Efficient forward secure identity-based shorter signature from lattice

https://doi.org/10.1016/j.compeleceng.2013.12.003

Highlights

  • We propose an efficient forward secure identity-based signature scheme from lattice assumption.

  • The signing secret key size and the signature length of our scheme are much shorter and invariant.

  • We prove that our scheme is unforgeable in the random oracle model.

  • We extend our scheme to a forward secure identity-based signature scheme in the standard model.

Abstract

All regular cryptographic schemes rely on the security of the secret key. However, with the explosive use of some relatively insecure mobile devices, the key exposure problem has become more aggravated. In this paper, we propose an efficient forward secure identity-based signature (FSIBS) scheme from lattice assumption, with its security based on the small integer solution problem (SIS) in the random oracle model. Our scheme can guarantee the unforgeability of the past signatures even if the current signing secret key is revealed. Moreover, the signature size and the secret key size of our scheme are unchanged and much shorter. To the best of our knowledge, our construction is the first FSIBS scheme based on lattice which can resist quantum attack. Furthermore, we extend our FSIBS scheme to a forward secure identity-based signature scheme in the standard model.

Introduction

Identity-based signature (IBS) was first introduced by Shamir [1] in 1984 and is a form of public key cryptography. In an IBS scheme, any publicly known information about a user’s identity can serve as the public key, and the corresponding signing secret key is issued by a trusted Key Generation Center (KGC). Identity-based signature reduces the complexity and the cost of managing a Public Key Infrastructure (PKI). Until now, most identity-based signatures [2], [3], [4], [5], [6], [7] have been built from groups with bilinear pairings or from the quadratic residuosity assumption.

However, Shor [8] showed that the discrete logarithm and prime factorization problems can be solved by a quantum computer in polynomial time. This means that once a quantum computer becomes a reality, all of the existing public key algorithms built on these problems will be broken. In order to resist quantum attacks, post-quantum cryptography has grown rapidly in recent years. In particular, lattice-based cryptographic primitives are attractive because their security rests on the worst-case hardness of lattice problems under a quantum reduction. Moreover, the computational cost of lattice-based cryptography is very low, which makes it suitable for low-power devices. Recently, lattice-based cryptographic schemes have been very fruitful in applications, such as digital signatures [9], [10], [11], (hierarchical) identity-based encryption (H)IBE [12], a fully homomorphic cryptosystem [13] and a new kind of LWE cryptosystem using ideal lattices [14].

To the best of our knowledge, the security of all modern identity-based signature schemes depends entirely on the assumption that the signing secret keys are absolutely secure. However, once a signing secret key is exposed, the security of past and future signatures is compromised. Furthermore, key exposure becomes more likely with the explosive use of mobile and unprotected devices in many cryptographic systems: it is far more convenient for an attacker to intrude into a user’s storage space and read the signing secret key than to recover it by solving a cryptographic hard problem. Consequently, exposure of the signing secret key is a severe threat to identity-based signatures. How to protect identity-based signatures against key exposure is therefore an important and interesting issue that deserves more attention from researchers.

Forward-secure signature is one of the most promising solutions for guaranteeing the security of signatures against key exposure. In a non-interactive forward-secure signature scheme, the whole lifetime is divided into $T$ time periods labeled from 1 to $T$. At the end of time period $i$, the user computes a new signing secret key $SK_{i+1}$ for the next time period by running the update algorithm on input $SK_i$, and then deletes the old signing secret key $SK_i$. Thus a forward-secure signature scheme guarantees that exposure of the signing secret key in time period $i$ does not compromise the security of the system for any prior time period.
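The period structure just described, as an added runnable model that is not the paper's lattice scheme and not code from the authors: each of the $T$ periods gets its own one-time Lamport key pair (hash-based, standard library only), the public key is the list of per-period Lamport public keys, and `update()` erases $SK_i$ before moving to period $i+1$. The class name `ForwardSecureSigner`, the helper `fs_verify`, the `demo()` driver and the sample message are all assumptions constructed for this example. The model also makes visible the cost that the paper's basis-delegation technique avoids: here the public key and the initial secret key grow linearly with $T$, whereas the paper's keys are invariant in size.

```python
import hashlib
import secrets

HASH_BYTES = 32                 # SHA-256 digest length in bytes
N_BITS = HASH_BYTES * 8         # one Lamport key pair signs one 256-bit digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen():
    """One-time Lamport key pair: two random preimages per digest bit in sk,
    their hashes in pk."""
    sk = [(secrets.token_bytes(HASH_BYTES), secrets.token_bytes(HASH_BYTES))
          for _ in range(N_BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    # reveal, for every digest bit, the preimage matching that bit value
    return [sk[i][b] for i, b in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(_h(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _digest_bits(message))))


class ForwardSecureSigner:
    """Lifetime split into periods 1..T, one one-time key per period.
    update() deletes the current period's secret key, so a later compromise
    of the device state cannot produce signatures for any earlier period."""

    def __init__(self, T: int):
        self.T = T
        self.period = 1
        self.used = set()                       # Lamport keys are one-time
        keys = [lamport_keygen() for _ in range(T)]
        self.sks = {i + 1: sk for i, (sk, _) in enumerate(keys)}  # SK_1..SK_T
        self.public_key = [pk for _, pk in keys]  # published once; size grows with T

    def sign(self, message: bytes):
        if self.period in self.used:
            raise RuntimeError("one signature per period in this toy model")
        self.used.add(self.period)
        return (self.period, lamport_sign(self.sks[self.period], message))

    def update(self):
        # the forward-security step: SK_i is erased before entering period i+1
        if self.period >= self.T:
            raise RuntimeError("lifetime exhausted")
        del self.sks[self.period]
        self.period += 1

    def can_sign_for(self, period: int) -> bool:
        return period in self.sks


def fs_verify(public_key, message: bytes, signature) -> bool:
    period, sig = signature
    if not 1 <= period <= len(public_key):
        return False
    return lamport_verify(public_key[period - 1], message, sig)


def demo():
    signer = ForwardSecureSigner(T=3)
    pk = signer.public_key
    msg = b"constructed sample message signed in period 1"
    sig1 = signer.sign(msg)
    signer.update()            # now in period 2; SK_1 has been erased
    exposed = signer           # model an attacker who copies the device state now
    return {
        "old_sig_valid": fs_verify(pk, msg, sig1),       # past signature still verifies
        "old_sig_tampered": fs_verify(pk, msg + b"x", sig1),
        "attacker_has_sk1": exposed.can_sign_for(1),     # cannot forge for period 1
        "attacker_has_sk2": exposed.can_sign_for(2),     # current period is lost
        "current_period": exposed.period,
        "remaining_keys": len(exposed.sks),              # shrinks by one per update
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the property the paragraph states: the period-1 signature verifies after the update, while the exposed state contains no key for period 1. The model says nothing about the identity-based part of the paper (a PKG issuing the initial key from an identity), which a hash-based toy cannot express.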

Forward-secure signature was first proposed by Anderson [15]. Bellare and Miner [16] then presented a practical scheme and formalized the definitions of forward-secure signature and its security. A large number of papers on forward-secure signatures [17], [18], [19], [20], [21], [22], [23], [24] have been published since. Compared with forward-secure signature, research on forward-secure identity-based signature (FSIBS) has been much less active. Liu et al. [25] proposed the first FSIBS scheme, but did not provide a security definition or a formal security proof, so the construction of an FSIBS scheme with provable security remains a worthwhile research problem. Recently, Yu et al. [26] formalized the definition and security notion for FSIBS, but their scheme requires many bilinear pairing operations, which may be too costly for mobile devices with limited computational capacity. Ebri et al. [27] proposed an efficient general construction of FSIBS and refined its definition; in their scheme, users can freely specify the number of time periods over which their signing secret keys evolve. However, none of this work considers lattice-based cryptography, which can resist quantum attacks in the post-quantum era.

In this paper, we combine forward security with identity-based signature to propose the first lattice-based forward-secure identity-based signature scheme. In the random oracle model, we prove that our scheme is unforgeable against chosen-message and adaptively chosen-identity attacks, even against a quantum adversary. Thus key exposure does not affect the security of signatures generated in previous time periods. Our second contribution is an extension of FSIBS to the standard model; the update algorithm of the extended scheme is inspired by the scheme in [28]. Moreover, we employ the technique of [29] for delegating a short lattice basis, which has the advantage of keeping the lattice dimension unchanged, so that the signing secret key size and the signature size of our schemes are both invariant and much shorter.

The rest of this paper is organized as follows. Section 2 introduces the preliminaries of our work, including lattice definitions and hardness assumptions. Section 3 gives the formal definition of an FSIBS scheme and its security notions. Section 4 presents our FSIBS scheme from the lattice assumption, its security analysis and an efficiency comparison. Section 5 extends our scheme to an FSIBS scheme in the standard model. Finally, we conclude our work in Section 6.

Section snippets

Notation

For a positive integer $T$, $[T]$ denotes $\{1,\ldots,T\}$. For an $n\times m$ matrix $A$, let $A=[a_1,\ldots,a_m]$, where $a_i$ denotes the $i$th column vector of $A$. We write $\|a\|$ for the Euclidean norm of $a$, and $\|A\|=\max_{i\in[m]}\|a_i\|$.

We take $n$ as the security parameter. A negligible function, denoted $\mathrm{negl}(n)$, is a function $f(n)$ such that $f(n)=O(n^{-c})$ for some fixed constant $c$. We write $\mathrm{poly}(n)$ for a polynomial function, and $\omega(\log n)$ for a super-logarithmic function, one that grows faster than $\log n$ in $n$.

Lattice

Let $B=\{b_1,\ldots,b_n\}$ be a set consisting of $n$

Formal definition of forward-secure identity-based signature scheme

Yu et al. [26] gave the formal definition of FSIBS. In their scheme, however, the number of time periods $T$ is fixed in advance by the PKG as a public parameter. In this paper, inspired by Ebri et al. [27], we let each user determine the number of time periods $T$ over which their signing secret keys evolve, which avoids this scalability issue. In order to create an initial signing secret key, the PKG requests a pre-specified number of time periods $T$

Forward secure identity-based signature from lattice

In this section, we give our FSIBS scheme based on the lattice assumption. We use the algorithm $\mathrm{NewBasisDel}(A,R,T_A,\sigma)$ as the update algorithm for the signing secret key. In the FSIBS scheme, we assume a hash function $H_1$ that outputs a matrix in $\mathbb{Z}_q^{m\times m}$, namely $H_1:\{0,1\}^*\to\mathbb{Z}_q^{m\times m}$, $\mathrm{id}\mapsto H_1(\mathrm{id})\in D_{m\times m}$, where the output $H_1(\mathrm{id})$ is distributed as $D_{m\times m}$ described in [29]. We also define a secure hash function $H_2:\{0,1\}^*\to\mathbb{Z}_q^n$. In addition, for each time period $i$, we set two series of Gaussian parameters $\bar{\sigma}=(\sigma_0,\ldots,\sigma_T)$

Forward secure identity-based signature from lattice in the standard model

We now extend our forward-secure identity-based signature scheme from lattices in the random oracle model to an FSIBS scheme in the standard model, as follows.

FSIBSSetup: Given the security parameter $n$, let $q\ge 3$ be odd and $m\ge 6n\log q$. The PKG runs $\mathrm{TrapGen}(n,q)$ to generate a matrix $A\in\mathbb{Z}_q^{n\times m}$ and a corresponding short basis $T_A\in\mathbb{Z}_q^{m\times m}$. Select $2(T+1)t_1$ random matrices $R^0_{i,j},R^1_{i,j}\in D_{m\times m}$ (for $0\le i\le T$, $1\le j\le t_1$), $t_2$ random matrices $F_j\in\mathbb{Z}_q^{n\times m}$ and a random nonzero vector $\mu\in\mathbb{Z}_q^n$. Choose two cryptographic hash

Conclusion

With the explosive growth in the use of mobile devices (smart cards, mobile phones, etc.), exposure of the signing secret key is a severe threat to identity-based signatures. The goal of forward security is to protect the security of past uses of the signing secret key even if the current signing secret key is exposed. In this paper, we have used the lattice basis delegation technique to construct the first efficient forward-secure identity-based shorter signature scheme from the lattice assumption.

Acknowledgements

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work is supported by the Science and Technology on Communication Security Laboratory Foundation (Grant No. 9140C110301110C1103) and the National Natural Science Foundation of China (No. 61370203).

Xiaojun Zhang received his B.Sc. degree in mathematics and applied mathematics at Hebei Normal University, P.R. China, in 2009 and his M.Sc. degree in pure mathematics at Guangxi University in 2012. He is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). He is a student member of the Chinese Association for Cryptologic Research (CACR). He is presently engaged in cryptography, network security and cloud computing security.

References (34)

  • Lyubashevsky V, Micciancio D. Asymptotically efficient lattice-based digital signatures. In: TCC; 2008. p....
  • Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: STOC; 2008....
  • Cash D, et al. Bonsai trees or how to delegate a lattice basis.
  • Agrawal S, et al. Efficient lattice (H)IBE in the standard
  • Gentry C. Fully homomorphic encryption using ideal lattices. In: STOC; 2009. p....
  • Lyubashevsky V, et al. On ideal lattices and learning with errors over rings.
  • Anderson R. Two remarks on public key cryptology (invited lecture).



Chunxiang Xu received her B.Sc., M.Sc. and Ph.D. degrees at Xidian University, P.R. China, in 1985, 1988 and 2004 respectively. She is presently engaged in information security, cloud computing security and cryptography as a professor at the University of Electronic Science and Technology of China (UESTC).

Chunhua Jin received her B.Sc. degree in telecommunication at Northwestern Polytechnical University, P.R. China, in 2007 and her M.Sc. degree at Xidian University in 2011. She is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). She is presently engaged in cryptography, network security and cloud computing security.

Run Xie received his M.Sc. degree in mathematics and applied mathematics at Southwest Jiaotong University, P.R. China, in 2006. He is a Ph.D. candidate in information security at the University of Electronic Science and Technology of China (UESTC). He is presently engaged in cryptography, network security and cloud computing security.

Reviews processed and recommended for publication to the Editor-in-Chief by Associate Editor Dr. Jose M. Alcaraz Calero.
