A Fuzzy Identity-Based Signcryption Scheme from Lattices

Abstract

Fuzzy identity-based cryptography introduces the threshold structure into identity-based cryptography, changes the receiver of a ciphertext from exact one to dynamic many, makes a cryptographic scheme more efficient and flexible. In this paper, we propose the first fuzzy identity-based signcryption scheme in lattice-based cryptography. Firstly, we give a fuzzy identity-based signcryption scheme that is indistinguishable against chosen plaintext attack under selective identity model. Then we apply Fujisaki-Okamoto method to obtain a fuzzy identity-based signcryption scheme that is indistinguishable against adaptive chosen ciphertext attack under selective identity model. Thirdly, we prove our scheme is existentially unforgeable against chosen message attack under selective identity model. As far as we know, our scheme is the first fuzzy identity-based signcryption scheme that is secure even in the quantum environment.

1. Introduction

In public key cryptography, a user has a pair of public key and a private key, and this pair is bounded with the user by a trusted third party. For security consideration, the user and the matching public/private key should be updated frequently, and it is complicated to maintain public key infrastructure to support key authenticity. In order to solve this problem, Shamir introduced identity-based cryptography[1]. In identity-based cryptography, a user’s identity is viewed as his public key, and the associated private key is generated by a private key generator, and the relation between a user and his public/private key is natural. Identity-based cryptography doesn’t depend on the complex public key infrastructure, simplifies the user key management, and leads to more practical cryptosystems[2, 3].

However, one person must ascertain the receiver, in public key cryptography and identity-based cryptography, when he encrypts a message. The truth of the matter is that, the sender couldn’t ascertain the receiver in such situations as pay-TV systems and cloud storages, for the group of receivers is of a dynamic change. To adapt to this environment, we may introduce access control structure in encryption, and allow people, who are admitted by the access control structure, to decrypt the ciphertext. When the access control structure is specific to threshold structure, it is fuzzy identity-based cryptography. Fuzzy identity-based cryptography is an error-tolerant identity-based cryptography. In other words, a ciphertext or signature obtained via an identity id can be decrypted or verified via an identity id' if and only if the difference between id and id' is within a certain range, and the range is the threshold value.

Fuzzy identity-based encryption(FIBE) was introduced by Sahai and Waters[4]. Sahai and Waters formalized the model of fuzzy identity-based encryption and provided two fuzzy identity-based encryption schemes which are secure against chosen plaintext attack under selective identity model. Subsequently, Baek et al. gave two more efficient fuzzy identity-based encryption schemes[5] using Pirretti et al.’s results[6], and Li et al. proposed a fuzzy identity-based encryption scheme with dynamic threshold[7].

When it comes to digital signature, Yang et al. firstly introduced the notion of fuzzy identity-based signature(FIBS)[8] and gave a specific construction based on Sahai and Waters’s fuzzy identity-based encryption schemes[4]. Afterward, Wang proposed a fuzzy identity-based signature scheme with shorter parameters and more efficient verification[9], and Wu also proposed a fuzzy identity-based signature scheme with the generalized selective identity security[10].

Aiming at further improvement in the practicability of cryptographic system, Zheng introduced the notion of signcryption to combine encryption and signature[11]. Signcryption is a cryptographic primitive that can perform the functions of public key encryption and digital signature in a logic step, so that it cuts down the cost of computation and communication without security compromise. To meet the needs of biometric identity, Zhang et al.[12] and Li et al. [13] introduced fuzziness property into signcryption respectively, and proposed fuzzy signcryption schemes.

So far, all the literatures mentioned above are based on the traditional numerical assumptions, and Shor’s groundbreaking results[14] show that these schemes are not secure in the quantum era. Thus, it is a rewarding work to build quantum secure cryptographic schemes. Lattice-based cryptography is an outstanding representative of post-quantum cryptography, and there exist many public key encryption schemes[15, 16, 17] and digital signature schemes[18, 19, 20] based on lattice theory. But as far as we know, there aren’t fuzzy identity-based signcryption schemes based on lattice assumptions.

In this paper, we give the first fuzzy identity-based signcryption scheme based on lattice assumptions. According to the technique in [21], we take the signature associated with the message as an error vector, to disturb the lattice point associated with the message. As a result, we bind the encrypted message and the signature to realize confidentiality and authentication simultaneously. And we reduce the frequency of sampling errors compare with the generic sign-then-encrypt method. To accomplish ukeyExtract queries in the proof of existential unforgeability against chosen message attack under selective identity model, we introduce identity information to public key for encryption. In order to further decrease the length of the ciphertext, we make use of the technique of the lattice basis delegation in fixed dimension[16]. In addition, we apply the Fujisaki-Okamoto method[22] to increase our scheme’s security from indistinguishability against chosen plaintext attack under selective identity model(IND-sID-CPA) to indistinguishability against adaptive chosen ciphertext attack under selective identity model(IND-sID-CCA2).

The following is the roadmap of our paper. Section 2 includes preliminaries that are necessary in our construction, Section 3 gives the formal definition of a fuzzy identity-based signcryption scheme. Section 4 introduces the security definitions of a fuzzy identity-based signcryption scheme. Section 5 gives our new scheme and its consistency analysis. Section 6 gives the security analysis of our scheme. Section 7 provides its efficiency analysis and performance comparison with other related schemes. Finally, Section 8 is summary and conclusions.

 

2. Preliminaries

In this section, we give an overview of basic notions and results that are involved in our construction about lattice-based cryptography. We refer readers to [15, 16, 23] for more details.

