Revocable ID-Based Signature with Short Size over Lattices

ThisisanopenaccessarticledistributedundertheCreativeCommonsAttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. In the past, many ID-based signature (IBS) schemes based on the integer factorization or discrete logarithm problems were proposed. With the progress on the development of quantum technology, IBS schemes mentioned above would become vulnerable. Recently, several IBS schemes over lattices were proposed to be secure against attacks in the quantum era. As conventional public-keysettings,ID-basedpublic-keysettingshavetoofferarevocationmechanismtorevokemisbehavingormalicioususers.However, inthepast,littleworkfocusesontherevocationproblemintheIBSschemesoverlattices.Inthisarticle,weproposeanewrevocable IBS(RIBS)schemewithshortsizeoverlattices.Basedontheshortintegersolution(SIS)assumption,weprovethattheproposed RIBSschemeprovidesexistentialunforgeabilityagainstadaptivechosen-messageattacks.AscomparedtotheexistingIBSschemes overlattices,ourRIBSschemehasbetterperformanceintermsofsignaturesize,signingkeysize,andtherevocationmechanism withpublicchannels.


Introduction
The perception of identity-based cryptography (IBC) was first proposed by Shamir [1] in 1984.In IBC, a user's public key can be derived from her/his identity such as email address and physical IP address.The private keys of users are generated by a trusted private key generator, named PKG.The private keys are, respectively, given to the corresponding users using secure channels.As contradicted to conventional public-key settings, IBC removes the need of certificate management.By following Shamir's perception, Boneh and Franklin [2] proposed a practical identity-(ID-) based encryption (IBE) scheme based on bilinear pairings.
The public key of a user is legal before its intended expiration date, but several circumstances must force to revoke it.So a public-key setting should offer a revocation method or mechanism to revoke the associated public keys of misbehaving or malicious users.Indeed, Boneh and Franklin [2] proposed not only a practical IBE scheme but also a revocation method for ID-based public-key setting.In their revocation method, the PKG periodically generates the new private keys for all nonrevoked users and securely sends the periodic private keys to these users, respectively.In such a case, a secure channel between the PKG and each nonrevoked user must be established to send the periodic private key.However, the size of the PKG's key update equals the amount of all nonrevoked users.Afterward, Boldyreva et al. [3] employed a tree structure to propose a new revocable IBE (RIBE) scheme.In the RIBE scheme, the size of the PKG's key update is reduced to the logarithm of the amount of all nonrevoked users, but the private key size of each user will increase from constant to the logarithm of the amount of all nonrevoked users.Nevertheless, two mentioned revocation mechanisms above still require encryption/decryption to send periodic private keys to users.Thus, the required periodic encryption/decryption will raise the workloads of both the PKG and users.To eliminate the requirement of encryption/decryption, Tseng and Tsai [4] proposed a new RIBE scheme with a public channel.In their RIBE scheme, the PKG and users do not need to encrypt/decrypt the periodic private keys.It provides an alternative which is more practical than the previously proposed revocation solutions.
The security of today's universally used public-key cryptographies (including the mentioned IBC above) is based on the prime factoring assumption or the hardness of the discrete logarithm problem.With the progress on the development of quantum technology, the computational power of quantum computers would cause instant threat to these public-key cryptographies [5].Accordingly, this has motivated the era of postquantum cryptography (PQC).Among several postquantum research areas, lattice-based publickey cryptography has received the most significant attention from researchers.When compared with other (PQC) cryptographies, lattice-based public-key cryptography can provide more efficiency in public-key encryption and digital signature schemes.In the past five years, there has been a tremendous growth in lattice-based public-key cryptography and its related schemes have become viable.
Related Work.To combine the advantages of IBC and lattices, Ruckert [6] proposed the first two ID-based signature (IBS) schemes over lattice assumptions.To improve the efficiency and security, several lattice-based IBS schemes [7][8][9][10] have been proposed.In [7,8], they employed Gentry et al. 's signature scheme [11] with a user's identity to generate the corresponding signing key.By the signing key, the user can run a preimage sampling algorithm (i.e., lattice basis delegation) [12] to obtain a signature.According to Gentry et al. 's signature scheme, the user's signing key is a short basis of a lattice.In such a case, two lattice-based IBS schemes [7,8] would be inefficient in practice since the signing key size and the signature size will increase dramatically after lattice basis delegation.
Based on the lattice-based IBS scheme in [8], Tian and Huang [9] replaced the preimage sampling algorithm with the rejection sampling technique [13] to generate a signature.Their signature scheme can be viewed as an identity-based version of Lyubashevsky's signature scheme [13].The advantage of Tian and Huang's lattice-based IBS scheme is to reduce the signature size and computation overhead of generating a signature.In 2016, inspired by the IBE scheme over NTRU lattice proposed by Ducas et al. [14], Xie et al. [10] employed their key extract algorithm to further improve the size of a user's signing key.However, these lattice-based IBS schemes mentioned above did not address the revocation problem.Indeed, these lattice-based IBS schemes would use Boneh and Franklin's periodic revocation mechanism [2] to achieve revocation functionality.However, in the revocation mechanism, the PKG and nonrevoked users require encryption/ decryption to send periodic signing keys to users.
Recently, Xiang [15] adopted the binary tree structure used in [3] to construct a revocable IBS (RIBS) scheme over lattices.As the advantage of Boldyreva et al. 's scheme [3], the size of the PKG's key update is reduced to the logarithm of the amount of all nonrevoked users.Indeed, Xiang's scheme also inherits the disadvantages that occurred in Boldyreva et al. 's scheme [3], namely, the private key size of a user increases from constant to the logarithm of the number of users, and encryption/decryption are required to securely send the users' periodic signing keys.Meanwhile, the signing key size, signature size, and computational cost in Xiang's scheme turn out to be inefficient.

