ID-Based Strong Designated Verifier Signature over -SIS Assumption
In this paper, we propose an ID-based strong designated verifier signature (SDVS) over SIS assumption in the random model. We remove pre-image sampling function and Bonsai trees such complex structures used in previous lattice-based SDVS schemes. We only utilize simple rejection sampling to protect the security of our scheme. Hence, we will show our design has the shortest signature size comparing with existing lattice-based ID-based SDVS schemes. In addition, our scheme satisfies anonymity (privacy of signer’s identity) proved in existing schemes rarely, and it can resist side-channel attacks with uniform sampling.
The first designated verifier signature scheme was proposed by Jakobsson, Sako, and Impagliazzo  in 1996. This signature scheme satisfies that only the designated verifier can verify correctness of generated signatures and he can’t convince others to believe in the validity of these signatures. The main reason for satisfying this property is that the designated verifier can generate an indistinguishable transcript from the real signatures. In , they also provided a notion of strong designated verifier signature (SDVS) to resist an online eavesdropper’s attack. In a SDVS, anyone can create an identical transcript which is indistinguishable from real signatures. Generally speaking, a SDVS needs to satisfy unforgeability and untransferability which were provided by Saeednia, Kremer, and Markowitch in  formally. In , Laguillaumie and Vergnaud added a property, that is, privacy of signer’s identity (anonymity), which means any adversary can’t distinguish Alice’s signature for Bob from Cindy’s signature for Bob without Bob’s secret key.
An advantage of identity-based scheme is that the verifier doesn’t need to generate his public key setup before receiving authenticated message from signer. In , Susilo, Zhang, and Mu first introduced the notion of identity-based SDVS (ID-based SDVS). They gave an efficiently generic construction of such schemes which were based on bilinear Diffie-Hellman assumption.
2. Related Work
2.1. Classical ID-Based SDVS Schemes
Several classical ID-based SDVS have been provided since the first general construction is introduced in . In , Huang et al. proposed a short ID-based SDVS based on bilinear pairing. Their contributions of paper are not merely their shorter signature size, but having two security proofs in random model and in standard model. In addition, the scheme of  has anonymity compared with . Recently, Blazy et al. provided an ID-based SDVS  under CDH assumption in the standard model.
However, classical ID-based SDVS schemes can’t resist against quantum adversaries. Hence, people try to design postquantum ID-based SDVS schemes. With the collection of postquantum algorithms by NIST, lattice-based cryptography is widely studied.
2.2. Lattice-Based ID-Based SDVS Schemes
As far as we know, there are two main postquantum schemes both based on lattice hard problems. The first lattice-based ID-based SDVS was proposed by Noh et al. . They used pre-image sampling function and Bonsai trees (see ) with large parameters to protect the security. Soon Wang et al. proposed a more efficient scheme . The security of this scheme was based on the hardness of LWE and its unforgeability can be reduced to SIS problem in the random model. At the same time, they showed the signature size () is shorter than any other already existing SDVS scheme.
2.3. Our Contribution
In this paper, we propose an efficient ID-based SDVS based on SIS problem over ring in the random model, and our design has advantages as follows:(1)Shorter signature size and lower rejection time. The signature size of our scheme approximately equals . Since holds in practical application, it is easy to see our result is better than . The main reason for this is that we don’t utilize pre-image sampling function and Bonsai trees such complex structures. Then we needn’t choose too large parameters to protect the existence and security of scheme. About efficiency, we use filtering technique (see ) to make the rejection 1.28 lower than others.(2)Resisting side-channel attacks. The common methods of existing sampling over lattice-based signature are Gaussian sampling (see [14–16]) and uniform sampling (see [13, 17, 18]). It has been proved that these schemes with Gaussian sampling lead to side-channel attacks easily [10–12]. Hence we choose uniform sampling to resist them efficiently.(3)Satisfying anonymity. Although anonymity was introduced in  long ago, being proved in existing schemes is very rare indeed. Our scheme satisfies three properties of unforgeability, untransferability, and anonymity. In addition, anonymity can be reduced to solving SIS problem.
Organization of the Paper. We will show the basic notations, relative lattice hard problem assumption and rejection sampling used in our scheme, and detailed definitions of ID-based SDVS and security model in Section 3. Then we propose our ID-based SDVS scheme in detail in Section 4. In Section 5, we provide the proof of security. In Section 6, we present the relationship of our parameters to ensure the existence and security of our scheme. Finally, we give a conclusion and further work in Section 7. Data availability, conflicts of interest, and funding statement can be seen in the last three sections, respectively.
