An Identity-Based Blind Signature Scheme Using Lattice with Provable Security

Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 051800, China
Information Security Lab, Computer School, Central China Normal University, Wuhan 430072, China
School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Department of Information Systems and Cyber Security and the Department of Electrical and Computer Engineering, University of Texas at San Antonio, San Antonio, TX 78249, USA
School of Mechatronical Engineering, Beijing Institute of Technology, Beijing 100081, China


Introduction
Currently, the emergence of quantum computing poses a potential threat to traditional cryptosystems. In 2011, the first commercial quantum computer, "D-Wave One", was produced, which made it feasible to apply certain cracking algorithms to traditional public key cryptography. This is because most of the mathematical hard problems underlying traditional cryptosystems are vulnerable to the strong computing power of quantum computers. Therefore, the influence that quantum computers have on traditional cryptosystems will clearly permeate the information security and Internet security of all areas of a country, such as politics, economy, culture, and military.
Specifically, this can be explained from two main aspects. Firstly, for the integer factorization problem, Beauregard [1] conjectured that an n-bit integer can easily be factored by an n-qubit quantum computer. As for the discrete logarithm problem, Proos and Zalka [2] pointed out that the n-bit elliptic curve discrete logarithm problem [3,4] can be solved by an n-qubit quantum computer. Secondly, the effective length of the secret key in a traditional cryptosystem is halved under the attack of a quantum adversary.
Blind signatures were first proposed by Chaum [5] to make electronic money in an electronic cash system. In general, through a blind signature scheme the user can obtain a valid signature on any message while the signer learns nothing about the actual message. This special property makes blind signatures widely used. Therefore, plenty of blind signature schemes were worked out after the work of Chaum, such as [6,7]. However, those schemes had the significant problem of certificates, which is the core problem of public key infrastructure (PKI) cryptosystems. In 1984, the identity-based (ID-based) public key cryptosystem was worked out by Shamir [8], which is useful for eliminating this serious defect of PKI cryptosystems. Since then, many ID-based blind signature schemes have been proposed with efficient performance.
As is well known, most of the above blind signature schemes cannot resist the attack of quantum algorithms, because the computational power of quantum computers is so strong that the hard problems in those schemes are easily broken. In order to remove this threat, postquantum cryptography has appeared in the vision of cryptographers: cryptosystems that still hold their security under the attack of a quantum adversary. Among postquantum cryptography systems, lattice-based cryptography is the most promising. Currently, many cryptographic protocols have been devised on lattices, such as [9,10,11].
There are several advantages of lattice-based cryptography which are worth noting. Firstly, this cryptosystem has received widespread attention in the last decade. Then, this cryptography currently cannot be broken by any known algorithm, including quantum algorithms. Moreover, lattice-based cryptography has the same level of security in the average case as in the worst case. Finally, the designs of lattice-based schemes are very simple and efficient, involving mainly matrix-vector multiplication, linear summation, and modular operations.
Taking advantage of these benefits, some blind signature schemes were designed, but several problems in these schemes make them inapplicable in real environments. For example, some blind signature schemes lack a formal security proof or describe the ability of the adversary incorrectly. Besides, the efficiency shortcomings of other schemes are too serious to be neglected, such as the scheme proposed by Rückert [12] and the work of Zhang et al. [13]. The main reason for this is that complex algorithms are used in the signing process or no efficient aborting technique is involved in these blind signature schemes.
In order to improve the practicability of blind signatures, a new ID-based scheme on lattices is proposed in this paper, which is more efficient and secure. Specifically, the main contributions of this paper are as follows:
(1) Firstly, our blind signature scheme can resist the attack of malicious quantum adversaries, because it is based on lattices. Meanwhile, we prove that our scheme is secure based on the SIS problem in the random oracle model. The lattice cryptosystem also makes it more efficient due to the simple operations involved in lattice-based algorithms.
(2) Secondly, we use bimodal Gaussian rejection sampling in our scheme to prevent the leakage of critical information, such as the signer's secret key. This aborting technique makes the mean number of sampling rounds needed to generate a valid signature smaller. Additionally, we obtain a blind signature of smaller size under this technique.
(3) Finally, because the framework of the ID-based cryptosystem is used in our scheme, no additional cost is needed to manage large numbers of certificates. Therefore, the proposed scheme under this cryptosystem is more practical in real applications.

Related Work
In this section, we mainly discuss related work on blind signature schemes. Due to its excellent concealment, the blind signature has been studied widely and put into applications where important data needs to keep its privacy, such as electronic cash (e-cash) [14], electronic voting [15], and oblivious transfer [16].
In order to design electronic money for the e-cash system, Chaum [5] proposed the first blind signature scheme. After the work of Chaum, many blind signature schemes were worked out on the basis of PKI cryptosystems, whose hardness mostly rests on the integer factorization problem or the discrete logarithm problem [17,18,19]. However, as is well known, the management of certificates is an apparent defect of this cryptosystem. Fortunately, identity-based public key cryptography was proposed by Shamir [8] to eliminate this drawback.
Owing to the advantages of the ID-based cryptosystem, the first ID-based blind signature scheme was worked out by Zhang and Kim [20]. Later, Huang et al. [21] proposed another ID-based blind signature scheme in 2005. In 2008, a generalized ID-based blind signature with bilinear pairings was designed by Kalkan et al. [22]. Then, in 2010, Rao et al. [23] constructed a blind signature scheme on the basis of the ID-based digital signature framework proposed by Hess [24]. Following the work of Rao et al., a provably secure randomized blind signature scheme was constructed by Fan et al. [25] using bilinear pairings. Furthermore, two other new ID-based blind signature schemes based on bilinear pairings were designed by Zhang et al. [26] and Shakerian et al. [27], respectively, in the same year.
However, in 2011, He et al. [28] proposed a novel ID-based blind signature scheme using no bilinear pairings. Their work opened up a new direction in the design of ID-based blind signature schemes, because the new scheme constructed by them guaranteed both high efficiency and anonymity. Later, a new provably secure and pairing-free ID-based partially blind signature scheme was worked out by Islam et al. [29] in 2016 and used in an online e-cash system; this scheme is provably secure in the random oracle model. In 2017, an untraceable ID-based blind signature scheme without pairings for e-cash payment systems was proposed by Kumar et al. [30]. Then, James et al. [31] proposed an efficient pairing-free ID-based blind signature scheme with message recovery in 2018.
Although the ID-based cryptosystem can solve the efficiency drawback of schemes in the PKI cryptosystem, it cannot resist the attack of quantum algorithms. In 2010, the first lattice-based blind signature scheme was proposed by Rückert [12], which was provably secure in the random oracle model. Later, in 2017, a novel round-optimal lattice-based blind signature scheme for cloud services was constructed by Zhu et al. [32]. Similarly, a new postquantum blind signature scheme on lattices was proposed by Zhang et al. [13] in 2018, in which unimodal rejection sampling was used to improve the probability of generating a valid signature.
Unfortunately, the efficiency problem still existed in these schemes because they were designed under the PKI cryptosystem, so some ID-based blind signature schemes were worked out to deal with this disadvantage. In 2014, Zhang and Ma [33] proposed a lattice-based proxy blind signature scheme in the ID-based setting, whose security holds in the standard model. Then, another ID-based blind signature scheme on lattices was constructed by Gao et al. [34] in 2016, also in the standard model. Interestingly, a two-round ID-based blind signature scheme on lattices was also proposed by Gao et al. [35] in the random oracle model in 2017. In addition, this scheme was proved to resist selective identity and chosen message attacks, remaining unforgeable and unconditionally blind based on the SIS problem.
However, no aborting technique or only unimodal rejection sampling was used in these schemes. In 2013, Ducas et al. [36] proposed a modified aborting technique based on the original rejection sampling, called bimodal Gaussian rejection sampling, which reduces the rejection region between the actual sampling distribution and the expected sampling distribution. This means that the signer can generate a valid signature with fewer samples. Additionally, this new aborting technique still retains the basic ability to prevent leakage of information about the signer's secret key. Therefore, using bimodal Gaussian rejection sampling, a new ID-based blind signature scheme on lattices is constructed in this paper based on the work of Zhang et al. [13]. Our scheme has the excellent ability to resist quantum algorithms and high efficiency, combining the advantages of the lattice-based cryptosystem with those of the ID-based cryptosystem.

Preliminaries
In this section, the basic knowledge about lattices is described first. Next, we introduce the Gaussian distribution in detail.

Lattices.
A lattice $L$ is defined as a discrete additive subgroup of the $n$-dimensional Euclidean vector space $\mathbb{R}^n$. Namely, if $b_1, \ldots, b_n$ are $n$ linearly independent vectors in $\mathbb{R}^n$, the lattice $L(B)$ is the set of all integer combinations of these vectors, and the matrix $B$ whose columns are $b_1, \ldots, b_n$ is one basis of $L(B)$. Normally, $n$ is called its dimension. In particular, two types of lattices, called module lattices, deserve particular attention.

Small Integer Solution (SIS) Problem.
Given a positive integer $q$, a matrix $A \in \mathbb{Z}_q^{n \times m}$, and a real number $\beta > 0$, the SIS problem is to find a nonzero vector $v \in \mathbb{Z}^m$ such that $Av \equiv 0 \pmod q$ and $\|v\| \le \beta$.
This kind of SIS problem is homogeneous. The inhomogeneous SIS problem is to find a nonzero preimage $v \in \mathbb{Z}^m$ satisfying $Av \equiv t \pmod q$, where $\|v\| \le \beta$.
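The following Python snippet is an added example, not code from the paper, that makes the two SIS variants above concrete: `is_sis_solution` checks the three conditions of the definition (nonzero, $Av \equiv t \pmod q$ with $t = 0$ in the homogeneous case, $\|v\| \le \beta$), and `brute_force_sis` enumerates small-coefficient vectors for a constructed toy instance (n = 2, m = 6, q = 7). The instance and all function names are assumptions made here; the exhaustive search is only there to show that the search space grows as $3^m$, which is why real parameters are far beyond such enumeration.

```python
import itertools
import math


def vec_norm(v):
    """Euclidean norm ||v||."""
    return math.sqrt(sum(x * x for x in v))


def mat_vec_mod(A, v, q):
    """A·v reduced mod q; A is given as a list of rows over Z_q."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]


def is_sis_solution(A, v, q, beta, t=None):
    """SIS check: v nonzero, A v ≡ t (mod q), and ||v|| <= beta.
    t = None is the homogeneous problem (target 0); a vector t gives
    the inhomogeneous variant."""
    if all(x == 0 for x in v):
        return False
    target = [0] * len(A) if t is None else [x % q for x in t]
    return mat_vec_mod(A, v, q) == target and vec_norm(v) <= beta


def brute_force_sis(A, q, beta, t=None, coeffs=(-1, 0, 1)):
    """Exhaustive search over vectors with entries in `coeffs`.  The search
    space has |coeffs|^m elements, so this is feasible only for toy m; it is
    here to make the problem statement concrete, not as a method of attack."""
    m = len(A[0])
    for v in itertools.product(coeffs, repeat=m):
        v = list(v)
        if is_sis_solution(A, v, q, beta, t):
            return v
    return None


# Constructed toy instance (n = 2, m = 6, q = 7); not parameters from the paper.
Q_TOY = 7
A_TOY = [[1, 1, 1, 1, 1, 1],
         [1, 2, 3, 4, 5, 6]]
BETA_TOY = math.sqrt(6)   # every ternary vector of length 6 has ||v|| <= sqrt(6)

if __name__ == "__main__":
    print("homogeneous solution:", brute_force_sis(A_TOY, Q_TOY, BETA_TOY))
    t = mat_vec_mod(A_TOY, [1, 0, 0, 0, 0, 0], Q_TOY)
    print("inhomogeneous, t =", t, ":", brute_force_sis(A_TOY, Q_TOY, BETA_TOY, t))
```

For this toy matrix the vector $(1, -1, -1, 1, 0, 0)$ is a homogeneous solution of norm 2: both rows sum to 0 modulo 7. Tightening $\beta$ below 2 makes the same vector fail the norm condition, which is the whole point of the bound: without it, $v = q \cdot e_1$ would always be a trivial solution.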
Then, there are two important algorithms used in our protocol, which are applied to generate the secret keys of the trusted third party and the signer.

Trapdoor Generation Algorithm.
Let $q \ge 3$ be an integer and $m > 5n \log q$; there is an efficient algorithm TrapGen$(q, m)$ that generates a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a basis $T_A \in \mathbb{Z}^{m \times m}$ of the lattice $L^{\perp}(A)$. Besides, the distribution of the matrix $A$ is approximately uniform in $\mathbb{Z}_q^{n \times m}$ and the orthogonal matrix

General Preimage Sampling Algorithm.
Let $m \ge n$ be an integer, $q$ a prime number, and $k$ a positive integer. The algorithm samples a matrix $V \in \mathbb{Z}^{m \times k}$ from a distribution close to $G_{L_U(A),s}$, such that $AV \equiv U \pmod q$.

Gaussian Distribution.
In statistics, the continuous Gaussian function is written $\rho_{c,\delta}(x)$, where $c$ is the center and $\delta$ is the standard deviation. Furthermore, if $c = 0$, we usually simplify the notation and write $\rho_\delta(x)$. For a lattice $L$, the function is $\rho_{c,\delta}(L) = \sum_{x \in L} \rho_{c,\delta}(x)$. The discrete Gaussian distribution over $\mathbb{Z}$ is then written as $G_{c,\delta}(x)$, the normalization of $\rho_{c,\delta}$ over $\mathbb{Z}$, and the distribution over $\mathbb{Z}^m$ as $G^m_{c,\delta}(x)$. If the center is $c = 0$, we usually write these two symbols as $G_\delta(x)$ and $G^m_\delta(x)$. In the following, some theorems on the discrete Gaussian distribution are shown.

Theorem 1. Assume that $k \ge 1$; then the following formula holds: Furthermore, if $\delta, r > 0$, then for any element $v \in \mathbb{R}^m$ the following conclusion holds:

Mathematical Problems in Engineering
Theorem 2. Let $\delta = \alpha \|v\|$, where $\alpha > 0$ and $v$ is an element of $\mathbb{Z}^m$. We have

Theorem 3. If the matrix $A \in \mathbb{Z}_q^{n \times m}$ is chosen uniformly at random and $e \leftarrow G_{\mathbb{Z}^m,\delta}$, then $t = Ae \pmod q$ is distributed approximately uniformly in $\mathbb{Z}_q^n$.

Rejection Sampling.
Rejection sampling is a useful aborting technique in lattice-based schemes. Formally, given a positive constant $M$ and a target distribution $f$, we need another distribution $g$ such that $f(x) \le M g(x)$. A sample $x \leftarrow g$ is then accepted, and treated as a sample from $f$, with probability $f(x)/(M g(x))$. In general, $M$ is the mean number of trials needed to obtain an accepted sample.
(1) Rejection Sampling Lemma. Assume that $h$ is a distribution over $V \subseteq \mathbb{Z}^m$, mapping $V$ to $\mathbb{R}$. When $\delta = \omega(T\sqrt{\log m})$, there is a constant $M$ such that the following output distribution holds: In the original Gaussian rejection sampling, the mean number of repetitions is $M \approx e$ when the standard deviation is $\delta = \tau \|Sc\|$, where the Gaussian "tail-cut" factor $\tau$ is proportional to the square root of the security parameter.
In this paper, we introduce bimodal Gaussian rejection sampling into our scheme to obtain a smaller rejection area and signature size. As mentioned in [13], $z = Sc + y$ is considered the signer's signature. But the form of the signature must be changed if bimodal Gaussian rejection sampling is to be used in the scheme. Before the signer begins to sign the message, a random bit $b \in \{-1, 1\}$ is sampled. Then, the relevant signature is $z = bSc + y$.
Thus, the probability distribution of $z$ is a mixture of two Gaussians centered at $\pm Sc$. According to the requirements of rejection sampling, firstly, the inequality $f(x) \le M g(x)$ must hold; secondly, we need to make $M$ as small as possible. For the sake of interpretation, we give the following formula: Because $\cosh(y) \ge 1$ always holds for any $y$, we obtain the value $M = e$ by setting $\delta = \|Sc\|/\sqrt{2}$ instead of $\tau \|Sc\|$. It is easy to see that the mean value $M$ of bimodal Gaussian rejection sampling is smaller than that of the original Gaussian rejection sampling. Besides, the size of the final signature on a lattice is roughly $\delta \sqrt{m}$, so the signature produced with this rejection sampling is much shorter.
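As an added example (not code from the paper, from [13] or from [36]), the Python code below implements the unimodal and bimodal acceptance steps described above for a constructed vector $Sc$, computes the two repetition constants $M$, and simulates the bimodal signer step to confirm that the acceptance rate is about $1/M$ and that the accepted outputs carry no information about $Sc$. The unimodal constant uses the tail-cut bound $M = e^{12/\tau + 1/(2\tau^2)}$ for $\delta = \tau\|Sc\|$ from Lyubashevsky's original analysis, assumed here as the comparison point; the tabulated sampler, the function names and the vector `SC` are assumptions of this example.

```python
import math
import random


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gaussian_table(delta, tail=12):
    """Support and weights of the discrete Gaussian G_delta over Z, truncated
    at tail*delta (the mass outside the tail-cut is negligible)."""
    bound = int(tail * delta) + 1
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-(x * x) / (2.0 * delta * delta)) for x in support]
    return support, weights


def sample_vector(rng, table, m):
    """m independent coordinates from the tabulated discrete Gaussian."""
    support, weights = table
    return rng.choices(support, weights=weights, k=m)


# Repetition constants.  Unimodal (Lyubashevsky-style, delta = tau*||Sc||, tail-cut
# 12): M = exp(12/tau + 1/(2 tau^2)).  Bimodal (the paper's choice):
# M = exp(||Sc||^2 / (2 delta^2)), which equals e at delta = ||Sc||/sqrt(2).
def unimodal_M(delta, sc, tailcut=12):
    return math.exp(tailcut * norm(sc) / delta + norm(sc) ** 2 / (2 * delta ** 2))


def bimodal_M(delta, sc):
    return math.exp(norm(sc) ** 2 / (2 * delta ** 2))


def unimodal_accept_prob(z, sc, delta):
    """f(z)/(M g(z)) with f = G_delta and g = G_{Sc,delta}: the ratio f/g is
    exp((||Sc||^2 - 2<z,Sc>)/(2 delta^2)); divided by M and clipped to 1."""
    ratio = math.exp((norm(sc) ** 2 - 2 * dot(z, sc)) / (2 * delta ** 2))
    return min(1.0, ratio / unimodal_M(delta, sc))


def bimodal_accept_prob(z, sc, delta):
    """f(z)/(M g(z)) with g = (1/2)G_{Sc,delta} + (1/2)G_{-Sc,delta}.  Expanding
    both Gaussians gives g(z) = f(z) * exp(-||Sc||^2/(2 delta^2)) * cosh(<z,Sc>/delta^2),
    so f/(M g) collapses to 1/cosh(<z,Sc>/delta^2), which is always <= 1."""
    return 1.0 / math.cosh(dot(z, sc) / delta ** 2)


def bimodal_signer_step(rng, sc, delta, table):
    """One signer attempt: z = b*Sc + y, kept with probability f/(M g)."""
    y = sample_vector(rng, table, len(sc))
    b = rng.choice((-1, 1))
    z = [b * s + yi for s, yi in zip(sc, y)]
    return z if rng.random() < bimodal_accept_prob(z, sc, delta) else None


def simulate_bimodal(sc, delta, trials, seed=1):
    """Returns (acceptance rate, mean projection of accepted z onto Sc).
    The rate should approach 1/M and the projection 0: accepted outputs follow
    G_delta and so carry no information about the secret-dependent Sc."""
    rng = random.Random(seed)
    table = gaussian_table(delta)
    attempts = (bimodal_signer_step(rng, sc, delta, table) for _ in range(trials))
    accepted = [z for z in attempts if z is not None]
    rate = len(accepted) / trials
    projection = sum(dot(z, sc) for z in accepted) / (len(accepted) * norm(sc))
    return rate, projection


# Constructed secret-dependent vector Sc for the example (not from the paper).
SC = [3, 0, -2, 1]

if __name__ == "__main__":
    delta_bi = norm(SC) / math.sqrt(2)
    delta_uni = 12 * norm(SC)
    print("bimodal  delta=%.2f  M=%.3f" % (delta_bi, bimodal_M(delta_bi, SC)))
    print("unimodal delta=%.2f  M=%.3f" % (delta_uni, unimodal_M(delta_uni, SC)))
    print("simulated (rate, projection):", simulate_bimodal(SC, delta_bi, 4000))
```

Both settings give $M \approx e$, but the bimodal one reaches it with $\delta = \|Sc\|/\sqrt{2}$ rather than $\delta = 12\|Sc\|$, and since the signature size scales with $\delta\sqrt{m}$ that is where the size saving comes from. The projection check is the property a reviewer should look for in any implementation of this step: the secret enters the proposal distribution but must not be visible in the accepted output.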

Security Model
In this section, the security model of the blind signature is introduced in detail. Normally, in addition to all the security attributes that a general signature scheme has, a blind signature should have two more security attributes:
(i) Blindness: the signer does not know the specific content of the actual message it signs.
(ii) Unforgeability: after a message is signed, the signer who gets the signature of this message cannot link this signature to the details of the corresponding signing process.
In fact, blindness means that a malicious signer can only obtain information independent of the actual message. In particular, a formal game is used to describe blindness.

Blindness Game.
If no probabilistic polynomial-time algorithm can win the following game, we consider the corresponding ID-based signature protocol blind. In this game, there are two honest users $U_0$ and $U_1$, and $A$ is a malicious signer. The game of blindness is defined as follows:
(1) $A$ gets the public parameters params by querying Setup.
(2) $A$ performs Extract(params, ID) $\to S_{ID}$; namely, $A$ obtains the secret key $S_{ID}$ of the identity ID by using the Key Extract algorithm.
It is worth noting that $A$ wins the game of blindness if and only if $b' = b$. Moreover, we denote by $Adv^{Blind}_{IDBS}$ the advantage of $A$ in winning this game.
Next, another security game aimed at unforgeability is defined below. In this game, $S$ acts as the challenger and $A$ is an adversary playing the role of a user.

Unforgeability Game.
We say that $A$ breaks the unforgeability of an ID-based blind signature scheme if $A$ makes $q_E$ extract queries and $q_S$ issue queries within time $t$ and the corresponding advantage $Adv^{UF}_{IDBS}$ of $A$ is at least $\varepsilon$. Otherwise, the scheme is unforgeable. The game of unforgeability is defined as follows:
(1) Setup: after inputting the security parameter $1^\lambda$, $S$ runs the Setup algorithm to generate the system public parameters params and the master secret key sk. Then, the public parameters params are sent to $A$.
(2) Query: there are three kinds of queries that $A$ can choose to send to $S$.
(a) Hash query: after getting this query, $S$ selects a random value and returns it to $A$. It is worth noting that random oracle queries are answered consistently by the challenger.
(b) Extract query: after receiving this query, $S$ runs the Key Extract algorithm to get the relevant secret key $sk_{ID}$ and gives it back to $A$.
(c) Issue query: after obtaining this query, $S$ executes the sign algorithm cooperatively with $A$ to get the signature sig. But before this operation, $S$ obtains the secret key $S_{ID}$ of ID by performing the extract query. Finally, the signature sig is given back to $A$.
(3) Forgery: after the above query phase, $A$ uses the information gathered to forge a signature $sig^\star$ on the message $u^\star$ of the user whose identity is $ID^\star$. Additionally, $A$ outputs $n$ valid signature pairs $(u_1, sig_1), \ldots, (u_n, sig_n)$, where $(u^\star, sig^\star) = (u_n, sig_n)$. If the following conditions are satisfied by these signature pairs, we conclude that $A$ wins this game. Furthermore, $Adv^{UF}_{IDBS}$ is the advantage of $A$ in finally succeeding in this game.
(a) For any $i \ne j$ with $i, j \in \{1, \ldots, n\}$, we have $u_i \ne u_j$.
(b) $n > q_S$.
(c) $A$ never uses the extract query to get the secret key $S_{ID^\star}$ of the user whose identity is $ID^\star$.
Generally, an ID-based blind signature is considered to have blindness and unforgeability if $Adv^{Blind}_{IDBS}$ and $Adv^{UF}_{IDBS}$ are negligible for any polynomial-time adversary.

Our Scheme
In this section, we introduce our ID-based blind signature scheme in detail. Notably, two important algorithms are used in our scheme, TrapGen and SampleMat [37,38]. Meanwhile, the public key generator (PKG) is the trusted third party.

System Setup.
After getting the security parameter $1^\lambda$ and $n$, the PKG performs the following four steps: (1) Choose a prime number $q \ge 3$ and $m > 5n \log q$,

Key Extraction Phase.
In our scheme, the PKG uses the following method to generate the user's key pair. The key extraction phase is shown in Figure 1. Thus, $T$ and $A_u$ are the user's public keys and $S_u$ is the corresponding secret key.

Sign Phase.
Essentially, this phase is an interactive three-move identification scheme over lattices based on the SIS problem. It is assumed that $u$ is the actual message to be signed. The specific interaction process is as follows:
(1) The signer selects a random vector $r \leftarrow G^m_{\delta_2}$ and calculates $x = A_u r$. Then, $x$ is transmitted to the user.
(2) Blind: the user chooses two blind factors $a \leftarrow G^m_{\delta_3}$ and $b \leftarrow G^n_{\delta_1}$ and computes $c = H(x + A_u a + Tb \pmod{2q}, \mathrm{com}(u, t))$. Noticeably, $u$ is the message to be signed and $t$ is a random value. Besides, the function com is a commitment.
Then, $e = pc + b$ is worked out, where $p \in \{-1, 1\}$. Finally, $e$ is sent to the signer, using bimodal Gaussian rejection sampling to stop $e$ from leaking information about $c$.
(3) BSign: the signer selects $w \leftarrow \{-1, 1\}$ at random and computes $y = r + wS_u e$. Similarly, $y$ is sent to the user in the same way to hide the relevant information about $S_u$.
(4) Unblind: the user computes $z = y + a$.
Then, $z$ is output by unimodal Gaussian rejection sampling.
If $z \in J$, we set result $= (a, b, c, m, \mathrm{com}(u, t))$, where $J$ is the rejection region of the Gaussian sampling. Otherwise, we set result $=$ accept. Finally, result is given to the signer.
(5) After receiving result, the signer checks whether the value of result is accept or not. If so, the blind signature $(z, c)$ is valid. On the contrary, if $e - b = mc = mH(x + A_u a + Tb \pmod{2q}, \mathrm{com}(u, t))$, $c = H(A_u a + A_u y - Tc \pmod{2q}, \mathrm{com}(u, t))$, and $y + a \in J$, the signer restarts the sign phase with the user. The sign phase is shown in Figure 2.

Verify Phase.
In this phase, the verifier checks whether the following conditions hold: Actually, $(z, c)$ is the final signature pair. If the two conditions above are satisfied, we have $\mathrm{Verify}(A_u, T, z, c, u) = 1$.

Correctness Analysis Phase.
In this section, we mainly discuss the correctness and the repetition rate of our blind signature. Firstly, we have that $c = H(x + A_u a + Tb \pmod{2q}, \mathrm{com}(u, t)) = H(A_u z - qc \pmod{2q}, \mathrm{com}(u, t))$. Additionally, on the basis of Theorem 1 and the rejection sampling lemma, $\|z\| \le 2\delta_3 \sqrt{m}$ holds with overwhelming probability.
Next, because bimodal Gaussian rejection sampling is used in two places in our scheme, the mean number of repetitions is smaller than that of the original scheme. According to the introduction of the Gaussian distribution, we have that In the rejection sampling lemma, we need to keep $M_i$ ($i \in \{1, 2, 3\}$) as small as possible. Therefore, the values of $M_i$ are worked out as $M_1 = e^{\|c\|^2/(2\delta_1^2)}$, $M_2 = e^{\|S_u e\|^2/(2\delta_2^2)}$, and $M_3 = e^{(24\|y\|\delta_3 + \|y\|^2)/(2\delta_3^2)}$. Obviously, $M_1$ and $M_2$ are both smaller than the original values in general rejection sampling, but $M_3$ is not. Therefore, a valid blind signature can be generated successfully in fewer repetitions, whose expected number is $\prod_{i=1}^{3} M_i$.
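To make the correctness relation $c = H(A_u z - qc \pmod{2q}, \mathrm{com}(u, t))$ tangible, the Python program below is an added toy simulation, not the paper's code: it builds keys of the shape $A_u = [2P_{ID} \mid 2A'' + qI]$ and $S_u = [S'; I]$ with $A''$ chosen so that $A_u S_u \equiv T = qI \pmod{2q}$, runs steps (1) to (4) of the sign phase, and verifies with exactly that relation plus the bound $\|z\| \le 2\delta_3\sqrt{m}$. The parameters, the SHA-256 instantiations of $H$ and com, the rounded-Gaussian sampler, the ternary choice of $S'$ and the omission of the three rejection-sampling filters are all simplifications assumed here; nothing at these sizes is secure.

```python
import hashlib
import math
import random

# Toy parameters, constructed for this example only.  They are far too small to
# be secure and do not meet the paper's requirement m > 5 n log q.
N, K, Q = 4, 8, 257        # n, k and the prime q of the paper
M = N + K                  # m: A_u has N rows and M columns
D1, D2, D3 = 5, 8, 60      # delta_1, delta_2, delta_3
MOD = 2 * Q                # the scheme works modulo 2q


def gauss_vec(rng, delta, dim):
    """Rounded continuous Gaussian; a stand-in for the discrete Gaussian G^dim_delta."""
    return [round(rng.gauss(0, delta)) for _ in range(dim)]


def mat_vec(A, v, mod):
    return [sum(a * x for a, x in zip(row, v)) % mod for row in A]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def commit(u, t):
    """Commitment com(u, t), realised here as SHA-256(u || t) (assumption)."""
    return hashlib.sha256(u + t).digest()


def H(vec, com):
    """Random oracle H, realised with SHA-256, mapping to c in {-1, 0, 1}^N."""
    data = b",".join(str(x).encode() for x in vec) + b"|" + com
    return [(byte % 3) - 1 for byte in hashlib.sha256(data).digest()[:N]]


def key_extract(rng):
    """PKG side.  A_u = [2 P_ID | 2 A'' + q I] with A'' = -P_ID S' (mod q), so that
    A_u S_u ≡ q I = T (mod 2q) for S_u = [S' ; I]: the relation the correctness
    argument relies on.  S' has ternary entries (constructed choice)."""
    P = [[rng.randrange(Q) for _ in range(K)] for _ in range(N)]
    S1 = [[rng.choice((-1, 0, 1)) for _ in range(N)] for _ in range(K)]   # K x N
    A2 = [[(-sum(P[i][l] * S1[l][j] for l in range(K))) % Q for j in range(N)]
          for i in range(N)]                                                # N x N
    A_u = [[2 * P[i][j] for j in range(K)] +
           [(2 * A2[i][j] + (Q if i == j else 0)) % MOD for j in range(N)]
           for i in range(N)]
    S_u = S1 + [[1 if i == j else 0 for j in range(N)] for i in range(N)]  # M x N
    return A_u, S_u


def key_relation_holds(A_u, S_u):
    """Check A_u S_u ≡ q I (mod 2q)."""
    for i in range(N):
        for j in range(N):
            val = sum(A_u[i][l] * S_u[l][j] for l in range(M)) % MOD
            if val != (Q if i == j else 0):
                return False
    return True


def blind_sign(rng, A_u, S_u, u, t):
    """Steps (1)-(4) of the sign phase.  The rejection-sampling filters on e, y
    and z are omitted; only the algebra is exercised.  Note that the signer's
    view is (x, e, y) and never contains u or com(u, t)."""
    r = gauss_vec(rng, D2, M)                      # (1) signer
    x = mat_vec(A_u, r, MOD)
    a = gauss_vec(rng, D3, M)                      # (2) user: blind factors a, b
    b = gauss_vec(rng, D1, N)
    com = commit(u, t)
    Aa = mat_vec(A_u, a, MOD)
    c = H([(xi + ai + Q * bi) % MOD for xi, ai, bi in zip(x, Aa, b)], com)
    p = rng.choice((-1, 1))
    e = [p * ci + bi for ci, bi in zip(c, b)]
    w = rng.choice((-1, 1))                        # (3) signer: y = r + w S_u e
    Se = [sum(s * ei for s, ei in zip(row, e)) for row in S_u]
    y = [ri + w * si for ri, si in zip(r, Se)]
    z = [yi + ai for yi, ai in zip(y, a)]          # (4) user: unblind
    return z, c, com


def verify(A_u, z, c, com):
    """c == H(A_u z - q c (mod 2q), com(u, t)) and ||z|| <= 2 delta_3 sqrt(m)."""
    Az = mat_vec(A_u, z, MOD)
    hashed = H([(azi - Q * ci) % MOD for azi, ci in zip(Az, c)], com)
    return hashed == c and norm(z) <= 2 * D3 * math.sqrt(M)


def demo(seed=7):
    rng = random.Random(seed)
    A_u, S_u = key_extract(rng)
    z, c, com = blind_sign(rng, A_u, S_u, b"pay 10 units", b"nonce-1")
    return key_relation_holds(A_u, S_u), verify(A_u, z, c, com), c


if __name__ == "__main__":
    print(demo())
```

The algebra that makes `verify` pass is the one sketched in the correctness analysis: $A_u y \equiv x + wTe \equiv x + Te \pmod{2q}$ because $w = \pm 1$ and $T = qI$ absorb the sign, and $Te = T(pc + b) \equiv qc + qb$, so $A_u z - qc \equiv x + A_u a + Tb$, the very input the user hashed. Nothing in the signer's turn touches $u$ or $\mathrm{com}(u, t)$, which is the observable basis of the blindness argument in Section 6.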

Security Proof
In this section, we prove that our scheme is blind and unforgeable using the security model defined in Section 4. In fact, we need a malicious adversary to play the security games with a challenger.

Figure 1: Key extraction phase (PKG and signer; SampleMat(A, B, s, A′)).

Blindness.
We mainly prove the blindness of our scheme from the indistinguishability of views. Normally, views are the information conveyed between the signer and the users, as the following theorem shows.

Theorem 4. The proposed ID-based blind signature scheme on lattices has blindness.
Proof. As the game of blindness shows, a dishonest signer $A^\star(pk, sk)$ selects two messages $u_0$ and $u_1$. Then these messages are sent to the two honest users $U_0(pk, u_b)$ and $U_1(pk, u_{1-b})$. Then this malicious signer plays the game of blindness with $U_0$ and $U_1$ interactively, respectively. Therefore, we can prove that our ID-based blind signature scheme is blind to $A^\star$ by showing that all outputs of the users are independent of the messages signed. We can see from the proposed scheme that the outputs are $e$ and the final signature $(z, c)$. Because $c \leftarrow \{v \in \{-1, 0, 1\}^n : \|v\|_1 \le n\}$, $c$ is always a random value in the view of $A^\star$. Therefore, we need only consider the two values $e$ and $z$.
Firstly, we consider $e$. We assume that $e_b$ and $e_{1-b}$ are generated in the game of blindness; $e_b$ is held by $U_0$ and $e_{1-b}$ corresponds to $U_1$. In our scheme, $e = mc + b$, where $c$ can be seen as a random value. Besides, $e$ is transmitted using bimodal Gaussian rejection sampling. Therefore, after getting $e_b$ and $e_{1-b}$, $A^\star$ cannot link them to their respective messages $u_b$ or $u_{1-b}$. This is because the distribution of both $e_b$ and $e_{1-b}$ is $\frac{1}{2}G^n_{c,\delta_1} + \frac{1}{2}G^n_{-c,\delta_1}$, but under bimodal Gaussian rejection sampling their output distribution is the same as that of $b$, which is $G^n_{\delta_1}$. In fact, the mean of the distribution of $e_b$ should differ from that of $e_{1-b}$. However, these means can be considered random values, so for simplicity we set the mean as $c$ uniformly. Hence the statistical distance between $e_b$ and $e_{1-b}$ is 0; namely, $\Delta(e_b, e_{1-b}) = 0$.
Next, we discuss $z$. In the proposed scheme, $z = y + a$, where $a \leftarrow G^m_{\delta_3}$ is a blind factor. However, the way $z$ is output differs from that of the challenge $e$ above, because the Gaussian rejection sampling used here is unimodal rather than bimodal. But this has no influence on blindness. Similarly, we assume that $z_b$ is the final signature of $U_0$ and $z_{1-b}$ is the signature that $U_1$ received, and we set the mean of the distributions of $z_b$ and $z_{1-b}$ as $y$. Because the value $y$ is computed by the signer, the distribution of both $z_b$ and $z_{1-b}$ is $G_{y,\delta_3}$. According to Gaussian rejection sampling, the output distribution of $z_b$ and $z_{1-b}$ is the same as that of $a$, which is $G^m_{\delta_3}$. Therefore, $A^\star$ cannot determine the corresponding messages of $z_b$ and $z_{1-b}$ from their output distribution.
That is, the relevant statistical distance is $\Delta(z_b, z_{1-b}) = 0$. Furthermore, we assume that $A^\star$ obtains the corresponding parameters ID and the secret key $S_{ID}$ by playing the game of blindness with $U_0$ and $U_1$. Besides, $\delta(u_b)$ and $\delta(u_{1-b})$ are the information $A^\star$ has after playing this game. It is worth noting that if $A^\star$ simply guesses a random value $b'$ without any help in order to win the game of blindness, the success probability is 1/2.
In addition, for $i \in \{0, 1\}$, $x_i$, $e_i$, and $y_i$ are the data exchanged between the signer and the user when the issue query is performed by the user. Finally, $(z_0, c_0)$ and $(z_1, c_1)$ are returned to the dishonest signer $A^\star$. For each $i, j \in \{0, 1\}$, there are two random blind factors $a, b$ that map $x_i, e_i, y_i$ to $z_j, c_j$. Thus, $a = z_j - y_i$ and $b = -mc_j + e_i$. Since $T = qI$, where $I$ is the identity matrix, the hash argument can be rewritten as $H(A_u y_i + Te_i + A_u a - Tb \pmod{2q}, \mathrm{com}(u, t))$, which results in indistinguishability to $A^\star$. Therefore, the probabilistic polynomial-time adversary $A^\star$ outputs the right value of $b$ with probability 1/2. In a word, our ID-based blind signature scheme on lattices has the security attribute of blindness. □

Unforgeability.
In fact, unforgeability ensures that a malicious user can output at most $n$ valid signatures, where $n$ is the maximum number of queries this adversary can make to the challenger. Following the process of the game of unforgeability, we give the specific steps of this game on the basis of the proposed scheme.

Theorem 5.
If $A^\star$ is a probabilistic polynomial-time adversary that can break our ID-based blind signature on lattices with non-negligible probability, then we can construct a polynomial-time algorithm using $A^\star$ as a subroutine to solve the SIS problem with overwhelming probability.
Proof. We assume that $h$ and $l$ are the maximum numbers of queries that $A^\star$ can make to the random oracle $H$ and to the signer, respectively. Furthermore, the responses of the random oracle $H$ are determined in advance. Thus, we have $H \to c_1, \ldots, c_s$, where $s = l + h$, because the adversary makes a query to $H$ before sending a signature query. As shown in the following, $A^\star$ plays the game of unforgeability with the challenger $S$:
(i) Setup: after inputting the security parameter $1^\lambda$, the challenger picks a random matrix $A \in \mathbb{Z}_q^{n \times m}$ and a hash function $H_1 : \{0, 1\}^* \to \mathbb{Z}_q^{n \times k}$. Additionally, the random oracle $H$ is controlled by $S$. Then, these system public parameters are published to $A^\star$.
(ii) Query: $A^\star$ can make four types of queries to $S$: $H_1$ query, $H$ query, extract query, and issue query. It is worth noting that $S$ maintains four initially empty lists before answering these queries, namely $H_1^{list}$, $H^{list}$, $SK^{list}$, and $Sig^{list}$. The specific processes for answering these queries are as follows:
(1) $H_1$ query: as mentioned above, $S$ holds an initially empty list $H_1^{list}$ whose items have the form $(ID, P_{ID}, S_{ID})$. After receiving an $H_1$ query about the identity ID, $S$ first searches for the corresponding item in $H_1^{list}$. If there is an element $ID_i = ID$, $S$ gives $P_{ID_i}$ to $A^\star$ as its response. Otherwise, $S$ chooses a matrix $S_{ID} \in \mathbb{Z}^{m \times k}$ at random whose columns follow the distribution $G_{\mathbb{Z}^m,s}$. Then, $S$ computes $P_{ID} = AS_{ID}$. According to Theorems 1 and 3 in the Gaussian Distribution section, $\|S_{ID}\| \le s\sqrt{m}$ and a random matrix $P_{ID} \in \mathbb{Z}^{n \times k}$ are obtained with non-negligible probability. Finally, the new item $(ID, P_{ID}, S_{ID})$ is inserted into $H_1^{list}$. Besides, $P_{ID}$ is returned to $A^\star$.
(2) Extract query: after acquiring this query, $S$ first looks for the corresponding item $(ID, P_{ID}, S_{ID})$ in $H_1^{list}$. Then $A^\star$ gets a random matrix $S'_{ID} \in \mathbb{Z}^{n \times k}$ from the matrix $S_{ID}$. Moreover, $A^\star$ can compute the transposed matrix $S''_{ID} \in \mathbb{Z}^{k \times n}$ of the matrix $S'_{ID}$, and we assign the value of $S''_{ID}$ to $S'$. In the end, $S'$ is inserted in $SK^{list}$ and $SK_{ID} = [S' \; I]^T$ is given back to $A^\star$. If a corresponding item does not exist, $S$ picks a random matrix $S' \in \mathbb{Z}^{k \times n}$ and makes an $H_1$ query. Similarly, the new item $(ID, P_{ID}, S_{ID}, S')$ is added to the list $SK^{list}$ and the relevant matrix $SK_{ID}$ is transmitted to $A^\star$. Furthermore, $S$ calculates $A'' = P_{ID} SK_{ID} \pmod q$.
Then, $S$ can compute $A_u = [2P_{ID} \mid 2A'' + qI]$ and give $A_u$ to the adversary as the public key of the user whose identity is ID. $(z, h)$. Finally, $S$ sends $(z, h)$ to $A^\star$ as the response to this issue query.
If the response to an $H$ query is $c \notin \{c_1, \ldots, c_s\}$, $A^\star$ can make $c$ the answer of the random oracle $H$ with probability $1/|H|$. Here, $|H|$ is the size of the output set of the random oracle $H$. In other words, $c$ is an element of $\{c_1, \ldots, c_s\}$ with probability $1 - 1/|H|$. Therefore, $A^\star$ can make a successful forgery $((z_{l+1}, c_{l+1}), u_{l+1})$ with probability $\rho - 1/|H|$, where $c_{l+1}$ comes from $\{c_1, \ldots, c_s\}$. As mentioned previously, the $H$ query can take place in two places, so we need to discuss the specific scheme in two different scenarios:
(1) Scenario 1: $c$ is generated by $S$ while responding to an issue query made by $A^\star$. Because $c$ is the response of a signature on $(A_u z' - Tc, u')$, we have $H(A_u z - Tc, u) = H(A_u z' - Tc, u')$. Thus, we must have $u = u'$ and $A_u z - Tc = A_u z' - Tc$; otherwise, we have found a collision of the hash function $H$. So we conclude that $A_u(z - z') \equiv 0 \pmod{2q}$. Besides, we have $\|z - z'\| \le 4\delta_3\sqrt{m}$, because $\|z\|, \|z'\| \le 2\delta_3\sqrt{m}$.
(2) Scenario 2: $c$ is an answer of the random oracle $H$. In order to solve the SIS problem, $S$ replays the game of unforgeability with $A^\star$. However, there is something different from the first run of this game. S

Next, we give a simple comparison between our scheme and the classical scheme proposed by Rückert et al. [39]. Here, $m$ and $n$ are the common system parameters of the two schemes. Moreover, $c$ is the bit size of the user's identity and $s = \tilde{s}\sqrt{(c+1)m}\,\omega(\sqrt{\log n})$ is the expanded Gaussian parameter in Rückert et al.'s scheme [39]. The size of the final signature in our scheme is $m\log(12\delta_3)$. According to Rückert et al. [39], the signature size is $(c+1)m\log\big(s\sqrt{(c+1)m}\big) + n$ in their ID-based blind scheme. Obviously, the signature size in our scheme is smaller than that of Rückert et al.'s scheme [39] in the random oracle model. In terms of computational complexity, only simple operations are involved in our sign and verify algorithms, such as scalar multiplication of vectors, vector addition, matrix-vector multiplication, and hash functions. However, the sign and verify algorithms of Rückert et al.'s scheme [39] include complex algorithms to generate a valid signature, such as the ExtBasis algorithm and the SamplePre algorithm. So our scheme is simpler and more efficient than the scheme proposed by Rückert et al. [39].
Based on the above results, we conclude that our scheme has lower communication and computation costs compared with the latest blind signature scheme on lattices proposed by Zhang et al. [13] and the most authoritative blind signature scheme on lattices proposed by Rückert et al. [39]. Thus, our scheme has more efficient and practical value in applications. Table 2 shows the relevant comparison in detail.

Conclusion
Integrating the advantages of the ID-based cryptosystem with those of the lattice-based cryptosystem, we construct in this paper an efficient and secure ID-based blind signature scheme to protect the privacy of confidential data, which can be widely applied to e-cash and electronic voting systems. Moreover, a useful aborting technique, bimodal Gaussian rejection sampling, is used in our scheme to accelerate the generation of a valid blind signature. Meanwhile, our scheme is provably secure in the random oracle model on the basis of the SIS problem. By comparing with the scheme of Zhang et al. [13] and that of Rückert et al. [39], we demonstrate the superiority of our scheme in communication and computation efficiency.
Extending our scheme to obtain other useful properties, and completing an original model for evaluating the extended scheme in a real application environment, is our future work.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.