- Email: [email protected]
Attribute-based signatures on lattices
The Journal of China Universities of Posts and Telecommunications August 2016, 23(4): 83–90 www.sciencedirect.com/science/journal/10058885
http://jcupt.bupt.edu.cn
Attribute-based signatures on lattices Xie Jia1 (
), Hu Yupu1, Gao Juntao1, Gao Wen1, Li Xuelian2
1. The State Key Laboratory of Integrated Services Network, Xidian University, Xi’an 710071, China 2. School of Mathematics and Statistics, Xidian University, Xi’an 710071, China
Abstract Because of its wide application in anonymous authentication and attribute-based messaging, the attribute-based signature scheme has attracted the public attention since it was proposed in 2008. However, most of the existing attribute-based signature schemes are no longer secure in quantum era. Fortunately, lattice-based cryptography offers the hope of withstanding quantum computers. And lattices has elevated it to the status of a promising potential alternative to cryptography based on discrete log and factoring, owing to implementation simplicity, provable security reductions and quantum-immune. In this paper, the first lattice attribute-based signature scheme in random oracle model is proposed, which is proved existential unforgeability and perfect privacy. Compared with the current attribute-based signature schemes, our new attribute-based signature scheme can resist quantum attacks and has much shorter public-key size and signature size. Furthermore, this scheme is extended into an attribute-based signature scheme on number theory research unit (NTRU) lattice, which is also secure even in quantum era and has much higher efficiency than the former. Keywords attribute, signature, lattice, unforgeability, perfect privacy
1 Introduction The concept of attribute-based signature (ABS) scheme was first introduced in Ref. [1] as an extension of the identity-based signature. Generally speaking, in the ABS scheme a user obtains his private key for a set of attributes, instead of just the identity, from the attribute authority. The ABS breaks the one to one restriction in the traditional public key cryptography. That is to say, one can distribute a message to a specific set of users and sign it under just one common public key. Because of its perfect privacy and good expression ability, the ABS scheme has widely cryptographic application, such as anonymous authentication and attribute-based messaging. Since the first ABS scheme emerged, several beautiful ABS constructions had been proposed [1–9]. Escala et al proposed the first ABS scheme satisfying proven secure against fully adaptive adversaries in Ref. [2]. Li et al. constructed two ABS schemes supporting flexible Received date: 25-11-2015 Corresponding author: Xie Jia, E-mail: [email protected] DOI: 10.1016/S1005-8885(16)60049-3
threshold predicates in Ref. [3], where the length of the signature depends on the largest size of attribute set. Two ABS constructions with constant signature size were proposed in Ref. [4]. And they are proven secure against selective predicate and adaptive message attacks. Zeng et al. proposed an ABS scheme with constant signature size in Ref. [5], which is not only unforgeable but also unconditionally anonymous. Okamoto and Takashima respectively proposed a fully secure ABS scheme in the standard model in Ref. [6] and the first decentralized multi-authority ABS scheme in Ref. [7]. The later no longer need the trusted setup and central authority. However, most of the ABS schemes above are based on the discrete logarithm problem, which have high efficiency but are no longer intractable when quantum computer comes into reality according to Ref. [10]. Fortunately, Bernstein has conjectured in Ref. [11] that lattice-based cryptographic schemes can withstand quantum attacks. What is more, lattice-based cryptographic schemes are also easy to implement because typical computations involved in them are only integer matrix–vector multiplication and modular addition operations (Ref. [12], for an overview on
84
The Journal of China Universities of Posts and Telecommunications
lattice-based cryptography). And lattice-based cryptographic schemes are supported by the worst-case to average-case security guarantees. Considering these three advantages, lattice-based cryptography enters a rapid development period and in the last ten years it have got many achievements, such as cryptographic primitive [13–18], encryption scheme (public key encryption [19–24], fully homomorphic encryption schemes [25–28]), signature schemes [14,29–35], multilinear maps [36–38]. So far, there have been three lattice-based ABS schemes which were respectively proposed in Refs. [39–41]. Even though all of them are proven secure even in quantum era, they are the attribute-based signatures in standard model and their efficiency is low. So how to construct ABS schemes, which are quantum-immune, in random oracle model and with high efficiency, may be the urgent issue in the coming years. 1.1
Our contributions
We propose the first lattice-based ABS scheme in random oracle model. And the scheme is proved existentially unforgeable against adaptively chosen message and selective access structure attacks, based on the hardness of small integer solution (SIS) problem. What’s more, the efficiency of our new scheme is much higher than the existed lattice-based ABS schemes in Refs. [39–41]. Furthermore, we extend our scheme into the ABS scheme on NTRU lattice, which can improve the efficiency in large amplitude, and its security depends on the hardness of the ring small integer solution (R-SIS) problem, it means the ABS scheme over NTRU lattice is also security even in quantum era. 1.2
Paper organization
The remainder of this paper is organized as follows. Sect. 2 presents some preliminaries. Sect. 3 gives the syntax and security model for ABS schemes. The first lattice-based ABS scheme in random oracle model is provided in Sect. 4. The extensional ABS scheme from NTRU lattices is proposed in Sect. 5. Finally, Sect. 6 concludes this paper.
2 Preliminaries 2.1
Notation
The security parameter in this paper is a positive integer
2016
n. ℝ and ℤ respectively denote the real space and integer space. Ring R= ℤ [x]/(xn+1) and ring Rq= ℤ q[x]/(xn+1) will be used. [k] is the set {1,2,…,k}, where k is a positive integer. Vectors and matrixes are respectively denoted as bold low-case letters and bold upper-case letters in italic. Aɶ denotes the Gram-Schmidt orthogonalization of the matrix A . And || v || denotes the Euclid norm of vector v . n −1
n −1
i=0
i =0
Let f = ∑ f i x i and g = ∑ gi x i be polynomials in R. Notation: fg denotes polynomial multiplication in R, while f ∗ g = fg mod ( x n + 1) . (f) is the vector whose coordinates are respectively f 0 ,..., f n −1 . ( f , g ) ∈ ℝ 2 n = R1× 2 is the concatenation of (f) and G. Definition 1 Anticirculant matrices An n dimensional anticirculant matrix of f is the following Toeplitz matrix: f1 f 2 … f n −1 ( f ) f0 − f f f 1 … f n − 2 ( xf ) C n F = n −1 0 = ⋮ ⋮ ⋮ ⋮ ⋮ n −1 − f1 − f 2 … … f 0 ( x f ) When it is clear from context, we will drop the subscript n, and just write C(f). 2.2
Lattices
Definition 2 B=[b1,…,bm]∈ ℝ m× m is a matrix, where the column vectors b1,…,bm∈ ℝ m are linearly independent [29]. The m dimensional lattice Λ generated by the basis B is the set, m Λ = L ( B ) = y ∈ ℝ m : ∃s ∈ ℤ m , y = Bs = ∑ si bi i ′=1 Definition 3 For a prime q, a matrix A∈ ℤ qn× m and a vector y∈ ℤ qn , we define two common cosets as follows [29] Λ⊥ ( A) = {e ∈ ℤ m : Ae = 0(mod q)} ,
Λy ( A) = {e ∈ ℤ m : Ae = y (mod q)} . Definition 4 NTRU lattice. Let q be the prime bigger than 5 and n be a power of 2. And f, g∈Rq (f is invertible modulo q ). Let h=g ∗ f −1 mod q. The NTRU lattice associated to h and q is Λh,q={(u,v) ∈R2| u+v ∗ h=0 mod q}. Here Λh,q is a full-rank lattice of ℝ 2 n generated by the row of
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
−C n ( h ) I n Ah , q = . 0n qI n where In and 0n are respectively the n×n unit matrix and n×n null matrix.
85
of SIS problem or the R-SIS, which are described in the following. Definition 6 Given a positive integer q, a matrix A∈ ℤ nq× m and a real β. A way to describe the SIS problem is to find a vector v∈ ℤ m / { 0 } such that Av=0 mod q and
2.3
Gaussin sample
||v|| ≤ β. Definition 7
Definition 5 Discrete Gaussians distribution. For any s>0, c∈ ℝ m , the m dimensional Gaussian function centered at c with parameter s is 2 X −c ρ s ,c ( X ) ≜ exp − π s2 For lattice Λ⊂ ℝ m , let ρs,c(Λ) ≜ ∑ ρ s ,c ( X ) . And the
SIS over ring: R-SISφq , m , β . The SIS
problem on ring with parameters q, m, β and φ is defined as follows: given m polynomials a1, a2,…,am chosen uniformly and independently in Rq= ℤq[x]/ (φ ) , finding the solution t∈a⊥\0 which satisfies the condition ||t|| ≤ β, where a ⊥ := (t1 ,..., tm ) ∈ R m : ∑ ti ai = 0 mod q .
{
i
}
x∈Λ
corresponding discrete Gaussian distribution is normalized as DΛ,s,c(X)=ρs,c(X)/ρs,c(Λ). For simplicity, we always abbreviate DΛ,s,0(X) as DΛ,s(X). Lemma 1 For any σ >0 and positive integer m, 1) Pr[ X ← Dσ1 : X > 12σ ] < 2−100 . Lemma 2 For any v∈ ℤ m and positive real α, if σ = ω(||v|| lb m ), we have [30] Pr[ X ← Dℤ m ,σ : Dℤ m ,σ ( X ) Dℤm ,σ ,v ( X ) = O(1)] = 1 − 2ω (lb m ) , and more specifically, if σ =α||v|| , then 2
Pr[ X ← Dℤm ,σ : Dℤm ,σ ( X ) Dℤm ,σ ,v ( X ) < e12 α +1 (2α ) ] = 1 − 2−100.
