Research Article  Open Access
IDBased Strong Designated Verifier Signature over SIS Assumption
Abstract
In this paper, we propose an IDbased strong designated verifier signature (SDVS) over SIS assumption in the random model. We remove preimage sampling function and Bonsai trees such complex structures used in previous latticebased SDVS schemes. We only utilize simple rejection sampling to protect the security of our scheme. Hence, we will show our design has the shortest signature size comparing with existing latticebased IDbased SDVS schemes. In addition, our scheme satisfies anonymity (privacy of signer’s identity) proved in existing schemes rarely, and it can resist sidechannel attacks with uniform sampling.
1. Introduction
The first designated verifier signature scheme was proposed by Jakobsson, Sako, and Impagliazzo [1] in 1996. This signature scheme satisfies that only the designated verifier can verify correctness of generated signatures and he can’t convince others to believe in the validity of these signatures. The main reason for satisfying this property is that the designated verifier can generate an indistinguishable transcript from the real signatures. In [1], they also provided a notion of strong designated verifier signature (SDVS) to resist an online eavesdropper’s attack. In a SDVS, anyone can create an identical transcript which is indistinguishable from real signatures. Generally speaking, a SDVS needs to satisfy unforgeability and untransferability which were provided by Saeednia, Kremer, and Markowitch in [2] formally. In [3], Laguillaumie and Vergnaud added a property, that is, privacy of signer’s identity (anonymity), which means any adversary can’t distinguish Alice’s signature for Bob from Cindy’s signature for Bob without Bob’s secret key.
An advantage of identitybased scheme is that the verifier doesn’t need to generate his public key setup before receiving authenticated message from signer. In [4], Susilo, Zhang, and Mu first introduced the notion of identitybased SDVS (IDbased SDVS). They gave an efficiently generic construction of such schemes which were based on bilinear DiffieHellman assumption.
2. Related Work
2.1. Classical IDBased SDVS Schemes
Several classical IDbased SDVS have been provided since the first general construction is introduced in [4]. In [5], Huang et al. proposed a short IDbased SDVS based on bilinear pairing. Their contributions of paper are not merely their shorter signature size, but having two security proofs in random model and in standard model. In addition, the scheme of [5] has anonymity compared with [4]. Recently, Blazy et al. provided an IDbased SDVS [6] under CDH assumption in the standard model.
However, classical IDbased SDVS schemes can’t resist against quantum adversaries. Hence, people try to design postquantum IDbased SDVS schemes. With the collection of postquantum algorithms by NIST, latticebased cryptography is widely studied.
2.2. LatticeBased IDBased SDVS Schemes
As far as we know, there are two main postquantum schemes both based on lattice hard problems. The first latticebased IDbased SDVS was proposed by Noh et al. [7]. They used preimage sampling function and Bonsai trees (see [8]) with large parameters to protect the security. Soon Wang et al. proposed a more efficient scheme [9]. The security of this scheme was based on the hardness of LWE and its unforgeability can be reduced to SIS problem in the random model. At the same time, they showed the signature size () is shorter than any other already existing SDVS scheme.
However, above schemes that used Gaussian sampling are unusual to resist sidechannel attack [10–12], and the authors only gave the proofs of unforgeability and untransferability without anonymity.
2.3. Our Contribution
In this paper, we propose an efficient IDbased SDVS based on SIS problem over ring in the random model, and our design has advantages as follows:(1)Shorter signature size and lower rejection time. The signature size of our scheme approximately equals . Since holds in practical application, it is easy to see our result is better than [9]. The main reason for this is that we don’t utilize preimage sampling function and Bonsai trees such complex structures. Then we needn’t choose too large parameters to protect the existence and security of scheme. About efficiency, we use filtering technique (see [13]) to make the rejection 1.28 lower than others.(2)Resisting sidechannel attacks. The common methods of existing sampling over latticebased signature are Gaussian sampling (see [14–16]) and uniform sampling (see [13, 17, 18]). It has been proved that these schemes with Gaussian sampling lead to sidechannel attacks easily [10–12]. Hence we choose uniform sampling to resist them efficiently.(3)Satisfying anonymity. Although anonymity was introduced in [3] long ago, being proved in existing schemes is very rare indeed. Our scheme satisfies three properties of unforgeability, untransferability, and anonymity. In addition, anonymity can be reduced to solving SIS problem.
