Research Article | Open Access
A Fuzzy Identity-Based Signature Scheme from Lattices in the Standard Model
A fuzzy identity-based signature (FIBS) scheme allows a user with identity to issue a signature that could be verified with identity if and only if and lie within a certain distance. To obtain an FIBS scheme that can resist known quantum attacks, we use the double-trapdoor technique from ABB10a for secret key extracting and the vanishing trapdoor technique from Boyen10 for message signing. In addition, in order to reflect the functionality of fuzziness, Shamir secret sharing scheme is also used in our construction. In this paper, we propose an FIBS scheme from lattices and prove that this new scheme achieves strong unforgeability under selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model. To the best of our knowledge, our scheme is not only the first FIBS scheme from lattices without random oracles but also the first FIBS scheme that achieves strong unforgeability.
In order to overcome certificates management problem in traditional public key cryptography, Shamir first put forward the concept of identity-based public key cryptography  in 1985; that is, the public key of an identity can be easily computed from his identity information. The first efficient and secure identity-based public key encryption (IBE) scheme was given by Boneh and Franklin in . However, identity string for each identity is not unique, while biometric characteristics (e.g., fingerprints, faces, irises, etc.) are unique. Therefore, identity’s biometric characteristics can be used as public keys. Biometric keys have many advantages: hard to guess, forget, copy, share, and forge. However, biometric measurements are noisy, and there are many different measurements to the same biometric.
Sahai and Waters first introduced the concept of fuzzy identity-based encryption (FIBE)  in 2005. In an FIBE scheme, a user using the secret key, which the identity described as an attribute set , can decrypt a ciphertext encrypted with the public key if and only if and lie within a certain distance judged by some metric. Thus, an FIBE scheme involves an error tolerance parameter between the identities. In 2007, Baek et al.  put forward two FIBE schemes; these new schemes provided public parameters whose size was independent of the number of attributes in each identity and had beautiful structures, which made the key extraction and encryption more efficient than the scheme . In , Goyal et al. showed that FIBE can also be regarded as a type of application of attribute based encryption (ABE).
Yang et al.  first introduced the concept of fuzzy identity-based signature (FIBS) and constructed an FIBS scheme based on scheme . A fuzzy identity-based signature (FIBS) scheme allows a user with identity to issue a signature that could be verified with identity if and only if and lie within a certain distance judged by some metric. A number of FIBS schemes have been put forward in recent years, such as [7–11]. However, all of these schemes not only are based on hard number theoretical problems (e.g., integer factorization, discrete logarithm, and bilinear pairings), which are vulnerable to quantum computer attacks , but also achieved existential unforgeability. Existential unforgeability is only a basic requirement for a signature scheme; it means that an adversary is allowed to forge a new different signature of the same message. Strong unforgeability means that it prevents forging of signatures on messages that could have been signed previously. Cryptologists prefer to design digital signature schemes that can achieve strong unforgeability.
In recent years, lattice-based cryptographic systems have attained a great interest for postcryptography, as the systems have the ability to resist the known quantum analysis (e.g., Shor algorithm analysis ). Furthermore, the systems also enjoy great promise because of having a very strong security proof based on worst-case hardness, relatively efficient implementations, and great simplicity due to the structure and linearity of lattices. Many cryptographic schemes are based on the learning with errors (LWE) problem and small integer solution (SIS) problem, for example, public key encryption schemes [13, 14], digital signatures [15, 16], identity-based encryption [17, 18], fully homomorphic encryption [19, 20], and so on.
Meanwhile, researchers are always concerned with fuzzy identity-based signature (FIBS) scheme from lattices. An FIBS scheme from lattices was first proposed by Yao and Li  in 2013. The paper pointed out the defect of security model in  and put forward a more reasonable security model for FIBS scheme. In addition, authors also presented an FIBS scheme based on the SIS problem hardness assumption. However, the scheme could only achieve the standard of existentially unforgeable against adaptively chosen message and identity (EU-ACMIA) attacks in the random oracles. However, considering Canetti’s critical statement on provable security reduction based on random oracles  and the risk of random oracle model , it is a meaningful and relatively safe direction to design cryptographic schemes that are not in the random oracle model.
Based on the security model of , we use the double-trapdoor technique from ABB10a for secret key extracting, the vanishing trapdoor technique from Boyen10 for message signing, and Shamir secret sharing scheme . We propose a new FIBS scheme that achieves strong unforgeability against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model. To the best of our knowledge, our scheme is the first FIBS scheme from lattices without random oracles and achieves strong unforgeability.
The rest of this paper is organised as follows. In Section 2, we introduce some preliminaries about SIS problem and some algorithms that will be used in our construction and security proof. The model of FIBS and security notations are given in Section 3. In Section 4, we present our main result that is an FIBS scheme from SIS. The security proof and parameters analysis are presented in Section 5. We give the performance analysis and simulations in Section 6. In Section 7, we present the conclusions and open problem for the future.
