Abstract
Digital signatures are crucial network security technologies. However, in traditional public key signature schemes, the certificate management is complicated and the schemes are vulnerable to public key replacement attacks. In order to solve the problems, in this paper, we propose a selfcertified signature scheme over lattice. Using the selfcertified public key, our scheme allows a user to certify the public key without an extra certificate. It can reduce the communication overhead and computational cost of the signature scheme. Moreover, the lattice helps prevent quantum computing attacks. Then, based on the small integer solution problem, our scheme is provable secure in the random oracle model. Furthermore, compared with the previous selfcertified signature schemes, our scheme is more secure.
1. Introduction
Due to the development of the Internet, various networks require to verify the authenticity of the message or the user, such as data verification for Internet of Vehicles [1] and user authentication for industry and mobility networks [2, 3]. In general, these authentication systems can be divided into traditional public key infrastructure (PKI) based cryptosystems with certificates [4] and certificateless cryptosystems [5, 6]. In a PKIbased cryptosystem, a certificate issued by the certificate authority (CA) is often required to certify the authenticity of the relationship between the public key and the user. However, it increases the computation overheads and communication costs because certificate management is complicated. Furthermore, it is vulnerable to public key replacement attacks if certificates are not used. To avoid certificate management, in 1984, Shamir [5] introduced the idea of an identitybased (IB) cryptosystem. The public key of a user is the user’s identity information. Although it does not require any certificates, it suffers from the key escrow problem.
To deal with the above problems, in 1991, Girault [7] introduced the notion of selfcertified public keys, which can enable the public key to implicitly authorize the user’s identity without an extra certificate. Concretely, the public key is computed by the user and the authority. Then, the verification of the authenticity of the signature and public key is placed in a logically single step. Thus the selfcertified signature scheme can mitigate the burdens for the certificate management and storage and prevent the key escrow problem. Therefore, selfcertified signature schemes have a promising future for environments with limited memory and computational capacity, such as smart mobile devices [8], wireless sensor networks [9], the cloud [10], and vehicular ad hoc networks [11].
However, most of them are based on discrete logarithm problems or large integer factorization problems. Unfortunately, Shor [12] pointed out that the two problems are easily solved by quantum computers, so the signature schemes based on the two problems are no longer secure in the quantum era. Lattice cryptography is one of the postquantum candidate schemes proposed by the National Institute of Standards and Technology [13]. Meanwhile, in recent years, lattice cryptography on the refinements of the security assessment and the fast implementation [14, 15] has achieved rapid developments. Thus, to prevent quantum attacks, in this paper, based on lattice cryptography, we propose a provably secure selfcertified signature scheme in the random oracle model (ROM).
Our contributions are mainly as follows: firstly, our scheme adopts the advantages of selfcertified public keys and lattice signature schemes, which simplifies the public key authentication process of the scheme and avoids the key escrow problems and public key replacement attacks. Moreover, it can resist quantum attacks. Secondly, based on the hardness of the small integer solution (SIS) problem, our scheme is existential unforgeability against two types of adversaries in the ROM.
Related work: in PKIbased signature schemes [16], CA issues a certificate for the user, which increases the burden of certificate management and storage.
Many schemes are proposed to reduce the cost of certification management and storage. For instance, numerous IB signature schemes are proposed. In these schemes, the public key is the user’s identity. Therefore, it does not need an extra certificate, but it is vulnerable to the key escrow problem because the key generation center (KGC) generates the private keys of all users [17]. Thus, a malicious KGC can impersonate any user. The certificateless public key cryptography [6] also does not require a separate certificate. Recently, Gowri et al. [18] proposed a certificateless signatures scheme from ECC, but later Xu et al. [19] found that it is vulnerable to signature forgery attacks.
To solve the above problems, Girault [7] proposed the selfcertified cryptosystem, in which there are no certificates, and neither the user nor the authority can independently obtain the full private key of the user.
Since the selfcertificated public key was introduced, many selfcertified signature schemes have been proposed. Shao [20] proposed a novel selfcertified signature scheme from pairings, but it was later proved to be insecure. In addition, some selfcertified signature schemes based on discrete logarithm problems were also proposed, Xie [21] and Wu and Xu [22]. However, Sadeghpour [23] pointed out that Wu and Xu’s scheme [22] is vulnerable to internal attacks. Moreover, there exist also several selfcertified signature and authentication schemes applied to specific scenarios [9, 11, 24, 25]. Nevertheless, these schemes are not secure against quantum attacks because the hard assumptions are not difficult for quantum computers.
