#### Abstract

A proxy blind signature scheme is a special form of blind signature which allowed a designated person called proxy signer to sign on behalf of original signers without knowing the content of the message. It combines the advantages of proxy signature and blind signature. Up to date, most proxy blind signature schemes rely on hard number theory problems, discrete logarithm, and bilinear pairings. Unfortunately, the above underlying number theory problems will be solvable in the postquantum era. Lattice-based cryptography is enjoying great interest these days, due to implementation simplicity and provable security reductions. Moreover, lattice-based cryptography is believed to be hard even for quantum computers. In this paper, we present a new identity-based proxy blind signature scheme from lattices without random oracles. The new scheme is proven to be strongly unforgeable under the standard hardness assumption of the short integer solution problem (SIS) and the inhomogeneous small integer solution problem (ISIS). Furthermore, the secret key size and the signature length of our scheme are invariant and much shorter than those of the previous lattice-based proxy blind signature schemes. To the best of our knowledge, our construction is the first short lattice-based identity-based proxy blind signature scheme in the standard model.

#### 1. Introduction

Digital signature schemes are the cornerstone of e-business, e-government, software security, and many more applications. The importance of these schemes is likely to grow in the future as more and more everyday tasks and processes are computerized.

The concept of blind signature was first proposed in 1982 by Chaum [1]: user A could obtain the signature of B on any given message, without any information about the message or its signature revealed, and any receiver could verify the signature that is signed by signer B.

In 1996, Mambo et al. introduced the concept of proxy signature [2]: an original signer delegates his signing authority to another signer, who is called a proxy signer. At last, the proxy signer can sign any message on behalf of the original signer and the verifier can verify and distinguish between normal signature and proxy signature.

In 1985, Shamir introduced the concept of identity-based (ID-based) cryptography and presented an ID-based signature (IBS) scheme [3]. In an IBS scheme, a public key can be derived from the identity of the user, and a corresponding secret key can be generated by a private key generator (PKG). Of course, the IBS scheme can simplify key management procedures in certificate-based public key systems, so it can be an alternative for certificate-based public key systems in some occasions, especially, when efficient key management and moderate security are required.

In 2000, Lin and Jan [4] introduced the concept of proxy blind signature. Proxy blind signatures are actually the combination of both proxy signature and blind signature. It plays an important role in the following scenario: in e-cash system, the user makes the bank blindly sign a coin using blind signature schemes. Whenever a user goes through a valid branch to withdraw a coin, he/she needs the branch to make proxy blind signature on behalf of the signee bank.

Tan et al.’s scheme is a proxy blind signature scheme which is based on Schnorr blind signature. But Awasthi and der Lal [5] showed a forgery attack on Tan et al.’s scheme and proposed a more secure proxy blind signature scheme. Recently Sun et al. [6] pointed out that neither Tan et al.’s scheme nor Awasthi and der Lal’s scheme satisfies the unlinkability property of the proxy blind signature scheme. But they did not give an improved scheme to overcome the insecurity. For the first time, Zhang et al. [7] proposed a proxy blind signature scheme from bilinear pairings. In 2004, Zheng et al. [8] proposed an ID-based proxy blind signature scheme which uses bilinear pairings of elliptic curves or hyperelliptic curves. Since then, many identity-based proxy blind signature schemes have been proposed, for example, [9–11].

Up to date, most of proposed identity-based proxy blind signature schemes rely on hard number theory problems such as integer factorization, discrete logarithm, and bilinear pairings with the Diffie-Hellman problem. However, the above underlying number theory problems will be solvable if practical quantum computers become reality, so it implies a potential security threat to these identity-based proxy blind schemes. Thus, a natural question one can ask is how to design identity-based proxy blind signature schemes that are secure in the quantum environment.

In recent years, lattices have emerged as a possible alternative to number theories. Lattice-based cryptography began with the seminal work of Ajtai [12], who showed that it is possible to construct families of cryptographic functions. Moreover, lattice-based cryptography is believed to be hard even for quantum computers [13]. Several lattice-based signature schemes [14–18] have been proposed so far. Among them, Jiang et al. [18] presented the first proxy signature scheme from lattices. Unfortunately, Tian and Huang [19] pointed that an original signer is able to forge a proxy signature on any message in the scheme. In 2010, Cash et al. put forward a new cryptographic notion called a bonsai tree based on hard lattice [20]. Since then, many proxy signatures [21, 22] were presented in bonsai tree model based on the bonsai tree signature scheme. However, both the private keys and the signatures in these schemes become dramatically longer than general signature. Therefore, they may not be practical for large communities.

Recently, Agrawal et al. [23] presented a basis delegation algorithm which keeps the dimension of the lattices involved constant. Based on the algorithm, the first lattice-based hierarchical identity-based encryption scheme with short ciphertexts in the standard model was proposed in [23]. Still, there is no identity-based proxy blind signature scheme from lattices in the standard model.