Contribution.
In this article, we employ the revocation idea of Tseng and Tsai [4] to propose an efficient RIBS scheme over lattices while the size of a user's signing key remains constant.In our RIBS scheme, a user's signing key consists of two components, namely, initial key and time update key.The initial key is fixed and unchanged, while the time update key is changed along with time-period.The PKG periodically generates new time update keys and then sends them to nonrevoked users using a public channel.If the PKG would like to revoke misbehaving users, the PKG just stops issuing the new time update keys for those users.Thus, a RIBS scheme must address two kinds of adversaries: an inside adversary (or a revoked user) and an outside adversary.Based on the short integer solution (SIS) assumption over lattices [16], we prove that the proposed RIBS scheme provides existential unforgeability against adaptive chosen-message attacks for a revoked user and an outside adversary.As compared to the existing lattice-based RIBS schemes, our scheme possesses the following properties: (i) Both the initial key and time update key of a user are generated using the Gaussian sampling technique over NTRU lattice.The point is that both keys are small and independent of the number of users in the system.
(ii) We employ the rejection sampling technique [13] to generate a signature while the signature size is lesser than that of the signature scheme using the preimage sampling algorithm.
(iii) The PKG and nonrevoked users do not need to encrypt/decrypt the periodic time update keys.
In summary, as compared with previously proposed IBS and RIBS schemes over lattices, our scheme possesses better performance in terms of signing key size, signature size, and the revocation mechanism.
Organization.The rest of this article is arranged as follows.Section 2 presents several important preliminaries.In Section 3, the syntax and adversary models of RIBS schemes are given.The proposed RIBS scheme over lattices is presented in Section 4. In Section 5, the security of the proposed RIBS scheme is formally analyzed.In Section 6, performance analysis and comparisons are made to demonstrate the advantages of the proposed scheme.In Section 7, conclusions are given.

Preliminaries
Here, we review several fundamental concepts and assumptions of lattices.
2.1.Notations.Throughout this article, let  be the set of real numbers,  be an integer with the type power-of-two,  be the set of integers, and, for  ∈ ,   be the set of integers in the set [−/2, −/2).‖x‖ denotes the Euclidean norm of a vector x.‖X‖ represents the norm of a matrix X which is defined as the largest norm of its columns.Let   =   []/(  + 1) be the ring of polynomials modulo   +1 with coefficients in   .For  = ∑ −1 =0     and  = ∑ −1 =     in   , let  +  and Security and Communication Networks 3  ⋅  denote, respectively, the addition and multiplication in   , defined by Here, the coefficients of  +  and  ⋅  are reduced modulo  into the set   .For convenience, an element  in   will be written as a polynomial For any set B = {b 1 , . . ., b  } ⊂   of linearly independent vectors, let B = { b1 , . . ., b } denote its Gram-Schmidt orthogonalization, defined iteratively in the following way: b1 = b 1 , and for each  = 2, . . ., , b is the component of b  orthogonal to span (b 1 , . . ., b −1 ).Clearly, ‖ B‖ ≤ ‖B‖.

