthermore, the product coefficients vector equals, whereis theth column ofandis theth coefficient of ring element. Thirdly,if and only ifis a unit of, whereis a group composed of the invertible elements in. Finally, the ringhas “units difference” property, namely, for anydenotes the units set in,.

Our signcryption scheme consists of the following four algorithms. Note that we also adopt a symmetrical encryption scheme(with keyspace, encryption algorithmand decryption algorithm) in our construction.(i): Suppose the security parameter is. Then, the the public parametersfor the system can be specified as follows.(1)is the matrix as defined in Section 2.3, whereis a prime power and is large enough (cf. [17]).(2).(3),,and suitable.(4)is an LWE error rate, such that.(5).(6)A monic degree-irreducible polynomialand a ring defined as.(7)4 hash functions:(a)is a collision-resistant hash function, where;(b)is a universal hash function;(c)is chosen from a universal family, whereis a matrix in. More precisely,, and(resp.,) has the same distribution with(resp.,) described in Section 4.1 (note that the elements incan be represented by vectors in);(d)is a universal hash function with suitably specified.(8)An ordered matrix setwherefor.(9)is the Gaussian parameter for signature.(10)An arbitary basisfor.(11)MP Collector.(ii): any user can generate his/her public keyand private keyas follows.(a)Sampleand;(b)Evaluate;(c)Letand.(iii): a sender with public/private key paircan send a signcryption ciphertexton some messageto a receiver with public keyas follows.(1)Sign messageto obtain, as follows.(a)Compute,and then build ?whereis the binary representation of.(b)Construct chameleon hash function according to the method in Section 4.1. Concretely, replacewith, arbitrarycolumns of,, respectively. The others are invariant. The hash function is denoted as.(c)Sample.(d)Compute.(e)Sampleand compute.(f)SampleSampleDG, whereis identity matrix.(g)Let.(2)Parsesuch thatand denote the remainder as.(3)Compute.(4)Encryptas follows.(a)Sampleand evaluate.(b)Sample, and let.(c)Sample, then computeand construct.(d)Encodeas.(e)Choose a vectoruniformly and let (5)Encryptas follows.(a)Let.(b)Let(6)Output the signcryption ciphertext.(iv): upon receiving a signcryption ciphertextfrom a sender with the public key, the receiver with the private keyperforms the following steps.(1)Decryptto achieveas follows.(a)If, outputand then abort; otherwise continue.(b)Callto obtain, whereand.(c)Iforoutputand abort; otherwise continue.(d)Letand then parseas.(e)If, outputand abort; otherwise, continue.(f)Let.(2)Decryptas follows.(a)Compute.(b)Compute.(3)Check the integrity of ciphertext as follows.(a)Obtainby composing, and then compute.(b)Ifoutputand abort; otherwise, continue.(c)Ifoutputand abort; otherwise, continue.(4)Verifying the sender’s authenticity as follows.(a)Computeand then build, whereis the binary representation of.(b)Ifoutputand abort; otherwise, continue.(c)Compute.(d)Ifthen output; otherwise, output.

##### 4.3. Consistency and Unsigncryption Error

Theorem 19 (consistency). *The above signcryption scheme can unsigncrypt correctly withprobability.*

*Proof. *We analyze the procedure along the unsigncryption algorithm, when a valid ciphertextis input to the unsigncryption.

Firstly, we demonstrate that the correctcan be obtained with overwhelming probability in step (1) of unsigncryption.(i)Firstly, let us prove that after calling, the probability ofis overwhelming, whereis the vector used in **Signcrypt** algorithm. At first, we need to show that this calling can work; that is,is a-trapdoor for. For convenience, let. Becauseis a basis of, there must exist a matrixsuch that. As a result,
?Clearly, theis the form offor some; namely,is a-trapdoor for. As a result, a vectorcan be returned. We next demonstrate the probability that the probability foris overwhelming by calling(Algorithm 2). Clearly, if theincan return desired value,can obtain desired. The oracleis realized by calling **InvertG** (Algorithm 1); consequently, it only needs to prove the constraint condition is satisfied, that is, the error vector, referring to Section 2.3 for the definition of. Because,for, it follows thatandexcept with probabilityby Proposition 9 items (2). When the parameters are set as in **Setup** and the sender’s public/private keys are produced as in **KeyGen**, it follows that the maximum singular value forsatisfiesexcept probabilityaccording to Proposition 10. Let; it follows thatexcept probability, becauseis large enough.(ii)Secondly, when the correctis obtained, the test in step (c) can be passed and the analysis is included in the above proof.(iii)Thirdly, in step (e), for, it follows thatas desired.(iv)Finally, in step (f),; as a result,andare in the identical coset, so the decryption can obtainexactly.