Using the lattice to implement the postquantum selfcertified signature scheme is a considerable method. Li et al. [8] first proposed a latticebased selfcertified signatures scheme. However, this scheme is based on NTRUSign, so it lacks rigorous security proof. Moreover, there are no other selfcertified signature schemes over lattice. Tian and Huang [26] and others propose several latticebased certificateless signatures schemes, which do not need the certificate too. However, they cannot prevent insider attack, and there exist other flaws [27, 28]. Hence, in this paper, we aim to propose a provably secure selfcertified signature scheme over lattice.
The rest of the paper is organized as follows: in Section 2, we introduce some basic concepts of lattice signature schemes. In Section 3, we introduce the syntax of the selfcertified signature scheme and the security model. In Section 4, we introduce our scheme. In Section 5, we analyze the correctness, security, and comparisons. Finally, we give our conclusion and further work.
2. Preliminaries
2.1. Notations
The notations used in this paper are listed as follows:(1)Let be the set of real numbers, the set of integers, and the set of nonnegative integer numbers. For a positive integer , is the set of integers modulo .(2)Column vectors are written as bold lowercase letters, for example, . The th component of is represented by , the norm of is denoted by , and define . The norm of can be denoted by , and the norm of is denoted by , and define . Matrices are represented by bold uppercase letters, for example, . Let the th column of be represented by and define the norm . If is a full rank square matrix, its Gram–Schmidt orthogonalization is denoted by , and . Let and denote the transpositions of the vector and the matrix , respectively.(3)For a real number , denotes the Gaussian distribution with the standard variance . Moreover, denotes that each component of the vector is sampled from . For a random value and a set , denotes that is sampled uniform from the set .
2.2. Lattice
Definition 1. (lattice). A lattice is a discrete subgroup of . Let , where are linear independent vectors. The lattice in the dimensional Euclidean space generated by the basis is defined as .
For , let and and define the ary lattice as follows:
The dual lattice of is denoted by , defined as .
Definition 2. (small integer solution (SIS) problem [29]). For any , given positive integers , a matrix and , problem is finding a nonzero integer vector satisfying and .
Definition 3. (inhomogeneous SIS(ISIS) problem). For any, positive integers,, and,problem is defined as follows: given, find a vectorsuch thatand.
The hardness of (I)SIS is based on the lattice problems in the worst case [29, 30].
Lemma 1. (hardness). For any polynomial bounds and a prime number , solving (I)SIS problems is as hard as solving GapSVP and SIVP on an arbitrary dimensional lattice.
2.3. Gaussian on Lattices
Definition 4. (Gaussian function). For any real , center and define the Gaussian function on as
For simplicity, when and are taken to be 1 and 0, respectively, they can be omitted.
Discrete Gaussian distribution: the Gaussian distribution over is defined as .
For any , , and dimensional lattice , define the discrete Gaussian distribution over lattice as
Definition 5. (smoothing parameter [31]). For a lattice and real , the smoothing parameter of the lattice is the smallest real such that .
For , the Gaussian distribution is close to a uniform distribution.
Lemma 2. (see[30]). For the lattice with a basis , let Gaussian parameter , .
Lemma 3. (see[30]). For any dimensional lattice with basis and real , there is , where with a base and .
2.4. Short Bases of Lattice
Definition 6. (gadgetlattice [32]). The gadget matrix is defined as with dimensional gadget vector , where , and the default value of is 2. The ary lattice is the sum of copies of the lattice . And , where and .
The (I)SIS problems are easily solved on the gadget matrix .
Definition 7. (Trapdoor [32]). For the matrices and , where , , , and . The Trapdoor of is a matrix such that for .
Here, is an invertible matrix. The quality of the trapdoor is determined by its maximum singular value .
The most efficient trapdoor generation algorithm now is the GTrapGen [32].
Lemma 4. (TrapGen [32]). Let and , and set . There is a probabilistic polynomial time (PPT) algorithm that outputs a paritycheck matrix and the trapdoor .
The matrix is statistically close to uniformly random. The quality of the trapdoor is .
