Provably Secure Lattice-Based Self-Certified Signature Scheme

Digital signatures are a core network security primitive. In traditional public key signature schemes, however, certificate management is complicated, and schemes that omit certificates are vulnerable to public key replacement attacks. To address these problems, this paper proposes a self-certified signature scheme over lattices. With a self-certified public key, a user's public key is authenticated without an extra certificate, which reduces the communication overhead and computational cost of the signature scheme, and the lattice assumptions underlying the scheme are believed to resist quantum attacks. Based on the small integer solution (SIS) problem, the scheme is provably secure in the random oracle model. Compared with previous self-certified signature schemes, it offers stronger security guarantees.


Introduction
With the development of the Internet, many networked systems need to verify the authenticity of a message or a user, for example data verification in the Internet of Vehicles [1] and user authentication in industrial and mobile networks [2,3]. In general, these authentication systems fall into traditional public key infrastructure (PKI) based cryptosystems with certificates [4] and certificateless cryptosystems [5,6]. In a PKI-based cryptosystem, a certificate issued by a certificate authority (CA) is required to certify the binding between a public key and its owner. Certificate management is complicated and increases computation and communication costs; if certificates are omitted, the system becomes vulnerable to public key replacement attacks. To avoid certificate management, Shamir [5] introduced identity-based (IB) cryptosystems in 1984, in which a user's public key is the user's identity information. Although no certificates are required, IB cryptosystems suffer from the key escrow problem.
To address these problems, Girault [7] introduced the notion of self-certified public keys in 1991, which lets a public key implicitly authenticate its owner's identity without an extra certificate. Concretely, the public key is computed jointly by the user and the authority. Then, verifying the signature and authenticating the public key are performed in a single logical step. Thus a self-certified signature scheme relieves the burden of certificate management and storage and avoids the key escrow problem. Self-certified signature schemes are therefore attractive for environments with limited memory and computational capacity, such as smart mobile devices [8], wireless sensor networks [9], the cloud [10], and vehicular ad hoc networks [11].
However, most existing self-certified signature schemes are based on the discrete logarithm problem or the integer factorization problem. Shor [12] showed that both problems can be solved efficiently by quantum computers, so signature schemes based on them are no longer secure in the quantum era. Lattice-based cryptography is one of the post-quantum candidate families in the standardization process run by the National Institute of Standards and Technology [13], and in recent years it has progressed rapidly in both refined security assessment and fast implementation [14,15].
Thus, to resist quantum attacks, this paper proposes a provably secure lattice-based self-certified signature scheme in the random oracle model (ROM). Our contributions are as follows. First, the scheme combines the advantages of self-certified public keys and lattice signatures: it simplifies public key authentication and avoids both the key escrow problem and public key replacement attacks, while resisting quantum attacks. Second, based on the hardness of the small integer solution (SIS) problem, the scheme is existentially unforgeable against two types of adversaries in the ROM.
Related work: in PKI-based signature schemes [16], CA issues a certificate for the user, which increases the burden of certificate management and storage.
Many schemes have been proposed to reduce the cost of certificate management and storage. For instance, numerous IB signature schemes exist in which the public key is the user's identity, so no extra certificate is needed; however, they are subject to the key escrow problem because the key generation center (KGC) generates the private keys of all users [17], and a malicious KGC can therefore impersonate any user. Certificateless public key cryptography [6] also needs no separate certificate. Recently, Gowri et al. [18] proposed a certificateless signature scheme from ECC, but Xu et al. [19] later showed it to be vulnerable to signature forgery attacks.
To solve the above problems, Girault [7] proposed the self-certified cryptosystem, in which there are no certificates, and neither the user nor the authority can independently obtain the full private key of the user.
Since self-certified public keys were introduced, many self-certified signature schemes have been proposed. Shao [20] proposed a self-certified signature scheme from pairings, which was later shown to be insecure. Self-certified signature schemes based on the discrete logarithm problem were also proposed by Xie [21] and by Wu and Xu [22]; Sadeghpour [23] pointed out that Wu and Xu's scheme [22] is vulnerable to insider attacks. Several self-certified signature and authentication schemes for specific scenarios also exist [9,11,24,25]. None of these schemes resists quantum attacks, because their underlying hardness assumptions do not hold against quantum computers.
Using lattices to build a post-quantum self-certified signature scheme is a natural approach. Li et al. [8] proposed the first lattice-based self-certified signature scheme; however, it is built on NTRUSign and lacks a rigorous security proof, and no other lattice-based self-certified signature schemes exist. Tian and Huang [26] and others have proposed lattice-based certificateless signature schemes, which also need no certificate, but they do not resist insider attacks and have other flaws [27,28]. Hence, in this paper we aim to construct a provably secure self-certified signature scheme over lattices. The rest of the paper is organized as follows: Section 2 introduces basic concepts of lattice signature schemes; Section 3 gives the syntax and security model of self-certified signature schemes; Section 4 presents our scheme; Section 5 analyzes correctness and security and compares the scheme with related work; finally, we conclude and discuss future work.

Notations.
The notations used in this paper are as follows: (1) Let $\mathbb{R}$ be the set of real numbers, $\mathbb{Z}$ the set of integers, and $\mathbb{N}$ the set of nonnegative integers. For a positive integer $p$, $\mathbb{Z}_p$ is the set of integers modulo $p$.

Lattice
For $q, n, m \in \mathbb{N}$ with $q \ge 2$ and $A \in \mathbb{Z}_q^{n \times m}$, the $q$-ary lattice is defined as follows: (1) Definition 2 (small integer solution (SIS) problem [29]). For positive integers $n, q, m$, a matrix $A \in \mathbb{Z}_q^{n \times m}$ and $\beta \in \mathbb{R}$, the $\mathrm{SIS}_{n,m,q,\beta}$ problem is to find a nonzero integer vector $x \in \mathbb{Z}^m$ satisfying $Ax = 0 \bmod q$ and $\|x\| \le \beta$. Definition 3 (inhomogeneous SIS (ISIS) problem). For positive integers $n, q, m$, $A \in \mathbb{Z}_q^{n \times m}$ and $\beta \in \mathbb{R}$, the $\mathrm{ISIS}_{n,m,q,\beta}$ problem is defined as follows: given $y \in \mathbb{Z}_q^n$, find a vector $x \in \mathbb{Z}^m$ such that $Ax = y \bmod q$ and $\|x\| \le \beta$. The hardness of (I)SIS rests on worst-case lattice problems [29,30].

Lemma 1 (hardness). For any polynomially bounded $m, \beta$ and prime $q \ge \beta \cdot \omega(\sqrt{n \log n})$, solving the (I)SIS problems is as hard as solving GapSVP and SIVP on arbitrary $n$-dimensional lattices.

Gaussian on Lattices
Definition 4 (Gaussian function). For any real $s > 0$ and center $c \in \mathbb{R}^n$, define the Gaussian function on $\mathbb{R}^n$ as For simplicity, when $s = 1$ and $c = 0$ they are omitted.
Discrete Gaussian distribution: the Gaussian distribution over $\mathbb{Z}$ is defined as For any $s > 0$, $c \in \mathbb{R}^n$ and $n$-dimensional lattice $\Lambda$, define the discrete Gaussian distribution $D_{\Lambda + c, s}$ over the lattice as Definition 5 (smoothing parameter [31]). For a lattice $\Lambda$ and real $\varepsilon > 0$, the smoothing parameter $\eta_\varepsilon(\Lambda)$ is the smallest real $s > 0$ such that For $s \ge 2\eta_\varepsilon(\Lambda)$, the Gaussian distribution $D_{\Lambda, s}$ is close to uniform.
Lemma 2 (see [30]). For the lattice $\Lambda$ with basis $B$, let the Gaussian parameter Lemma 3 (see [30]). For any $n$-dimensional lattice $\Lambda$ with basis $B$ and real

Short Bases of Lattice
Definition 6 (gadget lattice [32]). The gadget matrix $G$ is defined as The (I)SIS problems are easy to solve on the gadget matrix $G$.
Definition 7 (G-trapdoor [32]). For the matrices $A \in \mathbb{Z}^{n \times m}$ Here, $H$ is an invertible matrix. The quality of the trapdoor is determined by its largest singular value $s_1(R)$.
The most efficient trapdoor generation algorithm at present is G-TrapGen [32]. The output matrix $A$ is statistically close to uniformly random. The quality of the trapdoor is Lemma 5 (G-trapdoor SamplePre [32]). For the matrix there is a PPT algorithm that outputs the preimage $y = p +$ Lemma 6 (SampleMat [26]). Let $n \ge 1$, $q \ge 2$ and $m = O(n \log q)$. Given a matrix $A \in \mathbb{Z}_q^{n \times m}$ with trapdoor $R$, a matrix $U \in \mathbb{Z}_q^{n \times k}$ and the Gaussian parameter $s = O(\sqrt{n \log q})$, there is a PPT algorithm SampleMAT$(A, R, s, U)$ that outputs a preimage $X \in \mathbb{Z}^{m \times k}$ such that $AX = U \bmod q$ and $\|X\| \le s\sqrt{m}$.

Rejection Sampling Technique
Lemma 7 (see [31]). For any Gaussian parameter $\sigma > 0$ and positive integer $m$, Lemma 8 (see [33]). For any $c \in \mathbb{Z}^m$, positive real $\alpha$ and $\sigma = \omega(\|c\| \sqrt{\log m})$, with $x \leftarrow D^m_\sigma$ we have and more specifically, if $\sigma = \alpha \|c\|$, then The rejection sampling technique ensures that the distribution of the output signature is independent of the signing key, so a valid signature is produced without leaking any useful information about the key.
Concretely, given the distribution $D^m_\sigma$, the signing key $S$ and a message $\mu$, first sample $y \leftarrow D^m_\sigma$, then compute $c = H(y, \mu)$ and $z = Sc + y$; the signature is $(z, c)$. We want $z$ to be distributed as $D^m_\sigma$ rather than $D^m_{Sc,\sigma}$, where $D^m_{Sc,\sigma}$ is $D^m_\sigma$ shifted by the offset vector $Sc$ (which depends on the secret key). Therefore, we select an appropriate constant $M$ and output $z$ with probability $\min(1, D^m_\sigma(z) / (M \cdot D^m_{Sc,\sigma}(z)))$, restarting with a fresh $y$ otherwise, so that the distribution of the accepted $z$ is statistically indistinguishable from $D^m_\sigma$. On average $M$ attempts are needed before a signature is output.

e Syntax of the SCS.
A self-certified signature (SCS) scheme consists of the following algorithms: Setup, KeyGen, Extract, Sign, and Verify. (1) Setup: takes a security parameter $n$ as input and returns the system parameters pp. (2) KeyGen: the CA selects the master private key $s$ and generates its public key $P_{CA}$. (3) Extract: each user $U_i$ first selects a secret value $x_{id}$ and the partial public key $Y_{id}$, then sends $Y_{id}$ to the CA. On receiving the request, the CA extracts the user's partial private key $s_{id}$. The full public key is therefore $(P_{CA}, ID, Y_{id})$ and the full private key is $(x_{id}, s_{id})$.

Security Model.
In this section, we give the security model of the SCS scheme.
An SCS scheme must be secure against two types of adversaries, external and internal, defined as follows.
Type 1 adversary (outsider): a type 1 adversary may learn the secret value of any user by eavesdropping on the public channel or by replacing the user's public key, but does not hold the CA's master private key.
Type 2 adversary (honest-but-curious CA): a type 2 adversary can compute the partial private key of any user but does not know the user's secret value.
Definition 8 (type 1 attack). An SCS scheme is existentially unforgeable against adaptive chosen message type 1 attacks if no polynomially bounded type 1 adversary $\mathcal{A}_1$ wins the following game with nonnegligible advantage.
Setup: the challenger $\mathcal{C}$ takes a security parameter as input and runs the Setup and KeyGen algorithms. It gives the system parameters and the CA's master public key to $\mathcal{A}_1$ and keeps the master secret key to itself.
Queries: $\mathcal{A}_1$ adaptively makes the following queries: (i) Hash queries: given any $M \in \{0,1\}^*$, $\mathcal{C}$ returns the hash value $H(M)$ to $\mathcal{A}_1$.
(ii) Secret key queries: given a user identity $ID \in \{0,1\}^*$, $\mathcal{C}$ returns the user's secret key to $\mathcal{A}_1$. (iii) Partial private key queries: given a user identity $ID$, $\mathcal{C}$ returns the user's partial private key. (iv) Public key queries: given a user identity $ID$, $\mathcal{C}$ returns the user's public key. (v) Public key replacement queries: given a user identity $ID$ and a public key $pk^*$, $\mathcal{C}$ replaces the user's public key with $pk^*$. (vi) Sign queries: given a message $m$, $\mathcal{C}$ returns a signature $\sigma$ on $m$. (vii) Verify queries: given a signature $\sigma$, $\mathcal{C}$ returns the verification result.
Forgery: $\mathcal{A}_1$ outputs a new signature $\sigma^*$ on a message $m^*$ and wins the game if $\sigma^*$ is valid and $\mathcal{A}_1$ has made neither a partial private key query nor a sign query for $m^*$. Definition 9 (type 2 attack). An SCS scheme is existentially unforgeable against adaptive chosen message type 2 attacks if no polynomially bounded type 2 adversary $\mathcal{A}_2$ wins the following game with nonnegligible advantage.
Setup: the challenger $\mathcal{C}$ takes a security parameter as input and runs the Setup and KeyGen algorithms. It gives the system parameters and the CA's master public key to $\mathcal{A}_2$ and keeps the master secret key to itself.
Queries: $\mathcal{A}_2$ adaptively makes the following queries: Forgery: $\mathcal{A}_2$ outputs a new signature $\sigma^*$ on a message $m^*$ and wins the game if $\sigma^*$ is valid and $\mathcal{A}_2$ has made neither a secret key query nor a sign query for $m^*$.
Definition 10 (unforgeability). An SCS scheme is secure if it is existentially unforgeable under adaptive chosen message attacks; that is, the advantages of $\mathcal{A}_1$ and $\mathcal{A}_2$ in forging a valid signature are both negligible.

Our Signature Scheme
Our scheme consists of five algorithms: Setup, KeyGen, Extract, Sign, and Verify.
(1) Setup: given the security parameters $\lambda, n$ and positive integers $q, m, d, k, \kappa, \sigma$, select two secure hash functions $H_1$ and $H_2$. Finally, publish the system parameters $Para = \{\lambda, n, q, m, d, k, \kappa, s, \sigma, H_1, H_2\}$. (2) KeyGen: the KeyGen algorithm is described in Algorithm 1. The CA runs G-TrapGen$(n)$ to obtain its public-private key pair: the master private key is the trapdoor $R$ and the master public key is the matrix $A$.
(3) Extract: the Extract algorithm is described in Algorithm 2. The user's key pair is generated jointly by the user and the CA. User $ID$ first selects the secret key $B_{ID}$ and computes the partial public key $P_{ID}$. The CA generates the partial private key $X_{ID}$ and sends it to the user over a secure channel. The full private key is therefore $(B_{ID}, X_{ID})$ and the full public key is $(A, P_{ID}, ID)$.
(4) Sign: the Sign algorithm is described in Algorithm 3. User ID generates a signature of the message μ using the rejection sampling technique.

Remark 1.
By the rejection sampling technique of Section 2, the signer outputs a signature after an expected $M$ attempts, the distribution of $z$ is statistically close to $D^{2m}_\sigma$, and we have $\Pr[\|z\| \le 2\sigma$
(5) Verify: the Verify algorithm is described in Algorithm 4. The verifier checks the signature $(z, c)$ on the message $\mu$ under identity $ID$.

Correctness.
The correctness of the scheme is as follows. First, $AX_{ID} = U$ and $BB_{ID} = P_{ID}$ (mod $q$), so
$$
\begin{aligned}
& H_2\big(A(X_{ID}c + y_1) + B(B_{ID}c + y_2) - P_{ID}c - Uc,\ \mu\big) \\
&= H_2\big(AX_{ID}c + Ay_1 + BB_{ID}c + By_2 - P_{ID}c - Uc,\ \mu\big) \\
&= H_2\big((AX_{ID} - U + BB_{ID} - P_{ID})c + Ay_1 + By_2,\ \mu\big) \\
&= H_2\big(Ay_1 + By_2,\ \mu\big),
\end{aligned}
$$
which is exactly the value $c$ computed by the signer, so a correctly generated signature passes verification. This completes the proof.
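As an added example (it is not code from the paper, and it does not reproduce Algorithms 1-4), the Python block below instantiates the sign/verify algebra of the correctness argument above together with the rejection sampling step described in Section 2, on toy parameters. It replaces the trapdoor extraction (G-TrapGen and SampleMAT) by choosing $X_{ID}$ directly and setting $U := AX_{ID} \bmod q$; the real scheme derives $U = H_1(A, P_{ID}, ID)$ and samples $X_{ID}$ as a trapdoor preimage of $U$. The concrete sizes, $\sigma$, $M$, the SHA-256-based encoding of $H_2$ into $\{-1,0,1\}^k$ with $\|c\|_1 \le \kappa$, and the verification bound $\|z\| \le 2\sigma\sqrt{2m}$ are all assumptions made for the demonstration. The function `mean_first_coord` makes the point of the rejection sampling discussion measurable: with rejection the accepted $z$ have mean near 0 regardless of the shift $Sc$; without it they lean toward $Sc$.

```python
"""Toy instance of the sign/verify algebra with rejection sampling.
Added example, not the paper's Algorithms 1-4; all parameters are toy
assumptions. The trapdoor step (G-TrapGen / SampleMAT) is replaced by picking
X_ID directly and setting U := A X_ID mod q, which suffices to exercise the
verification identity; the real scheme hashes U = H_1(A, P_ID, ID) and
samples X_ID as a trapdoor preimage of U. H_2 is assumed to be SHA-256-based."""
import hashlib
import math
import random

q, n, m, k, kappa, d = 257, 4, 8, 16, 6, 1   # toy sizes (assumptions)
SIGMA = 40.0   # Gaussian parameter sigma for y_1, y_2 (assumption)
M_REJ = 12.0   # rejection constant M; expected number of signing attempts

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def mat_vec(mat, v):
    """Row-major matrix times vector over Z (caller reduces mod q)."""
    return [dot(row, v) for row in mat]

def mat_mul(P, Q, mod):
    return [[sum(P[i][l] * Q[l][j] for l in range(len(Q))) % mod
             for j in range(len(Q[0]))] for i in range(len(P))]

def sample_gaussian(rng, sigma, tau=12):
    """One sample from D_{Z,sigma} by rejection from a uniform proposal on
    [-tau*sigma, tau*sigma]. Demonstration only: not constant-time."""
    bound = int(math.ceil(tau * sigma))
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2.0 * sigma * sigma)):
            return x

def accept_prob(z, shift, sigma, M):
    """min(1, D_sigma(z) / (M * D_{shift,sigma}(z))). Both Gaussians share one
    normaliser over Z^m, so the ratio is exp((|Sc|^2 - 2<z,Sc>) / (2 sigma^2))."""
    log_p = (dot(shift, shift) - 2 * dot(z, shift)) / (2.0 * sigma * sigma) - math.log(M)
    return 1.0 if log_p >= 0 else math.exp(log_p)

def rejection_sample(rng, shift, sigma, M, max_tries=1000):
    """z = shift + y with y <- D^m_sigma, kept with accept_prob; accepted z
    follow D^m_sigma and are independent of shift (the secret-dependent Sc)."""
    for _ in range(max_tries):
        z = [s + sample_gaussian(rng, sigma) for s in shift]
        if rng.random() < accept_prob(z, shift, sigma, M):
            return z
    raise RuntimeError("rejection sampling did not terminate")

def mean_first_coord(shift, sigma, M, n_samples, seed=3, reject=True):
    """Empirical mean of z[0]: near 0 with rejection, near shift[0] without."""
    rng = random.Random(seed)
    total = 0
    for _ in range(n_samples):
        z = (rejection_sample(rng, shift, sigma, M) if reject
             else [s + sample_gaussian(rng, sigma) for s in shift])
        total += z[0]
    return total / n_samples

def hash_to_c(w, mu):
    """H_2: (w, mu) -> c in {-1,0,1}^k with ||c||_1 <= kappa (assumed encoding)."""
    digest = hashlib.sha256(repr((list(w), mu)).encode()).digest()
    c, weight = [], 0
    for b in digest[:k]:
        v = (b % 3) - 1 if weight < kappa else 0
        weight += abs(v)
        c.append(v)
    return c

def toy_keys(seed=1):
    """Public (A, B, U, P_ID) and private (X_ID, B_ID) for one user."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    B = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    X = [[rng.randint(-d, d) for _ in range(k)] for _ in range(m)]     # X_ID
    B_id = [[rng.randint(-d, d) for _ in range(k)] for _ in range(m)]  # B_ID
    U = mat_mul(A, X, q)     # plays the role of H_1(A, P_ID, ID) (see docstring)
    P = mat_mul(B, B_id, q)  # partial public key P_ID = B B_ID
    return {"A": A, "B": B, "U": U, "P": P}, {"X": X, "B_id": B_id}

def sign(pub, priv, mu, seed=2, max_tries=1000):
    rng = random.Random(seed)
    for _ in range(max_tries):
        y1 = [sample_gaussian(rng, SIGMA) for _ in range(m)]
        y2 = [sample_gaussian(rng, SIGMA) for _ in range(m)]
        w = [(a + b) % q for a, b in zip(mat_vec(pub["A"], y1), mat_vec(pub["B"], y2))]
        c = hash_to_c(w, mu)
        sc = mat_vec(priv["X"], c) + mat_vec(priv["B_id"], c)  # S c = [X_ID c ; B_ID c]
        z = [s + y for s, y in zip(sc, y1 + y2)]               # z = [z_1 ; z_2] = S c + y
        if rng.random() < accept_prob(z, sc, SIGMA, M_REJ):
            return z, c
    raise RuntimeError("signing did not terminate")

def verify(pub, mu, sig):
    z, c = sig
    if dot(z, z) > (2 * SIGMA) ** 2 * (2 * m):   # ||z|| <= 2 sigma sqrt(2m), assumed bound
        return False
    z1, z2 = z[:m], z[m:]
    # A z_1 + B z_2 - P_ID c - U c = A y_1 + B y_2 (mod q) because A X_ID = U, B B_ID = P_ID
    w = [(a + b - p - u) % q for a, b, p, u in zip(
        mat_vec(pub["A"], z1), mat_vec(pub["B"], z2),
        mat_vec(pub["P"], c), mat_vec(pub["U"], c))]
    return hash_to_c(w, mu) == c
```

`verify` recomputes $w = Az_1 + Bz_2 - P_{ID}c - Uc \bmod q$ and checks $H_2(w, \mu) = c$, which is exactly the identity derived above; a tampered message or a tampered $z$ changes $w$ and so fails the check. The discrete Gaussian sampler is rejection-based and variable-time, which is fine for a demonstration but would leak timing information about $y$ in a deployed signer.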

Security Analysis.
Our scheme is existentially unforgeable under adaptive chosen message attacks in the random oracle model. Proof. Assume a type 1 adversary $\mathcal{A}$ breaks the scheme with nonnegligible probability. Then we construct a polynomial-time challenger $\mathcal{C}$ that runs $\mathcal{A}$ as a subroutine to solve the $\mathrm{SIS}_{n,m,q,\beta}$ problem with nonnegligible probability; that is, $\mathcal{C}$ wins Game 1. Game 1 setup: on input the security parameter $n$, $\mathcal{C}$ runs Setup and KeyGen to obtain $Para = \{\lambda, n, q, m, d, k, \kappa, s, \sigma, H_1, H_2\}$ and $(A, R)$. Then $\mathcal{C}$ publishes $Para$ and $A$ and keeps $R$ secret. $\mathcal{C}$ maintains five initially empty lists. List 0 holds $(ID_i, P_{ID}, U = H_1(A, P_{ID}, ID_i))$, where $ID_i$ is a user identity and $P_{ID}$ the partial public key. List 1 holds $(ID_i, B_{ID}, P_{ID}, U)$, where $B_{ID}$ is the secret key. List 2 holds $(ID_i, B_{ID}, P_{ID}, U, X)$, where $X$ is the partial private key. List 3 holds $(\mu, y_1, y_2, c = H_2(\cdot))$, where $y_1, y_2$ are two random vectors. List 4 holds $(ID_i, \mu, (z, c))$, where $(z, c)$ is a signature.
Queries: $\mathcal{A}$ adaptively issues queries to $\mathcal{C}$: (i) $H_1$ queries: $\mathcal{A}$ sends a user identity $ID_i$; $\mathcal{C}$ proceeds as follows. (1) Look up $ID_i$ in List 0; if found, return the recorded hash value $U$. (2) Otherwise, choose a uniformly random matrix $U \in \mathbb{Z}_q^{n \times k}$ and return it; then choose a matrix $P_{ID} \in \mathbb{Z}_q^{n \times k}$ and add $(ID_i, P_{ID}, U)$ to List 0. (ii) $H_2$ queries: $\mathcal{A}$ sends a message $\mu$; $\mathcal{C}$ proceeds as follows. (1) Look up $\mu$ in List 3; if found, return the recorded hash value $c$. (2) Otherwise, choose a random $c$ from $\{c \in \{-1, 0, 1\}^k : \|c\|_1 \le \kappa\}$ and return it; then sample $y_1, y_2 \leftarrow D^m_\sigma$ and add $(\mu, y_1, y_2, c)$ to List 3.
(iii) Secret matrix queries: $\mathcal{A}$ sends an identity $ID_i$; $\mathcal{C}$ proceeds as follows. (1) Look up $ID_i$ in List 1; if found, return the recorded secret matrix $B_{ID}$. (2) Otherwise, choose a matrix $B_{ID} \in \{-d, \dots, 0, \dots, d\}^{m \times k}$ and return it; then compute $P_{ID} = BB_{ID}$ and $U = H_1(A, P_{ID}, ID_i)$ and add $(ID_i, B_{ID}, P_{ID}, U)$ to List 1.
(iv) Partial private key queries: $\mathcal{A}$ sends $ID_i$; $\mathcal{C}$ proceeds as follows. (1) Look up $ID_i$ in List 2; if found, return the recorded partial private key $X$. (2) Otherwise, issue a secret matrix query to obtain $(B_{ID}, P_{ID}, U)$ and run SampleMAT$(A, R, s, U)$ to obtain a matrix $X \in \mathbb{Z}^{m \times k}$ as the partial private key. (3) Return $X$ and add $(ID_i, B_{ID}, P_{ID}, U, X)$ to List 2.
(v) Public key replacement queries: $\mathcal{A}$ sends $ID_i$ and a public key $P^*_{ID}$, asking that the user's public key be replaced. $\mathcal{C}$ replaces the public key of $ID_i$ with $P^*_{ID}$ and records the replacement.

Security and Communication Networks 5
(vi) Sign queries: $\mathcal{A}$ sends a message $\mu$, an identity $ID_i$, and a secret matrix $B_{ID}$; $\mathcal{C}$ proceeds as follows. (1) Look up $(ID_i, \mu)$ in List 4; if found, return the recorded signature. (2) Otherwise, issue a partial private key query to obtain the signing key $(X, B_{ID})$, issue an $H_2$ query to obtain $c$ together with $y_1, y_2$, and compute $z_1 = Xc + y_1$ and $z_2 = B_{ID}c + y_2$. (3) Return the signature $(z, c)$ with $z = [z_1^t, z_2^t]^t$ and add $(ID_i, \mu, (z, c))$ to List 4.
Forgery: after polynomially many queries, $\mathcal{A}$ outputs a forgery $(z^*, c^*)$ on a message $\mu^*$ for $ID_i$ with nonnegligible probability. $\mathcal{A}$ wins the game if the signature passes verification and neither a partial private key query nor a sign query for $\mu^*$ was made during the game.
Algorithm 1 (KeyGen): (1) Output $(A, R) \leftarrow$ G-TrapGen$(n)$, where $A \in \mathbb{Z}_q^{n \times m}$ is the master public key and $R \in \mathbb{Z}^{2n \times n \log q}$ is the master private key. (2) Choose a uniformly random matrix $B \in \mathbb{Z}_q^{n \times m}$.
multiplication, and a general hash function operation. Although our scheme has higher computational costs, being lattice-based it provides more robust security.
As shown in Table 2, we compare the storage overheads. For the key size, we use the improved trapdoor generation algorithm of [32], which reduces the dimension of the trapdoor compared with GPV [30]. For the signature length, Gaussian sampling is used only in the key extraction phase, while the signature generation phase uses rejection sampling, which keeps signatures short. Moreover, by Lemma 2 of [14], if a key $x$ follows a discrete Gaussian distribution with parameter $s$ such that $\|x\| \le s\sqrt{m}$, then $x$ can be encoded in at most $m \log_2 s$ bits.
Table 3 compares the security properties. According to the tables, the schemes of Li et al. [10] and Tahat et al. [35] are more efficient than the lattice-based SCS schemes, where $|G| = 320$ bits and $|G_1| = 1024$ bits. However, they are not secure against quantum attacks, because their security rests on pairings or the elliptic curve discrete logarithm problem (ECDLP). The scheme of Li et al. [8] is the first SCS scheme over lattices; it has shorter keys and signatures because it uses the NTRU lattice, but it lacks provable security. Our scheme is built on standard lattices, so its key size and signature length are larger than those of Li et al.'s scheme, but it is provably secure in the ROM under the SIS assumption. Therefore, our scheme offers security against quantum adversaries that the earlier schemes do not.

Conclusion and Further Work
In this paper, we propose a self-certified signature scheme over standard lattices that authenticates the message together with the user's public key and identity without additional certificates. It thereby avoids the key escrow problem and public key replacement attacks while resisting quantum attacks. Under the SIS assumption, the scheme is provably secure in the random oracle model. Compared with previous self-certified signature schemes, ours is the first to combine provable security with resistance to quantum attacks.
Future work: a proof in the standard model gives a stronger guarantee than one in the random oracle model, so our next step is to convert the scheme into an SCS scheme that is secure in the standard model. The efficiency of the scheme can also be improved further.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.