Transitive Signature Schemes for Undirected Graphs from Lattices

Abstract

In a transitive signature scheme, a signer wants to authenticate edges in a dynamically growing and transitively closed graph. Using transitive signature schemes it is possible to authenticate an edge (i, k), if the signer has already authenticated two edges (i, j) and (j, k). That is, it is possible to make a signature on (i, k) using two signatures on (i, j) and (j, k). We propose the first transitive signature schemes for undirected graphs from lattices. Our first scheme is provably secure in the random oracle model and our second scheme is provably secure in the standard model.

1. Introduction

 In 2002, Silvio Micali and Ronald L. Rivest introduced the concept of transitive signatures [1]. In a transitive signature scheme, a signer wants to authenticate edges in a dynamically growing and transitively closed graph. The signer with the knowledge of a secret key can generate two signatures σ_i,j on (i, j) and σ_j,k on an edge (j, k), then anyone without the knowledge of the secret key can derive a signature σ_i,k on (i, k) from σ_i,j and σ_j,k. This property of transitive signatures could be useful in applications such as a military chain-of-command (for directed graphs) and administrative domains (for undirected graphs).

 Constructing a transitive signature scheme for directed graphs still remains an open problem. In 2003, Susan Rae Hohenberger even showed that constructing a transitive signature scheme for directed graphs may be very hard [2]. Actually, there exist only transitive signature schemes for directed trees (not for directed graphs) [3][4][5][6][7]. In this paper, we only take an interest in constructing a transitive signature scheme for undirected graphs.

 In an undirected graph, we assume that there are k nodes. Then we observe that there may exist O(k²) edges. With a standard signature scheme, naturally, a signer has to generate O(k²) signatures. With a transitive signature scheme, however, a signer only needs to generate O(k) signatures [1]. Therefore, the transitive signature scheme can be efficient and useful in the environmen1ts.

1.1 Related Works

1.1.1 Transitive Signatures

 In 2002, Silvio Micali and Ronald L. Rivest proposed the first transitive signature scheme for undirected graphs [1]. In 2004, Siamak Fayyaz Shahandashti et al. proposed a transitive signature scheme for undirected graphs [8]. Their scheme is based on bilinear maps. Since then, Mihir Bellare and Gregory Neven proposed transitive signature schemes for undirected graphs [9][10]. The securities of their schemes are based on the hardness of RSA assumption, factoring, DLP, GDH (Gap Diffie-Hellman) assumption, respectively. Mihir Bellare and Gregory Neven also constructed a simple generic transformation from a stateful transitive signature scheme to a stateless transitive signature scheme with a pseudorandom function [10]. The signing algorithm in the transformed stateless transitive signature scheme is deterministic because the pseudorandom function is used.

1.1.2 Lattice-based Cryptosystems

 To date, there exist many transitive signature schemes for undirected graphs, but there exists no transitive signature scheme for undirected graphs from lattices. Lattice-based cryptosystems have some advantages compared to other cryptosystems based on the hardness of factoring, DLP, and so on. First, lattice-based cryptosystems are based on the worst-case hardness assumptions, but other cryptosystems are based on the average-case hardness assumptions. Next, lattice-based cryptosystems have the potential to resist quantum computing attacks, but other cryptosystems are insecure against quantum computing attacks [11]. Finally, lattice-based cryptosystems require less computational cost than other cryptosystems. With these in mind, there are proposed many lattice-based cryptosystems such as standard signatures [12][13][14][15][16], (hierarchical) identity-based signatures [15][17], group signatures [18], ring signatures [19][20], designated verifier signatures [21], homomorphic signatures [22][23], public key encryptions [16], (hierarchical) identity-based encryptions [12][13][24][25][26], homomorphic encryptions [27], and so on.

1.1.3 Homomorphic Signatures

 Transitive signatures are related to homomorphic signatures formalized by Robert Johnson et al. in 2002 [28]. In a homomorphic signature scheme, a signer wants to authenticate data and anyone without the knowledge of the secret can generate a valid signature for computing on signed data. In 2011, Dan Boneh and David Mandell Freeman proposed two linearly homomorphic signature schemes from lattices [22][23].

1.2 Our Contributions

 We propose two transitive signature schemes for undirected graphs from lattices. The first scheme is provably secure in the random oracle model and the second scheme is provably secure in the standard model.

 Our transitive signature schemes are stateful. In 2012, Abhishek Banerjee et al. proposed pseudorandom functions from lattices [29]. With the pseudorandom functions from lattices, our stateful transitive signature schemes can be transformed into stateless transitive signature schemes [10].

 All existing transitive signature schemes are insecure against quantum computing attacks. Therefore, we propose the first transitive signature schemes that have the potential to resist quantum computing attacks. Our first transitive signature scheme which is motivated by Craig Gentry et al.’s signature scheme from lattices [12] is provably secure in the random oracle model. To design our transitive signature scheme, we use a signature value in Craig Gentry et al.’s signature scheme that has a particular coset of q -ary lattices [12]. Our second transitive signature scheme is provably secure in the standard model. To make our transitive signature scheme secure in the standard model, we use the idea of the k -time signature scheme from lattices by Dan Boneh and David Mandell Freeman [22] and a signature value that has a particular coset of q -ary lattices [12].

