Next Article in Journal
Reinforcement Learning-Based Decentralized Safety Control for Constrained Interconnected Nonlinear Safety-Critical Systems
Next Article in Special Issue
Research on Quantum-Attack-Resistant Strong Forward-Secure Signature Schemes
Previous Article in Journal
Multi-Party Quantum Private Comparison Based on Bell States
Previous Article in Special Issue
Weighted Sum Secrecy Rate Maximization for Joint ITS- and IRS-Empowered System
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice

School of Computer Science, Qufu Normal University, Rizhao 276800, China
*
Author to whom correspondence should be addressed.
Entropy 2023, 25(8), 1157; https://doi.org/10.3390/e25081157
Submission received: 26 June 2023 / Revised: 27 July 2023 / Accepted: 28 July 2023 / Published: 2 August 2023
(This article belongs to the Special Issue Quantum and Classical Physical Cryptography)

Abstract

:
Blind signatures have been widely applied when privacy preserving is required, and the delegation of blind signature rights and a proxy blind signature (Proxy-BS) become necessary when the signer cannot sign. Existing Proxy-BS schemes are based on traditional cryptographically hard problems, and they cannot resist quantum attacks. Moreover, most current Proxy-BS schemes depend on public key infrastructure (PKI), which leads to high certificate storage and management overhead. To simplify key management and resist quantum attacks, we propose a post-quantum secure identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice using a matrix cascade technique and lattice cryptosystem. Under the random oracle model (ROM), the security of the proposed scheme is proved. Security shows that the proposed scheme assures security against quantum attacks and satisfies the correctness, blindness, and unforgeability. In addition, we apply the ID-Proxy-BS scheme on a lattice to e-voting and propose a quantum-resistant proxy e-voting system, which is resistant to quantum attacks and achieves the efficiency of e-voting.

1. Introduction

A proxy blind signature (Proxy-BS) is a peculiar type of digital signature and is widely applied in e-government systems [1]. Proxy-BS was first proposed by Lin et al. [2]. It allows the original signer to grant their binding signing rights to the proxy signer (P-signer), after which the P-signer signs without revealing the context of the signed message. Therefore, the two properties of Proxy-BS, namely blindness and unforgeability [3,4], guarantee the privacy of the message and security of the signature. Subsequently, a large number of Proxy-BS schemes based on public key cryptography have been proposed. The RSA-based Proxy-BS scheme [5], Proxy-BS scheme based on DLP and ECDLP [6], and Schnorr-based Proxy-BS scheme [7] have been proposed.
However, with the advent of quantum computers, traditional signature schemes such as RSA and DSA have become insecure since the probabilistic polynomial time algorithm was proposed by Shor [8]. Therefore, the lattice-based signature algorithm is one of the most promising candidate technologies. In 1996, AJTAI proposed a lattice-based cryptographic scheme and proved that it is resistant to quantum attacks [9]. Subsequently, a signature scheme based on NTRU was proposed, but it was soon broken by Regev et al. [10,11]. In 2008, Gentry et al. constructed a GPV signature scheme and proved that it satisfies security under the ROM [12]. In 2013, Ducas et al. proposed a new no-sampling algorithm that samples from a bimodal Gaussian distribution and proposed a lattice signing scheme based on this new no-sampling algorithm [13]. In 2014, Zhang et al. proposed a lattice-based Proxy-BS scheme under the standard model and proved its security based on the small integer solution (SIS) [14]. In 2022, Gu et al. proposed device-independent quantum key distribution, which can provide unconditional security for communication between users [15]. In 2023, Yin et al. proposed an experimental secure network, which enables unconditionally secure quantum digital signatures and encryption [16].
The above Proxy-BS schemes are based on the PKI [17]. In the public key cryptosystem based on the PKI, the user’s identity (ID) and public key (pk) are bound through the certificate, which involves cumbersome storage and legality verification of the certificate. As an alternative to the PKI-based public key cryptosystem, in 1984, Shamir took the user’s ID as the user’s pk and proposed the notion of identity encryption. Identity-based cryptography (IBC) also comes from this [18].
In 2017, Gao et al. improved Rückert’s scheme and proposed an identity-based blind signature scheme [19]. In 2018, Ye et al. proposed a partial Proxy-BS scheme, which was constructed based on identity and lattice [20]. Although these blind signature schemes are resistant to quantum attacks, they ignore the problem of master key leakage. In 2021, Zhou et al. proposed a lattice-based partial Proxy-BS scheme, which satisfies security such as resistance to master key disclosure attacks and unforgeability [21]. Proxy-BS can provide proxy delegation and anonymous authentication, preserve the privacy of the user, and is widely applied in e-government and blockchain systems. Therefore, we combined an identity-based cryptosystem with proxy technology on a lattice to design an efficient and quantum-resistant Proxy-BS scheme.
In this paper, we propose a post-quantum secure identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice. We apply the ID-Proxy-BS scheme to e-voting and design a quantum-resistant proxy e-voting system, which achieves multi-regional e-voting and ensures the anonymity of ballot content in e-voting. The contributions of this study are given below:
  • To simplify the key management and resistance to quantum attacks, we propose a post-quantum secure identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice using a matrix cascade technique and lattice cryptosystem. In the proposed ID-Proxy-BS scheme on a lattice, we cascade user identity and the master public key to construct the public key of the lattice signature and generate random parameters through a bimodal Gaussian distribution and rejection sampling algorithm. The ID-Proxy-BS scheme has better security.
  • Under the ROM, the security of the ID-Proxy-BS scheme on a lattice is proved under the assumption of the small integer solution (SIS) problem.
  • To achieve efficient e-voting, we apply the ID-Proxy-BS scheme on a lattice to e-voting and design a quantum-resistant proxy e-voting system. The system achieves multi-regional e-voting and ensures the anonymity of ballot content in e-voting.