Some facts
Proposition 1 On input of q=ploy(n) ≥ 3 and m ≥ 6nlb q, there exists a algorithm trapdoor generation algorithm (TrapGen(1n)) that returns a pair (A,TA), where A ∈ ℤ qn×m is matrix statistically close to uniform distribution in ℤ qn× m and TA is a basis of Λ⊥(A) such that || TɶA || ≤O ( n lb q ) [15]. Proposition 2 Let q=ploy(n) ≥ 3, m ≥ 6n lb q, A∈ ℤ qn× m , T A be a short basis of lattice Λ⊥(A) and σ ≥ || TɶA || ω ( lb m ) [14]. For any vector u∈ ℤ qn , there exists a probabilistic polynomial time (PPT) algorithm SamplePre(A, T A , σ, u) returns e∈ ℤ qm sampled from a distribution statistically close to DΛu ( A),σ . 2.5
Here the syntax and security model of attribute-based signature are described as follows. 3.1
2) Pr[ X ← Dσm : X > 2σ m ] < 2− m .
2.4
3 Syntax and security model
Hardness assumption
The security of our schemes is reduced to the hardness
Syntax
Definition 8 Let i∈ ℕ , U={a1, a2,…,aN} is the set of attributes. And for ai∈U , Si={vi1, vi2,…,vi N(i)} is the set of the possible values of attribute ai, where N(i) is the number of the possible values. If one user owns an attribute list L={l1, l2,…,lN}, li∈ Si and W={w1, w2,…,wN} is the access structure. When li= wi for i∈ ℕ , we say L|=W denotes the attribute list L satisfies the access structure. An attribute-based signature is a 4-tuples (Setup, Extract, Sign, Verify) in the following: Setup Taking the security parameter n as input, the algorithm outputs the public parameters (PP), the master public key (MPK) and the master private key (MSK). Extract On input of PP, MPK, MSK and a user’s attribute list L, the algorithm outputs the corresponding private key SKL. Sign When the user with the attribute set L wants to sign a message µ, given PP, MPK, SKL, the message µ and the access structure W, the algorithm generates and outputs a signature sig if and only if L|=W. Verify After receiving a signature sig on message µ, an attribute set L and the access structure W, the algorithm outputs 1 if and only if L|=W and the signature is valid. 3.2
Correctness
Definition 9
If Verify(PP, sig, µ, L, W)=1, it is
86
The Journal of China Universities of Posts and Telecommunications
2016
believed that the ABS scheme is correct. Where (PP, MPK, MSK)←Setup(n), µ is the message, L is the attribute list, W is access structure, SKL←Extract(PP, MPK, MSK, L) and sig←Sign(PP, MPK, SKL, L, W).
Ref. [30] to construct an ABS scheme from lattice assumption.
3.3
The new ABS scheme is described as follows. Setup On input of the security parameter n, which is a positive integer, let the PP be: the prime q which is larger than 3, M is real, m ≥ 6n lb q, k and λ are positive integer, Lɶ = O ( n lb q ) , Gaussian parameter s= Lɶω ( lb n ) ,
Security model of ABS
The security requirements of an ABS scheme can be summarized as unforgeability and perfect privacy. Next, we describe these two requirements in detail. Definition 10 Unforgeability. The ABS scheme is existentially unforgeable against selective-access structure attack and against adaptively chosen message attacks if any PPT adversary A wins the following experiment with negligible probability. Initial phase Adversary A firstly chooses a challenge access structure W* which will be in the forgery signature and then send it to challenger C. Setup phase After receiving the challenge access structure from A, challenger C runs Setup(n) to obtain the PP and the master key pairs (MPK, MSK). Then C sends MPK to the adversary A and keeps MSK private. Query phase The adversary A performs polynomial queries to two oracles (Extract oracle and Sign oracle) as follows. 1) Extract oracle query: given an attribute set L not satisfying W* to the Extract oracle, challenger C outputs the corresponding secret key SKL to the adversary A. 2) Sign oracle query: given a message µ with access structure W to the Sign oracle, challenger C outputs the signature sig to the adversary A. Forgery phase Finally, the adversary A outputs a valid forgery signature (W*, µ*, sig*), where W* is the challenge access structure chosen in the Initial phase and µ* has not been queried in the Query phase. The advantage of adversary A in the above game is defined as AdvABS(A)=Pr[Verify(PP, sig*, µ*, L*, W*)=1]. Definition 11 Perfect privacy. An ABS scheme is considered perfect privacy, if for (MSK, MPK)←Setup(n), any attribute sets L1, L2, SK1←Extract(MSK, L1), SK2←Extract(MSK, L2), any message µ and access structure W such that L1 , L2 satisfy W, the signatures sig1←Sign(SK1, MPK, µ, L1) and sig 2 ←Sign(SK2, MPK, µ, L2) have the same distribution.
4 Lattice-based ABS scheme in random oracle model
4.1
Our construction
σ=12sλm. Then a trusted authority does these steps as follows: 1) Run the trapdoor generation algorithm TrapGen(1n) to generate a uniform matrix A ∈ ℤ qn×m and a basis
T ∈ ℤ qm× m of the lattice Λ⊥ ( A) . 2) Choose two Hash functions H:{0,1}*→{v: v ∈ {−1,0,1}k, ||v||1 ≤ λ} and H1: ℤ qn → ℤ qm× k . 3) Output {A, H, H1} as the master public key MPK and the MSK is T. Extract Taking the PP, MSK, MPK and the attribute list L as input, do as follows: 1) Choose the vector ui j ∈ ℤ qn for every attribute vi j, and compute H1L=
1
ij
) =[u1|u2|…|uk], where i∈ ℕ ,
j∈ ℕ , i ≠ j . 2) For each i∈{1,2,…,k}, run the pre-sample algorithm SamplePre (A, T, s, ui) →ei. 3) Send the signing key SKL=[e1| e2|…|ek] to the user with the attribute list L. Sign Assuming that a user with the attribute list L wants to sign a message µ on the access structure W, do the following if and only if L|=W. 1) Select a random vector y← Dσm . 2) Compute h=H(Ay,µ) and z=SKLh+y. 3) Output sig=(h,z) with probability min (1, Dσm ( z ) ⋅ m ( MDSK ( z )) −1 . L h ,σ
Verify On input of sig, µ, L and W, the algorithm outputs 1 if and only if 1) L|=W. 2) h=H(Az − H1Lh, µ). 3) ||z|| ≤ 2σ m . 4.2
Correctness
Theorem 1 In the following, we use rejection sampling technique in
∑ H (u vij ∈L
The obtained signature above satisfies
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
correctness. Proof According to the Sign phase, just when L satisfies the access structure W, we can generate a signature. So the Condition 1 in Verify phase is satisfied. Then we focus on the Condition 2 in Verify phase. According to Proposition 2 and step 2) in Extract phase, it is obvious that Az − H1L h = Az − ASK L h = A(SK L h + y ) − ASK L h = Ay So, H(Az−H1Lh, µ)=h holds, which means Condition 2 is satisfied. Combing the rejection sampling with Lemma 1 and Lemma 2, we know the distribution of z is very close to Dσm , so ||z|| ≤ 2σ m with probability at least (1−2−m ). 4.3 4.3.1
Security of the ABS scheme Unforgeability
Theorem 2 The ABS scheme above is existentially unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model, assuming the hardness of SIS problem. Proof Assuming there is a PPT adversary A who breaks the ABS scheme with non-negligible probability, we can construct a simulator C to solve the SIS problem as follows. Invocation Being invoked on a random instance of SIS problem, the simulator C is required to return a valid solution. Supplied: a matrix A ∈ ℤ qn×m . Requested: a vector s ∈ ℤ m , which satisfies As=0(mod q) and ||s|| ≤ β. Initial phase The adversary A firstly chooses a challenge access structure W* and then sends it to C. Setup phase On input of security parameter n, the simulator C randomly chooses A ∈ ℤ qn×m and two Hash functions H: {0,1}*→{v: v ∈ {−1, 0,1}k , ||v||1 ≤ λ}, H1: ℤqn →
ℤmq × k . Then he sends MPK={A, H, H1} to the adversary A. Query phase Adversary A can adaptively query all the oracles shown next. 1) H1 oracle query. The simulator C keeps a list LH1, which is 3 tuples (L, SKL, PL ). Taking an attribute set L as input, C looks up it in LH1. If L is found in LH1, the simulator C returns the corresponding PL to A. Otherwise, C picks k vectors e1,…,ek from Dsm . Finally, C stores (L, SKL=(e1,…,ek), PL=ASKL) and returns PL to A. 2) Extract oracle query. After receiving the query on
87
attribute list L, which does not satisfy the challenge access structure W*, the simulator C arises LH1 for L. And then he returns SKL to A. 3) H oracle query. The simulator C keeps the list LH. Taking (Ay, µ) as input, the simulator C looks up them in LH. If they already existed in LH, C returns h to A. Otherwise, C randomly selects h from DH and stores (Ay, µ, h) in LH. Finally, the simulator C returns h to A. 4) Sign oracle query. On input of message µ, attribute list L and the access structure W, the simulator C first checks whether L|=W. If yes, the simulator C looks up L in LH1 and returns SKL. Then C runs Sign to obtain sig=(h,z) and sends sig to A. Forgery phase After the queries above, adversary A outputs a valid forgery sig*=(h*, z*) on (µ*, L*, W*) with non-negligible probability. The simulator C can solve the SIS problem as follows: After receiving the forgery sig*, the simulator C will outputs a new forgery sig′ = (h′, z ′) on the same (µ*, L*, W*) by the forking Lemma in Ref. [42]. So, Az* − PL* h* = Az ′ − PL′ h′ ⇒ A( z* − z ′ + SK L' h′ − SK L* h* ) = 0 .
