Provably Secure Lattice-Based Self-Certified Signature Scheme

Yang, Qiang; Li, Daofeng

doi:https://doi.org/10.1155/2021/2459628

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Analysis Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2021 | Article ID 2459628 | https://doi.org/10.1155/2021/2459628

Provably Secure Lattice-Based Self-Certified Signature Scheme

Qiang Yang^1,2and Daofeng Li^1,2

Academic Editor: De Rosal Ignatius Moses Setiadi

Received10 Sept 2021

Revised06 Dec 2021

Accepted08 Dec 2021

Published31 Dec 2021

Abstract

Digital signatures are crucial network security technologies. However, in traditional public key signature schemes, the certificate management is complicated and the schemes are vulnerable to public key replacement attacks. In order to solve the problems, in this paper, we propose a self-certified signature scheme over lattice. Using the self-certified public key, our scheme allows a user to certify the public key without an extra certificate. It can reduce the communication overhead and computational cost of the signature scheme. Moreover, the lattice helps prevent quantum computing attacks. Then, based on the small integer solution problem, our scheme is provable secure in the random oracle model. Furthermore, compared with the previous self-certified signature schemes, our scheme is more secure.

1. Introduction

Due to the development of the Internet, various networks require to verify the authenticity of the message or the user, such as data verification for Internet of Vehicles [1] and user authentication for industry and mobility networks [2, 3]. In general, these authentication systems can be divided into traditional public key infrastructure- (PKI-) based cryptosystems with certificates [4] and certificateless cryptosystems [5, 6]. In a PKI-based cryptosystem, a certificate issued by the certificate authority (CA) is often required to certify the authenticity of the relationship between the public key and the user. However, it increases the computation overheads and communication costs because certificate management is complicated. Furthermore, it is vulnerable to public key replacement attacks if certificates are not used. To avoid certificate management, in 1984, Shamir [5] introduced the idea of an identity-based (IB) cryptosystem. The public key of a user is the user’s identity information. Although it does not require any certificates, it suffers from the key escrow problem.

To deal with the above problems, in 1991, Girault [7] introduced the notion of self-certified public keys, which can enable the public key to implicitly authorize the user’s identity without an extra certificate. Concretely, the public key is computed by the user and the authority. Then, the verification of the authenticity of the signature and public key is placed in a logically single step. Thus the self-certified signature scheme can mitigate the burdens for the certificate management and storage and prevent the key escrow problem. Therefore, self-certified signature schemes have a promising future for environments with limited memory and computational capacity, such as smart mobile devices [8], wireless sensor networks [9], the cloud [10], and vehicular ad hoc networks [11].

However, most of them are based on discrete logarithm problems or large integer factorization problems. Unfortunately, Shor [12] pointed out that the two problems are easily solved by quantum computers, so the signature schemes based on the two problems are no longer secure in the quantum era. Lattice cryptography is one of the postquantum candidate schemes proposed by the National Institute of Standards and Technology [13]. Meanwhile, in recent years, lattice cryptography on the refinements of the security assessment and the fast implementation [14, 15] has achieved rapid developments. Thus, to prevent quantum attacks, in this paper, based on lattice cryptography, we propose a provably secure self-certified signature scheme in the random oracle model (ROM).

Our contributions are mainly as follows: firstly, our scheme adopts the advantages of self-certified public keys and lattice signature schemes, which simplifies the public key authentication process of the scheme and avoids the key escrow problems and public key replacement attacks. Moreover, it can resist quantum attacks. Secondly, based on the hardness of the small integer solution (SIS) problem, our scheme is existential unforgeability against two types of adversaries in the ROM.

Related work: in PKI-based signature schemes [16], CA issues a certificate for the user, which increases the burden of certificate management and storage.