Organization of the Paper. We will show the basic notations, relative lattice hard problem assumption and rejection sampling used in our scheme, and detailed definitions of IDbased SDVS and security model in Section 3. Then we propose our IDbased SDVS scheme in detail in Section 4. In Section 5, we provide the proof of security. In Section 6, we present the relationship of our parameters to ensure the existence and security of our scheme. Finally, we give a conclusion and further work in Section 7. Data availability, conflicts of interest, and funding statement can be seen in the last three sections, respectively.
3. Preliminaries
3.1. Notations
We note ring , where is a prime number and is a power of 2 positive number. The bold small (capital) letters are vectors (matrices), and the normal letters are integers or real. The norm of a vector is denoted by (). means a uniform distribution in which an element is chosen randomly such that . An invertible element in distribution is represented by . An element in is . We note is a hash function. Function maps to , which is derived by using AES128ECB [19, 20].
3.2. Rejection Sampling
In previous part of our paper, we have shown that using Gaussian sampling can cause serious sidechannel attack; then we just provide uniform sampling in this part.
The method of uniform sampling is usually called filtering technique [17, 18]. Its core idea is the signer needs to output a secure signature by choosing its proper range, and its main aim is making such a good output uniform to protect his secret key. In [13], Rückert provided a form over polynomial rings.
Lemma 1 (see [13]). Given two sets and , and if given any , , then we have Pr.
Usually, contains information of secret key and signature form is . According to above lemma, we can see that the output is indistinguishable with uniform distribution if and only if it is constrained in the range . Further, if the signature is in this range, doesn’t leak any information about the secret key.
More importantly, this lemma tells us that the signature size is dependent on three parameters , and . In principle, the smaller these chosen parameters, the better. Unfortunately, a smaller value of can cause a larger rejection time (); hence we must find a tradeoff for it. In our scheme, the chosen parameter (replaced by ) is smaller than any other existing ones, which makes our signature size the shortest.
3.3. Lattice Assumption
There are two important averagecase problems, SIS and LWE, in lattices which can be reduced to the worstcase problems GapSVP and SIVP [21, 22]. A formal form of SIS problem is always denoted . Here we list its form over ring, which is at least as hard as worstcase problem on ideal lattices (see [23]).
Definition 2 (see [14]). Let be some ring and be some distribution over , where is the quotient ring . Given a random matrix following the distribution , find a nonzero vector such that and , which is denoted problem.
Compared with SIS, SIS is more compact and more efficient. In order to ensure existing of a sufficiently short solution, the dimension in SIS is approximate instead of in SIS problem. Furthermore, one can compute in quasilinear time with fast Fourier transform (FFT).
Besides, SIS and its associated cryptographic functions also can be proved at least as hard as certain lattice (called ideal lattice over ring ) problems in the worst case. In [23], Peikert and Rosen provided that SIS is at least as hard as worstcase () on ideal lattice in , where is the ring of algebraic integers in any number field . Particularly, the fastest time in known (quantum) algorithms to solve problem on ideal lattice is exponential . Indeed, now it seems that the additional algebraic structure of ideal lattices does not bring any advantages to solving this problem.
3.4. An Equivalent Construction of Random Matrix
Since our design has many matrix multiplications, we need to find an equivalent square matrix to satisfy their multiplicability. Moreover, in [16], Lyubashevsky showed that if , there are linearly independent columns in a random matrix with probability , when is a prime of size bigger than .
In order to construct an efficient latticebased SDVS scheme, we have introduced this idea in [24], so we provide it in brief here.
Lemma 3. If , , satisfies , then we construct a new matrix, and we have , where .
Proof. According to the multiplicability of the partitioned matrix, we can compute the below equation,This lemma shows that such a square matrix has two advantages for our scheme as follows:(i)Don’t change the security. Notice that the new square matrix has the same solution as the common form based on SIS assumption. Hence, they have equivalent security.(ii)Don’t change the efficiency. Although the dimension of matrix is increased, it doesn’t cause extra computation by filling zero matrix in original one.
3.5. Definitions of IDBased SDVS
An IDbased SDVS scheme contains five polynomial time algorithms (Setup, Extract, Sign, Verf, and Sim) between two participants Alice (signer) and Bob (designated verifier). Every participant has his identity (). Generally, there exists a private key generator (PKG) to provide a secret key () for each participant during an extract algorithm. The detailed descriptions of these algorithms are shown as follows.