Lattice.
A lattice is a set of points in -dimensional space with a periodic structure [16].Let b 1 , b 2 , . . ., b  be  linearly independent vectors in   .These linearly independent vectors can generate a (-dimensional) lattice Λ that is denoted by as a basis of the lattice Λ.

Anticirculant Matrices.
Anticirculant matrices have become one of the most important and active research fields in recent years since they possess a special structure and nice properties.
Definition 1.An -dimensional anticirculant matrix with  = ∑ −1 =0     is represented as in the following Toeplitz matrix: For convenience, we denote   () as () in this article.Anticirculant matrices possess the following important property.
Lemma 2 (see [14]).() + () = ( + ) and () × () = ( ⋅ ), where ,  ∈   .[17] is a lattice-based cryptosystem that relied on a particularly efficient class of convolution modular lattices, called NTRU lattices.We briefly review the concept of NTRU lattices on which our scheme is based.Definition 3. Assume that  is a positive integer and  is a power-of-two integer while ,  ∈   and ℎ = ⋅ −1 .By using ℎ and , a NTRU full-rank lattice of  2 is represented as

NTRU Lattices. NTRU
Indeed, the NTRU full-rank lattice Λ ℎ, is generated by the matrix where   and   are, respectively, the  ×  unit matrix and  ×  null matrix.However, if ℎ is uniformly distributed in   , then the basis A ℎ, is unsuitable for solving the closed lattice vector problem.To compensate this, Hoffstein et al. [18] constructed an appropriate basis for Λ ℎ, while satisfying  ⋅  −  ⋅  = , where ,  ∈   .Indeed, it can be computed efficiently to find such  and .Moreover, B , provides a short basis for Λ ℎ, due to the fact ‖B , ‖ ≤ ‖A ℎ, ‖ by Lemma 4 below.
Gentry et al. [11] proposed the Gaussian sampling technique as the trapdoor generation algorithm to produce a trapdoor of a one-way function.Ducas et al. [14] proposed a special distribution over the NTRU lattices to improve the performance of the trapdoor generation algorithm in Gentry et al. 's scheme.In this article, we adopt Ducas et al. 's scheme as the trapdoor generation algorithm as follows.
Lemma 5 (see [14]).Let  be a prime,  be a power-of-two integer, and  = 1.17√/2.Then, we can construct a probabilistic polynomial-time (PPT) algorithm (, ) which generates two polynomials  and  to output ℎ =  ⋅  −1 and a matrix B , such that ℎ is statistically close to uniform in   and B , is a short basis of Λ ℎ, .2.5.Gaussian (Normal) Distribution.Gentry et al. [11] proposed the Gaussian sampling technique as the trapdoor generation algorithm which produces a trapdoor without leaking any information of the short basis.Before we introduce Gentry et al. 's method, we define Gaussian distributions.Definition 6.The continuous Gaussian distribution over   centered at c ∈   with the standard deviation  > 0 is defined by the function In this sequel, we can curtail   ,0 as    and   ,0 as    , respectively.On the other hand, Lyubashevsky [13] proposed an interesting fact of   ,k (x), the discrete normal distribution in dimension  with standard deviation  at center k.
2.6.Sampling Algorithms.Micciancio and Regev [19] defined a lattice parameter to determine the amount of Gaussian noise that one has to add to a lattice in order to get close to a uniform distribution.By Micciancio and Regev's method, Gentry et al. [11] proposed a sampling algorithm as follows.
Lemma 9 (see [11]).Let  be a prime and B be a short basis of an -dimensional lattice Λ.If  ≥ ‖ B‖ ⋅ (√log ) and 0 <  < 1, then, for any c ∈   , we have the following properties: (  [13] adopted the rejection sampling technique to sign a message.When a user with ID would like to sign a message with a signing key  ID , she/he first chooses a vector y ∈    .And then the user sets a candidate signature z as y +c⋅ ID where c is a hash value of message.Let F be the target distribution of the signature z which is independent of  ID .If  is a probability distribution and  > 0 while satisfying F(x) ≤  ⋅ (x) for all x, then the candidate signature z can be output successfully with probability F(z)/ ⋅ (z), and  is the expected number of times required for outputting a signature.