Lemma 5. (Trapdoor SamlePre [32]). For the matrixtrapdoor pair , a positive definite matrix is defined as , where and . Given a vector , there is a PPT algorithm that outputs the preimage where is a perturbation and , such that .
Lemma 6. (SampleMat [26]). Let the integers , , , given a matrix and the trapdoor , for and the Gaussian parameter . There is a PPT algorithm SampleMAT () that outputs the preimage such that and .
2.5. Rejection Sampling Technique
Lemma 7. (see [31]). For any Gaussian parameter and positive integer ,
Lemma 8. (see [33]). For any , positive real and , , we haveand more specifically, if , then
The rejection sampling technique ensures that the distribution of the outputted signature is independent of the signing key so that a valid signature is generated without leaking any useful information about the key.
Concretely, given the distribution , the signing key , and a message , first sample , then compute and , and the signature is . Here, we want to obtain sampled from instead of , where is the distribution from the shift of the distribution by an offset vector . Therefore, we select an appropriate value and output with the probability , so that the distribution of is statistically indistinguishable from the distribution .
3. SelfCertified Signature Scheme
3.1. The Syntax of the SCS
A selfcertified signature (SCS) scheme consists of the following algorithms: Setup, KeyGen, Extract, Sign, and Verify:(1)Setup: it takes a security parameter as input and returns the system parameter .(2)KeyGen: CA selects the master private key and generates its public key .(3)Extract: each user first selects his private key and the partial public key and then sends to CA. After receiving the request, CA extracts the partial private key of the user. Therefore, the full public key is , and the full private key is .(4)Sign: the user generates a signature of the message with the private key .(5)Verify: a verifier checks the signature .
3.2. Security Model
In this section, we give the security model of the SCS scheme.
SCS schemes are secure against two types of adversaries, which are classified as external and internal adversaries as follows.
Type 1: Adversary (Outsider). A type 1 adversary knows the secret value of any user by listening to the public channel or replacing the public key.
Type 2: Adversary (HonestButCurious CA). A type 2 adversary can compute the partial private key of any user, but it does not know the user’s secret value.
Definition 8. (type 1 attack). A SCS scheme is existentially unforgeable against adaptive chosen message type 1 attacks if no polynomial bounded type 1 adversary with a nonnegligible advantage wins the following game.
Setup: the challenger takes a security parameter as input and runs the setup and the KeyGen algorithms. It gives the system parameters and CA’s master public key to the adversary and keeps the master secrete key secret.
Queries: makes following adaptive queries:(i)Hash queries: given any , returns the hash value to .(ii)Secret key queries: given a user’s identity , returns the user’s secret key to .(iii)Partial private key queries: given a user’s identity , returns the user’s partial private key to .(iv)Public key queries: given a user’s identity , returns the user’s public key to .(v)Public key replacement queries: given a user’s identity and a public key , replaces the user’s public key with .(vi)Sign queries: given a message , returns a signature of to .(vii)Verify queries: given a signature , responds the verification result to .
Forgery: outputs a new signature for a message , and wins the game if the outputted signature is valid and without making a partial private key query or a sign query for the message .
Definition 9. (type 2 attack). A SCS scheme is existentially unforgeable under adaptive chosen message type 2 attacks if no polynomial bounded type 2 adversary with a nonnegligible advantage wins the following game.
Setup: the challenger takes a security parameter as input and runs the setup and the KeyGen algorithms. It gives the system parameters and CA’s master public key to the adversary and keeps the master secrete key secret.
Queries: makes following adaptive queries:(i)Hash queries: given any , returns the hash value to .(ii)Secret key queries: given a user’s identity , returns the user’s secret key to .(iii)Public key queries: given a user’s identity , returns the user’s public key to .(vi)Sign queries: given a message , returns a signature of to .(v)Verify queries: given a signature , returns the verification result to .
Forgery: outputs a new signature for a message , and wins the game if the outputted signature is valid and without making a secret key query or a sign query for the message .
Definition 10. (unforgeability). A SCS scheme is secure if it is existentially unforgeable under adaptive chosen attacks; namely, the advantages that the adversaries and successfully forge a valid signature are negligible.
4. Our Signature Scheme
Our scheme consists of five algorithms: Setup, KeyGen, Extract, Sign, and Verify.
(1) Setup: given security parameters , for positive integers , and . Let , , , , , , and select two secure hash functions: , . Finally, publish system parameters .