Many schemes are proposed to reduce the cost of certification management and storage. For instance, numerous IB signature schemes are proposed. In these schemes, the public key is the user’s identity. Therefore, it does not need an extra certificate, but it is vulnerable to the key escrow problem because the key generation center (KGC) generates the private keys of all users [17]. Thus, a malicious KGC can impersonate any user. The certificateless public key cryptography [6] also does not require a separate certificate. Recently, Gowri et al. [18] proposed a certificateless signatures scheme from ECC, but later Xu et al. [19] found that it is vulnerable to signature forgery attacks.

To solve the above problems, Girault [7] proposed the self-certified cryptosystem, in which there are no certificates, and neither the user nor the authority can independently obtain the full private key of the user.

Since the self-certificated public key was introduced, many self-certified signature schemes have been proposed. Shao [20] proposed a novel self-certified signature scheme from pairings, but it was later proved to be insecure. In addition, some self-certified signature schemes based on discrete logarithm problems were also proposed, Xie [21] and Wu and Xu [22]. However, Sadeghpour [23] pointed out that Wu and Xu’s scheme [22] is vulnerable to internal attacks. Moreover, there exist also several self-certified signature and authentication schemes applied to specific scenarios [9, 11, 24, 25]. Nevertheless, these schemes are not secure against quantum attacks because the hard assumptions are not difficult for quantum computers.

Using the lattice to implement the postquantum self-certified signature scheme is a considerable method. Li et al. [8] first proposed a lattice-based self-certified signatures scheme. However, this scheme is based on NTRUSign, so it lacks rigorous security proof. Moreover, there are no other self-certified signature schemes over lattice. Tian and Huang [26] and others propose several lattice-based certificateless signatures schemes, which do not need the certificate too. However, they cannot prevent insider attack, and there exist other flaws [27, 28]. Hence, in this paper, we aim to propose a provably secure self-certified signature scheme over lattice.

The rest of the paper is organized as follows: in Section 2, we introduce some basic concepts of lattice signature schemes. In Section 3, we introduce the syntax of the self-certified signature scheme and the security model. In Section 4, we introduce our scheme. In Section 5, we analyze the correctness, security, and comparisons. Finally, we give our conclusion and further work.

2. Preliminaries

2.1. Notations

The notations used in this paper are listed as follows:(1)Let be the set of real numbers, the set of integers, and the set of nonnegative integer numbers. For a positive integer , is the set of integers modulo .(2)Column vectors are written as bold lowercase letters, for example, . The th component of is represented by , the norm of is denoted by , and define . The norm of can be denoted by , and the norm of is denoted by , and define . Matrices are represented by bold uppercase letters, for example, . Let the th column of be represented by and define the norm . If is a full rank square matrix, its Gram–Schmidt orthogonalization is denoted by , and . Let and denote the transpositions of the vector and the matrix , respectively.(3)For a real number , denotes the Gaussian distribution with the standard variance . Moreover, denotes that each component of the vector is sampled from . For a random value and a set , denotes that is sampled uniform from the set .

2.2. Lattice

Definition 1. (lattice). A lattice is a discrete subgroup of . Let , where are linear independent vectors. The lattice in the -dimensional Euclidean space generated by the basis is defined as .

For , let and and define the -ary lattice as follows:

The dual lattice of is denoted by , defined as .

Definition 2. (small integer solution (SIS) problem [29]). For any , given positive integers , a matrix and , problem is finding a nonzero integer vector satisfying and .

Definition 3. (inhomogeneous SIS(ISIS) problem). For any, positive integers,, and,problem is defined as follows: given, find a vectorsuch thatand.

The hardness of (I)SIS is based on the lattice problems in the worst case [29, 30].

Lemma 1. (hardness). For any polynomial bounds and a prime number , solving (I)SIS problems is as hard as solving GapSVP and SIVP on an arbitrary -dimensional lattice.

2.3. Gaussian on Lattices

Definition 4. (Gaussian function). For any real , center and define the Gaussian function on as

For simplicity, when and are taken to be 1 and 0, respectively, they can be omitted.

Discrete Gaussian distribution: the Gaussian distribution over is defined as .

For any , , and -dimensional lattice , define the discrete Gaussian distribution over lattice as

Definition 5. (smoothing parameter [31]). For a lattice and real , the smoothing parameter of the lattice is the smallest real such that .

