Research Article | Open Access

# Scalable Revocable Identity-Based Signature Scheme with Signing Key Exposure Resistance from Lattices

**Academic Editor:**Bruce M. Kapron

#### Abstract

In 2014, a new security definition of a revocable identity-based signature (RIBS) with signing key exposure resistance was introduced. Based on this new definition, many scalable RIBS schemes with signing key exposure resistance were proposed. However, the security of these schemes is based on traditional complexity assumption, which is not secure against attacks in the quantum era. Lattice-based cryptography has many attractive features, and it is believed to be secure against quantum computing attacks. We reviewed existing lattice-based RIBS schemes and found that all these schemes are vulnerable to signing key exposure. Hence, in this paper, we propose the first lattice-based RIBS scheme with signing key exposure resistance by using the left-right lattices and delegation technology. In addition, we employ a complete subtree revocation method to ensure our construction meeting scalability. Finally, we prove that our RIBS scheme is selective-ID existentially unforgeable against chosen message attacks (EUF-sID-CMA) under the standard short integer solutions (SIS) assumption in the random oracle model.

#### 1. Introduction

Nowadays, dynamic management systems are becoming increasingly popular in enterprises and schools. A common operation in these systems is deleting users. Although many works with efficient revocation mechanisms have been proposed for public key cryptography, and only a few studies have been conducted on identity-based cryptography, which uses a user’s identity as his/her public key. Boneh and Franklin [1] proposed an approach to revoke users in an identity-based setting, but this results in a heavy computation overhead at the key generation center (KGC). In order to reduce the KGC’s overhead, Boldyreva et al. [2] employed a binary tree to propose the first scalable revocable identity-based encryption (RIBE) scheme, in which the overhead of the KGC is logarithmically increased based on the number of users. All subsequent scalable RIBE schemes [3–5] followed Boldyreva et al.’s basic framework and security model. However, in 2013, Seo and Emura [6] found that all existing Boldyreva-based scalable RIBE schemes are vulnerable to decryption key exposure. They then improved the definition and security model of RIBE and proposed the first scalable RIBE with decryption key exposure resistance. Meanwhile, they also introduced a new security definition of an RIBS with signing key exposure resistance and proposed the first scalable RIBS scheme. In 2013, Tsai et al. studied the revocation problem in identity-based signatures and proposed the first revocable identity-based signature (RIBS) scheme from bilinear pairings. All subsequent RIBS schemes [7–9] were constructed based on Tsai’s definition and security model. Unfortunately, these RIBS schemes are also vulnerable to signing key exposure attacks. It is worth noting that the security of all abovementioned RIBS schemes are based on the traditional complexity problem, namely, the Diffie–Hellman problem. Hence, these schemes would not be secure against attacks from quantum computers. Lattice-based cryptography has many attractive features, and it is believed to be secure against attacks using quantum computers. In 2015, Xinyin [10] utilized a complete subtree structure to propose the first lattice-based RIBS scheme, which adopts secret channels to send periodic time update keys. Since the update keys are transmitted in a secret way, they can avoid signing key exposure. Recently, Hung et al. [11] employed the rejection sampling technique [12] to propose a new latticed-based RIBS scheme. Their scheme has a better performance in terms of signature size, signing key size, and the revocation mechanism with public channels. However, the KGC’s overhead increases linearly with the number of users, which results in issues with scalability. Moreover, their scheme cannot avoid signing key exposure. As far as we know, there is no lattice-based scalable RIBS scheme with signing key exposure resistance and the update keys are regularly sent over public channels.

##### 1.1. Our Contributions

The main contributions of our paper are summarized as follows:(1)We study the approach used to achieve signing key exposure resistance in Seo et al.’s RIBS scheme and adopt Agrawal et al.’s left-right lattices and delegation technology to propose the first lattice-based RIBS scheme with signing key resistance(2)We then set all the parameters to ensure our construction’s correctness and prove that our construction is selective-ID existentially unforgeable against chosen message attacks (EUF-sID-CMA) under the standard short integer solutions (SIS) assumption(3)Our revocation mechanism employs Boldyreva et al.’s binary tree structure to meet scalability needs and ensures that the KGC does not need to send periodic time update keys over secret channels