Definition 2.1 A lattice is a discrete addition subgroup in Rm , and if it is generated by n linearly independent vectors a1,⋯,an ∈ Rm , then matrix A = [a1 |⋯| an ] is a basis of the lattice, and the lattice can be denoted by ∧(A).

Definition 2.2 Two integer lattices, as well as a lattice shift, are often used in lattice-based cryptography, and we give their definitions as follows. For ,

Definition 2.3 For ∧ ⊆ Zm , c ∈ Rm , σ ∈ R+ , let , ρσ,c(∧) = Σx∈∧ρσ,c(x) , then  is a discrete Gaussian distribution over ∧, whose center is c and parameter is σ . When c = 0 or σ = 1, we can omit them.

Lemma 2.4 With integer q ≥ 3. m ≥ Cnlogq, where C > 1 is a fixed constant, algorithm TrapGen outputs , which satisfy the following properties.

1. The statistical distance between the distribution of A and uniform distribution on is negligible.

2. AT = 0(modq).

3. ║T║ ≤ O(nlogq) and .

Definition 2.5 Let , Dmxm is the distribution  and if R ← Dmxm , then R is Zq - invertible.

Lemma 2.6 For  with rank n , R ← Dmxm , a short basis TA of , and Gaussian parameter , algorithm BasisDel outputs a basis TB of .

Lemma 2.7 Algorithm SampleRwithBasis (A) is important in security proof. Its input is a matrix A , which comes from  uniformly and randomly. Its output are matrices R and T , where R follows the distribution Dmxm , T is a short basis of .

Lemma 2.8 For , a short basis TB of , and Gaussian parameter , algorithm SamplePre outputs some e ∈ Zm such that  and Be = u(modq).

Definition 2.9 For a size parameter n ≥ 1, a modulus q ≥ 2, and an appropriate normal distribution X on Zq , As,X is the distribution obtained by selecting a vector  uniformly, sampling x : X , and outputting .

An (Zq,n,X) - LWE problem instance is composed of access to an unspecified challenge oracle O , which is, either, a pseudo-random sampler Os associated with some random secret , or, a random sampler Ou .

Os : outputs such samples as , where ai follows uniform distribution on , xi follows distribution X .

Ou : outputs such samples as (ai, bi) which follows uniform distribution on .

Given an (Zq,n,X) - LWE problem instance, if there is an efficient algorithm to decide which oracle is accessed, then there is an efficient algorithm to approximate the SIVP and GapSVP problems in the worst case.

Definition 2.10 The (n,m,q,β) - small integer solution problem SISn,m,q,β is that for , and a real β , find a vector e ∈ Zm such that Ae = 0(modq) and 0 < ║e║2 ≤ β , where ║‧║2 is the Euclidean norm.

Given an SISn,m,q,β problem instance, if there is an efficient algorithm to find its small integer solution e , then there is an efficient algorithm to approximate the SIVP problem in the worst case.

 

3. Formal definition of a fuzzy identity-based signcryption

In this section, we give the formal definition of a fuzzy identity-based signcryption.

A fuzzy identity-based signcryption scheme has five PPT algorithms as follows.

• Setup (1n,d,d') - On input system security parameter 1n , two thresholds d and d' , this algorithm outputs public parameter PP and master secret key msk .

• uKeyExtract (msk,id) - On input master secret key msk , an identity id , this algorithm outputs the unsigncryption key ukid .

• sKeyExtract (msk,id) - On input master secret key msk , an identity id , this algorithm outputs the signature key skid .

• Signcrypt (M, , ide ) - On input a message M , an identity ide for encryption, an identity ids as well as its signature key , this algorithm outputs a ciphertext C .

• Unsigncrypt (C, , idv ) - On input a ciphertext C , an identity idv for verification, an identity idu as well as its unsigncryption key , if | idu ∩ ide | ≥ d and | idv ∩ ids | ≥ d' , this algorithm gets the message M , and verifies the validity of the message and its signature. If verification is successful, this algorithm returns the message M , otherwise returns ⊥.

These five algorithms must satisfy consistency property of a fuzzy identity-based signcryption, that is, if C = Signcrypt(M, , ide ), and | idu ∩ ide | ≥ d , | idv ∩ ids | ≥ d' , then we should have M = Unsigncrypt(C, , idv ).

 

4. Security notions

The security of a fuzzy identity-based signcryption scheme includes two factors: message confidentiality and ciphertext unforgeability, which are illuminated in detail as follows.

4.1 Message confidentiality

With regard to the message confidentiality of a fuzzy identity-based signcryption scheme, we define two definitions of different security levels: indistinguishability against chosen plaintext attack under selective identity model(IND-sID-CPA), and indistinguishability against adaptive chosen ciphertext attack under selective identity model(IND-sID-CCA2).

The following game between a challenger C and an adversary A describes the indistinguishability against adaptive chosen ciphertext attack under selective identity model(IND-sID-CCA2).

• Target – The adversary A decides an identity id* to be his attack target, and returns it to the challenger C.

• Setup – The challenger C inputs secure parameter 1n , two thresholds d and d' , invokes Setup (1n,d,d') algorithm to get public parameter PP and master secret key msk . Public parameter PP is sent to the adversary A and master secret key msk is kept secret.

• Phase 1 – In this phase, the adversary A has the right to ask the following queries with a number of polynomial bounded, and the challenger C must return reasonable answers.

uKeyExtract (id) – The adversary A asks for the unsigncryption key for an identity id with | id ∩ id* | < d . The challenger C invokes algorithm uKeyExtract (msk, id) and returns its result to A .

sKeyExtract (id) – The adversary A asks for the signature key for an identity id . The challenger C invokes algorithm sKeyExtract (msk, id) and returns its result to A .