We note ring , where is a prime number and is a power of 2 positive number. The bold small (capital) letters are vectors (matrices), and the normal letters are integers or real. The norm of a vector is denoted by (). means a uniform distribution in which an element is chosen randomly such that . An invertible element in distribution is represented by . An element in is . We note is a hash function. Function maps to , which is derived by using AES128-ECB [19, 20].
3.2. Rejection Sampling
In previous part of our paper, we have shown that using Gaussian sampling can cause serious side-channel attack; then we just provide uniform sampling in this part.
The method of uniform sampling is usually called filtering technique [17, 18]. Its core idea is the signer needs to output a secure signature by choosing its proper range, and its main aim is making such a good output uniform to protect his secret key. In , Rückert provided a form over polynomial rings.
Lemma 1 (see ). Given two sets and , and if given any , , then we have Pr.
Usually, contains information of secret key and signature form is . According to above lemma, we can see that the output is indistinguishable with uniform distribution if and only if it is constrained in the range . Further, if the signature is in this range, doesn’t leak any information about the secret key.
More importantly, this lemma tells us that the signature size is dependent on three parameters , and . In principle, the smaller these chosen parameters, the better. Unfortunately, a smaller value of can cause a larger rejection time (); hence we must find a tradeoff for it. In our scheme, the chosen parameter (replaced by ) is smaller than any other existing ones, which makes our signature size the shortest.
3.3. Lattice Assumption
There are two important average-case problems, SIS and LWE, in lattices which can be reduced to the worst-case problems GapSVP and SIVP [21, 22]. A formal form of SIS problem is always denoted . Here we list its form over ring, which is at least as hard as worst-case problem on ideal lattices (see ).
Definition 2 (see ). Let be some ring and be some distribution over , where is the quotient ring . Given a random matrix following the distribution , find a nonzero vector such that and , which is denoted problem.
Compared with SIS, SIS is more compact and more efficient. In order to ensure existing of a sufficiently short solution, the dimension in SIS is approximate instead of in SIS problem. Furthermore, one can compute in quasilinear time with fast Fourier transform (FFT).
Besides, SIS and its associated cryptographic functions also can be proved at least as hard as certain lattice (called ideal lattice over ring ) problems in the worst case. In , Peikert and Rosen provided that SIS is at least as hard as worst-case () on ideal lattice in , where is the ring of algebraic integers in any number field . Particularly, the fastest time in known (quantum) algorithms to solve problem on ideal lattice is exponential . Indeed, now it seems that the additional algebraic structure of ideal lattices does not bring any advantages to solving this problem.
3.4. An Equivalent Construction of Random Matrix
Since our design has many matrix multiplications, we need to find an equivalent square matrix to satisfy their multiplicability. Moreover, in , Lyubashevsky showed that if , there are linearly independent columns in a random matrix with probability , when is a prime of size bigger than .
In order to construct an efficient lattice-based SDVS scheme, we have introduced this idea in , so we provide it in brief here.
Lemma 3. If , , satisfies , then we construct a new matrix, and we have , where .
Proof. According to the multiplicability of the partitioned matrix, we can compute the below equation,This lemma shows that such a square matrix has two advantages for our scheme as follows:(i)Don’t change the security. Notice that the new square matrix has the same solution as the common form based on SIS assumption. Hence, they have equivalent security.(ii)Don’t change the efficiency. Although the dimension of matrix is increased, it doesn’t cause extra computation by filling zero matrix in original one.
3.5. Definitions of ID-Based SDVS
An ID-based SDVS scheme contains five polynomial time algorithms (Setup, Extract, Sign, Verf, and Sim) between two participants Alice (signer) and Bob (designated verifier). Every participant has his identity (). Generally, there exists a private key generator (PKG) to provide a secret key () for each participant during an extract algorithm. The detailed descriptions of these algorithms are shown as follows.
Definition 4. Given a security parameter , an ID-based SDVS is defined by algorithms:(1)Setup: It is a probabilistic algorithm inputting the security parameter and outputting system parameters () and master key (). That is, (2)Extract: It is a deterministic (probabilistic) algorithm inputting , and participant’s identity and outputting relative secret key . Actually, the identity is often considered public key of participant, and () belongs to Alice (Bob) in two-party schemes. Specifically, (3)Sign: It is a deterministic (probabilistic) algorithm inputting signer’s secret key , designated verifier’s public key , and message . Then it outputs a signature .(4)Verf: It is a deterministic algorithm inputting message and relatively received signature from signer Alice, and . The designated verifier Bob verifies whether the following equation is correct or not: (5)Sim: It is a probabilistic algorithm inputting a quadruple . Anyone can generate an indistinguishable signatures generated by the triple .