2. Preliminaries

2.1 Notations

 Let n be a security parameter. We denote integers, real numbers, the ring of integers modulo q ≥ 2 by \(\mathbb{Z}\), \(\mathbb{R}\) , and  \(\mathbb{Z}_q\), respectively. We denote matrices by upper-case letters (e.g., A ) and vectors by lower-case letters (e.g., v ). We denote the Euclidean norms of v by ||v||. We use standard big- O notation. For all integer c > 0 , we say that a function \(f(n)=O\left(n^{-c}\right): \mathbb{Z} \rightarrow \mathbb{R}^{+}\) is negligible in n . If \(q \in \Theta\left(n^{c}\right)\), for all integer c > 0 , we say q = poly(n). If v is selected from a distribution \(\mathcal{D}\) at random, we denote \(v \leftarrow \mathcal{D}\). We denote a concatenation of v₁ and v₂ by \(v_{1} \mid v_{2}\). Let Round(v) be the function that rounds the coordinates of its argument vector v to the nearest integers.

2.2 Lattices

 In this paper, we will be interested in m -dimensional integer lattices which are defined as follows:

 Definition 2.1. Given any basis \(B=\left\{b_{1}, \cdots, b_{m}\right\} \subset \mathbb{Z}^{m}\), an m -dimensional integer lattice Λ and a dual lattice Λ* of Λ are defined as follows:

\(\Lambda=\left\{B \cdot z=\sum_{i=1}^{m} z_{i} b_{i}: z \in \mathbb{Z}^{m}\right\} \subseteq \mathbb{Z}^{m}\),       (1)

\(\Lambda^{*}=\left\{x \in \mathbb{Z}^{m}: \forall y \in \Lambda,\langle x, y\rangle \in \mathbb{Z}\right\} \subseteq \mathbb{Z}^{m}\).       (2)

 In particular, we will use q -ary lattices and their cosets which are defined as follows:

 Definition 2.2. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), a zero vector \(0 \in \mathbb{Z}_{q}^{n}\), and any syndrome \(u \in \mathbb{Z}_{q}^{n}\), a q -ary lattice \(\Lambda_{q}^{\perp}(A)\) and a coset \(\Lambda_{q}^{u}(A)\) of \(\Lambda_{q}^{\perp}(A)\) are defined as follows:

\(\Lambda_{q}^{\perp}(A)=\left\{v \in \mathbb{Z}^{m}: A \cdot v=0(\bmod q)\right\} \subseteq \mathbb{Z}^{m}\),       (3)

\(\Lambda_{q}^{u}(A)=\left\{v \in \mathbb{Z}^{m}: A \cdot v=u(\bmod q)\right\} \subseteq \mathbb{Z}^{m}\).       (4)

2.2.1 Gaussian Distributions

 We recall Gaussian distributions.

 Definition 2.3 (Gaussian function). Let \(\mathcal{H}\) be a d -dimensional subspace of \(\mathbb{R}^{m}\). For m ≥1, s > 0 , x∈\(\mathcal{H}\) , and c∈\(\mathcal{H}\) , a Gaussian function \(\rho_{\mathcal{H}, s, c}(x)\) is defined as follows:

\(\rho_{\mathcal{H}, s, c}(x)=\exp \left(-\pi\|x-c\|^{2} / s^{2}\right)\).       (5)

Definition 2.4 (Continuous distribution). Let \(\mathcal{H}=\operatorname{span}(\Lambda \subset \mathcal{H})\). For x∈Λ , a continuous distribution \(\mathcal{D}_{\mathcal{H}, s, c}(x)\) with density function is defined as follows:

\(\mathcal{D}_{\mathcal{H}, s, c}(x)=\frac{\rho_{\mathcal{H}, s, c}(x)}{\int_{x \in \mathcal{H}} \rho_{\mathcal{H}, s, c}(x) d x} \).       (6)

 Definition 2.5 (Discrete distribution). Let \(\mathcal{H}=\operatorname{span}(\Lambda \subset \mathcal{H})\). For x∈Λ , a discrete distribution \(\mathcal{D}_{\Lambda, s, c}(x)\) with density function over Λ is defined as follows:

\(\mathcal{D}_{\Lambda, s, c}(x)=\frac{\mathcal{D}_{\mathcal{H , s}, c}(x)}{\mathcal{D}_{\mathcal{H}, s, c}(\Lambda)}\).       (7)

 For convenience, \(\rho_{\mathcal{H}, s, 0}(x)\) and \(\mathcal{D}_{\mathcal{H}, s, 0}(x)\) are abbreviated as \(\rho_{\mathcal{H}, s}(x)\) and \(\mathcal{D}_{\mathcal{H}, s}(x)\), respectively.

 Definition 2.6 (Gaussian parameter). Let Λ^* be a dual lattice of Λ . For ε > 0∈\(\mathbb{R}\) , a Gaussian parameter \(\eta_{\varepsilon}(\Lambda)\) is the smallest s such that \(\rho_{\mathcal{H}, 1 / s}\left(\Lambda^{*} \backslash\{0\}\right) \leq \varepsilon\).

2.2.2 Trapdoor Generation

 We will use the trapdoor generation algorithm GenTrap\(\left(1^{n}, 1^{m}, q\right)\) which is as follows:

 Theorem 2.7 (Trapdoor generation) [16]. Given any integers n ≥1, \(m=O(n \log q)\), and q ≥ 2 , the trapdoor generation algorithm GenTrap\(\left(1^{n}, 1^{m}, q\right)\) outputs a uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\) and a trapdoor matrix \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\) of \(\Lambda_{q}^{\perp}(A)\), where \(m=\bar{m}+n l\), \(\bar{m}=O(n l)\), \(l=O(\log n)\), and the rank of A is n .