2. Preliminaries

2.1. Lattice Theory

In this section, we define the lattice and a hard problem on the lattice. The specific definitions are below:
Definition 1
(Lattice). Let B = { b 1 , b 2 , b k } , in which b 1 , b 2 , b k R m are not correlated with each other. Then, the set of linear combinations of b 1 , b 2 , b k is called lattice Λ; that is,
Λ = L ( B ) = { c 1 b 1 + c 2 b 2 + c k b k c i Z }
where B is a basis of [22].
Let q be a prime number, matrix B Z q n × m and vector u Z q n . The q-ary lattice of the matrix B and the coset of the lattice Λ q ( B ) are defined as follows:
Λ q ( B ) = { B x = 0 mod q | x Z m }
Λ q u ( B ) = { B x = u mod q | x Z m }
Definition 2
(SIS problem). Given a real number ω, a prime q, and a matrix A Z q n × m , we solve a vector y z m such that A y = 0 mod q and y ω [23].
Lemma 1.
For arbitrary A Z q n × m , m > 64 + n log q / log ( 2 d + 1 ) , we randomly choose a vector x { d , , d } m , and with probability 1 2 100 , we can find another x { d , , 0 , d } m that satisfies A x = A x [24].

2.2. Statistical Distance

Definition 3
(Statistical distance). Given two random variables U, V S , the statistical distance between U and V is given by
Δ ( U , V ) = 1 2 n S | Pr U = u Pr V = u |
where S is a finite set [13].

2.3. Gaussian Distribution

Definition 4.
Gaussian distribution: For c > 0 and σ > 0 , we have a Gaussian function ρ c , σ ( x ) = e π | | x c | | 2 σ 2 centered on c and parameter σ . Then, for any x , the Gaussian distribution is D , σ , c ( x ) = ρ σ , c ( x ) ρ σ , c ( ) [25].

2.4. Trapdoor Generation and Preimage Sampling Algorithm

In this section, two algorithms are mainly introduced, which are the trapdoor generation algorithm and the preimage sampling algorithm [26]. The trapdoor generation algorithm generates a trapdoor of the lattice (i.e., a short base of the lattice), which is usually used as the master private key. The preimage sampling algorithm uses a trapdoor to generate private keys.
Definition 5
(Trapdoor Generation Algorithm). Let q, m, n be positive integers, where q 2 and m n log q . There exists an algorithm T r a p G e n ( q , m , n ) that outputs B and a basis T Z m × m of lattice Λ ( B ) such that the distribution of B Z q n × m is statistically indistinguishable from the distribution of Z q n × m , and | | T ˜ | | O ( n log q ) .
Definition 6
(Preimage Sampling Algorithm). Given a matrix B, a trapdoor basis T of lattice Λ ( B ) , a target term u Z q n , and x | | T ˜ | | · ω ( log q ) , there exists a polynomial algorithm S a m p l e P r e ( B , T , x , u ) that outputs a vector y Λ u ( B ) , and the distribution of y is statistically close to G Λ u ( B ) , x .

3. Security Model

The proxy blind signature (Proxy-BS) scheme satisfies the blindness and unforgeability of the signature scheme. Blindness primarily considers adversary signers. An adversary signer cannot find an arbitrary message–signature pair by implementing a specific signature algorithm. Unforgeability considers malicious original signers F 1 . Next, we prove the security of the scheme through games between an adversary signer and a user, adversary F 1 and the challenger.

