A Lattice-Based Identity-Based Proxy Blind Signature Scheme in the Standard Model

A proxy blind signature scheme is a special form of blind signature that allows a designated person, called the proxy signer, to sign on behalf of original signers without knowing the content of the message. It combines the advantages of proxy signature and blind signature. To date, most proxy blind signature schemes rely on hard number theory problems, discrete logarithm, and bilinear pairings. Unfortunately, the above underlying number theory problems will be solvable in the postquantum era. Lattice-based cryptography is enjoying great interest these days, due to implementation simplicity and provable security reductions. Moreover, lattice-based cryptography is believed to be hard even for quantum computers. In this paper, we present a new identity-based proxy blind signature scheme from lattices without random oracles. The new scheme is proven to be strongly unforgeable under the standard hardness assumption of the short integer solution problem (SIS) and the inhomogeneous small integer solution problem (ISIS). Furthermore, the secret key size and the signature length of our scheme are invariant and much shorter than those of the previous lattice-based proxy blind signature schemes. To the best of our knowledge, our construction is the first short lattice-based identity-based proxy blind signature scheme in the standard model.


Introduction
Digital signature schemes are the cornerstone of e-business, e-government, software security, and many more applications. The importance of these schemes is likely to grow in the future as more and more everyday tasks and processes are computerized.
The concept of blind signature was first proposed in 1982 by Chaum [1]: user A could obtain the signature of B on any given message, without any information about the message or its signature revealed, and any receiver could verify the signature that is signed by signer B.
In 1996, Mambo et al. introduced the concept of proxy signature [2]: an original signer delegates his signing authority to another signer, who is called a proxy signer. The proxy signer can then sign any message on behalf of the original signer, and the verifier can verify and distinguish between a normal signature and a proxy signature.
In 1985, Shamir introduced the concept of identity-based (ID-based) cryptography and presented an ID-based signature (IBS) scheme [3]. In an IBS scheme, a public key can be derived from the identity of the user, and a corresponding secret key can be generated by a private key generator (PKG). The IBS scheme can simplify key management procedures in certificate-based public key systems, so it can be an alternative to certificate-based public key systems on some occasions, especially when efficient key management and moderate security are required.
In 2000, Lin and Jan [4] introduced the concept of proxy blind signature. Proxy blind signatures are actually the combination of both proxy signature and blind signature. They play an important role in the following scenario: in an e-cash system, the user makes the bank blindly sign a coin using blind signature schemes. Whenever a user goes through a valid branch to withdraw a coin, he/she needs the branch to make a proxy blind signature on behalf of the signee bank.
Tan et al.'s scheme is a proxy blind signature scheme which is based on the Schnorr blind signature. But Awasthi and der Lal [5] showed a forgery attack on Tan et al.'s scheme and proposed a more secure proxy blind signature scheme. Recently Sun et al. [6] pointed out that neither Tan et al.'s scheme nor Awasthi and der Lal's scheme satisfies the unlinkability property of the proxy blind signature scheme. But they did not give an improved scheme to overcome the insecurity. For the first time, Zhang et al. [7] proposed a proxy blind signature scheme from bilinear pairings. In 2004, Zheng et al. [8] proposed an ID-based proxy blind signature scheme which uses bilinear pairings of elliptic curves or hyperelliptic curves. Since then, many identity-based proxy blind signature schemes have been proposed, for example, [9][10][11].
Mathematical Problems in Engineering
To date, most of the proposed identity-based proxy blind signature schemes rely on hard number theory problems such as integer factorization, discrete logarithm, and bilinear pairings with the Diffie-Hellman problem. However, the above underlying number theory problems will be solvable if practical quantum computers become reality, which implies a potential security threat to these identity-based proxy blind schemes. Thus, a natural question one can ask is how to design identity-based proxy blind signature schemes that are secure in the quantum environment.
In recent years, lattices have emerged as a possible alternative to number theories. Lattice-based cryptography began with the seminal work of Ajtai [12], who showed that it is possible to construct families of cryptographic functions. Moreover, lattice-based cryptography is believed to be hard even for quantum computers [13]. Several lattice-based signature schemes [14][15][16][17][18] have been proposed so far. Among them, Jiang et al. [18] presented the first proxy signature scheme from lattices. Unfortunately, Tian and Huang [19] pointed out that an original signer is able to forge a proxy signature on any message in the scheme. In 2010, Cash et al. put forward a new cryptographic notion called a bonsai tree based on hard lattices [20]. Since then, many proxy signatures [21,22] were presented in the bonsai tree model based on the bonsai tree signature scheme. However, both the private keys and the signatures in these schemes become dramatically longer than those of a general signature. Therefore, they may not be practical for large communities.
Recently, Agrawal et al. [23] presented a basis delegation algorithm which keeps the dimension of the lattices involved constant. Based on the algorithm, the first lattice-based hierarchical identity-based encryption scheme with short ciphertexts in the standard model was proposed in [23]. Still, there is no identity-based proxy blind signature scheme from lattices in the standard model.
Following the above discussion, in this paper, we will construct a new identity-based proxy blind signature scheme from lattices in the standard model, which is obtained from Agrawal et al.'s basis delegation algorithm [23]. The new scheme is provably secure against strong forgery under hard problems on lattices, and the size of secret keys and the signature length of our scheme are much shorter than those of signature schemes [21,22].
The rest of the paper is organized as follows: the next section gives the introduction of lattices, Section 3 explains briefly the definition of proxy blind signature, and Section 4 gives a detailed description of our identity-based proxy blind signature from lattice basis delegation. In Section 5, an analysis of our scheme is presented. Section 6 concludes this paper.
The minimum distance  1 of the lattice is the length  2 (in the Euclidean norm, unless otherwise indicated) of its shortest nonzero vector: ( We define the orthogonal lattice Λ ⊥ () as

Hard Problems on Lattices. Security of our signature scheme rests on the hardness assumption of the short integer solution (SIS) problem and the inhomogeneous small integer solution problem [14].
Definition 1 (the small integer solution problem (SIS) (in the Euclidean  2 norm)). Given an integer , a matrix  ∈  ×  , and a real , the goal of the short integer solution problem SIS ,, is to find a nonzero integer vector  ∈    , such that  = 0 mod  and ‖‖ 2 ≤ .
Definition 2 (the inhomogeneous small integer solution problem (ISIS) (in the Euclidean  2 norm)). Given an integer , a matrix  ∈  ×  , a syndrome  ∈    , and a real , the goal is to find an integer vector  ∈    , such that  =  mod  and ‖‖ 2 ≤ .
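The two definitions above as executable checks, in an added example that is not from the paper: the names A, z, u, q and beta follow the usual SIS/ISIS notation and are assumed here, and the toy matrix is constructed. It also shows why the norm bound carries the hardness: q times a unit vector satisfies the modular equation but is rejected as too long.

```python
import itertools

def mat_vec_mod(A, z, q):
    """Return A*z mod q for a matrix A given as a list of rows."""
    return [sum(a * x for a, x in zip(row, z)) % q for row in A]

def is_isis_solution(A, z, u, q, beta):
    """ISIS check: A*z = u (mod q) and ||z||_2 <= beta."""
    short = sum(x * x for x in z) <= beta * beta  # compare squared norms
    return short and mat_vec_mod(A, z, q) == [x % q for x in u]

def is_sis_solution(A, z, q, beta):
    """SIS check: ISIS with the zero syndrome, and z must be nonzero."""
    return any(z) and is_isis_solution(A, z, [0] * len(A), q, beta)

def brute_force_sis(A, q, beta, bound=1):
    """Exhaustive search over entries in [-bound, bound].

    Cost is (2*bound + 1)**m, so this only works at toy sizes; at
    cryptographic dimensions no efficient search is known.
    """
    m = len(A[0])
    for z in itertools.product(range(-bound, bound + 1), repeat=m):
        if is_sis_solution(A, list(z), q, beta):
            return list(z)
    return None

# Constructed toy instance (assumed values): n = 2, m = 6, q = 7, beta = 2.
Q = 7
BETA = 2.0
A = [[1, 3, 5, 2, 6, 4],
     [2, 6, 1, 4, 3, 5]]

SHORT_Z = [1, 0, -1, -1, 1, 0]    # norm 2, A*z = 0 mod 7
TRIVIAL_Z = [Q, 0, 0, 0, 0, 0]    # A*z = 0 mod 7, but norm 7 > beta

if __name__ == "__main__":
    print("short vector accepted:", is_sis_solution(A, SHORT_Z, Q, BETA))
    print("q*e_1 accepted:", is_sis_solution(A, TRIVIAL_Z, Q, BETA))
    print("found by search:", brute_force_sis(A, Q, BETA))
```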

Trapdoor and Basis Delegation Functions for Lattices. It was shown in
The input distribution is    , , and a short basis for Λ ⊥ () can be used as a trapdoor to sample from  −1  (). Here we briefly introduce some enhanced variants of trapdoor functions [14] with preimage sampling, which are given by a tuple of probabilistic polynomial-time algorithms (TrapGen, SampleD, and SamplePre), which will be used as building blocks in our signature scheme.
The following functions take the Gaussian smoothing parameter  ≥ ‖ B‖ ⋅ (√) as a parameter.

SampleD(𝐴, 𝑟). Sample an  from distribution    , , for which the distribution of  is uniform over    .

Proxy Blind Signature
A proxy blind signature [4, 9, 10, 11] is considered to be the combination of proxy signature and blind signature. It consists of four participants (an original signer, a proxy blind signer, a user, and a verifier) and the following four algorithms: keygen, generation of the proxy key, proxy signature generation, and verification. A proxy blind signature scheme should satisfy the following requirements.
Distinguishability. Proxy signatures are distinguishable from normal signatures by everyone.
Verifiability. From the proxy signature, the verifier can be convinced of the original signer's agreement on the signed message.
Strong Nonforgeability. A designated proxy signer can create a valid proxy signature for the original signer. But the original signer and other third parties who are not designated as a proxy signer cannot create a valid proxy signature.
Strong Identifiability. Anyone can determine the identity of the corresponding proxy signer from the proxy signature.
Strong Nondeniability. Once a proxy signer creates a valid proxy signature of an original signer, he/she cannot repudiate the signature creation.
Prevention of Misuse. The proxy signer cannot use the proxy key for purposes other than generating a valid proxy signature. That is, he/she cannot sign messages that have not been authorized by the original signer.
Blindness Property. A signer cannot distinguish, except with negligible probability, the order in which he/she issued signatures.

A Lattice-Based Identity-Based Proxy Blind Signature Scheme in the Standard Model
We introduce our lattice-based identity-based proxy blind signature scheme in the standard model in this section which needs the following parameters.
Let  be a prime number, and  ≥ 2,  ≥ (), and  = ().A bound L = (), the Gaussian parameter  = L(), and a hash function  that outputs matrices in The original signer A and the proxy blind signer B have the identity ID 1 and the identity ID 2 , respectively, and the details are described as follows.
Proxy Blind Signature. Suppose that  is the message to be signed, and the proxy signer B and the user C compute the signature as follows.

Analysis of the Proposed Scheme
(2) (3) (4)
5.2. Analysis of Security. Our proxy blind signature scheme satisfies all the requirements stated in Section 3 based on the hardness assumption of the SIS problem and the ISIS problem. We prove only the blindness property and strong nonforgeability.
Proof. The proxy signer cannot relate the message  and blinded message ( 1 ,  2 ) by definition; the statistical distance is because  1 ,  2 , . . .,   ∈    is chosen uniformly at random from    , so prob(∑  =1 (−1) ) is close to 0. So the proxy signer cannot relate the message  and blinded message ( 1 ,  2 ).
Theorem 5. The proxy blind signature scheme in this paper is existentially unforgeable under chosen-message attack.
We now analyze the reduction: by the preimage min-entropy property of the hash family, thus the signature  1, =   with negligible probability 2 −() . The adversary  outputs the valid forgery (ID  , ID  , ,  1, ,  2, ) with probability , and prob( = 2,  = 1) = 1/ 2   , so  1, −   is a solution to the SIS problem with (, , 3 2 √, ) with probability negligibly close to
The length of signature 2 m 6 m 2 m
5.3. Efficiency Analysis. The efficiency of a signature scheme is mainly considered to include the length of public keys, secret keys, and signatures. The lattice-based special signature schemes [21,22] are also provably secure; however, the private keys and the signatures in these schemes are dependent on the identity length of the signer. In contrast, the size of private keys and the size of signature in our scheme are both unchanged and much shorter. Therefore, our scheme is more practical. Table 1 shows the comparison of the schemes.

Conclusions
In this paper, we have constructed a new lattice-based proxy blind signature scheme with short secret keys and short signatures in the standard model. Our signature scheme is more efficient than other current proxy blind signature schemes, and the security mainly depends on hard problems on lattices, so the scheme in this paper is still secure in a quantum computing environment.