2.2.3 Gaussian Pre-image Sampling

 We will use the Gaussian pre-image sampling algorithm SampleD( , , , ) AT u s which is as follows:

 Theorem 2.8 (Gaussian pre-image sampling) [16]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), any trapdoor matrix  \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\) of \(\Lambda_{q}^{\perp}(A)\), any syndrome \(u \in \mathbb{Z}_{q}^{n}\), and large enough \(s=O(\sqrt{n \log q})\), the Gaussian pre-image sampling algorithm SampleD(A, T, u, s) outputs a vector v . The statistical distance between the distribution of v and \(\mathcal{D}_{\Lambda_{q}^{u}(A), s \cdot \omega(\sqrt{\log n})}\) is negligible in n .

2.2.4 Gaussian Domain Sampling

 We will use the Gaussian domain sampling algorithm SampleDom(1^m, s) which is as follows:

 Theorem 2.9 (Gaussian domain sampling) [12]. Given any positive integer m and large enough s, the Gaussian domain sampling algorithm SampleDom(1^m, s) outputs a vector \(v \leftarrow \mathcal{D}_{\mathbb{Z}, s}^{m}\).

2.2.5 Hard Problems

 The securities of our constructions are based on the SIS problem and k - SIS problem, respectively. The SIS problem is defined as follows:

 Definition 2.10 (SIS problem) [30][12]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), the \(\mathrm{SIS}_{q, m, \beta}\) problem is to find a non-zero vector \(v \in \mathbb{Z}^{m}\) such that \(A \cdot v=0(\bmod q)\) and \(\|v\| \leq \beta\).

 The advantage \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{SIS}}(n)\) of an algorithm \(\mathcal{A}\) in the \(\mathrm{SIS}_{q, m, \beta}\) problem is the probability that \(\mathcal{A}\) solves the \(\mathrm{SIS}_{q, m, \beta}\) problem.

 The k -SIS problem is defined as follows:

 Definition 2.11 ( k -SIS problem) [22]. Given any uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\) and k vectors \(v_{1}, \cdots, v_{\mathrm{k}} \leftarrow \mathcal{D}_{\Lambda_{q}^{\perp}(A), s}\) such that \(A \cdot v_{1}=\cdots=A \cdot v_{\mathrm{k}}=0(\bmod q)\), the k -\(\mathrm{SIS}_{q, m, \beta}\) problem is to find a non-zero vector \(v \in \mathbb{Z}^{m}\) such that \(A \cdot v=0(\bmod q),\|v\| \leq \beta\), and v is not in \(\mathbb{Q}\) -span (\(\left\{v_{1}, \cdots, v_{k}\right\}\)).

 The advantage \(\operatorname{Adv}_{A}^{\mathrm{k}-\mathrm{SIS}}(n)\) of an algorithm \(\mathcal{A}\) in the k - \(\mathrm{SIS}_{q, m, \beta}\) problem is the probability that \(\mathcal{A}\) solves the k -\(\mathrm{SIS}_{q, m, \beta}\) problem.

 The SIS problem for \(q \geq \beta \cdot \sqrt{n} \cdot \omega(\sqrt{\log n})\) is hard assuming worst-case hardness of approximating the SIVP on lattices [30][12]. The k -SIS problem for \(\mathrm{k}=O(n / \log n)\) is hard assuming average-case hardness of the SIS problem [22][31].

2.2.6 Useful Lemmas

 In this paper, we will use the following lemmas:

 Lemma 2.12 [30][13][16]. For \(\varepsilon \in\{0,1\}, s \geq \eta_{\varepsilon}\left(\Lambda_{q}^{\perp}(A)\right)\) for some uniformly random matrix \(A \in \mathbb{Z}_{q}^{n \times m}\), \(c \in \operatorname{span}\left(\Lambda_{q}^{\perp}(A)\right)\), and \(x \leftarrow \mathcal{D}_{\Lambda, s, c}\), the probability of \(\|x\| \geq s \cdot \sqrt{m}\) is negligible in n and the probability of x = c is negligible in n .

 Lemma 2.13 [22]. Let q be an odd prime, let \(m \geq O(n \log q)\), and let \(s>\omega(\sqrt{\log m})\). Given an instance \(\left(A, v_{1}, \cdots, v_{\mathrm{k}}\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}^{m \times \mathrm{k}}\) of the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem for any β , \(\left(A, v_{1}(\bmod 2), \cdots, v_{\mathrm{k}} \quad(\bmod 2)\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is statistically indistinguishable from uniform.

 Lemma 2.14 [22]. Let m be an integer and k < m an integer. The probability that the rank of a uniformly random matrix \(V \in \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is not k is at most \(1 / 2^{m \ k }\).

