Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice
Abstract
:1. Introduction
- To simplify the key management and resistance to quantum attacks, we propose a post-quantum secure identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice using a matrix cascade technique and lattice cryptosystem. In the proposed ID-Proxy-BS scheme on a lattice, we cascade user identity and the master public key to construct the public key of the lattice signature and generate random parameters through a bimodal Gaussian distribution and rejection sampling algorithm. The ID-Proxy-BS scheme has better security.
- Under the ROM, the security of the ID-Proxy-BS scheme on a lattice is proved under the assumption of the small integer solution (SIS) problem.
- To achieve efficient e-voting, we apply the ID-Proxy-BS scheme on a lattice to e-voting and design a quantum-resistant proxy e-voting system. The system achieves multi-regional e-voting and ensures the anonymity of ballot content in e-voting.
2. Preliminaries
2.1. Lattice Theory
2.2. Statistical Distance
2.3. Gaussian Distribution
2.4. Trapdoor Generation and Preimage Sampling Algorithm
3. Security Model
3.1. Blindness
3.2. Unforgeability
4. Identity-Based Proxy Blind Signature Model
- : It inputs security parameters and generates system parameters;
- : It inputs system parameters, public keys of O-signer and P-signer, and generates private keys of O-signer and P-signer;
- : It inputs system parameters, O-signer’s key pair, and P-signer’s public key, and generates a proxy key;
- : It inputs system parameters, message, and P-signer’s private key and proxy key, and the algorithm generates a blind signature of the message;
- : It inputs a message and its corresponding blind signature; the algorithm verifies that the signature is valid. If it is, the signature is accepted; otherwise, the signature is rejected.
5. Identity-Based Proxy Blind Signature (ID-Proxy-BS) Scheme on a Lattice
5.1. Setup
- (1)
- Parameter setting: denotes the security parameters, , , , .
- (2)
- Hash function settings: , .
- (3)
- KGC runs to generate and a basis of lattice , where .
- (4)
- The public parameter is set to ; the master private key is .
5.2. KeyGen
5.3. ProxyDelegation
- (1)
- After O-signer determines the object for P-signer to authorize, O-signer generates an authorization certificate and publishes it.
- (2)
- O-signer runs the algorithm , where . O-signer will send authorization information to P-signer.
5.4. ProxyKeyGen
- (1)
- After P-signer receives , it verifies that the equation holds. If the equality holds, P-signer accepts the authorization; otherwise, O-signer re-authorizes.
- (2)
- If Equation (1) holds, P-signer runs to generate a proxy key such that and .
5.5. Proxy-BS
5.5.1. Blinding
- (1)
- U randomly selects two blinding factors , .
- (2)
- U calculates , .
- (3)
- U selects a bit .
- (4)
- U computes the blinded message , .
- (5)
- U sends blind message to P-signer.
5.5.2. Proxy Blind Signature
- (1)
- P-signer uses the random vector selected when generating the commitment for the user , .
- (2)
- P-signer calculates the signature , of the blind message .
- (3)
- P-signer returns the blind signature to U.
5.5.3. Unblinding
- (1)
- U uses the blinding factor , selected in the blinding message phase.
- (2)
- U calculates the signature , of the original message m.
5.6. Signature Verification
- (1)
- , (where , , ).
- (2)
- , .
- (3)
- .
- (4)
- .
6. Performance Analysis
6.1. Correctness
- (1)
- The Verifier verifies that equation holds:
- (2)
- The Verifier verifies that equation holds:
6.2. Blindness
- The distribution of . The interaction of adversary S with and , respectively, generates and . The statistical distance of and is . Since and it is output with probability , and have the same distribution through the rejection sampling algorithm. The statistical distance satisfies , and they are independent of the signed messages, so the adversary S cannot distinguish them.
- The distribution of e. Similar to because and have the same distribution through the rejection sampling algorithm. Their statistical distance satisfies and they are independent of signed messages, so the adversary S cannot distinguish them. The final P-signer cannot associate the message with the signatures and .