Hardness Assumptions.
In the following, we present a mathematical problem, namely, the short integer solution (SIS) problem, which has at least the same difficulty with the worst case of short independent vector problem (SIVP) up to a polynomial approximation factor [16].

Syntax and Adversary Model of RIBS
In the following, we define the syntax and adversary model of RIBS schemes.Definition 11.A RIBS scheme includes five algorithms: (i) Setup.The algorithm takes a system parameter  and the amount  of all time-periods as input and publishes public parameters Parms and sets a system secret key  PKG in secret.
(ii) Initial Key Extract.Given a user's ID and the system secret key  PKG , it computes and sends the initial key  ID to the user.
(iii) Time Key Update.Given a time-period , a user's ID, and the system secret key  PKG , this algorithm computes and sends the time update key  ID, to the user.
(iv) Signing.This algorithm takes a message , a user's signing key  ID, , and a time-period  as input.It then returns a signature  on .
(v) Verification.This algorithm takes a message , a signature , a user's ID, and a time-period  as input.
It returns "accept" if  is valid and "reject" otherwise.
By the framework of the RIBS scheme, a user's signing key consists of two components, namely, initial key and time update key.Thus, the associated adversary model consists of two kinds of adversaries: an inside adversary (or a revoked user) and an outside adversary.
Definition 12.For a RIBS scheme, if there exists no PPT adversary A (a revoked user or an outside adversary) who has nonnegligible probability to forge a valid signature under adaptive chosen-message attacks, we say that the RIBS scheme is existentially unforgeable or RID-UF-ACMA secure.In the following RID-UF-ACMA game, the adversary A may interact with a challenger C to obtain some useful information. (

Efficient RIBS Scheme over NTRU Lattices
The proposed RIBS scheme over NTRU lattices includes five algorithms.
(ii) Initial Key Extract.Given a user's ID ∈ {0, 1} * , the PKG first calculates  0 (ID) and then uses the system secret key  PKG = B to run the algorithm (B, ,  0 (ID)) in Lemma 9 to output a sample (s 1 , s 2 ) such that ‖(s 1 , s 2 )‖ <  √ 2 and s 1 + ℎ ⋅ s 2 =  0 (ID).Then, the PKG sets the initial key  ID = (s 1 , s 2 ) and sends the user with  ID using secure channel.In fact, if one knows (ℎ,  0 (ID)) and chooses   ( = 1, 2) from a Gaussian distribution instead of a uniform one, then recovering   is as hard as solving worst-case lattice problems [21].
(iii) Time Key Update.Upon receiving a time-period  and a user's ID ∈ {0, 1} * , the PKG first calculates  1 (ID, ) and uses the system secret key  PKG = B to run the algorithm (B, ,  1 (ID, )) to output a sample (s 3 , s 4 ) such that ‖(s 3 , s 4 )‖ <  √ 2 and s 3 + ℎ ⋅ s 4 =  1 (ID, ).Then, the PKG sets the time update key  ID, = (s 3 , s 4 ) and sends the user with  ID, using public channel.Meanwhile, the user sets the signing key  ID, = ( ID ,  ID, ).In fact, if one knows (ℎ,  1 (ID, )) and chooses   ( = 3, 4) from a Gaussian distribution instead of a uniform one, then recovering   is as hard as solving worst-case lattice problems [21].
(v) Verification.Given a signature (z 1 , z 2 , c) on a message  for a user's ID at a time-period , a verifier validates the signature by checking the following equality: If the equality holds, the Verification algorithm returns "accept" and "reject" otherwise.
Here, the correctness of the equality follows from