 Lemma 2.15 [22]. Let \(m \geq O(n \log q)\), let \(\mathrm{k} \cdot \omega(\log n)<\min \left(s, m^{1 / 4}\right)\), and let \(\left(A, v_{1}, \cdots, v_{\mathrm{k}}\right) \in \mathbb{Z}_{q}^{n \times m} \times \mathbb{Z}^{m \times k}\) be an instance of the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for any β . There exist only \(\left(\pm v_{1}, \cdots, \pm v_{\mathrm{k}}\right)\) such that the non-zero vectors of length at most \(1.1 \cdot s \cdot \sqrt{m / 2 \pi}\) in \(\mathbb{Q}\) -span \(\left(\left\{v_{1}, \cdots, v_{k}\right\}\right)\).

2.3 Definitions for Transitive Signatures

 We define transitive signatures. A transitive signature scheme TS = {TS.Gen, TS.Sign,TS.Vrfy,TS.Comp} is specified as follows:

 • TS.Gen(1ⁿ) : On input the security parameter 1ⁿ, output a public key pk and a secret key sk .

 • TS.Sign(\(s k,(i, j)\)) : On input the secret key sk and the edge (i,j), output a signature σ_i,j, on the edge (i,j).

 • TS.Vrfy(\(p k,(i, j), \sigma_{i, j}\)) : On input the public key pk , the edge (i,j), and the signature σ_i,j, on the edge (i,j), output a bit 1 if σ_i,j is valid and output a bit 0 otherwise.

 • TS.Comp(\(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\)) : On input the public key pk , the signature σ_i,j, on (i,j), the signature σ_j,k on (j,k), output a valid signature σ_i,k on (j,k).

 Transitive signatures basically have to satisfy correctness, transitivity, and transitive unforgeability under chosen-edge attacks. First, we define that a transitive signature scheme TS is correct if, for any valid signature σ_i,k on the edge (i, k) (generated with the TS.Sign(\(s k,(i, k)\)) algorithm) or for any valid combined signature σ_i,k on (i,k) (generated with the TS.Comp\(\left(p k,(i, j, k), \quad \sigma_{i, j}, \sigma_{j, k}\right)\)  algorithm), the TS.Vrfy\(\left(p k,(i, k), \sigma_{i, k}\right)\) algorithm outputs a bit 1 with all but negligible probability.

 Next, we define that a transitive signature scheme TS is transitive if, for two signatures σ_i,j on (i,j) and σ_j,k on the edge (j,k) , anyone without the knowledge of the secret key can derive a signature σ_i,k on (i,k) which is indistinguishable from another signature σ′_i,k on (i,k) (generated with the TS.Sign(\(s k,(i, k)\)) algorithm).

 Finally, we define that a transitive signature scheme TS is transitively unforgeable under chosen-edge attacks if, in the following game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\) between an algorithm \(\mathcal{A}\) and a forger \(\mathcal{F}\), the advantage \(\operatorname{Adv}_{\mathrm{Ts}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{A}\) is negligible.

• Setup: \(\mathcal{A}\) runs the TS.Gen(1ⁿ) algorithm to get (pk, sk). \(\mathcal{A}\) sends pk to \(\mathcal{F}\) .
• Signing queries: \(\mathcal{F}\) sends the edge (i,j) to \(\mathcal{A}\) . \(\mathcal{A}\) runs the TS.Sign\((s k,(i, j))\) algorithm to get σ_i,j and sends it to \(\mathcal{F}\) .
• Output: \(\mathcal{F}\) outputs the edge \(\left(i^{*}, j^{*}\right)\) and the signature \(\sigma_{i^*, j^*}\) . If the TS.Vrfy\(\left(p k,\left(i^{*}, j^{*}\right), \sigma_{i, j^{*}}\right)\) algorithm outputs a bit 1 and the edge \(\left(i^{*}, j^{*}\right)\) is not in the transitive closure of previously signed edges, then \(\mathcal{F}\) wins the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\).

 The advantage \(\operatorname{Adv}_{\mathrm{Ts}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\) is the probability that \(\mathcal{F}\) wins the game \(\operatorname{Game}_{\mathrm{TS}, \mathcal{F}}^{\mathrm{TU}}(n)\).

2.4 Chameleon Hash Function

 In the Proof of Theorem 4.3, we will use a chameleon hash function proposed by David Cash et al. in 2010 [13]. David Cash et al.’s chameleon hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\) has the following properties:

1. Trapdoor property: Given \(\mathrm{H}\left(i, r_{i}\right)\) and j ≠ i, one with the knowledge of the trapdoor information can sample r_j such that \(\mathrm{H}\left(i, r_{i}\right)=\mathrm{H}\left(j, r_{j}\right)\).
2. Collision-resistance property: It is hard to compute two pairs \(\left(i, r_{i}\right)\) and \(\left(j, r_{j}\right)\) without the knowledge of the trapdoor information such that \(\mathrm{H}\left(i, r_{i}\right)=\mathrm{H}\left(j, r_{j}\right)\) and \(\left(i, r_{i}\right) \neq\left(j, r_{j}\right)\).

 David Cash et al.’s chameleon hash function H(⋅,⋅) is collision-resistant assuming the \(\mathrm{SIS}_{q, m, \beta}\) problem.

3. Our Construction for Undirected Graphs in the Random Oracle Model

 We construct a transitive signature scheme for undirected graphs in the random oracle model. Our scheme involves the following parameters:

• A security parameter is n .
• The dimension of signatures is \(m=\bar{m}+n l\), where \(\bar{m}=O(n l)\) and \(l=O(\log n)\).
• \(q=\operatorname{poly}(n)\).
• A Gaussian parameter is \(s=O\left(n^{c} \sqrt{\log n}\right) \cdot \omega(\sqrt{\log n})\), where c is constant.