For , the Gaussian distribution is close to a uniform distribution.

Lemma 2. (see[30]). For the lattice with a basis , let Gaussian parameter , .

Lemma 3. (see[30]). For any -dimensional lattice with basis and real , there is , where with a base and .

2.4. Short Bases of Lattice

Definition 6. (gadget-lattice [32]). The gadget matrix is defined as with -dimensional gadget vector , where , and the default value of is 2. The -ary lattice is the sum of copies of the lattice . And , where and .

The (I)SIS problems are easily solved on the gadget matrix .

Definition 7. (-Trapdoor [32]). For the matrices and , where , , , and . The -Trapdoor of is a matrix such that for .

Here, is an invertible matrix. The quality of the trapdoor is determined by its maximum singular value .

The most efficient trapdoor generation algorithm now is the G-TrapGen [32].

Lemma 4. (-TrapGen [32]). Let and , and set . There is a probabilistic polynomial time (PPT) algorithm that outputs a parity-check matrix and the trapdoor .

The matrix is statistically close to uniformly random. The quality of the trapdoor is .

Lemma 5. (-Trapdoor SamlePre [32]). For the matrix-trapdoor pair , a positive definite matrix is defined as , where and . Given a vector , there is a PPT algorithm that outputs the preimage where is a perturbation and , such that .

Lemma 6. (SampleMat [26]). Let the integers , , , given a matrix and the trapdoor , for and the Gaussian parameter . There is a PPT algorithm SampleMAT () that outputs the preimage such that and .

2.5. Rejection Sampling Technique

Lemma 7. (see [31]). For any Gaussian parameter and positive integer ,

Lemma 8. (see [33]). For any , positive real and , , we haveand more specifically, if , then

The rejection sampling technique ensures that the distribution of the outputted signature is independent of the signing key so that a valid signature is generated without leaking any useful information about the key.

Concretely, given the distribution , the signing key , and a message , first sample , then compute and , and the signature is . Here, we want to obtain sampled from instead of , where is the distribution from the shift of the distribution by an offset vector . Therefore, we select an appropriate value and output with the probability , so that the distribution of is statistically indistinguishable from the distribution .

3. Self-Certified Signature Scheme

3.1. The Syntax of the SCS

A self-certified signature (SCS) scheme consists of the following algorithms: Setup, KeyGen, Extract, Sign, and Verify:(1)Setup: it takes a security parameter as input and returns the system parameter .(2)KeyGen: CA selects the master private key and generates its public key .(3)Extract: each user first selects his private key and the partial public key and then sends to CA. After receiving the request, CA extracts the partial private key of the user. Therefore, the full public key is , and the full private key is .(4)Sign: the user generates a signature of the message with the private key .(5)Verify: a verifier checks the signature .

3.2. Security Model

In this section, we give the security model of the SCS scheme.

SCS schemes are secure against two types of adversaries, which are classified as external and internal adversaries as follows.

Type 1: Adversary (Outsider). A type 1 adversary knows the secret value of any user by listening to the public channel or replacing the public key.

Type 2: Adversary (Honest-But-Curious CA). A type 2 adversary can compute the partial private key of any user, but it does not know the user’s secret value.

Definition 8. (type 1 attack). A SCS scheme is existentially unforgeable against adaptive chosen message type 1 attacks if no polynomial bounded type 1 adversary with a nonnegligible advantage wins the following game.

Setup: the challenger takes a security parameter as input and runs the setup and the KeyGen algorithms. It gives the system parameters and CA’s master public key to the adversary and keeps the master secrete key secret.

Queries: makes following adaptive queries:(i)Hash queries: given any , returns the hash value to .(ii)Secret key queries: given a user’s identity , returns the user’s secret key to .(iii)Partial private key queries: given a user’s identity , returns the user’s partial private key to .(iv)Public key queries: given a user’s identity , returns the user’s public key to .(v)Public key replacement queries: given a user’s identity and a public key , replaces the user’s public key with .(vi)Sign queries: given a message , returns a signature of to .(vii)Verify queries: given a signature , responds the verification result to .

