Forward-Secure Revocable Secret Handshakes from Lattices

Conference paper, Post-Quantum Cryptography (PQCrypto 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13512))

Abstract

Secret handshake (\(\textsf{SH}\)), as a fundamental privacy-preserving primitive, allows members of the same organization to anonymously authenticate each other. Since its proposal by Balfanz et al., numerous constructions have been proposed, among which only the ones separately designed by Zhang et al. over codes and An et al. over lattices are secure against quantum attacks. However, none of the known schemes considers the issue of key exposure, which is a common threat to cryptosystem implementations. To guarantee users’ privacy against key exposure attacks, the forward-security mechanism is believed to be a promising countermeasure: secret keys are periodically evolved in a one-way manner, so that users’ past transactions remain protected even if a break-in happens.

In this work we formalize the model of forward-secure secret handshake and present the first lattice-based instantiation, where the ABB \(\textsf{HIBE}\) is applied to handle the key evolution process by regarding time periods as hierarchies. In particular, dynamic revocability is captured by upgrading the static verifier-local revocation techniques into updatable ones. To achieve anonymous handshakes with ease, we present a generic way of transforming zero-knowledge argument systems of the Fiat-Shamir-with-abort type into mutual authentication protocols. Our scheme is proved secure under the Short Integer Solution (\(\textsf{SIS}\)) and Learning With Errors (\(\textsf{LWE}\)) assumptions in the random oracle model.

Notes

  1. We refer readers to Sect. 5 for more information on these equations.

References

  1. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10

  2. Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_6

  3. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Miller, G.L. (ed.) STOC 1996, pp. 99–108. ACM (1996). https://doi.org/10.1145/237814.237838

  4. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011). https://doi.org/10.1007/s00224-010-9278-3

  5. An, Z., Zhang, Z., Wen, Y., Zhang, F.: Lattice-based secret handshakes with reusable credentials. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds.) ICICS 2021. LNCS, vol. 12919, pp. 231–248. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88052-1_14

  6. Ateniese, G., Kirsch, J., Blanton, M.: Secret handshakes with dynamic and fuzzy matching. In: NDSS 2007. The Internet Society (2007). https://www.ndss-symposium.org/ndss2007/secret-handshakes-dynamic-and-fuzzy-matching/

  7. Balfanz, D., Durfee, G., Shankar, N., Smetters, D.K., Staddon, J., Wong, H.: Secret handshakes from pairing-based key agreements. In: S&P 2003, pp. 180–196. IEEE Computer Society (2003). https://doi.org/10.1109/SECPRI.2003.1199336

  8. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  9. Böhl, F., Hofheinz, D., Jager, T., Koch, J., Striecks, C.: Confined guessing: new signatures from standard assumptions. J. Cryptol. 28(1), 176–208 (2015). https://doi.org/10.1007/s00145-014-9183-z

  10. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

  11. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) CCS 2004, pp. 168–177. ACM (2004). https://doi.org/10.1145/1030083.1030106

  12. Boyen, X., Shacham, H., Shen, E., Waters, B.: Forward-secure signatures with untrusted update. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) CCS 2006, pp. 191–200. ACM (2006). https://doi.org/10.1145/1180405.1180430

  13. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988). https://doi.org/10.1016/0022-0000(88)90005-0

  14. Brickell, E., Pointcheval, D., Vaudenay, S., Yung, M.: Design validations for discrete logarithm based signature schemes. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 276–292. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_19

  15. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16

  16. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27

  17. Castelluccia, C., Jarecki, S., Tsudik, G.: Secret handshakes from CA-oblivious encryption. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 293–307. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_21

  18. ETSI: ETSI TR 103 570: CYBER; Quantum-Safe Key Exchange, 1.1.1 edn (2017)

  19. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) STOC 2008, pp. 197–206. ACM (2008). https://doi.org/10.1145/1374376.1374407

  20. Hou, L., Lai, J., Liu, L.: Secret handshakes with dynamic expressive matching policy. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 461–476. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_28

  21. Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_20

  22. Jarecki, S., Kim, J., Tsudik, G.: Group secret handshakes or affiliation-hiding authenticated group key agreement. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 287–308. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_19

  23. Jarecki, S., Liu, X.: Private mutual authentication and conditional oblivious transfer. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 90–107. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_6

  24. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13

  25. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 101–131. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_4

  26. Libert, B., Yung, M.: Dynamic fully forward-secure group signatures. In: Feng, D., Basin, D.A., Liu, P. (eds.) ASIACCS 2010, pp. 70–81. ACM (2010). https://doi.org/10.1145/1755688.1755698

  27. Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8

  28. Ling, S., Nguyen, K., Wang, H., Xu, Y.: Forward-secure group signatures from lattices. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 44–64. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_3

  29. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). https://doi.org/10.1137/S0097539705447360

  30. Michalevsky, Y., Nath, S., Liu, J.: Mashable: mobile applications of secret handshakes over bluetooth LE. In: Chen, Y., Gruteser, M., Hu, Y.C., Sundaresan, K. (eds.) MobiCom 2016, pp. 387–400. ACM (2016). https://doi.org/10.1145/2973750.2973778

  31. Nakanishi, T., Funabiki, N.: Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 533–548. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_29

  32. Nakanishi, T., Hira, Y., Funabiki, N.: Forward-secure group signatures from pairings. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 171–186. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_12

  33. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 333–342. ACM (2009). https://doi.org/10.1145/1536414.1536461

  34. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  35. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) STOC 2005, pp. 84–93. ACM (2005). https://doi.org/10.1145/1060590.1060603

  36. Song, D.X.: Practical forward secure group signature schemes. In: Reiter, M.K., Samarati, P. (eds.) CCS 2001, pp. 225–234. ACM (2001). https://doi.org/10.1145/501983.502015

  37. Tian, Y., Li, Y., Zhang, Y., Li, N., Yang, G., Yu, Y.: DSH: deniable secret handshake framework. In: Su, C., Kikuchi, H. (eds.) ISPEC 2018. LNCS, vol. 11125, pp. 341–353. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99807-7_21

  38. Wen, Y., Zhang, F.: A new revocable secret handshake scheme with backward unlinkability. In: Camenisch, J., Lambrinoudakis, C. (eds.) EuroPKI 2010. LNCS, vol. 6711, pp. 17–30. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22633-5_2

  39. Wen, Y., Zhang, F., Wang, H., Gong, Z., Miao, Y., Deng, Y.: A new secret handshake scheme with multi-symptom intersection for mobile healthcare social networks. Inf. Sci. 520, 142–154 (2020)

  40. Xu, S., Yung, M.: k-anonymous secret handshakes with reusable credentials. In: Atluri, V., Pfitzmann, B., McDaniel, P.D. (eds.) CCS 2004, pp. 158–167. ACM (2004). https://doi.org/10.1145/1030083.1030105

  41. Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6

  42. Zhang, Z., Zhang, F., Tian, H.: CSH: a post-quantum secret handshake scheme from coding theory. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 317–335. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_16

  43. Zhou, L., Susilo, W., Mu, Y.: Three-round secret handshakes based on ElGamal and DSA. In: Chen, K., Deng, R., Lai, X., Zhou, J. (eds.) ISPEC 2006. LNCS, vol. 3903, pp. 332–342. Springer, Heidelberg (2006). https://doi.org/10.1007/11689522_31

Acknowledgements

This work is supported by Guangdong Major Project of Basic and Applied Basic Research (2019B030302008) and the National Natural Science Foundation of China (No. 61972429) and Guangdong Basic and Applied Basic Research Foundation (No. 2019A1515011797) and the Opening Project of Guangdong Provincial Key Laboratory of Information Security Technology (2020B1212060078-09).

Correspondence to Fangguo Zhang .

A Deferred Proof of Theorem 3

Proof

We prove Theorem 3 by separately proving that our scheme satisfies the three required properties defined in Sect. 3.

Forward Impersonator Resistance. We prove this property by contradiction. Suppose that a PPT adversary \(\mathcal A\) succeeds in experiment \(\textbf{Exp}^{\mathsf F\text{- }\textsf{IR}}_{\mathcal A}\) with non-negligible advantage \(\epsilon \). Then we can build a PPT algorithm \(\mathcal B\) that solves the \(\textsf{SIS}_{n,m,q,2\sqrt{m}\beta _d}\) problem with non-negligible probability.

Given an \(\textsf{SIS}\) instance \(\textbf{A}\in \mathbb Z_q^{n\times m}\), the goal of \(\mathcal B\) is to find a non-zero vector \(\textbf{z}\in \mathbb Z_q^m\) such that \(\textbf{A}\cdot \textbf{z}=\textbf{0}\mod q\) and \(\Vert {\textbf{z}}\Vert \le 2\sqrt{m}\beta _d\). Towards this goal, \(\mathcal B\) first prepares a simulated attack environment for \(\mathcal A\) as follows:

  • Randomly guess the target user’s identity \(\textsf{ID}^*: \textbf{i}^*\in \{0,1\}^\ell \) and forgery time period \(t^*\in [0,T-1]\).

  • Sample random matrices \(\textbf{R}_1^{\textbf{t}^*[1]},\textbf{R}_2^{\textbf{t}^*[2]},\ldots ,\textbf{R}_d^{\textbf{t}^*[d]}\in \mathbb Z^{m\times m}\) from the distribution \(\mathcal D_{m\times m}\). Set \(\textbf{A}_{i^*}=\textbf{A}\;\textbf{R}_d^{\textbf{t}^*[d]}\cdots \textbf{R}_2^{\textbf{t}^*[2]}\;\textbf{R}_1^{\textbf{t}^*[1]}\in \mathbb Z_q^{n\times m}\), which is the public key of target user \(\textsf{ID}^*\).

  • Sample \(\textbf{v}\hookleftarrow D_{\mathbb Z^m,\sigma _d}\). If \(\Vert {\textbf{v}}\Vert _\infty >\beta _d\), then repeat the sampling. Compute \(\textbf{u}^*=\textbf{A}\cdot \textbf{v}\mod q\).

  • Assemble d matrices \(\textbf{F}_j=\textbf{A}_{i^*}\;(\textbf{R}_1^{\textbf{t}^*[1]})^{-1}\ldots (\textbf{R}_j^{\textbf{t}^*[j]})^{-1}\) for \(j\in [0,d-1]\) (\(\textbf{F}_0=\textbf{A}_{i^*}\)). For each \(\textbf{F}_j\), invoke \(\textsf{SampleRwithBasis}(\textbf{F}_j)\) to obtain a matrix \(\textbf{R}_{j+1}^{1-\textbf{t}^*[j+1]}\), along with a short basis \(\textbf{T}_{j+1}\) for \(\mathrm {\varLambda }^{\bot }(\textbf{F}'_{j+1})\) where \(\textbf{F}'_{j+1}=\textbf{F}_j\;(\textbf{R}_{j+1}^{1-\textbf{t}^*[j+1]})^{-1}\). As in the simulation of [2], \(\mathcal B\) can use these bases to generate \(\textsf{ID}^*\)’s secret key for every period \(t'>t^*\).

  • Generate the other elements of \((\textsf{gpk}^*,\textsf{gsk}^*)\) for the group \(G^*\) that \(\textsf{ID}^*\) belongs to.

  • Operate as the \(\textsf{GA}\) in algorithm \(\textsf{AddMember}\) to determine the target user’s credential \(\textsf{cred}_{\textsf{ID}^*\Vert t^* }\) at period \(t^*\).

Note that, by construction, the distribution of \((\textsf{par}^*,\textsf{gpk}^*,\textsf{gsk}^*,\textsf{cred}_{\textsf{ID}^*\Vert t^* })\) is statistically close to that of the real scheme, and the choice of \((\textsf{ID}^*,t^*)\) is hidden from the adversary.

\(\mathcal B\) answers \(\mathcal A\)’s queries to \(\{\textsf{KeyP,Trace,Remove,AddU,KeyG}\}\) exactly as in the real scheme. For the other queries at the current period t, \(\mathcal B\) interacts with \(\mathcal A\) as follows.

  • When \(\mathcal A\) queries random oracles \(\mathcal H_0\) or \(\mathcal G\), \(\mathcal B\) replies with uniformly random strings and records the inputs/outputs of these queries.

  • For queries to oracle \(\textsf{CorU}\), if the requested user has already been corrupted, i.e., \((\textsf{ID},\cdot ,\cdot )\in \textsf{CU}\), \(\mathcal B\) aborts. Otherwise, consider two cases:

    i) The chosen user’s identity is \(\textsf{ID}^*\). If \(t\le t^*\), \(\mathcal B\) aborts. Otherwise, for each node \(\textbf{s}\in \textsf{Evolve}_{t\rightarrow T-1}\), denoting the length of \(\textbf{s}\) by \(d_{\textbf{s}}\), \(\mathcal B\) first computes the smallest index \(j_{\textbf{s}}\) such that \(1\le j_{\textbf{s}} \le d_{\textbf{s}}\) and \(\textbf{s}[j_{\textbf{s}}]\ne \textbf{t}^*[j_{\textbf{s}}]\). After setting the delegation matrix \({\textbf{R}}^{(\textbf{s})}=(\textbf{R}_{j_{\textbf{s}}+1}^{\textbf{s}[j_{\textbf{s}}+1]})^{-1}\cdots (\textbf{R}_{d_{\textbf{s}}}^{\textbf{s}[d_{\textbf{s}}]})^{-1}\), \(\mathcal B\) computes \(\textsf{usk}_{i^*\Vert t}[\textbf{s}]\) via \(\textsf{SamplePre}(\textbf{F}'_{j_{\textbf{s}}}\textbf{R}^{(\textbf{s})},\textsf{BasisDel}(\textbf{F}'_{j_{\textbf{s}}},(\textbf{R}^{(\textbf{s})})^{-1},\textbf{T}_{j_{\textbf{s}}},\overline{\sigma }_{d_{\textbf{s}}}),\textbf{u},\sigma _d)\) if \(d_{\textbf{s}}=d\), or via \(\textsf{BasisDel}(\textbf{F}'_{j_{\textbf{s}}},(\textbf{R}^{(\textbf{s})})^{-1},\textbf{T}_{j_{\textbf{s}}},\overline{\sigma }_{d_{\textbf{s}}})\) if \(d_{\textbf{s}}<d\). Next, \(\mathcal B\) builds \(\textsf{usk}_{i^*\Vert t}\) and derives \(\textsf{cred}_{i^*\Vert t}\) as in our main scheme. Finally \(\mathcal B\) returns the secret pair to \(\mathcal A\) and adds \((\textsf{ID}^*,G^*,t)\) to \(\textsf{CU}\). Note that \(\mathcal A\) cannot obtain the target user’s secret until period \(t^*+1\).

    ii) \(\textsf{ID}\ne \textsf{ID}^*\). Then \(\mathcal B\) can perfectly answer the query, as it stores the initial secret key (a short basis \(\textbf{T}\)) from when \(\textsf{ID}\) was enrolled in group G. In other words, \(\mathcal B\) proceeds as in \(\textsf{Update}_{\mathsf U}\) to derive the user’s secret pair \((\textsf{cred}_{\textsf{ID}\Vert t},\textsf{usk}_{\textsf{ID}\Vert t})\) and returns it to \(\mathcal A\). Finally, it adds \((\textsf{ID},G,t)\) to \(\textsf{CU}\).

  • For queries to oracle \(\textsf{HS}\) with input \(\textsf{ID}\), if \((\textsf{ID},\cdot ,\cdot )\in \textsf{CU}\), \(\mathcal B\) aborts. Otherwise, if \(\textsf{ID}\ne \textsf{ID}^*\) or \(t>t^*\), \(\mathcal B\) acts as in algorithm \(\textsf{Handshake}\) using the corresponding secrets. Else, \(\mathcal B\) has to answer without using the user’s secret key. To do so, \(\mathcal B\) also proceeds as in \(\textsf{Handshake}\), except that in the second flow \(\mathcal B\) generates a simulated proof \(\pi '\) using the simulator of the applied \(\textsf{NIZKAoK}\) [41].

We claim that \(\mathcal A\) cannot distinguish whether it interacts with a real challenger or with \(\mathcal B\). First, the secret pair of \(\textsf{ID}^*\) given to \(\mathcal A\) after period \(t^*\) is indistinguishable from the real one, due to the facts that

  i) the revocation token is uniform over \(\mathbb Z_q^n\) and the other elements of \(\textsf{cred}_{\textsf{ID}^*\Vert t }\) are produced in the same way as in \(\textsf{AddMember}\);

  ii) the outputs of \(\textsf{BasisDel}\) are uniformly random by Lemma 5.

Second, the handshake queries make no difference to the view of \(\mathcal A\), as implied by the zero-knowledge property of the underlying \(\textsf{NIZKAoK}\).

After \(\mathcal A\) halts with her output \(\texttt{PROOF}^*=(\rho ^*,\textbf{w}^*,\textbf{P}^*,\textbf{c}^*_1,\textbf{c}^*_2,\hat{t},\pi ^*)\) at period \(t'\), \(\mathcal B\) checks whether \(t'=t^*\). If not, the guess of the impersonation period \(t^*\) fails and \(\mathcal B\) aborts. Else, \(\mathcal B\) parses \(\pi ^*=(cmt^*_s,\widetilde{ch}^*,rsp^*)\). Since \(\mathcal A\) wins, we argue by the completeness of our scheme that \(\mathcal A\) must have queried the random oracle \(\mathcal G\) of the Fiat-Shamir heuristic on input \(\eta ^*=(cmt^*,\textsf{pp}^*)\); otherwise, guessing this value correctly happens only with negligible probability \(\epsilon '={(\frac{1}{2p+1})}^t\). Therefore, with probability at least \(\epsilon -\epsilon '\), the tuple \(\eta ^*\) has been the input of one hash query, whose index we denote by \(\kappa ^* \le q_{\mathcal G}\), where \(q_{\mathcal G}\) is the total number of queries to \(\mathcal G\) made by \(\mathcal A\).

Next, \(\mathcal B\) picks \(\kappa ^*\) as the target forking point and replays \(\mathcal A\) polynomially many times. For each new run, \(\mathcal B\) starts with the same random tape and input as in the original execution, but from the \(\kappa ^*\)-th query onwards, \(\mathcal B\) replies to \(\mathcal A\) with fresh and independent hash values. Moreover, \(\mathcal B\) always replies as in the original run for queries to \(\mathcal H_0\). Note that the input of the \(\kappa ^*\)-th hash query must be \(\eta ^*\). The Forking Lemma in [14] implies that, with probability larger than 1/2, \(\mathcal B\) can obtain 3 forks involving the same tuple \(\eta ^*\), but with pairwise distinct challenges

$$\widetilde{ch}^*_{1},\;\widetilde{ch}^*_{2},\;\widetilde{ch}^*_{3} \in {[-p,p]}^t.$$

Moreover, by the binding property of the commitment scheme used, \(\mathcal B\) can obtain 3 valid tuples from the outputs of \(\mathcal A\), namely

$$\left\{ ({ch}^*_{1},cmt^*,rsp^*_{1}),\; ({ch}^*_{2},cmt^*,rsp^*_{2}),\; ({ch}^*_{3},cmt^*,rsp^*_{3})\right\} ,$$

by first recovering the unsent \({cmt}^*_r\) and then the original \({ch}^*\). Then, by the proof-of-knowledge property of system \(\varPi _{hs}\), \(\mathcal B\) can extract the witness

$$\xi ^*=(\textsf{ID}',\textsf{urt}^*_{\textsf{ID}'\Vert t^*},\textbf{d}^*,\textbf{r}^*,\textbf{A}_{i^*},\textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*},\textbf{e}^*,\textbf{s}^*, \textbf{e}^*_1,\textbf{e}^*_2),$$

which satisfies that

  • \(\textsf{urt}^*_{\textsf{ID}'\Vert t^*}\) is correctly derived from \(\textbf{A}_{i^*}\) after \(\hat{t}\) updates.

  • Triple \((\textsf{ID}',\textbf{d}^*,\textbf{r}^*)\) has the specific form as that in algorithm \(\textsf{AddMember}\) and satisfies Eq. 4.

  • \(\textbf{W}^*\cdot \textsf{urt}^*_{\textsf{ID}'\Vert t^*}+\textbf{e}^*=\textbf{w}^*\) and \(\Vert {\textbf{e}^*}\Vert _\infty \le B\), where \(\textbf{W}^*=\mathcal H_1(\textsf{gpk}^*,\rho ^*)\).

  • \(\textbf{A}_{\textsf{ID}'\Vert t^*}=\textbf{A}_{i^*}\;(\textbf{R}_1^{\textbf{t}^*[1]})^{-1}\;(\textbf{R}_2^{\textbf{t}^*[2]})^{-1}\ldots (\textbf{R}_d^{\textbf{t}^*[d]})^{-1}\).

  • \(\textbf{A}_{\textsf{ID}'\Vert t^*}\cdot \textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}=\textbf{u}^* \mod q\) and \(\Vert {\textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}}\Vert _\infty \le \beta _d\).

  • \(\textbf{c}^*_1=\textbf{B}^{*\top }\cdot \textbf{s}^*+\textbf{e}^*_1,\;\textbf{c}^*_2=\textbf{P}^{*\top } \cdot \textbf{s}^*+\textbf{e}^*_2+\lfloor {\frac{q}{2}}\rfloor \cdot \textsf{ID}'\), where \(\Vert {\textbf{s}^*}\Vert _\infty \le B\), \(\Vert {\textbf{e}^*_1}\Vert _\infty \le B\), and \(\Vert {\textbf{e}^*_2}\Vert _\infty \le B\).

Now consider the following cases:

a. There is no element in table \(\textsf{reg}\) that contains \(\textsf{ID}'\). This implies that the pair \(\left( \textbf{A}^*,(\textsf{ID}',\textbf{d}^*,\textbf{r}^*)\right) \) forms a forgery for the \(\textsf{SIS}\)-based signature of Sect. 2.2.

b. \(\textsf{ID}'\ne \textsf{ID}^*\), indicating the guess of the impersonator user fails, then \(\mathcal B\) aborts.

c. Conditioned on guessing \(t^*\) and \(\textsf{ID}^*\) correctly, and recalling that \(\textbf{A}_{i^*}=\textbf{A}\;\textbf{R}_d^{\textbf{t}^*[d]}\cdots \textbf{R}_2^{\textbf{t}^*[2]}\;\textbf{R}_1^{\textbf{t}^*[1]}\), we have that \(\textbf{A}_{\textsf{ID}'\Vert t^*}\cdot \textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}=\textbf{A}\cdot \textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}=\textbf{u}^* \mod q\). Besides, since \(\mathcal A\) either queried the secret key of \(\textsf{ID}^*\) after period \(t^*\) or never requested it at all, \(\textbf{v}\) is not known to \(\mathcal A\). Because \(\textbf{v}\) has large min-entropy given \(\textbf{u}^*\), we argue that \(\textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}\ne \textbf{v}\) with overwhelming probability. Now let \(\textbf{z}=\textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}- \textbf{v}\in \mathbb Z_q^m\); it holds that i) \(\textbf{z}\ne \textbf{0}\); ii) \(\textbf{A}\cdot \textbf{z}=\textbf{0}\mod q\); iii) \(\Vert {\textbf{z}}\Vert \le \sqrt{m}\cdot \Vert {\textbf{z}}\Vert _\infty \le \sqrt{m} \cdot (\Vert {\textbf{v}_{\textsf{ID}'\Vert \textbf{t}^*}}\Vert _\infty +\Vert {\textbf{v}}\Vert _\infty )\le 2\sqrt{m}\beta _d\). \(\mathcal B\) finally outputs \(\textbf{z}\), which is a valid solution of the given \(\textsf{SIS}_{n,m,q,2\sqrt{m}\beta _d}\) instance.

We observe that the probability that \(\mathcal B\) does not abort is at least \(\frac{1}{q_{\mathcal G}\cdot N\cdot T}\), and conditioned on not aborting, it solves the \(\textsf{SIS}_{n,m,q,2\sqrt{m}\beta _d}\) problem with probability larger than 1/2.
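The last step of the reduction above (case c) is mechanical once the extractor has produced a second short preimage of \(\textbf{u}^*\): subtract the two preimages and check the three properties of an \(\textsf{SIS}\) solution. The following added example (not code from the paper) does exactly that in pure Python on a constructed toy instance with \(n=2\), \(m=6\), \(q=17\) and \(\beta_d=1\). Where the proof obtains the colliding pair from rewinding and witness extraction, the example substitutes an exhaustive search over \(\{-1,0,1\}^6\), which is only possible because the parameters are tiny (and a collision is guaranteed by pigeonhole since \(3^6>17^2\)); the search is an assumption of the demo, not part of the scheme.

```python
import itertools
import math
import random


def matvec(A, x, q):
    """Compute A*x mod q for a matrix A given as a list of rows."""
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in A]


def sis_solution_from_preimages(A, v, v_prime, q, beta_d):
    """Case (c) of the reduction: given two distinct vectors v, v' with
    A*v = A*v' = u* (mod q) and infinity norm at most beta_d, return
    z = v' - v, a nonzero vector with A*z = 0 (mod q) and Euclidean norm
    at most sqrt(m)*||z||_inf <= 2*sqrt(m)*beta_d."""
    if matvec(A, v, q) != matvec(A, v_prime, q):
        raise ValueError("v and v' do not share a syndrome")
    if max(abs(c) for c in v) > beta_d or max(abs(c) for c in v_prime) > beta_d:
        raise ValueError("preimages are not short enough")
    z = [a - b for a, b in zip(v_prime, v)]
    if not any(z):
        # the proof needs v' != v; identical preimages give no SIS solution
        raise ValueError("identical preimages give the zero vector")
    return z


def check_sis(A, z, q, bound_sq):
    """Verify properties (i)-(iii): z != 0, A*z = 0 (mod q), ||z||^2 <= bound_sq.
    Squared norms are compared as integers to avoid floating-point edge cases."""
    nonzero = any(z)
    in_kernel = all(c == 0 for c in matvec(A, z, q))
    short = sum(c * c for c in z) <= bound_sq
    return nonzero and in_kernel and short


def find_short_collision(A, q, beta_d):
    """Exhaustively search two distinct vectors of infinity norm <= beta_d with
    the same syndrome. In the proof this pair comes from forking/extraction;
    brute force stands in for it here and is only feasible for toy sizes.
    A collision exists by pigeonhole whenever (2*beta_d+1)^m > q^n."""
    m = len(A[0])
    seen = {}
    for v in itertools.product(range(-beta_d, beta_d + 1), repeat=m):
        u = tuple(matvec(A, v, q))
        if u in seen:
            return seen[u], list(v)
        seen[u] = list(v)
    return None


def demo(seed=1, n=2, m=6, q=17, beta_d=1):
    """Constructed toy SIS instance (hypothetical parameters): returns the
    matrix A, the extracted solution z and the squared bound (2*sqrt(m)*beta_d)^2."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    v, v_prime = find_short_collision(A, q, beta_d)
    z = sis_solution_from_preimages(A, v, v_prime, q, beta_d)
    bound_sq = 4 * m * beta_d * beta_d
    return A, z, bound_sq


if __name__ == "__main__":
    A, z, bound_sq = demo()
    print("z =", z)
    print("valid SIS solution:", check_sis(A, z, 17, bound_sq))
```

Running the block prints the extracted \(\textbf{z}\) and `True`; the bound check is the inequality chain \(\Vert \textbf{z}\Vert \le \sqrt{m}\,\Vert \textbf{z}\Vert_\infty \le 2\sqrt{m}\beta_d\) from the proof, evaluated on squared norms.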

Detector Resistance. We define a sequence of hybrid games \(\mathsf G^b_i\) for \(i\in [0,5]\) and \(\mathsf G_6\), such that game \(\mathsf G^b_0\), for \(b\in \{0,1\}\), is the original experiment \(\textbf{Exp}^{\mathsf {DR-b}}_{\mathcal A}\). We then prove that any two consecutive games are indistinguishable. Detector resistance follows from the fact that game \(\mathsf G_6\) is independent of the bit b. For consistency, we use \(\textsf{ID}_b\) to denote the involved user (\(\textsf{ID}_b=\textsf{ID}^*\) or \(\textsf{ID}_r\) for \(b=0\) or 1, respectively).

Game \(\mathsf G_0^{b}\): This is exactly the original game \(\textbf{Exp}^{\mathsf {DR-b}}_{\mathcal A}\), where \(\mathcal B\) replies with random strings to oracle queries of \(\mathcal H_0\) and \(\mathcal G\).

Game \(\mathsf G_1^{b}\): This game is the same as Game \(\mathsf G_0^{b}\) with only one modification: at the challenge query \(\textsf{Chal}_b^{\textsf{DR}}\), we utilize the well-designed simulator in [41], so as to produce a simulated proof \(\widetilde{\pi }^*\), which is computationally indistinguishable from the real one due to zero knowledge of the underlying system.

Game \(\mathsf G_2^{b}\): There is one change in Game \(\mathsf G_2^{b}\): for the token embedding step in the challenge query, compute the \(\textsf{LWE}\) function of revocation token using a random nonce \(\textbf{s}\) instead of the real value \(\textsf{urt}_{\textsf{ID}_b\Vert t^*}\), namely, \(\textbf{w}^*=\textbf{W}\cdot \textbf{s}+\textbf{e}^* \mod q\) where \(\textbf{s}\leftarrow U(\mathbb Z_q^n)\). Recall that the current token \(\textsf{urt}_{\textsf{ID}_b\Vert t^*}=\textbf{Q}_1\cdot \textsf{vdec}_{n,q-1}(\textsf{urt}_{\textsf{ID}_b\Vert t^*-1})+\textbf{Q}_2\cdot \textbf{t}^*\) is statistically close to uniform over \(\mathbb Z_q^n\). Thus, Game \(\mathsf G_2^{b}\) and \(\mathsf G_1^{b}\) are statistically indistinguishable.

Game \(\mathsf G_3^{b}\): This game follows Game \(\mathsf G_2^{b}\) with one difference: sample \(\textbf{w}^*\) uniformly from \(\mathbb Z_q^m\). Note that in the previous game, \(\textbf{W}\) is uniformly random over \(\mathbb Z_q^{m\times n}\), so the pair \((\textbf{W},\textbf{w}^*)\) is a valid \(\textsf{LWE}_{n,q,\chi }\) instance and its distribution is computationally close to the uniform distribution over \(\mathbb Z_q^{m\times n} \times \mathbb Z_q^m\). Thus, the two games are computationally indistinguishable.

Game \(\mathsf G_4^{b}\): This game proceeds as Game \(\mathsf G_3^{b}\), except that it uses a matrix \(\textbf{B}'\leftarrow U(\mathbb Z_q^{n\times m})\) to encrypt users’ identities. From Lemma 2, we know that the original matrix \(\textbf{B}\) is statistically close to uniform over \(\mathbb Z_q^{n\times m}\). Hence, the two games are statistically indistinguishable.

Game \(\mathsf G_5^{b}\): This game encrypts the identity with random samples, namely, it generates ciphertexts \(\textbf{c}'_1=\textbf{z}_1\) and \(\textbf{c}'_2=\textbf{z}_2+\lfloor {\frac{q}{2}}\rfloor \cdot \textsf{ID}_b\) where \(\textbf{z}_1\leftarrow U(\mathbb Z_q^m)\), \(\textbf{z}_2\leftarrow U(\mathbb Z_q^\ell )\). Based on the hardness of decision\(\text{- }\textsf{LWE}\), we have that Game \(\mathsf G_5^{b}\) and \(\mathsf G_4^{b}\) are computationally indistinguishable.

Game \(\mathsf G_6\): This game is the same as Game \(\mathsf G_5^{b}\) except that it replaces the ciphertexts with random vectors, i.e., \(\textbf{c}''_1=\textbf{z}'_1\) and \(\textbf{c}''_2=\textbf{z}'_2\) where \(\textbf{z}'_1\leftarrow U(\mathbb Z_q^m)\), \(\textbf{z}'_2\leftarrow U(\mathbb Z_q^\ell )\). Since users’ identity is an unknown random string in the view of \(\mathcal A\), it is clear that Game \(\mathsf G_6\) and \(\mathsf G_5^{b}\) are statistically indistinguishable.

Combining the whole analysis above, we have that

$$\mathsf G_0^{0}{\mathop {\approx }\limits ^{c}}\mathsf G_1^{0}{\mathop {\approx }\limits ^{s}}\mathsf G_2^{0}{\mathop {\approx }\limits ^{c}}\mathsf G_3^{0}{\mathop {\approx }\limits ^{s}}\mathsf G_4^{0}{\mathop {\approx }\limits ^{c}}\mathsf G_5^{0}{\mathop {\approx }\limits ^{s}}\mathsf G_6,\;\mathsf G_6{\mathop {\approx }\limits ^{s}}\mathsf G_5^{1}{\mathop {\approx }\limits ^{c}}\mathsf G_4^{1}{\mathop {\approx }\limits ^{s}}\mathsf G_3^{1}{\mathop {\approx }\limits ^{c}}\mathsf G_2^{1}{\mathop {\approx }\limits ^{s}}\mathsf G_1^{1}{\mathop {\approx }\limits ^{c}}\mathsf G_0^{1},$$

it then follows that \(|\textrm{Pr}[\textbf{Exp}^{\mathsf {DR-1}}_{\mathcal A}=1]-\textrm{Pr}[\textbf{Exp}^{\mathsf {DR-0}}_{\mathcal A}=1]|=\textsf{negl}(\lambda ).\) This concludes the proof.

Backward Unlinkability. Experiment \(\textbf{Exp}^{\mathsf {B\text{- }Unlink-b}}_{\mathcal A}\) is very similar to \(\textbf{Exp}^{\mathsf {DR-b}}_{\mathcal A}\), in the sense that the challenger also picks one of two users to simulate a handshake with \(\mathcal A\) twice, except that now the arbitrary user is predetermined as \(\textsf{ID}_1\). Therefore we can also build a sequence of hybrid games to prove this property, as in the construction above, with the only difference that we need to additionally argue the anonymity of revoked users (the attribute “backward”). To this effect, it suffices to prove that the publication of revocation tokens at period \(t'\) brings no advantage to \(\mathcal A\) at a period t with \(t<t'\). We tackle this issue in two steps.

First we demonstrate that the update algorithm for revocation tokens is one-way, i.e., it is infeasible to recover a previous token from the current one. The claimed fact is as follows.

Lemma 6

The update function of revocation token defined in algorithm \(\mathsf {{Update}_U}\) is one-way, assuming the hardness of \(\textsf{ISIS}_{n,q,\sqrt{nk}}\) problem.

Proof

Let \(\textbf{u}=\textsf{urt}_{i\Vert t}-\textbf{Q}_2\cdot \textbf{t}\in \mathbb Z_q^n\). If one can recover the previous token \(\textsf{urt}_{i\Vert t-1}:=\textbf{v}\in \mathbb Z_q^n\) from the current one, i.e., a \(\textbf{v}\) satisfying \(\textsf{urt}_{i\Vert t}=\textbf{Q}_1\cdot \textsf{vdec}_{n,q-1}(\textbf{v})+\textbf{Q}_2\cdot \textbf{t}\mod q\), then one obtains a non-zero vector \(\textbf{z}=\textsf{vdec}_{n,q-1}(\textbf{v}) \in \{0,1\}^{nk}\) such that \(\textbf{Q}_1\cdot \textbf{z}=\textbf{u}\mod q\). In other words, \(\textbf{z}\) is a valid solution to the \(\textsf{ISIS}_{n,q,\sqrt{nk}}\) problem associated with matrix \(\textbf{Q}_1\) and vector \(\textbf{u}\).

Next we show that \(\mathcal A\) gains no extra advantage after learning later revocation tokens (e.g., \(\textsf{urt}_{i\Vert t+1}\)). It suffices to prove that \(\mathcal A\) still cannot distinguish the \(\textsf{LWE}\) instance \((\textbf{W}, \textbf{w}^*)\) in Game \(\mathsf G_2^{b}\) from truly random samples.

Suppose that now Game \(\mathsf G_2^{b}\) and \(\mathsf G_3^{b}\) are distinguishable with non-negligible advantage, which directly implies that \(\mathcal A\) solves decision-\(\textsf{LWE}\) with non-negligible probability. It then follows that \(\mathcal A\) can also solve search-\(\textsf{LWE}\) with non-negligible probability given a larger number of samples \(m'=\textsf{poly}(m)\), implying that \(\mathcal A\) can find the secret token \(\textsf{urt}_{i\Vert t}\) at the current period t using \(\textsf{urt}_{i\Vert t+1}\). In this way, \(\mathcal A\) would break the one-wayness of the update function stated in Lemma 6.
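The token update of Lemma 6 and its one-wayness argument can be made concrete with a few lines of code. The following added example (not the paper's code) implements \(\textsf{urt}_{i\Vert t}=\textbf{Q}_1\cdot \textsf{vdec}_{n,q-1}(\textsf{urt}_{i\Vert t-1})+\textbf{Q}_2\cdot \textbf{t}\bmod q\) in pure Python, evolves a token through several periods, and then checks the reduction: any recovered previous token \(\textbf{v}\) yields \(\textbf{z}=\textsf{vdec}(\textbf{v})\in\{0,1\}^{nk}\) with \(\textbf{Q}_1\cdot \textbf{z}=\textbf{u}\bmod q\), i.e. an \(\textsf{ISIS}_{n,q,\sqrt{nk}}\) witness. Assumptions of the demo that the section does not spell out: \(\textsf{vdec}_{n,q-1}\) is taken to be the coordinate-wise binary decomposition with \(k=\lceil \log_2 q\rceil\) bits per coordinate, the period index t is encoded as its d-bit binary vector \(\textbf{t}\), \(\textbf{Q}_1\in\mathbb Z_q^{n\times nk}\) and \(\textbf{Q}_2\in\mathbb Z_q^{n\times d}\) are sampled uniformly, and the parameters \(n=4\), \(q=13\), \(d=3\) are toy values.

```python
import random
from math import ceil, log2


def matvec(M, x, q):
    """Compute M*x mod q for a matrix M given as a list of rows."""
    return [sum(a * xi for a, xi in zip(row, x)) % q for row in M]


def vdec(v, q):
    """Assumed form of vdec_{n,q-1}: each coordinate x in [0, q-1] is written as
    k = ceil(log2 q) bits (least significant first) and the bits are concatenated,
    giving a vector in {0,1}^{nk} whose Euclidean norm is at most sqrt(nk)."""
    k = ceil(log2(q))
    bits = []
    for x in v:
        x %= q
        bits.extend((x >> j) & 1 for j in range(k))
    return bits


def period_bits(t, d):
    """Assumed encoding of the period index t as the binary vector t in {0,1}^d."""
    return [(t >> j) & 1 for j in range(d)]


def update_token(Q1, Q2, urt_prev, t_vec, q):
    """Token update of Lemma 6: urt_t = Q1 * vdec(urt_{t-1}) + Q2 * t (mod q)."""
    a = matvec(Q1, vdec(urt_prev, q), q)
    b = matvec(Q2, t_vec, q)
    return [(x + y) % q for x, y in zip(a, b)]


def isis_target(Q1, Q2, urt_t, t_vec, q):
    """The ISIS syndrome u = urt_t - Q2 * t (mod q) that an inverter of the
    update function would have to hit with a binary vector."""
    return [(x - y) % q for x, y in zip(urt_t, matvec(Q2, t_vec, q))]


def witness_from_inversion(urt_prev, q):
    """Reduction step: a recovered previous token v gives z = vdec(v), which is
    binary and satisfies Q1 * z = u (mod q); it is nonzero whenever v is nonzero."""
    return vdec(urt_prev, q)


def is_isis_solution(Q1, z, u, q):
    """Check z in {0,1}^{nk}, z != 0 and Q1 * z = u (mod q)."""
    nk = len(Q1[0])
    return (len(z) == nk and all(b in (0, 1) for b in z)
            and any(z) and matvec(Q1, z, q) == u)


def demo(seed=7, n=4, q=13, d=3, periods=6):
    """Constructed toy parameters: sample Q1 in Z_q^{n x nk} and Q2 in Z_q^{n x d},
    evolve a random initial token urt_{i||0} through several periods, and verify
    that every earlier token is an ISIS witness for the next one."""
    k = ceil(log2(q))
    rng = random.Random(seed)
    Q1 = [[rng.randrange(q) for _ in range(n * k)] for _ in range(n)]
    Q2 = [[rng.randrange(q) for _ in range(d)] for _ in range(n)]
    chain = [[rng.randrange(q) for _ in range(n)]]  # urt_{i||0}
    for t in range(1, periods):
        chain.append(update_token(Q1, Q2, chain[-1], period_bits(t, d), q))
    ok = all(
        is_isis_solution(Q1, witness_from_inversion(chain[t - 1], q),
                         isis_target(Q1, Q2, chain[t], period_bits(t, d), q), q)
        for t in range(1, periods))
    return chain, ok


if __name__ == "__main__":
    chain, ok = demo()
    for t, urt in enumerate(chain):
        print("urt_{i||%d} = %s" % (t, urt))
    print("every inversion yields an ISIS witness:", ok)
```

The forward direction is cheap (one binary decomposition and two matrix-vector products), which is what makes periodic token updates practical; the backward direction is exactly a binary \(\textsf{ISIS}\) instance against \(\textbf{Q}_1\), so publishing a later token, as the backward-unlinkability argument requires, does not hand a verifier any earlier token.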

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

An, Z., Pan, J., Wen, Y., Zhang, F. (2022). Forward-Secure Revocable Secret Handshakes from Lattices. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_21

  • DOI: https://doi.org/10.1007/978-3-031-17234-2_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17233-5

  • Online ISBN: 978-3-031-17234-2