Because of ||z*||, || z ′ || ≤ 2σ m , || SK L* h* ||, || SK L′ h′ || ≤
sλ m , so we obtain || z * − z ′ + SK L′ h′ − SK L* h* || ≤ (4σ+2sλ) m with overwhelming probability. When β ≥ (4σ + 2sλ ) m , ( z * − z ′ + SK L′ h′ − SK L* h* ) is one solution to the SIS problem above. 4.3.2 Perfect privacy
Theorem 3 The ABS scheme above satisfies the perfect privacy. Proof For any two users with attribute sets L1, L2, both of which satisfy the access structure, the signing keys are respectively SKL1 and SKL2, the output signatures are sig1=(h1, z1) and sig2=(h2, z2). Assuming the distributions of z1 and z2 are respectively D1 and D2. We consider the distributions of h and z as follows. 1) By the rejecting sample technique and Lemma 2, it is obvious that ∆ ( D1 , Dσm )≤ ( 2−ω lb m M ) , ∆( D2 , Dσm )≤
( 2−ω lb m
M ) . So it is derived that ∆ ( D1 , D2 )≤ ( 21−ω lb m M ) ,
which is negligible. 2) Because both of h1 and h2 are from the uniform distribution in ℤ qm , so h1 and h2 have the same distribution. According to above 1) and 2), we can conclude that the two
88
The Journal of China Universities of Posts and Telecommunications
signatures have the same distribution. That is to say, the ABS scheme is perfect privacy.
4.4
The efficiency
As we all know, there have been three lattice-based ABS schemes, which were respectively proposed in Refs. [39–41]. Now we compare their efficiency as Table 1. Table 1
The efficiency comparison
Scheme
Size of public key
In Ref. [39] In Ref. [40] In Ref. [41] This work
(4k+2)mnlb q+nlb q+k 5mnlb q+k (k+2)mnlb q +k mnlb q+k +nklb q
Size of secret key m2lb q m2lb q m2lb q m2lb q
Size of signature (2k+1)mlb q 3mlb q 3mlb q mlb q+k
In Table 1, m ≥ 6nlb q, k<
2016
4) Compute F1 , G1 ∈ R such that fG1 − gF1 = 1 . Set
Fq = qF1 and Gq = qG1 . 5) Use Babai’s nearest plane algorithm to approximate (Fq,Gq) by an integer linear combination of ( f , g ), ( xf , xg ),…, ( x n −1 f , x n −1 g ) . Let ( F , G ) be the output, such that there exists k ∈ R
with ( F , G ) =
( Fq , Gq ) − k ( f , g ) . 6) If ( F , G ) > nσ , restart.
C ( f ) C(g) 7) Return MSK is B = and the manger C ( F ) C (G ) public key MPK is h=g/f ∈ Rq× Extract Taking the PP, MSK, MPK and the attribute list L as input, the algorithm is run as follows: 1) If SK L is in local storage then 2) Output SK L to user with attribute list L. 3) Else choose the polynomial ui j∈Rq for every attribute vi j, and compute HL= ∑ H ′′(uij ) , where i∈ ℕ , j∈ ℕ , vij ∈L
5 Extension
i≠ j.
In this section, we will work in the ring R= ℤ [x]/(xn+1) and ring Rq= ℤq[x]/(xn+1), where the prime q is bigger than 5. It is also satisfied that xn+1 can split into kq irreducible factors modulo prime q. R× denotes the set of invertible elements in R. The aforementioned basic ABS construction can be extended to an ABS scheme on NTRU lattice, which is unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model. And the extended ABS scheme works as follows: Setup On input of the security parameter n, which is the power of 2, a trusted authority firstly chooses the PP: the prime q=poly(n), the positive integer kq , two
4) Run the pre-sample algorithm on NTRU lattice SamplePre ( h, B, s, ( H L , 0) ) to output ( s1 , s2 ) , where
H ′′ : ℤ qn → ℤ qn and
Hash functions
H ′ : {0,1}*→
{v:v ∈ {−1, 0,1}k , ||v||1 ≤ λ} the Gaussian parameter s = Ωɶ (n3 2σ ) and σˆ = 12λ sn , where the Gaussian parameter σ satisfying 1 2+ε
n ln(8nq) q
1 2 −ε
,q
the condition if kq = n, σ =
= Ωɶ (n7 2 ), if kq = 2, σ = n ln(8nq) ⋅
q1 2 + ε , q1 2 −ε = Ωɶ (n3 ) . Then he does as follows: 1) Sample f and g from Dℤn ,σ that satisfy ( f mod q ) ∈ × q
R
× q
and ( g mod q ) ∈ R .
2) If
f > σ n or
g > σ n , restart.
3) If < f , g >≠ R , restart.
s1 and s2 satisfies
{s1 + s2 ∗ h = H L } .
5) SK L ← ( s1 , s2 ) 6) Output SK L to user with attribute list L and keep it in local storage Sign On input of the attribute list L, the corresponding private key SKL, the message µ with the access structure W as input, do the following if and only if L|=W. 1) Choose polynomials y1 , y2 ∈ Dσnˆ . 2) Compute u = H ′( y1 + h ∗ y2 , µ ) . 3) Then compute zi = yi + si ∗ u, for i = 1, 2 . 4) Output sig = ( z1 , z2 , u ) with probability min( Dσnˆ ( zi ) ⋅ n ( MDSK ( zi )) −1 ,1) , M = O(1) . L u ,σˆ
Verify On input of sig, µ, L and W, the algorithm outputs 1 if and only if 1) L|=W. 2) H ′( h ∗ z2 + z1 − H L ∗ u , µ ) = u . 3) ( z1 , z2 ) ≤2σˆ 2n . The proof of the correctness, the security and the perfect privacy are similar except that the security of this scheme can be reduced to the R-SIS problem. The size of public key, private key and signature in our extended ABS scheme are respectively values nlb q, 2nlb q and 2nlb q+k.
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
Compared with the size of the ABS in Sect. 4, the ABS scheme over NTRU lattice has much shorter size. So the efficiency of the NTRU lattice-based ABS scheme is much higher.
6 Conclusions We proposed the first lattice-based ABS scheme in random oracle model. Assuming the hardness of SIS problem, it is proved existentially unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model. And it also meets the perfect privacy. What’s more, compared with the previous ABS schemes, our new ABS scheme is not only secure even in quantum era but also much more efficient. So it solves the problem that it may not be possible to have both of high efficiency and quantum-immune. Further, we extended the ABS scheme into an ABS scheme on NTRU lattice, which can greatly improve the efficiency. And it is also secure even in quantum era. An efficient lattice-based ABS scheme with special property will be our future work. Acknowledgements This work was supported by the National Natural Science Foundation of China (61303217, 61303217, 61472309, 61502372 and 61572390), the 111 Project (B08038), the Fundamental Research Funds for the Central Universities (JB140115), the Natural Science Foundation of Shaanxi Province (2013JQ8002, 2014JQ8313).