6.3. Unforgeability
6.4. Efficiency Analysis
7. A Quantum-Resistant Proxy E-Voting System
7.1. Basic Requirements for E-Voting
- (1)
- Legitimacy: Only legitimate voters who have passed identity verification can vote.
- (2)
- Anonymity: Except for the voter themselves, no one else knows what the voter voted for.
- (3)
- Verifiability: Every voter can verify whether their votes have been counted correctly.
7.2. A Quantum-Resistant Proxy E-Voting System
- Voter: A voter; that is, the owner of the content of the ballot.
- Registration agency (RA): The registration agency checks the identity of voters.
- Voting agency: The voting agency signs the voter’s ballot to validate that ballot.
- Counter agency (CA): The counter agency is responsible for counting the number of votes in the constituency.
- General counter agency (GCA): The General counter agency is responsible for counting the total votes and publishing the results.
7.2.1. Setup
- (1)
- The RA publishes a list of voters and sends the registration form to voter who is on the list.
- (2)
- runs , then fills in on , and sends to the RA.
- (3)
- The RA receives the RE completed by ; the RA uses ’s public key to verify the legitimacy of ’s identity. If and , the RA randomly selects a ballot number for , and runs . The RA sends to .
- (4)
- After receives , uses the RA’s public key to verify the legitimacy of the ballot. If and , accepts the ballot number; otherwise, re-applies to the RA for the ballot number.
7.2.2. Vote Writing Stage
7.2.3. Voting Stage
- (1)
- Proxy delegationAfter O-signer determines the object P-signer to authorize, it runs to generate authorization information and sends it to P-signer. After P-signer receives , it verifies whether it is established. If the equality is established, P-signer accepts the authorization, otherwise, O-signer re-authorizes.
- (2)
- Proxy key generationIf the authorization is successful, P-signer runs to generate a proxy key .
- (3)
- Blind signature generation① runs the blinding algorithm to obtain blinded ballots of and send to P-signer.② P-signer signs the blinded ballot to obtain blinded signature and sends to .③ unblinds the signature to obtain . is the proxy blind signature of the ballot.
7.2.4. Counting Stage
7.3. Performance Analysis
- (1)
- Legality. Before voting, every voter must be registered and verified by the RA before becoming a legal voter. In the registration phase, the voter registers using their own identity and signs with their own private key, i.e., . Even if an adversary fills in the registration information to pretend to be a voter, they cannot know the private key of the voter. Since the SIS problem is a hard problem, the adversary cannot forge to be a legitimate voter.
- (2)
- Anonymity. In the voting stage, can obtain P-signer’s blind signature through the ID-Proxy-BS scheme. Therefore, the e-voting system proposed in this paper enables anonymous voting by voters, and no one can associate the vote with the voter except the voter themselves.
- (3)
- Efficiency: In the e-voting system proposed in this paper, O-signer grants signature rights to the P-signer for each constituency by region, and the P-signers for each constituency sign the blinded ballots for the region under their jurisdiction at the same time, thus increasing the efficiency of voting.
- (4)
- Verifiability. ① In the registration stage, obtains the unique ballot number . ② The total number of signed ballots and the total number of ballots of published on the electronic bulletin board by the CA can be used by voters to verify that the ballot papers have been counted.
8. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Data Availability Statement
Conflicts of Interest
References
- Ohkubo, M.; Miura, F.; Abe, M.; Fujioka, A.; Okamoto, T. An Improvement on a Practical Secret Voting Scheme. In Lecture Notes in Computer Science, Proceedings of the Information Security, Second International Workshop, ISW’99, Kuala Lumpur, Malaysia, 6–7 November 1999; Mambo, M., Zheng, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1729, pp. 225–234. [Google Scholar] [CrossRef]
- Amit, K.; Sunder, L. Proxy Blind Signature Scheme. 2003. Available online: http://eprint.iacr.org/2003/072 (accessed on 1 July 2023).