Forgery: outputs a new signature for a message , and wins the game if the outputted signature is valid and without making a partial private key query or a sign query for the message .

Definition 9. (type 2 attack). A SCS scheme is existentially unforgeable under adaptive chosen message type 2 attacks if no polynomial bounded type 2 adversary with a nonnegligible advantage wins the following game.

Setup: the challenger takes a security parameter as input and runs the setup and the KeyGen algorithms. It gives the system parameters and CA’s master public key to the adversary and keeps the master secrete key secret.

Queries: makes following adaptive queries:(i)Hash queries: given any , returns the hash value to .(ii)Secret key queries: given a user’s identity , returns the user’s secret key to .(iii)Public key queries: given a user’s identity , returns the user’s public key to .(vi)Sign queries: given a message , returns a signature of to .(v)Verify queries: given a signature , returns the verification result to .

Forgery: outputs a new signature for a message , and wins the game if the outputted signature is valid and without making a secret key query or a sign query for the message .

Definition 10. (unforgeability). A SCS scheme is secure if it is existentially unforgeable under adaptive chosen attacks; namely, the advantages that the adversaries and successfully forge a valid signature are negligible.

4. Our Signature Scheme

Our scheme consists of five algorithms: Setup, KeyGen, Extract, Sign, and Verify.

(1) Setup: given security parameters , for positive integers , and . Let , , , , , , and select two secure hash functions: , . Finally, publish system parameters .

(2) KeyGen: the KeyGen algorithm is described in Algorithm 1. CA runs the algorithm G-TrapGen to output the public-private key pair. The master private key is the trapdoor , and the public key is the public matrix .

	Input: security parameter .
	Output:.
(1)	Output G-TrapGen , is the master public key and is the master private key.
(2)	Choose a random uniform matrix .
(3)	Publish and , and keep secret.

(3) Extract: the extract algorithm is described in Algorithm 2. The user’s public-private key pair is generated by the user and CA. first selects his secret key and computes the partial public key . CA generates the partial private key and sends it to the user through a secure channel. Therefore, the full private key is and the full public key is the .

	Input: with an identity , .
	Output: the user’s key .
(1)	selects a random uniform matrix from as the secret key, where .
(2)	Computes , and sends to CA.
(3)	Upon receiving the , CA performs as follows:
(i)	computes .
(ii)	uses the algorithm SampleMAT to output .
(iii)	sends to through a secure channel.
(4)	checks the authenticity of by verifying and . If so, output as their partial private key. Otherwise, reject it.

	Input: a message , , the signing key and other public parameters.
	Output: the signature .
(1)	Randomly select , and compute .
(2)	Compute , , and let .
(3)	Output the signature with probability , where .
(4)	If , repeat this algorithm.

(4) Sign: the Sign algorithm is described in Algorithm 3. generates a signature of the message using the rejection sampling technique.

Remark 1. According to the rejection sampling technique described in Section 2, at most attempts, we will output a signature such that the distribution of is statistically close to , and we have .

(5) Verify: the KeyGen algorithm is described in Algorithm 4. The verifier verifies the signature of the message on .

	Input: and , the message , the signature .
	Output: the verification result.
(1)	Compute .
(2)	Check whether and .
(3)	If so, return accept. Otherwise, return reject.

5. Analysis

5.1. Correctness

The correctness of the scheme is as follows:

First, we have , , so

At this moment, we complete the proof.

5.2. Security Analysis

Our scheme is existentially unforgeable under the adaptive chosen message attacks in the random oracle model.

Theorem 1. Our SCS scheme is existentially unforgeable in ROM for a polynomial-time type 1 adversary. If the adversary can successfully forge a valid signature, then it can solve the problem, where .