References 1. Maji H K, Prabhakaran M, Rosulek M. Attribute-based signature: achieving attribute privacy and collusion-resistance. Topics in Cryptology: Proceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA’11), Feb 14−18, 2011, San Francisco, CA, USA. LNCS 6558. Berlin, Germany: Springer-Verlag, 2011: 376−392 2. Escala A, Herranz J, Morillo P. Revocable attribute based signatures with adaptive security in the standard model. Progress in Cryptology: Proceedings of the 4th International Conference on Cryptology in Africa (AFRICACRYPT’11), Jul 5−7, 2011, Dakar, Senegal. LNCS 6737. Berlin, Germany: Springer-Verlag, 2011: 224−241 3. Li J, Au M H, Susilo W, et al. Attribute-based signature and its applications. Proceedings of the 5th ACM Symposium on Information Computer and Communications Security (ASIACCS’10), Apr 13-16, 2010, Beijing, China. New York, NY, USA: ACM, 2010: 60−69 4. Herranz J, Laguillaumie F, Libert B, et al. Short attribute-based signatures for threshold predicates. Topics in Cryptology: Proceedings of the Cryptolographers’s Track at the RSA Conference 2012 (CT-RSA’12), Feb 27−Mar 2, 2012, San Francisco, CA, USA. LNCS 7178. Berlin, Germany: Springer-Verlag, 2012: 51− 67 5. Zeng F, Xu C X, Li Q Y, et al. Attribute-based signature scheme with constant size signature. Journal of Computational Information Systems, 2012, 8(7): 2875−2882
89
6. Okamoto T, Takashima K. Efficient attribute based signatures for non-monotone predicates in the standard model. Public-Key Cryptography: Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography (PKC’11), Mar 6−9, 2011, Taormina, Italy. LNCS 6571. Berlin, Germany: Springer-Verlag, 2011: 35−52 7. Okamoto T, Takashima K. Decentralized attribute-based signatures. Public-Key Cryptography: Proceedings of the 16th International Conference on Practice and Theory in Public Key Cryptography (PKC13), Feb 26−Mar 1, 2013, Nara, Japan. LNCS 7778. Berlin, Germany: Springer-Verlag , 2013: 125−142 8. Li J, Kim K. Hidden attribute-based signatures without anonymity revocation. Information Sciences, 2010, 180(9): 1681−1689 9. Shahandashti S F, Safavi-Naini R. Threshold attribute-based signature and their application to anonymous credential systems. Progress in Cryptology: Proceedings of the 2nd International Conference on Cryptology in Africa (AFRICACRYPT’09), Jun 21−25, 2009, Gammarth, Tunisia. LNCS 5580. Berlin, Germany: Springer-Verlag, 2009: 198−216 10. Shor P W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal of Computing, 1997, 26(5): 1484−1509 11. Bernstein D J. Introduction to post-quantum cryptography. In: Bernstein D J, Buchmann J, Dahmen E. Post-quantum cryptography. Berlin, Germany: Springer-Verlag, 2009: 1−14 12. Regev O. Lattice-based cryptography. Advances in Cryptology: Proceedings of the 26th Annual International Cryptology Conference (CRYPTO’06), Aug 20−24, 2006, Santa Barbara, CA, USA. LNCS 4117. Berlin, Germany: Springer-Verlag, 2006: 131−141 13. Ajtai M. Generating hard instances of the short basis problem. Automata, Languages and Programming: Proceedings of the 26th International Colloquium on Automata, Languages and Programming (ICALP’99), Jul 11−15, 1999, Prague, Czech. LNCS 1644. Berlin, Germany: Springer-Verlag, 1999: 1−9 14. Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC’08), May 17−20, 2008, Victoria, Canada. New York, NY, USA: ACM, 2008: 197−206 15. Alwen J, Peiker C. Generating shorter bases for hard random lattices. Theory of Computing Systems, 2009, 48(3): 535−553 16. Micciancio D, Peikert C. Trapdoors for lattices: simpler, tighter, faster, smaller. Advances in Cryptology: Proceedings of the 31th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’12), Apr 15−19, 2012, Cambridge, UK. LNCS 7237. Berlin, Germany: Springer-Verlag, 2012: 700−718 17. Laarhoven T, Mosca M, Van de Pol J. Finding shortest lattice vectors faster using quantum search. Designs, Codes and Cryptography, 2015, 77(2): 375−400 18. Lyubashevsky V, Wichs D. Simple lattice trapdoor sampling from a broad class of distributions. Public-Key Cryptography: Proceedings of 18th International Conference on Practice and Theory in Public-Key Cryptography (PKC’15), Mar 30−Apr 1, 2015, Gaithersburg, MD, USA. LNCS 9020. Berlin, Germany: Springer-Verlag, 2015: 716−730 19. Regev O. On lattices, learning with errors, random linear codes, and cryptography. Proceedings of 37th Annual ACM Symposium on Theory of Computing (STOC’05), May 22−24, 2005, Baltimore, MD, USA. New York, NY, USA: ACM, 2005: 84−93 20. Stehlé D, Steinfeld R. Making NTRU as secure as worst-case problems over ideal lattices. Advances in Cryptology: Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’11), May 15−19, 2011, Tallinn, Estonia. LNCS 6632. Berlin, Germany: Springer-Verlag, 2011: 27−47 21. Cash D, Hofheinz D, Kiltz E, et al. Bonsai trees, or how to delegate a lattice basis. Advances in Cryptology: Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’10), May 30-Jun 3, 2010, Riviera, France.
90
The Journal of China Universities of Posts and Telecommunications
LNCS 6110. Berlin, Germany: Springer-Verlag, 2010: 523−552 22. Agrawal S, Boneh D, Boyen X. Efficient lattice (H)IBE in the standard model. Advances in Cryptology: Proceedings of 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’10), May 30−June 3, 2010, Riviera, France. LNCS 6110. Berlin, Germany: Springer-Verlag, 2010: 553−572 23. Agrawal S, Boneh D, Boyen X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. Advances in Cryptology: Proceedings of the 30th Annual International Cryptology Conference (CRYPTO’10), Aug 15−19, 2010, Santa Barbara, CA, USA. LNCS 6223. Berlin, Germany: Springer-Verlag, 2010: 98−115 24. Ducas L, Lyubashevsky V, Prest T. Efficient identity-based encryption over NTRU lattices. Advances in Cryptology: Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’14), Dec 7−11, 2014, Kaoshiung, China. LNCS 8874. Berlin, Germany: Springer-Verlag, 2014: 22−41 25. Gentry C. Fully homomorphic encryption using ideal lattices. Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC’09), May 31−Jun 2, 2009, Bethesda, MD, USA. New York, NY, USA: ACM, 2009: 169−178 26. Gentry C. Toward basing fully homomorphic encryption on worst-case hardness. Advances in Cryptology: Proceedings of the 30th Annual International Cryptology Conference (CRYPTO’10), Aug 15−19, 2010, Santa Barbara, CA, USA. LNCS 6223. Berlin, Germany: Springer-Verlag, 2010: 116−137 27. Brakerski Z, Vaikuntanathan V. Fully homomorphic encryption from ring-LWE and security for key dependent messages. Advances in Cryptology: Proceedings of 31st Annual International Cryptology Conference (CRYPTO’11), Aug 14−18, 2011, Santa Barbara, CA, USA. LNCS 6841. Berlin, Germany: Springer-Verlag, 2011: 505−524 28. Brakerski Z, Vaikuntanathan V. Efficient fully homomorphic encryption from (standard) LWE. Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS’11), Oct 22−25, 2011, Palm Springs, CA, USA. Piscataway, NJ, USA: IEEE, 2011: 97−106 29. Boyen X. Lattice mixing and vanishing trapdoors: A framework for fully secure short signature and more. Public-Key Cryptography: Proceedings of 13th International Conference on Practice and Theory in Public Key Cryptography (PKC’10), May 26−28, 2010, Paris, France. LNCS 6056. Berlin, Germany: Springer-Verlag, 2010: 499−517 30. Lyubashevsky V. Lattice signatures without trapdoors. Advances in Cryptology: Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’12), Apr 15−19, 2012, Cambridge, UK. LNCS 7237. Berlin, Germany: Springer-Verlag, 2012: 738−755 31. Ducas L, Durmus A, Lepoint T, et al. Lattice signatures and bimodal gaussians. Advances in Cryptology: Proceedings of the 33th Annual International Cryptology Conference (CRYPTO’13), Aug 18−22, 2013,
32.
33.
34.
35.
36.
37.
38.
39. 40.
41.
42.
2016
Santa Barbara, CA, USA. LNCS 8042. Berlin, Germany: Springer-Verlag, 2013:40−56 Laguillaumie F, Langlois A, Libert B, et al. Lattice-based group signatures with logarithmic signature size. Advances in Cryptology: Proceedings of the 19th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’13), Dec 1−5, 2013, Bengaluru, India. LNCS 8270. Berlin, Germany: Springer-Verlag, 2013: 41−61 Langlois A, Ling S, Nguyen K, et al. Lattice-based group signature scheme with verifier-local revocation. Public-Key Cryptography: Proceedings of 7th International Conference on Practice and Theory in Public Key Cryptography (PKC’14), Mar 26−28, 2014, Buenos Aires, Argentina. LNCS 8383. Berlin, Germany: Springer-Verlag, 2014: 345−361 Nguyen P Q, Zhang J, Zhang Z F. Simpler efficient group signatures from lattices. Public-Key Cryptography: Proceedings of 18th International Conference on Practice and Theory in Public Key Cryptography (PKC’15), Mar 30−Apr 1, 2015, Gaithersburg, MD, USA. LNCS 9020. Berlin, Germany: Springer-Verlag, 2015: 401−426 Xie J, Hu Y P, Gao J T, et al. Efficient identity-based signature over NTRU lattice. Frontiers of Information Technology & Electronic Engineering, 2016, 17(2): 135−142 Garg S, Gentry C, Halevi S. Candidate multilinear maps from ideal lattices. Advances in Cryptology: Proceedings of the 32th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’13), May 26−30, 2013, Athens, Greece. LNCS 7881. Berlin, Germany: Springer-Verlag, 2013: 1−-17 Gentry C, Gorbunov S, Halevi S. Graph-induced multilinear maps from lattices. Theory of Cryptography: Proceedings of the 12th Theory of Cryptography Conference (TCC’15), Mar 23−25, 2015, Warsaw, Poland. LNCS 9015. Berlin, Germany: Springer-Verlag, 2015: 498−527 Hu Y P, Jia H W. Cryptanalysis of GGH map. Advances in Cryptology: Proceedings of the 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’16), LNCS 9665, May 8−12, 2016, Vienna, Austria. Berlin, Germany: Springer-Verlag, 2016: 537−565 Mao X P, Chen K F, Long Y, et al. Attribute-based signature on lattices. Journal of Shanghai Jiaotong University, 2014, 19(4): 406−411 Li M X, An N, Feng, E Y, et al. An attribute-based signature scheme from lattices. Journal of Sichuan University (Engineering Science Edition), 2015, 47(2): 102−107 (in Chinese) Zhang Y H, Hu Y P, Jiang M M. An Attribute-based signature scheme from lattice assumption. Wuhan University Journal of Natural Sciences, 2015, 20(3): 207−213 Bellare M, Neven G. Multi-signatures in the plain public-key model and a general forking lemma. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06), Oct 30−Nov 3, 2006, Alexandria, VA, USA. New York, NY, USA: ACM, 2006: 390−399