##### 1.2. Related Work

###### 1.2.1. Revocable Identity-Based Encryption Schemes

In 1984, Shamir [13] first proposed the concept of an identity-based cryptosystem, which uses a user’s identity as his/her public key. In 2001, Boneh and Franklin [1] proposed the first practical identity-based encryption (IBE) scheme. They also considered the revocation problem in an identity-based setting and presented an approach to revoke users, but this imposes a huge overhead on the KGC. In 2008, Boldyreva et al. [2] introduced a basic framework and security model for RIBE and proposed the first scalable RIBE scheme, which greatly reduces the KGC’s overhead. However, their scheme is only selective-ID secure. Later, Libert and Vergnaud [3] proposed an adaptive-ID secure RIBE scheme. All of the above RIBE schemes are constructed based on parings. In 2012, Chen et al. [4] proposed the first lattice-based scalable RIBE scheme based on Boldyreva’s definition and security model. In 2013, Seo and Emura [6] revisited all existing scalable RIBE schemes and found that all of them are vulnerable to decryption key exposure. They then introduced a new security definition for RIBE and proposed the first scalable RIBE scheme with decryption key exposure resistance. Since then, several RIBE schemes with decryption key exposure resistance [14–17] have been proposed that are built on bilinear groups. In 2017, Takayasu and Watanabe [18] proposed the first lattice-based RIBE scheme with bounded decryption key exposure resistance.

###### 1.2.2. Revocable Identity-Based Signature Schemes

In 2013, Tsai et al. [7] proposed the first RIBS scheme based on bilinear pairings, which is EUF-CMA in a random oracle. Also relying on bilinear pairings, Hung et al. [9] proposed a strongly EUF-CMA secure RIBS scheme without a random oracle. Since the pairing computation is considered a rather expensive operation, Sun et al. [8] proposed an RIBS scheme without pairings. Aforementioned all RIBS schemes are not scalable or satisfying signing key exposure resistance. In 2013, Seo and Emura [6] introduced a new security definition of revocable identity-based signature (RIBS) with signing key exposure resistance and proposed the first scalable RIBS scheme based on the Paterson–Schuldt IBS. In order to improve the efficiency of key revocation, Liu et al. [19] proposed a strongly unforgeable RIBS scheme in the standard model, which can efficiently revoke users and resist key exposure attacks. Subsequently, Wei et al. [20] proposed an RIBS scheme with forward secure. Yang et al. [21] improved Hung et al.’s RIBS scheme [9] and also constructed an RIBS scheme in the standard model with strong unforgeability and signing key exposure resistance. And Zhao et al. [22] also proposed a communication-efficient RIBS scheme from multilinear maps. However, all of them cannot resist quantum attacks. In 2015, Xinyin [10] proposed an RIBS scheme based on lattices, but the revocable functionality channel is secret. Then, Hung et al. [11] proposed an RIBS scheme based on NTRU lattices, in which the KGC sends regular update keys in public channels. One limitation of their scheme is that it is vulnerable to decryption key exposure. Therefore, no lattice-based scalable RIBS schemes with signing key exposure resistance have been proposed so far.

The rest of the paper is organized as follows: in Section 2, we present some important preliminaries. In Section 3, we present the definition and security model of the RIBS. In Section 4, based on Agrawal et al. ‘s left-right lattices and delegation technology, we construct a concrete scalable RIBS scheme and prove that our construction meets the EUF-sID-CMA security standards. In Section 5, we give some comparisons with previous works in terms of functionalities. Section 6 concludes the paper.

#### 2. Preliminaries

##### 2.1. Notation

is a ring of integers modulo *q* and represents integers in , where . is a set of matrices, in which the elements are in . denotes the Euclidean norm of a vector . Matrix is the transpose of , and represents the norm of a matrix which is defined as the largest norm of its columns. Given matrix , and are ’s Gram–Schmidt orthogonalization and Gram–Schmidt norm.

##### 2.2. Lattices

*Definition 1. *Given prime *q*, , and , define following lattices:Let be the standard Gaussian function with center and variance σ. For a lattice and all the ’s points , define the discrete Gaussian distribution over as . For ease of notation, we use as ’s abbreviate.