Proof. Assume that there is a type 1 adversary who can break the scheme with nonnegligible probability. Then, we can construct a polynomial-time challenger , who runs as a subroutine to solve the problem with nonnegligible probability; that is, wins Game 1:
Game 1 setup: input the security parameter . runs the setup and the KeyGen algorithm to obtain and . Then, publishes and and keeps secret. maintains several initially empty lists: List 0, List 1, List 2, List 3, and List 4. List 0 contains , where is the user’s identity and is the partial public key. List 1 contains , where is the secret key. List 2 contains , where is the partial private key. List 3 contains , where are two random vectors. List 4 contains , where is the signature.
Queries: adaptively issues several queries to :(i)queries: sends a user’s identity to ; then, performs as follows:(1)First looks up in List 0. If found, directly returns the hash value of the public key.(2)Otherwise, randomly selects a matrix and returns it; then, it selects a matrix , and adds to List 0.(ii) queries: sends a message to ; then, performs as follows:(1)First, it looks up in List 3. If found, directly returns the hash value of message .(2)Otherwise, randomly selects a vector from and returns it. Then, it randomly selects two vectors and adds to List 3.(iii)Secret matrix queries: sends an identity to ; then, performs as follows:(1)First, it looks up in List 1. If found, directly returns the user’s secret matrix .(2)Otherwise, selects a matrix from and returns it. Then, it computes , and adds to List 1.(vi)Partial private key queries: sends to ; then, performs as follows:(1)First, it looks up in List 2. If found, directly returns the partial private key .(2)Otherwise, issues a secret matrix query to obtain and runs the algorithm SampleMAT to output a matrix as the partial private key.(3)Finally, returns and adds to List 2.(v)Public key replacement queries: sends and a public key to and then wants to replace the user’s public key. After receiving the identity , replaces the public key with and records this replacement.(vi)Sign queries: sends a message , , and a secret matrix to . Then, performs as follows:(1)First, it looks up the parameters in List 4. If found, directly returns the signature.(2)Otherwise, issues a partial private key query to obtain the signing key , issues a query to obtain , and computes .(3)Finally, returns the signature , where , and adds to List 4.Forgery: after polynomial-time queries finish, outputs a forgery on message for with nonnegligible probability. If the signature can pass the verification and partial private key queries and the sign queries for the message are never involved in this game, then wins the game.
Using the forking lemma [34], replays with different hash values of queries to get another valid signature such that and .
Because is a type 1 adversary that can make public key replacement attacks, it is easy to obtain and . Then, only the partial private key needs to be considered. Since , we have the equality:As , , , with overwhelming probability, we can see thatNow, we prove with nonnegligible probability.
Since , then, by Lemma 4.2 from [33], there is another with probability larger than such that all the columns except for the th column are the same as . And . So, if , then we have . Because and have the same role in our scheme, does not know which one is used in the simulation. Hence, can make with the probability not less than 0.5. As a result, we can construct an algorithm to solve the problem with overwhelming probability, where .

Theorem 2. Our SCS scheme is existentially unforgeable in ROM for a polynomial-time type 2 adversary. If the adversary can successfully forge a valid signature, then it can solve the problem, where .

Proof. Assume that there is a type 2 adversary that can break out the scheme with nonnegligible probability. Then, we can construct a polynomial-time challenger that runs as a subroutine to solve the problem with nonnegligible probability, that is, wins Game 2:
Game 2 Setup: input the security parameter . runs the setup and KeyGen algorithm to obtain and . Then, publishes and and keeps secret. maintains several initially empty lists: List 0, List 1, List 3, and List 4.
Queries: adaptively issues several queries to :(i) queries: it is the same as the above proof.(ii) queries: it is the same as the above proof.(iii)Secret matrix queries: sends a user’s identity to ; then, performs as follows:(1)First, it looks up in List 1. If found, directly returns the user’s secret matrix .(2)Otherwise, randomly selects a matrix from , returns it, then computes , , and adds to List 1.(vi)Sign queries: sends and a message to ; then, performs as follows:(1)First, it looks up the parameters in List 4. If found, directly returns the signature.(2)Otherwise, issues a secret matrix query to obtain , issues a query to obtain the public key, and then computes . also issues a query to obtain and computes .(3)Finally, returns the signature , where , and adds to List 4.Forgery: after polynomial-time queries finish, outputs a forgery on message for with nonnegligible probability. If the signature can pass the verification, and the secret matrix queries and the sign queries for the message are never involved in this game, then wins the game.
Using the forking lemma, replays with different hash values of queries to get another valid signature such that and .
Because is a type 2 adversary that can obtain the partial private key , only the secret key needs to be considered. Moreover, since , we have the equalityAs , , , with overwhelming probability, we can see thatNow, we prove with nonnegligible probability.
Since and according to Lemma 4.2 from [33], there is another secret key with the probability larger than such that all columns except for the th column are the same as . And . So, if , then we know . Because and have the same role in our scheme, the challenger does not know which one is used in the simulation. Therefore, can make with probability not less than 0.5. Finally, we can construct an algorithm to solve the problem with overwhelming probability, where .