(Editor: Wang Xuying)
http://jcupt.bupt.edu.cn
Attribute-based signatures on lattices Xie Jia1 (
), Hu Yupu1, Gao Juntao1, Gao Wen1, Li Xuelian2
1. The State Key Laboratory of Integrated Services Network, Xidian University, Xi’an 710071, China 2. School of Mathematics and Statistics, Xidian University, Xi’an 710071, China
Abstract Because of its wide application in anonymous authentication and attribute-based messaging, the attribute-based signature scheme has attracted the public attention since it was proposed in 2008. However, most of the existing attribute-based signature schemes are no longer secure in quantum era. Fortunately, lattice-based cryptography offers the hope of withstanding quantum computers. And lattices has elevated it to the status of a promising potential alternative to cryptography based on discrete log and factoring, owing to implementation simplicity, provable security reductions and quantum-immune. In this paper, the first lattice attribute-based signature scheme in random oracle model is proposed, which is proved existential unforgeability and perfect privacy. Compared with the current attribute-based signature schemes, our new attribute-based signature scheme can resist quantum attacks and has much shorter public-key size and signature size. Furthermore, this scheme is extended into an attribute-based signature scheme on number theory research unit (NTRU) lattice, which is also secure even in quantum era and has much higher efficiency than the former. Keywords attribute, signature, lattice, unforgeability, perfect privacy
1 Introduction The concept of attribute-based signature (ABS) scheme was first introduced in Ref. [1] as an extension of the identity-based signature. Generally speaking, in the ABS scheme a user obtains his private key for a set of attributes, instead of just the identity, from the attribute authority. The ABS breaks the one to one restriction in the traditional public key cryptography. That is to say, one can distribute a message to a specific set of users and sign it under just one common public key. Because of its perfect privacy and good expression ability, the ABS scheme has widely cryptographic application, such as anonymous authentication and attribute-based messaging. Since the first ABS scheme emerged, several beautiful ABS constructions had been proposed [1–9]. Escala et al proposed the first ABS scheme satisfying proven secure against fully adaptive adversaries in Ref. [2]. Li et al. constructed two ABS schemes supporting flexible Received date: 25-11-2015 Corresponding author: Xie Jia, E-mail: [email protected] DOI: 10.1016/S1005-8885(16)60049-3
threshold predicates in Ref. [3], where the length of the signature depends on the largest size of attribute set. Two ABS constructions with constant signature size were proposed in Ref. [4]. And they are proven secure against selective predicate and adaptive message attacks. Zeng et al. proposed an ABS scheme with constant signature size in Ref. [5], which is not only unforgeable but also unconditionally anonymous. Okamoto and Takashima respectively proposed a fully secure ABS scheme in the standard model in Ref. [6] and the first decentralized multi-authority ABS scheme in Ref. [7]. The later no longer need the trusted setup and central authority. However, most of the ABS schemes above are based on the discrete logarithm problem, which have high efficiency but are no longer intractable when quantum computer comes into reality according to Ref. [10]. Fortunately, Bernstein has conjectured in Ref. [11] that lattice-based cryptographic schemes can withstand quantum attacks. What is more, lattice-based cryptographic schemes are also easy to implement because typical computations involved in them are only integer matrix–vector multiplication and modular addition operations (Ref. [12], for an overview on
84
The Journal of China Universities of Posts and Telecommunications
lattice-based cryptography). And lattice-based cryptographic schemes are supported by the worst-case to average-case security guarantees. Considering these three advantages, lattice-based cryptography enters a rapid development period and in the last ten years it have got many achievements, such as cryptographic primitive [13–18], encryption scheme (public key encryption [19–24], fully homomorphic encryption schemes [25–28]), signature schemes [14,29–35], multilinear maps [36–38]. So far, there have been three lattice-based ABS schemes which were respectively proposed in Refs. [39–41]. Even though all of them are proven secure even in quantum era, they are the attribute-based signatures in standard model and their efficiency is low. So how to construct ABS schemes, which are quantum-immune, in random oracle model and with high efficiency, may be the urgent issue in the coming years. 1.1
Our contributions
We propose the first lattice-based ABS scheme in random oracle model. And the scheme is proved existentially unforgeable against adaptively chosen message and selective access structure attacks, based on the hardness of small integer solution (SIS) problem. What’s more, the efficiency of our new scheme is much higher than the existed lattice-based ABS schemes in Refs. [39–41]. Furthermore, we extend our scheme into the ABS scheme on NTRU lattice, which can improve the efficiency in large amplitude, and its security depends on the hardness of the ring small integer solution (R-SIS) problem, it means the ABS scheme over NTRU lattice is also security even in quantum era. 1.2
Paper organization
The remainder of this paper is organized as follows. Sect. 2 presents some preliminaries. Sect. 3 gives the syntax and security model for ABS schemes. The first lattice-based ABS scheme in random oracle model is provided in Sect. 4. The extensional ABS scheme from NTRU lattices is proposed in Sect. 5. Finally, Sect. 6 concludes this paper.
2 Preliminaries 2.1
Notation
The security parameter in this paper is a positive integer
2016
n. ℝ and ℤ respectively denote the real space and integer space. Ring R= ℤ [x]/(xn+1) and ring Rq= ℤ q[x]/(xn+1) will be used. [k] is the set {1,2,…,k}, where k is a positive integer. Vectors and matrixes are respectively denoted as bold low-case letters and bold upper-case letters in italic. Aɶ denotes the Gram-Schmidt orthogonalization of the matrix A . And || v || denotes the Euclid norm of vector v . n −1
n −1
i=0
i =0
Let f = ∑ f i x i and g = ∑ gi x i be polynomials in R. Notation: fg denotes polynomial multiplication in R, while f ∗ g = fg mod ( x n + 1) . (f) is the vector whose coordinates are respectively f 0 ,..., f n −1 . ( f , g ) ∈ ℝ 2 n = R1× 2 is the concatenation of (f) and G. Definition 1 Anticirculant matrices An n dimensional anticirculant matrix of f is the following Toeplitz matrix: f1 f 2 … f n −1 ( f ) f0 − f f f 1 … f n − 2 ( xf ) C n F = n −1 0 = ⋮ ⋮ ⋮ ⋮ ⋮ n −1 − f1 − f 2 … … f 0 ( x f ) When it is clear from context, we will drop the subscript n, and just write C(f). 2.2
Lattices
Definition 2 B=[b1,…,bm]∈ ℝ m× m is a matrix, where the column vectors b1,…,bm∈ ℝ m are linearly independent [29]. The m dimensional lattice Λ generated by the basis B is the set, m Λ = L ( B ) = y ∈ ℝ m : ∃s ∈ ℤ m , y = Bs = ∑ si bi i ′=1 Definition 3 For a prime q, a matrix A∈ ℤ qn× m and a vector y∈ ℤ qn , we define two common cosets as follows [29] Λ⊥ ( A) = {e ∈ ℤ m : Ae = 0(mod q)} ,
Λy ( A) = {e ∈ ℤ m : Ae = y (mod q)} . Definition 4 NTRU lattice. Let q be the prime bigger than 5 and n be a power of 2. And f, g∈Rq (f is invertible modulo q ). Let h=g ∗ f −1 mod q. The NTRU lattice associated to h and q is Λh,q={(u,v) ∈R2| u+v ∗ h=0 mod q}. Here Λh,q is a full-rank lattice of ℝ 2 n generated by the row of
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
−C n ( h ) I n Ah , q = . 0n qI n where In and 0n are respectively the n×n unit matrix and n×n null matrix.
85
of SIS problem or the R-SIS, which are described in the following. Definition 6 Given a positive integer q, a matrix A∈ ℤ nq× m and a real β. A way to describe the SIS problem is to find a vector v∈ ℤ m / { 0 } such that Av=0 mod q and
2.3
Gaussin sample
||v|| ≤ β. Definition 7
Definition 5 Discrete Gaussians distribution. For any s>0, c∈ ℝ m , the m dimensional Gaussian function centered at c with parameter s is 2 X −c ρ s ,c ( X ) ≜ exp − π s2 For lattice Λ⊂ ℝ m , let ρs,c(Λ) ≜ ∑ ρ s ,c ( X ) . And the
SIS over ring: R-SISφq , m , β . The SIS
problem on ring with parameters q, m, β and φ is defined as follows: given m polynomials a1, a2,…,am chosen uniformly and independently in Rq= ℤq[x]/ (φ ) , finding the solution t∈a⊥\0 which satisfies the condition ||t|| ≤ β, where a ⊥ := (t1 ,..., tm ) ∈ R m : ∑ ti ai = 0 mod q .
{
i
}
x∈Λ
corresponding discrete Gaussian distribution is normalized as DΛ,s,c(X)=ρs,c(X)/ρs,c(Λ). For simplicity, we always abbreviate DΛ,s,0(X) as DΛ,s(X). Lemma 1 For any σ >0 and positive integer m, 1) Pr[ X ← Dσ1 : X > 12σ ] < 2−100 . Lemma 2 For any v∈ ℤ m and positive real α, if σ = ω(||v|| lb m ), we have [30] Pr[ X ← Dℤ m ,σ : Dℤ m ,σ ( X ) Dℤm ,σ ,v ( X ) = O(1)] = 1 − 2ω (lb m ) , and more specifically, if σ =α||v|| , then 2
Pr[ X ← Dℤm ,σ : Dℤm ,σ ( X ) Dℤm ,σ ,v ( X ) < e12 α +1 (2α ) ] = 1 − 2−100.
