Efficient Lattice-Based Signcryption in Standard Model

Signcryption is a cryptographic primitive that performs digital signature and public-key encryption simultaneously at a significantly reduced cost. This advantage makes it highly useful in many applications. However, most existing signcryption schemes are seriously challenged by the rise of quantum computation. As an interesting stepping stone in the post-quantum cryptographic community, two lattice-based signcryption schemes were proposed recently, but both were proved secure only in the random oracle model. Therefore, the main contribution of this paper is to propose a new lattice-based signcryption scheme that can be proved secure in the standard model.


Introduction
In many situations, we need to realize confidentiality, integrity, authentication, and non-repudiation simultaneously. There are generally two approaches to accomplish this task: the signature-then-encryption approach and signcryption, proposed by Zheng [1]. Compared with the former, signcryption performs both signature and encryption simultaneously at a lower cost. Hence, signcryption is more appropriate in many environments such as smart cards, mobile communications, and electronic commerce. To date, many efficient signcryption schemes [2][3][4][5][6] have been designed based on various number-theoretic assumptions. However, cryptography based on number theory has been seriously challenged by the rise of quantum computation. Under this situation, many researchers are probing new cryptosystems built on new security foundations, such as quantum cryptography [7][8][9], chaos cryptography [10,11], DNA cryptography [12], and so forth. However, as far as we know, there are no efficient signcryption schemes based on these new foundations. Therefore, we turn our attention to another emerging branch of modern cryptography, post-quantum cryptography, which includes lattice-based cryptography, code-based cryptography, hash-based cryptography, and multivariate cryptography [13].
Recently, Li et al. [14] (LMK12) and Wang et al. [15] (WHW12) succeeded in designing signcryption schemes based on lattices. Lattice-based cryptography has been regarded as the most attractive option for resisting quantum attacks. Meanwhile, it has many important advantages. Firstly, the security of lattice-based cryptography is based on the worst-case hardness of lattice problems, while the earlier cryptography built on number theory is based on average-case hardness. Secondly, the main operations in a lattice-based cryptographic scheme are additions and multiplications over a moderate modulus (say not larger than 1024). Thus, taking a long-term view, lattice-based cryptosystems can be performed extremely rapidly compared to the currently used cryptosystems (such as RSA), in which exponentiations over a huge modulus (say not less than 2^1024) are always involved.
However, both Li et al.'s scheme and Wang et al.'s scheme are proved secure only in the random oracle model. After the publication of Canetti's critical statement on provable security reductions based on random oracles (ROMs) [16], it has always been an interesting practice to design and prove cryptographic schemes that do not rely on ROMs. In this paper, we construct a lattice-based signcryption scheme and present its security reductions without using ROMs. Our original ideas can be formulated as follows. The lattice trapdoor construction of [17] has the advantages of a small trapdoor and a small public key, but its public key encryption scheme can only achieve CCA1 security. The challenger cannot answer decryption queries in phase two for a ciphertext whose first tuple  is identical to the first tuple  0 in the challenge ciphertext. Moreover, the ciphertext of [17] is malleable. One of the typical methods for transforming an encryption scheme from CCA1 to CCA2 is to use a one-time strongly unforgeable signature to ensure the non-malleability of ciphertexts. However, this method increases the ciphertext length and the encryption/decryption time. We instead set  to be the hash value (, ), where  is a random number and  is the signature generated in the signcryption process. The domain of  is large enough that the probability that the first tuple in a normally generated ciphertext equals  0 is negligible. Hence, the challenger can answer the decryption queries in phase two. Further, we use the CCA security of the symmetric encryption and the collision resistance of the hash function  to prevent malleability of the ciphertext.
In the proof, the hash function  can be replaced with a chameleon hash function   , so the challenger can generate  0 to form the challenge ciphertext. If there exists an adversary who can forge a valid ciphertext, he/she can find a collision of   . The probability of this event is negligible according to [18], so our signcryption scheme achieves CCA2 security. The strong unforgeability of the signcryption follows from the strong unforgeability of the underlying signature. In summary, the proposed scheme is (i) indistinguishable against inner adaptively chosen ciphertext attacks (IND-CCA2) under the learning with errors (LWE) assumption in the standard model and (ii) strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA) under the small integer solution (SIS) assumption in the standard model.
Here, the term "inner" means that in the IND-CCA2 (resp., SUF-CMA) game, the sender (resp., receiver) who possesses the signing (resp., decryption) key is allowed to launch the corresponding attacks. Apparently, an "inner" attacker is much stronger than an outer one. Thus, the inner security of our proposal also implies its outer security. In addition, our scheme has advantages both in computational cost and in public/private key size. Our main contribution is summarized in Table 1. In order to keep the trapdoors consistent, we construct a chameleon hash function using the new trapdoor technique of [17], which may be of independent interest. In fact, our chameleon hash function is similar to the one in [19]. Although the chameleon hash function in [19] could be used in our scheme, it would require two different kinds of trapdoor techniques and reduce efficiency.
The rest of this paper is organized as follows. In Section 2, the necessary preliminaries on lattice-based cryptographic assumptions and algorithms are introduced. In Section 3, the security models of signcryption, including the IND-CCA2 game and the SUF-CMA game, are reviewed. In Section 4, the main contribution, that is, the proposed lattice-based signcryption scheme, is presented in detail, followed by the proof of its consistency. The security proofs are given in Section 5 and the performance comparisons are given in Section 6. Finally, the concluding remarks are given in Section 7.

Preliminaries
Throughout this paper, we denote the set of integers by Z, the residue classes mod  by Z  , the real numbers by R, and the real interval [0, 1) by T. The expression Z  (resp. Z   , R  ) denotes the vector space over Z (resp. Z  , R) in which every vector has  elements. Similarly, the expression Z × (resp. Z ×  , R × ) denotes the matrix space over Z (resp. Z  , R) in which every matrix has  rows and  columns. We denote the set {1, 2, . . ., } by [], for an integer  > 0. The symbol "|" denotes the string concatenation operator and "‖" denotes the matrix concatenation operator. Vectors are denoted by lower-case bold letters (e.g., x), matrices by upper-case bold letters (e.g., A), and the Gram-Schmidt orthogonalization of A by Ã. The order of a matrix's column vectors is interchangeable. The function  1 (⋅) denotes the largest singular value of a matrix. For a given distribution  over a space P, we use s← $ (P) to denote that  is picked at random from P according to the distribution . If the sampling space P is clear from the context, we also simply write s ∈  or s← $  with the same meaning. Also, we use s← $ () to denote that  is picked uniformly at random from P.

Lattice and Gaussian Distribution
Definition 1 (Lattice). An -dimensional lattice Λ is a discrete additive subgroup of R  ( ≥ ). Formally, let B = {b 1 , b 2 , . . ., b n } be  linearly independent vectors. The lattice generated by B is where B is called a basis for Λ. In many cryptographic applications, a particular family called -ary integer lattices is frequently used. For positive integers ,  (≥ ) and  and a matrix A ∈ Z ×  , the -ary lattices are defined by For integers  > 0 and  > 2, a probability distribution  over Z  and a vector s ∈ Z   , A s, is defined as the distribution of (a, a t s + x) on Z   × Z  , where a and x are chosen uniformly from Z   and , respectively.
Definition 2 (Learning with Errors (LWE) [23]). For an integer  = () and a distribution  on Z  , the goal of learning with errors LWE , is to distinguish with nonnegligible probability between the distribution A s, and the uniform distribution on Z   × Z  by accessing the oracle for the given distribution, where s ← $ (Z   ).
For  ∈ R + , Ψ  is defined as the distribution on T of a normal variable with mean 0 and standard deviation / √ 2, reduced modulo 1. When a normal variable  obeys the distribution Ψ  , Ψ  is the discretized normal distribution on Z  of the random variable ⌊ ⋅ ⌉ mod , where ⌊⌉ denotes rounding.
Proposition 3 (hardness of LWE [23]). Let  = () ∈ (0, 1) and  = () be a prime satisfying  > 2√. If there is an efficient (possibly quantum) algorithm that can solve LWE ,Ψ  , then there is an efficient quantum algorithm for approximating   within Õ(/) factors (referring to [24] for its hardness) in the worst case.
Definition 4 (Small Integer Solution (SIS) [18]). Given an integer , a real  > 0 and a matrix A ∈ Z ×  , the goal of SIS , is to find a nonzero integer vector z ∈ Z  satisfying Az = 0 mod  and ‖z‖ ≤ .
Proposition 5 (hardness of SIS, Theorem 5.16 of [18]). For any poly-bounded ,  = (), and for any prime  ≥  ⋅ (√ log ), the average-case problem  , is as hard as approximating the SIVP problem (among others) in the worst case to within certain  =  ⋅ Õ(√) factors.
Definition 6 (Gaussian measure [18]). Given any vectors c, x and a real  > 0, let be a Gaussian function around c with parameter . Its total measure is ∫ x∈R   ,c (x)x =   . The probability density function of the corresponding continuous Gaussian distribution is defined as When c = 0, it is omitted.
Proposition 8 (Claim 5.3 [23]). Let  > 1 be a constant, and let  >  log  be an integer. The columns of a uniformly random A ∈ Z ×  generate all of Z   , except with 2 −Ω() probability.

Proposition 9.
Let B be a basis of Λ ⊥ (A), where A ∈ Z ×  and the columns of A generate Z   .Let  ≥ ‖ B‖(√log ).

Universal Hashes and Chameleon Hashes.
In general, we require a hash function used in cryptographic schemes to be collision resistant. But in our construction, we need further assumptions on the hashes involved. One is the universal property and the other is the so-called chameleon property.
In addition, a special kind of hash named chameleon hash, introduced by Krawczyk and Rabin [27], is used in our work. Chameleon hash functions have the following four properties: (1) efficient forward computation, (2) the standard collision-resistance property, (3) the uniformity property, and (4) the chameleon property. We will construct a chameleon hash family based on the lattice-trapdoor technique given in [17] and prove that it has the above properties in Section 4.1; hence we do not describe these properties here in detail.

Related Algorithms for Inverting and Sampling.
Micciancio and Peikert [17] proposed new, simpler, easy-to-implement and more efficient methods to generate and utilize "strong trapdoors" in cryptographic lattices. These methods include specialized algorithms for inverting LWE, which are important for encryption and signature.
Firstly, we introduce the related matrices. Let g t = [1, 2, 4, . . ., 2 −1 ] ∈ Z 1×  ,  ∈ N. Define the matrix S k as The matrix S k can be easily constructed in the following two cases: (1) when  is a power of 2, let  = ⌈log ⌉,   = 0 for 0 ≤  ≤  − 2, and  −1 = 2; (2) when  is not a power of 2,   is the th bit of . In the former case, ‖ Sk ‖ = 2, and in the latter ‖ Sk ‖ < √ 3 by Lemma 4.3 of [17]. It can be verified that S k is a basis for Λ ⊥ (g t ).
There are two cases for :  is a power of 2 or not. In the former case, Algorithm 1 can finish this task.
In the latter case, the above algorithm still works, but the interval for the error vector e needs to be changed into For convenience, the algorithm for the latter case is also called InvertG.
The primitive vector g t and the corresponding lattice Λ(g t ) basis S k can be used to construct the parity-check matrix G and the matrix S as follows. It follows that G is a primitive matrix, and S is a basis for the lattice Λ ⊥ (G): Given an LWE instance b t =  A (s, e) = s t A + e t mod  with suitably small e ∈ Z  and the G-trapdoor T with corresponding matrix M, Algorithm 2 can recover s and e.
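As an added illustration of the gadget machinery described above (this is example code written for this page, not the paper's Algorithm 1 or 2 and not the authors' implementation), the following Python builds g^t and the basis S_k for the power-of-2 case, checks that S_k is a basis of Λ⊥(g^t), and recovers (s, e) from b^t = s^t G + e^t mod q with G = I_n ⊗ g^t. It assumes q = 2^k and error coordinates in [-q/4, q/4); the general-q case that InvertG handles with the modified error interval is not covered, and the secret and error values are constructed for the demonstration.

```python
"""Gadget vector g^t = [1, 2, 4, ..., 2^(k-1)], the basis S_k of
Lambda_perp(g^t) for q = 2^k, and the inversion step that recovers (s, e)
from b^t = s^t G + e^t mod q with G = I_n (x) g^t.
Added example, not the paper's Algorithm 1/2 or its code. Assumptions:
q is a power of two and every error coordinate lies in [-q/4, q/4)."""
from typing import List, Tuple


def gadget_vector(k: int) -> List[int]:
    """g^t = [1, 2, 4, ..., 2^(k-1)]."""
    return [1 << i for i in range(k)]


def gadget_basis_pow2(k: int) -> List[List[int]]:
    """S_k for q = 2^k as a list of columns: 2 on the diagonal, -1 just
    below it, and a lone 2 in the last column (the paper's case (1))."""
    cols = []
    for j in range(k):
        col = [0] * k
        col[j] = 2
        if j + 1 < k:
            col[j + 1] = -1
        cols.append(col)
    return cols


def basis_check(k: int) -> bool:
    """S_k is a basis of Lambda_perp(g^t): every column satisfies
    g^t * col = 0 mod q, and det(S_k) = 2^k = q = det(Lambda_perp(g^t))
    (the diagonal product, since S_k is lower triangular)."""
    q, g = 1 << k, gadget_vector(k)
    cols = gadget_basis_pow2(k)
    in_lattice = all(sum(gi * ci for gi, ci in zip(g, c)) % q == 0 for c in cols)
    det = 1
    for j in range(k):
        det *= cols[j][j]
    return in_lattice and det == q


def center(x: int, q: int) -> int:
    """Representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x >= q // 2 else x


def invert_g_scalar(b: List[int], k: int) -> Tuple[int, List[int]]:
    """Recover (s, e) from b_i = s*2^i + e_i mod q, q = 2^k, |e_i| < q/4.
    Bits of s are read from the top coordinate downwards: once the low
    bits s_low = s mod 2^j are known, b_{k-1-j} - s_low*2^(k-1-j) mod q
    equals (bit_j of s)*q/2 + e_{k-1-j}, and the centred residue tells
    the two cases apart because |e_i| < q/4."""
    q = 1 << k
    s = 0
    for j in range(k):
        i = k - 1 - j
        r = center(b[i] - s * (1 << i), q)
        bit = 0 if -q // 4 <= r < q // 4 else 1
        s |= bit << j
    e = [center(b[i] - s * (1 << i), q) for i in range(k)]
    return s, e


def invert_G(b: List[int], n: int, k: int) -> Tuple[List[int], List[int]]:
    """G = I_n (x) g^t acts block-wise, so each block of k coordinates of
    b is inverted independently with invert_g_scalar."""
    s_out, e_out = [], []
    for blk in range(n):
        s, e = invert_g_scalar(b[blk * k:(blk + 1) * k], k)
        s_out.append(s)
        e_out.extend(e)
    return s_out, e_out


def lwe_sample_G(s: List[int], e: List[int], k: int) -> List[int]:
    """Constructed instance b^t = s^t G + e^t mod q used to exercise the inverter."""
    q, g = 1 << k, gadget_vector(k)
    return [(s_i * g[i] + e[blk * k + i]) % q
            for blk, s_i in enumerate(s) for i in range(k)]


if __name__ == "__main__":
    K, N = 8, 3                                     # q = 256, n = 3 secrets
    S = [5, 200, 77]                                # constructed secret
    E = [3, -7, 0, 12, -30, 63, -64, 1,             # constructed errors,
         5, 5, -5, -5, 0, 0, 40, -40,               # all in [-64, 64)
         -1, 2, -3, 4, -63, 62, -61, 60]
    assert basis_check(K)
    assert invert_G(lwe_sample_G(S, E, K), N, K) == (S, E)
    print("recovered", invert_G(lwe_sample_G(S, E, K), N, K))
```

The bit-by-bit recovery is exactly why the error bound matters: with |e_i| ≥ q/4 the centred residue can no longer separate the two half-periods, so the topmost coordinate decides the wrong bit and every lower coordinate inherits the mistake.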
Finally, we recall the algorithms, denoted by SampleD and due to Peikert [28], for sampling from Gaussian distribution with short basis.
The mechanism of [17] for generating a trapdoor differs from that of [29]. As a result, [17] uses a new algorithm, also named SampleD, to sample from a discrete Gaussian over Λ ⊥  (A), in which Algorithm 3 is called. It is used in signature and delegation. For distinction, let us call it SampleDG. The reader can refer to Theorem 5.5 of [17] for its correctness (Algorithm 4).

Signcryption: Primitive and Security Models
Signcryption was invented in 1996 but was first disclosed to the public at CRYPTO 1997 [1]. Signcryption is a public key cryptographic method that achieves unforgeability and confidentiality simultaneously with significantly smaller overhead than that required by "digital signature followed by public key encryption." It does this by signing and encrypting a message in a single step, fulfilling a cryptographer's dream to "kill two birds with one stone" [1,3]. Signcryption techniques are now a global standard for data protection [30].
The signcryption primitive provides confidentiality of the message against all entities except the intended receiver, and meanwhile it provides the authenticity of the sender (i.e., the signer) to the intended receiver. It is clear that the authenticity embedded in the signcryption primitive is unidirectional rather than bidirectional. In particular, if an intended receiver can forge a signature on behalf of some signer, he/she can plant false evidence against the signer and then encrypt the signature for himself/herself. By doing so, the signer is incriminated. Therefore, in considering the security of signcryption, we should take into account the orthogonal combination of two kinds of attackers (i.e., inner attackers and outer attackers) and two protection goals (i.e., unforgeability and confidentiality). In 2005, Dent [31,32] gave comprehensive elaborations on the inner security and outer security of signcryption. With the purpose of providing a handy reference for the security reductions given later, we review the security models of signcryption from LMK12 [14], in which only the security models against inner attackers are formulated, because in general an inner attacker is much stronger than an outer one.
(i) Setup(1  ): this is an initialization algorithm that should be executed only once by any honest user in the system. It takes as input the security parameter 1  and outputs the public parameters P  that are shared by all users in the system.
(ii) KeyGen(1  , P  ): this is a key generation algorithm that should be executed by each user only once. It takes as inputs the security parameter 1  as well as the public parameters P  and outputs the public/private key pair (, ), where  is published publicly while  is kept known only to the user himself/herself. (In the sequel, let us assume that the sender's public/private key pair is (  ,   ), while the receiver's is (  ,   ).)
(iii) Signcrypt(u,   ,   ,   ): this is a signcryption algorithm that should be executed by a sender whenever he/she wants to send a message to someone. It takes as inputs a message u, the intended receiver's public key   , and the sender's public/private key
(iv) Unsigncrypt(C,   ,   ,   ): this is an unsigncryption algorithm that should be executed by a receiver. It takes as inputs a signcryption ciphertext c and the receiver's public/private key pair (  ,   ), as well as the sender's public key   , and outputs a plaintext u or ⊥.

Algorithm 2.
Input: parity-check matrix A ∈ Z ×  ; G-trapdoor T ∈ Z  0 × of A and the corresponding invertible tag M I ∈ Z ×  ; vector b t =  A (s, e) for suitably small e ∈ Z  .
Output: vectors s and e.
Definition 14 (consistency of signcryption). We say that a signcryption scheme defined above is consistent if the following probability Pr is exponentially close to 1; that is, () is negligible with respect to .
To capture the confidentiality of a signcryption scheme defined above, we need to introduce a game, denoted by Game IND-CCA2, between a challenger C and an adversary A as follows.

(iv) Phase 2: Phase 1 is repeated with the restriction that A is not allowed to issue an unsigncryption query on the triple (C * ,  *  ).
(v) Guess: A outputs a bit   as his/her guess of .
Then, the advantage of A in winning Game IND-CCA2 is defined as Adv
Definition 15 (confidentiality of signcryption). A signcryption scheme is said to be indistinguishable against inner chosen ciphertext attacks (IND-CCA2) if there is no probabilistic polynomial time adversary that can win Game IND-CCA2 with nonnegligible advantage.
To capture the (strong) unforgeability of a signcryption scheme defined above, we need to introduce another game, denoted by Game SUF-CMA, between a challenger C and a forger F as follows.

Game SUF-CMA.

Definition 16 (strong unforgeability of signcryption). A signcryption scheme is said to be strongly unforgeable against inner adaptively chosen message attacks (SUF-CMA) if no probabilistic polynomial time adversary can win Game SUF-CMA with nonnegligible advantage.

Proposed Lattice-Based Signcryption Scheme
In this section, we first present a chameleon hash function based on the lattice-trapdoor technique given in [17]. Next, based on the signature scheme and the encryption scheme given in [17], we propose a signcryption scheme. Finally, we prove the consistency of the proposed scheme. Note that the matrices G, S, S k used in this section are as in Section 2.3.

Building Block: Lattice-Based Chameleon Hash Functions.
According to [33,34], by using a chameleon hash function one can transform an SUF-SMA secure signature scheme into an SUF-CMA secure one. To guarantee the consistency of the proposed scheme, we need to construct a chameleon hash function based on the lattice-based trapdoors given in [17]. In fact, it is an analogue of the scheme based on the trapdoors given in [29].
Proof. It is enough to prove that the hash family H = { N } has the four properties described in Section 2.2. For efficient forward computation. Clearly, given a message u ∈ M and r ∈ R, each  N (u, r) is efficiently computable.
For collision-resistance property. Assuming that it is easy to find a collision = 0 is a solution for Nx = 0, and according to the triangle inequality, we have that ‖x‖ 2 ≤  + 4 2 . It implies that x is also a solution for the instance N of SIS , . This contradicts the hardness of SIS , for  = √  + 4 2 . Therefore, the hash family is collision-resistant.
For uniformity property, we first show that the matrix N is uniform. The matrix N (z) is uniform, so N (z) T is also uniform when T ∼   0 × Z,(√log ) is negl()-far from uniform (cf. Section 6.2 of [17]). On the other hand, the matrix MG is fixed when M is fixed. Consequently, the matrix N (1) is negl()-far from uniform. On the other hand, N (0) is uniform; hence N is negl()-far from uniform. It is clear that given any  ∈ M and r ←  Z  , and each matrix N generated as above, the distribution of  N (, ) is negligibly far from the uniform distribution over H × Y by Proposition 9, item (1).
For chameleon property. Given u, u  ∈ M and r ∈ R, one with the G-trapdoor T can easily find r  ∈ R satisfying  N (u, r) =  N (u  , r  ) as follows: compute y =  N (u, r) − N (0) u  , and then sample the preimage r  = SampleDG(T, N (z) , M, y, ).

Lemma 18. The above chameleon hash family is universal;
for every distinct u, u  ∈ M and distinct r, r  ∈ R,
Proof. Assuming that  N (u, r) =  N (u  , r  ), it follows that N (1) r  =  N (u, r) − N (0) u  . When u, r, u  are fixed, the vector z =  N (u, r) − N (0) u  is a fixed element in Z   . The matrix N (1) is uniform as described above. For  0 = ( log ),  =  0 +  ≥ 2 log , the columns of N (1) ∈ Z ×  generate Z   with overwhelming probability by Proposition 8. In addition,  ≥ ‖ S‖(√log ) and r  ∼  Z  , , where S is as in Section 2.3.
It follows that N (1) r  is uniform over Z   (up to negligible statistical distance) by Proposition 9, item (1). Consequently, Pr[N (1)

a ring can be defined as R = Z[]/(()), and the elements of R can be represented as vectors in Z  relative to the standard basis of monomials 1, , . . .,  −1 . Now, given a ring element () =  0 +  1  + ⋅ ⋅ ⋅ +  −1  −1 ∈ R, ℏ(a) can be constructed as follows: for 0 ≤  < , where h (i) is the th column of ℏ(a). Clearly, ℏ has the following properties. Firstly, ℏ is a ring homomorphism, namely, ℏ(x Secondly, multiplication by a ring element a ∈ R can be represented by the matrix ℏ(a); furthermore, the product coefficient vector equals ∑ −1 =0   h (i) a , where h (i) a is the th column of ℏ(a) and   is the th coefficient of the ring element. Thirdly, ℏ(x) ∈   () if and only if x is a unit of R, where   () is the group of invertible elements in Z ×  . Finally, the ring R has the "units difference" property, namely, for any x i , x j ∈ R * (R * denotes the set of units in R), x i − x j ∈ R * .
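To make the properties of ℏ concrete, here is an added Python example (written for this page, not the paper's code). Since the page does not specify the modulus polynomial, it assumes the ring R = Z_q[x]/(x^n + 1) with a prime q (the paper's q is a prime power); with the constructed parameters n = 4 and q = 17 the polynomial x^4 + 1 has the root 2 (since 2^4 = 16 ≡ -1 mod 17), so x − 2 is a zero divisor that the unit check correctly rejects. The code verifies the ring homomorphism, that ℏ(a)·vec(b) gives the coefficients of a·b, and that ℏ(a) is invertible mod q exactly for units.

```python
"""Matrix representation hbar(a) of multiplication by a ring element a.
Added example, not the paper's code. The page leaves the modulus
polynomial f(x) unspecified, so this assumes the concrete ring
R = Z_q[x]/(x^n + 1) with a prime q; the homomorphism and
"multiplication as a matrix" checks do not depend on that choice."""
from typing import List

Poly = List[int]      # a_0 + a_1 x + ... + a_{n-1} x^{n-1} as [a_0, ..., a_{n-1}]
Matrix = List[List[int]]


def poly_mul(a: Poly, b: Poly, n: int, q: int) -> Poly:
    """Product in Z_q[x]/(x^n + 1): x^n wraps around to -1 (negacyclic)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return [ci % q for ci in c]


def hbar(a: Poly, n: int, q: int) -> Matrix:
    """hbar(a): the i-th column is the coefficient vector of a * x^i, so
    hbar(a) @ vec(b) = vec(a * b). Returned row-major (n x n)."""
    cols = []
    for i in range(n):
        x_i = [0] * n
        x_i[i] = 1
        cols.append(poly_mul(a, x_i, n, q))
    return [[cols[j][r] for j in range(n)] for r in range(n)]


def mat_vec(M: Matrix, v: List[int], q: int) -> List[int]:
    return [sum(M[r][j] * v[j] for j in range(len(v))) % q for r in range(len(M))]


def mat_mul(A: Matrix, B: Matrix, q: int) -> Matrix:
    n = len(A)
    return [[sum(A[r][t] * B[t][c] for t in range(n)) % q for c in range(n)] for r in range(n)]


def rank_mod_prime(M: Matrix, q: int) -> int:
    """Row rank over the field Z_q (q prime) by Gaussian elimination."""
    M = [row[:] for row in M]
    n, rank = len(M), 0
    for col in range(n):
        piv = next((r for r in range(rank, n) if M[r][col] % q), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, q)
        M[rank] = [(x * inv) % q for x in M[rank]]
        for r in range(n):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank


def is_unit(a: Poly, n: int, q: int) -> bool:
    """hbar(a) is invertible mod q exactly when a is a unit of R."""
    return rank_mod_prime(hbar(a, n, q), q) == n


def homomorphism_holds(a: Poly, b: Poly, n: int, q: int) -> bool:
    """hbar(a)hbar(b) = hbar(ab), hbar(a+b) = hbar(a)+hbar(b), and
    hbar(a) vec(b) = vec(ab): the facts the text lists for hbar."""
    Ha, Hb = hbar(a, n, q), hbar(b, n, q)
    mult_ok = mat_mul(Ha, Hb, q) == hbar(poly_mul(a, b, n, q), n, q)
    a_plus_b = [(x + y) % q for x, y in zip(a, b)]
    add_ok = hbar(a_plus_b, n, q) == [[(x + y) % q for x, y in zip(r1, r2)]
                                      for r1, r2 in zip(Ha, Hb)]
    vec_ok = mat_vec(Ha, b, q) == poly_mul(a, b, n, q)
    return mult_ok and add_ok and vec_ok


if __name__ == "__main__":
    n, q = 4, 17                        # constructed small parameters
    a, b = [1, 2, 0, 3], [5, 0, 7, 1]   # constructed ring elements
    print("homomorphism:", homomorphism_holds(a, b, n, q))
    print("x is a unit:", is_unit([0, 1, 0, 0], n, q))
    print("x - 2 is a unit:", is_unit([15, 1, 0, 0], n, q))  # 2^4 = -1 mod 17
```

The unit test is the point that matters for the scheme's tag matrices: the trapdoor inversion in the security proof only works when the tag ℏ(μ − μ0) is invertible, and a rank check over Z_q is the direct way to confirm that for a given element.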
Our signcryption scheme consists of the following four algorithms. Note that we also adopt a symmetric encryption scheme Π = (K, E, D) (with keyspace K, encryption algorithm E, and decryption algorithm D) in our construction.
Then, the public parameters P  for the system can be specified as follows.
(1) G ∈ Z ×  is the matrix as defined in Section 2.3, where  =   = poly() is a prime power and is large enough (cf.[17]).
(iii) Signcrypt(u,   ,   ,   ): a sender with public/private key pair (A s , T s ) can send a signcryption ciphertext c on some message u to a receiver with public key A r as follows.
Concretely, replace N (1) , N (0) , M with A s , arbitrary  columns of A  , and I ∈ Z ×  , respectively. The others are invariant. The hash function is denoted as
(5) Encrypt u as follows.
(a) Let
Proof. We analyze the procedure along the unsigncryption algorithm, when a valid ciphertext c p = (, b, c) is input to the unsigncryption.
Firstly, we demonstrate that the correct  1 can be obtained with overwhelming probability in step (1) of unsigncryption.
(ii) Secondly, when the correct e is obtained, the test in step (c) can be passed and the analysis is included in the above proof.
(iii) Thirdly, in step (e), for k = (k 0 , k 1 ) = b − e mod 2, it follows that k 0 ∈ 2Λ(A t 0 ) as desired.
(iv) Finally, in step (f), k t R I = 2(s t ℏ()G mod ) + (Q 1 )  mod 2; as a result, k t R I and (Q 1 )  are in the identical coset, so the decryption can obtain  1 exactly.
Next, after obtaining the correct  1 and b via step (1), we get the correct key used for the symmetric encryption, so we can obtain the correct (,  2 , r 1 , r 2 ) in step (2), and the verification of the hash values in step (3) can be passed.
Finally, let us analyze step (4). Specifically, we prove that the signature verification can be passed with overwhelming probability. By now, we have obtained the correct (, r 1 ) that is a signature for u, and we only need to prove that it is valid. First, we evaluate the probability for  ≤   √ 1 . = [  or y ], where  or is obtained by calling the algorithm SampleDG. It is known by SampleDG that A (0)  s  or = y  and ‖ or ‖ ≤   √ with probability 1 − 2 −Ω() by Proposition 9, item (2). On the other hand, y ≤   √  with probability 1 − 2 −Ω() by the same lemma. Therefore,  ≤   √ 1 with probability 1 − 2 −Ω() . Second, Consequently, the signature is valid with probability 1 − 2 −Ω() .

Security Proofs
Before giving the proofs of the confidentiality and unforgeability of the proposed scheme, we first need to prove the following lemma.

Lemma 20. For a given unit 𝜇
Proof. We first evaluate the number of units in the above ring R. As defined in [17], the monic degree- polynomial By the inclusion-exclusion principle, the number of units in R is where the approximation from (17) to (18) holds because  is large enough. In the proposed scheme,  =   and   − (/ + 1)  ≈   − (/)  =   (1 − 1/  ). On the other hand, the hash functions  1 and  F are both universal. Based on the above two reasons, this lemma holds.

Theorem 21 (confidentiality). The proposed signcryption is indistinguishable against inner adaptively chosen ciphertext attack (IND-CCA2) assuming the decision-LWE 𝑞,𝛼 󸀠 problem (for
Proof. At first, let us define the following game sequence between a challenger C and an adversary A. (i) The game  0 is exactly the IND-CCA2 attack with the system as described in Section 3. (ii) In game  1 , the challenger changes the way to construct the receiver's public key A r and the way to answer unsigncryption queries. The receiver's public key A r is produced as follows. At the start of the game, choose A (0) r , T r as in game  0 and let T = T r , next choose  0 ← R, and then construct The challenger gives the adversary A r as the sender's public key. Whenever A invokes an unsigncryption query on (c  , A s , T s ) = ((, b, c), A s , T s ), C responds as normal except that in step (1) of the Unsigncrypt algorithm, the decryption of (, b) is changed as follows. (resp., E (1) ) has the same distribution as F (0) (resp., F (1) ). The challenge ciphertext is produced as follows.
The adversary provides two equal-length messages u 0 , u 1 and the sender's public/private keys A * s , T * s . The challenger tosses a fair coin   ∈ {0, 1}, and then signcrypts u r c with a slight change. The challenger signs u r c normally to obtain (, r 1 ), next chooses  * =  0 , and then chooses r 2 such that  * =  E ( 1 (), r 2 ) (C can do this since he/she knows the trapdoor of the chameleon hash  E ). The subsequent signcryption operation is the same as  Then, this theorem is implied by the indistinguishability between two successive games   and  +1 ( = 0, 1, 2, 3) that are presented in Lemmas 22, 23, 24, and 25, respectively.
Lemma 22. The adversary's views in game  0 and game  1 are statistically indistinguishable. Meanwhile,  1 can unsigncrypt correctly (with overwhelming probability).
Proof. We first prove the indistinguishability of the public key. Given  0 ∈ R * , ( 0 ) ∈   () is a fixed matrix. On the other hand, A (0) r T r is negl()-uniform by the leftover hash lemma. Therefore, A (0) r T r − ℏ( 0 )G is negl()-uniform. Consequently, the value of  0 is statistically hidden from the adversary and the distributions of the public key in  0 and  1 are statistically indistinguishable.
Next, we show that the challenger C in game  1 can unsigncrypt correctly and that C's unsigncryption behavior in  0 and  1 is indistinguishable from the view of the adversary A. When the queried ciphertext is not valid, both games abort. Therefore, we only need to analyze the case of a valid ciphertext. In the unsigncryption process of game  1 , only the decryption of (, b) (i.e., the public key decryption process) is changed. Therefore, it is enough to prove the correctness of the public key decryption. At first, if  = 0, both games output ⊥. Otherwise, there are two cases for :  ̸ =  0 or not. We first analyze the former. In this case, both games call Invert O to obtain (z, e) such that b t = z t A ()  r + e t mod  (refer to Section 4.3). In game  1 , Clearly, conditioned on  ̸ =  0 , ℏ( −  0 ) ∈ Z ×  is invertible according to the "unit differences" property on R, which is necessary for calling Invert O . It also follows that T is the G-trapdoor for A ()  r corresponding to the invertible tag ℏ( −  0 ). Therefore, the challenger needs to replace M I = ℏ() with M I = ℏ( −  0 ) when calling Invert O . In step (c), if there is an e obtained from step (b  ) that satisfies the constraint condition, it follows that e t [ T I ] ∈ P 1/2 ( ⋅ S −t k ) in both games, where S k has been defined in Section 2.3. Therefore, this e can be obtained by calling Invert O in both games; otherwise, if there is no such e, both games output ⊥. In step (e), if k 1 ∉ 2Λ((A (0) r ) t ), both games output ⊥; otherwise, there exist s ∈ Z   and In step (f) of game  0 , C computes while in step (f  ) of game  1 , C does as follows: first, find any T such that A (0) r T = −A (0) r T − ℏ( 0 )G, and then compute Clearly, k t [ T r I ] in  0 , k t [ T I ] in  1 , and

are in the same coset Λ(G t )/2Λ(G t ); therefore  0 and  1 can both decrypt the desired value.
We next discuss the latter case, that is,  =  0 . In this case, game  1 cannot unsigncrypt because ℏ( −  0 ) is not invertible, but since  0 is unknown to the adversary in  1 , the probability that  =  0 is negligible according to Lemma 20. Based on the above analysis, the games  0 and  1 are indistinguishable.

Lemma 23. The adversary's views in game 𝐺

Proof. At first, because the matrices used for constructing the hash functions  E and  F have identical distributions, the games  2 and  1 are statistically indistinguishable when the hash function is replaced. Although the way of producing the challenge ciphertext ( * ,  * ,  * ) in  2 is changed, the adversary cannot distinguish  * =  0 from  * =  E (w, r 2 ) without knowing  0 , ,  2 in advance, considering that  E is universal and  0 is randomly selected.

Lemma 24. The adversary's views in game  3 and game  2 are statistically indistinguishable.
Proof. The key idea of this lemma's proof is similar to a part of Theorem 6.3 of [17]. The change of the challenge ciphertext in  3 is only in the public key encryption part, more precisely, where It only needs to be proved that the statistical distance between e t 0 T r + êt and e t 1 is negligible. Express T r as (t 1 , t 2 , . . ., t nk ) ∈ Z  0 × , where t i ∼  Z  ,(√log ) . On the other hand, ê ∼  Z,√(√log ) . It follows that for fixed e 0 , ⟨e 0 , t i ⟩ + êi is negl()-far from  Z, 1 for  2  1 = (‖e 0 ‖ 2 +  0 () 2 )(√log ) 2 according to Corollary 3.10 of [23] and Theorem 3.1 of [28]

Proof. The idea of this lemma's proof is similar to a part of Theorem 6.3 of [17]. In order to show the indistinguishability, a method to discretize LWE is needed. Concretely, A s,  is an LWE instance over Z   × T. The   samples (for s ∈ Z   ) (,  = ⟨s, ⟩/+ mod 1) can be transformed to (, 2⟨s, ⟩ mod  + e  mod 2) ∈ Z   × Z 2 by mapping   → 2 +  Z−2, , for   ←  Z, and  2 = () 2 − (2  ) 2 ≥ 4 ≥   (Z) 2 according to Theorem 3.1 of [28]. Clearly, by the above mapping, the uniform instance  $ over Z   × T is mapped to the uniform distribution over Z   × Z 2 .
In game  3 , (A (0) r , b 0 ) is in fact an instance of   . In game  4 , (A (0) r , b 0 ) is a uniformly random instance  $ over Z × 0  × Z  2 . Because LWE is pseudorandom, the above discretized distribution is also pseudorandom under the constraint condition   = /3 ≥ 2√/. Therefore, under the discretized LWE assumption, the games  4 and  3 are computationally indistinguishable.
Next, we analyze the adversary's advantage in game  4 . According to the leftover hash lemma, (A (0) r , b 0 , A 0 T r , b 0 T r ) is negl()-uniform when T r is chosen as in  4 . Therefore, the challenge ciphertexts of any two different messages have distributions at most negl()-far apart. Consequently, the adversary's advantage in  4 is negligible.
Proof.We prove it by contradiction.If an adversary F can forge a signcryption in the proposed scheme, then the simulator can forge a signature of the above SUF-CMA signature scheme used in the proposed scheme.
Initial: C obtains the public parameter P  and its own public/private keys ( *  ,  *  ) by running the algorithms Setup and KeyGen in turn, and then gives  *  and P  to F.
Signcrypt query: in this phase, the adversary F can make a polynomially bounded number of signcryption queries as follows. F submits a message u together with an intended receiver's public key A_r. (For convenience, we denote the intended receiver's private key by T_r.) (3) Combine  1 and  2 to obtain .
In the proposed scheme, we use the signature scheme of [17]. However, the syndrome y in that signature scheme is replaced by a chameleon hash value of the message u and some randomness r. For convenience, the signature scheme involving the chameleon hash function is called the MP  signature scheme. The signature scheme of [17] is SUF-CMA in the standard model assuming the hardness of SIS , for large enough  = (() 3/2 ) ⋅ (√log ) 3 ; therefore the MP  signature scheme is SUF-CMA in the standard model according to [33, Lemma 2.3] or [34, Lemma 2.1].
Because  * is a valid ciphertext, (, r 1 ) is a valid MP  signature on the message u. This is the contradiction. Consequently, the proposed signcryption scheme is also SUF-CMA assuming the hardness of SIS , for  = (() 3/2 ) ⋅ (√log ) 3 .

Performance Analysis and Simulations
This section compares the ciphertext length, computational cost, key size, and so forth of the proposed scheme with those of the ordinary signature-then-encryption paradigm and of the existing lattice-based signcryption schemes.
The dimension of the public key A ∈ Z ×  needs to be fixed first. We assume that the security parameter  is the same in LMK12 [14], WHW12 [15], and our scheme. In LMK12 [14] and WHW12 [15], the public/private keys for signature and encryption are all generated by the approach of [29], and the dimension  satisfies   = 6 log . In our scheme, the trapdoor generation algorithm is the one proposed in [17]. In order to make the public key in Z ×  both statistically close to uniform and computationally pseudorandom, we let the dimension be  = 2log . For convenience, the modulus  is assumed to be the same in the three schemes, although the  in our scheme might be smaller than that in LMK12 [14] and WHW12 [15]. Note that the signature scheme used in our scheme is the one proposed in [17]. The matrix used in it is in Z × 1 , where  1 = + for  = log .

Comparison with the Signature-Then-Encryption Paradigm.
First, we compare ciphertext length. To send an   -bit message, the ordinary signature-then-encryption paradigm uses [17] to sign, and the signature length is approximately  1 log  bits. It uses [17] to encrypt the plaintext, and the ciphertext length is but this only achieves CCA1 security. To reach CCA2 security, a good candidate is to produce a one-time signature (OTS) on the ciphertext; for efficiency, it suffices to sign the hash value of the ciphertext. The OTS signature length is also  1 log . In this way, the total number of bits is about In our scheme, the ciphertext has the form (, b, c). Here c is the encryption of (u |  2 | r 1 | r 2 ) under a symmetric encryption scheme whose plaintext and ciphertext are of equal length. The lengths of , b, and  2 are (about)  log ,  log 2, and  1 log , respectively. In the following discussion, we assume that the number of bits needed to represent a variable is approximately its min-entropy. Because r 1 ← $  Z  ,  (see Section 4.2), its min-entropy is about  by Proposition 9, item (2). As a result, the length of r 1 is about  bits. Similarly, the length of r 2 is about . Consequently, the ciphertext length of our scheme is about The ciphertext of our scheme is shorter than that of the signature-then-encryption paradigm, and the longer the plaintext, the larger our advantage. Second, we compare computational cost, starting with signcryption. The computational cost of the signature-then-encryption paradigm consists mainly of the cost of signing and the cost of public key encryption. The cost of signing is two preimage samplings using Algorithm 4.
The public key encryption must be run roughly ⌈  /()⌉ times. The main computational cost of our scheme consists of the cost of signing, the cost of public key encryption, and the cost of symmetric encryption. Because the cost of symmetric encryption (resp., decryption) is much smaller than that of public key encryption (resp., decryption) and signing (resp., signature verification), it can be ignored. The cost of signing is again one preimage sampling using Algorithm 4, and the public key encryption is run once. Clearly, the computational cost of Signcrypt is far less than that of the signature-then-encryption paradigm, and the advantage in total computational cost grows with the plaintext length.
Next, we compare Unsigncrypt. Our public key decryption and signature verification are each run once, while the signature-then-encryption paradigm needs ⌈  /()⌉ decryptions and two verifications, respectively. From the above analysis, the computational cost of Signcrypt and the ciphertext length are both much lower than those of the signature-then-encryption paradigm, in particular for long plaintexts. Because it employs the simpler, tighter, and more efficient trapdoors of [17], our scheme inherits some advantages of that technique. We now compare the ciphertext length, computational cost, public key size, private key size, security model and security, and so forth of our scheme with those of the existing lattice-based signcryption schemes LMK12 [14] and WHW12 [15].

Comparison with the Schemes of LMK12 [14] and WHW12 [15].
Firstly, we compare ciphertext length. The ciphertext of WHW12 [15] has the form (b 1 , b 2 , . . ., b l 0 ), where  0 is large enough (say,  0 ≥ 80) that 2 − 0 is negligible. The length of b  is   log  = 6 log 2  for  ∈ [ 0 ]. Consequently, the total ciphertext length is   + 6 0  log 2 . The ciphertext of LMK12 [14] has the form (, , u). The length of  can be omitted since it is much smaller than the length of  or u. The length of u is   log  = 6log 2  and the length of  equals the length of the plaintext. As a result, the ciphertext length of LMK12 [14] is about   + 6 log 2 . Our ciphertext length is about   + 5 log 2  (see Section 6.1).
Secondly, we compare the public parameter size. Since in WHW12 [15] and in our proposal the public parameters include several matrices, while in LMK12 [14] the public parameters are just a few scalars such as ,   , and , it is convenient to count only the representation size of the matrices involved. The parameter  in the proposed scheme plays the same role as  0 in WHW12 [15], and we replace it with  0 for convenience. Then, the public parameter sizes of WHW12 [15] and ours are 2( 0 − 1)  log  = 12( 0 − 1) 2 log 2  and  0  log  = 2 0  2 log 2 , respectively, while

To summarize, the above comparisons are collected in Table 2; an overview of this table is given in Table 1. We conducted 7 simulations with different parameter settings. These settings, given in Table 3, are taken from [21], [22], and [17], respectively. In particular, under the parameters suggested in [17], breaking a related lattice-based cryptosystem takes about 2^46 core-years of computation using the state of the art in lattice basis reduction [36, 37] on a 64-bit 1.86 GHz Xeon platform. Note that, to reach the same security level, the lattice dimensions differ between lattice generation techniques.
Then, for each setting, we performed 100 random signcryptions and unsigncryptions and collected the average time for signcryption and unsigncryption. The results are given in Table 4 and illustrated in Figures 1 and 2. Note that these figures use logarithmic axes so that values differing by orders of magnitude remain visible.
(i) Under settings 1∼6, the average signcryption time of our scheme increases slowly from 0.489 s to 3.476 s, which is about 3 times faster than Li's scheme and 5∼13 times faster than Wang's scheme. Under these settings, the average unsigncryption time of our scheme increases slowly from 0.454 s to 3.48 s, about 3 times faster than Li's scheme and 260 times faster than Wang's scheme. (ii) Under setting 7, the average signcryption time of our scheme is 9.309 s, about 580 times faster than both Li's scheme and Wang's scheme. Under this setting, the average unsigncryption time of our scheme is 10.954 s, about 400 times faster than Li's scheme and 33000 times faster than Wang's scheme. To explain the large performance gap between our scheme, Li's scheme, and Wang's scheme, we give the following details. The time cost of signcryption is dominated by three categories of computation: (1) matrix operations, including modular addition of matrices and modular multiplication of matrices and vectors, (2) preimage sampling, and (3) discrete Gaussian sampling.
First, in our signcryption process, the time spent on matrix operations is concentrated in steps 4(d) and 1(a) (see Section 4.2). Since step 1(a) depends directly on the message being signcrypted, it is not easy to optimize, say by precomputation. However, step 4(d) can be optimized because the matrix Q has nonzero entries only on the main and the second diagonals. Exploiting this structure, we reduce the cost of step 4(d) from  3 log 3  multiplications to 2 log  multiplications. The comparisons of average matrix computation cost in signcryption and unsigncryption are given in Table 5 and Figures 3 and 4, respectively. Second, both Li and Wang use the preimage sampling technique of [20], whose complexity is Ω( 2 log 2 ), while we use the preimage sampling technique of [17], with the sampling oracle instantiated by the technique of [28], whose complexity is reduced to O( log ). Third, our signcryption process performs 5 log  Gaussian samplings, while Wang's signcryption performs 6 0  log  Gaussian samplings in total, where  0 must make 2 − 0 negligible, say  0 ≥ 80. Note that Li's signcryption reuses preimages as Gaussian error vectors and thus needs no further Gaussian sampling. The comparisons of average sampling cost, covering both preimage sampling and discrete Gaussian sampling, are collected in Table 6 and depicted in Figures 5 and 6. Note that the unsigncryption process incurs no sampling cost.

Conclusions
In this paper, we proposed a signcryption scheme in the standard model based on lattice hard problems. The scheme is proven to be indistinguishable against inner adaptive chosen ciphertext attacks under the LWE assumption and strongly unforgeable against inner adaptive chosen message attacks under the SIS assumption. Moreover, by using the simpler, tighter, and more efficient trapdoors of Micciancio and Peikert, the cost of our scheme is much lower than that of existing lattice-based signcryption schemes. An attractive open problem is to design an efficient identity-based signcryption scheme in the standard model.

Definition 12.
Given matrices A ∈ Z ×  and T ∈ Z  0 ×  and an invertible matrix M ∈ Z ×  for positive integers , ,  0 , , if A [ T I ] = MG and ‖T‖ is small enough, then T is called a G-trapdoor of A with respect to M. Given the function  G (ŝ, ê) = ŝ^t G + ê^t mod  with suitably small ê ∈ Z  , an efficient oracle O(b ∈ Z   ) for inverting  G (ŝ, ê) is obtained by calling Algorithm 1  times.
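The following is an added worked example, not code from the paper, illustrating Definition 12 for the Micciancio-Peikert gadget G = I_n ⊗ (1, 2, ..., 2^(k-1)) with M = I and a power-of-two modulus q = 2^k. It builds A = [Ā | G − ĀR] with a small trapdoor R (so that A·[R; I] = G), then inverts f_G(ŝ, ê) = ŝ^t G + ê^t block by block from the most significant gadget entry downward, which is what the per-block oracle call in the definition does. The parameters n = 4, k = 10, and the entry range of R and the error are assumptions chosen so that the transformed error stays below q/4; the sample instance is constructed with a seeded RNG.

```python
import random

def gadget_matrix(n, k):
    """G = I_n ⊗ (1, 2, ..., 2^(k-1)) as an n x (n*k) integer matrix."""
    G = [[0] * (n * k) for _ in range(n)]
    for i in range(n):
        for j in range(k):
            G[i][i * k + j] = 1 << j
    return G

def matmul_mod(A, B, q):
    """Plain integer matrix product reduced modulo q (small sizes only)."""
    inner, cols = len(B), len(B[0])
    return [[sum(row[t] * B[t][j] for t in range(inner)) % q
             for j in range(cols)] for row in A]

def trapdoor_extension(R):
    """Stack [R; I] so that A·[R; I] = M·G for A = [Ā | M·G − Ā·R]."""
    w = len(R[0])
    return R + [[1 if i == j else 0 for j in range(w)] for i in range(w)]

def gen_trapdoor(n, k, mbar, rng):
    """A = [Ā | G − Ā·R] with R in {-1,0,1}^(mbar x nk); R is the G-trapdoor (M = I)."""
    q, w = 1 << k, n * k
    Abar = [[rng.randrange(q) for _ in range(mbar)] for _ in range(n)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(w)] for _ in range(mbar)]
    G = gadget_matrix(n, k)
    AR = matmul_mod(Abar, R, q)
    A = [Abar[i] + [(G[i][j] - AR[i][j]) % q for j in range(w)] for i in range(n)]
    return A, R

def invert_gadget_block(block, k):
    """Recover s from (s*2^j + e_j mod 2^k)_{j<k}, assuming |e_j| < q/4.

    Bit i of s is read from position j = k-1-i: after removing the lower bits
    already known, the entry equals s_i * 2^(k-1) + e_j mod q, so s_i = 1 iff
    the value lies in the middle half (q/4, 3q/4) of the range.
    """
    q = 1 << k
    s = 0
    for i in range(k):
        j = k - 1 - i
        v = (block[j] - (s % (1 << i)) * (1 << j)) % q
        bit = 1 if q // 4 < v < 3 * q // 4 else 0
        s |= bit << i
    return s

def invert_fG(b, n, k):
    """Invert f_G(ŝ, ê) = ŝ^t G + ê^t by calling the block decoder n times."""
    return [invert_gadget_block(b[i * k:(i + 1) * k], k) for i in range(n)]

def invert_with_trapdoor(A, R, b, n, k):
    """Given b = s^t A + e^t mod q, multiply by [R; I] to reach s^t G + e'^t and decode."""
    q = 1 << k
    b_prime = matmul_mod([b], trapdoor_extension(R), q)[0]
    return invert_fG(b_prime, n, k)

def demo(seed=1):
    """Build a trapdoor instance, check A·[R; I] = G, and invert one LWE sample."""
    n, k, mbar = 4, 10, 40        # assumed toy parameters; q = 1024, m = 80
    q = 1 << k
    rng = random.Random(seed)
    A, R = gen_trapdoor(n, k, mbar, rng)
    assert matmul_mod(A, trapdoor_extension(R), q) == gadget_matrix(n, k)
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(mbar + n * k)]   # |e^t [R; I]| <= 41 < q/4
    sA = matmul_mod([s], A, q)[0]
    b = [(sA[j] + e[j]) % q for j in range(len(e))]
    return s, invert_with_trapdoor(A, R, b, n, k)

if __name__ == "__main__":
    secret, recovered = demo()
    print("recovered secret matches:", secret == recovered)
```

The decoder only works because the error after multiplication by [R; I] stays below q/4; with larger R or error entries the middle-half test misclassifies a bit, which is exactly why ‖T‖ must be small in the definition.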

2
and game 1 are statistically indistinguishable.
C computes the signcryption c  ← Signcrypt(u, A r , A * s , SK * s ) and gives c  to F. Forgery: F outputs a receiver's public/private key pair (A * r , T * r ) and a fresh ciphertext  * = (u, b, c) under the sender's public key A * s and the receiver's private key T * r . Because  * is a valid ciphertext, C does the following. (1) Decrypt (u, b) with T * r to obtain  1 . (2) Decrypt c with  2 ( 1 , ) to obtain (u |  2 | r 1 | r 2 ).
, P  ) algorithm.Finally, C gives  *  and P  to A.
) algorithm to produce the public parameter P  and then generates its own public/private keys ( *  ,  *  ) by running KeyGen(1 (ii) Phase 1: A can make a polynomially bounded number of unsigncryption queries adaptively, and C responds accordingly. More precisely, A's query is specified by a pair (C,   ) and C responds with the corresponding plaintext u if C is a valid signcryption ciphertext with respect to the receiver's public key  *  and the sender's public key   , or ⊥ otherwise. (iii) Challenge: A chooses two plaintexts u 0 , u 1 of equal length and sends (u 0 , u 1 ,  *  ,  *  ) to C; C tosses a fair coin  ∈ {0,1} and sets C * ← Signcrypt(u  ,  *  ,  *  ,  *  ). Finally, C sends A the challenge signcryption ciphertext C * .
, P  ) algorithm. Finally, C gives  *  and P  to F.   is the intended receiver's public key and the corresponding private key   is known to F. Furthermore, F is allowed either to obtain (  ,   ) by calling the algorithm KeyGen(1  , P  ) or to pick them at random.) (iii) Forgery: F outputs a tuple (u * , C * ,  *  ,  *  ) with the restriction that C never returned C * to F as the answer to a signcryption query on (u * ,  *  ). Then, the advantage of F in winning Game SUF-CMA is defined as (ii) Signcrypt query: F can make a polynomially bounded number of signcryption queries adaptively. More precisely, F's query is specified by a pair (u,   ) and C responds with C ← Signcrypt(u,   ,  *  ,  *  ). (Here, ). Clearly, if the O( b) in Inkert O can return the desired value, Inkert O can obtain the desired e. The oracle O( b) −t ), referring to Section 2.3 for the definition of S k . Because e 0 ∼   0 Z, , e 1 ∼   Z, []/(()) is a field by the Chinese remainder theorem. An element  ∈ R is a unit if and only if it is nonzero modulo every prime  dividing . Assume that  has prime factors  1 ,  2 , . . .,   . The number of elements which are zero modulo the prime factor   is /  + 1.
irreducible modulo every prime  dividing . Because () is irreducible, (()) is a maximal ideal and Z . In other words, b 1 in game 3 has a distribution negl()-far from that of b 1 in game 2. Consequently, the challenge ciphertext ( * , b * , c * ) is statistically indistinguishable between games 2 and 3. The adversary's views in games 3 and 4 are computationally indistinguishable and the adversary's advantage in game 4 is negligible, assuming that the decision- ,  problem (for   = /3 ≥ 2√/) is intractable.

Table 6: Average sampling cost in signcryption.