5.3. Comparisons

In this section, we compare our scheme with several typical self-certified authentication or signature schemes. We mainly focus on the computational costs, the storage overheads, and several security properties.

As in Table 1, we compare the computational costs. Let , , , , and denote the execution times of a bilinear pairing operation, a scale multiplication for the bilinear pairing, a scale multiplication for the ECC, a polynomial multiplication, and a general hash function operation. Although our scheme has higher computational costs, based on the lattice, our scheme provides more robust security.

As depicted in Table 2, we compare the storage overheads. For the key size, we use an improved trapdoor generation algorithm [32] based on GPV [30] to reduce the dimensionality of the trapdoor. For the signature length, we only use Gaussian sampling in the key extract phase but use the rejection sampling technique in the signature generation phase, which helps to reduce the signature length. Moreover, according to Lemma 2 in [14], if the key is distributed as a discrete Gaussian distribution with the parameter such that , the bit size of is bounded by bits.

In Table 3, we compare the security properties. According to the above tables, Li et al. [10] and Tahat et al.’s [35] schemes are more efficient than the SCS schemes over lattice, where bits and bits. However, their schemes are not secure against quantum attacks because the security is based on the pairing or elliptic curve discrete logarithm problems (ECDLP). Li et al.’s [8] scheme is the first SCS scheme over lattice. It has a shorter key size and signature length because of using NTRU lattice, but it lacks provable security. Our scheme is based on the standard lattice, so the key size and the signature length are less efficient than Li et al.’s scheme. However, our scheme is provably secure in the ROM under the SIS assumption. Therefore, our scheme is more secure against quantum computers.

6. Conclusion and Further Work

In this paper, we propose a self-certified signature scheme over the standard lattice, which authenticates the integrity of the message and the user’s public key and identity without the need for additional certificates, thus not only avoiding the key escrow problems and public key replacement attacks but also preventing quantum attacks. Based on the hardness of the SIS assumption, our scheme is provably secure in the random oracle model. Our scheme is more feasible than previous schemes.

Future work: we consider the standard model. The standard model is more secure and practical than the random oracle model. Hence, our further work is to transfer our scheme into a SCS scheme in the standard model. Furthermore, the efficiency of the scheme can be further improved.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the National Natural Science Foundation of China (no. 61662004).