Next, after obtaining correctandvia step (1), we get the correct key used for symmetrical encryption, so we can obtain correctin step (2), and the verification for hash values in step (3) can be passed.

Finally, let us analyze step (4). Specifically, we prove that the signature verification can be passed with overwhelming probability. By now, we have got correctthat is a signature for, and we only need to prove that it is valid. First, we evaluate the probability for., whereis obtained by calling the algorithm SampleDG. It is known by SampleDG thatandwith probabilityby Proposition 9 items (2). On the other hand,with probabilityby the same lemma. Therefore,with probability. Second,
Consequently, the signature is valid with probability.

#### 5. Security Proofs

Before giving the proofs on the confidentiality and unforgeability of the proposed scheme, we need at first to prove the following lemma.

Lemma 20. *For a given unit, if,, andis a signature obtained in step (1) of the Signcrypt algorithm, then the probability foris negligible. More precisely,.*

*Proof. *We first evaluate the number of units in the above ring. As defined in [17], the monic degree-polynomialis irreducible modulo every primedividing. Becauseis irreducible,is maximum ideal andis a field according to Chinese remainder theorem. An elementis a unit if and only if it is nonzero modulo any primedividing. Assume thathas prime factors. The amount of elements which are zero modulo prime factoris. By inclusion-exclusion principle, the amount of units inis
where the approximating from (17) to (18) is implied by thatis large enough. In the proposed scheme,and. On the other hand, the hash functionsandare both universal. Based on the above two reasons, this lemma holds.

Theorem 21 (confidentiality). *The proposed signcryption is indistinguishable against inner adaptively chosen ciphertext attack (IND-CCA2) assuming the decision-problem (for) is intractable.*

*Proof. *At first, let us define the following game sequence between a challengerand an adversary.(i)The gameis exactly the IND-CCA2 attack with the system as described in Section 3.(ii)In game, the challenger change the way to construct the receiver’s public keyand the way to answer unsigncryption queries. The receiver’s public keyis produced as follows. At the start of the game, chooseas in gameand let, next choose, and then construct. The challenger gives the adversaryas the sender’s public key. Wheneverinvokes a unsigncryption query on,responds as normal except that in step (1) of **Unsigncrypt** algorithm, the decryption foris changed as follows.(1)Decryptto achieveas follows.(a')Ifor, outputand then abort; otherwise continue.(b')Callto obtain, whereand.(c)Iforoutputand abort; otherwise continue.(d)Letand then parseas.(e)If, outputand abort; otherwise, continue.()Letwhereis an arbitrary solution of.(ii)In game, the challenger only changes hash functionand the method to produce challenge ciphertextas follows. The change for hash functionis as follows. The challenger replaces the hash functionwith a chameleon hash functionwithout revealing the trapdoor, where the matrixand(resp.,) has the same distribution with(resp.,). The challenge ciphertext is produced as follows. The adversary provides two equal length messagesand the sender’s public/private keys. The challenger tosses a fair coin, and then signcryptswith a slightly change. The challenger signsnormally to obtain, next chooses, and then choosessuch that(can do this since he/she knows the trapdoor of the chameleon hash). The subsequent signcryption operation is the same as.(iii)In game, the challenger continues to change the how the challenge ciphertextis created. Concretely, only the way to produceis changed as follows. The challenger normally chooses,and let. Next, chooseand let. Let. All the others are same as in game.(iv)In game, the challenger continues to change the challenge ciphertext. The challenger choosesuniformly. All the others are identical to.

Then, this theorem is implied by the indistinguishability between two successive gamesand() that are presented in Lemmas 22, 23, 24, and 25, respectively.

Lemma 22. *The adversary’s views in gameand gameare statistically indistinguishable. Meanwhile,can unsigncrypt correctly (with overwhelming probability).*

*Proof. *We first prove the indistinguishability for public key. Given,is a fixed matrix. On the other hand,is-uniform by leftover hash lemma. Therefore,is-uniform. Consequently, the value ofis statistically hidden from the adversary and the distribution of public key inandis statistically indistinguishable.

Next, we illustrate the challengerin the gamecan unsigncrypt correctly and’s unsigncryption behavior inandis indistinguishable from the view of the adversary. When the ciphertext queried is not valid, both games will abort. Therefore, we only need to analyze the case for a valid ciphertext. In the unsigncryption process of game, only the decryption for(i.e., public key decryption process) is changed. Therefore, it is enough to prove the correctness of public key decryption. At first, if, both games will output. Otherwise, there are two cases for:or not.