Unsigncrypt (C, idu, idv) - The adversary A provides a ciphertext C , an identity idu for unsigncryption, and an identity idv for verification. The challenger C computes = uKeyExtract(idu), then invokes algorithm Unsigncrypt(C, , idv) and returns its result to A .

• Challenge – When Phase 1 ends, the adversary A selects two messages M0, M1 with same length, and an identity id*s for signature, sends all of them to the challenger C for challenge ciphertext. C selects a bit b randomly, computes the signature key skid*s = sKeyExtract (id*s) and returns C* = Signcrypt(Mb, skid*s, id*) to A .

• Phase 2 – The adversary A repeats what he did in Phase 1, with the exception that he couldn’t execute Unsigncrypt query on (C*, idu, idv) with | idu ∩ id* | ≥ d and | idv ∩ id*s | ≥ d' .

• Guess – The adversary A gives his guess b' for b which the challenger C used in Challenge phase. If b' = b , we say the adversary A wins the game.

The advantage of adversary A in this game is denoted as .

Definition 4.1 If all polynomially bounded adversaries have negligible advantages in the above game, then a fuzzy identity-based signcryption scheme is indistinguishable against adaptive chosen ciphertext attack under selective identity model. In other words, a fuzzy identity-based signcryption scheme is IND-sID-CCA2 secure.

If the Unsigncrypt query is forbidden in the above game, then the game and the associated definition 4.1 describe the indistinguishability against chosen plaintext attack under selective identity model(IND-sID-CPA).

4.2 Ciphertext unforgeability

With regard to the ciphertext unforgeability of a fuzzy identity-based signcryption scheme, we define the following game between a challenger C and an adversary A to describe the existential unforgeability against chosen message attack under selective identity model(EUF-sID-CMA).

• Target – The adversary A decides an identity id* to be his attack target, and returns it to the challenger C.

• Setup – The challenger C inputs secure parameter 1n , two thresholds d and d' , invokes Setup(1n,d,d') algorithm to get public parameter PP and master secret key msk . Public parameter PP is sent to the adversary A and master secret key msk is kept secret.

• Query – In this phase, the adversary A has the right to ask the following queries with a number of polynomial bounded, and the challenger C must return reasonable answers.

uKeyExtract (id) – The adversary A asks for the unsigncryption key for an identity id . The challenger C invokes algorithm uKeyExtract (msk, id) and returns its result to A .

sKeyExtract (id) – The adversary A asks for the signature key for an identity id , which satisfy | id ∩ id* | < d' . The challenger C invokes algorithm sKeyExtract (msk, id) and returns its result to A .

Signcrypt(M, ids, ide) - The adversary A provides a message M , an identity ids for signature, an identity ide for encryption. The challenger C computes = sKeyExtract(ids), then invokes algorithm Signcrypt(M, , ide) and returns its result to A .

• Forge – The adversary A replies to C with a ciphertext C* as well as an encryption identity id*e . If adversary A ’s reply is valid, that is to say, there exist idu and idv which satisfy | idu ∩ id*e | ≥ d and | idv ∩ id* | ≥ d' , Unsigncrypt(C*, , idv) = M ≠ ⊥ for = uKeyExtract(idu) and A didn’t make Signcrypt(M, id*, id*e) query, then we say the adversary A wins the game.

The advantage of adversary A in this game is denoted by Adv(A) = Pr[A wins] .

Definition 4.2 If all polynomially bounded adversaries have negligible advantages in the above game, then a fuzzy identity-based signcryption scheme is existentially unforgeable against chosen message attack under selective identity model. In other words, a fuzzy identity-based signcryption scheme is EUF-sID-CMA secure.

 

5. Our fuzzy identity-based signcryption scheme

At first, we give an IND-sID-CPA secure fuzzy identity-based signcryption scheme – Construction 1, then we apply Fujisaki-Okamoto method to Construction 1 to obtain an IND-sID-CCA2 secure fuzzy identity-based signcryption scheme – Construction 2.

5.1 Construction 1

• Setup(n, d, d') On input security parameter , where l is the length of an identity, ε ∈ (0,1) is a constant, and two thresholds d and d' ,

1. For q = poly(n) and pq ∈ [n6 ‧ 25l , 2n6 ‧ 25l], let m = n1.5 ,

2. For i ∈ [l], b ∈ {0,1}, invoke algorithm TrapGen (n) to obtain (Ai,b, Ti,b), with the condition that

(a) follows uniform distribution with overwhelming probability.

(b) Ti,b is a short basis of .

3. For message space M = {0,1}k , let t ∈ [k], select uniformly and randomly.

4. Let Dmxm be the Gaussian distribution , H1, H2 : {0,1}* → Dmxm , and H3 : {0,1}* → are three different hash functions.

5. Output PP = ({Ai,b}i∈[l],b∈{0,1}, {ut}t∈[k], H1, H2, H3) and msk = ({Ti,b}i∈[l],b∈{0,1}).

• uKeyExtract (msk, id) On input msk = ({Ti,b}i∈[l],b∈{0,1}) and an identity id = (id1, ⋯, idl), the unsigncryption key ukid is obtained as follows.