References

Qi Jiang, X. Zhang, N. Zhang, Y. Tiane, X. Maa, and J. Ma, “Three-factor authentication protocol using physical unclonable function for iov,” Computer Communications, vol. 173, pp. 45–55, 2021.
View at: Publisher Site | Google Scholar
C. Wang, D. Wang, G. Xu, and D. He, “Efficient privacy-preserving user authentication scheme with forward secrecy for industry 4.0,” Science China Information Sciences, vol. 65, no. 1, p. 112301, 2021.
View at: Publisher Site | Google Scholar
S. Qiu and D. Wang, “Revisiting three anonymous two-factor authentication schemes for roaming service in global mobility networks,” Journal of Surveillance, Security and Safety, vol. 2, no. 2, pp. 66–82, 2021.
View at: Publisher Site | Google Scholar
A. Boldyreva, M. Fischlin, A. Palacio, and B. Warinschi, “A closer look at PKI: security and efficiency,” in Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography, T. Okamoto and X. Wang, Eds., pp. 458–475, Springer, Beijing, China, April 2007.
View at: Publisher Site | Google Scholar
A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of the Advances in Cryptology, Proceedings of CRYPTO ’84, pp. 47–53, Springer, Santa Barbara, California, USA, August 1984.
View at: Publisher Site | Google Scholar
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proceedings of the 9th International Conference on the Theory and Application of Cryptology and Information Security, C.-S. Laih, Ed., pp. 452–473, Springer, Taipei, Taiwan, November-December 2003.
View at: Publisher Site | Google Scholar
M. Girault, “Self-certified public keys,” in Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, pp. 490–497, Springer, Brighton, UK, April 1991.
View at: Publisher Site | Google Scholar
D. Li, H. Chen, C. Zhong, T. Li, and F. Wang, “A new self-certified signature scheme based on ntrusing for smart mobile communications,” Wireless Personal Communications, vol. 96, no. 3, pp. 4263–4278, 2017.
View at: Publisher Site | Google Scholar
Y. Chen and J. Chen, “Anonymous and provably secure authentication protocol using self-certified cryptography for wireless sensor networks,” Multimedia Tools and Applications, vol. 80, no. 10, pp. 15291–15313, 2021.
View at: Google Scholar
H. Li, F. Guo, L. Wang, J. Wang, B. Wang, and C. Wu, “A blockchain-based public auditing protocol with self-certified public keys for cloud data,” Security and Communication Networks, vol. 2021, no. 1, pp. 6623639–10, 2021.
View at: Publisher Site | Google Scholar
X. Li, Y. Han, J. Gao, and J. Niu, “Secure hierarchical authentication protocol in VANET,” IET Information Security, vol. 14, no. 1, pp. 99–110, 2020.
View at: Publisher Site | Google Scholar
P. W. Shor, Polynomial-time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 1997, https://arxiv.org/abs/quant-ph/9508027.
L. Ducas, E. Kiltz, T. Lepoint et al., “Crystals-dilithium: a lattice-based digital signature scheme,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 1, pp. 238–268, 2018.
View at: Publisher Site | Google Scholar
R. El Bansarkhani and J. Buchmann, “Improvement and efficient implementation of a lattice-based signature scheme,” in Proceedings of the Selected Areas in Cryptography - Sac 2013, vol. 8282, pp. 48–67, Burnaby, BC, Canada, August 2013.
View at: Publisher Site | Google Scholar
N. Genise and D. Micciancio, “Faster Gaussian sampling for trapdoor lattices with arbitrary modulus,” in Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, N. Jesper Buus and R. Vincent, Eds., pp. 174–203, Springer, Tel Aviv, Israel, April-May 2018.
View at: Publisher Site | Google Scholar
M. N. S. Perera and T. Koshiba, “Fully dynamic group signature scheme with member registration and verifier-local revocation,” in Proceedings of the ICMC: International Conference on Mathematics and Computing, D. Ghosh, D. Giri, R. N. Mohapatra, K. Sakurai, E. Savas, and T. Som, Eds., pp. 399–415, Springer Singapore, Varanasi India, January 2018.
View at: Publisher Site | Google Scholar
W. Shen, J. Qin, J. Yu, R. Hao, and J. Hu, “Enabling identity-based integrity auditing and data sharing with sensitive information hiding for secure cloud storage,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 2, pp. 331–346, 2019.
View at: Publisher Site | Google Scholar