We firstly analyze the former. In this case, both games callto obtainsuch that(refer to Section 4.3). In game,
Clearly, conditioned on,is invertible according to the “unit differences” on, which is necessary for calling. It also follows thatis the-trapdoor forcorresponding to invertible tag. Therefore, the challenger needs to replacewithwhen calling. In step (c), if there isobtained from step (b') that satisfies the constraint condition, it follows thatin both games, wherehas been defined in Section 2.3. Therefore, thiscan be obtained by callingin both games; otherwise, if there is no such an, both games will output. In step (e), if, both games output; otherwise, there existandsuch that
In step (f) of game,computes
while in step (f') of game,does as follows: first, find anysuch that, and then, compute
Clearly,in,inandare in the same cosetthereforeandcan both decrypt the desired value.

We next discuss the latter case; that is,. In this case, gamecannot unsigncrypt becauseis not invertible, but sinceis unknown to the adversary in, the probability foris negligible according to Lemma 20. Based on the above analysis, the gamesandare indistinguishable.

Lemma 23. *The adversary’s views in gameand gameare statistically indistinguishable.*

*Proof. *At first, because the matrices used for constructing hash functionsandhave identical distribution, the gamesandare statistically indistinguishable when the hash function is replaced. Although the way for producing the challenge ciphertextinis changed, the adversary cannot distinguishfromwithout knowingin advance, considering thatis universal andis random selected.

Lemma 24. *The adversary’s views in gameand gameare statistically indistinguishable.*

*Proof. *The key idea of this lemma’s proof is similar to a section in Theorem 6.3 of [17]. The change of challenge ciphertext inis only at the public encryption section, more precisely, only the componentas described above. The distribution ofin both games is identical. With respect to, in game,
where, for. In game,
It only needs to prove that the statistical distance betweenandis negligible. Expressas, where. On the other hand. It follows that for fixed,is-far fromforaccording to Corollary 3.10 of [23] and Theorem 3.1 of [28]. In other words,inhas distribution-far fromin. Consequently, the challenge ciphertextin both gamesandis statistically indistinguishable.

Lemma 25. *The adversary’s views in gameand gameare computationally indistinguishable and the adversary’s advantage inis negligible, assuming that the decision-problem (for) is intractable.*

*Proof. *The idea of this lemma’s proof is similar to a section in Theorem 6.3 of [17]. In order to show the indistinguishability, a method to discretize LWE is needed. Concretely,is a LWE instance over. Thesamples (for)can be transformed toby mapping, forandaccording to Theorem 3.1 of [28]. Clearly, by the above mapping, the uniform instanceoveris mapped to the uniform distribution over.

In game,is in fact an instance of. In game,is an uniform random instanceover. Because LWE is pseudorandom, the above discretized distribution is also pseudorandom under the constraint condition for. Therefore, under discretized LWE assumption, the gamesandare computationally indistinguishable.

Next, we analyze the adversary’s advantage in the game. According to leftover hash lemma,is-uniform, when choosingas in. Therefore, the challenge ciphertext has at most-far distribution when encrypting any different messages. Consequently, the adversary’s advantage inis negligible.

Theorem 26 (unforgeability). *In standard model, the proposed signcryption is strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA) assuming thatfor large enoughis hard.*

*Proof. *We prove it by contradiction. If an adversarycan forge a signcryption in the proposed scheme, then the simulator can forge a signature of the above SUF-CMA signature scheme used in the proposed scheme.

Initial:gets public parameterand his/her public/private keysby running successively the algorithms Setup and KeyGen and thengivesandto.

Singcrypt query: in this phase, the adversarycan perform polynomially bounded signcryption queries as follows. Whensubmits a message (and a intended receiver’s public key) for querying. (For convenience, we denote the intended receiver’s private key by).gets a signcryption value byand givesto.

Forgery:outputs a receivers public/private keysand a fresh ciphertextunder the sender’s public keyand the receiver’s private key. Becauseis a valid ciphertext,does what follows.(1)Decryptwithto obtain.(2)Decryptwithto obtain.(3)Combineandto obtain.

In the proposed scheme, we use the signature scheme of [17]. However the syndromein the signature scheme is replaced by a chameleon hash value of the messageand some random. For convenience, the signature scheme involving a chameleon hash function is calledsignature scheme. The signature scheme of [17] is SUF-SMA in the standard model assuming the hardness offor large enoughtherefore thesignature scheme is SUF-CMA in the standard model according to [33, Lemma 2.3] or [34, Lemma 2.1].

Becauseis a valid ciphertext,is a validsignature on message. Now, we have got a contradiction. Consequently, the proposed signcryption scheme is also SUF-CMA assuming the hardness offor.

#### 6. Performance Analysis and Simulations

This section compares the ciphertext length, computational cost, key size, and so forth in the proposed scheme with that in the normal signature-then-encryption diagram and the existing signcryption schemes based on lattice.

The dimension of public keysneed to be declared firstly. Assuming that the security parameteris the same in LMK12 [14], WHW12 [15], and ours. In LMK12 [14] and WHW12 [15], the public/private keys for signature and encryption are all generated by the approach in [29], and the dimension