1. For t ∈ [k], select a random polynomial vector ft ∈ Rn of degree d - 1 such that R = Zpq[x] and ft(0) = ut . Let for i ∈ [l]. By Shamir’s (d, l) threshold scheme, for I ⊆ [l] such that | I | ≥ d , ut = Σi∈ILi ‧ uti(modpq), where Li is the associated Lagrangian coefficient.

2. For i ∈ [l], let = H1(idi Pi), invoke algorithm BasisDel(, , , σ) to get a short basis for lattice .

3. For t ∈ [k], i ∈ [l] , run SamplePre(, , uti, σ') to get eti ∈ Zm satisfying ‧ eti = uti .

4. Output the unsigncryption key for the identity id as {eti}t∈[k],i∈[l].

• sKeyExtract (msk, id) On input msk = ({Ti,b}i∈[l],b∈{0,1}) and an identity id = (id1, ⋯, idl), the signature key skid is obtained as follows.

1. For i ∈ [l] , let = H2(id□idi□i) , invoke algorithm BasisDel(, , , σ) to get a short basis for lattice .

2. Output the signature key for the identity id as

• Signcrypt (M, , ide) On input the message M ∈ {0,1}k , the signature key = for ids , and ide = (ide1, ⋯, idel) used for encryption,

1. Let D = (l!)2 , u = H3(M)

2. Select a random polynomial vector f ∈ An of degree d' - 1 such that A = Zp[x] and f(0) = u . Let uj = f(j) ∈ for j ∈ [l]. By Shamir’s (d',l) threshold scheme, for J ⊆ [l] such that | J | ≥ d' , u = Σj∈JLj ‧ uj(modp), where Lj is the associated Lagrangian coefficient.

3. For i ∈ [l], compute = H2(ids□idsi□i), .

4. For i ∈ [l], sample ei = SamplePre(, , qui, σ') ∈ Zm .

5. Select randomly, compute c = s + qu .

6. For t ∈ [k], let .

7. For i ∈ [l], let .

8. For i ∈ [l], let .

9. Output the ciphertext C = (ide,ids,c,{ct0}t∈[k],{ci}i∈[l]).

• Unsigncrypt(C, , idv) On input the ciphertext C = (ide,ids,c,{ct0}t∈[k],{ci}i∈[l], the unsigncryption key = {eti}t∈[k],i∈[l] for idu , and idv = (idv1, ⋯, idvl) used for verification,

1. Let I = idu ∩ ide denote the set of matching bits in idu and ide , and J = idv ∩ ids denote the set of matching bits in idv and ids . If | I | < d or | J | < d' , output ⊥ and reject. Otherwise, continue.

2. For i ∈ [l], let = H1(idui Pi), . By Shamir’s (d, l) threshold scheme, we have Σi∈ILiBi,idui eti = ut(modpq) for t ∈ [k].

3. For t ∈ [k], compute , output Mt = 0, otherwise output Mt = 1. In this step, we retrieve the message M .

4. Compute s = c - qH3(M).

5. For i ∈ [l], compute = H1(idei Pi), .

6. For i ∈ [l], compute = H2(ids Pidsi Pi), .

7. Verify whether and ej ∈ Dn for j ∈ [l]. If all conditions hold, accept M as a valid message. Otherwise, output ⊥ and reject.

5.2 Consistency of Construction 1

Let I = idu ∩ ide denote the set of matching bits in idu and ide , J = idv ∩ ids denote the set of matching bits in idv and ids , and | I | ≥ d , | J | ≥ d' . Then for t = 1,⋯,k,

According to parameters setting in Setup of our scheme, with overwhelming probability, then , then Mt = 0 ; otherwise Mt = 1. And M = (M1, ⋯, Mk).

Then s = c - qH3(M) and for i ∈ [l] . Because of ei = SamplePre(, , qui, σ') and u = H3(M) = Σj∈JLj ‧ uj(modp), we have and ej ∈ Dn for j ∈ [l].

As a result, as long as the ciphertext is got following our scheme religiously, a valid unsigncrypter can obtain the original message with overwhelming probability.

5.3 IND-sID-CPA security of Construction 1

Theorem 5.1 Assuming that the LWE problem is hard, Construction 1 is indistinguishable against chosen plaintext attack under selective identity model (IND-sID-CPA).

Proof. We prove Theorem 5.1 by contradiction. Suppose that there exists a PPT adversary A who can attack the IND-sID-CPA security of Construction 1, we can construct a challenger C to solve an LWE problem instance, which is a contradiction with the hardness of the LWE problem. In other words, Construction 1 is IND-sID-CPA secure under the hardness of the LWE problem.

To end this aim, the adversary A and the challenger C behave as follows.

• Target – The adversary A decides an encryption identity id* to be his attack target, and returns id* to the challenger C.

• Instance – The challenger C requests samples from the oracle O to get for t = 1,⋯,k , and for i ∈ [l]. These samples follow LWE oracle Os or uniform distribution oracle Ou , which will be decided by challenger C with the aid of A ’ attack ability to Construction 1.

• Setup – The public parameter PP is given by challenger C in the following manner.

1. Matrices for i ∈ [l].

2. Sample l random matrices R1*,⋯,Rl* ← Dmxm , and let for i ∈ [l].

3. For i ∈ [l], is obtained by algorithm TrapGen , together with a short basis .

4. Vectors ut = wt for t ∈ [k].

Then PP = ({Ai,b}i∈[l],b∈{0,1}, {ut}t∈[k]) is returned to the adversary A .

• Phase 1 – In this phase, the adversary A has the right to ask the following queries with a number of polynomial bounded, and the challenger C must return reasonable answers.