Definition 4. Given a security parameter , an IDbased SDVS is defined by algorithms:(1)Setup: It is a probabilistic algorithm inputting the security parameter and outputting system parameters () and master key (). That is, (2)Extract: It is a deterministic (probabilistic) algorithm inputting , and participant’s identity and outputting relative secret key . Actually, the identity is often considered public key of participant, and () belongs to Alice (Bob) in twoparty schemes. Specifically, (3)Sign: It is a deterministic (probabilistic) algorithm inputting signer’s secret key , designated verifier’s public key , and message . Then it outputs a signature .(4)Verf: It is a deterministic algorithm inputting message and relatively received signature from signer Alice, and . The designated verifier Bob verifies whether the following equation is correct or not: (5)Sim: It is a probabilistic algorithm inputting a quadruple . Anyone can generate an indistinguishable signatures generated by the triple .
Security Model(1) Correctness: For all valid Sign , the designated verifier always gets the following result: (2) Unforgeability: We provide a game between a PPT adversary and a challenger to define existential unforgeability against adaptive chosen message attack (EUFCMA). In addition, we denote that and are signer and designated verifier ID, respectively.(i) Setup. The challenger runs the following algorithm to generate and . (ii) Extraction queries. The adversary can query the secret key of signer with . Then runs Extract to answer him. That is, can get .(iii) Sign queries. When obtains , he queries a signature with message and designated verifier . Then answers him with a correct signature by algorithm Sign .(iv) Output. At the end of this game, the adversary is able to generate a new signature with message , and satisfying necessary conditions:(1) and have never been requested in Extraction queries step.(2)Message related with and has never been requested in Sign queries step.(3)The signature with message , and is valid. Then, we provide a formal security description of EUFCMA. We say the IDbased SDVS scheme is EUFCMA secure, if the following probability is negligible for any PPT adversary runs above game in time . where is a negligible function of secure parameter .(3) Untransferability: This property simply means that any PPT adversary can’t distinguish the real signature and simulated one in below game between and challenger .(i) Setup. The challenger runs algorithm Setup to generate and .(ii) Sign and Verf queries. The PPT adversary queries for Sign and Verf queries adaptively for chosen message . The challenger answers him by running algorithms Sign and Verf. Notice that the identities of two participants are fixed and the parameter is form 1 to in this step.(iii) Challenge. After signing and verifying queries, chooses a new massage to query . tosses a coin randomly and chooses . When , he runs correctly; otherwise he runs to answer adversary’s request.(iv) Output. At the end of this game, the adversary outputs . If holds, the adversary succeeds in the game. Formally, for any PPT adversary, he has a correct guess after quests in time with negligible probability; then we say this IDbased SDVS is () untansferable. That is, (4) Anonymity: To be accurate, any adversary can’t distinguish the real signer’s identity form given and for a designated verifier’s identity . It is similar with witness indistinguishable property actually. The detailed description of game is shown as follows.(i) Setup. The challenger runs algorithm Setup to generate and .(ii) Extraction queries. The adversary can query the secret key of signer with . Then runs Extract to answer him.(iii) Sign and Verf queries. queries the signature with message for the signer and designated verifier . Then outputs a signature and returns or if inputs ().(iv) Challenge. The adversary outputs a message with signer’s possible identities , and designated verifier’s identity to challenger satisfying necessary conditions:(1), , and have never been requested in Extraction queries step.(2)Message (or pair ()) has never been requested in Sign and Verf queries step with , , and . After receiving , tosses a coin randomly, chooses , and computes Sign returned to .(v) Output. At the end of this game, the adversary outputs . If holds, the adversary succeeds in the game. Hence, for any PPT adversary, he has a correct guess after quests in time with negligible probability; then we say this IDbased SDVS satisfies property of () privacy of signer’s identity. That is,
4. Our IDBased SDVS Scheme
In this part, we will provide our detailed construction. Then we get an efficient IDbased SDVS scheme over SIS assumption. Always we assume Alice is the signer and Bob is designated verifier.
4.1. Setup
Let be the rank of lattice, and PKG chooses . There is a low norm solution of SIS problem such that . We can see is indeed the .
4.2. Extract
Let generated by using AES128ECB [19, 20] be a mapping and be a hash function. In addition, we denote () is Alice’s (Bob’s) identity. Then, PKG computes to be seen as the participant’s public key. Since , , PKG can generate the secret keys by computing and . Simply speaking,
4.3. Sign
Alice executes the following steps to sign a signature for message .(1)(2)if is not reversible, then go to step (1).(3)(4)(5)(6)(7)if or , then go to step (3).(8)output signature of message .