The following lemma from [23, 24] is very useful for our construction.

Lemma 1. *Given and , ’s basis , , Then, for and , algorithm outputs and its distribution is statistically close to , where and is not empty.*

The following fact from [23] will be used in our security proof.

Lemma 2. *Given n, positive prime q, , and , mod q’s distribution is statistically close to ’s uniform except with a fraction of all , where is from .*

##### 2.3. Some Algorithms

We first recall an algorithm investigated by [24–26], which generates a random lattice and ’s short basis .

Lemma 3. *Given and , with overwhelming probability, outputs ( and its basis ), , where ’s distribution is statistically close to ’s uniform.*

The following lemma derived from [23] shows that the algorithm can convert any full-rank set of vectors in a lattice to a basis efficiently and meanwhile cannot increase the norm of the Gram–Schmidt vectors.

Lemma 4. *Given a l-dimensional lattice ’s arbitrary basis and a full-rank set , there exist a deterministic algorithm that can convert to and for all , , where is a basis of .*

Another two algorithms in [27] will be used to construct and prove our following scheme, respectively.

Lemma 5. *Given , , and , algorithm outputs a vector distributed statistically close to with full-rank matrix , ’s basis , matrix , and vector , where .*

Lemma 6. *Given , , and , algorithm outputs a vector distributed statistically close to with , , , ’s basis , vector , and parameter , where , .*

The following two algorithms from [28] will be also used to construct and prove our following scheme respectively.

Lemma 7. *Given a rank n matrix , a -invertible matrix sampled from , a basis of , and a parameter . Algorithm outputs a basis of , where .*

Lemma 8. *Let and be a prime. For all but at most a fraction of rank n matrix , algorithm outputs a matrix sampled from a distribution statistically close to . The generated basis of satisfies with overwhelming probability.*

##### 2.4. Norm of Random Matrix

The following definition from [28] defines a distribution on matrices with low norm and defines an algorithm to sample these matrices.

*Definition 2. *We say that a matrix in is -invertible if mod *q* is invertible as a matrix in . Define . We let denote the distribution on matrices in defined as with the condition that -invertible and meanwhile . Algorithm samples matrices in and their distributions are statistically close to .

##### 2.5. Small Integer Solution Problem

*Definition 3 (SIS). *For any and any function , given an integer q, a uniform and random matrix and a real number , the average-case is the problem of finding a nonzero integer vector satisfying mod *q* and .

It has been proved by Micciancio and Regev [29] that for certain parameters, the average-case problem is as hard as approximating to the worst-case shortest independent vector problem within certain factors.

##### 2.6. Encoding Identities or Times as Matrices

In our following scheme, we use an injective encoding function to map identities or times in to matrices in , whose concrete construction can be found in [27].

*Definition 4. *Given a prime q and a positive integer n, which is an encoding with full-rank differences (FRD) that satisfies the following:(1) is full rank for all distinct (2)*H is a polynomial computable function in *

#### 3. Definition of RIBS Scheme

In this section, we give the formal definition of the syntax and the security model of RIBS derived in [6]. First, we give the syntax of the RIBS scheme. An RIBS scheme consists of seven algorithms (Setup, PriKeyGen, KeyUpd, SignKeyGen, Sign, Verify, and KeyRev). Let , , and be a message space, an identity space, and a time space, respectively.

*Definition 5 (syntax of RIBS). * **Setup** takes a security parameter *λ* and a maximal number of users *N* as input and outputs the public parameters which includes the message space , a master secret key , a revocation list (initially empty), and a state . This is a stateful algorithm and run by the key authority. **PriKeyGen** takes the public parameters , the master secret key , and an identity as input and outputs a private key and an updated state . This is stateful and also run by the key authority. **KeyUpd** takes the public parameters , the master secret key , a time , the current revocation list , and the state as input and outputs a update key . This is run by the key authority*.* **SignKeyGen** takes a private key and an update key as input and outputs a signing key or a special symbol indicating that was revoked. This is a probabilistic algorithm and run by the signer. **Sign** takes the public parameters , an identity , a time , a signing key , and a message as input and outputs a signature σ. **Verify** takes the public parameters and an identity , a time , and a message/signature pair () as input and outputs 1 (accept) or 0 (reject). **KeyRev** takes a revoked identity , a time , a revocation list , and a state as input and outputs an updated revocation list . This is stateful and run by the key authority.