◊ H1 queries – The adversary A asks for H1(id) for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

For (idi Pi), i ∈ [l],

1. If idi = id*i , let H1(idi Pi) = Ri* .

2. If idi ≠ id*i , sample ← Dmxm randomly, let H1(idi Pi) = .

Then save(id,((idi Pi),H1(idi Pi))i∈[l]) in list H1 and return ((idi Pi),H1(idi Pi))i∈[l].

◊ H2 queries – The adversary A asks for H2(id) for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

For (id Pidi Pi), i ∈ [l],

1. If idi = id*i , run algorithm SampleRwithBasis  to obtain a random ← Dmxm and a short basis for lattice .

Let H2(id Pidi Pi) = .

2. If idi ≠ id*i , sample ← Dmxm randomly, let H2(id Pidi Pi) = , invoke algorithm BasisDel(, , , σ) to get a short basis for lattice .

Then save in list H2 and return

◊ uKeyExtract queries – The adversary A asks for the unsigncryption key for an identity id with | id ∩ id* | = | I | = d0 < d . The challenger C does the following steps to reply.

1. For simplicity, we assume that the first d0 bits of id and id* are equal, then the challenger C has trapdoors for the matrices associated with the set .

2. For t ∈ [k] , let the shares of ut be uti = ut + at1i + at2i2 +⋯+ atd-1id-1 , where at1,⋯,atd-1 are vector variables with length n .

3. For i ∈ [l], execute H1(id) query to obtain = H1(idi Pi), and let .

4. For t ∈ [k], i ∈ [d0], select eti ← , and let uti = ‧ eti .

5. For t ∈ [k], i ∈ {d0 + 1,⋯,d-1}, choose d - 1 - d0 shares ,⋯, utd-1 randomly, then the values for at1,⋯,atd-1 are fixed and all l shares ut1, ⋯, utl are known.

6. For t ∈ [k], i ∈ {d0+1,⋯, l}, since is known, invoke algorithm BasisDel(, , , σ) to get a short basis for lattice , then invoke algorithm SamplePre(, , uti, σ') to get eti ∈ Zm satisfying ‧ eti = uti .

7. Return the unsigncryption key for the identity id as {eti}t∈[k],i∈[l] .

◊ sKeyExtract queries – The adversary A asks for the signature key for an identity id . The challenger C executes H2(id) query to obtain then returns

• Challenge – When Phase 1 ends, the adversary A selects two messages M(0) and M(1) with same length, and a signature identity id*s , sends all of them to the challenger C for challenge ciphertext. C selects b∈{0,1} randomly, does the following steps.

1. Let for t ∈ [k].

2. Let for i ∈ [l].

3. Select randomly.

Then (id*,id*s,c,{ct0}t∈[k],{ci}i∈[l]) is returned.

• Phase 2 – The adversary A repeats what he did in Phase 1.

• Guess – The adversary A gives his guess b' for b which the challenger C used in Challenge phase. If b' = b , C decides the samples follow LWE oracle Os ; otherwise, C decides the samples follow uniform distribution oracle Ou .

5.4 Construction 2

We apply Fujisaki-Okamoto method to Construction 1 to obtain an IND-sID-CCA2 secure fuzzy identity-based signcryption scheme – Construction 2, which is illustrated as follows.

• Setup(n, d, d') On input security parameter , where l is the length of an identity, ε ∈ (0,1) is a constant, and two thresholds d and d' ,

1. For q = poly(n) and pq ∈ [n6 ‧ 25l , 2n6 ‧ 25l], let m = n1.5 ,

2. For i ∈ [l], b ∈ {0,1}, invoke algorithm TrapGen (n) to obtain (Ai,b, Ti,b), with the condition that

(a) follows uniform distribution with overwhelming probability.

(b) Ti,b is a short basis of .

3. Let (E,D) be a one-time secure symmetric encryption scheme, whose message space is M ' = {0,1}* , key space is K = {0,1}k' .

4. Let G : {0,1}k' → {0,1}k' and H : {0,1}* → {0,1}* be hash functions. For t ∈ [k], select uniformly and randomly.

5. Let Dmxm be the Gaussian distribution , H1, H2 : {0,1}* → Dmxm , and H3 : {0,1}* → are three different hash functions.

6. Output PP = ({Ai,b}i∈[l],b∈{0,1}, {ut}t∈[k], G, H, H1, H2, H3) and msk = ({Ti,b}i∈[l],b∈{0,1}).

• uKeyExtract (msk, id) This algorithm is same as the uKeyExtract algorithm in Construction 1.

• sKeyExtract (msk, id) This algorithm is same as the sKeyExtract algorithm in Construction 1.

• Signcrypt (M, , ide) On input the message M ∈ {0,1}* , the signature key for ids , and ide = (ide1, ⋯, idel) used for encryption,

1. Select random ρ ∈ {0,1}k , let cM = E(G(ρ),M) h = H(ρ,cM).

2. Let D = (l!)2 , u = H3(M,ρ).

3. Using randomness h , execute Construction 1. Signcrypt. step 2 – step 5.

4. For t ∈ [k], let .

5. For i ∈ [l], let .

6. For i ∈ [l], let .

7. Output the ciphertext C = (ide, ids, cM, c, {ct0}t∈[k],{ci}i∈[l]).

• Unsigncrypt(C, , idv) On input the ciphertext C = (ide, ids, cM, c, {ct0}t∈[k],{ci}i∈[l], the unsigncryption key = {eti}t∈[k],i∈[l] for idu , and idv = (idv1, ⋯, idvl) used for verification,

1. Let I = idu ∩ ide denote the set of matching bits in idu and ide , and J = idv ∩ ids denote the set of matching bits in idv and ids . If | I | < d or | J | < d' , output ⊥ and reject. Otherwise, continue.