Some facts
Proposition 1 On input of q=ploy(n) ≥ 3 and m ≥ 6nlb q, there exists a algorithm trapdoor generation algorithm (TrapGen(1n)) that returns a pair (A,TA), where A ∈ ℤ qn×m is matrix statistically close to uniform distribution in ℤ qn× m and TA is a basis of Λ⊥(A) such that || TɶA || ≤O ( n lb q ) [15]. Proposition 2 Let q=ploy(n) ≥ 3, m ≥ 6n lb q, A∈ ℤ qn× m , T A be a short basis of lattice Λ⊥(A) and σ ≥ || TɶA || ω ( lb m ) [14]. For any vector u∈ ℤ qn , there exists a probabilistic polynomial time (PPT) algorithm SamplePre(A, T A , σ, u) returns e∈ ℤ qm sampled from a distribution statistically close to DΛu ( A),σ . 2.5
Here the syntax and security model of attribute-based signature are described as follows. 3.1
2) Pr[ X ← Dσm : X > 2σ m ] < 2− m .
2.4
3 Syntax and security model
Hardness assumption
The security of our schemes is reduced to the hardness
Syntax
Definition 8 Let i∈ ℕ , U={a1, a2,…,aN} is the set of attributes. And for ai∈U , Si={vi1, vi2,…,vi N(i)} is the set of the possible values of attribute ai, where N(i) is the number of the possible values. If one user owns an attribute list L={l1, l2,…,lN}, li∈ Si and W={w1, w2,…,wN} is the access structure. When li= wi for i∈ ℕ , we say L|=W denotes the attribute list L satisfies the access structure. An attribute-based signature is a 4-tuples (Setup, Extract, Sign, Verify) in the following: Setup Taking the security parameter n as input, the algorithm outputs the public parameters (PP), the master public key (MPK) and the master private key (MSK). Extract On input of PP, MPK, MSK and a user’s attribute list L, the algorithm outputs the corresponding private key SKL. Sign When the user with the attribute set L wants to sign a message µ, given PP, MPK, SKL, the message µ and the access structure W, the algorithm generates and outputs a signature sig if and only if L|=W. Verify After receiving a signature sig on message µ, an attribute set L and the access structure W, the algorithm outputs 1 if and only if L|=W and the signature is valid. 3.2
Correctness
Definition 9
If Verify(PP, sig, µ, L, W)=1, it is
86
The Journal of China Universities of Posts and Telecommunications
2016
believed that the ABS scheme is correct. Where (PP, MPK, MSK)←Setup(n), µ is the message, L is the attribute list, W is access structure, SKL←Extract(PP, MPK, MSK, L) and sig←Sign(PP, MPK, SKL, L, W).
Ref. [30] to construct an ABS scheme from lattice assumption.
3.3
The new ABS scheme is described as follows. Setup On input of the security parameter n, which is a positive integer, let the PP be: the prime q which is larger than 3, M is real, m ≥ 6n lb q, k and λ are positive integer, Lɶ = O ( n lb q ) , Gaussian parameter s= Lɶω ( lb n ) ,
Security model of ABS
The security requirements of an ABS scheme can be summarized as unforgeability and perfect privacy. Next, we describe these two requirements in detail. Definition 10 Unforgeability. The ABS scheme is existentially unforgeable against selective-access structure attack and against adaptively chosen message attacks if any PPT adversary A wins the following experiment with negligible probability. Initial phase Adversary A firstly chooses a challenge access structure W* which will be in the forgery signature and then send it to challenger C. Setup phase After receiving the challenge access structure from A, challenger C runs Setup(n) to obtain the PP and the master key pairs (MPK, MSK). Then C sends MPK to the adversary A and keeps MSK private. Query phase The adversary A performs polynomial queries to two oracles (Extract oracle and Sign oracle) as follows. 1) Extract oracle query: given an attribute set L not satisfying W* to the Extract oracle, challenger C outputs the corresponding secret key SKL to the adversary A. 2) Sign oracle query: given a message µ with access structure W to the Sign oracle, challenger C outputs the signature sig to the adversary A. Forgery phase Finally, the adversary A outputs a valid forgery signature (W*, µ*, sig*), where W* is the challenge access structure chosen in the Initial phase and µ* has not been queried in the Query phase. The advantage of adversary A in the above game is defined as AdvABS(A)=Pr[Verify(PP, sig*, µ*, L*, W*)=1]. Definition 11 Perfect privacy. An ABS scheme is considered perfect privacy, if for (MSK, MPK)←Setup(n), any attribute sets L1, L2, SK1←Extract(MSK, L1), SK2←Extract(MSK, L2), any message µ and access structure W such that L1 , L2 satisfy W, the signatures sig1←Sign(SK1, MPK, µ, L1) and sig 2 ←Sign(SK2, MPK, µ, L2) have the same distribution.
4 Lattice-based ABS scheme in random oracle model
4.1
Our construction
σ=12sλm. Then a trusted authority does these steps as follows: 1) Run the trapdoor generation algorithm TrapGen(1n) to generate a uniform matrix A ∈ ℤ qn×m and a basis
T ∈ ℤ qm× m of the lattice Λ⊥ ( A) . 2) Choose two Hash functions H:{0,1}*→{v: v ∈ {−1,0,1}k, ||v||1 ≤ λ} and H1: ℤ qn → ℤ qm× k . 3) Output {A, H, H1} as the master public key MPK and the MSK is T. Extract Taking the PP, MSK, MPK and the attribute list L as input, do as follows: 1) Choose the vector ui j ∈ ℤ qn for every attribute vi j, and compute H1L=
1
ij
) =[u1|u2|…|uk], where i∈ ℕ ,
j∈ ℕ , i ≠ j . 2) For each i∈{1,2,…,k}, run the pre-sample algorithm SamplePre (A, T, s, ui) →ei. 3) Send the signing key SKL=[e1| e2|…|ek] to the user with the attribute list L. Sign Assuming that a user with the attribute list L wants to sign a message µ on the access structure W, do the following if and only if L|=W. 1) Select a random vector y← Dσm . 2) Compute h=H(Ay,µ) and z=SKLh+y. 3) Output sig=(h,z) with probability min (1, Dσm ( z ) ⋅ m ( MDSK ( z )) −1 . L h ,σ
Verify On input of sig, µ, L and W, the algorithm outputs 1 if and only if 1) L|=W. 2) h=H(Az − H1Lh, µ). 3) ||z|| ≤ 2σ m . 4.2
Correctness
Theorem 1 In the following, we use rejection sampling technique in
∑ H (u vij ∈L
The obtained signature above satisfies
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
correctness. Proof According to the Sign phase, just when L satisfies the access structure W, we can generate a signature. So the Condition 1 in Verify phase is satisfied. Then we focus on the Condition 2 in Verify phase. According to Proposition 2 and step 2) in Extract phase, it is obvious that Az − H1L h = Az − ASK L h = A(SK L h + y ) − ASK L h = Ay So, H(Az−H1Lh, µ)=h holds, which means Condition 2 is satisfied. Combing the rejection sampling with Lemma 1 and Lemma 2, we know the distribution of z is very close to Dσm , so ||z|| ≤ 2σ m with probability at least (1−2−m ). 4.3 4.3.1
Security of the ABS scheme Unforgeability
Theorem 2 The ABS scheme above is existentially unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model, assuming the hardness of SIS problem. Proof Assuming there is a PPT adversary A who breaks the ABS scheme with non-negligible probability, we can construct a simulator C to solve the SIS problem as follows. Invocation Being invoked on a random instance of SIS problem, the simulator C is required to return a valid solution. Supplied: a matrix A ∈ ℤ qn×m . Requested: a vector s ∈ ℤ m , which satisfies As=0(mod q) and ||s|| ≤ β. Initial phase The adversary A firstly chooses a challenge access structure W* and then sends it to C. Setup phase On input of security parameter n, the simulator C randomly chooses A ∈ ℤ qn×m and two Hash functions H: {0,1}*→{v: v ∈ {−1, 0,1}k , ||v||1 ≤ λ}, H1: ℤqn →
ℤmq × k . Then he sends MPK={A, H, H1} to the adversary A. Query phase Adversary A can adaptively query all the oracles shown next. 1) H1 oracle query. The simulator C keeps a list LH1, which is 3 tuples (L, SKL, PL ). Taking an attribute set L as input, C looks up it in LH1. If L is found in LH1, the simulator C returns the corresponding PL to A. Otherwise, C picks k vectors e1,…,ek from Dsm . Finally, C stores (L, SKL=(e1,…,ek), PL=ASKL) and returns PL to A. 2) Extract oracle query. After receiving the query on
87
attribute list L, which does not satisfy the challenge access structure W*, the simulator C arises LH1 for L. And then he returns SKL to A. 3) H oracle query. The simulator C keeps the list LH. Taking (Ay, µ) as input, the simulator C looks up them in LH. If they already existed in LH, C returns h to A. Otherwise, C randomly selects h from DH and stores (Ay, µ, h) in LH. Finally, the simulator C returns h to A. 4) Sign oracle query. On input of message µ, attribute list L and the access structure W, the simulator C first checks whether L|=W. If yes, the simulator C looks up L in LH1 and returns SKL. Then C runs Sign to obtain sig=(h,z) and sends sig to A. Forgery phase After the queries above, adversary A outputs a valid forgery sig*=(h*, z*) on (µ*, L*, W*) with non-negligible probability. The simulator C can solve the SIS problem as follows: After receiving the forgery sig*, the simulator C will outputs a new forgery sig′ = (h′, z ′) on the same (µ*, L*, W*) by the forking Lemma in Ref. [42]. So, Az* − PL* h* = Az ′ − PL′ h′ ⇒ A( z* − z ′ + SK L' h′ − SK L* h* ) = 0 .