(2) KeyGen: the KeyGen algorithm is described in Algorithm 1. CA runs the algorithm GTrapGen to output the publicprivate key pair. The master private key is the trapdoor , and the public key is the public matrix .

(3) Extract: the extract algorithm is described in Algorithm 2. The user’s publicprivate key pair is generated by the user and CA. first selects his secret key and computes the partial public key . CA generates the partial private key and sends it to the user through a secure channel. Therefore, the full private key is and the full public key is the .


(4) Sign: the Sign algorithm is described in Algorithm 3. generates a signature of the message using the rejection sampling technique.
Remark 1. According to the rejection sampling technique described in Section 2, at most attempts, we will output a signature such that the distribution of is statistically close to , and we have .
(5) Verify: the KeyGen algorithm is described in Algorithm 4. The verifier verifies the signature of the message on .

5. Analysis
5.1. Correctness
The correctness of the scheme is as follows:
First, we have , , so
At this moment, we complete the proof.
5.2. Security Analysis
Our scheme is existentially unforgeable under the adaptive chosen message attacks in the random oracle model.
Theorem 1. Our SCS scheme is existentially unforgeable in ROM for a polynomialtime type 1 adversary. If the adversary can successfully forge a valid signature, then it can solve the problem, where .
Proof. Assume that there is a type 1 adversary who can break the scheme with nonnegligible probability. Then, we can construct a polynomialtime challenger , who runs as a subroutine to solve the problem with nonnegligible probability; that is, wins Game 1:
Game 1 setup: input the security parameter . runs the setup and the KeyGen algorithm to obtain and . Then, publishes and and keeps secret. maintains several initially empty lists: List 0, List 1, List 2, List 3, and List 4. List 0 contains , where is the user’s identity and is the partial public key. List 1 contains , where is the secret key. List 2 contains , where is the partial private key. List 3 contains , where are two random vectors. List 4 contains , where is the signature.
Queries: adaptively issues several queries to :(i)queries: sends a user’s identity to ; then, performs as follows:(1)First looks up in List 0. If found, directly returns the hash value of the public key.(2)Otherwise, randomly selects a matrix and returns it; then, it selects a matrix , and adds to List 0.(ii) queries: sends a message to ; then, performs as follows:(1)First, it looks up in List 3. If found, directly returns the hash value of message .(2)Otherwise, randomly selects a vector from and returns it. Then, it randomly selects two vectors and adds to List 3.(iii)Secret matrix queries: sends an identity to ; then, performs as follows:(1)First, it looks up in List 1. If found, directly returns the user’s secret matrix .(2)Otherwise, selects a matrix from and returns it. Then, it computes , and adds to List 1.(vi)Partial private key queries: sends to ; then, performs as follows:(1)First, it looks up in List 2. If found, directly returns the partial private key .(2)Otherwise, issues a secret matrix query to obtain and runs the algorithm SampleMAT to output a matrix as the partial private key.(3)Finally, returns and adds to List 2.(v)Public key replacement queries: sends and a public key to and then wants to replace the user’s public key. After receiving the identity , replaces the public key with and records this replacement.(vi)Sign queries: sends a message , , and a secret matrix to . Then, performs as follows:(1)First, it looks up the parameters in List 4. If found, directly returns the signature.(2)Otherwise, issues a partial private key query to obtain the signing key , issues a query to obtain , and computes .(3)Finally, returns the signature , where , and adds to List 4.Forgery: after polynomialtime queries finish, outputs a forgery on message for with nonnegligible probability. If the signature can pass the verification and partial private key queries and the sign queries for the message are never involved in this game, then wins the game.
Using the forking lemma [34], replays with different hash values of queries to get another valid signature such that and .
Because is a type 1 adversary that can make public key replacement attacks, it is easy to obtain and . Then, only the partial private key needs to be considered. Since , we have the equality:As , , , with overwhelming probability, we can see thatNow, we prove with nonnegligible probability.
Since , then, by Lemma 4.2 from [33], there is another with probability larger than such that all the columns except for the th column are the same as . And . So, if , then we have . Because and have the same role in our scheme, does not know which one is used in the simulation. Hence, can make with the probability not less than 0.5. As a result, we can construct an algorithm to solve the problem with overwhelming probability, where .
Theorem 2. Our SCS scheme is existentially unforgeable in ROM for a polynomialtime type 2 adversary. If the adversary can successfully forge a valid signature, then it can solve the problem, where .