2. For i ∈ [l], let = H1(idui Pi), . By Shamir’s (d, l) threshold scheme, we have = ut(modpq) for t ∈ [k].

3. For t ∈ [k], compute , output ρt = 0, otherwise output ρt = 1. In this step, we retrieve ρ .

4. Let M = D(G(ρ), cM) and h = H(ρ,cM).

5. Using randomness h , execute the above Signcrypt. step 3 – step 6 again. If (c,{ct0}t∈[k],{ci}i∈[l]) obtained here is same as (c,{ct0}t∈[k],{ci}i∈[l]) in the ciphertext, continue. Otherwise, reject and output ⊥.

6. Compute s = c - qH3(M,ρ).

7. For i ∈ [l], compute = H1(idei Pi), .

8. For i ∈ [l], compute = H2(ids Pidsi Pi), .

9. Verify whether = qH3(M,ρ) and ej ∈ Dn for j ∈ [l]. If all conditions hold, accept M as a valid message. Otherwise, output ⊥ and reject.

 

6. Security analysis of Construction 2

6.1 Ciphertext indistinguishability of Construction 2

Theorem 6.1 Assuming that the LWE problem is hard, Construction 2 is indistinguishable against chosen ciphertext attack under selective identity model (IND-sID-CCA2).

Proof. We prove Theorem 6.1 by contradiction. Suppose that there exists a PPT adversary A who can attack the IND-sID-CCA2 security of Construction 2, we can construct a challenger C to solve an LWE problem instance, which is a contradiction with the hardness of the LWE problem. In other words, Construction 2 is IND-sID-CCA2 secure under the hardness of the LWE problem.

To end this aim, the adversary A and the challenger C behave as follows.

• Target – The adversary A decides an encryption identity id* to be his attack target, and returns id* to the challenger C.

• Instance – The challenger C requests samples from the oracle O to get for t = 1,⋯,k , and for i ∈ [l]. These samples follow LWE oracle Os or uniform distribution oracle Ou , which will be decided by challenger C with the aid of A ’ attack ability to Construction 2.

• Setup – The public parameter PP is given by challenger C in the following manner.

1. Matrices for i ∈ [l].

2. Sample l random matrices R1*,⋯,Rl* ← Dmxm , and let for i ∈ [l].

3. For i ∈ [l], is obtained by algorithm TrapGen , together with a short basis .

4. Vectors ut = wt for t ∈ [k].

Then PP = ({Ai,b}i∈[l],b∈{0,1}, {ut}t∈[k]) is returned to the adversary A .

• Phase 1 – In this phase, the adversary A has the right to ask the following queries with a number of polynomial bounded, and the challenger C must return reasonable answers.

◊ H1 queries – The adversary A asks for H1(id) for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

For (idi Pi), i ∈ [l],

1. If idi = id*i , let H1(idi Pi) = Ri* .

2. If idi ≠ id*i , sample ← Dmxm randomly, let H1(idi Pi) = .

Then save(id,((idi Pi),H1(idi Pi))i∈[l]) in list H1 and return ((idi Pi),H1(idi Pi))i∈[l].

◊ H2 queries – The adversary A asks for H2(id) for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

For (id Pidi Pi), i ∈ [l],

1. If idi = id*i , run algorithm SampleRwithBasis to obtain a random ← Dmxm and a short basis for lattice .

Let H2(id Pidi Pi) = .

2. If idi ≠ id*i , sample ← Dmxm randomly, let H2(id□idi□i) = , invoke algorithm BasisDel(, , , σ) to get a short basis for lattice .

Then save in list H2 and return ((id Pidi Pi), )i∈[l].

◊ H3 queries – The adversary A asks for H3(M,ρ) for some M ∈ {0,1}* and ρ ∈ {0,1}k , the challenger C selects hM,ρ ∈ uniformly and randomly, saves (M, ρ, hM,ρ) in list H3 and returns H3(M,ρ) = hM,ρ .

◊ G queries - The adversary A asks for G(ρ) for some ρ ∈ {0,1}k, the challenger C selects Gρ ∈ {0,1}k' uniformly and randomly, saves (ρ, Gρ) in list G and returns G(ρ) = Gρ .

◊ H queries – The adversary A asks for H(ρ,cM) for some ρ ∈ {0,1}k and cM ∈ {0,1}* , the challenger C selects ∈ {0,1}* uniformly and randomly, saves (ρ, cM, ) in list H and returns H(ρ,cM) = .

◊ uKeyExtract queries – The adversary A asks for the unsigncryption key for an identity id with | id ∩ id* | = | I | = d0 < d . The challenger C does the following steps to reply.

1. For simplicity, we assume that the first d0 bits of id and id* are equal, then the challenger C has trapdoors for the matrices associated with the set .

2. For t ∈ [k] , let the shares of ut be uti = at1i + at2i2 +⋯+ atd-1id-1 , where at1,⋯,atd-1 are vector variables with length n .

3. For i ∈ [l], execute H1(id) query to obtain = H1(idi Pi), and let .

4. For t ∈ [k], i ∈ [d0], select eti ← , and let uti = ‧ eti .

5. For t ∈ [k], i ∈ {d0 + 1,⋯,d-1}, choose d - 1 - d0 shares ,⋯, utd-1 randomly, then the values for at1,⋯,atd-1 are fixed and all l shares ut1, ⋯, utl are known.