 We construct our scheme \(\mathrm{TS}_{1}=\left\{\mathrm{TS}_{1} \cdot \mathrm{Gen}, \mathrm{TS}_{1} \cdot \operatorname{Sign}, \mathrm{TS}_{1} \cdot \mathrm{Vrfy}, \mathrm{TS}_{1} \cdot \mathrm{Comp}\right.\) as follows:

• \(\mathrm{TS}_{1} \cdot \operatorname{Gen}\left(1^{n}\right)\) : On input the security parameter 1ⁿ :

1. Compute (A, T) using the GenTrap algorithm, where \(A \in \mathbb{Z}_{q}^{n \times m}\) and \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\).
2. Choose a hash function \(\mathrm{H}(\cdot):\{0,1\}^{*} \rightarrow \mathbb{Z}_{q}^{n}\).
   i. Note that the security analysis will view H(⋅) as a random oracle.
3. Output a public key \(p k=(A, \mathrm{H}(\cdot))\) and a secret key sk = T.

• \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, j))\) : On input the secret key sk = T and the edge (i,j) :

1. If state St(i) is empty, compute \(h_{i}=\mathrm{H}(i) \in \mathbb{Z}_{q}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{q}^{i_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=v_{i}\).
2. If state St(j) is empty, compute \(h_{j}=\mathrm{H}(j) \in \mathbb{Z}_{q}^{n}\), sample \(v_{j} \leftarrow \mathcal{D}_{\Lambda_{q}^{i_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(j)=v_{j}\).
3. Compute \(\sigma_{i, j}=v_{i}-v_{j}\) with states \(S t(i)=v_{i}\) and \(S t(j)=v_{j}\).
4. Output a signature σ_i,j.

• \(\mathrm{TS}_{1} . \mathrm{Vrfy}\left(p k,(i, j), \sigma_{i, j}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot))\), the edge (i,j) , and the signature σ_i,j:

1. Compute \(h_{i}=\mathrm{H}(i) \in \mathbb{Z}_{q}^{n}\) and \(h_{j}=\mathrm{H}(j) \in \mathbb{Z}_{q}^{n}\).
2. Output a bit 1 if \(\left\|\sigma_{i, j}\right\| \leq s \cdot \sqrt{2 m}\) and \(A \cdot \sigma_{i, j}=h_{i}-h_{j}(\bmod q)\), and output a bit 0 otherwise.

• \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot))\), the signature σ_i,j on (i,j) , the signature σ_j,k on (j,k) :

1. Compute \(\sigma_{i, k}=\sigma_{i, j}+\sigma_{j, k}\).
2. Output a signature σ_i,k.

3.1 Correctness

 We show that our scheme TS₁ is correct.

 Theorem 3.1. Our scheme TS₁ is correct.

 Proof of Theorem 3.1. The \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, j))\) algorithm can sample v_i and v_j such that \(\left\|v_{i}\right\| \leq s \cdot \sqrt{m},\left\|v_{j}\right\| \leq s \cdot \sqrt{m}, A \cdot v_{i}=h_{i}(\bmod q)\), and \(A \cdot v_{j}=h_{j}(\bmod q)\). That is, \(A \cdot \sigma_{i, j}=A \cdot\left(v_{i}-v_{j}\right)=h_{i}-h_{j}(\bmod q)\) and \(\left\|\sigma_{i, j}\right\|=\left\|v_{i}-v_{j}\right\| \leq s \cdot \sqrt{2 m}\).

 The \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm can compute \(\sigma_{i, j}+\sigma_{j, k}=\left(v_{i}-v_{j}\right)+\left(v_{j}-v_{k}\right)=v_{i}-v_{k}\) such that \(\left\|v_{i}\right\| \leq s \cdot \sqrt{m},\left\|v_{k}\right\| \leq s \cdot \sqrt{m}\), \(A \cdot v_{i}=h_{i}(\bmod q)\), and \(A \cdot v_{k}=h_{k}(\bmod q)\). That is, \(A \cdot \sigma_{i, k}=A \cdot\left(v_{i}-v_{k}\right)=h_{i}-h_{k}(\bmod q)\) and \(\left\|\sigma_{i, k}\right\|=\left\|v_{i}-v_{k}\right\| \leq s \cdot \sqrt{2 m}\).

 Therefore, our scheme TS₁ is correct.

3.2 Transitivity

 We show that our scheme TS₁ is transitive for undirected graphs.

 Theorem 3.2. Our scheme TS₁ is transitive for undirected graphs.

 Proof of Theorem 3.2. The \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm computes as follows:

\(\sigma_{i, k}=\sigma_{i, j}+\sigma_{j, k}=v_{i}-v_{j}+v_{j}-v_{k}=v_{i}-v_{k}\).       (8)

 A combined signature σ_i,k on the edge (i,k) generated with the \(\mathrm{TS}_{1} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) is indistinguishable from σ′_i,k on the edge (i,k) generated with the \(\mathrm{TS}_{1} \cdot \operatorname{Sign}(s k,(i, k))\).

 On the other hand, σ_i,j can be easily made from σ_j,i as follows:

\(\sigma_{i, j}=-\sigma_{j, i}=-\left(v_{j}-v_{i}\right)=v_{i}-v_{j}\).       (9)

 Therefore, our scheme TS₁ is transitive for undirected graphs.

