Journal of Computational Information Systems 7: 11 (2011) 3963-3971 Available at http://www.Jofcis.com

An Efficient Identity-based Signature from Lattice in the Random Oracle Model Feng XIA, Bo YANG†, Weiwei SUN, Sha MA College of Informatics, South China Agricultural University, Guangzhou 510642, China

Abstract

We propose an efficient identity-based signature (IBS) scheme. The security of our scheme is proved in the random oracle model. The core technical component of our construction is the way an arborist extends its control over a lattice to an arbitrary higher-dimensional extension. We use lattice growth and lattice basis randomization to securely generate the user's secret key, and use trapdoor functions with preimage sampling to generate signatures. Compared with schemes based on factoring or discrete log, our scheme requires only linear operations on small integers, at the cost of larger public and secret keys. In particular, our scheme resists quantum attack.

Keywords: Lattice; Identity-based Signature; Random Oracle Model

1. Introduction

Identity-based signature (IBS), first proposed by Shamir [1], permits a user's identity to serve as the public key in a cryptosystem. The corresponding secret key is issued by a trusted key generation center (KGC), which is assumed to have an out-of-band way to verify the identity of the user. This eliminates some of the cost associated with PKI and certificates, and opens the way to constructing more efficient schemes. Thus far, IBS has been realized using groups with bilinear pairings (e.g., [2, 3]) and quadratic residuosity (QR) [4]. If a quantum computer is built, the problems based on factoring or discrete log can be solved in polynomial time [5]. In order to resist quantum attack, there has been a recent rapid growth in post-quantum cryptography. Among these, lattice-based cryptography is intriguing because of its advantages: asymptotic efficiency, only linear operations on small integers, and resistance to cryptanalysis by quantum algorithms. Cryptographic schemes based on lattices are plentiful; they include digital signatures [6-8], (hierarchical) identity-based encryption (H)IBE [7-9], noninteractive zero knowledge [10], efficient collision-resistant hash functions [11], a fully homomorphic cryptosystem [12] and a new kind of LWE cryptosystem using ideal lattices [13]. Since a polynomial-time algorithm that samples from the so-called discrete Gaussian probability distribution over a lattice was constructed by [14], it has found many applications in the construction of special digital signatures. S. Dov Gordon et al. proposed a group signature scheme [15], Markus Rückert proposed a lattice-based blind signature [16] and a hierarchical identity-based signature without random oracles [17], and an efficient lattice-based threshold ring signature was proposed by [18]. In this paper, we propose an IBS in the random oracle model.
The core technique of our results is built on an arborist extending its control over a lattice to an arbitrary higher-dimensional extension, which was proposed by [8]. Different from IBS based on bilinear pairings (which forces the adversary to name its target identity before getting the public key), our scheme is adaptive-ID secure and can output a forgery for any identity; therefore our reduction proof is more efficient.

† Corresponding author. Email addresses: [email protected] (Bo YANG).

1553-9105/ Copyright © 2011 Binary Information Press November, 2011

2. Preliminaries

2.1. Notation

We denote the set of real numbers by $\mathbb{R}$ and the integers by $\mathbb{Z}$. For a positive integer n, [n] denotes {1, …, n}. By convention, vectors are assumed to be in column form and are written using bold lower-case letters. Matrices are written as bold capital letters and are viewed as the set of their column vectors. An n-dimensional lattice of rank $k \le n$ is $\Lambda = \mathcal{L}(\mathbf{B}) = \{\mathbf{B}\mathbf{c} : \mathbf{c} \in \mathbb{Z}^k\}$, $\mathbf{B} \in \mathbb{R}^{n \times k}$, where the k columns $\mathbf{b}_1, \dots, \mathbf{b}_k \in \mathbb{R}^n$ of the basis $\mathbf{B}$ are linearly independent. The dual lattice of $\Lambda$, denoted $\Lambda^*$, is defined as $\Lambda^* = \{\mathbf{x} \in \mathrm{span}(\Lambda) : \forall \mathbf{v} \in \Lambda,\ \langle \mathbf{x}, \mathbf{v} \rangle \in \mathbb{Z}\}$. The minimum distance $\lambda_1(\Lambda)$ of a lattice $\Lambda$ is the length (in some norm, implicitly the Euclidean $\ell_2$ norm) of its shortest nonzero element: $\lambda_1(\Lambda) = \min_{\mathbf{0} \ne \mathbf{x} \in \Lambda} \|\mathbf{x}\|$. Let $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ for some positive integers n, m, q. We can get two lattices generated by $\mathbf{A}$: $\Lambda(\mathbf{A}, q) = \{\mathbf{y} \in \mathbb{Z}^m : \mathbf{y} = \mathbf{A}^T \mathbf{s} \bmod q,\ \mathbf{s} \in \mathbb{Z}^n\}$ and $\Lambda^\perp(\mathbf{A}, q) = \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A}\mathbf{e} = \mathbf{0} \bmod q\}$. For any (ordered) set $\mathbf{S} = \{\mathbf{s}_1, \dots, \mathbf{s}_k\} \subset \mathbb{R}^m$ of linearly independent vectors, let $\tilde{\mathbf{S}} = \{\tilde{\mathbf{s}}_1, \dots, \tilde{\mathbf{s}}_k\}$ denote its Gram-Schmidt orthogonalization, defined iteratively as follows: $\tilde{\mathbf{s}}_1 = \mathbf{s}_1$, and for each $i = 2, \dots, k$, the vector $\tilde{\mathbf{s}}_i$ is the component of $\mathbf{s}_i$ orthogonal to $\mathrm{span}(\mathbf{s}_1, \dots, \mathbf{s}_{i-1})$. The natural security parameter throughout the paper is n, and all other quantities are implicitly functions of n. A negligible function, denoted generically by negl(n), is an $f(n)$ such that $f(n) = o(n^{-c})$ for every fixed constant c. We say that $f(n) = \tilde{O}(g(n))$ if $f(n) = O(g(n) \cdot \log^c n)$ for some fixed constant c. We let poly(n) denote an unspecified polynomial function of n, and $\omega(\sqrt{\log n})$ denote a function that grows faster than $\sqrt{\log n}$ in n.

A family of chameleon hash functions was introduced by Krawczyk and Rabin [19]. It is a collection $H = \{h_i : M \times R \to Y\}$ of functions $h_i$ mapping a message $m \in M$ and randomness $r \in R$ to a range Y. A function $h_i$ is efficiently computable given its description. The family has the property that a random $h_i \leftarrow H$ may be generated together with a trapdoor t, and it has the standard collision-resistance property. Using the preimage sampleable functions from [7], it is easy to get chameleon hash functions under conventional lattice assumptions.

2.2. Lattice Problems

Many lattice problems are NP-hard in the worst case. Among them, two problems are well known. One is the γ-approximate shortest vector problem $\mathrm{GapSVP}_\gamma$, the other is the shortest independent vectors problem SIVP. For public-key encryption and signatures, however, it is very difficult to construct one-way functions directly from worst-case lattice problems. Fortunately, the seminal work of Ajtai [20] connects the average-case complexity of lattice problems to their complexity in the worst case. There are also two well-known average-case lattice problems. One is LWE [21], which stems from the work of Regev, who defined a very natural intermediate problem called learning with errors (LWE). The LWE problem is amazingly versatile: in addition to constructing public key cryptosystems [21], it has provided the foundation for many cryptographic schemes, including chosen-ciphertext secure cryptosystems [22], IBE [7], and others [8, 9, 23, 24]. The other is SIS [15], which can be seen as the dual problem of LWE and is used for constructing signature schemes [7, 8]. In this paper, we mainly consider the following lattice problems.

Definition 2.1 (γ-Approximate Shortest Vector Problem). An input to $\mathrm{GapSVP}_\gamma$ is a pair $(\mathbf{B}, d)$ where $\mathbf{B}$ is an n-dimensional lattice basis and d is a rational number. In Yes inputs $\lambda_1(\mathcal{L}(\mathbf{B})) < d$ and in No inputs $\lambda_1(\mathcal{L}(\mathbf{B})) > \gamma(n) \cdot d$.

Definition 2.2 (Shortest Independent Vectors Problem). An input to SIVP is an n-dimensional lattice basis $\mathbf{B}$. The goal is to output a set of n linearly independent lattice vectors $\mathbf{S} \subset \mathcal{L}(\mathbf{B})$ such that $\|\mathbf{S}\| \le \gamma(n) \cdot \lambda_1(\mathcal{L}(\mathbf{B}))$.

Definition 2.3 (The Small Integer Solution Problem). SIS is as follows: given an integer q, a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, and a real β, find a nonzero integer vector $\mathbf{e} \in \mathbb{Z}^m$ such that $\mathbf{A}\mathbf{e} = \mathbf{0} \bmod q$ and $\|\mathbf{e}\| \le \beta$. For functions $q(n)$, $m(n)$, and $\beta(n)$, $\mathrm{SIS}_{q,m,\beta}$ is the ensemble over instances $(q(n), m(n), \beta(n))$ where $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ is uniformly random.

Definition 2.4 (The Inhomogeneous Small Integer Solution Problem). ISIS is as follows: given an integer q, a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, a syndrome $\mathbf{u} \in \mathbb{Z}_q^n$, and a real β, find a nonzero integer vector $\mathbf{e} \in \mathbb{Z}^m$ such that $\mathbf{A}\mathbf{e} = \mathbf{u} \bmod q$ and $\|\mathbf{e}\| \le \beta$. The average-case problem $\mathrm{ISIS}_{q,m,\beta}$ is defined similarly, where $\mathbf{A}$ and $\mathbf{u}$ are uniformly random and independent. Using Gaussian techniques, Micciancio and Regev [14] showed that the $\mathrm{SIS}_{q,m,\beta}$ problem is as hard (on the average) as approximating certain worst-case problems on lattices to within small factors. A simpler and slightly tighter proof (also showing hardness for $\mathrm{ISIS}_{q,m,\beta}$) that employs the discrete Gaussian sampling algorithm was given by Gentry et al. [7].

Theorem 2.1. For any poly-bounded m, β = poly(n) and for any prime q, the average-case problems $\mathrm{SIS}_{q,m,\beta}$ and $\mathrm{ISIS}_{q,m,\beta}$ are as hard as approximating the problems SIVP and $\mathrm{GapSVP}_\gamma$ in the worst case to within certain factors $\gamma(n) = \beta \cdot \tilde{O}(\sqrt{n})$.

2.3. Gaussians on Lattices

In mathematics, a Gaussian function (named after Carl Friedrich Gauss) is a function of the form $f(x) = a e^{-(x-b)^2 / 2c^2}$ for some real constants a, b, c > 0, and $e \approx 2.718281828$ (Euler's number). It can be extended to a vector space. For any vector $\mathbf{c}$ and $s > 0$, let $\rho_{s,\mathbf{c}}(\mathbf{x}) = \exp(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / s^2)$ for all $\mathbf{x} \in \mathbb{R}^n$ be a Gaussian function centered at $\mathbf{c}$ and scaled by a factor of s. For any vector $\mathbf{c}$, real $s > 0$, and lattice $\Lambda$, define the probability distribution $D_{\Lambda,s,\mathbf{c}}$ over $\Lambda$ by

$\forall \mathbf{x} \in \Lambda,\quad D_{\Lambda,s,\mathbf{c}}(\mathbf{x}) = \dfrac{\rho_{s,\mathbf{c}}(\mathbf{x})}{\rho_{s,\mathbf{c}}(\Lambda)}.$

When $\mathbf{c}$ or s is not specified, we assume that they are the origin and 1 respectively. For a large enough s, $D_{\Lambda,s,\mathbf{c}}$ has an average value very close to $\mathbf{c}$ and an expected squared distance from $\mathbf{c}$ very close to $n s^2 / 2\pi$. The threshold for such an s is called the smoothing parameter [14].

Definition 2.5 (Smoothing parameter). For any n-dimensional lattice $\Lambda$ and positive real $\varepsilon > 0$, the smoothing parameter $\eta_\varepsilon(\Lambda)$ is the smallest real $s > 0$ such that $\rho_{1/s}(\Lambda^* \setminus \{\mathbf{0}\}) \le \varepsilon$.

Gentry et al. [7] give an algorithm SampleD that samples from a discrete Gaussian over any lattice. When the Gaussian parameter s is sufficiently large, the following theorem holds.

Theorem 2.2. For any lattice basis $\mathbf{B} \in \mathbb{Z}^{n \times k}$, any real $s \ge \|\tilde{\mathbf{B}}\| \cdot \omega(\sqrt{\log n})$, and any $\mathbf{c} \in \mathbb{R}^n$, the output distribution of SampleD($\mathbf{B}$, s, $\mathbf{c}$) is within negligible statistical distance of $D_{\mathcal{L}(\mathbf{B}),s,\mathbf{c}}$. The running time of SampleD is polynomial in n and the size of its input $(\mathbf{B}, s, \mathbf{c})$.

An upper bound on the probability of the mode (the most likely element) of a discrete Gaussian is shown in the following theorem [15]:

Theorem 2.3. For any n-dimensional lattice $\Lambda$ of rank k, center $\mathbf{c} \in \mathbb{R}^n$, positive $\varepsilon < \exp(-4\pi)$, and $s \ge \eta_\varepsilon(\Lambda)$, and for every $\mathbf{x} \in \Lambda$, we have

$D_{\Lambda,s,\mathbf{c}}(\mathbf{x}) \le \dfrac{1 + \varepsilon}{1 - \varepsilon} \cdot 2^{-k}.$

The following theorem shows that the distribution of the syndrome $\mathbf{u} = \mathbf{A}\mathbf{e} \bmod q$ is statistically close to uniform when the input vector is sampled from a discrete Gaussian distribution. It is very useful for the security of cryptographic scheme constructions: the output distribution is oblivious to the particular geometry of the given basis.

Theorem 2.4 [7]. Let n and q be positive integers with q prime, and $m \ge 2n \lg q$. Then for all but a $2q^{-n}$ fraction of all $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and for any $s \ge \omega(\sqrt{\log m})$, the distribution of the syndrome $\mathbf{u} = \mathbf{A}\mathbf{e} \bmod q$ is statistically close to uniform over $\mathbb{Z}_q^n$, where $\mathbf{e} \leftarrow D_{\mathbb{Z}^m,s}$.

Theorem 2.5 shows how to sample an essentially uniform $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, along with a short full-rank "trapdoor" set of lattice vectors $\mathbf{S} \subset \Lambda^\perp(\mathbf{A}, q)$.

Theorem 2.5 [25]. There is a fixed constant $C > 1$ and a probabilistic polynomial-time algorithm GenBasis($1^n$, $1^m$, q) that, for poly(n)-bounded $m > Cn \lg q$, outputs a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a full-rank "trapdoor" set of lattice vectors $\mathbf{S} \subset \Lambda^\perp(\mathbf{A}, q)$ such that: (1) the distribution of $\mathbf{A}$ is within negl(n) statistical distance of uniform, (2) $\mathbf{S}$ is a basis of $\Lambda^\perp(\mathbf{A}, q)$, (3) $\|\tilde{\mathbf{S}}\| \le L = O(\sqrt{n \log q})$.

Based on the work of Ajtai, Gentry et al. constructed a collection of trapdoor one-way functions SampleISIS with preimage sampling. When the parameters q, m, and L are as in theorem 2.5 (C = 2 according to theorem 2.4) and the Gaussian parameter $s \ge L \cdot \omega(\sqrt{\log m})$, the following theorem holds.

Theorem 2.6 [7]. The algorithms SampleISIS($\mathbf{A}$, $\mathbf{S}$, s, $\mathbf{u}$) give a collection of trapdoor one-way functions with preimage sampling if $\mathrm{ISIS}_{q,m,s\sqrt{m}}$ is hard on the average. Furthermore, they give a collection of trapdoor collision-resistant hash functions with preimage sampling if $\mathrm{SIS}_{q,m,2s\sqrt{m}}$ is hard on the average.

2.4. Lattice Growth and Lattice Basis Randomization

A new lattice-based cryptographic structure called a bonsai tree was proposed by David Cash et al. [8]. There are four basic principles in a bonsai tree: undirected growth, controlled growth, extending control over arbitrary new growth, and randomizing control. Undirected growth is useful primarily for allowing a simulator to embed an underlying challenge problem (i.e., SIS or LWE) into a tree. An arborist controls a lattice if it knows a relatively good (i.e., short) basis for the lattice, which can be the root of a bonsai tree. When holding the root, the arborist may extend its control over a lattice to an arbitrary higher-dimensional extension, without any loss of quality in the resulting basis. Finally, randomizing control means randomizing a lattice basis, with a slight loss in quality. This operation is useful for securely delegating control to another entity, because the resulting basis is still short but is (essentially) statistically independent of the original basis. To construct our identity-based signature, we cite two important theorems from [8].

Theorem 2.7. Let $\mathbf{S} \subset \mathbb{Z}^{m \times m}$ be an arbitrary basis of $\Lambda^\perp(\mathbf{A})$ for some $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ whose columns generate the entire group $\mathbb{Z}_q^n$, and let $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n \times \bar{m}}$ be arbitrary. There is a deterministic polynomial-time algorithm ExtBasis($\mathbf{S}$, $\mathbf{A}' = \mathbf{A} \| \bar{\mathbf{A}}$) that outputs a basis $\mathbf{S}' \subset \mathbb{Z}^{(m + \bar{m}) \times (m + \bar{m})}$ of $\Lambda^\perp(\mathbf{A}')$ such that $\|\tilde{\mathbf{S}}'\| = \|\tilde{\mathbf{S}}\|$. Moreover, the statement holds even if the columns of $\mathbf{A}'$ are permuted arbitrarily (e.g., if columns of $\bar{\mathbf{A}}$ are both appended and prepended to $\mathbf{A}$).

Theorem 2.8. There is a polynomial-time algorithm RandBasis($\mathbf{S}$, s) that takes a basis $\mathbf{S}$ of any n-dimensional integer lattice $\Lambda$ and a parameter $s \ge \|\tilde{\mathbf{S}}\| \cdot \omega(\sqrt{\log n})$, and outputs a basis $\mathbf{S}_R$ of $\Lambda$ with $\|\tilde{\mathbf{S}}_R\| \le s \cdot \sqrt{m}$. Furthermore, no information particular to $\mathbf{S}$ is leaked by the output.

3. Identity-based Signature

In this section, we construct an identity-based signature (IBS) system whose security is based on the hardness of the SIS and ISIS problems. It is existentially unforgeable under adaptive chosen-message attack (EU-ACMA) in the random oracle model.

3.1. The Scheme

Our scheme involves the following parameters: a dimension $m \ge 2n \lg q$, a prime $q = \mathrm{poly}(n)$, a bound $L = O(\sqrt{n \log q})$ as per theorem 2.5, and two Gaussian parameters $s = L \cdot \omega(\sqrt{\log n})$ and $s' = s \cdot \sqrt{m+1}$. It can be verified that these parameters satisfy the requirements of theorem 2.1 and theorem 2.4. That is to say, they ensure that average-case SIS and ISIS are hard to solve, and that we can efficiently generate trapdoor one-way functions. We define the domain $D_n = \{\mathbf{e} \in \mathbb{Z}_q^{m+1} : \|\mathbf{e}\| \le s' \cdot \sqrt{m+1}\}$ and the range $R_n = \mathbb{Z}_q^n$. Our scheme uses two chameleon hash functions: $H_0(\cdot) : \{0,1\}^* \to \mathbb{Z}_q^n$ maps an identity to a vector that serves as the public key, and $H_1(\cdot) : \{0,1\}^* \to \mathbb{Z}_q^{m+1}$ maps a message to another vector. The IBS is defined below:

IBSSetup($1^n$): generates $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a trapdoor $\mathbf{S}_0 \subset \Lambda^\perp(\mathbf{A}, q)$ according to the trapdoor generator from theorem 2.5. The master public key is $\mathbf{A}$, and the master secret key is $\mathbf{S}_0$.

IBSExtract($\mathbf{A}$, $\mathbf{S}_0$, id): for each user whose identity is id, the KGC computes $\mathbf{S} = \mathrm{RandBasis}(\mathrm{ExtBasis}(\mathbf{S}_0, \mathbf{A} \| H_0(id)^T), s)$ and returns $\mathbf{S}$. $\mathbf{S}$ is the user's secret key.

IBSSig($\mathbf{A}$, $\mathbf{S}$, id, M): to sign a message $M \in \{0,1\}^*$, the user first computes $\mathbf{u} = H_1(id \| M)$, then gets $\mathbf{e} \leftarrow \mathrm{SampleISIS}(\mathbf{A} \| H_0(id)^T, \mathbf{S}, s, \mathbf{u})$, and outputs $(M, \mathbf{e}, \mathbf{A}, id)$.

IBSVer(M, $\mathbf{e}$, $\mathbf{A}$, id): if $\mathbf{e} \in D_n$ and $(\mathbf{A} \| H_0(id)^T)\mathbf{e} = H_1(id \| M)$, then accept; else, reject.

Except for the addition of IBSExtract, our scheme is similar to the hash-and-sign signature proposed by [7], so it is clear that the scheme is complete. Compared with the scheme in [7], our scheme has a slight loss in quality: the length of the signature $\mathbf{e}$ is increased from $s \cdot \sqrt{m+1}$ to $s' \cdot \sqrt{m+1}$, that is, by a factor of $\sqrt{m+1}$. But it remains secure because $\|\mathbf{e}\|$ still satisfies poly(n), which is what theorem 2.1 requires.

3968

F. Xia et al. /Journal of Computational Information Systems 7:11 (2011) 3963-3971

3.2. Security

At first, we provide two lemmas to show that the master secret key and the user secret key are secure.

Lemma 3.1. The user can't get the master secret key $\mathbf{S}_0$ from her (his) secret key.

Proof. Let $\mathbf{S}_\delta = \mathrm{ExtBasis}(\mathbf{S}_0, \mathbf{A} \| H_0(id)^T)$ and $\mathbf{S} = \mathrm{RandBasis}(\mathbf{S}_\delta, s)$. According to theorem 2.8, no information particular to $\mathbf{S}_\delta$ is leaked by the output $\mathbf{S}$. $\mathbf{S}_\delta$ is generated from $\mathbf{S}_0$, so $\mathbf{S}_0$ is hidden from the holder of $\mathbf{S}$.

Before giving the second lemma, we state the following theorem:

Theorem 3.1. Let $q = \mathrm{poly}(n)$ and $m \ge 2n \lg q$. Given a random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, a full-rank set $\mathbf{S} \subset \Lambda^\perp(\mathbf{A}, q)$ with $\|\tilde{\mathbf{S}}\| \le L = O(\sqrt{n \log q})$, and another random matrix $\mathbf{A}' \in \mathbb{Z}_q^{n \times m}$ with $\mathbf{A}' \ne \mathbf{A}$, there is no polynomial-time algorithm which can get $\mathbf{S}' \subset \Lambda^\perp(\mathbf{A}', q)$ with $\|\tilde{\mathbf{S}}'\| \le L$.

Proof. We choose a random $\mathbf{u}_R \in \mathbb{Z}_q^n$ and use it to replace a column of $\mathbf{A}$ to form $\mathbf{A}'$. If there is a polynomial-time algorithm which can get $\mathbf{S}' \subset \Lambda^\perp(\mathbf{A}', q)$ with $\|\tilde{\mathbf{S}}'\| \le L$, then after m replacements we can get a random $\mathbf{A}_R \in \mathbb{Z}_q^{n \times m}$ together with $\mathbf{S}_R \subset \Lambda^\perp(\mathbf{A}_R, q)$ and $\|\tilde{\mathbf{S}}_R\| \le L$. Then we can get $\mathbf{e}$ with $\|\mathbf{e}\| \le s\sqrt{m}$ ($s \ge L \cdot \omega(\sqrt{\log n})$) through SampleD($\mathbf{S}_R$, s, $\mathbf{0}$), such that $\mathbf{A}_R \mathbf{e} = \mathbf{0} \bmod q$. According to theorem 2.5, for any prime $q = \mathrm{poly}(n)$ and $m \ge 2n \lg q$, there is a probabilistic polynomial-time algorithm which outputs a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a full-rank set $\mathbf{S} \subset \Lambda^\perp(\mathbf{A}, q)$. This means that we can solve average-case SIS in polynomial time when $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ is random and $\|\mathbf{e}\| \le s\sqrt{m}$. It contradicts theorem 2.1.

Lemma 3.2. A user possessing a secret key can't get the others' secret keys if he doesn't know the master secret key.

Proof. From the algorithm IBSExtract($\mathbf{A}$, $\mathbf{S}_0$, id), we know the length of the user's secret key satisfies $\|\tilde{\mathbf{S}}\| \le L \cdot \omega(\sqrt{\log n}) \cdot \sqrt{m+1} \le s \cdot \sqrt{m+1}$. According to theorem 3.1, this lemma holds.

Theorem 3.2. The IBS scheme described above is EU-ACMA if $\mathrm{SIS}_{q,\,m+1,\,2s'\sqrt{m+1}}$ is hard on the average.

Proof. According to lemma 3.1 and lemma 3.2, we know the master secret key is secure and any user who possesses a secret key can't infer the others' secret keys if he doesn't know the master secret key. We say that an ID-based signature scheme is secure against existential forgery on adaptively chosen message attacks if no polynomial-time algorithm $\mathcal{A}$ has a non-negligible advantage against a challenger $\mathcal{C}$ in the game defined by [26]. For contradiction, we assume that there is an adversary $\mathcal{A}$ that breaks the existential unforgeability of the IBS scheme with probability $\varepsilon = \varepsilon(n)$; we construct a polynomial-time adversary $\mathcal{C}$ that breaks $\mathrm{SIS}_{q,\,m+1,\,2s'\sqrt{m+1}}$ with probability negligibly close to $\varepsilon$. $\mathcal{C}$ runs $\mathcal{A}$ on the public key and simulates the random oracles $H_0(\cdot)$ and $H_1(\cdot)$ as follows. Without loss of generality, we assume $\mathcal{A}$ queries $H_1(\cdot)$ on every message M for id before making a signing query on M, and $\mathcal{C}$ maintains three lists in its local storage, called ID-list, S-list and M-list, which are initially empty.

(1) id hash function query. For an identity query id, $\mathcal{C}$ looks up the ID-list for id. If id is found, $\mathcal{C}$ provides the stored $\mathbf{v}$ to $\mathcal{A}$. Otherwise id is fresh; $\mathcal{C}$ picks $\mathbf{v} \in \mathbb{Z}_q^n$ uniformly at random, stores $(id, \mathbf{v})$, and returns $\mathbf{v}$ to $\mathcal{A}$.

(2) Extract query. Given id, $\mathcal{C}$ looks up the S-list for $\mathbf{S}$. If $\mathbf{S}$ is found, $\mathcal{C}$ provides $\mathbf{S}$ to $\mathcal{A}$. Otherwise $\mathbf{S}$ is fresh, and $\mathcal{C}$ looks up the ID-list for id. If id is found, $\mathcal{C}$ takes the $\mathbf{v}$ corresponding to id and runs $\mathbf{S} = \mathrm{IBSExtract}(\mathbf{A}, \mathbf{S}_0, id)$. If id isn't found, $\mathcal{C}$ picks $\mathbf{v} \in \mathbb{Z}_q^n$ uniformly at random, stores $(id, \mathbf{v})$ and runs $\mathbf{S} = \mathrm{IBSExtract}(\mathbf{A}, \mathbf{S}_0, id)$. Then $\mathcal{C}$ returns the secret key $\mathbf{S}$ corresponding to id and stores $(id, \mathbf{v}, \mathbf{S})$.

(3) M hash function query. For a distinct $id \| M$, $\mathcal{C}$ looks up the M-list for $(id, \mathbf{v}, M, \mathbf{e}_M)$. If it is found, $\mathcal{C}$ provides $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e}_M$ to $\mathcal{A}$. Otherwise $id \| M$ is fresh, and $\mathcal{C}$ looks up the ID-list and S-list to get $\mathbf{v}$ and $\mathbf{S}$. If found, $\mathcal{C}$ lets $\mathbf{e}_M \leftarrow \mathrm{SampleD}(\mathbf{S}, s, \mathbf{0})$, stores $(id, \mathbf{v}, M, \mathbf{e}_M)$ and returns $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e}_M$ to $\mathcal{A}$. If not, $\mathcal{C}$ generates them, stores them in the ID-list and S-list, and then carries on as above. By the uniform output property of the collection, this is identical to the uniformly random value of $H_1(id \| M) \in R_n$ in the real system.

(4) Sign query. Given id and a message M, $\mathcal{C}$ looks up the M-list for $(id, \mathbf{v}, M, \mathbf{e}_M)$. If it is found, $\mathcal{C}$ returns $\mathbf{e}_M$ as the signature; otherwise, $\mathcal{C}$ carries out (3) to get $\mathbf{e}_M$ and returns $\mathbf{e}_M$.

$\mathcal{A}$ outputs $(id^*, M^*, \mathbf{e}^*)$, where $id^*$ is an identity and $M^*$ is a message (its hash value is $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e}_{M^*}$, which is stored by $\mathcal{C}$), and $\mathbf{e}^*$ is a signature, such that $id^*$ and $(id^*, M^*, \mathbf{e}^*)$ are not equal to the inputs of any query to Extract and Sign respectively. $\mathcal{A}$ wins the game if $\mathbf{e}^*$ is a valid signature of $M^*$ for $id^*$. Before forging the signature $(id^*, M^*, \mathbf{e}^*)$, $\mathcal{A}$ queries $H_1(\cdot)$ on $M^*$ for $id^*$; $\mathcal{C}$ stores $(id^*, M^*, \mathbf{e}_{M^*})$ and returns $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e}_{M^*}$ to $\mathcal{A}$. Because $\mathbf{e}^*$ is a valid signature on $M^*$ for $id^*$, we have $\mathbf{e}^* \in D_n$ and $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e}^* = H_1(id^* \| M^*) = (\mathbf{A} \| \mathbf{v}^T)\mathbf{e}_{M^*}$. It simply remains to check that $\mathbf{e}_{M^*} \ne \mathbf{e}^*$, so that they form a collision in $\mathbf{A} \| \mathbf{v}^T$. Now we fix the value $H_1(id^* \| M^*)$. By the "uniform output" property of the collection, the upper bound on the probability of any particular $\mathbf{e}_M \leftarrow \mathrm{SampleD}(\mathbf{S}, s, \mathbf{0})$ is $\frac{1+\varepsilon}{1-\varepsilon} \cdot 2^{-(m+1)}$, which is negligible. Then the probability that $\mathbf{e}_{M^*} = \mathbf{e}^*$ is negligible, so we conclude that $\mathcal{C}$ outputs a valid $\mathbf{e} = \mathbf{e}_{M^*} - \mathbf{e}^*$ ($\|\mathbf{e}\| < 2s'\sqrt{m+1}$) with $(\mathbf{A} \| \mathbf{v}^T)\mathbf{e} = \mathbf{0}$. This means $\mathcal{C}$ solves $\mathrm{SIS}_{q,\,m+1,\,2s'\sqrt{m+1}}$, which is a contradiction.
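As an added illustration (not code from the paper), the following Python models IBSVer from Section 3.1 and the two steps of the Theorem 3.2 reduction: programming $H_1(id \| M)$ with the syndrome of a self-chosen short vector, and turning two distinct short preimages of one syndrome into an SIS solution. SHA-256 stands in for the chameleon hashes, the parameters are toy values, H1 here yields the syndrome in $R_n = \mathbb{Z}_q^n$ as the verification equation requires, and the trapdoor algorithms (GenBasis, ExtBasis, RandBasis, SampleISIS) are not implemented.

```python
import hashlib
from math import sqrt

# Toy parameters, constructed for illustration only; a real instance needs n in
# the hundreds, q = poly(n) and m >= 2n lg q, so these values are not secure.
N, M, Q = 3, 6, 97
S_PRIME = 4.0                    # stands in for the Gaussian parameter s'
BOUND = S_PRIME * sqrt(M + 1)    # D_n = { e in Z^{m+1} : ||e|| <= s' * sqrt(m+1) }

def hash_to_vec(label, data, length, q=Q):
    """Derive `length` entries of Z_q from SHA-256 (assumption: an ordinary hash
    as the default random-oracle answer; the paper uses chameleon hashes)."""
    out, ctr = [], 0
    while len(out) < length:
        h = hashlib.sha256(label + data + ctr.to_bytes(4, "big")).digest()
        out.extend(int.from_bytes(h[i:i + 2], "big") % q for i in range(0, 32, 2))
        ctr += 1
    return out[:length]

def H0(identity, n=N):
    """H0: identity -> v in Z_q^n, the user's public key."""
    return hash_to_vec(b"H0", identity.encode(), n)

class RandomOracle:
    """H1(id || M) as a programmable random oracle. In the proof of Theorem 3.2
    the challenger C answers a fresh query with the syndrome of a short vector
    it sampled itself; the 'uniform output' property hides this from A."""

    def __init__(self, length):
        self.length = length
        self.table = {}

    def program(self, key, value):
        self.table[key] = value

    def query(self, key):
        if key not in self.table:
            self.table[key] = hash_to_vec(b"H1", key.encode(), self.length)
        return self.table[key]

def public_matrix(A, v):
    """A || v^T: append the identity vector v as one more column of A."""
    return [row + [vi] for row, vi in zip(A, v)]

def matvec_mod(Mx, e, q=Q):
    return [sum(a * b for a, b in zip(row, e)) % q for row in Mx]

def norm(e):
    return sqrt(sum(x * x for x in e))

def ibs_verify(A, identity, message, e, oracle, bound=BOUND, q=Q):
    """IBSVer: accept iff e is in D_n and (A || H0(id)^T) e = H1(id || M) mod q.
    The norm check is what makes the equation hard to satisfy; without it, any
    solution of the linear system mod q would be accepted."""
    if len(e) != len(A[0]) + 1 or norm(e) > bound:
        return False
    Av = public_matrix(A, H0(identity, len(A)))
    return matvec_mod(Av, e, q) == oracle.query(identity + "||" + message)

def simulate_signature(A, identity, message, short_e, oracle, q=Q):
    """Challenger step (3): set H1(id || M) := (A || v^T) e_M for a short e_M,
    so e_M verifies although C holds no trapdoor for A || v^T."""
    Av = public_matrix(A, H0(identity, len(A)))
    oracle.program(identity + "||" + message, matvec_mod(Av, short_e, q))
    return short_e

def sis_from_forgery(A, identity, e_sim, e_forged, q=Q, bound=BOUND):
    """Reduction step: two distinct short preimages of one syndrome give
    e = e_M* - e* with (A || v^T) e = 0 mod q and ||e|| < 2 s' sqrt(m+1),
    a solution of SIS_{q, m+1, 2 s' sqrt(m+1)}. Returns None otherwise."""
    diff = [a - b for a, b in zip(e_sim, e_forged)]
    if all(x == 0 for x in diff) or norm(diff) >= 2 * bound:
        return None
    Av = public_matrix(A, H0(identity, len(A)))
    if any(matvec_mod(Av, diff, q)):
        return None
    return diff

def demo():
    """Constructed master public key A; returns (short e accepted, long e rejected)."""
    flat = hash_to_vec(b"A", b"constructed master public key", N * M)
    A = [flat[i * M:(i + 1) * M] for i in range(N)]
    oracle = RandomOracle(N)
    e_m = simulate_signature(A, "alice", "pay 5", [1, -1, 0, 2, 1, 0, -1], oracle)
    accepted = ibs_verify(A, "alice", "pay 5", e_m, oracle)
    # Same residues mod q, so the equation still holds, but the norm bound fails.
    e_long = [x + Q for x in e_m]
    rejected = not ibs_verify(A, "alice", "pay 5", e_long, oracle)
    return accepted, rejected
```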

In this paper, we assume the two hash functions $H_0(\cdot)$ and $H_1(\cdot)$ are chameleon hash functions, which have the standard collision-resistance property. The proof of theorem 3.2 shows that if $\mathcal{A}$ forges a signature, $\mathcal{C}$ can find a collision of $H_1(\cdot)$, which also leads to a contradiction. In the attack model of the classical IBS scheme from gap Diffie-Hellman groups, the challenger $\mathcal{C}$ must fix an identity ID before giving the system parameters to the adversary $\mathcal{A}$. After finishing the attack game, $\mathcal{A}$ must output the given ID (together with a message and a signature) as its final result. In addition, the security proofs of those schemes apply the forking reduction technique proposed by Pointcheval and Stern [27], which requires the challenger to reset the random oracle answers so that one set of questions from the adversary is answered with two completely independent sets of answers. That is to say, the adversary must be run another 1/Adv(n) times (Adv(n) denotes the probability of a successful attack in one run). Of course the efficiency of such a reduction is very low. The IBS scheme under the QR assumption doesn't require fixing an identity ID in the attack game, but a forking reduction technique is still needed. Our scheme is adaptive-ID secure and can output a forgery for any identity; furthermore, we don't require a forking reduction technique. Therefore our reduction proof is more efficient. Markus Rückert [17] proposed the notion of strong unforgeability, which demands that the adversary is unable to produce a new message-signature pair (M, s), even if he or she is allowed to see a different signature s′ for M. Of course our scheme supports strong unforgeability. Rückert also proposed a HIBS scheme from lattices in the random oracle model, but he didn't provide the standard security proof in the random oracle model as defined by [26]. Compared with Rückert's scheme, ours is more straightforward and efficient (we give the related comparison in the next section).

3.3. Performance

The performance of our scheme is mainly decided by the algorithms IBSSig($\mathbf{A}$, $\mathbf{S}$, id, M) and IBSVer(M, $\mathbf{e}$, $\mathbf{A}$, id). In IBSSig, we need two hash operations and one SampleD operation. The running time of SampleD is $O(n^2)$ in n and the size of its input $(\mathbf{S}, s, \mathbf{0})$. Peikert [28] presents a new Gaussian sampling algorithm for lattices that is efficient and highly parallelizable, which can reduce the running time of SampleD to $O(n^2 / P)$ (P is the number of processors). In IBSVer, two hash operations are needed; the other operations are linear operations on vectors, which are very efficient. Certainly it also has a weakness: the public and private keys are large compared with the schemes from gap Diffie-Hellman groups and the QR assumption. HIBS is the generalization of IBS. In HIBS each party (at any of many levels) can act as a key extraction authority for its subordinates, and IBS is the special instance of HIBS whose number of levels is two. It is easy to get HIBS from our scheme. Table 1 compares our result with Rückert's scheme (in the random oracle model, with two levels). In Table 1, MPK-lth denotes the length of the master public key (the others are similar). It shows that the lengths of the user public key (UPK), user secret key (USK) and signature in our scheme are far shorter than in Rückert's, so our scheme is more efficient.

Table 1 Comparison of Our Scheme with Rückert's Scheme

| Scheme | MPK-lth | MSK-lth ($\|\tilde{\mathbf{S}}_0\|$) | UPK-lth | USK-lth ($\|\tilde{\mathbf{S}}\|$) | Sign-lth |
|---|---|---|---|---|---|
| Rückert's | $n \times m$ | $\|\tilde{\mathbf{S}}_0\| \le L$ | $2n \times m$ | $\|\tilde{\mathbf{S}}\| \le s \cdot \sqrt{3m}$ | $\|\mathbf{e}\| \le s \cdot \sqrt{3m}$ |
| Ours | $n \times m$ | $\|\tilde{\mathbf{S}}_0\| \le L$ | $n$ | $\|\tilde{\mathbf{S}}\| \le s \cdot \sqrt{m+1}$ | $\|\mathbf{e}\| \le s \cdot \sqrt{m+1}$ |

4. Conclusion

In this paper, we propose an IBS scheme from lattices. A core technical component of our construction is the way an arborist extends its control over a lattice to an arbitrary higher-dimensional extension. We use lattice growth and lattice basis randomization to securely generate the user's secret key, and use trapdoor functions with preimage sampling to generate signatures. Our scheme is secure against existential forgery on adaptively chosen message and ID attacks, under the hardness assumption of average-case SIS, which is believed to be as hard as the worst-case GapSVP and SIVP.

5. Acknowledgement

This work is supported by the National Natural Science Foundation of China under Grants 60973134 and 61173164, and the Natural Science Foundation of Guangdong Province under Grant 10351806001000000.

References

[1] Adi Shamir. Identity-based cryptosystems and signature schemes. In Advances in Cryptology-CRYPTO 1984, pages 47-53, 1985.
[2] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In Advances in Cryptology-CRYPTO 2002, pages 213-229, 2002.
[3] Hess F. Efficient identity based signature schemes based on pairings. In Proc SAC 2002, pages 310-324, 2003.
[4] Weidong Qiu, Kefei Chen. Identity Based Signature Scheme Based on Quadratic Residues. The International Series in Engineering and Computer Science, pages 97-106, 2004.
[5] Shor P W. Polynomial-time Algorithm for Prime Factorization and Discrete Logarithm on a Quantum Computer. SIAM Journal on Computing, 26(5):1484-1509, 1997.
[6] V. Lyubashevsky and D. Micciancio. Asymptotically efficient lattice-based digital signatures. In TCC 2008, pages 37-54, 2008.
[7] C. Gentry, C. Peikert, V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC 2008, pages 197-206, 2008.
[8] David Cash, Dennis Hofheinz, Eike Kiltz, Chris Peikert. Bonsai Trees, or How to Delegate a Lattice Basis. In Advances in Cryptology-EUROCRYPT 2010, pages 523-552, 2010.
[9] S. Agrawal, D. Boneh, X. Boyen. Efficient lattice (H)IBE in the standard model. In Advances in Cryptology-EUROCRYPT 2010, pages 553-572, 2010.
[10] C. Peikert and V. Vaikuntanathan. Noninteractive statistical zero-knowledge proofs for lattice problems. In Advances in Cryptology-CRYPTO 2008, pages 536-553, 2008.
[11] Vadim Lyubashevsky, Daniele Micciancio, Chris Peikert and A. Rosen. SWIFFT: A modest proposal for FFT hashing. In 15th International Workshop, FSE 2008, pages 54-72, 2008.
[12] C. Gentry. Fully homomorphic encryption using ideal lattices. In STOC 2009, pages 169-178, 2009.
[13] V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. In Advances in Cryptology-EUROCRYPT 2010, pages 1-23, 2010.
[14] Daniele Micciancio, Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267-302, 2007.
[15] S. Dov Gordon, Jonathan Katz, Vinod Vaikuntanathan. A group signature scheme from lattice assumptions. In Advances in Cryptology-ASIACRYPT 2010, pages 395-412, 2010.
[16] Markus Rückert. Lattice-based blind signatures. In Advances in Cryptology-ASIACRYPT 2010, pages 413-430, 2010.
[17] Markus Rückert. Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. In PQCrypto 2010, pages 182-200, 2010.
[18] Pierre-Louis Cayrel, Richard Lindner, Markus Rückert, and Rosemberg Silva. An efficient lattice-based threshold ring signature scheme. In Latincrypt 2010, pages 255-272, 2010.
[19] H. Krawczyk and T. Rabin. Chameleon signatures. In Proceedings of NDSS, pages 1-1, 2000.
[20] M. Ajtai. Generating hard instances of lattice problems (extended abstract). In STOC 1996, pages 99-108, 1996.
[21] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):1-40, 2009.
[22] C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In STOC 2009, pages 333-342, 2009.
[23] Chris Peikert, Vinod Vaikuntanathan, Brent Waters. A framework for efficient and composable oblivious transfer. In Advances in Cryptology-CRYPTO 2008, pages 554-571, 2008.
[24] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Advances in Cryptology-CRYPTO 2009, pages 595-618, 2009.
[25] J. Alwen and C. Peikert. Generating shorter bases for hard random lattices. In STACS 2009, pages 75-86, 2009.
[26] Cha J and Cheon J. An identity-based signature from Gap Diffie-Hellman groups. In PKC 2003, pages 18-30, 2003.
[27] David Pointcheval and Jacques Stern. Security proofs for signature schemes. In Advances in Cryptology-EUROCRYPT 1996, pages 387-398, 1996.
[28] Chris Peikert. An efficient and parallel Gaussian sampler for lattices. In Advances in Cryptology-CRYPTO 2010, pages 80-97, 2010.