Proof. Assume that there is a type 2 adversary that can break out the scheme with nonnegligible probability. Then, we can construct a polynomialtime challenger that runs as a subroutine to solve the problem with nonnegligible probability, that is, wins Game 2:
Game 2 Setup: input the security parameter . runs the setup and KeyGen algorithm to obtain and . Then, publishes and and keeps secret. maintains several initially empty lists: List 0, List 1, List 3, and List 4.
Queries: adaptively issues several queries to :(i) queries: it is the same as the above proof.(ii) queries: it is the same as the above proof.(iii)Secret matrix queries: sends a user’s identity to ; then, performs as follows:(1)First, it looks up in List 1. If found, directly returns the user’s secret matrix .(2)Otherwise, randomly selects a matrix from , returns it, then computes , , and adds to List 1.(vi)Sign queries: sends and a message to ; then, performs as follows:(1)First, it looks up the parameters in List 4. If found, directly returns the signature.(2)Otherwise, issues a secret matrix query to obtain , issues a query to obtain the public key, and then computes . also issues a query to obtain and computes .(3)Finally, returns the signature , where , and adds to List 4.Forgery: after polynomialtime queries finish, outputs a forgery on message for with nonnegligible probability. If the signature can pass the verification, and the secret matrix queries and the sign queries for the message are never involved in this game, then wins the game.
Using the forking lemma, replays with different hash values of queries to get another valid signature such that and .
Because is a type 2 adversary that can obtain the partial private key , only the secret key needs to be considered. Moreover, since , we have the equalityAs , , , with overwhelming probability, we can see thatNow, we prove with nonnegligible probability.
Since and according to Lemma 4.2 from [33], there is another secret key with the probability larger than such that all columns except for the th column are the same as . And . So, if , then we know . Because and have the same role in our scheme, the challenger does not know which one is used in the simulation. Therefore, can make with probability not less than 0.5. Finally, we can construct an algorithm to solve the problem with overwhelming probability, where .
5.3. Comparisons
In this section, we compare our scheme with several typical selfcertified authentication or signature schemes. We mainly focus on the computational costs, the storage overheads, and several security properties.
As in Table 1, we compare the computational costs. Let , , , , and denote the execution times of a bilinear pairing operation, a scale multiplication for the bilinear pairing, a scale multiplication for the ECC, a polynomial multiplication, and a general hash function operation. Although our scheme has higher computational costs, based on the lattice, our scheme provides more robust security.
As depicted in Table 2, we compare the storage overheads. For the key size, we use an improved trapdoor generation algorithm [32] based on GPV [30] to reduce the dimensionality of the trapdoor. For the signature length, we only use Gaussian sampling in the key extract phase but use the rejection sampling technique in the signature generation phase, which helps to reduce the signature length. Moreover, according to Lemma 2 in [14], if the key is distributed as a discrete Gaussian distribution with the parameter such that , the bit size of is bounded by bits.
In Table 3, we compare the security properties. According to the above tables, Li et al. [10] and Tahat et al.’s [35] schemes are more efficient than the SCS schemes over lattice, where bits and bits. However, their schemes are not secure against quantum attacks because the security is based on the pairing or elliptic curve discrete logarithm problems (ECDLP). Li et al.’s [8] scheme is the first SCS scheme over lattice. It has a shorter key size and signature length because of using NTRU lattice, but it lacks provable security. Our scheme is based on the standard lattice, so the key size and the signature length are less efficient than Li et al.’s scheme. However, our scheme is provably secure in the ROM under the SIS assumption. Therefore, our scheme is more secure against quantum computers.
6. Conclusion and Further Work
In this paper, we propose a selfcertified signature scheme over the standard lattice, which authenticates the integrity of the message and the user’s public key and identity without the need for additional certificates, thus not only avoiding the key escrow problems and public key replacement attacks but also preventing quantum attacks. Based on the hardness of the SIS assumption, our scheme is provably secure in the random oracle model. Our scheme is more feasible than previous schemes.
Future work: we consider the standard model. The standard model is more secure and practical than the random oracle model. Hence, our further work is to transfer our scheme into a SCS scheme in the standard model. Furthermore, the efficiency of the scheme can be further improved.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This research was supported by the National Natural Science Foundation of China (no. 61662004).