##### 3.1. Correctness

The correctness requires that for all , polynomials *N*, all output by , all , , , and all possible valid states and revocation lists , if identity is not revoked in time *t*, then for , , and , it has .

Next, we provide a security definition of the RIBS scheme that captures realistic threats including signing key exposure.

*Definition 6 (EUF-sID-CMA). *The selective-ID essential unforgeable against chosen message attacks (EUF-sID-CMA) security model of the RIBS scheme is defined via the following game between an adversary and a challenger . Initial: the adversary first outputs the challenge identity , time , and also some information state it wants to preserve. Setup: the challenger runs **Setup** to generate public parameters , a master secret key , a revocation list (initial empty), and a state . It gives to the adversary and keeps secret. Query: may make some queries as follows:(i)** PriKeyGen Query:** on receiving a private key query, the challenger runs PriKeyGen to return a private key to (ii)

**on**

*Key Update Query:***an update key query, the challenger runs KeyUpd to return an update key to (iii)**

*receiving***on receiving a revocation query, the challenger runs KeyRev to return an update list to (iv)**

*Revocation Query:***on**

*SignKeyGen Query:***a signing key query for an identity and a time, the challenger runs PriKeyGen and KeyUpd to return a signing key to (v)**

*receiving***on receiving a signature query for a chosen message, an identity, and a time, the challenger runs Sign to return a signature to**

*Signature Query:***Forgery**: at the end of the game, outputs a forgery of a message/signature pair on the behalf of the identity in the time period . If satisfies the following four conditions, then it wins the above game:(i)(ii)Key Update Query and

**Query can be queried on time which is greater than or equal to the time of all previous queries(iii)Revocation Query cannot be queried on time**

*Revocation**t*if Key Update Query was queried on

*t*(iv)If PriKeyGen Query was

**for identity , then the Revocation Query must be queried for identity on time (v)SignKeyGen Query cannot be queried on time**

*queried**t*before Key Update Query was queried on

*t*(vi)SignKeyGen Query cannot be queried for identity on time (vii)Signature Query cannot be

**for challenge message under identity on time The probability of winning the above game is the advantage of . If there does not exist any PPT adversary who has nonnegligible advantage in the above game, then the RIBS scheme is EUF-sID-CMA secure.**

*queried*#### 4. Our Scalable RIBS Scheme

In our RIBS scheme, a user’s signing key is generated from a private key and periodical update key. The PKG periodically generates update keys and sends them to the nonrevoked users. After obtaining the update keys, the nonrevoked users can generate a valid signing key with their private key. In the process of constructing our RIBS, it is a challenging technical difficulty that a valid signing key should be guaranteed as a certain lattice space’s short basis which is used as a trapdoor to sample vectors. In order to solve this difficulty, we improve the preimage sampling algorithm and redefine it as the SampleSubInv algorithm. Therefore, in the following, we first introduce the SampleSubInv algorithm and then we give the concrete construction of RIBS and provide the process of proving its security. Throughout the section, the function refers to the FRD map (if , it can be hashed into by using a collision resistant hash). Hash function is a random oracle that outputs matrices in , namely, : .

##### 4.1. SampleSubInv Algorithm

**Algorithm SampleSubInv**: the algorithm takes a rank *n* matrix , a matrix , a basis of , a matrix , and a parameter as input and works as follows:(1)Let , for do(1a)Sample as the output of , then mod *q* and is sampled from a distribution statistically close to (1b)If is linearly independent of , accept . Otherwise, repeat step (1a)(2)Let be the matrix whose columns are . Output

Note that , and matrix is invertible. The analysis of algorithm SampleSubInv uses Corollary 3.16 of literature [30] which shows that a linearly independent set is produced in step (1a) w.h.p. after samples from . It is not difficult to show that only samples are needed in expectation.