- Juels, A.; Luby, M.; Ostrovsky, R. Security of Blind Digital Signatures (Extended Abstract). In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; Kaliski, B.S., Jr., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1294, pp. 150–164. [Google Scholar] [CrossRef] [Green Version]
- Pointcheval, D.; Stern, J. Security Arguments for Digital Signatures and Blind Signatures. J. Cryptol. 2000, 13, 361–396. [Google Scholar] [CrossRef]
- Burt, K. RSA Digital Signature Scheme. In Encyclopedia of Cryptography and Security; van Tilborg, H.C.A., Jajodia, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 1061–1064. [Google Scholar] [CrossRef]
- Liu, W.; Tong, F.; Luo, Y.; Zhang, F. A proxy blind signature scheme based on elliptic curve with proxy revocation. In Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, Washington, DC, USA, 30 July–1 August 2007; pp. 99–104. [Google Scholar] [CrossRef]
- Jun, X.X.; Jin, P.; Zhen, X.G. New proxy signature scheme based on Schnorr signature scheme. J. Chongqing Univ. Posts Telecommun. 2005, 17, 742–744. [Google Scholar]
- Shor, P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 1997, 26, 1484–1509. [Google Scholar] [CrossRef] [Green Version]
- Ajtai, M. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; Miller, G.L., Ed.; ACM: New York, NY, USA, 1996; pp. 99–108. [Google Scholar] [CrossRef]
- Hoffstein, J.; Pipher, J.; Silverman, J.H. NSS: An NTRU Lattice-Based Signature Scheme. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, 6–10 May 2001; Pfitzmann, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 211–228. [Google Scholar] [CrossRef] [Green Version]
- Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Silverman, J.H.; Whyte, W. NTRUSIGN: Digital Signatures Using the NTRU Lattice. In Lecture Notes in Computer Science, Proceedings of the Topics in Cryptology—CT-RSA 2003, the Cryptographers’ Track at the RSA Conference 2003, San Francisco, CA, USA, 13–17 April 2003; Joye, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2612, pp. 122–140. [Google Scholar] [CrossRef]
- Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; Dwork, C., Ed.; ACM: New York, NY, USA, 2008; pp. 197–206. [Google Scholar] [CrossRef] [Green Version]
- Ducas, L.; Durmus, A.; Lepoint, T.; Lyubashevsky, V. Lattice Signatures and Bimodal Gaussians. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2013; Canetti, R., Garay, J.A., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8042, pp. 40–56. [Google Scholar] [CrossRef] [Green Version]
- Zhang, L.; Ma, Y. A Lattice-Based Identity-Based Proxy Blind Signature Scheme in the Standard Model. Math. Probl. Eng. 2014, 2014, 307637. [Google Scholar] [CrossRef] [Green Version]
- Gu, J.; Cao, X.Y.; Fu, Y.; He, Z.W.; Yin, Z.J.; Yin, H.L.; Chen, Z.B. Experimental measurement-device-independent type quantum key distribution with flawed and correlated sources. Sci. Bull. 2022, 67, 2167–2175. [Google Scholar] [CrossRef] [PubMed]
- Yin, H.L.; Fu, Y.; Li, C.L.; Weng, C.X.; Li, B.H.; Gu, J.; Lu, Y.S.; Huang, S.; Chen, Z.B. Experimental quantum secure network with digital signatures and encryption. Natl. Sci. Rev. 2023, 10, nwac228. [Google Scholar] [CrossRef] [PubMed]
- Rückert, M. Lattice-Based Blind Signatures. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—ASIACRYPT 2010—16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 5–9 December 2010; Abe, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6477, pp. 413–430. [Google Scholar] [CrossRef] [Green Version]
- Li, F.; Liu, Z.; Li, T.; Ju, H.; Wang, H.; Zhou, H. Privacy-aware PKI model with strong forward security. Int. J. Intell. Syst. 2022, 37, 10049–10065. [Google Scholar] [CrossRef]