We denote the set of integers and real numbers by and , respectively. For a positive integer , denotes the set . The vectors are denoted by lower-case bold letters (e.g., ), matrices by upper-case bold letters (e.g., ), and the Gram-Schmidt orthogonalization of by . We write for the Euclidean norm of and for the length of a matrix . We use standard , for denoting the growth of functions. The notation poly denotes a function for some constant . negl denotes some unspecified function such that for constant , and describing such a function is negligible. We also describe that a probability is overwhelming if it is . The base of logarithm function is 2.
2.2. Lattice and Small Integer Solution (SIS) Problem
Definition 1 (see ). An -dimensional lattice is a discrete additive subgroup of . Formally, let consist of linearly independent vectors. The lattice generated by is
Here is called a basis for the lattice .
For any basis , let denote its Gram-Schmidt orthogonalization of basis . It is iteratively defined as follows: , and is the component of orthogonal to span for .
Definition 2 (see ). Given a matrix for some , , , its -ary lattice is defined as follows: We also define the coset for any that is generated by the columns of as
Definition 3 (see ). Given any vector and real , a Gaussian function on centered at with parameter is defined by
For any vector , real , and -dimensional lattice , the discrete Gaussian distribution over is defined as follows: where .
Definition 4 (small integer solution (SIS) problem ). Given an integer , a real , and a matrix , the goal of is to find a vector for satisfying and , where .
Proposition 5 (hardness of SIS problem ). Given security parameter , any poly-bounded , , and any prime , the average-case problem is as hard as approximating the SIVP problem in the worst case to within certain factors.
2.3. Some Algorithms
We recall some algorithms for our construction and security proof later.
Lemma 6 (see ). Let be odd and . There is a probabilistic polynomial time algorithm that outputs a pair such that is statistically close to a uniform matrix in and is a basis for satisfying
with all but negligible probability in .
For simplicity, we let denote the maximum Gram-Schimidt norm of a basis produced by .
Lemma 7 (see [15, 26]). Let and be a matrix in with . Let be a basis for and . Then for any ,(1);(2)there is a probabilistic polynomial time algorithm that returns sampled from a distribution statistically close to .
Lemma 8 (see ). Let , , and . There exists a polynomial time algorithm that takes a matrix , a rank matrix , a matrix , and a short basis of as inputs and outputs a vector distributed statistically close to , where and .
Lemma 9 (see ). There exists a polynomial time algorithm that takes a matrix , a matrix , and a short basis of as inputs and outputs a basis of with and , where .
Lemma 10 (see ). There exists a polynomial time algorithm that takes matrices , , and and a short basis of as inputs and outputs a basis of with and , where .
3. The Model of FIBS
We recall the notation of FIBS scheme and security model from  in this section. A fuzzy identity-based signature scheme consists of four algorithms as follows.(i): this probabilistic algorithm takes a security parameter as an input and outputs the public parameters that contain an error tolerance parameter and master key .(ii): this probabilistic algorithm takes the master key and an identity as inputs and outputs a secret key for identity .(iii): this probabilistic algorithm takes public parameters , a private key associated with , and a message as inputs and outputs the signature on message for identity .(iv): this deterministic algorithm takes identity such that , the message , and the corresponding signature as inputs and returns a bit , where means that the signature is valid.
For correctness purposes, for any fixed , and arbitrary such that , it holds that
We consider the security model of FIBS scheme as strong unforgeable against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA). Strong unforgeability under adaptive chosen message attacks (SU-CMA) is stronger than existential unforgeability (EU-CMA) in the sense that the adversary is not restricted by the security model artificially. In EU-CMA, the adversary is only allowed to output a signature for a fresh message , where the signature of was known by adversary, while, the SU-CMA adversary is also allowed to output a fresh signature for one of the .
Let be an adversary assumed to be a probabilistic turing machine taking a security parameter as an input. Consider the following game in which interacts with a challenger .(i)Init: the adversary declares the target identity .(ii)Setup: the challenger runs the Setup phase of the algorithm and tells the public parameters to adversary .(iii)Queries: the adversary launches a number of different queries for the challenger .(1)Extract query: the adversary issues private key queries for any identities , where .(2)Sign query: the adversary can ask for the signature of any identities on any message .(iv)Forgery: the adversary outputs . succeeds if the following conditions hold:(1)Verify: ;(2)for any tuple that is generated during the Sign queries, we have (a) and or (b) .
We define s success probability by
A fuzzy identity-based signature (FIBS) scheme is said to be SU-sID-CMA secure if is negligible in the security parameter .
More stronger security model, strong unforgeability against adaptive chosen-identity and adaptive chosen-message attacks (SU-aID-CMA), can be obtained from SU-sID-CMA by a generic transformation that uses Chameleon hash function .