Notice that there are two loop conditions in step (1) and step (7). Thus, it is necessary for us to evaluate their efficiencies.(i) About step (1). In [25], Hoffstein et al. proposed a method to search an invertible polynomial within 48.9 ms. Their instance is that satisfies in a trinary polynomial set , where 206 and 205 are numbers of positive coefficients and negative coefficients, respectively. Since such an invertible is contained in set , we can also find it in 48.9 ms.(ii) About step (7). This step is the key to compute the repetition using filtering technique (see [13]). In order to utilize their result, we require that the inequation must be satisfied. Hence we get the repetition is approximately . Obviously, we can see that is a monotonically decreasing function with variable , and the bigger value of seemingly is better. However, two of composition parts of signature are and , and their size is which is positively correlated with parameter . Hence, choosing bigger is not wise. Then we get the optimal solution by observing the following expression, where . Furthermore, the repetition is .
4.4. Verf
When receiving signature from signer Alice, Bob verifies whether the following equation is correct or not:(1)(2)
4.5. Sim
If one gets a quadruple , he chooses two random elements () and to compute and . Hence, he can also compute the following equation, which is an indistinguishable signature with Alice’s.
5. Security
In this part, we will show our scheme satisfies three properties including unforgeability, untransferability, and anonymity (privacy of signer’s identity) according to security model in Section 2.
5.1. Correctness
After receiving the signature of message , designated verifier verifies the condition and computes the value of hash function as follows.Then the following equation holds.
5.2. Unforgeability
Theorem 5. If there is a PPT adversary that has ability to succeed in EUFCMA game, then he can solve SIS problem over .
Proof. Suppose EUFCMA game proceeds as required between and challenger . When finishes Extraction and Sign queries in time , he outputs a new signature with two new identities and satisfying the following conditions:
(1) and have never been requested in Extraction queries step.
(2) Message related with and has never been requested in Sign queries step.
(3) The signature with message , , and is valid.
If Verf (Sign ) holds, then can computeIn addition, the equation holds, which means is satisfied. We can easily see that the adversary gets a solution of SIS problem for a random element .
5.3. Untransferability
Theorem 6. Our IDbased SDVS is untransferability.
Proof. The adversary and challenger play untransferable game as required. After signing and verifying queries, chooses a new massage to query . chooses , and if , computes Sign to answer . That is,output signature of message .
Otherwise, runs Sim to answer adversary’s request. That is,output signature of message . Now we compute the probabilities of above two signatures distributions.Hence, the advantage of guessing for is negligible, and we can obtain
5.4. Anonymity
Theorem 7. If the PPT adversary can distinguish the signer’s identity from given and for a designated verifier’s identity , then he can distinguish the different solutions of SIS problem over .
Proof. Here, we also suppose that and interact with each other as defined of secure model. After Extraction, Sign, and Verf queries are finished, the adversary outputs a message with signer’s possible identities , and designated verifier’s identity to challenger satisfying the above elements that have not been queried.
After receiving , tosses a coin randomly, chooses , and computes Sign returned to . If can guess correctly, this means he can compute the probability as follows.We consider and as different solutions of SIS problem with . Since the result of final equation is negligible, holds.
6. Parameters
Except for , there are several main parameters for evaluating our signature efficiency, which are , and . We will describe them one by one.(i)Parameter . Generally, one wants to get bit security signature; then he will assume the output of hash function is also bit (see [15, 16]). So the parameter satisfies condition .(ii)Parameter . It is chosen according to the actual situations. Firstly, it must make the value of be in the range . In this case, the chosen value satisfying is the best one. Secondly, it can’t enlarge the signature size . To sum up, we show the final equation,(iii)Parameters and . In order to utilize the result [13], we get the condition directly. In addition, since choosing bigger means that we can get a larger signature, we let equal . Besides, according to the definition of , we can easily see . So holds.