6. For t ∈ [k], i ∈ {d0+1,⋯, l}, since is known, invoke algorithm BasisDel(, , , σ) to get a short basis for lattice , then invoke algorithm SamplePre(, , uti, σ') to get eti ∈ Zm satisfying ‧ eti = uti .

7. Return the unsigncryption key for the identity id as {eti}t∈[k],i∈[l] .

◊ sKeyExtract queries – The adversary A asks for the signature key for an identity id . The challenger C executes H2(id) query to obtain then returns

◊ Unsigncrypt queries - The adversary A provides a ciphertext C = (ide, ids, cM, c, {ct0}t∈[k],{ci}i∈[l]), an identity idu for unsigncryption, and an identity idv for verification. C does the following steps to answer.

1. If | idu ∩ id* | < d compute = uKeyExtract (idu) , then invoke algorithm Unsigncrypt(C, , idv) and return its result to A .

2. If | idu ∩ id* | > d , | idu ∩ ide | > d and | idv ∩ ids | > d' , search lists H3 , G and H to look for tuples (M, ρ, hM,ρ), (ρ, Gρ) and (ρ, cM, ), such that

(1) cM = E(Gρ, M) ; (2) Let s = c - qhM,ρ , and for i ∈ [l];

(3) = qhM,ρ and ej ∈ Dn for j ∈ [l].

If such tuples exist, return M . Otherwise, output ⊥ and reject.

• Challenge – When Phase 1 ends, the adversary A selects two messages M(0) and M(1) with same length, and a signature identity id*s , sends all of them to the challenger C for challenge ciphertext. C selects b∈{0,1} randomly, does the following steps.

1. Select random ρ ∈ {0,1}k , let cM = E(G(ρ),Mb).

2. Let for t ∈ [k].

3. Let for i ∈ [l].

4. Select randomly.

Then (id*,id*s, cM, c, {ct0}t∈[k],{ci}i∈[l]) is returned.

• Phase 2 – The adversary A repeats what he did in Phase 1, with the exception that he couldn’t execute Unsigncrypt query on (idu, idv, cM, c, {ct0}t∈[k],{ci}i∈[l]) with | idu ∩ id* | ≥ d and | idv ∩ id*s | ≥ d' .

• Guess – The adversary A gives his guess b' for b which the challenger C used in Challenge phase. If b' = b , C decides the samples follow LWE oracle Os ; otherwise, C decides the samples follow uniform distribution oracle Ou .

6.2 Ciphertext unforgeability of Construction 2

Theorem 6.2 Let . If the SISn,2ml,q,β problem is hard to solve, then Construction 2 is existentially unforgeable against chosen message attack under selective identity model. In other words, Construction 2 is EUF-sID-CMA secure under the hardness of the SISn,2ml,q,β problem.

Particularly, let A be a PPT adversary attacking EUF-sID-CMA security of Construction 2, then there exists a challenger C that can solve an SISn,2ml,q,β problem instance.

Proof. Let . The challenger C will construct a non-zero short vector e** ∈ Z2ml , such that Ae** = 0 and ║e**║2 ≤ β .

To end this aim, the adversary A and the challenger C behave as follows.

• Target – The adversary A decides an identity id* to be his attack target, and returns id* to the challenger C.

• Setup – The challenger C gives the public parameter PP in the following manner.

1. For i ∈ [l], select randomly. Use the Chinese remainder theorem to obtain such that Ui" = Ui(modq), Ui" = Ui'(modp), Xi" = Xi(modq), Xi" = Xi'(modp).

2. For i ∈ [l], Sample .

3. For t ∈ [k], select uniformly and randomly.

4. Return the public parameter PP = ({Ai,b}i∈[l],b∈{0,1}, {ut}t∈[k]).

• Query – In this phase, the adversary A has the right to ask the following queries with a number of polynomial bounded, and the challenger C must return reasonable answers.

◊ H1 queries – The adversary A asks for H1(id) for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

1. For id = (id1, ⋯, idl), i ∈ [l], run algorithm SampleRwithBasis () to obtain a random ← Dmxm and a short basis for lattice .

2. Save in list H1 and return (H1(idi Pi) = )i∈[l].

◊ H2 queries – When A asks for H2(id) for an identity id = (id1, ⋯, idl), the challenger C answers as follows.

1. If id = id* , for i ∈ [l], when idi = 0 , let ; when idi = 1, let . Save (id,(H2(id Pidi Pi), ‧ H2(id Pidi Pi)-1,⊥)i∈[l]) in list H2, and return (H2(id Pidi Pi))i∈[l].

2. If id ≠ id* , for i ∈ [l], invoke algorithm SampleRwithBasis() to obtain and a short basis for lattice . Save in list H2 and return (H2(id Pidi Pi) = )i∈[l].

◊ uKeyExtract queries – The adversary A asks for the unsigncryption key for an identity id = (id1, ⋯, idl), and the challenger C answers as follows.

1. For t ∈ [k], select a random polynomial vector ft ∈ Rn of degree d - 1 such that R = Zpq[x] and ft(0) = ut . Let for i ∈ [l]. By Shamir’s (d, l) threshold scheme, for I ⊆ [l] such that | I | ≥ d , ut = Σi∈ILi ‧ uti(modpq), where Li is the associated Lagrangian coefficient.

