Scalable Hierarchical Identity-based Signature Scheme from Lattices

  • Noh, Geontae (CIST (Center for Information Security Technologies), Korea University) ;
  • Jeong, Ik Rae (CIST (Center for Information Security Technologies), Korea University)
  • Received : 2013.08.17
  • Accepted : 2013.11.20
  • Published : 2013.12.12

Abstract

In this paper, we propose a novel adaptively secure hierarchical identity-based signature scheme from lattices. The size of signatures in our scheme is the shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme.

1. Introduction

In 1984, Shamir introduced the concept of identity-based cryptography and proposed an identity-based signature scheme [1]. In an identity-based signature scheme, a trusted third party called the KGC (key generation center) issues only the signer's secret key, because the signer's public key is simply the signer's identity, such as an email address or a phone number associated with the signer. That is, the public key distribution problem (or the certificate management problem) is eliminated. Therefore, when a verifier wants to verify a signature, the verifier does not need to ask the KGC for the signer's public key, because the verifier can easily derive it from the signer's identity. Many identity-based signature schemes have been studied [2][3][4].

The concept of hierarchical identity-based signatures is the hierarchical extension of identity-based signatures. As in an identity-based signature scheme, the KGC issues a signer's secret key. In addition, a signer can use its own secret key to delegate secret keys to its child identities in the identity hierarchy.

In 2002, Gentry and Silverberg proposed the first hierarchical identity-based signature scheme from bilinear pairings, but its security was not formally proved [5]. Later, Chow et al. proposed the first provably secure hierarchical identity-based signature scheme from bilinear pairings [6]. However, these schemes are not resistant to quantum cryptanalysis [7].

So far, lattice-based cryptography is believed to be resistant to quantum cryptanalysis. Lattice-based cryptography is also asymptotically efficient, because it requires only linear operations.

In 2010, Rückert proposed two binary tree signature schemes from lattices, but in both of them the size of the signatures grows with the level of the hierarchy [8]. In 2012 and 2013, Tian et al. and Liu et al. proposed hierarchical identity-based signature schemes from lattices, but their schemes are insecure against adaptive identity attacks [9][10]. In 2013, Tian et al. proposed another hierarchical identity-based signature scheme from lattices [11]. In Tian et al.'s hierarchical identity-based signature scheme, however, the size of signatures depends on both the security parameter and the dimension of the lattices. We compare our scheme with the existing hierarchical identity-based signature schemes from lattices in Table 1. The size of signatures in our scheme is the shortest among the existing hierarchical identity-based signature schemes from lattices.

Table 1. Comparison of security and efficiency

ROM means the scheme is provably secure in the random oracle model and STM means the scheme is provably secure in the standard model. DoS is the dimension of the signatures, n is the security parameter, m is the dimension of the lattices, l is the depth of the identities, and h is the bit length of the hash values for messages. SI means the scheme is secure against selective identity attacks and AI means the scheme is secure against adaptive identity attacks. BTS means the scheme is a binary tree signature scheme and HIBS means the scheme is a hierarchical identity-based signature scheme.

1.1 Our Contribution

In this paper, we propose a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure, and the size of signatures in our scheme is the shortest among the existing hierarchical identity-based signature schemes from lattices. Our scheme is motivated by Gentry et al.'s signature scheme and Agrawal et al.'s hierarchical identity-based encryption scheme [12][13]. The security of our scheme is based on the SIS problem on lattices in the random oracle model.

1.2 Organization

The remainder of this paper is organized as follows. Preliminaries, such as the properties of lattices and the definitions for hierarchical identity-based signatures, are presented in Section 2. Our hierarchical identity-based signature scheme is given in Section 3. We analyze our hierarchical identity-based signature scheme in Section 4. Finally, Section 5 concludes the paper.

2. Preliminaries

2.1 Notations

We let Z and R denote the integers and the real numbers, respectively. For any positive integer q≥2, we let Zq denote the ring of integers modulo q. For any positive integer k, we let [k]={1,⋯,k}. We use upper-case letters (e.g., A) to denote matrices and lower-case letters (e.g., v) to denote vectors. We let 0 denote a zero vector.

We let ║v║ denote the Euclidean norm of v. We let denote the Gram-Schmidt orthogonalization of S. The statistical distance between two distributions X and Y over a countable domain D is . If v is chosen uniformly at random from D, we write v←D.

We use standard big-O notation. We say that a function f:R+→R+ is negligible if, for all sufficiently large n, f(n) is smaller than every inverse polynomial in n. Pr[an event] denotes the probability that the event occurs.

2.2 Lattices

First, we define m-dimensional full-rank integer lattices. The m-dimensional full-rank integer lattice Λ generated by m linearly independent basis vectors B={b1,⋯,bm}⊂Zm is defined as follows:

We define the dual lattice Λ* of Λ as follows:

In this paper, we use an m-dimensional q-ary integer lattice, which is a particular kind of m-dimensional full-rank integer lattice. Let n≥1 and q≥2 be positive integers. The m-dimensional q-ary integer lattice Λ⊥(A) for a uniformly random matrix is defined as follows:

We define the coset of Λ⊥(A) for a syndrome as follows:

2.2.1 Hard Problems

We define the SIS (short integer solution) problem which is used to analyze the security of our construction.

Definition 2.1. An instance of the SISq,β problem is a uniformly random matrix . Then, the SISq,β problem is to find a non-zero vector z∈Zm such that and ║z║≤β.

In case of the classic average-case SISq,β problem is reduced to the worst-case SIVP (shortest independent vectors problem) [12][14][15].

2.2.2 Gaussian Distributions

We recall Gaussian distributions [12][15].

Definition 2.2. For any positive integer s∈R , a Gaussian function ρs with center 0 is defined as follows:

Definition 2.3. Let Λ⊂Zm be an m -dimensional full-rank integer lattice. For any positive integer s∈R, the discrete integral of ρs over Λ is defined as follows:

Definition 2.4. Let Λ⊂Zm be an m -dimensional full-rank integer lattice. For any positive integer s∈R and all x∈Λ , discrete Gaussian distribution over Λ with center 0 is defined as follows:

Definition 2.5. Let Λ⊂Zm be an m -dimensional full-rank integer lattice and Λ* a dual lattice of Λ. For any positive real number ε∈R , a Gaussian parameter ηε(Λ) is the smallest s such that ρ1/s(Λ*\{0})≤ε .

Fact 2.1 [12][15][16]. Let S ∈ Zm×m be a basis for Λ⊥(A) and a uniformly random matrix. For any and any syndrome , the probability that is negligible in n, where

Fact 2.2 [12][15][16]. Let S ∈ Zm×m be a basis for Λ⊥(A) and a uniformly random matrix. For any , the probability that x is a zero vector is negligible in n, where x←DΛ⊥(A),s.

Fact 2.3 [13][17]. Let be a uniformly random matrix, q a prime, and a Zq -invertible matrix. For any , two matrices and are also uniformly random.

2.2.3 Basic Algorithms

We review the basic algorithms that are used in our construction and in the analysis of its security.

Lemma 2.1 [18]. For positive integers n≥1, q≥2, and m=O(nlogq), a probabilistic polynomial time algorithm BasisGen(1n,1m,q) outputs a pair consisting of a uniformly random matrix and a short basis for Λ⊥(A) such that

Lemma 2.2 [13]. Let be a uniformly random matrix, S ∈ Zm×m a basis for Λ⊥(A) , and a Zq -invertible matrix. For any , a probabilistic polynomial time algorithm BasisDel(A,R,S,s) outputs a basis S ∈ Zm×m for Λ⊥(B) such that , where .

Lemma 2.3 [12]. Let m be a positive integer. For any Gaussian parameter s , a probabilistic polynomial time algorithm SampleDom(1m,s) outputs a vector .

Lemma 2.4 [12]. Let be a uniformly random matrix, S ∈ Zm×m a basis for Λ⊥(A), and a syndrome. For any , a probabilistic polynomial time algorithm SampleD(A,S,u,s) outputs a vector .

Lemma 2.5 [13]. Let m be a positive integer. For any , a probabilistic polynomial time algorithm SampleR(1m,s) outputs a Zq -invertible matrix .

Lemma 2.6 [13]. Let be a uniformly random matrix. For any , a probabilistic polynomial time algorithm SampleRwithBasis(A,s) outputs a Zq -invertible matrix and a short basis SB ∈ Zm×m for Λ⊥(A) such that , where .

2.3 Definitions for Hierarchical Identity-based Signatures

We define hierarchical identity-based signatures. A hierarchical identity-based signature scheme HIBS= {HIBS.Setup,HIBS.Extract,HIBS.Sign,HIBS.Vrfy} is defined as follows:

Correctness. A hierarchical identity-based signature scheme HIBS is correct if, for any valid signature σ on any message m corresponding to any identity id , the HIBS.Vrfy(params,id,m,σ) algorithm outputs 1 with an overwhelming probability.

Unforgeability. A hierarchical identity-based signature scheme HIBS is strongly unforgeable under chosen message and adaptive identity attacks if, in the following game for a forger F , the advantage of F is negligible.

If the HIBS.Vrfy(params,id*,m*,σ*) algorithm outputs 1, F wins the game.

The advantage of F is defined as follows:

3. Our Construction

We propose an adaptively secure hierarchical identity-based signature scheme SHIBS in which the dimension of the signatures does not increase with the level of the hierarchy. Our construction SHIBS uses the following parameters:

In our construction SHIBS, the message space is {0,1}k. Our construction SHIBS= {SHIBS.Setup,SHIBS.Extract,SHIBS.Sign,SHIBS.Vrfy} consists of the following algorithms:

4. Analysis

4.1 Correctness

We show that our construction SHIBS is correct.

Theorem 4.1. Our hierarchical identity-based signature scheme SHIBS is correct.

Proof of Theorem 4.1. Suppose |id|=i. The SHIBS.Extract(params,skid,id) algorithm can generate a short basis skid for Λ⊥(Fid). Then, the SHIBS.Sign(params,id,skid,m) algorithm can sample such that and with an overwhelming probability using the SampleD algorithm. Therefore, our hierarchical identity-based signature scheme SHIBS is correct.

4.2 Unforgeability

We show that our construction SHIBS is strongly unforgeable under chosen message and adaptive identity attacks.

Theorem 4.2. In the random oracle model [20], our hierarchical identity-based signature scheme SHIBS is strongly unforgeable under chosen message and adaptive identity attacks if the SISq,β problem for is hard.

Proof of Theorem 4.2. Suppose the hash functions H1 and H2 are random oracles controlled by an algorithm A. Then, our construction SHIBS is strongly unforgeable under chosen message and adaptive identity attacks assuming the SISq,β problem for is hard. That is, if there exists a forger F mounting strong forgery attacks on SHIBS, then we can construct A solving the SISq,β problem. A simulates the strong unforgeability game for F as follows:

If j = c, A sets skid = SB. Otherwise, A runs the SHIBS.Extract(params,SB,id) algorithm to obtain a secret key skid for id.

We can assume that (mi =m*,vi,hi = H2(m*)) is in the H2 list. Then, z is a solution to the SISq,β problem, because

where

and

To reduce the SIS problem to the SIVP , we set q as follows:

The advantage of F is computed as follows:
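As an added worked example (not from the paper), the following Python toy instance makes concrete the definitions of Λ⊥(A) and its cosets from Section 2.2, the check performed by SHIBS.Vrfy as used in the proof of Theorem 4.1 (Fid·σ = H2(m) mod q and ║σ║ small), and the final step of the proof above, where two distinct valid signatures on the same (id, m) yield a short non-zero vector z in Λ⊥(Fid), i.e. an SIS solution. The matrix F_ID, the parameters q = 31, n = 2, m = 6, the bound β = 10 and the GPV-style oracle programming in `demo` are assumptions constructed here and are far too small to be secure.

```python
import itertools
import math

# Toy parameters, constructed for illustration only; real instances use n in the hundreds.
Q, N, M = 31, 2, 6     # modulus q; F_id is n x m over Z_q; signatures live in Z^m
BETA = 10.0            # norm bound accepted by Vrfy (plays the role of s*sqrt(m))
F_ID = [[3, 17, 8, 25, 12, 30],    # constructed stand-in for the identity matrix F_id
        [21, 5, 14, 9, 28, 2]]

def mat_vec_mod(A, z, q=Q):
    """A*z mod q for an n x m integer matrix A and z in Z^m."""
    return [sum(a * b for a, b in zip(row, z)) % q for row in A]

def in_lattice(A, z, q=Q):
    """z in Lambda^perp(A)  <=>  A*z = 0 (mod q)  (Section 2.2)."""
    return all(c == 0 for c in mat_vec_mod(A, z, q))

def in_coset(A, z, u, q=Q):
    """z in Lambda^perp_u(A)  <=>  A*z = u (mod q)."""
    return mat_vec_mod(A, z, q) == [c % q for c in u]

def norm(z):
    return math.sqrt(sum(c * c for c in z))

def verify(F, h, sigma, beta=BETA, q=Q):
    """What Vrfy checks: F_id*sigma = H2(m) (mod q) and ||sigma|| <= beta."""
    return in_coset(F, sigma, h, q) and norm(sigma) <= beta

def short_lattice_vector(A, bound=3, q=Q):
    """Brute-force a non-zero vector of Lambda^perp(A) with entries in [-bound, bound].
    At this toy size one always exists (det(Lambda^perp(A)) <= q^n, so Minkowski's
    theorem gives a point in (-3.2, 3.2)^6); at real sizes finding one is the SIS problem."""
    for w in itertools.product(range(-bound, bound + 1), repeat=len(A[0])):
        if any(w) and in_lattice(A, w, q):
            return list(w)
    return None

def extract_sis_solution(F, h, sigma, sigma_star, beta=BETA, q=Q):
    """Last step of the proof of Theorem 4.2: two distinct valid signatures on the same
    (id, m) give z = sigma - sigma* with F_id*z = H2(m) - H2(m) = 0 (mod q) and
    ||z|| <= 2*beta, i.e. an SIS solution for F_id. Returns None if the inputs do not qualify."""
    if sigma == sigma_star or not (verify(F, h, sigma, beta, q) and verify(F, h, sigma_star, beta, q)):
        return None
    z = [a - b for a, b in zip(sigma, sigma_star)]
    return z if in_lattice(F, z, q) and norm(z) <= 2 * beta else None

def demo():
    # Assumed simulator behaviour for a signing query: pick the short sigma first (SampleDom)
    # and program the random oracle so that H2(m) := F_id*sigma mod q.
    sigma = [1, -1, 0, 1, 1, -1]
    h = mat_vec_mod(F_ID, sigma)
    # A second valid signature on the same hash, offset by a short lattice vector.
    sigma_star = [a + b for a, b in zip(sigma, short_lattice_vector(F_ID))]
    return h, sigma_star, extract_sis_solution(F_ID, h, sigma, sigma_star)
```

Running `demo()` returns the programmed hash, the second signature, and the extracted short vector z; at real parameter sizes the brute-force step is exactly what the SISq,β assumption rules out.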

5. Conclusion

In this paper, we have proposed a hierarchical identity-based signature scheme from lattices. Our scheme is adaptively secure, and the size of signatures in our scheme is the shortest among the existing hierarchical identity-based signature schemes from lattices. We proved the security of our scheme based on the SIS problem on lattices in the random oracle model. The question of constructing an adaptively secure hierarchical identity-based signature scheme from lattices in the standard model, without increasing the dimension of the signatures, remains open.

References

  1. Adi Shamir, "Identity-based cryptosystems and signature schemes," in Proc. of Advances in Cryptology - Crypto 1984, LNCS 0196, pp. 47-53, August 19-22, 1985.
  2. Florian Hess, "Efficient identity based signature schemes based on pairings," in Proc. of 9th Annual International Workshop on Selected Areas in Cryptology - SAC 2002, LNCS 2595, pp. 310-324, August 15-16, 2002.
  3. Jae Choon Cha and Jung Hee Cheon, "An identity-based signature from gap Diffie-Hellman groups," in Proc. of 6th International Workshop on Theory and Practice in Public Key Cryptography - PKC 2003, LNCS 2567, pp. 18-30, January 6-8, 2002.
  4. Paulo S. L. M. Barreto, Benoît Libert, Noel McCullagh, and Jean-Jacques Quisquater, "Efficient and provably-secure identity-based signatures and signcryption from bilinear maps," in Proc. of Advances in Cryptology - Asiacrypt 2005, LNCS 3788, pp. 515-532, December 4-8, 2005.
  5. Craig Gentry and Alice Silverberg, "Hierarchical ID-based cryptography," in Proc. of Advances in Cryptology - Asiacrypt 2002, LNCS 2501, pp. 548-566, December 1-5, 2002.
  6. Sherman S.M. Chow, Lucas C.K. Hui, Siu Ming Yiu, and K.P. Chow, "Secure hierarchical identity based signature and its application," in Proc. of 6th International Conference on Information and Communications Security - ICICS 2004, LNCS 3269, pp. 480-494, October 27-29, 2004.
  7. Peter W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484-1509, October, 1997. https://doi.org/10.1137/S0097539795293172
  8. Markus Rückert, "Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles," in Proc. of Third International Workshop on Post-quantum Cryptography - PQCrypto 2010, LNCS 6061, pp. 182-200, May 25-28, 2010.
  9. Miaomiao Tian, Liusheng Huang, and Wei Yang, "A new hierarchical identity-based signature scheme from lattices in the standard model," International Journal of Network Security, vol. 14, no. 6, pp. 310-315, November, 2012.
  10. Zhenhua Liu, Yupu Hu, Xiangsong Zhang, and Fagen Li, "Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model," Security and Communication Networks, vol. 6, no. 1, pp. 69-77, January, 2013. https://doi.org/10.1002/sec.531
  11. Miaomiao Tian, Liusheng Huang, and Wei Yang, "Efficient hierarchical identity-based signatures from lattices," International Journal of Electronic Security and Digital Forensics, vol. 5, no. 1, pp. 1-10, June, 2013.
  12. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proc. of 40th Annual ACM Symposium on Theory of Computing - STOC 2008, pp. 197-206, May 17-20, 2008.
  13. Shweta Agrawal, Dan Boneh, and Xavier Boyen, "Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE," in Proc. of Advances in Cryptology - Crypto 2010, LNCS 6223, pp. 98-115, August 15-19, 2010.
  14. Miklos Ajtai, "Generating hard instances of lattice problems," in Proc. of 28th ACM Symposium on the Theory of Computing - STOC 1996, pp. 99-108, May 22-24, 1996.
  15. Daniele Micciancio and Oded Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM Journal on Computing, vol. 37, no. 1, pp. 267-302, April 2007. https://doi.org/10.1137/S0097539705447360
  16. Chris Peikert and Alon Rosen, "Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices," in Proc. of 3rd Theory of Cryptography Conference - TCC 2006, LNCS 3876, pp. 145-166, March 4-7, 2006.
  17. Xavier Boyen, "Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more," in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography - PKC 2010, LNCS 6056, pp. 499-517, May 26-28, 2010.
  18. Joël Alwen and Chris Peikert, "Generating shorter bases for hard random lattices," Theory of Computing Systems, vol. 48, no. 3, pp. 535-553, April 2011. https://doi.org/10.1007/s00224-010-9278-3
  19. David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert, "Bonsai trees, or how to delegate a lattice basis," in Proc. of Advances in Cryptology - Eurocrypt 2010, LNCS 6110, pp. 523-552, May 30-June 3, 2010.
  20. Mihir Bellare and Phillip Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols," in Proc. of 1st ACM Conference on Computer and Communications Security - CCS 1993, pp. 62-73, November 3-5, 1993.