Comparison of Signature Size. Here we give a comparison with [9] about signature size, and our result is better than theirs (). Furthermore, we can see that the signature size of our design is the shortest among any other existing IDbased SDVS schemes over ideal lattice. The detailed parameters can be seen in Table 1. Based on what we have discussed in those parameters, we provide the final size of our signature as follows:

7. Conclusion and Further Work
Conclusion. In this paper, we provide an IDbased SDVS scheme over ideal lattice. Our scheme has the shortest signature size and satisfies three properties unforgeability, untransferability, and anonymity proved in the random oracle. Moreover, we use uniform sampling to resist sidechannel attacks in our design, and the repetition approximate 1 means our scheme has a relatively high efficiency.
Further Work. We consider the quantum random oracle. As far as we know, in existing latticebased signature schemes, only TESLA [26] has proved its security in the quantum random oracle. Hence, our further work is to use their method to give a proper proof in the quantum random oracle for our scheme.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported in part by the National Natural Science Foundation of China [grant numbers 61572294, 61602287, 11531008, and 11771252]; the State Key Program of National Natural Science of China [grant number 61632020]; the Natural Science Foundation of Shandong Province [grant number ZR2017MF021]; the Major Innovation Project of Science and Technology, Shandong [grant number 2018CXGC0702]; the Fundamental Research Funds of Shandong University [grant number 2017JC019]; the Primary Research & Development Plan of Shandong Province [grant number 2018GGX101037]; the National Innovation Demonstration Zone Development and Construction Fund Project of Shandong Peninsula [grant number S190101010001]; the Innovative Research Team in University by Ministry of Education [grant number IRT16R43]; and Taishan Scholars Project.
References
 M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques  Advances in Cryptology  EUROCRYPT '96, vol. 1070, pp. 143–154, Saragossa, Spain, May 1996. View at: Publisher Site  Google Scholar
 S. Saeednia, S. Kremer, and O. Markowitch, “An efficient strong designated verifier signature scheme,” in Proceedings of the 6th International Conference, Information Security and Cryptology  ICISC '03, vol. 2971, pp. 40–54, Seoul, Korea, November 2003. View at: Publisher Site  Google Scholar
 F. Laguillaumie and D. Vergnaud, “Designated verifier signatures: anonymity and efficient construction from any bilinear map,” in Proceedings of the 4th International Conference of Security in Communication Networks, SCN '04, Revised Selected Papers, pp. 105–119, Amalfi, Italy, September 2004. View at: Publisher Site  Google Scholar
 W. Susilo, F. Zhang, and Y. Mu, “Identitybased strong designated verifier signature schemes,” in Proceedings of the 9th Australasian Conference, Information Security and Privacy, ACISP '04, pp. 313–324, Sydney, Australia, July 2004. View at: Publisher Site  Google Scholar
 X. Huang, W. Susilo, Y. Mu, and F. Zhang, “Short (identitybased) strong designated verifier signature schemes,” in Proceedings of the 2nd International Conference of Information Security Practice and Experience, ISPEC '06, pp. 214–225, Hangzhou, China, April 2006. View at: Publisher Site  Google Scholar
 O. Blazy, E. Conchon, P. Germouty, and A. Jambert, “Efficient idbased designated verifier signature,” in 12th International Conference on Availability, Reliability and Security, pp. 44:1–44:8, Reggio Calabria, Italy, August 2017. View at: Publisher Site  Google Scholar
 G. Noh, J. Y. Chun, and I. R. Jeong, “Identitybased strong designated verifier signature scheme from lattices,” Journal of the Korea Institute of Information Security and Cryptology, vol. 23, no. 1, pp. 45–56, 2013. View at: Publisher Site  Google Scholar
 F. Wang, Y. Hu, and B. Wang, “Latticebased strong designate verifier signature and its applications,” Malaysian Journal of Computer Science, vol. 25, no. 1, pp. 11–22, 2012. View at: Google Scholar
 F. H. Wang, H. U. YuPu, and C. X. Wang, “Identitybased strong designate verifier signature over lattices,” Journal of China Universities of Posts and Telecommunications, vol. 21, no. 6, pp. 52–60, 2014. View at: Google Scholar
 L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, “Flush, gauss, and reload – a cache attack on the bliss latticebased signature scheme,” in Proceedings of the Cryptographic Hardware and Embedded Systems – CHES '16, B. Gierlichs and A. Y. Poschmann, Eds., pp. 323–345, Springer, Berlin, Germany, 2016. View at: Google Scholar