3.3 Transitive Unforgeability

 We show that our scheme TS₁ is transitively unforgeable under chosen-edge attacks in the random oracle model.

 Theorem 3.3. Our scheme TS₁ is transitively unforgeable under chosen-edge attacks in the random oracle model if the \(\mathrm{SIS}_{q, m, \beta}\) problem for \(\beta=s \cdot \sqrt{4 m}\) is hard.

 Proof of Theorem 3.3. Let H(⋅) be a random oracle controlled by \(\mathcal{A}\) . Then we can construct \(\mathcal{A}\) attacking the \(\mathrm{SIS}_{q, m, \beta}\) problem for \(\beta=s \cdot \sqrt{4 m}\) if there exists a forger \(\mathcal{F}\) mounting transitive forgery attacks on TS₁ as follows:

• Setup: On input an instance \(A \in \mathbb{Z}_{q}^{n \times m}\) of the \(\mathrm{SIS}_{q, m, \beta}\) problem:

1. \(\mathcal{A}\) sends pk = A to \(\mathcal{F}\) .

• H-queries: On input the i -th node i :

1. \(\mathcal{A}\) samples, \(v_{i} \leftarrow \mathcal{D}_{\mathbb{Z}, s}^{m}\) using the SampleDom(1^m, s) algorithm.
2. \(\mathcal{A}\) computes \(h_{i}=A \cdot v_{i} \in \mathbb{Z}_{q}^{n}\).
3. \(\mathcal{A}\) sends \(h_{i}\) to \(\mathcal{F}\) .
4. \(\mathcal{A}\) adds a tuple \(\left\{i, v_{i}, h_{i}\right\}\) to the hash table.

• Signing queries: On input the edge (i,j) :

1. If i already appears on the hash table, \(\mathcal{A}\) looks up \(\left\{i, v_{i}, h_{i}\right\}\) in the hash table. Otherwise, \(\mathcal{A}\) queries i to the H -queries phase to get \(\left\{i, v_{i}, h_{i}\right\}\).
2. If j already appears on the hash table, \(\mathcal{A}\) looks up \(\left\{j, v_{j}, h_{j}\right\}\) in the hash table. Otherwise, \(\mathcal{A}\) queries j to the H -queries phase to get \(\left\{j, v_{j}, h_{j}\right\}\).
3. \(\mathcal{A}\) computes \(\sigma_{i, j}=v_{i}-v_{j}\).
4. \(\mathcal{A}\) sends σ_i,j to \(\mathcal{F}\) .
   i. Note that the number of signing queries is \(Q=\operatorname{poly}(n)\).

• Output: Assume that \(\mathcal{F}\) output a forged signature \(\sigma_{i^{*}, j^{*}}\) on the edge \(\left(i^{*}, j^{*}\right)\). \(\mathcal{A}\) proceeds as follows:

1. \(\mathcal{A}\) takes \(\left\{i^{*}, v_{i^{*}}, h_{i^*}\right\}\) and \(\left\{j^{*}, v_{j^{*}}, h_{j^*}\right\}\) from the hash table.
2. \(\mathcal{A}\) computes \(z=\sigma_{i^{*}, j^{*}}-v_{i^{*}}+v_{j^{*}}\).
   i. Note that the probability of \(\sigma_{i^{*}, j^{*}}=v_{i^{*}}-v_{j^{*}}\) is negligible in n by Lemma 2.12.
   ii. The Euclidean norm of z is \(\|z\| \leq s \cdot \sqrt{4 m}=\beta\)
3. \(\mathcal{A}\) outputs z as a solution to the \(\mathrm{SIS}_{q, m, \beta}\) problem.

 The advantage \(\operatorname{Adv}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the \(\operatorname{Game}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}(n)\) is computed as follows:

\(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{SIS}} \geq \mathrm{Adv}_{\mathrm{TS}_{1}, \mathcal{F}}^{\mathrm{TU}}\).       (10)

4. Our Construction for Undirected Graphs in the Standard Model

 We construct a transitive signature scheme for undirected graphs in the standard model. Our scheme involves the following parameters:

• A security parameter is n .
• The dimension of signatures is \(m=\bar{m}+n l\), where \(\bar{m}=O(n l)\) and \(l=O(\log n)\).
• q = poly(n) is an odd prime.
• A Gaussian parameter is\(s=O\left(n^{c} \sqrt{\log n}\right) \cdot \omega(\sqrt{\log n})\), where c is constant.
• The number of nodes is \(\mathrm{k}=O(n / \log n)\).

 We construct our scheme \(\mathrm{TS}_{2}=\left\{\mathrm{TS}_{2} \cdot \mathrm{Gen}, \mathrm{TS}_{2} \cdot \operatorname{Sign}, \mathrm{TS}_{2} \cdot \mathrm{Vrfy}, \mathrm{TS}_{2} \cdot \operatorname{Comp}\right\}\) as follows:

• \(\mathrm{TS}_{2} \cdot \operatorname{Gen}\left(1^{n}\right)\) : On input the security parameter 1ⁿ :

1. Compute (A, T) using the GenTrap algorithm, where 2 n m \(A \in \mathbb{Z}_{q}^{n \times m}\) and \(T \leftarrow \mathcal{D}_{\mathbb{Z}, \omega(\sqrt{\log n})}^{\bar{m} \times n l}\).
2. Choose a hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\).
3. Output a public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\) and a secret key sk = T .