Security Model(1) Correctness: For all valid Sign , the designated verifier always gets the following result: (2) Unforgeability: We provide a game between a PPT adversary and a challenger to define existential unforgeability against adaptive chosen message attack (EUF-CMA). In addition, we denote that and are signer and designated verifier ID, respectively.(i) Setup. The challenger runs the following algorithm to generate and . (ii) Extraction queries. The adversary can query the secret key of signer with . Then runs Extract to answer him. That is, can get .(iii) Sign queries. When obtains , he queries a signature with message and designated verifier . Then answers him with a correct signature by algorithm Sign .(iv) Output. At the end of this game, the adversary is able to generate a new signature with message , and satisfying necessary conditions:(1) and have never been requested in Extraction queries step.(2)Message related with and has never been requested in Sign queries step.(3)The signature with message , and is valid. Then, we provide a formal security description of EUF-CMA. We say the ID-based SDVS scheme is EUF-CMA secure, if the following probability is negligible for any PPT adversary runs above game in time . where is a negligible function of secure parameter .(3) Untransferability: This property simply means that any PPT adversary can’t distinguish the real signature and simulated one in below game between and challenger .(i) Setup. The challenger runs algorithm Setup to generate and .(ii) Sign and Verf queries. The PPT adversary queries for Sign and Verf queries adaptively for chosen message . The challenger answers him by running algorithms Sign and Verf. Notice that the identities of two participants are fixed and the parameter is form 1 to in this step.(iii) Challenge. After signing and verifying queries, chooses a new massage to query . tosses a coin randomly and chooses . When , he runs correctly; otherwise he runs to answer adversary’s request.(iv) Output. At the end of this game, the adversary outputs . If holds, the adversary succeeds in the game. Formally, for any PPT adversary, he has a correct guess after quests in time with negligible probability; then we say this ID-based SDVS is () untansferable. That is, (4) Anonymity: To be accurate, any adversary can’t distinguish the real signer’s identity form given and for a designated verifier’s identity . It is similar with witness indistinguishable property actually. The detailed description of game is shown as follows.(i) Setup. The challenger runs algorithm Setup to generate and .(ii) Extraction queries. The adversary can query the secret key of signer with . Then runs Extract to answer him.(iii) Sign and Verf queries. queries the signature with message for the signer and designated verifier . Then outputs a signature and returns or if inputs ().(iv) Challenge. The adversary outputs a message with signer’s possible identities , and designated verifier’s identity to challenger satisfying necessary conditions:(1), , and have never been requested in Extraction queries step.(2)Message (or pair ()) has never been requested in Sign and Verf queries step with , , and . After receiving , tosses a coin randomly, chooses , and computes Sign returned to .(v) Output. At the end of this game, the adversary outputs . If holds, the adversary succeeds in the game. Hence, for any PPT adversary, he has a correct guess after quests in time with negligible probability; then we say this ID-based SDVS satisfies property of () privacy of signer’s identity. That is,
4. Our ID-Based SDVS Scheme
In this part, we will provide our detailed construction. Then we get an efficient ID-based SDVS scheme over SIS assumption. Always we assume Alice is the signer and Bob is designated verifier.
Let be the rank of lattice, and PKG chooses . There is a low norm solution of SIS problem such that . We can see is indeed the .
Let generated by using AES128-ECB [19, 20] be a mapping and be a hash function. In addition, we denote () is Alice’s (Bob’s) identity. Then, PKG computes to be seen as the participant’s public key. Since , , PKG can generate the secret keys by computing and . Simply speaking,
Alice executes the following steps to sign a signature for message .(1)(2)if is not reversible, then go to step (1).(3)(4)(5)(6)(7)if or , then go to step (3).(8)output signature of message .
Notice that there are two loop conditions in step (1) and step (7). Thus, it is necessary for us to evaluate their efficiencies.(i) About step (1). In , Hoffstein et al. proposed a method to search an invertible polynomial within 48.9 ms. Their instance is that satisfies in a trinary polynomial set , where 206 and 205 are numbers of positive coefficients and negative coefficients, respectively. Since such an invertible is contained in set , we can also find it in 48.9 ms.(ii) About step (7). This step is the key to compute the repetition using filtering technique (see ). In order to utilize their result, we require that the inequation must be satisfied. Hence we get the repetition is approximately . Obviously, we can see that is a monotonically decreasing function with variable , and the bigger value of seemingly is better. However, two of composition parts of signature are and , and their size is which is positively correlated with parameter . Hence, choosing bigger is not wise. Then we get the optimal solution by observing the following expression, where . Furthermore, the repetition is .