Security Analysis
In this section, we demonstrate the security of the proposed RIBS scheme.In our RIBS scheme, a user's signing key includes two parts, namely, the initial key and time update key.To revoke a user, the PKG simply stops issuing the user's periodic time update key.As the RID-UF-ACMA game presented in Definition 12, the adversary may get either the time update key or the initial key, but not both.Hence, there are two kinds of adversaries to be concerned with, namely, revoked user and outside adversary.An outside adversary cannot access the target's initial key, but it may get all time Security and Communication Networks update keys.Since a revoked user has already owned the associated initial key, the user cannot get the periodic time update key.Firstly, we adopt the key extract algorithm in Ducas et al. [14,Algorithm 3] to generate both initial keys and time update keys.Based on Ducas et al. [14], Lemma 13 demonstrates that our scheme is secure against the ID forgery attacks.Moreover, Theorem 14 demonstrates that the proposed RIBS scheme is secure for an outside adversary and a revoked user.Lemma 13.Our RIBS scheme is secure against ID forgery attack.
Proof.In our scheme, we adopt the key extract algorithm in Ducas et al. [14] to generate initial keys.Let ℎ =  ⋅  −1 be the public key and be a short basis of the NTRU, where , , ,  ∈   ,  ⋅  −  ⋅  = , ‖‖ <  √ , and ‖‖ <  √ .The initial key (s 1 , s 2 ) is generated by (B, ,  0 (ID)) to output a sample s 1 as the first component of the initial key and determine the second component s 2 such that s 1 + ℎ ⋅ s 2 =  0 (ID) ∈    .By the security analysis of [14], no PPT adversary A may find (s 1 , s 2 ) with nonnegligible advantage.Therefore, the proposed RIBS scheme is secure against ID forgery attacks.Theorem 14. Assume that there exists a PPT adversary A (an outsider or a revoked user) who can break the proposed RIBS scheme with nonnegligible probability  in the random oracle model.Based on the adversary A, we then construct a PPT algorithm C to compute the −SIS problem with nonnegligible probability (1 − 2 −(log ) ), where  is the system parameter.
Proof.Here, we demonstrate only the case when A is an outside adversary since the other case when A is a revoked user can be proved similarly.Without loss of generality, an algorithm C receives a random instance (, 2, 4 √ 2 + 2 √ 2,   + 1) of the  − SIS problem, where  is a prime,  is a positive integer, and , ,  > 0. We will show how C can make use of the adversary A to output the −SIS solution which is nonzero vector (u 1 , u 2 ) ∈  2  .The algorithm C plays the challenger and interacts with the adversary A as follows.

Comparisons
Table 1 presents the comparisons among Tian and Huang's IBS scheme [9], Xiang's RIBS scheme [15], and our RIBS scheme in terms of lattice type, signing key size, signature size, computation cost of signing phase, computation cost of verifying phase, revocable functionality, and security property under the same system parameter .
Both Tian and Huang's IBS and Xiang's RIBS schemes adopted the GPV lattice in [11] to generate a user's signing key.In our scheme, we adopted the NTRU lattice in [14] to generate a user's signing key.It is obvious that both the signing key and signature sizes of our scheme are less than those of both Tian and Huang's IBS and Xiang's RIBS schemes.For the computation cost of the signing phase, both Tian and Huang's IBS scheme and ours use the rejection sampling technique to generate a signature, in which the rejection sampling technique would repeat the signing phase at average 7 times so that their total computation costs are, respectively, 7( + )  and 7( 2 + 2)  , where   is the cost of executing a multiplication operation in   .In Xiang's RIBS scheme [15], a user runs the Samplepre algorithm in [12] to obtain a signature so that it requires 2  +  sp , where  sp is the cost of executing the Samplepre algorithm.For the computation cost of the verifying phase, three schemes, respectively, require (+)  , 3  , and ( 2 +)  .Since  > 6 log , it is clear that our scheme has better performance in terms of the computation costs for the signing
i) Initialization.C performs the setup algorithm to set Parms and  PKG .The PKG sends Parms to the adversary A and keeps  PKG in secret.ID .C then sends  ID to A. (b) Time Key Update Query.Upon receiving a user's ID and a time-period , C performs the time key update algorithm to generate  ID, .C then sends  ID, to A. (c) Signing Query.Upon receiving a message , an identity ID, and a time-period , C uses  ID, = ( ID ,  ID, ) to perform the  algorithm to obtain a signature .C then sends  to A.(iii) Forgery.If A with nonnegligible probability can forge a signature tuple ( * , ID * ,  * ,  * ) that fulfills three following conditions, we call that A with nonnegligible probability wins the game.We define the nonnegligible probability as the advantage of A in the game.
(ii) Queries.A can adaptively request a number of different queries as follows.(a)Initial Key Extract Query.Upon receiving an identity ID, C performs the initial key extract algorithm to generate (1) For ( * , ID * ,  * ,  * ), the verification algorithm outputs "accept."(2) The tuple ( * , ID * ,  * ) is not issued during the signing query.(3) If A is an outside adversary, ID * is not issued during the initial key extract query.(4) If A is a revoked user (inside adversary), (ID * ,  * ) is not issued during the time key update query.