Following the above discussion, in this paper, we will construct a new identity-based proxy blind signature scheme from lattices in the standard model, which is obtained from Agrawal et al.’s basis delegation algorithm [23]. The new scheme is provably secure against strong forgery under hard problems on lattices, and the size of secret keys and the signature length of our scheme are much shorter than those of signature schemes [21, 22].

The rest of the paper is organized as follows: the next section gives the introduction of lattices, Section 3 explains briefly the definition of proxy blind signature, and Section 4 gives a detailed description of our identity-based proxy blind signature from lattice basis delegation. In Section 5, an analysis about our scheme is presented. Section 6 concludes this paper.

#### 2. Preliminaries

##### 2.1. Lattice

Let and let be linearly independent vectors in ; the -dimensional lattice generated by the basis is here is called a basis of the lattice . For a basis , let denote its Gram-Schmidt orthogonalization, defined iteratively as follows: , and for , is the component of orthogonal to span ().

The minimum distance of the lattice is the length (in the Euclidean norm, unless otherwise indicated) of its shortest nonzero vector:

We define the orthogonal lattice as

##### 2.2. Hard Problems on Lattices

Security of our signature scheme rests on the hardness assumption of the short integer solution (SIS) problem and the inhomogeneous small integer solution problem [14].

*Definition 1 (the small integer solution problem (SIS) (in the Euclidean norm)). *Given an integer , a matrix , and a real , the goal of the short integer solution problem is to find a nonzero integer vector , such that mod and .

*Definition 2 (the inhomogeneous small integer solution problem (ISIS) (in the Euclidean norm)). *Give an integer , a matrix , a syndrome , and a real , to find an integer vector , such that mod and .

##### 2.3. Trapdoor and Basis Delegation Functions for Lattices

It was shown in [14] that if is hard, defines a one-way function , with , where and . The input distribution is , and a short basis for can be used as a trapdoor to sample from .

Here we briefly introduce some enhanced variants of trapdoor functions [14] with preimage sampling, which are given by a tuple of probabilistic polynomial-time algorithms (*TrapGen*,* SampleD*, and* SamplePre*), which will be used as building blocks in our signature scheme.

The following functions take the Gaussian smoothing parameter as a parameter.

*TrapGen**.* Let , and be integers with , ; TrapGen() outputs a pair , where is statistically close to uniform on and is a good basis of , such that .

*SampleD**.* Sample an from distribution , for which the distribution of is uniform over .

*SamplePre**.* On input of , a good basis for as the trapdoor, a vector , and , the conditional distribution of the output is within negligible statistical distance of .

At CRYPTO 2010, Agrawal et al. [23] presented a new short lattice basis delegation algorithm that keeps the lattice dimension unchanged. Now, we briefly recall the main results in [23].

*Definition 3. *Let be a prime, let , let and ; is defined as the distribution on full rank matrices , where for all .

*BasisDel **.* Let , , a matrix (or a product of matrices) sampled from , and a basis of ; the algorithm BasisDel () outputs a random basis for , such that , where .

*SampleRwithBasis **.* For , , and , the algorithm SampleRwithBasis () outputs a random matrix and a basis for , such that .

#### 3. Proxy Blind Signature

A proxy blind signature [4, 9–11] is considered to be the combination of proxy signature and blind signature. It consists of four participants: an original signer, a proxy blind signer, a user, and a verifier and the following four algorithms: keygen, generation of the proxy key, proxy signature generation, and verification. A proxy blind signature scheme should satisfy the following requirements.

*Distinguishability.* Proxy signatures are distinguishable from normal signatures by everyone.

*Verifiability.* From the proxy signature, the verifier can be convinced of the original signers agreement on the signed message.

*Strong Nonforgeability.* A designated proxy signer can create a valid proxy signature for the original signer. But the original signer and other third parties who are not designated as a proxy signer cannot create a valid proxy signature.

*Strong Identifiability.* Anyone can determine the identity of the corresponding proxy signer from the proxy signature.

*Strong Nondeniability.* Once a proxy signer creates a valid proxy signature of an original signer, he/she cannot repudiate the signature creation.

*Prevention of Misuse.* The proxy signer cannot use the proxy key for purposes other than generating a valid proxy signature. That is, he/she cannot sign messages that have not been authorized by the original signer.

*Blindness Property.* A signer cannot distinguish, except with negligible probability, the order in which he/she issued signatures.

#### 4. A Lattice-Based Identity-Based Proxy Blind Signature Scheme in the Standard Model

We introduce our lattice-based identity-based proxy blind signature scheme in the standard model in this section which needs the following parameters.

Let be a prime number, and , , and . A bound , the Gaussian parameter , and a hash function that outputs matrices in is

The original signer A and the proxy blind signer B have the identity and the identity , respectively, and the details are described as follows.

*Setup.* Given the security parameter , the PKG runs to generate a matrix and a corresponding short basis of . Let be the master secret key and let be the master public key. The following construction assumes that messages are arbitrary -bit strings in , choosing independent matrices . Publish the system public parameters and keep the master key secret.