• \(\mathrm{TS}_{2} \cdot \operatorname{Sign}(s k,(i, j))\) : On input the secret key sk = T and the edge (i,j) : 

1. If state St(i) is empty, choose \(r_{i} \leftarrow\{0,1\}^{m}\), compute \(h_{i}=\mathrm{H}\left(i, r_{i}\right) \in\{0,1\}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{2 q}^{q \cdot h_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=\left(v_{i}, r_{i}\right)\).
2. If state St(j) is empty, choose \(r_{j} \leftarrow\{0,1\}^{m}\), compute \(h_{j}=\mathrm{H}\left(j, r_{j}\right) \in\{0,1\}^{n}\), sample \(v_{i} \leftarrow \mathcal{D}_{\Lambda_{2 q}^{q \cdot h_{i}}(A), s}\) using the Gaussian pre-image sampling algorithm SampleD in the Theorem 2.8, and set \(S t(i)=\left(v_{i}, r_{i}\right)\).
3. Compute \(v_{i, j}=v_{i}-v_{j}\) with states \(S t(i)=\left(v_{i}, r_{i}\right)\) and \(S t(i)=\left(v_{i}, r_{i}\right)\).
4. Output a signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\).

• \(\mathrm{TS}_{2} \cdot \operatorname{Vrfy}\left(p k,(i, j), \sigma_{i, j}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\), the edge (i, j), and the signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) :

1. Compute \(h_{i}=\mathrm{H}\left(i, r_{i}\right) \in\{0,1\}^{n}\) and \(h_{j}=\mathrm{H}\left(j, r_{j}\right) \in\{0,1\}^{n}\).
2. Output a bit 1 if \(\left\|v_{i, j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\) and \(\), and output a bit 0 otherwise.

• \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) : On input the public key \(p k=(A, \mathrm{H}(\cdot, \cdot))\), the signature \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) on the edge (i,j) , the signature \(\sigma_{j, k}=\left(v_{j, k}, r_{j}, r_{k}\right)\) on the edge (j,k) :

1. Compute \(v_{i, k}=v_{i, j}+v_{j, k}\).
2. Output a signature \(\sigma_{i, k}=\left(v_{i, k}, r_{i}, r_{k}\right)\).

4.1 Correctness

 We show that our scheme TS₂ is correct.

 Theorem 4.1. Our scheme TS₂ is correct.

 Proof of Theorem 4.1. The \(\mathrm{TS}_{2} \cdot \operatorname{sign}(s k,(i, j))\) algorithm can sample v_i and v_j such that \(\left\|v_{i}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi} \quad, \quad\left\|v_{j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi} \quad, \quad A \cdot v_{i}=q \cdot h_{i}(\bmod 2 q)\), and \(A \cdot v_{j}=q \cdot h_{j}(\bmod 2 q)\). That is, \(A \cdot v_{i, j}=A \cdot\left(v_{i}-v_{j}\right)=q \cdot h_{i}-q \cdot h_{j}(\bmod 2 q)\) and \(\left\|v_{i, j}\right\|=\left\|v_{i}-v_{j}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\).

 The \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm can compute \(v_{i, j}+v_{j, k}=\left(v_{i}-v_{j}\right)+\left(v_{j}-v_{k}\right)=v_{i}-v_{k}\) such that \(\left\|v_{i}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi}\), \(\left\|v_{k}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / 2 \pi}, A \cdot v_{i}=q \cdot h_{i}(\bmod 2 q)\),  and \(A \cdot v_{k}=q \cdot h_{k}(\bmod 2 q)\). That is,\(A \cdot v_{i, k}=A \cdot\left(v_{i}-v_{k}\right)=q \cdot h_{i}-q \cdot h_{k}(\bmod 2 q)\) and \(\left\|v_{i, k}\right\|=\left\|v_{i}-v_{k}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}\).

 Therefore, our scheme TS₂ is correct.

4.2 Transitivity

 We show that our scheme TS₂ is transitive for undirected graphs.

 Theorem 4.2. Our scheme TS₂ is transitive for undirected graphs.

 Proof of Theorem 4.2. The \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) algorithm computes as follows:

\(v_{i, k}=v_{i, j}+v_{j, k}=v_{i}-v_{j}+v_{j}-v_{k}=v_{i}-v_{k}\).       (11)

 A combined signature σ_i,k on (i,k) generated with the \(\mathrm{TS}_{2} \cdot \operatorname{Comp}\left(p k,(i, j, k), \sigma_{i, j}, \sigma_{j, k}\right)\) is indistinguishable from σ′i,k on the edge (i,k) generated with the \(\mathrm{TS}_{2} \cdot \operatorname{Sign}(s k,(i, k))\).

\(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) can be easily made from \(\sigma_{j, i}=\left(v_{j, i}, r_{j}, r_{i}\right)\) as follows:

\(v_{i, j}=-v_{j, i}=-\left(v_{j}-v_{i}\right)=v_{i}-v_{j} \).       (12)

 Therefore, our scheme TS₂ is transitive for undirected graphs.

4.3 Transitive Unforgeability

 We show that our scheme TS₂ is transitively unforgeable under chosen-edge attacks in the standard model.