Table 1 :
1 ,  2 ⟩, where the hash functions  0 ,  1 , and  2 are viewed as random oracles controlled by C. Finally, C returns Parms to A.(ii) Queries.The challenger C responds to these queries issued by the adversary A as follows.(a)0 Query.At any time, A can issue the query along with ID  .To respond to the query, C maintains an initially empty list  0 of tuples of the form ⟨ID  ,  ID , DID  ⟩.When A queries the oracle  0 with ID  , C responds to A with  ID according to the following rules.(1)If ID  appears in a tuple ⟨ID  ,  ID , DID  ⟩ in  0 , then C responds with  ID .(2) Otherwise, the challenger C randomly chooses  1 ,  2 ∈    such that ‖(s 1 , s 2 )‖ <  √ 2.Then C computes the polynomial  ID = s 1 + ℎ ⋅ s 2 and adds the tuple ⟨ID  ,  ID , DID  = (s 1 , s 2 )⟩ in  0 .C responds to A with  ID .(b)  1 Query.At any time, A can issue the query along with (ID  , ).To respond to the query, C maintains an initially empty list  1 of tuples of the form ⟨ID  , ,  1 ,  ID, ⟩.When A queries the oracle  1 , C responds to A with  1 according to the following rules.(1) If (ID  , ) appears in a tuple ⟨ID  , ,  1 ,  ID, ⟩ in  1 , then C responds with  1 .(2) Otherwise, the challenger C randomly chooses s 3 , s 4 ∈    such that ‖(s 3 , s 4 )‖ <  √ 2.The challenger C sets the user's time update key  ID, = (s 3 , s 4 ) and computes  1 = s 3 + ℎ ⋅ s 4 .Then C adds the tuple ⟨ID  , ,  1 ,  ID, ⟩ in  1 .C responds to A with  1 .(c)  2 Query.At any time, A can issue the query along with (y  ,   ).To respond to the query, C maintains an initially empty list  2 of tuples of the form ⟨y  ,   , c  ⟩.When A queries oracle  2 , C responds to A with c  according to the following rules.(1) If (y  ,   ) appears in a tuple ⟨y  ,   , c  ⟩ in  2 , then C responds with c  .(2) Otherwise, C randomly chooses c  ∈   .Then, C adds the tuple ⟨y  ,   , c  ⟩ to the list  2 .Finally, the challenger C responds to A with c  .(d) Initial Key Extract Query.When A issues the query along with ID  , C first looks up the list  0 to find the tuple containing DID  associated with ID  and send it to A. If no such tuple is found in  0 , C obtains DID  by issuing the  0 (ID  ) query and responds to A with DID  .(e) Time Key Update Query.When A issues the query along with (ID  , ), C first looks up the list  1 to find the tuple containing  ID, associated with (ID  , ) and send it to A. If no such tuple is found in  1 , C obtains  ID, by issuing the  Comparisons between the existing IBS/RIBS schemes and our RIBS scheme.  : the cost of executing a multiplication operation in   ;  sp : the cost of executing the Samplepre algorithm in [12].⟨ID  , ,  1 ,  ID, ⟩, respectively.Then, C randomly chooses y  , z 1 , z 2 ∈    and computes c  = (z 1 +ℎ⋅z 2 −y  )/( ID + 1 ).C adds ⟨y  ,   , c  ⟩ in the list  2 and returns the signature (z 1 , z 2 , c  ) on   .Even though the challenger C does not hold the associated initial key and time update key, the generated tuple (z 1 , z 2 , c  ) is still a valid signature.The reason is that the signature (z 1 , z 2 , c  ) can pass the verification 1 (ID  , ) query and responds to A with  ID, .(f) Sign Query.Upon receiving this query on (  , ID  , ), the challenger C performs the following steps to generate a valid signature.First, C looks up the lists  0 and  1 to obtain, if there exist, the associated tuples ⟨ID  ,  ID , DID  ⟩ and for identity ID * at the period  * with nonnegligible probability.Note that ID * is not issued during the initial key extract query or (ID * ,  * ) is not issued during the time key update query.  ) are two valid signatures for ( * , ID * ,  * ), we have the equality (g) Forgery.Finally, the adversary A forges a valid signature tuple (z * 1 , z * 2 , c *  ) on message  *