- Gao, W.; Hu, Y.; Wang, B.; Xie, J. Identity-Based Blind Signature from Lattices in Standard Model. In Lecture Notes in Computer Science, Proceedings of the Information Security and Cryptology—12th International Conference, Inscrypt 2016, Beijing, China, 4–6 November 2016; Revised Selected Papers; Chen, K., Lin, D., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 10143, pp. 205–218. [Google Scholar] [CrossRef]
- Ye, Q.; Zhou, J.; Tang, Y. Identity-based Against Quantum Attacks Partially Blind Signature Scheme from Lattice. Netinfo Secur. 2018, 18, 46. [Google Scholar] [CrossRef]
- Zhou, Y.; Dong, S.; Yang, Y.Y. A Lattice-based Identity-based Proxy Partially Blind Signature Scheme in the Standard Model. Netinfo Secur. 2021, 21, 37–43. [Google Scholar] [CrossRef]
- Micciancio, D. Lattice-Based Cryptography. In Encyclopedia of Cryptography and Security, 2nd ed.; van Tilborg, H.C.A., Jajodia, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 713–715. [Google Scholar] [CrossRef] [Green Version]
- Ajtai, M. Generating Hard Instances of Lattice Problems. Electron. Colloquium Comput. Complex. 1996, TR96-007, 99–108. [Google Scholar]
- Lyubashevsky, V. Lattice Signatures without Trapdoors. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology— EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 738–755. [Google Scholar] [CrossRef] [Green Version]
- Micciancio, D.; Regev, O. Worst-Case to Average-Case Reductions Based on Gaussian Measures. SIAM J. Comput. 2007, 37, 267–302. [Google Scholar] [CrossRef] [Green Version]
- Bellare, M.; Neven, G. Multi-signatures in the plain public-Key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 October–3 November 2006; Juels, A., Wright, R.N., di Vimercati, S.D.C., Eds.; ACM: New York, NY, USA, 2006; pp. 390–399. [Google Scholar] [CrossRef] [Green Version]
- Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 700–718. [Google Scholar] [CrossRef] [Green Version]
- Shamir, A. Identity-Based Cryptosystems and Signature Schemes. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology, Proceedings of CRYPTO ’84, Santa Barbara, CA, USA, 19–22 August 1984; Blakley, G.R., Chaum, D., Eds.; Springer: Berlin/Heidelberg, Germany, 1984; Volume 196, pp. 47–53. [Google Scholar] [CrossRef] [Green Version]
- Chaum, D. Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT ’88, Workshop on the Theory and Application of of Cryptographic Techniques, Davos, Switzerland, 25–27 May 1988; Günther, C.G., Ed.; Springer: Berlin/Heidelberg, Germany, 1988; Volume 330, pp. 177–182. [Google Scholar] [CrossRef] [Green Version]
Parameter | Value |
---|---|
n | 512 |
q | |
m | 13,824 |
d | 1 |
128 | |
64 | |
Signature length | KB |
Secret key length | 24,192 KB |
Public key length | 24,192 KB |
Symbol | Definition |
---|---|
Voters | |
Identity | |
Registration form | |
Content of the ballot | |
RA | Registration agency |
O-signer | Original signer |
P-signer | Proxy signer |
CA | Counting agency |
GCA | Tallying agency |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Li, F.; Yang, M.; Song, Z.; Wang, P.; Li, G. Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy 2023, 25, 1157. https://doi.org/10.3390/e25081157
Li F, Yang M, Song Z, Wang P, Li G. Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy. 2023; 25(8):1157. https://doi.org/10.3390/e25081157
Chicago/Turabian StyleLi, Fengyin, Mengjiao Yang, Zhihao Song, Ping Wang, and Guoping Li. 2023. "Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice" Entropy 25, no. 8: 1157. https://doi.org/10.3390/e25081157
APA StyleLi, F., Yang, M., Song, Z., Wang, P., & Li, G. (2023). Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy, 25(8), 1157. https://doi.org/10.3390/e25081157