 P. Pessl, “Analyzing the shuffling sidechannel countermeasure for latticebased signatures,” in Proceedings of the Progress in Cryptology – INDOCRYPT '16, O. Dunkelman and S. K. Sanadhya, Eds., pp. 153–170, Springer International Publishing, Cham, Switzerland, 2016. View at: Google Scholar  MathSciNet
 D. Micciancio and M. Walter, “Gaussian sampling over the integers: efficient, generic, constanttime,” in Proceedings of the 37th Annual International Cryptology Conference  Advances in Cryptology  CRYPTO '17, vol. 10402, pp. 455–485, California, Calif, USA, August 2017. View at: Publisher Site  Google Scholar
 M. Rückert, “Latticebased blind signatures,” in Proceedings of the 16th International Conference on the Theory and Application of Cryptology and Information Security  Advances in Cryptology  ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 413–430, Singapore, December 2010. View at: Publisher Site  Google Scholar  MathSciNet
 L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice signatures and bimodal gaussians,” in Proceedings of the 33rd Annual Cryptology Conference  Advances in Cryptology  CRYPTO '13, Proceedings, Part I, pp. 40–56, California, Calif, USA, August 2013. View at: Publisher Site  Google Scholar
 L. Ducas, T. Lepoint, V. Lyubashevsky et al., “CRYSTALS  dilithium: digital signatures from module lattices,” IACR Cryptology ePrint Archive, 633, 2017, http://eprint.iacr.org/2017/633. View at: Google Scholar
 V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques  Advances in Cryptology  EUROCRYPT '12, pp. 738–755, Cambridge, UK, April 2012. View at: Publisher Site  Google Scholar
 V. Lyubashevsky, “Latticebased identification schemes secure under active attacks,” in Proceedings of the 11th International Workshop on Practice and Theory in PublicKey Cryptography  Public Key Cryptography  PKC '08, vol. 4939, pp. 162–179, Barcelona, Spain, March 2008. View at: Publisher Site  Google Scholar
 V. Lyubashevsky, “Fiatshamir with aborts: applications to lattice and factoringbased signatures,” in Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security  Advances in Cryptology  ASIACRYPT '09, vol. 5912, pp. 598–616, Tokyo, Japan, December 2009. View at: Publisher Site  Google Scholar
 E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Postquantum key exchange  a new hope,” in Proceedings of the 25th USENIX Security Symposium, USENIX Security '16, pp. 327–343, Texas, Tex, USA, August 2016, https://www.usenix.org/conference/usenixsecurity16/technicalsessions/presentation/alkim. View at: Google Scholar
 J. W. Bos, C. Costello, L. Ducas et al., “Take off the ring! practical, quantumsecure key exchange from LWE,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018, Vienna, Austria, October 2016. View at: Publisher Site  Google Scholar
 “Advances in Cryptology  CRYPTO 2013,” in Proceedings of the 33rd Annual Cryptology Conference, R. Canetti and J. A. Garay, Eds., vol. 8042 of Proceedings, Part I, Lecture Notes in Computer Science, Springer, California, Calif, USA, August 2013. View at: Publisher Site  Google Scholar
 O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), pp. 84–93, ACM, Maryland, Md, USA, May 2005. View at: Publisher Site  Google Scholar
 C. Peikert and A. Rosen, “Lattices that admit logarithmic worstcase to averagecase connection factors,” in Proceedings of the 39th Annual ACM Symposium on Theory of Computing, pp. 478–487, ACM, California, Calif, USA, June 2007. View at: Publisher Site  Google Scholar  MathSciNet
 J. Cai, H. Jiang, P. Zhang, Z. Zheng, G. Lyu, and Q. Xu, “An efficient strong designated verifier signature based on Rsis assumption,” IEEE Access, vol. 7, pp. 3938–3947, 2019. View at: Publisher Site  Google Scholar
 J. Hoffstein, J. Pipher, J. M. Schanck, J. H. Silverman, W. Whyte, and Z. Zhang, “Choosing parameters for ntruencrypt,” in Proceedings of the Cryptographers’ Track at the RSA Conference  Topics in Cryptology  CTRSA '17, pp. 3–18, California, Calif, USA, 2017. View at: Publisher Site  Google Scholar
 E. Alkim, N. Bindel, J. A. Buchmann et al., “Revisiting TESLA in the quantum random oracle model,” in Proceedings of the 8th International Workshop  PostQuantum Cryptography, PQCrypto '17, pp. 143–162, The Netherlands, June 2017. View at: Publisher Site  Google Scholar
Copyright
Copyright © 2019 Jie Cai et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.