A novel identity-based multi-signature scheme over NTRU lattices☆
Introduction
In 1976, Diffie and Hellman [10] first introduced the concept of the digital signature. Since then, there has been a great deal of research on digital signatures. A digital signature is a key technology for simulating physical/hand-written signatures in a network environment. Generally, a digital signature scheme includes two algorithms: a signing algorithm used to sign messages, and a verification algorithm for verifying the validity of signatures. The message sender uses its own secret key to run the signing algorithm and generate a digital signature on the message. Anyone can run the public verification algorithm to check the validity of the signature (and the message). Validity of the signature ensures the authenticity of the message. As an important authentication technology, digital signatures play an indispensable role in the fields of identity authentication and information security [50].
With various application requirements, there are many variants of digital signatures. In practice, it is often necessary for several units or departments to sign the same document separately for the document to take effect. Multi-signature technology simulates this scenario in the network environment. In 1983, Itakura and Nakamura [25] first proposed the notion of multi-signature, in which a group of signers with public keys agree to jointly construct a multi-signature on a common message m. The resulting multi-signature can be much smaller than a bundled signature made of n single signatures [14], thereby significantly reducing the consumption of storage space and transmission bandwidth. According to whether the message is signed in a fixed order, multi-signatures can be divided into two categories, broadcasting multi-signatures and sequential multi-signatures. In the former, each signer signs the message individually and broadcasts its signature to the others; anyone collecting all the individual signatures can combine them into a single multi-signature. In the latter, all the signers sign the message sequentially: after receiving the signature from the -th signer, the i-th signer integrates its own signature on the message into and sends the updated signature to the next signer. According to [7], in standard multi-signature schemes security is commonly defined through an experiment with a single honest “target” signer, while all other signers are viewed as corrupted. Security requires that it be infeasible to forge a multi-signature on a new message involving the target signer, even after seeing polynomially many signatures on messages of the adversary's choice.
Multi-signature has extensive applications, including blockchain bitcoin transactions [5], [26], [35], electronic contract signing [20], [28], electronic medical records [16], [29], etc. Below we take the blockchain transaction as an example to illustrate the application of multi-signature.
Application in blockchain: Since the proposal of multi-signature, many multi-signature schemes and applications have emerged. Recently, the application of multi-signature has ushered in a new development trend with the rise of blockchain technology, because multi-signature can be applied to blockchains and efficiently reduces the consumption of storage space and transmission bandwidth on the blocks. Concretely, as the bitcoin network has developed rapidly in recent years, more complicated transactions are supported in the bitcoin blockchain, such as M-out-of-N transactions, which require only M valid signatures rather than all N to take effect and store these signatures on the blockchain [35]. Briefly speaking, if M of the N transactors agree to this transaction (providing M valid signatures), the transaction will be validated. In this case, it is significant to compress multiple signatures into a joint one for the sake of storage in blockchains. Take a 2-out-of-3 transaction for instance, as shown in Fig. 1: a transaction can be executed only if 2 of the 3 signers provide valid signatures.
Multi-signature has a number of applications in Bitcoin transactions and wallets. For example, we can use multi-signature to (1) set up a joint account and divide up the responsibility for the possession of bitcoins among multiple owners, (2) increase the security of a bitcoin wallet and make it more difficult for the wallet to be compromised, and (3) make an M-out-of-N backup so that the loss of a single key does not lead to the loss of the wallet.
Traditional public key cryptosystems work in the public key infrastructure (PKI). In order to bind the public key of a user to its identity, a trusted third party called the certificate authority (CA) issues digital certificates to users. However, the management of certificates (issuance, storage, verification, revocation, etc.) is complex, and as the number of users increases, the cost of certificate management grows. To solve this problem, Shamir introduced the notion of identity-based cryptography (IBC) in 1984 [43], in which each user selects its identity information (such as an email address, physical IP address, etc.) as the public key and obtains the corresponding secret key from a trusted party called the private key generator (PKG). Anyone can encrypt a message using the receiver's identity even before the receiver obtains its secret key from the PKG. IBC alleviates the certificate management problem effectively. Since then, IBC has attracted a lot of researchers' attention and many identity-based encryption and signature schemes have been proposed. We study identity-based multi-signature in this paper.
Post-quantum security: Along with the development of quantum computing technology, traditional cryptographic schemes may no longer be secure, as their underlying security assumptions (e.g. the RSA or discrete logarithm problems) may not hold anymore. In 1994, Shor proposed efficient quantum algorithms for the discrete logarithm problem and the integer factorization problem, which run in time polynomial in the problem size [44]. Subsequently, Grover presented a quantum search algorithm that is polynomially faster than classical algorithms [15]. As a result, with the help of Shor's algorithms and Grover's algorithm, both traditional hard problems could be solved in polynomial time on a quantum computer. Therefore, traditional digital signature schemes whose security rests on the intractability of classical hard problems face serious security threats. Since then, some new alternatives have been proposed to address this situation, among which lattice-based cryptography is the most anticipated. Compared with traditional intractability assumptions, lattice problems are considered to resist attacks by quantum computers: up to now there is no polynomial-time algorithm that solves lattice problems, even on a quantum computer. Therefore, in this paper we focus on constructing identity-based multi-signature schemes based on hard lattice problems to withstand quantum attacks, which is especially significant for financial applications.
In 1983, Itakura and Nakamura [25] first presented the definition of multi-signature. Subsequently, many multi-signature schemes were proposed, including [30], [32], but there were flaws in the security proofs or security models of these schemes. Actually, only the schemes proposed by Micali et al. [38] and Okamoto et al. [40] meet the security requirements. Furthermore, the security of the former scheme is stronger than that of the latter, since it takes rogue-key attacks [7] into account. However, the set of signers needs to be known in advance before applying the scheme [38]. In 2006, Bellare and Neven provided a three-round provably secure multi-signature scheme in the plain public key model [7]. This model only requires that each signer in the signing group has a public key. Note that the signing process of [7] is an interactive protocol, in which every member of the signing group has to collaborate before a multi-signature is output. Afterwards, Bagherzandi et al. [3] and Ma et al. [36] improved the scheme of [7] and presented two-round multi-signature schemes in 2008 and 2010, respectively. Subsequently, Syta et al. [46] presented a highly scalable multi-signature scheme in 2016. The first multi-signature scheme supporting key aggregation was proposed by Maxwell et al. [37] in 2018, and is proved secure in the plain public key model. Simultaneously, new pairing-based multi-signature schemes were presented by Boneh et al. [8], which support not only key aggregation but also batch verification. To solve the certificate management problem of PKI-based schemes, many identity-based multi-signature schemes have been proposed, such as [2], [4], [6], [24], [49].
However, the schemes mentioned above may no longer be secure with the advent of quantum computers, as their underlying security assumptions (e.g. the RSA or discrete logarithm problems) may no longer hold. Hence, lattice-based multi-signature schemes were introduced. In 2013, a broadcast multi-signature scheme and a sequential multi-signature scheme were proposed by Kong et al. [27]. The multi-signature size of the former grows linearly with the number of signers, while that of the latter is constant and independent of the number of signers. In 2016, Peng et al. [41] proposed a lattice-based multi-signature scheme which combines the individual signatures with an NIWI proof [39] to form the multi-signature; however, the length of the multi-signature again grows linearly with the number of signers. Subsequently, a lattice-based linear homomorphic multi-signature scheme was proposed by Choi and Kim [9] in 2016, which relies on a dealer; however, the scheme requires a cumbersome reset process when new members join. In the same year, Bansarkhani and Sturm [5] proposed a provably secure lattice-based broadcast multi-signature scheme whose signature length is close to that of a single signature. Unfortunately, the cost of their signing and verification algorithms grows linearly with the number of signers. In 2019, Ma and Jiang [35] and Fukumitsu and Hasegawa [12] each presented multi-signature schemes over lattices based on the scheme in [5]. Recently, Kansal et al. [26] constructed a lattice-based multi-signature scheme supporting public key aggregation in the plain public key model, also based on [5]. Notice that the schemes [5], [12], [26], [35] actually work in the common reference string model: all system users have to share a trusted common string, generated either by a trusted party or by all users interactively via a secure coin-tossing protocol. It is assumed that no user holds the trapdoor corresponding to the common string, which is not easy to ensure in practice. In recent years, works such as [17], [18], [42], [47] have introduced optimizations on lattices and new research directions.
To the best of our knowledge, all existing lattice-based multi-signature schemes work in the PKI setting and suffer from the complex certificate management problem. Up to now, there is no identity-based multi-signature (IBMS) scheme with security against quantum attacks.
In this paper we solve the aforementioned problem by constructing an IBMS scheme based on a hard lattice problem. Concretely, we make the following contributions.
1. We propose an IBMS scheme over NTRU lattices which, to the best of our knowledge, is the first lattice-based IBMS scheme in the literature. In our scheme each signer can simply use its identity information as its public key, thus avoiding the cumbersome certificate management problem. The multi-signature generation process is a six-move interactive protocol among all the signers, while signature verification is non-interactive and can be done by each individual verifier.
2. We prove our IBMS scheme secure in the random oracle model based on the ring version of the short integer solution assumption (Ring-SIS), which is a well-studied problem and is commonly used in constructing lattice-based cryptographic schemes.
3. Compared with the RIBS scheme [23], which is an identity-based signature (not multi-signature) scheme over lattices, our IBMS scheme supports the multi-signature functionality. The signature size in our scheme is much smaller than that of a bundled signature consisting of N single signatures (of the RIBS scheme), as we perform an accumulation operation on the N signatures instead of simply concatenating them. Compared with the existing multi-signature schemes [5], [12], [26], [35], which work in the PKI setting, our scheme provides the identity-based functionality and uses the discrete Gaussian distribution instead of the uniform distribution to generate secret signing keys and multi-signatures.
4. Besides, our scheme does not require all system users to share a trusted common string, which further simplifies the deployment of our scheme in practice.
The rest of this paper is organized as follows. Some preliminaries are introduced in Section 2. Section 3 presents the syntax and security model of IBMS scheme. In Section 4, our IBMS scheme over NTRU lattices is proposed, which is proved to be secure in Section 5. Performance analysis and comparisons are provided in Section 6, illustrating the advantages of our IBMS scheme. Finally, conclusions are given in Section 7.
Notations
Throughout the paper, we let n be a positive power-of-two integer and q be a prime congruent to 1 modulo 2n. stands for the set of real numbers, while represents the set of integers. defines the set of integers in the range . denotes the infinity norm of a vector v, whose Euclidean norm is written (the subscript omitted). For a set of n linearly independent vectors, we take to denote its Gram-Schmidt
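As an added illustration of this notation (example code written for this page, not code from the paper): the condition q ≡ 1 (mod 2n) is exactly what makes x^n + 1 split into n linear factors over Z_q, so multiplication and inversion in R_q = Z_q[x]/(x^n + 1) reduce to pointwise operations on the evaluations at those roots. The toy class below implements that, the centered infinity norm, and a membership test for the NTRU lattice {(u, v) : u·h = v mod q} that underlies a public key h = g/f; the class name, the toy values n = 8, q = 17 and the small polynomials are constructed assumptions with no security margin.

```python
class NegacyclicRing:
    """Toy R_q = Z_q[x]/(x^n + 1): n a power of two, q prime with q = 1 (mod 2n).
    Added example for this page's notation, not the paper's code (needs Python 3.8+ for pow(x, -1, q))."""

    def __init__(self, n, q):
        assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
        assert q % (2 * n) == 1, "q = 1 mod 2n makes x^n + 1 split into linear factors over Z_q"
        self.n, self.q = n, q
        self.psi = self._primitive_2n_root()  # psi^n = -1, so psi^(2i+1) are the n roots of x^n + 1
        self.n_inv = pow(n, -1, q)

    def _primitive_2n_root(self):
        n, q = self.n, self.q
        for g in range(2, q):
            psi = pow(g, (q - 1) // (2 * n), q)
            if pow(psi, n, q) == q - 1:
                return psi
        raise ValueError("no primitive 2n-th root of unity")  # unreachable for prime q = 1 mod 2n

    def _pad(self, f):
        """Reduce mod q and pad to n coefficients."""
        return [c % self.q for c in f] + [0] * (self.n - len(f))

    def ntt(self, f):
        """Evaluate f at psi^(2i+1), i = 0..n-1 (naive O(n^2); fine for a toy n)."""
        n, q, psi = self.n, self.q, self.psi
        return [sum(c * pow(psi, (2 * i + 1) * j, q) for j, c in enumerate(f)) % q for i in range(n)]

    def intt(self, vals):
        """Interpolate back: f_j = n^-1 * sum_i vals_i * psi^(-(2i+1) j)."""
        n, q, psi_inv = self.n, self.q, pow(self.psi, -1, self.q)
        return [self.n_inv * sum(v * pow(psi_inv, (2 * i + 1) * j, q) for i, v in enumerate(vals)) % q
                for j in range(n)]

    def mul(self, f, g):
        """Product in R_q (x^n wraps to -1) as pointwise products of evaluations."""
        return self.intt([a * b % self.q for a, b in zip(self.ntt(f), self.ntt(g))])

    def inverse(self, f):
        """f^-1 in R_q, or None when f vanishes at some root psi^(2i+1) (f is not a unit)."""
        evals = self.ntt(f)
        return None if 0 in evals else self.intt([pow(v, -1, self.q) for v in evals])

    def centered(self, f):
        """Coefficients as representatives in [-(q-1)/2, (q-1)/2], the form the norms are taken on."""
        return [(c + self.q // 2) % self.q - self.q // 2 for c in self._pad(f)]

    def inf_norm(self, f):
        """Infinity norm of the centered coefficient vector."""
        return max(abs(c) for c in self.centered(f))

    def ntru_public_key(self, f, g):
        """h = g * f^-1 in R_q; the short pair (f, g) is then a trapdoor vector of the NTRU lattice of h."""
        f_inv = self.inverse(f)
        return None if f_inv is None else self.mul(g, f_inv)

    def in_ntru_lattice(self, h, u, v):
        """Membership in L_h = {(u, v) in R^2 : u * h = v mod q}, the lattice behind the master key."""
        return self.mul(u, h) == self._pad(v)
```

Knowing h alone, finding a short member of L_h is the NTRU problem; the PKG that generated the short (f, g) can produce such members at will, which is what makes (f, g) a trapdoor.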
Definition of IBMS
Suppose there are N signers in the signing group with identity set . An IBMS scheme consists of four algorithms (MSetup, MExtract, MSign, MVerify), defined as follows:
- MSetup(): The setup algorithm takes a security parameter as input and outputs the system secret key (the secret key of the private key generator, PKG) and the public parameters params.
- MExtract(, , params): Run by the PKG, the extraction algorithm generates signing keys for signers according to
Our IBMS scheme over NTRU lattices
Below, we describe the algorithms of our IBMS scheme over NTRU lattices.
- MSetup. Given the system parameter , the PKG chooses two real numbers and a prime q, and runs the algorithm to generate a tuple satisfying , and , as well as a short basis . In addition, the system secret key and public parameters params are generated by the PKG as follows:
  (a) Select three hash functions , , and
Security analysis
Theorem 1 Suppose there exists a polynomial-time forger , who can make at most queries to random oracles (involving , , ), initiate at most signing algorithms with the honest signer including at most signers and succeed in providing a forgery of our IBMS scheme with probability δ. Then, there exists an algorithm (whose time complexity is the same as ) that for a given finds non-zero vectors satisfying and with probability at
Comparison
As shown in Table 1, we analyze performance by comparing the RIBS scheme [23], BS scheme [5], MSig scheme [12], MS scheme [26], PLMS scheme [35] and our IBMS scheme in terms of the sizes of the signing key and the multi-signature, the computational costs of the signing and verification algorithms, identity-based functionality and security properties.
Compared with the RIBS scheme [23] which is an identity-based signature (not multi-signature) scheme over lattice, our IBMS
Conclusion
In this paper we proposed an identity-based multi-signature (IBMS) scheme over NTRU lattices which is provably secure in the random oracle model based on the Ring-SIS assumption. To the best of our knowledge, it is the first IBMS scheme over NTRU lattices in the literature. Compared with the RIBS scheme [23], which is an identity-based signature (not multi-signature) scheme over lattices, our IBMS scheme supports the multi-signature functionality. The signature size in our scheme is much smaller compared
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References
- et al., Contract signature in e-commerce. Comput. Electr. Eng. (Mar 2011)
- et al., An efficient public key secure scheme for cloud and IoT security. Comput. Commun. (Jan 2020)
- et al., Scalable revocable identity-based signature over lattices in the standard model. Inf. Sci. (May 2020)
- Generating hard instances of lattice problems (extended abstract)
- et al., Efficient ID-based key-insulated multi signature scheme without pairings
- et al., Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma
- et al., Identity-based aggregate and multi-signature schemes based on RSA
- et al., An efficient lattice-based multisignature scheme with applications to bitcoins
- et al., Identity-based multi-signatures from RSA
- et al., Multi-signatures in the plain public-key model and a general forking lemma
- Compact multi-signatures for smaller blockchains
- Lattice-based multi-signature with linear homomorphism
- New directions in cryptography. IEEE Trans. Inf. Theory
- Efficient identity-based encryption over NTRU lattices
- A tightly-secure lattice-based multisignature
- Trapdoors for hard lattices and new cryptographic constructions
- A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput.
- Quantum mechanics helps in searching for a needle in a haystack. Phys. Rev. Lett.
- Attribute-based multi-signature and encryption for EHR management: a blockchain-based solution
- Adaptive influence maximization: if influential node unwilling to be the seed. ACM Trans. Knowl. Discov. Data
- Continuous profit maximization: a study of unconstrained dr-submodular maximization. IEEE Trans. Comput. Soc. Syst.
- Practical lattice-based cryptography: a signature scheme for embedded systems
- NTRUSign: digital signatures using the NTRU lattice
- NTRU: a ring-based public key cryptosystem
- Revocable ID-based signature with short size over lattices. Secur. Commun. Netw.
☆ This work is supported by the Major Program of Guangdong Basic and Applied Research (2019B030302008), the National Natural Science Foundation of China (62272174, 61872152), and the Science and Technology Program of Guangzhou (201902010081).