T. Gowri, G. Srinivasa Rao, P. Vasudeva Reddy, N. B. Gayathri, and D. V. Rama Koti Reddy, “Efficient pairing-free certificateless signature scheme for secure communication in resource-constrained devices,” IEEE Communications Letters, vol. 24, no. 8, pp. 1641–1645, 2020.
View at: Publisher Site | Google Scholar
Z. Xu, M. Luo, M. K. Khan, K.-K. R. Choo, and D. He, “Analysis and improvement of a certificateless signature scheme for resource-constrained scenarios,” IEEE Communications Letters, vol. 25, no. 4, pp. 1074–1078, 2021.
View at: Publisher Site | Google Scholar
Z. Shao, “Self-certified signature scheme from pairings,” Journal of Systems and Software, vol. 80, no. 3, pp. 388–395, 2007.
View at: Publisher Site | Google Scholar
X. Qi, “Provably secure self-certified multi-proxy signature with message recovery,” Journal of Networks, vol. 7, no. 10, pp. 1616–1623, 2012.
View at: Publisher Site | Google Scholar
F. Wu and L. Xu, “An improved and provable self-certified digital signature scheme with message recovery,” International Journal of Communication Systems, vol. 28, no. 2, pp. 344–357, 2015.
View at: Publisher Site | Google Scholar
M. Sadeghpour, “Cryptanalysis and modification of an improved self- certified digital signature scheme with message recovery,” AMERICAN SCIENTIFIC RESEARCH JOURNAL FOR ENGINEERING, TECHNOLOGY, AND SCIENCES (ASRJETS), vol. 28, pp. 257–265, 2017.
View at: Google Scholar
B. Ying and A. Nayak, “Lightweight remote user authentication protocol for multi-server 5g networks using self-certified public key cryptography,” Journal of Network and Computer Applications, vol. 131, pp. 66–74, 2019.
View at: Publisher Site | Google Scholar
B. A. Alzahrani, S. Ashraf Chaudhry, B. Ahmed, A. Al-Barakati, and T. Shon, “An anonymous device to device authentication protocol using ecc and self certified public keys usable in internet of things based autonomous devices,” Electronics, vol. 9, no. 3, 2020.
View at: Publisher Site | Google Scholar
M. Tian and L. Huang, “Certificateless and certificate‐based signatures from lattices,” Security and Communication Networks, vol. 8, no. 8, pp. 1575–1586, 2015.
View at: Publisher Site | Google Scholar
S. Chang, H. Sook Lee, J. Lee, and S. Lim, “Security analysis of a certificateless signature from lattices,” Security and Communication Networks, vol. 2017, no. 1, pp. 3413567–7, 2017.
View at: Publisher Site | Google Scholar
K.-A. Shim, “Security vulnerabilities of four signature schemes from NTRU lattices and pairings,” IEEE Access, vol. 8, pp. 85019–85026, 2020.
View at: Publisher Site | Google Scholar
M. Ajtai, “Generating hard instances of lattice problems (extended abstract),” in Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC ’96, pp. 99–108, Association for Computing Machinery, New York, NY, USA, July 1996.
View at: Publisher Site | Google Scholar
G. Craig, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the fortieth annual ACM symposium on Theory of computing, pp. 197–206, Association for Computing Machinery, New York, NY, USA, May 2008.
View at: Publisher Site | Google Scholar
D. Micciancio and O. Regev, “Worst-case to average-case reductions based on Gaussian measures,” in Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 372–381, Rome, Italy, October 2004.
View at: Publisher Site | Google Scholar
D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, tighter, faster, smaller,” in Proceedings of the 31st Annual International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’12, pp. 700–718, Springer-Verlag, Cambridge, UK, April 2012.
View at: Publisher Site | Google Scholar
V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 738–755, Cambridge, UK, April 2012.
View at: Publisher Site | Google Scholar
D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, vol. 13, no. 3, pp. 361–396, 2000.
View at: Publisher Site | Google Scholar
N. Tahat, A. K. Alomari, O. M. Al-Hazaimeh, and M. F. Al-Jamal, “An efficient self-certified multi-proxy signature scheme based on elliptic curve discrete logarithm problem,” Journal of Discrete Mathematical Sciences and Cryptography, vol. 23, no. 4, pp. 935–948, 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2021 Qiang Yang and Daofeng Li. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

458

Downloads

565

Citations