Because of ||z*||, || z ′ || ≤ 2σ m , || SK L* h* ||, || SK L′ h′ || ≤
sλ m , so we obtain || z * − z ′ + SK L′ h′ − SK L* h* || ≤ (4σ+2sλ) m with overwhelming probability. When β ≥ (4σ + 2sλ ) m , ( z * − z ′ + SK L′ h′ − SK L* h* ) is one solution to the SIS problem above. 4.3.2 Perfect privacy
Theorem 3 The ABS scheme above satisfies the perfect privacy. Proof For any two users with attribute sets L1, L2, both of which satisfy the access structure, the signing keys are respectively SKL1 and SKL2, the output signatures are sig1=(h1, z1) and sig2=(h2, z2). Assuming the distributions of z1 and z2 are respectively D1 and D2. We consider the distributions of h and z as follows. 1) By the rejecting sample technique and Lemma 2, it is obvious that ∆ ( D1 , Dσm )≤ ( 2−ω lb m M ) , ∆( D2 , Dσm )≤
( 2−ω lb m
M ) . So it is derived that ∆ ( D1 , D2 )≤ ( 21−ω lb m M ) ,
which is negligible. 2) Because both of h1 and h2 are from the uniform distribution in ℤ qm , so h1 and h2 have the same distribution. According to above 1) and 2), we can conclude that the two
88
The Journal of China Universities of Posts and Telecommunications
signatures have the same distribution. That is to say, the ABS scheme is perfect privacy.
4.4
The efficiency
As we all know, there have been three lattice-based ABS schemes, which were respectively proposed in Refs. [39–41]. Now we compare their efficiency as Table 1. Table 1
The efficiency comparison
Scheme
Size of public key
In Ref. [39] In Ref. [40] In Ref. [41] This work
(4k+2)mnlb q+nlb q+k 5mnlb q+k (k+2)mnlb q +k mnlb q+k +nklb q
Size of secret key m2lb q m2lb q m2lb q m2lb q
Size of signature (2k+1)mlb q 3mlb q 3mlb q mlb q+k
In Table 1, m ≥ 6nlb q, k<
2016
4) Compute F1 , G1 ∈ R such that fG1 − gF1 = 1 . Set
Fq = qF1 and Gq = qG1 . 5) Use Babai’s nearest plane algorithm to approximate (Fq,Gq) by an integer linear combination of ( f , g ), ( xf , xg ),…, ( x n −1 f , x n −1 g ) . Let ( F , G ) be the output, such that there exists k ∈ R
with ( F , G ) =
( Fq , Gq ) − k ( f , g ) . 6) If ( F , G ) > nσ , restart.
C ( f ) C(g) 7) Return MSK is B = and the manger C ( F ) C (G ) public key MPK is h=g/f ∈ Rq× Extract Taking the PP, MSK, MPK and the attribute list L as input, the algorithm is run as follows: 1) If SK L is in local storage then 2) Output SK L to user with attribute list L. 3) Else choose the polynomial ui j∈Rq for every attribute vi j, and compute HL= ∑ H ′′(uij ) , where i∈ ℕ , j∈ ℕ , vij ∈L
5 Extension
i≠ j.
In this section, we will work in the ring R= ℤ [x]/(xn+1) and ring Rq= ℤq[x]/(xn+1), where the prime q is bigger than 5. It is also satisfied that xn+1 can split into kq irreducible factors modulo prime q. R× denotes the set of invertible elements in R. The aforementioned basic ABS construction can be extended to an ABS scheme on NTRU lattice, which is unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model. And the extended ABS scheme works as follows: Setup On input of the security parameter n, which is the power of 2, a trusted authority firstly chooses the PP: the prime q=poly(n), the positive integer kq , two
4) Run the pre-sample algorithm on NTRU lattice SamplePre ( h, B, s, ( H L , 0) ) to output ( s1 , s2 ) , where
H ′′ : ℤ qn → ℤ qn and
Hash functions
H ′ : {0,1}*→
{v:v ∈ {−1, 0,1}k , ||v||1 ≤ λ} the Gaussian parameter s = Ωɶ (n3 2σ ) and σˆ = 12λ sn , where the Gaussian parameter σ satisfying 1 2+ε
n ln(8nq) q
1 2 −ε
,q
the condition if kq = n, σ =
= Ωɶ (n7 2 ), if kq = 2, σ = n ln(8nq) ⋅
q1 2 + ε , q1 2 −ε = Ωɶ (n3 ) . Then he does as follows: 1) Sample f and g from Dℤn ,σ that satisfy ( f mod q ) ∈ × q
R
× q
and ( g mod q ) ∈ R .
2) If
f > σ n or
g > σ n , restart.
3) If < f , g >≠ R , restart.
s1 and s2 satisfies
{s1 + s2 ∗ h = H L } .
5) SK L ← ( s1 , s2 ) 6) Output SK L to user with attribute list L and keep it in local storage Sign On input of the attribute list L, the corresponding private key SKL, the message µ with the access structure W as input, do the following if and only if L|=W. 1) Choose polynomials y1 , y2 ∈ Dσnˆ . 2) Compute u = H ′( y1 + h ∗ y2 , µ ) . 3) Then compute zi = yi + si ∗ u, for i = 1, 2 . 4) Output sig = ( z1 , z2 , u ) with probability min( Dσnˆ ( zi ) ⋅ n ( MDSK ( zi )) −1 ,1) , M = O(1) . L u ,σˆ
Verify On input of sig, µ, L and W, the algorithm outputs 1 if and only if 1) L|=W. 2) H ′( h ∗ z2 + z1 − H L ∗ u , µ ) = u . 3) ( z1 , z2 ) ≤2σˆ 2n . The proof of the correctness, the security and the perfect privacy are similar except that the security of this scheme can be reduced to the R-SIS problem. The size of public key, private key and signature in our extended ABS scheme are respectively values nlb q, 2nlb q and 2nlb q+k.
Issue 4
Xie Jia, et al. / Attribute-based signatures on lattices
Compared with the size of the ABS in Sect. 4, the ABS scheme over NTRU lattice has much shorter size. So the efficiency of the NTRU lattice-based ABS scheme is much higher.
6 Conclusions We proposed the first lattice-based ABS scheme in random oracle model. Assuming the hardness of SIS problem, it is proved existentially unforgeable against adaptively chosen message and selective access structure attacks in the random oracle model. And it also meets the perfect privacy. What’s more, compared with the previous ABS schemes, our new ABS scheme is not only secure even in quantum era but also much more efficient. So it solves the problem that it may not be possible to have both of high efficiency and quantum-immune. Further, we extended the ABS scheme into an ABS scheme on NTRU lattice, which can greatly improve the efficiency. And it is also secure even in quantum era. An efficient lattice-based ABS scheme with special property will be our future work. Acknowledgements This work was supported by the National Natural Science Foundation of China (61303217, 61303217, 61472309, 61502372 and 61572390), the 111 Project (B08038), the Fundamental Research Funds for the Central Universities (JB140115), the Natural Science Foundation of Shaanxi Province (2013JQ8002, 2014JQ8313).