*KeyGen.* On input of an identity , the PKG runs BasisDel () to generate a private key for , where is a random basis for and .

*Generation of the Proxy Key.* The original signer A chooses the identity of the proxy signer B and then runs BasisDel () to generate , where is a random basis for and . Then the original signer A sends to the proxy signer B as the proxy key.

*Proxy Blind Signature.* Suppose that is the message to be signed, and the proxy signer B and the user C compute the signature as follows.(1)Blinding: the user C chooses uniformly and samples using* SampleD*, where the distribution of and is uniform over . Then computes
At last, he/she sends to the proxy signer B.(2)Signing: if is in the local storage, B outputs ; otherwise, B chooses nonzero vectors as follows:
and then checks up and , and if not, B chooses and again, stores in the local storage, and sends to C.(3)Unblinding: after receiving , the user C computes
and then he/she outputs .

*Verification.* A verifier can accept the proxy blind signature if and only if:(1), and ;(2), and ;(3);(4).

#### 5. Analysis of the Proposed Scheme

##### 5.1. Completeness

For the proxy blind signature , we have(1)(2)(3)(4)

##### 5.2. Analysis of Security

Our proxy blind signature scheme satisfies all the requirements stated in Section 3 based on the hardness assumption of SIS problem and ISIS problem. We proof only blindness property and strong nonforgeability.

Theorem 4 (blindness). *The proxy blind signature scheme above is -blind [15].*

*Proof. *The proxy signer cannot relate the message and blinded message by definition; the statistical distance is
because is uniformly random chosen from , so is . Because and , is close to . Thus, is close to 0. Similarly, is close to 0. So the proxy signer cannot relate the message and blinded message .

Theorem 5. *The proxy blind signature scheme in this paper is existentially unforgeable under chosen-message attack.*

*Proof. *If an adversary breaks existentially unforgeability under chosen-message attack of the proxy blind signature scheme in this paper with probability , makes at most () extraction queries and signature queries, then there is a algorithm attacking the SIS problem with probability negligibly close to

*Setup.* At first, algorithm chooses randomly a matrix in and generates
where , is a basis for , and . Then, choose and run BasisDel () to generate , where is a random basis for . Set , and then let be the master secret key and let be the master public key. Next, sample nonzero vectors , using (if , choose again for ) and choose independent nonsingular matrices in . Finally, let for . We know that is statistically close to uniform over .

Algorithm sends the system parameters to adversary and keeps the master key secret.

*Extraction Queries.* When the secret key of the identity is queried for , algorithm lets , runs BasisDel () to generate , and stores and sends to the adversary . (If the secret key was previously queried on , looks up in its local storage and returns to .)

*Proxy Key Queries.* After receiving , where is the identity of the original signer and is the identity of the proxy signer, algorithm returns
to . Of course, is a random basis for

*Signature Queries.* When algorithm receives , where is the identity of the original signer, is the identity of the proxy signer, and is the blinded message of , he/she generates blinded signature for (blinded message of ) as follows.

If was queried previously, looks up in its local storage and returns as the proxy signature to ; otherwise, chooses nonzero vectors Then checks up and , and if not, it chooses and again and then stores in the local storage and sends to adversary .

After receiving , adversary removes the blind factor to get the proxy blind signature .

*Forgery.* Finally, if the adversary outputs a valid forgery with probability , we have(1), and ;(2), and ;(3);(4).

If or , we abort. Otherwise, if and , we have Because and , we can get . Let , and then and , so Thus, outputs as a solution to the SIS problem with .

We now analyze the reduction: by the preimage min-entropy property of the hash family, thus the signature with negligible probability . The adversary outputs the valid forgery with probability , and , so is a solution to the SIS problem with with probability negligibly close to

##### 5.3. Efficiency Analysis

The efficiency of signature scheme is mainly considered to include the length of public keys, secret keys, and signatures. The lattice-based special signature scheme [21, 22] is also provably secure; however, the private keys and the signatures in these schemes are dependent on the identity length of the signer. In contrast, the size of private keys and the size of signature in our scheme are both unchanged and much shorter. Therefore, our scheme is more practical. Table 1 shows the comparison of the schemes.

#### 6. Conclusions

In this paper, we have constructed a new lattice-based proxy blind signature scheme with short secret keys and short signatures in the standard model. Our signature scheme is more efficient than other current proxy blind signature schemes, and the security mainly depends on hard problems on lattices, so this scheme in this paper is still secure in quantum computing environment.

#### Conflict of Interests

The authors declared that they have no conflict of interests regarding this work.

#### Acknowledgments

This work was supported by Scientific Research Project Fund of Science and Technology Bureau of Zhengzhou (no. 20140713) and the project of science and technology office of Henan province (no. 142300410342). The authors gratefully acknowledge the anonymous reviewers for their valuable comments.