2. Look for list H1 to get (id,((idi□i),, , )i∈[l]). If the tuple doesn’t exist, execute, H1(id) query firstly.

3. For t ∈ [k], i ∈ [l] , run SamplePre(, , uti, σ') to get eti ∈ Zm satisfying ‧ eti = uti .

4. Return ukid = {eti}t∈[k],i∈[l].

◊ sKeyExtract queries – When A asks for the signature key of an identity id = (id1, ⋯, idl), the challenger C performs as follows.

1. If | id ∩ id* | ≥ d' , return ⊥.

2. If | id ∩ id* | < d' , look for list H2 to obtain , return If id doesn’t exist in list H2, execute H2(id) query firstly.

◊ Signcrypt queries – When A asks for the ciphertext associated with message M , the signature identity ids , and the encryption identity ide , the challenger C performs as follows.

1. Select random id' such that | ids ∩ id' | ≥ d' , search list H2 to obtain If id' doesn’t exist in list H2, execute H2(id') query firstly.

2. Execute Signcrypt  to obtain the ciphertext C and return it.

• Forge – The adversary A replies to the challenger C with a valid ciphertext C* as well as an encryption identity id*e . Then C does the following steps to get a non-zero short vector e** ∈ Z2ml , such that Ae** = 0 and ║e**║2 ≤ β .

1. Look for list H1 to get . If the tuple doesn’t exist, execute H1(id*e) query firstly.

2. Execute Unsigncrypt to obtain a signature (M*, ρ*, (e1*, ⋯, el*), id*).

3. C* is a valid ciphertext, so (M*, ρ*, (e1*, ⋯, el*), id*) is valid, that is to say, for i∈[l], ei* ∈ Dn , and there is a subset J ⊆ [l], | J | = d' , such that .

4. Without loss of generality, suppose J = {1,2⋯,d'} . For i ∈ [d'], if id*i = 1 , .

5. Output as a solution to the SISn,2ml,q,β problem.

The analysis is as follows.

1. (M*, ρ*, (e1*, ⋯, el*), id*) is a valid signature, so ei* ∈ Dn , and , namely, .

2. For i ∈ [d'], .

3. The range of H3 follows uniform distribution, the probability of H3(M,ρ) = 0 is negligible, so that the probability e** = 0 is also negligible.

Consequently, e** is a solution to the SISn,2ml,q,β problem.

 

7. Efficiency analysis of the Construction 2

In this section, we analyze the efficiency of the Construction 2 and make a performance comparison among our construction and the other two primary lattice-based signcryption schemes[24,25]. The details are shown in Table 1.

Table 1.Note: public key size, private key size and ciphertext increments are denoted by number of bits; SP denotes SamplePre algorithm; SD denotes the algorithm of sampling from a discrete Gaussian distribution over lattice; MV denotes matrix vector multiplication; and RO denotes the scheme is proved in the random oracle model.

The data of the former two columns come from Ref. [26], and we analyze the data of the third column in details as follows.

The parameters q = poly(n), m = n1.5, and pq ∈ [n6 ‧ 25l , 2n6 ‧ 25l], where l is the length of an identity. As in Ref. [26], we assume the length of the message is , which is denoted k in our scheme.

For master public key , so that the size is 2ln2.5 log(pq) + nlogq ‧ nlog(pq) = (2ln2.5 + n2 logq)log(pq). For master private key ({Ti,b}i∈[l],b∈{0,1}), T ∈ Zmxm and ║Ti,b║ ≤ O(nlog(pq)), let ║Ti,b║ = nlog(pq), then the size is 2l(n1.5)2 log(nlog(pq)) = 2ln3 log(nlog(pq)). For ciphertext increments, we assume the symmetric encryption scheme (E,D) has no ciphertext increments, then the ciphertext increments include

then the total increments are

nlog(pq) + nlogq ‧ log(pq) + ln1.5 log(pq) = nlog(pq) ‧ (1 + logq + ln0.5).

For computation cost, we lose sight of the simple operations such as addition, single vector inner product, hash, symmetric encryption, etc., and merely think about the following three operations: matrix vector multiplication, MV; sampling from a discrete Gaussian distribution over lattice, SD; SamplePre algorithm, SP. Note there is operation of matrix reverse, we ignore it because it can be precomputed in our scheme.

Specific to signcryption cost, it is l(SP + MV) + nlogq SD; specific to unsigncryption cost, it is l(SP + (2 + nlogq)MV)+ nlogq SD.

In conclusion, Ref. [24] and Ref. [25] belong to public key cryptosystems and our scheme belongs to identity-based cryptosystems, and due to our scheme’s fuzziness property, we deal with messages bit by bit, therefore our scheme isn’t as efficient as Refs. [24] and [25]. But our scheme has its own advantages as follows: it doesn’t base on public key infrastructure; it has more flexible unsigncryption users structure; and comparing with signature-then-encrypt mode, it is more efficient.

 

8. Summary and conclusions

In this paper, we propose the first fuzzy identity-based signcryption scheme based on lattice assumptions. At first, we give a fuzzy identity-based signcryption scheme that has indistinguishability against chosen plaintext attack under selective identity model. Then we apply Fujisaki-Okamoto method to get a fuzzy identity-based signcryption scheme that has indistinguishability against adaptive chosen ciphertext attack under selective identity model. At last, we prove our scheme is existentially unforgeable against chosen message attack under selective identity model. As we know it, our scheme is the first fuzzy identity-based signcryption scheme that is secure even facing a quantum computer. However, our scheme is proved under the random oracle model, and it is valuable to build a fuzzy identity-based signcryption scheme from lattices under the standard model.