##### 4.2. Construction

Our concrete scalable RIBS scheme with signing key resistance works as follows: **Setup**: the setup algorithm takes a security parameter *λ* and a maximal number of users *N* as input and proceeds as follows:(1)Pick Gaussian parameters and set the parameters . These parameters are implicitly known to all of the algorithms below.(2)Sample random matrices: in , where *l* is the length of message.(3)Sample matrix with associated trapdoor: .(4)Output public parameters , master secret key , a revocation list , and a state . PriKeyGen: this algorithm takes as input the public parameters , a master secret key , an identity , and a state . Then it picks an unassigned leaf node ν from BT, stores in that node, and performs the following steps:(1)For each node , pick random matrix and store it in node θ(2)Sample , (3)Sample (4)Store in node θ(5)Output private key **KeyUpd**: this algorithm takes the public parameters , a master secret key , a time , a revocation list , and a state as input and proceeds as follows:(1)Sample and (2) and sample and compute , where is an algorithm KUNodes from [4](3)Sample (4)Output update key **SignKeyGen**: this algorithm takes a private key and an update key as input and runs the following steps:(1)Set and compute and (2) and , if , then set(3)Generate by running Lemma 4 which takes as input ( is an invertible matrix with some norm which will be proved in the Theorem 1). Then, run the algorithm to generate and output . **Sign**: the signing algorithm takes the public parameters , an identity , a time *t*, a signing key , and a message as input and outputs signature σ as follows:(1)Sample the algorithm such that , where (2)Output signature σ **Verify** : the verify algorithm takes the public parameters , an identity , a time , and a pair of message/signature as input and accepts only if the following conditions are satisfied:(i), (ii) **KeyRev**: this algorithm takes a revoked identity , a time *t*, a revocation list , and a state as input and adds to for all nodes ν associated with identity and returns .

Theorem 1. * is an invertible matrix with small norm.*

*Proof. *First, we show that is a small norm matrix. From the construction, we know thatwhich are small norm matrices. Then, we can get . Second, we will show is an invertible matrix. For matrix , we make an elementary transformation and finally obtainSince , and by the SampleSubInv algorithm in the KeyGen phase, we can see is an invertible matrix. Because and are -invertible matrices, then is invertible and then is an invertible matrix. In summary, is an invertible matrix with small norm.

The correctness equality in Verify follows from the SampleLeft algorithm. In order to ensure the correctness and security of the above construction, we set the following: , , , , , , , , where λ is the security parameter.

##### 4.3. Security

The following theorem shows that our scalable RIBS scheme is secure.

Theorem 2. *The construction of the scalable RIBS scheme is -- secure provided that the assumption holds.*

*Proof. *Assume wins the game in Section 3 and *Q* is the signing queries maximum number. We can construct a solver that provides a valid solution to the SIS problem. first gives the target identity and time . is given a random instance of the -SIS problem and is asked to return an admissible solution. That is,(i)Provided: a matrix from ’s uniform distribution(ii)Returned: any vector such that and performs as follows: : provides the adversary with simulated parameters as follows:(1)Run algorithm to obtain (2)Choose random matrices and and also choose *l* random scalars for . Let , , , and (3)Output the parameters **PriKeyGen Query and Key Update Query: ** first picks a node and allots it to . It is worth noting that there will be two types of adversaries:(i)Type (a) adversaries are revoked users and can challenge the target identity before or on time (ii)Type (b) adversaries cannot challenge the target identity at any time picks a **bit ** randomly as a guess for the type of adversarial behavior. Clearly, the probability of ’s correct guesses is 1/2. Type (a) adversaries (): simulates each node θ’s matrix as follows:(i)if , sample , and , set , . Compute , and store in the node θ.(ii)if , sample , and , set , . Store in the node *θ*.Since has been revoked before time , it has and returns ’s private key and ’s update key .

Type (b) adversaries (): simulates each node θ’s matrix as follows: Since is never queried, does not need to simulate ’s private key. It samples and and sets , . It stores in the node θ. If , returns ’s update key .Note that, when , for each node *θ*, is generated either through or though where and . Since the distribution of and are statistically close to ’s uniform distribution by leftover hash lemma, then all the above are statistically close to uniform over ; when , for each node *θ*, is generated either through or through uniform distribution in , where . No matter which case, we can have and and and . Since the distribution of and are Gaussian distribution, then the distribution of and is statistically close to Gaussian distribution. In conclusion, the distribution of the simulated system is statistically close to the real system.