References 1. Maji H K, Prabhakaran M, Rosulek M. Attribute-based signature: achieving attribute privacy and collusion-resistance. Topics in Cryptology: Proceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA’11), Feb 14−18, 2011, San Francisco, CA, USA. LNCS 6558. Berlin, Germany: Springer-Verlag, 2011: 376−392 2. Escala A, Herranz J, Morillo P. Revocable attribute based signatures with adaptive security in the standard model. Progress in Cryptology: Proceedings of the 4th International Conference on Cryptology in Africa (AFRICACRYPT’11), Jul 5−7, 2011, Dakar, Senegal. LNCS 6737. Berlin, Germany: Springer-Verlag, 2011: 224−241 3. Li J, Au M H, Susilo W, et al. Attribute-based signature and its applications. Proceedings of the 5th ACM Symposium on Information Computer and Communications Security (ASIACCS’10), Apr 13-16, 2010, Beijing, China. New York, NY, USA: ACM, 2010: 60−69 4. Herranz J, Laguillaumie F, Libert B, et al. Short attribute-based signatures for threshold predicates. Topics in Cryptology: Proceedings of the Cryptolographers’s Track at the RSA Conference 2012 (CT-RSA’12), Feb 27−Mar 2, 2012, San Francisco, CA, USA. LNCS 7178. Berlin, Germany: Springer-Verlag, 2012: 51− 67 5. Zeng F, Xu C X, Li Q Y, et al. Attribute-based signature scheme with constant size signature. Journal of Computational Information Systems, 2012, 8(7): 2875−2882
89
6. Okamoto T, Takashima K. Efficient attribute based signatures for non-monotone predicates in the standard model. Public-Key Cryptography: Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography (PKC’11), Mar 6−9, 2011, Taormina, Italy. LNCS 6571. Berlin, Germany: Springer-Verlag, 2011: 35−52 7. Okamoto T, Takashima K. Decentralized attribute-based signatures. Public-Key Cryptography: Proceedings of the 16th International Conference on Practice and Theory in Public Key Cryptography (PKC13), Feb 26−Mar 1, 2013, Nara, Japan. LNCS 7778. Berlin, Germany: Springer-Verlag , 2013: 125−142 8. Li J, Kim K. Hidden attribute-based signatures without anonymity revocation. Information Sciences, 2010, 180(9): 1681−1689 9. Shahandashti S F, Safavi-Naini R. Threshold attribute-based signature and their application to anonymous credential systems. Progress in Cryptology: Proceedings of the 2nd International Conference on Cryptology in Africa (AFRICACRYPT’09), Jun 21−25, 2009, Gammarth, Tunisia. LNCS 5580. Berlin, Germany: Springer-Verlag, 2009: 198−216 10. Shor P W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal of Computing, 1997, 26(5): 1484−1509 11. Bernstein D J. Introduction to post-quantum cryptography. In: Bernstein D J, Buchmann J, Dahmen E. Post-quantum cryptography. Berlin, Germany: Springer-Verlag, 2009: 1−14 12. Regev O. Lattice-based cryptography. Advances in Cryptology: Proceedings of the 26th Annual International Cryptology Conference (CRYPTO’06), Aug 20−24, 2006, Santa Barbara, CA, USA. LNCS 4117. Berlin, Germany: Springer-Verlag, 2006: 131−141 13. Ajtai M. Generating hard instances of the short basis problem. Automata, Languages and Programming: Proceedings of the 26th International Colloquium on Automata, Languages and Programming (ICALP’99), Jul 11−15, 1999, Prague, Czech. LNCS 1644. Berlin, Germany: Springer-Verlag, 1999: 1−9 14. Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC’08), May 17−20, 2008, Victoria, Canada. New York, NY, USA: ACM, 2008: 197−206 15. Alwen J, Peiker C. Generating shorter bases for hard random lattices. Theory of Computing Systems, 2009, 48(3): 535−553 16. Micciancio D, Peikert C. Trapdoors for lattices: simpler, tighter, faster, smaller. Advances in Cryptology: Proceedings of the 31th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’12), Apr 15−19, 2012, Cambridge, UK. LNCS 7237. Berlin, Germany: Springer-Verlag, 2012: 700−718 17. Laarhoven T, Mosca M, Van de Pol J. Finding shortest lattice vectors faster using quantum search. Designs, Codes and Cryptography, 2015, 77(2): 375−400 18. Lyubashevsky V, Wichs D. Simple lattice trapdoor sampling from a broad class of distributions. Public-Key Cryptography: Proceedings of 18th International Conference on Practice and Theory in Public-Key Cryptography (PKC’15), Mar 30−Apr 1, 2015, Gaithersburg, MD, USA. LNCS 9020. Berlin, Germany: Springer-Verlag, 2015: 716−730 19. Regev O. On lattices, learning with errors, random linear codes, and cryptography. Proceedings of 37th Annual ACM Symposium on Theory of Computing (STOC’05), May 22−24, 2005, Baltimore, MD, USA. New York, NY, USA: ACM, 2005: 84−93 20. Stehlé D, Steinfeld R. Making NTRU as secure as worst-case problems over ideal lattices. Advances in Cryptology: Proceedings of the 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’11), May 15−19, 2011, Tallinn, Estonia. LNCS 6632. Berlin, Germany: Springer-Verlag, 2011: 27−47 21. Cash D, Hofheinz D, Kiltz E, et al. Bonsai trees, or how to delegate a lattice basis. Advances in Cryptology: Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’10), May 30-Jun 3, 2010, Riviera, France.
90
The Journal of China Universities of Posts and Telecommunications
LNCS 6110. Berlin, Germany: Springer-Verlag, 2010: 523−552 22. Agrawal S, Boneh D, Boyen X. Efficient lattice (H)IBE in the standard model. Advances in Cryptology: Proceedings of 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’10), May 30−June 3, 2010, Riviera, France. LNCS 6110. Berlin, Germany: Springer-Verlag, 2010: 553−572 23. Agrawal S, Boneh D, Boyen X. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. Advances in Cryptology: Proceedings of the 30th Annual International Cryptology Conference (CRYPTO’10), Aug 15−19, 2010, Santa Barbara, CA, USA. LNCS 6223. Berlin, Germany: Springer-Verlag, 2010: 98−115 24. Ducas L, Lyubashevsky V, Prest T. Efficient identity-based encryption over NTRU lattices. Advances in Cryptology: Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’14), Dec 7−11, 2014, Kaoshiung, China. LNCS 8874. Berlin, Germany: Springer-Verlag, 2014: 22−41 25. Gentry C. Fully homomorphic encryption using ideal lattices. Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC’09), May 31−Jun 2, 2009, Bethesda, MD, USA. New York, NY, USA: ACM, 2009: 169−178 26. Gentry C. Toward basing fully homomorphic encryption on worst-case hardness. Advances in Cryptology: Proceedings of the 30th Annual International Cryptology Conference (CRYPTO’10), Aug 15−19, 2010, Santa Barbara, CA, USA. LNCS 6223. Berlin, Germany: Springer-Verlag, 2010: 116−137 27. Brakerski Z, Vaikuntanathan V. Fully homomorphic encryption from ring-LWE and security for key dependent messages. Advances in Cryptology: Proceedings of 31st Annual International Cryptology Conference (CRYPTO’11), Aug 14−18, 2011, Santa Barbara, CA, USA. LNCS 6841. Berlin, Germany: Springer-Verlag, 2011: 505−524 28. Brakerski Z, Vaikuntanathan V. Efficient fully homomorphic encryption from (standard) LWE. Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS’11), Oct 22−25, 2011, Palm Springs, CA, USA. Piscataway, NJ, USA: IEEE, 2011: 97−106 29. Boyen X. Lattice mixing and vanishing trapdoors: A framework for fully secure short signature and more. Public-Key Cryptography: Proceedings of 13th International Conference on Practice and Theory in Public Key Cryptography (PKC’10), May 26−28, 2010, Paris, France. LNCS 6056. Berlin, Germany: Springer-Verlag, 2010: 499−517 30. Lyubashevsky V. Lattice signatures without trapdoors. Advances in Cryptology: Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’12), Apr 15−19, 2012, Cambridge, UK. LNCS 7237. Berlin, Germany: Springer-Verlag, 2012: 738−755 31. Ducas L, Durmus A, Lepoint T, et al. Lattice signatures and bimodal gaussians. Advances in Cryptology: Proceedings of the 33th Annual International Cryptology Conference (CRYPTO’13), Aug 18−22, 2013,
32.
33.
34.
35.
36.
37.
38.
39. 40.
41.
42.
2016
Santa Barbara, CA, USA. LNCS 8042. Berlin, Germany: Springer-Verlag, 2013:40−56 Laguillaumie F, Langlois A, Libert B, et al. Lattice-based group signatures with logarithmic signature size. Advances in Cryptology: Proceedings of the 19th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’13), Dec 1−5, 2013, Bengaluru, India. LNCS 8270. Berlin, Germany: Springer-Verlag, 2013: 41−61 Langlois A, Ling S, Nguyen K, et al. Lattice-based group signature scheme with verifier-local revocation. Public-Key Cryptography: Proceedings of 7th International Conference on Practice and Theory in Public Key Cryptography (PKC’14), Mar 26−28, 2014, Buenos Aires, Argentina. LNCS 8383. Berlin, Germany: Springer-Verlag, 2014: 345−361 Nguyen P Q, Zhang J, Zhang Z F. Simpler efficient group signatures from lattices. Public-Key Cryptography: Proceedings of 18th International Conference on Practice and Theory in Public Key Cryptography (PKC’15), Mar 30−Apr 1, 2015, Gaithersburg, MD, USA. LNCS 9020. Berlin, Germany: Springer-Verlag, 2015: 401−426 Xie J, Hu Y P, Gao J T, et al. Efficient identity-based signature over NTRU lattice. Frontiers of Information Technology & Electronic Engineering, 2016, 17(2): 135−142 Garg S, Gentry C, Halevi S. Candidate multilinear maps from ideal lattices. Advances in Cryptology: Proceedings of the 32th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’13), May 26−30, 2013, Athens, Greece. LNCS 7881. Berlin, Germany: Springer-Verlag, 2013: 1−-17 Gentry C, Gorbunov S, Halevi S. Graph-induced multilinear maps from lattices. Theory of Cryptography: Proceedings of the 12th Theory of Cryptography Conference (TCC’15), Mar 23−25, 2015, Warsaw, Poland. LNCS 9015. Berlin, Germany: Springer-Verlag, 2015: 498−527 Hu Y P, Jia H W. Cryptanalysis of GGH map. Advances in Cryptology: Proceedings of the 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’16), LNCS 9665, May 8−12, 2016, Vienna, Austria. Berlin, Germany: Springer-Verlag, 2016: 537−565 Mao X P, Chen K F, Long Y, et al. Attribute-based signature on lattices. Journal of Shanghai Jiaotong University, 2014, 19(4): 406−411 Li M X, An N, Feng, E Y, et al. An attribute-based signature scheme from lattices. Journal of Sichuan University (Engineering Science Edition), 2015, 47(2): 102−107 (in Chinese) Zhang Y H, Hu Y P, Jiang M M. An Attribute-based signature scheme from lattice assumption. Wuhan University Journal of Natural Sciences, 2015, 20(3): 207−213 Bellare M, Neven G. Multi-signatures in the plain public-key model and a general forking lemma. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06), Oct 30−Nov 3, 2006, Alexandria, VA, USA. New York, NY, USA: ACM, 2006: 390−399
(Editor: Wang Xuying)