Efficient Certificateless Signature Scheme on NTRU Lattice

  • Xie, Jia (School of Telecommunications Engineering, Xidian University) ;
  • Hu, Yupu (School of Telecommunications Engineering, Xidian University) ;
  • Gao, Juntao (School of Telecommunications Engineering, Xidian University) ;
  • Gao, Wen (School of Telecommunications Engineering, Xidian University) ;
  • Jiang, Mingming (School of Computer Science and Technology, Huaibei Normal University)
  • Received : 2015.10.22
  • Accepted : 2016.08.22
  • Published : 2016.10.31

Abstract

Because of its advantages over regular and identity-based signatures, namely being certificateless and having no key escrow, the certificateless signature has been widely applied in e-business, e-government and software security since it was proposed in 2003. Although a number of certificateless signature schemes have been proposed, there is only one lattice-based certificateless signature scheme, which remains secure in the quantum era, but its efficiency is not very satisfactory. In this paper, the first certificateless signature scheme on the NTRU lattice is proposed and proven secure in the random oracle model. Moreover, the new scheme is more efficient than the only existing lattice-based certificateless signature scheme.

1. Introduction

Since it was proposed in 1976, the digital signature scheme has a history of more than 40 years. With further research on digital signatures and the rapid development of e-commerce and e-government, conventional digital signatures can no longer meet the needs of practice, so more and more researchers pay attention to digital signatures with additional properties, such as blind signatures, identity-based signatures, certificateless signatures, group signatures, proxy signatures and so on. In a blind signature scheme, the signer can produce a signature on a message m without learning anything about m, so it is widely used in e-cash and e-voting. Group signatures make it possible to achieve anonymity and traceability at the same time, and they are widely applied in anonymous certificates, e-voting, e-cash and anonymous attestation. Ring signatures are an alternative to group signatures, but anonymity revocation is impossible in them. Proxy signatures allow signing capabilities to be delegated, for example in authenticated routing. As can be seen in [1,2], all of these non-conventional digital signatures can help address challenges in information and communication technology.

With the advent of lightweight cryptography, the main difficulty in digital signatures today is lightweight authentication, which can be achieved by decreasing the infrastructure cost of authenticating public/private keys. In the traditional Public Key Infrastructure (PKI), a trusted certificate authority (CA) issues certificates to ensure the authenticity of users, which brings a vexing problem: certificate management. To deal with it, identity-based public key cryptography (IB-PKC) was first proposed in [3]. In IB-PKC, the public key is derived directly from the user's identity, while the private key is generated by the trusted private key generator (PKG) and the user. Clearly, IB-PKC is certificateless; however, it suffers from the key escrow problem: the PKG knows all users' private keys. To overcome this, certificateless public key cryptography (CL-PKC) was proposed in [4], which has the significant advantages of being certificateless and free of escrow at the same time.

A large number of certificateless signature (CLS) schemes have been proposed so far, for example [4-11], and all of them are based on the hardness of classical number-theoretic problems, particularly discrete logarithm assumptions. However, Shor showed in [12] that the discrete logarithm problem and the integer factorization problem will no longer be hard once quantum computers become reality. In view of the recent progress on quantum computers reported in [13], finding a quantum-secure CLS scheme is urgent.

Fortunately, Bernstein has conjectured in [14] that only some schemes can be reduced to computational problems on lattices, which remain hard even for quantum algorithms. What is more, lattice-based cryptographic schemes are easy to implement, because the typical computations involved are only integer matrix–vector multiplications and modular additions (see [15] for an overview of lattice-based cryptography). Lattice-based schemes are also supported by worst-case to average-case security guarantees. Given these three advantages, lattice cryptography has entered a stage of rapid development, and the last ten years have seen many achievements, such as cryptographic primitives [16-20], encryption schemes (public key encryption [21-25], fully homomorphic encryption [26-29]) and signature schemes [16,30-35]. The first lattice-based CLS scheme was proposed in [36]; nevertheless, its efficiency is not very satisfactory.

1.1 Our Contribution

In this paper, the first CLS scheme on NTRU lattice is proposed. We prove it is existentially unforgeable against strong adversaries in the random oracle model when the small integer solution (SIS) problem on NTRU lattice is hard. Moreover, the comparison between the two lattice-based CLS schemes indicates that the new CLS scheme is more efficient.

1.2 Paper Organization

The remainder of this paper is organized as follows. Section 2 presents some preliminaries. Section 3 describes the syntax and security model for CLS schemes. The first CLS scheme on NTRU lattice is provided in Section 4. Section 5 gives the efficiency comparison between the only two lattice-based CLS schemes. Finally, Section 6 concludes this paper.


2. Preliminaries

2.1 Notation

Throughout this paper, the security parameter n = 2^t is a positive integer larger than 8. ℝ and ℤ denote the real numbers and the integers, respectively. We work in the ring R = ℤ[x]/(x^n+1) and the ring Rq = ℤq[x]/(x^n+1), where q is a prime larger than 5 such that x^n+1 splits into kq irreducible factors modulo q. R× denotes the set of invertible elements of R. For a vector x ∈ ℝ^n, ||x|| denotes the Euclidean norm of x. For a matrix A, let ai be the i-th column of A; ||A|| is defined as maxi ||ai||.

Let be polynomials in R.

- fg denotes polynomial multiplication in R, while f*g = fg mod (x^n+1).

- (f) is the vector whose coordinates are f0, ..., fn-1, respectively. (f, g) ∈ ℝ^{2n} = R^{1×2} is the concatenation of (f) and (g).

Definition 1 (Anticirculant matrices). The n-dimensional anticirculant matrix of f is the following Toeplitz matrix:

When it is clear from context, we will drop the subscript n, and just write C(f).

2.2 Lattices

An n-dimensional lattice is a full-rank discrete subgroup of ℝ^n. Here we focus on the NTRU lattice.

Definition 2 (NTRU lattice). Let q be a prime larger than 5 and n a power of 2. Let f, g ∈ Rq with f invertible modulo q, and let h = g*f^{-1} mod q. The NTRU lattice associated to h and q is Λh,q = {(u,v) ∈ R^2 | u + v*h = 0 mod q}. Λh,q is a full-rank lattice of ℝ^{2n} generated by the rows of

where I_n and O_n are the n×n identity matrix and the n×n zero matrix, respectively.

2.3 Gaussian on Lattices

Gaussian sampling was first proposed in [37] as a technique for using a short basis as a trapdoor without leaking any information about that basis. The discrete Gaussian distribution on a lattice is defined as follows.

Definition 3 (Discrete Gaussian distribution). For any s > 0 and c ∈ ℝ^n, define the n-dimensional Gaussian function ρs,c : ℝ^n → (0,1] as

For any lattice Λ ⊂ ℝ^n, the probability mass function of the discrete Gaussian distribution is the normalization DΛ,s,c(x) = ρs,c(x)/ρs,c(Λ). For simplicity, in the rest of the paper DΛ,s,c(x) is abbreviated as DΛ,s(x).

In the following lemmas, we review several well-known facts about discrete Gaussian distribution.

Lemma 1 [refer to [15]]: For any n-dimensional lattice Λ, center c ∈ ℝ^n, ε > 0 and s > 2ηε(Λ), and for any x ∈ Λ, we have

where ηε(Λ) is the smoothing parameter of the lattice Λ. For ε<1/3, the min-entropy of DΛ,s,c(x) is at least n−1.

Lemma 2: For any σ>0 and a positive integer m, we have

1. Pr[x ← Dℤ,σ : |x| > 12σ] < 2^{-100}

2.

Lemma 3 [refer to [38]]: For any v ∈ ℤ^m and positive real α, if we have

and more specifically, if σ=α||v||, then

The preimage sampling algorithm on the NTRU lattice is defined as follows.

In this sampling algorithm above, the algorithm samples one-dimensional is the Gram–Schmidt orthogonalization of B.
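As an added illustration of Definition 3 and Lemma 2 (this code is not part of the paper), the following Python computes the discrete Gaussian on the one-dimensional lattice ℤ, evaluates the tail mass beyond 12σ by direct summation, and samples from the distribution truncated at that bound. The Gaussian function ρs,c(x) = exp(−π||x−c||²/s²) is assumed here as the standard form, because the paper's displayed formula did not survive extraction; σ = 3 is a constructed value used only for the demonstration.

```python
# Added example, not from the paper: D_{Z,s} per Definition 3 with Lambda = Z,
# the tail bound of Lemma 2 checked numerically, and a truncated sampler.
import math
import random


def rho(x, s, c=0.0):
    """Gaussian function rho_{s,c}(x) = exp(-pi*|x-c|^2/s^2) (assumed standard form)."""
    return math.exp(-math.pi * (x - c) ** 2 / (s * s))


def rho_lattice_Z(s, c=0.0, radius_factor=20):
    """rho_{s,c}(Z): the sum over all integers. Terms beyond 20*s are below
    double precision, so the window [c-20s, c+20s] captures the whole sum."""
    lo = int(math.floor(c - radius_factor * s))
    hi = int(math.ceil(c + radius_factor * s))
    return sum(rho(x, s, c) for x in range(lo, hi + 1))


def d_Z(x, s, c=0.0):
    """Probability mass D_{Z,s,c}(x) = rho_{s,c}(x) / rho_{s,c}(Z)."""
    return rho(x, s, c) / rho_lattice_Z(s, c)


def tail_mass(k, s):
    """Pr[x <- D_{Z,s} : |x| > k*s], computed by exact summation in one pass."""
    radius = int(math.ceil(20 * s))
    total = tail = 0.0
    for x in range(-radius, radius + 1):
        m = rho(x, s)
        total += m
        if abs(x) > k * s:
            tail += m
    return tail / total


def sample_D_Z(s, rng=random):
    """Sample D_{Z,s} by weighted table lookup on [-12s, 12s]. By Lemma 2 the
    mass dropped by this truncation is below 2^-100, far below what any
    statistical test could observe."""
    radius = int(math.ceil(12 * s))
    support = list(range(-radius, radius + 1))
    weights = [rho(x, s) for x in support]
    return rng.choices(support, weights=weights)[0]


def empirical_mass_within(s, r, count=10000, seed=0):
    """Fraction of samples with |x| <= r; should track 1 - tail_mass(r/s, s)."""
    rng = random.Random(seed)
    return sum(1 for _ in range(count) if abs(sample_D_Z(s, rng)) <= r) / count


if __name__ == "__main__":
    s = 3.0  # constructed parameter for the demonstration
    print("D_{Z,3}(0) =", d_Z(0, s))
    print("Pr[|x| > 12s] =", tail_mass(12, s), "< 2^-100:", tail_mass(12, s) < 2 ** -100)
    print("Pr[|x| > s] exact:", tail_mass(1, s), " empirical:", 1 - empirical_mass_within(s, s))
```

The exact tail for σ = 3 is on the order of 10^-207, so Lemma 2's bound of 2^-100 is loose by many orders of magnitude at this σ; the bound is stated for every σ > 0, which is what makes the 12σ truncation usable in a sampler without a per-parameter analysis.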

2.4 Hardness Assumption

Definition 4 (SIS over the ring Rq, namely R-SISq,m,β). The Small Integer Solution problem over the ring Rq with parameters q, m, β and Φ is defined as follows: given m polynomials a1, a2, ..., am chosen uniformly and independently from Rq = ℤq[x]/(Φ), Φ = x^n+1, find a solution t ∈ a^⊥ \ {0} satisfying ||t|| ≤ β, where

The trapdoor generation algorithm on the NTRU lattice differs somewhat from that on general lattices; it is given as Algorithm 2 below and referred to as Trapdoor Generation.

When f and g are chosen appropriately, Theorem 4.1 in [39] shows that the statistical distance between the distribution of h = g/f and the uniform distribution is negligible. So the SIS problem on the NTRU lattice, namely R-SISq,2,β, can be defined as follows.

Definition 5 ((q,2,β)-SIS on the NTRU lattice). The SIS problem on the NTRU lattice can be stated as follows: set R = ℤ[x]/(x^n+1), pick two small polynomials f, g accordingly and set h = g/f. Then R-SISq,2,β asks for (z1, z2) satisfying A(z1, z2)^T = 0 and ||(z1, z2)|| ≤ β.
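As an added example (not code from the paper), the following Python implements the objects of Definitions 1, 2 and 5 for toy parameters: multiplication in Rq, the anticirculant matrix C(f), the membership test u + v*h = 0 mod q for Λh,q, and the check that a vector is a (q,2,β)-SIS solution on the NTRU lattice. The row structure of C(f) (coefficient vectors of f, x·f, ..., x^{n−1}·f reduced modulo x^n+1) is the standard form assumed here because the paper's displayed matrix is missing; n = 16, q = 13, f = 1 + x and g = 1 + x³ − x⁵ are constructed toy values, far too small for any real use. It also shows why (−g, f) is a short lattice vector, which is what makes the trapdoor (f, g) useful: the pair that generated h is itself a solution to the SIS instance defined by h.

```python
# Added example, not from the paper: ring arithmetic, C(f), Lambda_{h,q} and
# the (q,2,beta)-SIS check on toy parameters.
import math

N, Q = 16, 13  # constructed toy parameters (n must be a power of 2, q prime)


def poly_mul_mod(f, g, n, q):
    """f*g in Z_q[x]/(x^n+1): a term x^k with k >= n wraps to -x^(k-n)."""
    res = [0] * n
    for i, fi in enumerate(f):
        if fi == 0:
            continue
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                res[k] = (res[k] + fi * gj) % q
            else:
                res[k - n] = (res[k - n] - fi * gj) % q
    return res


def anticirculant(f, n):
    """C(f): rows are the coefficient vectors of f, x*f, ..., x^(n-1)*f modulo
    x^n+1 (assumed standard form of Definition 1), so (g) * C(f) = (g*f)."""
    rows, cur = [], list(f)
    for _ in range(n):
        rows.append(list(cur))
        cur = [-cur[-1]] + cur[:-1]  # multiply by x; x^n becomes -1
    return rows


def vec_mat_mod(v, M, q):
    """Row vector times matrix, reduced modulo q."""
    return [sum(vi * M[i][j] for i, vi in enumerate(v)) % q for j in range(len(M[0]))]


def matrix_inverse_mod(M, q):
    """Gauss-Jordan inversion over Z_q (q prime); returns None if M is singular."""
    n = len(M)
    A = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [(x * inv) % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(x - fac * y) % q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def invert_poly_mod(f, n, q):
    """f^{-1} in R_q, or None. The first row of C(f)^{-1} is the vector u with
    u * C(f) = e_0, i.e. the polynomial u satisfying u*f = 1."""
    Cinv = matrix_inverse_mod(anticirculant(f, n), q)
    return None if Cinv is None else Cinv[0]


def ntru_public_key(f, g, n, q):
    """h = g * f^{-1} mod q as in Definition 2 (f must be invertible mod q)."""
    finv = invert_poly_mod(f, n, q)
    if finv is None:
        raise ValueError("f is not invertible modulo q")
    return poly_mul_mod(g, finv, n, q)


def in_ntru_lattice(u, v, h, n, q):
    """(u, v) lies in Lambda_{h,q} iff u + v*h = 0 mod q (Definition 2)."""
    vh = poly_mul_mod(v, h, n, q)
    return all((ui + wi) % q == 0 for ui, wi in zip(u, vh))


def euclid_norm(*polys):
    """Euclidean norm of the concatenated integer coefficient vectors."""
    return math.sqrt(sum(c * c for p in polys for c in p))


def is_sis_solution(z1, z2, h, n, q, beta):
    """(q,2,beta)-SIS on the NTRU lattice (Definition 5): a nonzero vector of
    Lambda_{h,q} with Euclidean norm at most beta."""
    nonzero = any(z1) or any(z2)
    return nonzero and in_ntru_lattice(z1, z2, h, n, q) and euclid_norm(z1, z2) <= beta


# Constructed toy trapdoor polynomials with coefficients in {-1, 0, 1}.
F = [1, 1] + [0] * (N - 2)               # f = 1 + x (invertible mod 13 since 2 != 0 mod 13)
G = [1, 0, 0, 1, 0, -1] + [0] * (N - 6)  # g = 1 + x^3 - x^5
H = ntru_public_key(F, G, N, Q)


def short_lattice_vector():
    """(-g, f) is in Lambda_{h,q} because -g + f*(g*f^{-1}) = 0 mod q, and its
    norm is sqrt(5): a short SIS solution, known only to whoever holds (f, g)."""
    return [-c for c in G], list(F)


if __name__ == "__main__":
    neg_g, f = short_lattice_vector()
    print("h =", H)
    print("(-g, f) in lattice:", in_ntru_lattice(neg_g, f, H, N, Q))
    print("(-g, f) solves SIS with beta = 3:", is_sis_solution(neg_g, f, H, N, Q, 3))
    print("(g, f) in lattice:", in_ntru_lattice(G, F, H, N, Q))
```

The inverse is computed through C(f) on purpose: it makes concrete that the anticirculant matrix is the matrix of multiplication by f, so f is invertible in Rq exactly when C(f) is invertible over ℤq. A real implementation would use a polynomial extended Euclidean algorithm or NTT-based arithmetic instead of an O(n³) matrix inversion.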

Theorem 1 [19]. Let n = 2^k, Φ = x^n+1 and ε > 0. Let m and q be positive integers such that the stated conditions hold and m, log q ≤ Poly(n). If there exists a polynomial-time algorithm A solving R-SISq,m,β with non-negligible probability, then an algorithm B can be constructed that solves the γ-Ideal shortest vector problem (SVP) in polynomial time by invoking A.

So far, no algorithm is known to perform non-negligibly better for γ-Ideal-SVP than for γ-SVP. Given the state of algorithmic development, it is generally believed that no sub-exponential quantum algorithm solves the computational variants of γ-SVP or γ-Ideal-SVP in the worst case for any γ polynomial in the dimension, and the smallest γ known to be achievable in polynomial time is exponential, up to poly-logarithmic factors in the exponent [40-42].


3. Syntax and Security Model for CLS Schemes

3.1 Syntax

A CLS scheme is a set of 7 probabilistic polynomial-time (PPT) algorithms: Setup, Extract-Partial-Private-Key, Set-Secret-Value, Set-Private-Key, Set-Public-Key, CL-Sign, CL-Verify as follows.

Setup(n). Taking security parameter n as input, PKG outputs the master private/public key pair (msk, mpk). Note that PKG keeps msk secret.

Extract-Partial-Private-Key(msk, id). On input of the master private key msk and an identity id, PKG outputs a partial private key did and then sends it to the user via a secure channel.

Set-Secret-Value(id). Given an identity id, the user id outputs a secret value sid.

Set-Private-Key(did, sid). Taking the user id's partial private key did and secret value sid as input, the user id runs this algorithm to output the full private key skid.

Set-Public-Key(skid). On input of full private key skid, the user id outputs a public key pkid.

CL-Sign(μ, id, skid). Given a message μ, the user's identity id and skid, the algorithm outputs a signature sig on μ.

CL-Verify(sig, μ, id, pkid). On input of (sig, μ, id, pkid), the algorithm outputs 1 if and only if sig is valid; otherwise it outputs 0.

3.2 Security model for CLS scheme

In general, a secure CLS scheme should satisfy the following requirements:

(1) Correctness: A signature produced by CL-Sign is accepted by the verifier.

(2) Unforgeability: When it comes to the unforgeability of the CLS scheme, we should consider two types of adversaries.

Type 1: The adversary models an outside attacker, so a Type 1 adversary can replace any user's public key with a value of its own choosing.

Type 2: The adversary models a malicious PKG. So the Type 2 adversary knows the master secret key msk.

However, neither type of adversary can both replace public keys and know the master secret key at the same time.

The security model consists of two games. Game 1 is played between a challenger C and a Type 1 adversary A1. The second game is the interaction between a challenger C and a Type 2 adversary A2, namely Game 2.

Game 1. This game is played as follows.

Initialization: The challenger C runs Setup to generate the master secret key msk. Since A1 is an outside attacker, it does not learn msk.

Queries: Adversary A1 can adaptively query all the oracles as follows.

(1) Create-User-Oracle. The oracle keeps the LC-list, a list of 5-tuples (id, did, sid, skid, pkid). Given an identity id ∈ {0,1}*, the oracle looks it up in the LC-list. If id is found, pkid is returned. Otherwise, the oracle runs Extract-Partial-Private-Key, Set-Secret-Value, Set-Private-Key and Set-Public-Key to obtain did, sid, skid and pkid, respectively, then stores (id, did, sid, skid, pkid) and returns pkid.

(2) Extract-Partial-Private-Key-Oracle. Given an identity id ∈ {0,1}* as input, challenger C looks up id in the LC-list and returns the corresponding partial private key did to adversary A1.

(3) Extract-Secret-Value-Oracle. When A1 queries this oracle for an identity id ∈ {0,1}*, challenger C searches the LC-list for id and returns the corresponding secret value sid to adversary A1.

(4) Replace-Public-Key-Oracle. Given an identity id and a new public key pkid', challenger C replaces the current public key with pkid' and records this change.

(5) CL-Sign-Oracle. Taking an identity id, a message μ and a secret value xid associated with the current public key pkid as input, challenger C first searches the LC-list for skid and then runs CL-Sign to output a valid signature sig that verifies under the public key pkid. Note that if pkid was produced by the Create-User-Oracle, then xid = ⊥.

Forgery. Finally, adversary A1 outputs a forgery sig* on (id*, μ*), where pkid* is the current public key. A1 is said to win the game if (1) CL-Verify(sig*, μ*, id*, pkid*) = 1, (2) (μ*, id*, xid*) has never been submitted to the Extract-Partial-Private-Key-Oracle, and (3) id* has never appeared in the LC-list.

Game 2. Here a challenger C and a Type 2 adversary A2 interact as follows.

Initialization: Challenger C runs Setup to generate the master secret key msk. As the malicious PKG, A2 knows msk.

Queries: Adversary A2 makes the following queries adaptively.

(1) Create-User-Oracle. The oracle keeps a list of 5-tuples (id, did, sid, skid, pkid), namely the LC-list. Given an identity id ∈ {0,1}*, the oracle searches the LC-list. If id is found, challenger C returns pkid to adversary A2. Otherwise, the oracle successively runs Extract-Partial-Private-Key, Set-Secret-Value, Set-Private-Key and Set-Public-Key to obtain (did, sid, skid, pkid). Finally, challenger C stores (id, did, sid, skid, pkid) in the LC-list and returns pkid to adversary A2.

(2) Extract-Secret-Value-Oracle. Taking an identity id ∈ {0,1}* as input, challenger C searches the LC-list for id and returns the secret value sid to adversary A2.

(3) Replace-Public-Key-Oracle. Given an identity id and a new public key pkid' as input, challenger C replaces the current public key with pkid' and records this replacement.

(4) CL-Sign-Oracle. Given an identity id, a message μ and a secret value xid associated with the current public key pkid, challenger C searches the LC-list for skid and then runs CL-Sign to generate a valid signature sig that verifies under pkid. Note that if pkid was produced by the Create-User-Oracle, then xid = ⊥.

Forgery. Finally, adversary A2 outputs a forgery sig* on (id*, μ*), where pkid* is the current public key. A2 is said to win the game if (1) CL-Verify(sig*, μ*, id*, pkid*) = 1, (2) (μ*, id*) has never been queried to the CL-Sign-Oracle, and (3) id* has never been queried to the Extract-Secret-Value-Oracle.


4. A CLS Scheme from Lattices

4.1 Construction

Let n be the security parameter and κ a positive integer. Our certificateless signature scheme on the NTRU lattice is as follows:

Setup(n). Taking the security parameter n as input, the PKG runs Algorithm 2 to output a trapdoor together with the corresponding public value, which serve as msk and mpk, respectively, where B is the basis of the NTRU lattice Λh,q.

Extract-Partial-Private-Key(msk, id). Taking the master private key msk and an identity id as input, the PKG runs the preimage sampling algorithm on the NTRU lattice, Gaussian_Sampler(B, s, (H(id), 0)), to output (s1, s2). The PKG then sends (s1, s2) to the user, who can verify that the norm bound holds and that s1 + s2*h = H(id). If so, the user takes (s1, s2) as did; otherwise the user rejects it.

Set-Secret-Value(id). The user id chooses and outputs

Set-Private-Key(did, sid). Given the user id's partial private key did and secret value sid, the user id outputs skid = (did, sid) as the full private key.

Set-Public-Key(skid). Taking the full private key skid as input, the user computes and outputs pkid as the public key.

CL-Sign(μ, id, skid). Given a message μ, the user's identity id and skid, the algorithm proceeds as follows:

(1) Select random values and define

(2) Set

(3) Output sig = (e, z) with the given probability. If nothing is output, repeat this algorithm.

CL-Verify(sig, μ, id, pkid). On input of (sig, μ, id, pkid), the algorithm outputs 1 if and only if both of the following hold:

(1)

(2)

4.2 Correctness

Theorem 1. The lattice-based CLS scheme satisfies correctness.

Proof. According to the CL-Sign phase, we know

So a valid signature sig = (e, z) produced by CL-Sign satisfies the equality

In addition, by combining the rejection technique with Theorem 3.4 in [38], the relevant distributions are very close to Dℤn,σ. According to Lemma 2, the norm bound then holds with probability at least 1 − 2^{−n}.

4.3 Security

Theorem 2. The CLS scheme is existentially unforgeable against strong adversaries in the random oracle model, under the assumption that γ-Ideal-SVP is hard for polynomial-time algorithms.

Lemma 4. If the SIS problem on the NTRU lattice Λh,q is intractable, the new CLS scheme is existentially unforgeable against any polynomial-time strong Type 1 adversary in the random oracle model.

Proof. Assuming there is a PPT adversary A1 that breaks the new CLS scheme with non-negligible probability, we construct a simulator C that solves the SIS problem on the NTRU lattice as follows.

Invocation: Being invoked on a random instance of the (q,2,β)-SIS problem on NTRU lattice Λh,q, the simulator C is required to return a valid solution.

—Supplied: a polynomial and NTRU lattice Λh,q.

—Requested: (s1, s2)∈ Λh,q and ||(s1, s2)||≤β.

Queries: A1 can adaptively query all the oracles shown next:

(1) H-Oracle query. The simulator C keeps a list LH-list of 3-tuples (idi, didi = (si1, si2), si1 + si2*h). Taking an identity idi ∈ {0,1}* as input, C looks it up in the LH-list. If idi is found, C returns si1 + si2*h to adversary A1. Otherwise, C picks two polynomials si1, si2 from Dℤn,s, stores (idi, didi = (si1, si2), si1 + si2*h) in the LH-list and returns si1 + si2*h to A1.

(2) Create-User-Oracle query. The simulator C keeps a list LC-list of 4-tuples. On input of an identity idi, C proceeds as follows. If idi is found in the LC-list, C returns pkidi. Otherwise, C queries the H-Oracle for didi, then runs Set-Secret-Value and Set-Public-Key to obtain the secret value and public key, respectively. Finally, the tuple is stored in the LC-list and C returns pkidi to adversary A1.

(3) Extract-Partial-Private-Key-Oracle query. Taking an identity idi as input, the simulator C searches the LC-list for the partial private key sidi and returns it.

(4) Replace-Public-Key-Oracle query. On input of an identity idi and a new public key, the simulator C looks up the corresponding public key pkidi and replaces it with the new one. Finally, C records this replacement.

(5) H1-Oracle query. The simulator C keeps the LH1-list. Taking μ and the associated values as input, C looks them up in the LH1-list. If they are found, C returns the corresponding ei. Otherwise, C randomly selects ei from DH, stores the entry in the LH1-list and returns ei to adversary A1.

(6) CL-Sign-Oracle query. On input of a message μ, a user's identity idi and xidi, the simulator C first queries the H-Oracle for didi and then runs CL-Sign to return a signature sig. Note that if pkidi is the user's current public key (that is, pkidi has not been replaced), then xidi = ⊥; in this case C can run CL-Sign to generate a valid signature.

Forgery: Finally, adversary A1 outputs a valid forgery sig*=(e*, z*) on (μ*,id*,pkid*) with non-negligible probability.

The simulator C can solve the SIS problem on NTRU lattice as follows.

After receiving the forgery sig* = (e*, z*), the simulator C obtains a second forgery sig' = (e', z') on the same (μ*, id*, pkid*) by the forking lemma [43]. So we get

From this the first equality holds, and then the corresponding inequality also holds. Since the inequality holds and the norm bound also holds, the resulting vector is a solution to the SIS problem on the NTRU lattice above, where

Lemma 5. If the SIS problem on the NTRU lattice Λh,q is intractable, the new CLS scheme is existentially unforgeable against any polynomial-time strong Type 2 adversary in the random oracle model.

Proof. Assuming there is a PPT adversary A2 that breaks the new CLS scheme with non-negligible probability, we construct a simulator C that solves the SIS problem on the NTRU lattice as follows.

Invocation: Simulator C is invoked on a random instance of the (q,2,β)-SIS problem on NTRU lattice Λh,q, and is asked to return an admissible solution.

—Supplied: a polynomial and Λh,q.

—Requested: (s1,s2)∈Λh,q and ||(s1,s2)||≤β.

Queries: A2 can adaptively query all the oracles shown next:

(1) H-Oracle query. The simulator C keeps a list LH-list of 3-tuples (idi, didi = (si1, si2), si1 + si2*h). Taking an identity idi ∈ {0,1}* as input, C looks it up in the LH-list. If idi is found, C returns si1 + si2*h to adversary A2. Otherwise, C first runs Extract-Partial-Private-Key to obtain a partial private key didi = (si1, si2), stores (idi, didi = (si1, si2), si1 + si2*h) in the LH-list and returns si1 + si2*h to A2.

(2) Create-User-Oracle query. The simulator C keeps a list LC-list of 4-tuples. On input of an identity idi, C proceeds as follows. If idi is found in the LC-list, C returns pkidi. Otherwise, C queries the H-Oracle for didi, then runs Set-Secret-Value and Set-Public-Key to obtain the secret value and public key, respectively. Finally, the tuple is stored in the LC-list and C returns pkidi to adversary A2.

(3) Extract-Partial-Private-Key-Oracle query. Given an identity idi, C searches the LC-list and returns the partial private key sidi.

(4) Replace-Public-Key-Oracle query. Taking an identity idi and a new public key as input, simulator C looks up the corresponding public key pkidi and replaces it with the new one. Finally, this replacement is recorded.

(5) H1-Oracle query. C keeps a list LH1-list, initially empty. Given the query values as input, C looks them up in the LH1-list. If they are found, C returns the corresponding ei. Otherwise, C randomly selects ei from DH, stores the entry in the LH1-list and returns ei.

(6) CL-Sign-Oracle query. Given a message μ, a user's identity idi and sidi associated with the user's current public key pkidi, C first searches the LC-list for didi and then runs CL-Sign to return a signature sig.

Forgery: Finally, adversary A2 outputs a valid forgery sig* = (e*, z*) on (μ*, id*, pkid*) with non-negligible probability. In this case, the public key pkid* is the original one created by C.

Simulator C can solve the SIS problem on NTRU lattice as follows.

After receiving the forgery sig* = (e*, z*), A2 outputs a second forgery sig' = (e', z') on the same (μ*, id*, pkid*) by the forking lemma in [43]. So we get

From this the equality holds. Since the inequality holds and the norm bound also holds, the resulting vector is a solution to the SIS problem on the NTRU lattice above, where

Applying Theorem 1, Lemma 4 and Lemma 5, we obtain Theorem 2. Fortunately, the security proof for our CLS scheme falls into the class of "history-free" reductions defined in [44], so it implies security in the quantum-accessible random oracle model as well.


5. The Efficiency

There is one CLS scheme [36] from lattices that is proven secure in the random oracle model. We now compare our new CLS scheme with [36].

Table 1 lists the comparison of communication overhead between our new scheme and the existing scheme [36], where m1 ≥ 2n log q, m2 ≥ 64 + n log q/(2b+1), m = m1 + m2, k, b, κ are positive integers, σ1 = 12s1κm and σ1 = 12sκn. It is clear that the master secret key, the private key and the signature in the new scheme are considerably shorter than those in [36]. Table 2 compares concrete instances of [36] and our new scheme, showing that the master secret key, private key and signature sizes of [36] are unsatisfactory while those of our new scheme are much shorter. So we believe the new scheme is more efficient than the existing scheme [36] in terms of communication overhead.

Table 1. The efficiency comparison between the two existing CLS schemes

Table 2. Comparison of the concrete instances


6. Conclusion

With the significant advantages of being certificateless and free of escrow, CLS schemes have attracted wide attention since they were proposed. However, once quantum computers become reality, CLS schemes based on number theory will no longer be secure, so finding a quantum-immune CLS scheme is urgent, and lattices may be the best candidate. The only lattice-based CLS scheme was proposed in [36] in 2014; nevertheless, its efficiency in the random oracle model is not very satisfactory. This paper described the first efficient CLS scheme on the NTRU lattice, proven secure in the random oracle model, in which the master secret key, the private key and the signature are considerably shorter than those in [36]. An efficient lattice-based CLS scheme in the standard model will be our future work.

References

  1. D. Arroyo, J. Diaz and F. B. Rodriguez, “Non-conventional Digital Signatures and Their Implementations-A Review,” in Proc. of International Joint Conference 2015, Advances in Intelligent Systems and Computing, pp.425-435, May 27, 2015. Article (CrossRef Link).
  2. P. Zhou, Research on Special Digital Signatures, Southwest Jiaotong University, China. Article (CrossRef Link).
  3. A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proc. of Cryptology–CRYPTO 1984, pp. 47-53, August 19-22, 1984. Article (CrossRef Link).
  4. S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proc. of Cryptology—Asiacrypt 2003, pp. 452-473, November 30 - December 4, 2003. Article (CrossRef Link).
  5. X. Huang, W. Susilo, Y. Mu and F. Zhang, “On the security of certificateless signature schemes from Asiacrypt 2003,” in Proc. of the 4th International Conference on Cryptology and Network Security (CANS’05), pp. 13-25, December 14-16, 2005. Article (CrossRef Link).
  6. Z. Zhang, D. S. Wong, J. Xu and D. Feng, “Certificateless public-key signature: security model and efficient construction,” in Proc. of the 4th International Conference on Applied Cryptography and Network Security (ACNS’06), pp. 293-308, June 6-9, 2006. Article (CrossRef Link).
  7. X. Huang, Y. Mu, W. Susilo, D. S. Wong and W. Wu, “Certificateless signature revisited,” in Proc. of the 12th Australasian Conference on Information Security and Privacy (ACISP’07), pp. 308-322, July 2-4, 2007. Article (CrossRef Link).
  8. J. K. Liu, M. H. Au and W. Susilo, “Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model,” in Proc. of the 2nd ACM Symposium on Information, Computer and Communications Security (AsiaCCS’07), pp. 273-283, March 20-22, 2007. Article (CrossRef Link).
  9. B. G. Kang, J. H. Park and S. G. Hahn, “A certificate-based signature scheme,” in Proc. of Cryptology—CT-RSA 2004, pp. 99-111, February 23-27, 2004. Article (CrossRef Link).
  10. J. Li, X. Huang, Y. Mu, W. Susilo and Q. Wu, “Certificate-based signature: security model and efficient construction,” in Proc. of the 4th European Public Key Infrastructure Workshop (EuroPKI’07), pp. 110-125, June 28-30, 2007. Article (CrossRef Link).
  11. J. K. Liu, J. Baek, W. Susilo and J. Zhou, “Certificate-based signature schemes without pairings or random oracles,” in Proc. of the 11th Information Security Conference (ISC’08), pp. 285-297, September 15-18, 2008. Article (CrossRef Link).
  12. P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal of Computing, vol. 26, no. 5, pp. 1484-1509, November, 1997. Article (CrossRef Link). https://doi.org/10.1137/S0097539795293172
  13. M. Krenn, M. Huber, R. Fickler, R. Lapkiewicz, S. Ramelow and A. Zeilinger, “Generation and confirmation of a (100×100)-dimensional entangled quantum system,” Proceedings of the National Academy of Sciences of the United States of America, vol. 111, no. 17, pp. 6243-6247, April, 2014. Article (CrossRef Link). https://doi.org/10.1073/pnas.1402365111
  14. D. J. Bernstein, “Introduction to Post-Quantum Cryptography,” D. J. Bernstein, J. Buchmann, E. Dahmen (Eds), Post-Quantum Cryptography, Springer-Verlag, Berlin, pp.1-14. Article (CrossRef Link).
  15. O. Regev, “Lattice-based cryptography,” in Proc. of the 26th Annual International Cryptology Conference, pp.131-141, August 20-24, 2006. Article (CrossRef Link).
  16. C. Gentry, C. Peikert and V. Vaikuntanathan, “Trapdoors for Hard Lattices and New Cryptographic Constructions,” in Proc. of the 40th Annual ACM Symposium on Theory of Computing, pp. 197-206, May 17-20, 2008. Article (CrossRef Link).
  17. J. Alwen and C. Peikert, “Generating shorter bases for hard random lattices,” Theory of Computing Systems, vol. 48, no. 3, pp.535-553, April, 2011. Article (CrossRef Link). https://doi.org/10.1007/s00224-010-9278-3
  18. D. Micciancio and C. Peikert, “Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller,” in Proc. of Cryptology–Eurocrypt 2012, pp. 700-718, April 15-19, 2012. Article (CrossRef Link).
  19. T. Laarhoven, M. Mosca and J. van de Pol, “Finding shortest lattice vectors faster using quantum search,” Designs, Codes and Cryptography, vol. 77, no. 2, pp. 375-400, December, 2015. Article (CrossRef Link). https://doi.org/10.1007/s10623-015-0067-5
  20. V. Lyubashevsky and D. Wichs, “Simple lattice trapdoor sampling from a broad class of distributions,” in Proc. of 18th IACR International Conference on Practice and Theory in Public-Key Cryptography–PKC 2015, pp. 716-730, March 30-April 1, 2015. Article (CrossRef Link).
  21. D. Cash, D. Hofheinz, E. Kiltz, et al, “Bonsai trees, or how to delegate a lattice basis,” in Proc. of Cryptology–Eurocrypt 2010, pp. 523-552, May 30-June 3, 2010. Article (CrossRef Link).
  22. S. Agrawal, D. Boneh and X. Boyen, “Efficient lattice (H)IBE in the standard model,” in Proc. of Cryptology–Eurocrypt 2010, pp. 553-572, May 30-June 3, 2010. Article (CrossRef Link).
  23. S. Agrawal, D. Boneh and X. Boyen, “Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE,” in Proc. of Cryptology–CRYPTO 2010, pp.98-115, August 15-19, 2010. Article (CrossRef Link).
  24. D. Stehlé and R. Steinfeld, “Making NTRU as secure as worst-case problems over ideal lattices,” in Proc. of Cryptology–Eurocrypt 2011, pp. 27-47, May 15-19, 2011. Article (CrossRef Link).
  25. L. Ducas, V. Lyubashevsky and T. Prest, “Efficient Identity-Based Encryption over NTRU Lattices,” in Proc. of Cryptology–Asiacrypt 2014, pp. 22-41, December 7-11, 2014. Article (CrossRef Link).
  26. C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proc. of 41st Annual ACM Symposium on Theory of Computing (STOC 2009), pp. 169-178, May 31-June 2, 2009. Article (CrossRef Link).
  27. C. Gentry, “Toward basing fully homomorphic encryption on worst-case hardness,” in Proc. of Cryptology–CRYPTO 2010, pp. 116-137, August 15-19, 2010. Article (CrossRef Link).
  28. Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-LWE and security for key dependent messages,” in Proc. of Cryptology–CRYPTO 2011, pp.505-524, August 14-18, 2011. Article (CrossRef Link).
  29. Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proc. of IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS 2011), pp. 97-106, October 23-25, 2011. Article (CrossRef Link).
  30. X. Boyen, “Lattice mixing and vanishing trapdoors: a framework for fully secure short signature and more,” in Proc. of 13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), pp. 499-517, May 26-28, 2010. Article (CrossRef Link).
  31. V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proc. of Cryptology–Eurocrypt 2012, pp. 738-755, April 15-19, 2012. Article (CrossRef Link).
  32. L. Ducas, A. Durmus, T. Lepoint and V. Lyubashevsky, “Lattice signatures and bimodal Gaussians,” in Proc. of Cryptology–CRYPTO 2013, pp.40-56, August 18-22, 2013. Article (CrossRef Link).
  33. F. Laguillaumie, A. Langlois, B. Libert and D. Stehlé, “Lattice-Based Group Signatures with Logarithmic Signature Size,” in Proc. of Cryptology–Asiacrypt 2013, pp. 41-61, December 1-5, 2013. Article (CrossRef Link).
  34. A. Langlois, S. Ling, K. Nguyen and H. X. Wang, “Lattice-based group signature scheme with verifier-local revocation,” in Proc. of PKC 2014, pp. 345-361, March 26-28, 2014. Article (CrossRef Link).
  35. P. Q. Nguyen, J. Zhang, Z. F. Zhang, “Simpler Efficient Group Signatures from Lattices,” in Proc. of PKC 2015, pp. 401-426, March 30-April 1, 2015. Article (CrossRef Link).
  36. M. M. Tian and L. S. Huang, “Certificateless and certificate-based signatures from lattices,” Security and Communication Networks, vol. 2015, no. 8, pp.1575-1586, 2015. Article (CrossRef Link). https://doi.org/10.1002/sec.1105
  37. C. Gentry, C. Peikert, V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proc. of the 40th Annual ACM Symposium on Theory of Computing, pp.197-206, May 17-20, 2008. Article (CrossRef Link).
  38. V. Lyubashevsky, “Lattice signatures without trapdoors,” in Proc. of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp.738–755, April 15-19, 2012. Article (CrossRef Link).
  39. D. Stehlé and R. Steinfeld, “Making NTRUEncrypt and NTRUSign as Secure as Standard Worst-Case Problems over ideal lattices,” IACR Cryptology ePrint Archive 2013:4, 2013. Article (CrossRef Link).
  40. A. K. Lenstra, H. W. Lenstra, and L. Lovâsz, “Factoring polynomials with rational coefficients,” Mathematische Annalen, vol. 261, no.4, pp. 515-534, 1982. Article (CrossRef Link). https://doi.org/10.1007/BF01457454
  41. C. P. Schnorr, “A hierarchy of polynomial time lattice basis reduction algorithms,” Theoretical Computer Science, vol. 53, no. 2-3, pp. 201-224, 1987. Article (CrossRef Link). https://doi.org/10.1016/0304-3975(87)90064-8
  42. D. Micciancio and P. Voulgaris, “A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations,” in Proc. of STOC 2010, pp. 351-358, June 5-8, 2010. Article (CrossRef Link).
  43. M. Bellare and G. Neven, “Multi-signatures in the plain public-key model and a general forking lemma,” in Proc. of the 13th ACM Conference on Computer and Communications Security, pp. 390-399, October -3 November, 2006. Article (CrossRef Link).
  44. D. Boneh, Ӧ. Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry, “Random oracles in a quantum world,” in Proc. of Asiacrypt 2011, pp. 41-69, December 4-8, 2011. Article (CrossRef Link).