Abstract
Puncturable signature (PS), proposed by Bellare, Stepanovs and Waters at EUROCRYPT 2016, is a special kind of digital signature that supports a fine-grained revocation of signing capacity by updating the secret key with selective messages. Puncturable signature has many usages like asynchronous transaction data signing services and proof-of-stake blockchain protocols. Meanwhile, it is an essential building block in constructing disappearing signatures in the bounded storage model. In this paper, we propose the first generic construction of puncturable signature from identity-based signature by treating identities as prefixes. With the help of our generic framework, we present different puncturable signature instantiations over lattices, bilinear maps, and multivariate public key cryptography (MPKC). Specifically, the lattice-based instantiation is based on the short integer solution (SIS) assumption and is proven secure in the random oracle model. Besides, the pairing-based instantiation is based on the computational Diffie-Hellman (CDH) assumption and is proven secure in the standard model. In addition, we show that the instantiation over MPKC is secure under current attacks.
References
Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108 (1996)
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: 26th International Symposium on Theoretical Aspects of Computer Science STACS 2009, pp. 75–86. IBFI Schloss Dagstuhl (2009)
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Annal. 296(1), 625–635 (1993)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 390–399 (2006)
Bellare, M., Stepanovs, I., Waters, B.: New negative results on differing-inputs obfuscation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 792–821. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_28
Cao, W., Hu, L., Ding, J., Yin, Z.: Kipnis-Shamir attack on unbalanced oil-vinegar scheme. In: Bao, F., Weng, J. (eds.) ISPEC 2011. LNCS, vol. 6672, pp. 168–180. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21031-0_13
Chen, J., Ling, J., Ning, J., Ding, J.: Identity-based signature schemes for multivariate public key cryptosystems. Comput. J. 62(8), 1132–1147 (2019)
Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 402–421. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_24
Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206 (2008)
Guan, J., Zhandry, M.: Disappearing cryptography in the bounded storage model. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13043, pp. 365–396. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_13
Halevi, S., Ishai, Y., Jain, A., Komargodski, I., Sahai, A., Yogev, E.: Non-interactive multiparty computation without correlated randomness. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 181–211. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_7
Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_15
Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055733
Li, X., Xu, J., Fan, X., Wang, Y., Zhang, Z.: Puncturable signatures and applications in proof-of-stake blockchain protocols. IEEE Trans. Inf. Forens. Secur. 15, 3872–3885 (2020)
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Maurer, U.M.: Conditionally-perfect secrecy and a provably-secure randomized cipher. J. Cryptol. 5(1), 53–66 (1992). https://doi.org/10.1007/BF00191321
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006). https://doi.org/10.1007/11780656_18
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Tian, M., Huang, L.: Identity-based signatures from lattices: simpler, faster, shorter. Fundam. Inf. 145(2), 171–187 (2016)
Yi, P., et al.: An efficient identity-based signature scheme with provable security. Inf. Sci. 576, 790–799 (2021)
Acknowledgements
This work is partially supported by the Australian Research Council Linkage Project LP190100984. Mei Jiang has been sponsored by the CSC scholarship from China and the CSC Top-Up scholarship from the University of Wollongong.
Appendices
A Proof for Lattice-Based Instantiation
Theorem 4
In the random oracle model, suppose that there exists a PPT forger \(\mathcal {F}\) who makes at most \(q_{H}\) random oracle queries to \(H_1\), issues at most \(q_S\) signing queries, and succeeds in producing a forged signature with probability \(\delta \). Then there exists a PPT challenger \(\mathcal {C}\) that, for a given \(\textbf{A} \overset{\$}{\leftarrow }\ \mathbb {Z}_q^{n \times m}\), finds a non-zero \(\textbf{v} \in \mathbb {Z}^m\) such that \(\textbf{Av}=0\) and \(\left\| \textbf{v} \right\| \le (4\sigma _1+2\sigma _0 \theta ) \sqrt{m}\) with probability at least
Proof
The theorem is proved in two steps. First, we show that the real signing algorithm can be replaced by a hybrid algorithm that programs the random oracle; this replacement is where the rejection sampling technique is needed. Second, using the forking lemma [4], we show that the challenger \(\mathcal {C}\) can use a valid forged signature to find a non-zero short vector \(\textbf{v} \in \mathbb {Z}^m\) such that \(\textbf{Av} = 0\) for a given matrix \(\textbf{A} \in \mathbb {Z}_q^{n \times m}\).
Lemma 2
Let \(\mathcal {D}\) be a distinguisher who can query the random oracle \(H_1\) and either the real signing algorithm or Hybrid 2 in Fig. 1. If \(\mathcal {D}\) makes at most \(q_H\) random oracle queries to \(H_1\) and at most \(q_S\) signing queries, then for all but an \(e^{-\varOmega (n)}\) fraction of all possible \(\textbf{A}\), its advantage in distinguishing the real signing algorithm from Hybrid 2 is at most \(q_S(q_H+q_S)\cdot 2^{-n+1} + q_S \cdot \frac{2^{-\omega (\log m)}}{M}\).
Proof
The difference between the real signing algorithm and Hybrid 1 is the output of the random oracle \(H_1\). In Hybrid 1, the output of \(H_1\) is chosen uniformly at random from \(\left\{ v: v \in \left\{ -1,0,1\right\} ^d, \left\| v \right\| _1 \le \theta \right\} \) and then programmed as \(H_1(\textbf{Az}-H_0(p)\textbf{h},\mu ) = H_1(\textbf{Ay},\mu )\). There are at most \(q_S+q_H\) values of \((\textbf{Ay},\mu )\), since \(\mathcal {D}\) issues \(H_1\) queries and signing queries at most \(q_H\) and \(q_S\) times respectively. By Lemma 1, the probability of generating a \(\textbf{y}\) such that \(\textbf{Ay}\) is equal to a previously queried value is at most \(2^{-n+1}\). Thus the probability that a collision occurs after running Hybrid 1 \(q_S\) times is at most \(q_S(q_S+q_H)2^{-n+1}\). By the rejection sampling technique, the statistical distance between the outputs of Hybrid 1 and Hybrid 2 is at most \(\frac{2^{-\omega (\log m)}}{M}\). More details can be found in [16].
Lemma 3
Assume that there exists a PPT forger \(\mathcal {F}\) who makes at most \(q_{H}\) random oracle queries to \(H_1\), issues at most \(q_S\) signing queries to the signer in Hybrid 2, and succeeds in producing a forged signature with probability \(\delta \). Then there exists a PPT challenger \(\mathcal {C}\) that, for a given \(\textbf{A} \overset{\$}{\leftarrow }\ \mathbb {Z}_q^{n \times m}\), finds a non-zero \(\textbf{v} \in \mathbb {Z}^m\) such that \(\textbf{Av}=0\) and \(\left\| \textbf{v} \right\| \le (4\sigma _1+2\sigma _0 \theta ) \sqrt{m}\) with probability at least
Proof
Given an SIS instance \(\textbf{A} \overset{\$}{\leftarrow }\ \mathbb {Z}_q^{n \times m}\), the challenger \(\mathcal {C}\) simulates the signature setting for the forger \(\mathcal {F}\) as follows.
Setup. The challenger \(\mathcal {C}\) initializes two empty sets \(Q_{pun}\) and \(Q_{sig}\) for punctured prefixes and queried messages respectively. Then it initializes two empty lists \(L_0\) and \(L_1\) for the outputs of \(H_0\) and \(H_1\) queries. After that, the challenger \(\mathcal {C}\) sets \(pk = \textbf{A}\) and returns it to \(\mathcal {F}\). Finally, \(\mathcal {C}\) generates the key related to each prefix \(p \in \mathcal {P}\) as follows. It randomly chooses matrices \(s_0,\cdots ,s_{2^\ell -1}\) from \(\mathbb {Z}^{m \times d}\) such that each column of \(s_i\) is drawn from \(D_{\mathbb {Z}^m,\sigma }\) for \(i \in [2^\ell ]\), and stores them in the array T. For each prefix \(p \in \mathcal {P}\), \(\mathcal {C}\) computes \(H_0(p) = \textbf{A} \cdot s_i \mod q\) and stores \((i,s_i,H_0(p))\) in \(L_0[\cdot ]\), where \(i = (p)_{10}\) denotes the integer whose binary representation is p.
Query. The forger \(\mathcal {F}\) adaptively issues the following queries polynomially many times. For simplicity, we assume that \(\mathcal {F}\) makes the \(H_0(p)\) query before any other query involving the same prefix p.
- \(H_0(p)\) Query. The challenger \(\mathcal {C}\) checks the list \(L_0[\cdot ]\) and returns \(H_0(p)\) to \(\mathcal {F}\).
- \(H_1(\textbf{Ay},\mu )\) Query. The challenger \(\mathcal {C}\) checks the list \(L_1[\cdot ]\). If \(H_1(\textbf{Ay},\mu )\) is not defined, \(\mathcal {C}\) chooses a random value from \(\left\{ v: v \in \left\{ -1,0,1\right\} ^d, \left\| v \right\| _1 \le \theta \right\} \) and stores \(((\textbf{Ay},\mu ),H_1(\textbf{Ay},\mu ))\) in \(L_1\). Then \(\mathcal {C}\) returns \(H_1(\textbf{Ay},\mu )\) to \(\mathcal {F}\).
- Puncture Query. After receiving a prefix p, \(\mathcal {C}\) sets \(T[j] = 0\) and \(Q_{pun} = Q_{pun} \cup \left\{ p\right\} \), where \(j = (p)_{10}\). Other positions in T remain the same.
- Signature Query. After receiving a message \(\mu \), the challenger \(\mathcal {C}\) generates a puncturable signature according to Hybrid 2 and returns it to \(\mathcal {F}\). Then \(\mathcal {C}\) stores \(H_1(\textbf{Ay},\mu )\) in the list \(L_1[\cdot ]\) and sets \(Q_{sig} = Q_{sig} \cup \left\{ \mu \right\} \).
Challenge. The forger \(\mathcal {F}\) sends a target prefix \(p^*\) to \(\mathcal {C}\) and issues additional queries as described in the Query phase with a condition that \(\mathcal {F}\) cannot make any signature query on messages with the prefix \(p^*\).
Corruption. The challenger \(\mathcal {C}\) returns the current secret key \(sk=T\) if \(p^* \in \mathcal {P}\) and \(\bot \) otherwise.
Forgery. Without loss of generality, assume that the forger \(\mathcal {F}\) issued the \(H_1\) query on \(\mu \) before outputting the forgery on message \(\mu \). If \(\mathcal {F}\) returns \(\bot \), the challenger \(\mathcal {C}\) outputs \(\bot \) as well. Otherwise, \(\mathcal {F}\) outputs a puncturable signature \(sig = (\textbf{z},\textbf{h})\) on message \(\mu \) with the punctured prefix \(p^*\). Then \(\mathcal {C}\) checks whether \(\textbf{h} = H_1 (\textbf{Az}-H_0(p)\textbf{h},\mu )\), \(\left\| \textbf{z} \right\| \le 2\sigma _1 \sqrt{m}\) and \(\mu \notin Q_{sig}\). If all three conditions hold, the forged signature produced by \(\mathcal {F}\) is valid.
With the forking lemma [4], the challenger \(\mathcal {C}\) rewinds \(\mathcal {F}\) with the same random tape but different answers to the \(H_1\) queries. Therefore, \(\mathcal {F}\) forges a new signature \(sig^\prime = (\textbf{z}^\prime ,\textbf{h}^\prime )\) on the same message \(\mu \) with prefix \(p^*\) such that
By plugging \(H_0 (p^*) = \textbf{A} \cdot s_{i^*}\) and \(i^* = (p^*)_{10}\) into the above equality, we have
Since \(\left\| \textbf{z} \right\| , \left\| \textbf{z}^\prime \right\| \le 2\sigma _1 \sqrt{m}\) and \(\left\| s_{i^*} \textbf{h} \right\| , \left\| s_{i^*} \textbf{h}^\prime \right\| \le \sigma _0 \lambda \sqrt{m}\) hold with overwhelming probability, we have
Now we show that \(\textbf{z}-\textbf{z}^\prime + s_{i^*}(\textbf{h}^\prime -\textbf{h}) \ne 0\). By the preimage min-entropy property [10], there exists another key \(s_{i^*}^\prime \) such that \(\textbf{A}s_{i^*} = \textbf{A}s_{i^*}^\prime = H_0(i^*)\). If \(\textbf{z}-\textbf{z}^\prime + s_{i^*}(\textbf{h}^\prime -\textbf{h}) = 0\), then \(\textbf{z}-\textbf{z}^\prime + s_{i^*}^\prime (\textbf{h}^\prime -\textbf{h}) \ne 0\). Since the signature is independent of which of the two keys is used, \(\mathcal {F}\) cannot tell which key was used in the simulation. Therefore, we obtain a non-zero solution with probability at least \(\frac{1}{2}\), since each key is chosen with equal probability. This means that \(\mathcal {C}\) solves an SIS instance with \(\beta \le (4\sigma _1+2\sigma _0 \lambda ) \sqrt{m}\), which is assumed to be hard.
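As an added illustration (not code from the paper), the following Python toy follows the structure that the simulation above makes explicit: the key array T holds one short matrix \(s_i\) per prefix p with \(i = (p)_{10}\), \(H_0(p)\) is programmed as \(\textbf{A} \cdot s_i \mod q\), a Puncture Query zeroes the slot \(T[j]\), and a signature \((\textbf{z},\textbf{h})\) verifies exactly when \(\textbf{h} = H_1(\textbf{Az}-H_0(p)\textbf{h},\mu )\) and \(\textbf{z}\) is short. All parameter values, the ternary key distribution standing in for \(D_{\mathbb {Z}^m,\sigma }\), the box-shaped rejection step standing in for the Gaussian rejection sampling of [16], the \(\ell _\infty \) bound standing in for \(\left\| \textbf{z} \right\| \le 2\sigma _1 \sqrt{m}\), the SHA-256-based stand-in for the random oracle \(H_1\), and the convention that a message carries its own prefix are assumptions of this example; the parameters are deliberately tiny and provide no security.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
N, M, D, Q = 4, 12, 16, 257  # A is N x M over Z_q; each prefix key s_i is M x D
THETA = 6                    # l1 bound on hash outputs h in {-1,0,1}^D
B = 100                      # masking range for y; z is accepted iff ||z||_inf <= B - THETA
ELL = 2                      # prefix length in bits, so 2**ELL prefixes in total


def matvec(A, v, q=None):
    """Matrix (list of rows) times vector, optionally reduced mod q."""
    out = [sum(a * x for a, x in zip(row, v)) for row in A]
    return [o % q for o in out] if q else out


def matmul(A, S, q):
    """Matrix product A*S mod q, with S given as a list of rows."""
    return [[sum(a * s for a, s in zip(row, col)) % q for col in zip(*S)] for row in A]


def H1(u, mu):
    """Stand-in for the random oracle H_1: map (A*y mod q, message) to h in {-1,0,1}^D, ||h||_1 <= THETA."""
    digest = hashlib.sha256(",".join(map(str, u)).encode() + b"|" + mu).digest()
    h = [0] * D
    for k in range(THETA):
        idx, sign = digest[2 * k] % D, 1 if digest[2 * k + 1] % 2 else -1
        h[idx] = sign  # overwriting a repeated index keeps entries in {-1,0,1} and ||h||_1 <= THETA
    return h


def keygen(rng):
    """Mirror the challenger's Setup: public A, prefix keys T[i] = s_i, and H_0(p) programmed as A*s_i mod q."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    # Assumption: small uniform ternary entries stand in for the discrete Gaussian D_{Z^m,sigma}.
    T = [[[rng.choice((-1, 0, 1)) for _ in range(D)] for _ in range(M)] for _ in range(2 ** ELL)]
    h0 = {format(i, f"0{ELL}b"): matmul(A, T[i], Q) for i in range(2 ** ELL)}
    return A, T, h0


def puncture(T, p):
    """Puncture Query: revoke signing capacity for prefix p by zeroing slot j = (p)_10 of the key array."""
    T[int(p, 2)] = None


def sign(A, T, p, mu, rng):
    """Fiat-Shamir-with-aborts signing under the key of prefix p; returns None once p is punctured."""
    s = T[int(p, 2)]
    if s is None:
        return None
    while True:
        y = [rng.randint(-B, B) for _ in range(M)]
        h = H1(matvec(A, y, Q), mu)
        z = [yj + sh for yj, sh in zip(y, matvec(s, h))]   # z = y + s*h, so A*z - H_0(p)*h = A*y
        # Assumption: a box-shaped rejection step replaces the Gaussian rejection sampling of [16].
        if max(abs(zj) for zj in z) <= B - THETA:
            return z, h


def verify(A, h0, p, mu, sig):
    """The check from the Forgery step: h = H_1(A*z - H_0(p)*h, mu) together with the norm bounds."""
    if sig is None:
        return False
    z, h = sig
    if max(abs(zj) for zj in z) > B - THETA or sum(abs(x) for x in h) > THETA:
        return False
    u = [(az - hh) % Q for az, hh in zip(matvec(A, z), matvec(h0[p], h))]
    return h == H1(u, mu)


def demo(seed=1):
    """Walk through signing, puncturing and re-verification; returns the outcome of each check."""
    rng = random.Random(seed)
    A, T, h0 = keygen(rng)
    mu = b"10|transfer 5 coins"          # constructed message; by convention its prefix is "10"
    sig = sign(A, T, "10", mu, rng)
    out = {
        "fresh_verifies": verify(A, h0, "10", mu, sig),
        "tampered_rejected": not verify(A, h0, "10", mu + b"!", sig),
        "wrong_prefix_rejected": not verify(A, h0, "11", mu, sig),
    }
    puncture(T, "10")
    out["punctured_cannot_sign"] = sign(A, T, "10", mu, rng) is None
    out["old_sig_still_valid"] = verify(A, h0, "10", mu, sig)   # puncturing revokes future signing only
    other = b"01|other"
    out["other_prefix_still_signs"] = verify(A, h0, "01", other, sign(A, T, "01", other, rng))
    return out


if __name__ == "__main__":
    print(demo())
```

The identity \(\textbf{Az}-H_0(p)\textbf{h} = \textbf{Ay}\) is what lets the verifier recompute the hash input without knowing \(s_i\); the demo also shows the puncturing semantics of the abstract, namely that zeroing \(T[j]\) stops future signing under that prefix while signatures issued earlier remain valid.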
B Security Analysis for Multivariate-Based Instantiation
We describe the known attacks on MPKC as applied to our multivariate-based instantiation and show that the proposed scheme is secure against them.
The Kipnis and Shamir Attack. The Kipnis and Shamir attack [14] targets the balanced Oil and Vinegar scheme, which contains o oil variables and v vinegar variables. The aim of the attack is to find the preimage of the Oil subspace \(O = \left\{ x \in K_n: x_1 = \cdots = x_v = 0 \right\} \) under the invertible affine transformation T. To achieve this, it forms a random linear combination \(P = \sum _{j=1}^{o} \beta _j H_j\), multiplies it by the inverse of one of the \(H_i\), and computes the invariant subspaces of the resulting matrix.
As mentioned in [6], the Kipnis and Shamir attack takes time about \(O(q^{v-o-1}o^4)\) to break a (q, v, o) unbalanced Oil and Vinegar (UOV) scheme. The Rainbow scheme can be regarded as a multi-layer UOV scheme, where the number of vinegar variables at layer \(\ell \) is the sum of the numbers of oil and vinegar variables at layer \(\ell -1\). When applying such an attack to the identity-based Rainbow scheme, one treats all polynomials as polynomials of the last layer, which contains \(v_{\ell }\) vinegar variables and \(o_{\ell }\) oil variables. Its complexity is \(q^{n-2o_{\ell }-1}o_{\ell }^4\), where \(n = v_{\ell }+o_{\ell }\). For our instantiation over MPKC, the attack does not lead to any additional security threat, and the instantiation enjoys the same complexity as the underlying identity-based Rainbow signature.
MinRank Attack. The MinRank attack is based on the MinRank problem [8], which asks for a linear (or affine) combination of given matrices that has small rank. Let \(H_i\) be the symmetric matrix representing the homogeneous quadratic part of the i-th public polynomial. In the MinRank attack, one tries to find a linear combination \(H = \sum _{i=1}^m \alpha _i H_i\) of the matrices representing the homogeneous quadratic parts of the public polynomials such that \(\textrm{rank}(H) = r < n\).
For identity-based Rainbow, the first layer has the smallest possible rank \(v_1+o_1\), where \(v_1\) and \(o_1\) denote the numbers of vinegar and oil variables respectively. Assuming that the matrices related to the public key are \(Q_1,\cdots ,Q_m\), the MinRank attack seeks the linear combination \(M = \sum _{k=1}^{m} \lambda _kQ_k\) with minimum rank r. Following the analysis in [7], the total complexity of the MinRank attack on identity-based Rainbow is estimated as \(q^{r+1} \times m^3\). Our puncturable scheme keeps the same complexity as identity-based Rainbow, since the construction of the public key is identical.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Jiang, M., Duong, D.H., Susilo, W. (2022). Puncturable Signature: A Generic Construction and Instantiations. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_25
DOI: https://doi.org/10.1007/978-3-031-17146-8_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8