When receiving signature from signer Alice, Bob verifies whether the following equation is correct or not:(1)(2)
If one gets a quadruple , he chooses two random elements () and to compute and . Hence, he can also compute the following equation, which is an indistinguishable signature with Alice’s.
In this part, we will show our scheme satisfies three properties including unforgeability, untransferability, and anonymity (privacy of signer’s identity) according to security model in Section 2.
After receiving the signature of message , designated verifier verifies the condition and computes the value of hash function as follows.Then the following equation holds.
Theorem 5. If there is a PPT adversary that has ability to succeed in EUF-CMA game, then he can solve SIS problem over .
Proof. Suppose EUF-CMA game proceeds as required between and challenger . When finishes Extraction and Sign queries in time , he outputs a new signature with two new identities and satisfying the following conditions:
(1) and have never been requested in Extraction queries step.
(2) Message related with and has never been requested in Sign queries step.
(3) The signature with message , , and is valid.
If Verf (Sign ) holds, then can computeIn addition, the equation holds, which means is satisfied. We can easily see that the adversary gets a solution of SIS problem for a random element .
Theorem 6. Our ID-based SDVS is untransferability.
Proof. The adversary and challenger play untransferable game as required. After signing and verifying queries, chooses a new massage to query . chooses , and if , computes Sign to answer . That is,output signature of message .
Otherwise, runs Sim to answer adversary’s request. That is,output signature of message . Now we compute the probabilities of above two signatures distributions.Hence, the advantage of guessing for is negligible, and we can obtain
Theorem 7. If the PPT adversary can distinguish the signer’s identity from given and for a designated verifier’s identity , then he can distinguish the different solutions of SIS problem over .
Proof. Here, we also suppose that and interact with each other as defined of secure model. After Extraction, Sign, and Verf queries are finished, the adversary outputs a message with signer’s possible identities , and designated verifier’s identity to challenger satisfying the above elements that have not been queried.
After receiving , tosses a coin randomly, chooses , and computes Sign returned to . If can guess correctly, this means he can compute the probability as follows.We consider and as different solutions of SIS problem with . Since the result of final equation is negligible, holds.
Except for , there are several main parameters for evaluating our signature efficiency, which are , and . We will describe them one by one.(i)Parameter . Generally, one wants to get bit security signature; then he will assume the output of hash function is also bit (see [15, 16]). So the parameter satisfies condition .(ii)Parameter . It is chosen according to the actual situations. Firstly, it must make the value of be in the range . In this case, the chosen value satisfying is the best one. Secondly, it can’t enlarge the signature size . To sum up, we show the final equation,(iii)Parameters and . In order to utilize the result , we get the condition directly. In addition, since choosing bigger means that we can get a larger signature, we let equal . Besides, according to the definition of , we can easily see . So holds.
Comparison of Signature Size. Here we give a comparison with  about signature size, and our result is better than theirs (). Furthermore, we can see that the signature size of our design is the shortest among any other existing ID-based SDVS schemes over ideal lattice. The detailed parameters can be seen in Table 1. Based on what we have discussed in those parameters, we provide the final size of our signature as follows:
7. Conclusion and Further Work
Conclusion. In this paper, we provide an ID-based SDVS scheme over ideal lattice. Our scheme has the shortest signature size and satisfies three properties unforgeability, untransferability, and anonymity proved in the random oracle. Moreover, we use uniform sampling to resist side-channel attacks in our design, and the repetition approximate 1 means our scheme has a relatively high efficiency.
Further Work. We consider the quantum random oracle. As far as we know, in existing lattice-based signature schemes, only TESLA  has proved its security in the quantum random oracle. Hence, our further work is to use their method to give a proper proof in the quantum random oracle for our scheme.
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was supported in part by the National Natural Science Foundation of China [grant numbers 61572294, 61602287, 11531008, and 11771252]; the State Key Program of National Natural Science of China [grant number 61632020]; the Natural Science Foundation of Shandong Province [grant number ZR2017MF021]; the Major Innovation Project of Science and Technology, Shandong [grant number 2018CXGC0702]; the Fundamental Research Funds of Shandong University [grant number 2017JC019]; the Primary Research & Development Plan of Shandong Province [grant number 2018GGX101037]; the National Innovation Demonstration Zone Development and Construction Fund Project of Shandong Peninsula [grant number S190101010001]; the Innovative Research Team in University by Ministry of Education [grant number IRT16R43]; and Taishan Scholars Project.