4. The FIBS Construction
Our construction is made of four algorithms as follows. In Section 5.1, we will further analyse the parameters.(i): this is a probabilistic algorithm that takes security parameter as an input and sets the parameters , where is the identity size, () is the error tolerance parameters, is the length of message, is a prime, is the dimension of lattice, and and are Gaussian parameters; then the algorithm performs the following steps.(1)Use algorithm TrapGen for generating matrices and corresponding trapdoors , where , , and .(2)Select uniformly random matrices , from , where . Draw independent matrices from for . Select a random nonzero vector .(3)Let be the full rank differences map as defined in .(4)Output public parameters , and master secret key .(ii): this is a probabilistic algorithm that takes the master key and an identity as inputs and then performs the following steps.(1)Call algorithm for all (the can be first expanded to , hashing it to using a collision resistant hash). Let ; then .(2)Output the secret key for identity .(iii): this is a probabilistic algorithm that takes public parameters , a private key associated with , and a message as inputs and then performs the following steps.(1)For every coordinate of , construct shares of independently using a Shamir secret-sharing scheme. Namely, for each , choose a uniformly random polynomial of degree such that . Construct the th share vector . Thus for all satisfying , we can compute fractional Lagrangian coefficients such that .(2)For message , let , where .(3)For , randomly choose .(4)Run algorithm . Let .(5)Output signature .(iv): this is a deterministic algorithm that takes identity , a message , and a signature as inputs and then performs the following steps.(1)Let denote the set of matching bits in and .(2)If , output .(3)Otherwise, compute for all and . If (a) for all and (b) , where is the corresponding fractional Lagrangian coefficient, then accept the signature . Otherwise, reject the signature .
Remark 11. In the verification equality, the only role of is to compute the subset . The equals instead of . This can be explained that the identity is a part of the signature . Designing a more graceful scheme such that the verification equality needs neither nor directly (like scheme based on pairing ) is our further research direction.
5. Correctness and Security
5.1. Correctness and Parameters
For proving the consistency of the scheme, we only consider the case , where is the matching bits set of and . First, we give the correctness of our scheme.
According to Lemma 7, we know that, for every , and . Thus, .
On the other hand, for every , vector satisfies from Lemma 7. In other words, . Therefore, for subset , .
Secondly, for the scheme working correctly, we must satisfy the following conditions.(i)Algorithm TrapGen can operate, so .(ii)Algorithm SampleBasisLeft used in Extract phase can operate; that is, , where .(iii)Algorithm SamplePre used in Sign phase can operate; that is, , where .
Taking as a security parameter, let satisfy . The parameters are set as follows: , .
Theorem 12. The FIBS scheme is SU-sID-CMA in the standard model under the hardness assumption SIS problem. Let be an adversary that makes at most extract queries and signature queries and produces a successful forgery against our FIBS scheme with probability ; then there exists an algorithm that solves the problem with probability , where .
Proof. We prove this theorem by playing the classical provable secure game between an adversary and a challenger .(i) Init: let be the identity that intends to attack. The challenger is invoked on a random SIS instance and is asked to return an admissible solution such that and .(ii) Setup: the challenger generates the public parameters as follows. (a)Parse SIS instance as matrix ; choose randomly uniformly random matrices . (b)Let , for . (c)Choose randomly vectors from . Let and regard as th share vector of . According to Shamir secret-sharing scheme, there exist fractional Lagrangian coefficients for recovering ; that is, for all satisfying . (d)Run the algorithm TrapGen for generating the matrices and corresponding trapdoors , . Let be a matrix chosen at random from for , and let be a matrix sampling each column from for independently. (e)Pick uniformly random scalars and fix . Set and , where .(iii)Extract queries: the adversary issues private key queries for any identity satisfying . Considering a query for the private key of an identity , does not know the master key . For responding to a private key query for , the challenger uses the trapdoors to produce short basis for , where + . For , is nonsingular and therefore is also a trapdoor for , where . The challenger can now respond to the private key query by running and sending to the adversary .(iv) Sign queries: the adversary asks signature for any identities on any message. Consider a query for a signature of on message .(a)If , that is, , then the challenger will try to construct a signature as aforementioned for extracting query using trapdoors . Then, for every , = . Compute the matrix and the scalar . Note that . If , abort the simulation. Otherwise, compute the matrix and run the algorithm , . Finally, respond to the adversary with the signature . Now, we prove that the signature is a valid signature and the distribution is identical to the real one. First, according to lemma 8, we have for all and is with negligible statistical distance from the distribution , where . Therefore, due to the assumptions that and . In addition, for all from Lemma 7(1). Therefore, is a valid signature.(b)If , the challenger uses the secret key from extract query for responding the signature query by the signature algorithm.(c)If , the challenger will firstly compute the secret key for identity like the extract query. Then, respond with the signature query as aforementioned.(v) Forgery: the adversary outputs a valid forgery signature for the target identity . Then the challenger computes the matrix , . If , he aborts the simulation. According to whether the message is queried or not, there are two different cases that need to be considered.(a)The message is queried in the Sign queries. Assume that the challenger responded for message in the Sign queries. Then for all , parse , , where is the first rows of matrix and is the last rows of matrix . Let + ; then . The challenger returns as solution to and . In addition, According to Lemma of , ; therefore, the probability of is at least