For ’s private key queries and ’s update key queries, uses the trapdoor instead of . Let and . From the definition of FRD, and are nonsingular. Then, runs the sampleRightExt algorithm and generates ’s private keywhere . Moreover, samples and calls algorithm from [28]. It can obtain satisfying where , that is, . Then, it sets and and returns . For all ’s update key queries, runswhere . Moreover, it samples and then calls algorithm to get a basis satisfying , where , that is, . It sets and and then generates the update key .

Since the parameter is sufficiently large, ’s distribution is statistically close to and ’s distribution is statistically close to . and ’s distributions are distributed close to , respectively. Since and are the random bases of , then and ’s distributions are the same as those in the real system. and are -invertible, that is, and are distributed as in the real system.

##### 4.3.1. Signing Key Query

first samples a random matrix and defines . Then, it sets and picks an empty list *L*. If the adversary asks the signing key on identity and time , runs to obtain a random and a short basis for . Then, it saves the tuple in list *L* for future use and returns to the adversary . If the adversary asks the signing key on identity and time *t*, retrieves the list *L* and checks whether in *L*. If is in *L*, returns to . Otherwise, also runs to obtain a random and a short basis for . Then, it saves the tuple in list *L* for future use and returns to the adversary . In the real SignKeyGen phase, the signing keys are generated by using algorithm BasisDel. In the Simulated signing key queries, the signing keys are generated from algorithm SampleRwithBasis. By Lemma 7 and 8, the responses to oracle queries and signing key queries are as in the real system.

##### 4.3.2. Signature Queries

simulates signatures of messages *μ* for ’s adaptive signature queries as follows:(i)If the queried messages *μ* are under target identity in target time , answers as follows:(1)Compute and (2)If (mod *q*), abort the simulation(3)Otherwise sample vector:(4)Output (ii)If the queried messages *μ* are under identity or in time , first retrieves the list *L* and checks whether it has tuple . If yes, gets and samples vector . Otherwise, also runs to obtain a random and a short basis for . Then, it saves the tuple in list *L* and uses to sample algorithm . At last, returns σ to the adversary . **Forgery**: obtains a forged signature on an unqueried message and performs the following:(1)Compute and (2)If (mod *q*), abort the simulation(3)Otherwise, separate (4)Output

From Lemma 9, is small and nonzero with good probability and is a valid -SIS solution with good probability.

Lemma 9. *If provides a valid forgery for message with (mod q), then for polynomial function , satisfying and .*

*Proof. *First, when , we have . Since is message ’s valid signature under identity in time , then we can obtainNext, we will show that is appropriately short. Since is the sum of *l* low-norm matrices and are nearly independent with the same variance and their coefficients are in , then we will haveIn particular, since they are almost independent discrete Gaussian, , and . With overwhelming probability for , we set .

Finally, it remains to show that . Suppose an easy case that , then for a valid forgery, it must have , thus . On the contrary, , since ; thus, there must be at least one ’s coordinate that is nonzero modulo *q*. We set *z* be ’s last one coordinate. Let be ’s last column and be ’s last column for each . Then, we have , where the coefficients depend on the message bits. For , let , then , where depends on and does not. The only information about available to is contained in the last column of ’s last column. From a simple pigeonhole principle, there exists many admissible and equally likely vector that are the same with ’s view. cannot know the value of with probability exceeding once third, then every other would fail to do so. Thus, . If forges a signature with probability ε with , then the algorithm can solve the problem with the advantage of .

We will show that the simulation (without aborting) is statistically indistinguishable from the real system.

The differences of the algorithms are summarized as follows:(i)In real , matrix is sampled from the algorithm . Matrices are chosen uniformly at random. In simulated , , , , for random and , and (ii)In the real phase, algorithm generates signatures σ, whereas in the simulated phase, signatures are generated by algorithm or algorithm We now argue that the distribution is statistically indistinguishable in the two experiments. LetThen, from Lemma 2, we havefor random matrices from andchosen at random. Here, ’s distribution is statistically close to ’s uniform distribution. Therefore, the distribution of in the simulation is statistically indistinguishable to them in the real system.

For each *μ’*s signature query, if Gaussian parameters