M. Jakobsson, K. Sako, and R. Impagliazzo, “Designated verifier proofs and their applications,” in Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques - Advances in Cryptology - EUROCRYPT '96, vol. 1070, pp. 143–154, Saragossa, Spain, May 1996.View at: Publisher Site | Google Scholar
F. Laguillaumie and D. Vergnaud, “Designated verifier signatures: anonymity and efficient construction from any bilinear map,” in Proceedings of the 4th International Conference of Security in Communication Networks, SCN '04, Revised Selected Papers, pp. 105–119, Amalfi, Italy, September 2004.View at: Publisher Site | Google Scholar
X. Huang, W. Susilo, Y. Mu, and F. Zhang, “Short (identity-based) strong designated verifier signature schemes,” in Proceedings of the 2nd International Conference of Information Security Practice and Experience, ISPEC '06, pp. 214–225, Hangzhou, China, April 2006.View at: Publisher Site | Google Scholar
F. Wang, Y. Hu, and B. Wang, “Lattice-based strong designate verifier signature and its applications,” Malaysian Journal of Computer Science, vol. 25, no. 1, pp. 11–22, 2012.View at: Google Scholar
F. H. Wang, H. U. Yu-Pu, and C. X. Wang, “Identity-based strong designate verifier signature over lattices,” Journal of China Universities of Posts and Telecommunications, vol. 21, no. 6, pp. 52–60, 2014.View at: Google Scholar
L. G. Bruinderink, A. Hülsing, T. Lange, and Y. Yarom, “Flush, gauss, and reload – a cache attack on the bliss lattice-based signature scheme,” in Proceedings of the Cryptographic Hardware and Embedded Systems – CHES '16, B. Gierlichs and A. Y. Poschmann, Eds., pp. 323–345, Springer, Berlin, Germany, 2016.View at: Google Scholar
P. Pessl, “Analyzing the shuffling side-channel countermeasure for lattice-based signatures,” in Proceedings of the Progress in Cryptology – INDOCRYPT '16, O. Dunkelman and S. K. Sanadhya, Eds., pp. 153–170, Springer International Publishing, Cham, Switzerland, 2016.View at: Google Scholar | MathSciNet
D. Micciancio and M. Walter, “Gaussian sampling over the integers: efficient, generic, constant-time,” in Proceedings of the 37th Annual International Cryptology Conference - Advances in Cryptology - CRYPTO '17, vol. 10402, pp. 455–485, California, Calif, USA, August 2017.View at: Publisher Site | Google Scholar
M. Rückert, “Lattice-based blind signatures,” in Proceedings of the 16th International Conference on the Theory and Application of Cryptology and Information Security - Advances in Cryptology - ASIACRYPT '10, vol. 6477 of Lecture Notes in Computer Science, pp. 413–430, Singapore, December 2010.View at: Publisher Site | Google Scholar | MathSciNet
L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice signatures and bimodal gaussians,” in Proceedings of the 33rd Annual Cryptology Conference - Advances in Cryptology - CRYPTO '13, Proceedings, Part I, pp. 40–56, California, Calif, USA, August 2013.View at: Publisher Site | Google Scholar
V. Lyubashevsky, “Lattice-based identification schemes secure under active attacks,” in Proceedings of the 11th International Workshop on Practice and Theory in Public-Key Cryptography - Public Key Cryptography - PKC '08, vol. 4939, pp. 162–179, Barcelona, Spain, March 2008.View at: Publisher Site | Google Scholar
V. Lyubashevsky, “Fiat-shamir with aborts: applications to lattice and factoring-based signatures,” in Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security - Advances in Cryptology - ASIACRYPT '09, vol. 5912, pp. 598–616, Tokyo, Japan, December 2009.View at: Publisher Site | Google Scholar
E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Post-quantum key exchange - a new hope,” in Proceedings of the 25th USENIX Security Symposium, USENIX Security '16, pp. 327–343, Texas, Tex, USA, August 2016, https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim.View at: Google Scholar
J. Hoffstein, J. Pipher, J. M. Schanck, J. H. Silverman, W. Whyte, and Z. Zhang, “Choosing parameters for ntruencrypt,” in Proceedings of the Cryptographers’ Track at the RSA Conference - Topics in Cryptology - CT-RSA '17, pp. 3–18, California, Calif, USA, 2017.View at: Publisher Site | Google Scholar