Generic Construction of Forward-Secure Revocable Identity-Based Signature and Lattice-Based Instantiations



Introduction
In 1984, Adi [1] first introduced an identity-based mechanism. The core idea is to use the user's identity as the public key for encryption or as the public key for verifying signatures, and [1] gave the first identity-based signature (IBS). Compared with PKI, it does not need to issue public key certificates or perform the other related complex steps, which improves efficiency. However, it was not until 2001 that Boneh [2] proposed an identity-based encryption scheme for the first time. Boneh's [2] revocable mechanism has huge computational overhead. To reduce the runtime of revocable user computations, Ge and Wei [3] proposed a binary tree method in 2008 with only a logarithmic increase in computational cost. However, it cannot resist key exposure attacks.
In 2013, Seo and Emura [4] proposed a stronger definition and security model of RIBE (revocable identity-based encryption), which can resist decryption key exposure attacks. In 2014, they [5] also gave a new security definition of the RIBS (revocable identity-based signature) scheme that can resist signing key exposure attacks and introduced a scalable RIBS scheme. In 2013, Tsai et al. [6] proposed a bilinear pairing-based RIBS scheme under the standard model. All RIBS schemes before Tsai were constructed in the random oracle model. All subsequent RIBS schemes [7,8] refer to Tsai's security model and definition, where scheme [8] achieves SU-CMA security under the standard model. However, the previous RIBS schemes cannot guarantee both efficient revocation and strong unforgeability simultaneously. In 2016, Liu et al. [9] proposed a strongly unforgeable RIBS scheme that solves the above problems in the standard model. However, these RIBS schemes [6][7][8] cannot resist signing key exposure attacks. In 2018, Yang et al. [10] performed some optimizations based on [8]. Zhao et al. [11] also proposed an efficient communication scheme based on multi-linear mapping in 2019. With the imminent advent of quantum computers, the need for cryptographic schemes that resist quantum attacks is increasingly urgent. In 2015, Xiang [12] introduced the first lattice-based RIBS scheme using a complete subtree structure, which can prevent signing key exposure but requires a secret channel. In 2020, Xie et al. [13] proposed a RIBS scheme under the standard model on lattices. Later in the same year, Xie et al. [14] proposed a scheme that can resist the exposure of the signing key. As recently as 2022, Xie et al. [15] proposed a fully homomorphic RIBS (RIBFHS) scheme, which is homomorphic and is the first RIBFHS scheme that considers signing key exposure on lattices. However, its security is only sID-EU-CMA, and forward security cannot be guaranteed.
Furthermore, forward security has also become a hot research topic. Its original intention is to ensure that, after the private key of the current period is leaked, the adversary can neither decrypt ciphertexts of the user's previous periods nor forge signatures of previous periods. At present, few works study the forward security of revocable signatures; only Wei et al. [16] studied the forward security of revocable IBS. However, the security of their construction is based on traditional hard problems and cannot resist quantum attacks. Qin et al. [17] proposed a generic construction of revocable forward-secure encryption in 2021. Its main idea combines a node selection algorithm with hierarchical identity-based encryption. As far as we know, there is no revocable forward-secure identity-based signature scheme on lattices. So, in this work, we propose a generic method to construct a forward-secure revocable identity-based signature (FS-RIBS) and introduce two methods to improve its verification efficiency.

Our Contributions.
This article is mainly inspired by Qin et al.'s work [17]. In this work, we study FS-RIBS and its instantiations on lattices. In an FS-RIBS system (see Figure 1), we split each user's private key into two parts: the first part is the secret key held by the user for a long time, and the second part is the signing key that is only available to sign messages within time period t. Any user's "long-term" secret key (this long-term secret key is not immutable; it evolves once in each time period) is also closely related to the time period and will change with the time period, while the verification key does not change. At the start of every time period, KGC publishes the update key on the public channel to ensure that users who have not been revoked can sign normally.
(i) Firstly, we introduce the formal definition and security model for the FS-RIBS system. The system captures signing key exposure resistance, forward security, and user revocation.
(ii) Secondly, we give a generic construction of the FS-RIBS scheme. A forward-secure RIBS scheme is built on a hierarchical IBS (HIBS) scheme and a standard IBS scheme. The HIBS scheme is used to obtain the signing key of the user's initial time period, and this initial signing key can derive the signing keys of the following time periods. Then, a time-based update key is generated through IBS and a complete binary tree.
(iii) Thirdly, we make two further improvements to our proposed generic construction; although they increase the signature overhead somewhat, both improvements greatly improve the efficiency of verifying signatures and have tight security.
(iv) Finally, an instance of our generic construction on lattices is given, which is secure against signing key exposure (SKE) attacks, is forward secure, and has scalability, as in the generic construction. We also present a comparison of our instance with other related RIBS schemes, including classical and recent schemes, both bilinear map-based and lattice-based.

[3] introduced a structure that can reduce the size of the update key, bringing the update key size down to O(R log(N/R)). Subsequently, some works [6,8] proposed new RIBS schemes. In 2014, Seo and Emura [5] proposed a new security model of RIBS, which can resist signing key exposure attacks, and introduced a scalable RIBS scheme. All the following works [17,18] are based on improving the security model of scheme [5], either increasing security or improving efficiency. In 2017, Wei et al. [16] proposed a scheme that can resist the exposure of signing keys and ensure forward security. However, none of the above solutions is resistant to quantum attacks.
To resist quantum attacks, Xiang [12] proposed a lattice-based RIBS scheme in 2015, but its revocation operation requires a secure channel. Subsequently, Wei et al. [16] introduced a RIBS scheme based on the NTRU lattice in which the update key can be published on the open channel. In the following years, Xie et al. [13][14][15] proposed several RIBS schemes. These schemes all improve the security of the scheme in some respects. However, none of the above schemes can guarantee forward security. For now, there is no lattice-based RIBS scheme that can guarantee forward security and resist signing key exposure attacks.

[24] further proposed an efficient forward-secure algorithm on lattices, which has stronger security. But it has no revocation mechanism and cannot resist key exposure attacks. To the best of our knowledge, Wei et al. [16] first studied FS-RIBS and gave a construction. But it is not resistant to quantum attacks. Qin et al. [17] proposed a generic construction of revocable forward-secure encryption in 2021. Its main idea combines a node selection algorithm with hierarchical identity-based encryption.

Preliminary
Notations. We use "U|V" to represent the concatenation of two elements U and V, which can be binary strings, matrices, etc. We use "t" to represent a time period in binary form. We denote sets with capital italics, e.g., U and V. The security parameter is λ. mpk denotes the master public key, and msk denotes the master secret key. The revocation list is represented by RL. A complete binary tree is represented by BT.

The Algorithm of Node Selection.
In order to prevent the time complexity of revoking users from increasing linearly, our revocation scheme adopts a node selection algorithm. The core idea of the algorithm is to use a complete binary tree to find the fewest nodes required to cover all non-revoked users. In this tree, each leaf node has a one-to-one correspondence with an identity. The set of all nodes on the path from the leaf node of the user ID to the root node is represented by Path(ID). x_l and x_r are used to represent the left and right child nodes of node x. The algorithm KUN(BT, RL, t) takes as input RL, a binary tree BT, and a time period t. The algorithm has the following four steps: (1) Let sets U and V be empty sets. Figure 2 shows the case where no user has been revoked, and Figure 3 shows the case where the user with ID = 3 has been revoked.
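The following is an added worked example of the node selection algorithm KUN(BT, RL, t) over a complete binary tree; it is not code from the paper. Since the page lists only step (1) of KUN, the remaining steps are filled in with the standard complete-subtree method (an assumption): mark Path(ID) of every revoked user in U, then collect in V every child of a marked node that is not itself marked, and cover everything with the root when nobody is revoked. Heap-style node numbering (root = 1, x_l = 2x, x_r = 2x + 1) and the revocation-time semantics of RL are also assumptions.

```python
# Complete-subtree node selection KUN(BT, RL, t) (added illustration).
# Tree of depth `depth` has N = 2**depth leaves; identity ID (0..N-1) sits
# at leaf 2**depth + ID. Children of node x are x_l = 2x and x_r = 2x + 1.

def leaf_of(identity, depth):
    """Leaf node holding identity ID (one leaf per identity)."""
    return (1 << depth) + identity

def path(identity, depth):
    """Path(ID): all nodes from the leaf of ID up to the root."""
    nodes, x = [], leaf_of(identity, depth)
    while x >= 1:
        nodes.append(x)
        x //= 2
    return nodes

def kun(depth, revoked, t):
    """Return the cover set V: the fewest nodes whose subtrees contain
    exactly the non-revoked leaves. `revoked` maps ID -> revocation time;
    a user counts as revoked at t if that time is <= t (assumption)."""
    u, v = set(), set()                      # step (1): U and V empty
    for identity, t_rev in revoked.items():  # step (2): mark revoked paths
        if t_rev <= t:
            u.update(path(identity, depth))
    top = 1 << (depth + 1)                   # first index past the leaves
    for x in u:                              # step (3): unmarked children
        for child in (2 * x, 2 * x + 1):
            if child < top and child not in u:
                v.add(child)
    if not u:                                # step (4): nobody revoked
        v.add(1)                             # the root covers every leaf
    return v

def covering_node(identity, depth, cover):
    """The node x* in Path(ID) that lies in the cover set, or None when ID
    is revoked. A correct cover hits each non-revoked path exactly once,
    which is what lets a user pick the single update-key share L_{x*}."""
    hits = [x for x in path(identity, depth) if x in cover]
    assert len(hits) <= 1, "cover must not contain two ancestors of a leaf"
    return hits[0] if hits else None

if __name__ == "__main__":
    # Constructed sample: depth 3 (8 users), user ID = 3 revoked at period 1.
    print(kun(3, {}, 1))          # nobody revoked -> {1}
    print(kun(3, {3: 1}, 1))      # ID 3 revoked  -> {3, 4, 10}
    print(covering_node(3, 3, kun(3, {3: 1}, 1)))  # None: revoked
    print(covering_node(2, 3, kun(3, {3: 1}, 1)))  # 10: sibling leaf
```

With eight users the cover after revoking ID = 3 is three nodes instead of seven leaves, and the cover size grows as O(R log(N/R)) rather than linearly in the number of non-revoked users.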

Definition of (H)IBS.
In this section, we introduce the formal definition of (H)IBS constructions. First, we give the definition of IBS, which can easily be extended to HIBS. There are 4 PPT algorithms in an IBS system. Essentially, the HIBS scheme has only one more feature than the IBS scheme, namely hierarchy: the user of a parent node can derive the key of the user of its child node, but the user of a leaf node cannot derive the key of its parent node. In the IBS scheme, by contrast, there is no connection between users. So, we just need to add a Derive algorithm to the IBS scheme. Let the maximum depth of our HIBS system be d; take a user ID = (ID_1, ..., ID_k) with signing private key usk_ID, where k ≤ d. The Derive algorithm takes ID and usk_ID as input and obtains the key usk_{ID|r} of the next level of the hierarchy, where r is 0 or 1. Through iteration, the user ID can get the keys of all users whose depth is at most d and whose identity is prefixed with ID. When d = 1, it is the IBS scheme.
Next, we give the security model of the (H)IBS scheme. Strong unforgeability under adaptive chosen message attack (SU-CMA) is the security required of our HIBS and IBS schemes. We set the maximum hierarchy depth of our HIBS scheme to d (IBS is the case d = 1). It is formally defined by the following game between adversary A and challenger C.
(1) Setup: C gets (mpk, msk) by running Setup(λ, l_id, d) and sends mpk to adversary A.
(2) Phase 1: A adaptively makes a polynomial number of the following queries:
(i) Create key: for any identity ID_{|1} = (ID_1) at depth 1, the challenger runs usk_{ID_{|1}} ← Extract(mpk, msk, ID_1). It adds (ID_{|1}, 1, usk_{ID_{|1}}) to a key list KL.
(ii) Secret key: A can query a secret key for an identity ID_{|k} = (ID_1, ..., ID_k) where k ≤ d. C first checks whether the key list has a secret key usk_{ID_{|i}} for an identity ID_{|i} that is a prefix of identity ID_{|k}. If so, C runs usk_{ID_{|k}} ← Derive(usk_{ID_{|i}}, ID_{|k}) and returns the secret key usk_{ID_{|k}} to A. If there is no such tuple, C returns ⊥. If i = k, C sends usk_{ID_{|i}} to A.
(iii) Signature query: A can adaptively query C for a polynomial number of signatures. The identities and messages of these signatures are arbitrary. Here, suppose A queries q times, the message set is M_1, ..., M_q, and the identity set is . . , q, whose i-th element refers to the i-th identity. C calculates the signatures of these messages by and returns the set to A.
(4) Forgery: the adversary A forges a signature σ^{M*}_{ID*} on M*. A succeeds if the following three conditions hold: (2) Neither ID* nor any of its prefixes was queried during the secret key query phase.
[Figures 2 and 3: complete binary tree BT with root and nodes x_1 to x_14.]
Multi-Identity Security. In the forgery stage, multiple identities can be submitted, and as long as one of them verifies successfully, the adversary wins. We assume there are n identities. By a hybrid argument, we can prove that the advantage of A in successfully forging a signature is no more than n · Adv^{SU-CMA}_{(H)IBS,A}(λ).

Attacker Model.
We refer to [25][26][27] and specify the capabilities the attacker is allowed to have in our scheme, combined with the actual situation. Attackers are divided into two different types: (1) A T1 adversary is able to query sk^{(t)}_{ID*} of ID* within a time period t ≤ t*. Thus, the user ID* must have been revoked before time period t*.
(2) A T2 adversary does not make the above query. However, it is allowed to query a signing key within any t ≠ t* and can query the secret key of ID* after time period t*.
Both adversaries are allowed to obtain all public parameters of the system.

Security Definition of FS-RIBS Scheme.
Next, we give a security definition of FS-RIBS, which is resistant to signing key exposure and can guarantee forward security. The FS-RIBS scheme is SU-CMA secure.

Definition 2. (SU-CMA). The SU-CMA security of FS-RIBS
is defined by the following experiment played between a challenger C and a PPT adversary A.
(1) Setup: C gets mpk, msk, RL, and a state ST by running Setup(λ, l_id, l_time). C sends mpk to A. Then, A sends C the challenge identity ID* and the challenge time period t*.
(2) Query phase: A is allowed to make adaptive polynomial queries to C as follows:
(i) Create key query: if A queries the identity ID ∈ {0,1}^{l_id} and creates a key in time period t ∈ {0,1}^{l_time}, C first judges whether t is the initial time period of the ID. If C finds this to be the case, it gets an initial secret key sk^{(t)}_{ID} by running KeyGen(mpk, msk, ID, ST). Next, it adds the triple (ID, t, sk^{(t)}_{ID}) to the secret key list SKL. Otherwise, C checks in SKL whether there exists a triple (ID, sk^{(t')}_{ID}, t') satisfying t' < t. If this is the case, it iteratively runs SKEval and returns the set to A.
The above query has the following restrictions: (i) A cannot query the signing key of ID* within time period t*. (ii) A can query the secret key of ID* in a time period t < t*, provided that ID* is revoked before time period t*. (iii) If the identity ID_i is not a non-revoked user within time period t_i, return σ

In the construction, the signing key of each user is related to a discrete time period. Specifically, it is necessary to concatenate a certain time period T after each user ID, where t ∈ T = {0, 1, ..., 2^{l_time} − 1} is written in binary. In other words, when generating the signing key, the ID is concatenated with a certain time period T as the input identity, which leads to each user ID having different signing keys in different time periods, and this ensures forward security. More specifically, a time period can be represented by the l_time-bit integer t = E_1 E_2 ... E_{l_time} ∈ {0,1}^{l_time}, arranged from the top of the tree to the bottom. For t ∈ T, a set of l_time + 1 identities is represented by J_t = {J_{t,1}, J_{t,2}, ..., J_{t,l_time+1}}, and each J_{t,c} is treated as an identity vector. For c = 1, ..., l_time + 1:
(iv) uk_t ← SKUpdate(mpk, msk, ST, RL, t): for t ∈ {0,1}^{l_time}, this algorithm first runs the node selection algorithm to get the cover set KUN(BT, RL, t). Then, for every x ∈ KUN(BT, RL, t), it runs IBS.Extract(mpk_2, msk_2, t|v_x) to get the key L_x corresponding to identity t|v_x. Finally, it outputs the update key set uk_t = (t, {L_x}_{x ∈ KUN(BT,RL,t)}).
(v) sk_{ID,t} ← SKGen(sk^{(t)}_{ID}, uk_t): suppose that a user's uk_t = (t, {L_x}_{x ∈ KUN(BT,RL,t)}) and sk^{(t)}_{ID} = (t, (K_{t,1}, ..., K_{t,l_time+1})). Suppose that ID is a non-

Correctness. The correctness of Con.1 (Construction 1) is determined by the correctness of the underlying HIBS and IBS schemes. Suppose that identity ID is a non-revoked user within time period t; in the IBS scheme, the signing key corresponding to t|v_{x*} is L_{x*}, and K_{t,l_time+1} is the signing key corresponding to ID|J_{t,l_time+1} in the HIBS scheme. The two signing algorithms IBS.Sign and HIBS.Sign can correctly sign the message M. We correctly obtain σ_{ID,t} from HIBS.Sign(K_{t,l_time+1}, M) and IBS.Sign(L_{x*}, t|v_{x*}, M). Then, compute V_1 ← HIBS.Verify(mpk_1, M, t, ID|J_{t,l_time+1}, σ_1) and V_{2,x} ← IBS.Verify(mpk_2, M, (t|v_x, σ_2)) for each node x ∈ Path(ID). There always exists a V_2 ∈ {V_{2,x}} such that V_1 × V_2 = 1 holds.
Security. The SU-CMA security of Con.1 is determined by the SU-CMA security of the underlying HIBS scheme and IBS scheme. Specifically, it is ensured by Theorem 1. Outline of Proof. First, we emphasize the core idea of the security proof and then give a rigorous security reduction. For this proof, adversaries are classified into the two types described in Section 3.2. A T2 adversary is designed to break Con.1's forward security. For a T1 adversary, we build an emulator that stores the master secret key of the underlying HIBS scheme and reduces the SU-CMA security of the FS-RIBS scheme to the SU-CMA security of the underlying IBS scheme. For a T2 adversary, the emulator holds the master secret key of the underlying IBS scheme and reduces the SU-CMA security of the FS-RIBS scheme to the SU-CMA security of the underlying HIBS scheme.
Proof. Let adversary A break the SU-CMA security of the FS-RIBS scheme; then we build a PPT emulator E that breaks the SU-CMA security of the underlying IBS scheme or HIBS scheme. The emulator works in two steps: first, it samples a random bit b. Second, if b = 0, E regards A as a T1 adversary, else as a T2 adversary. So, E guesses the adversary's type correctly with probability 1/2.
(i) For a T1 adversary, E is given mpk_2 of the underlying IBS scheme. It emulates the process as follows: (1) Setup: it produces the master key pair (mpk_1, msk_1) of the underlying HIBS scheme. E initializes RL and BT. It sends mpk_1 and mpk_2 to A. Then, A sends a challenge identity ID* and a challenge time period t* to E.
is a non-revoked user within time period t_i, respectively. Finally, it returns σ The instantiation details of the other schemes ("Con.2+ [28]" and "Con.3+ [28,29]") are similar to the above schemes and will not be repeated.

Comparison.
We mainly compare security and storage overhead through two tables. We compare the security of our six schemes ("Con.1+ [28,29]," "Con.2+ [28]," "Con.3+ [28,29]," "Con.1+ [30,31]," "Con.2+ [30]," and "Con.3+ [30,31]") with other RIBS schemes in Table 1, in terms of whether a scheme has forward security (FS), whether it is signing key exposure resistant (SKER), whether it is proven under the standard model or the random oracle model (SD/RO), whether it achieves existential unforgeability or strong unforgeability (SU/EU), whether it is resistant to quantum attacks (RQA), whether it is adaptive or not, and which difficult problems (DPs) the schemes are based on. We list in Table 2 the space cost of our six schemes and other RIBS schemes in terms of mpk (|mpk|), sk_ID (|sk_ID|), uk_t (|uk_t|), and signature (|S|). In Table 2, the binary string length of the message is l, T is the maximum number of time periods, and L = R log(N/R). ° means that the complexity of the following scheme must be multiplied by the vector or matrix after °.

Conclusion and Future Work
This paper introduced a generic method to construct forward-secure revocable identity-based signatures and two methods to improve their verification efficiency. In addition, the paper instantiated the generic construction from various lattice-based (H)IBS schemes and obtained the first lattice-based FS-RIBS schemes. In the future, we will try to optimize the underlying HIBS or IBS scheme to improve its practicality.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.