 Theorem 4.3. Our scheme TS₂ is transitively unforgeable under chosen-edge attacks in the standard model if the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for \( \beta=1.1 \cdot s \cdot \sqrt{m / \pi}\) is hard.

 Proof of Theorem 4.3. We can construct an algorithm \(\mathcal{A}\) attacking the k -\(\mathrm{SIS}_{q, m, \beta, s}\) problem for \( \beta=1.1 \cdot s \cdot \sqrt{m / \pi}\) if there exists a forger \(\mathcal{F}\) mounting transitive forgery attacks on TS₂ as follows:

• Setup: On input an instance \(\left(B, v_{1}, \cdots, v_{\mathrm{k}}\right)\) of the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem, where \(B \in \mathbb{Z}_{q}^{n \times m}\) and \(v_{1}, \cdots, v_{\mathrm{k}} \leftarrow \mathcal{D}_{\Lambda_{q}^{\perp}(B), s}\)

1. \(\mathcal{A}\) chooses a chameleon hash function \(\mathrm{H}(\cdot, \cdot):\{0,1\}^{*} \times\{0,1\}^{m} \rightarrow\{0,1\}^{n}\).
2. \(\mathcal{A}\) chooses \(h_{1}, \cdots, h_{\mathrm{k}} \leftarrow\{0,1\}^{n}\).
3. \(\mathcal{A}\) lets \(V=\left[v_{1}|\cdots| v_{\mathrm{k}}\right] \in \mathbb{Z}^{m \times \mathrm{k}}\).
4. \(\mathcal{A}\) lets \(H=\left[h_{1}|\cdots| h_{\mathrm{k}}\right] \in\{0,1\}^{n \times k}\).
5. \(\mathcal{A}\) chooses \(A_{2} \leftarrow\{0,1\}^{n \times m}\) such that \(A_{2} \cdot V=H(\bmod 2)\).
   i. Note that V (mod 2) is uniformly random by Lemma 2.13.
   ii. Note that the rank of \(V \in \mathbb{Z}_{2}^{m \times \mathrm{k}}\) is k with all but negligible probability by Lemma 2.14.
6. \(\mathcal{A}\) computes \(A \in \mathbb{Z}_{2q}^{n \times m}\) such that A=A₂ (mod 2) and A = B (mod q) using the Chinese remainder theorem.
   i. Note that A (mod 2q) is uniformly random by Lemma 2.13.
7. \(\mathcal{A}\) sends \(p k=(A, \mathrm{H}(\cdot, \cdot))\) to \(\mathcal{F}\).

• Signing queries: On input the edge (i,j) :

1. \(\mathcal{A}\) samples \(r_{i}, r_{j} \leftarrow\{0,1\}^{m}\) such that \(h_{i}=\mathrm{H}\left(i, r_{i}\right)\) and \(h_{j}=\mathrm{H}\left(j, r_{j}\right)\).
2. \(\mathcal{A}\) computes \(v_{i, j}=v_{i}-v_{j}\).
3. \(\mathcal{A}\) sends \(\sigma_{i, j}=\left(v_{i, j}, r_{i}, r_{j}\right)\) to \(\mathcal{F}\).
   i. Note that the number of signing queries is poly( ) n .

• Output: Assume that \(\mathcal{F}\) output a forged signature \(\sigma_{i^*, j^*}=\left(v_{i^*, j^*}, r_{i^*}, r_{j^*}\right)\) on the edge \(\left(i^{*}, j^{*}\right)\). \(\mathcal{A}\) proceeds as follows:

1. \(\mathcal{A}\) outputs \({v}_{i^{*}, j^{*}}\) as a solution to the k - \(\mathrm{SIS}_{q, m, \beta, s}\) problem.
   i. Note that the following equation is correct:

\(A \cdot v_{i^{*}, j^{*}}=q \cdot \mathrm{H}\left(i^{*}, r_{i^{*}}\right)-q \cdot \mathrm{H}\left(j^{*}, r_{j^{*}}\right)(\bmod 2 q)=B \cdot v_{i^{*}, j^{*}}(\bmod q)=0(\bmod q)\)(13)

ii. By Lemma 2.15, \({v}_{i^{*}, j^{*}}\) is not in \(\mathbb{Q}\) -span \(\left(\left\{v_{1}, \cdots, v_{\mathrm{k}}\right\}\right)\) and the Euclidean norm of \({v}_{i^{*}, j^{*}}\) is as follows:

\(\left\|v_{i, j^{*}}\right\| \leq 1.1 \cdot s \cdot \sqrt{m / \pi}=\beta\).       (14)

 The advantage \(\mathrm{Adv}_{\mathrm{TS}_{2}, \mathcal{F}}^{\mathrm{TU}}(n)\) of \(\mathcal{F}\) in the game \(\operatorname{Game}_{\mathrm{TS}_{2}, \mathcal{F}}^{\mathrm{TU}}(n)\) is computed as follows:

 \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{k-SIS}} \geq \mathrm{Adv}_{\mathrm{TS}_{_{2}}, \mathcal{F}}^{\mathrm{TU}}\).       (15)

5. Conclusion

 We have proposed the first transitive signature schemes for undirected graphs from lattices. The first scheme is provably secure in the random oracle model and the second scheme is provably secure in the standard model. The question of constructing a transitive signature scheme for directed graphs still remains open.