3.1. Blindness

The blindness is proved through a game Game S b l i n d between an adversary signer and two users.
Definition 7
(Blindness). The scheme satisfies blindness if no adversary S wins the game with non-negligible probability δ. This game Game S b l i n d is below.
Game S b l i n d : U 1 and U 2 are two users, S is an adversary. The specific process of this game is as follows:
Setup: We have a random coin b { 0 , 1 } , which cannot be known by S. U 1 and U 2 randomly select two messages m b and m 1 b , respectively, and send them to S.
Signature: After S has received the message from U 1 and U 2 , S executes the blind signature algorithm with two users U 1 ( m b ) and U 2 ( m 1 b ) simultaneously, and finally U 1 and U 2 generate signatures σ ( m b ) and σ ( m 1 b ) , respectively, and send them to S.
Guess: After S has received the signature from U 1 and U 2 , S guesses b.
The adversary S’s advantage in winning the above game is | Pr [ G a m e S B l in d = 1 ] 1 2 | , where Pr [ Game S B l in d = 1 ] is the probability that Game S B l in d = 1 .

3.2. Unforgeability

The Proxy-BS scheme satisfies existential unforgeability under adaptive chosen message attack (EUF-CMA). The EUF-CMA security model has a malicious original signer F 1 . F 1 knows the proxy key, but not the proxy signer’s private key. We demonstrate the security of the Proxy-BS scheme through a game between the adversary and the challenger.
Definition 8
(EUF-CMA). The scheme satisfies EUF-CMA security if no adversary F 1 wins the game with non-negligible probability δ. This game Gam e F 1 is given below.
Gam e F 1 : T is a challenger, F 1 is an adversary. F 1 knows the proxy key. The specific process of this game is as follows:
Random oracle queries: F 1 queries the hash value of the message m i , and T returns the hash result of m i to F 1 .
Signature queries: F 1 queries the signature of the message m i , T returns signature to F 1 .
Forge: F 1 returns a forged signature of a message. If the signature is valid, F 1 wins the game. The advantage of F 1 in winning the game is the probability of returning a valid signature.

4. Identity-Based Proxy Blind Signature Model

This section introduces an identity-based proxy blind signature scheme model, which consists of five algorithms ( Setup , KeyGen , ProxyKeyGen , Proxy - BS , Verify ) [27]. This algorithm is completed by the interaction between the original signer O-signer, the proxy signer P-signer, and the user User. The specific steps are as follows.
  • Setup ( 1 λ ) p p : It inputs security parameters and generates system parameters;
  • KeyGen ( p p , I D o , I D p , σ ) S o , S p : It inputs system parameters, public keys of O-signer and P-signer, and generates private keys of O-signer and P-signer;
  • ProxyKeyGen ( p p , I D o , I D p , S o ) S : It inputs system parameters, O-signer’s key pair, and P-signer’s public key, and generates a proxy key;
  • Proxy BS ( p p , S p , S , M ) c : It inputs system parameters, message, and P-signer’s private key and proxy key, and the algorithm generates a blind signature of the message;
  • Verify ( p p , I D o , I D p M , c ) 1   or   0 : It inputs a message and its corresponding blind signature; the algorithm verifies that the signature is valid. If it is, the signature is accepted; otherwise, the signature is rejected.

5. Identity-Based Proxy Blind Signature (ID-Proxy-BS) Scheme on a Lattice

To achieve the anti-quantum attack performance of the proxy blind signature (Proxy-BS) scheme and solve the certificate management problem of the Proxy-BS scheme, this section proposes an identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice using a matrix cascade technique and lattice cryptosystem. This scheme cascades user identity and the master public key to construct the public key of the lattice signature, and generates random parameters through a bimodal Gaussian distribution and rejection sampling algorithm.
The ID-Proxy-BS scheme on a lattice proposed in this section is shown in Figure 1. There are six entities in the proposed scheme; they are key generation center KGC, user U, original signer O-signer, proxy signer P-signer, and verifier Verifier. This scheme contains five algorithms; namely, system initialization (Setup), key generation (KeyGen), proxy delegation (ProxyDelegation), proxy key generation (ProxyKeyGen), proxy blind signature (Proxy-BS), and signature verification (Signature Verification). The specific algorithms are as follows.

5.1. Setup

The system initialization generates the system public parameters and hash functions using the parameter setting method of the lattice cryptography, and generates the system master public key and master private key using the trapdoor generation algorithm on a lattice. The specific algorithm is below:
(1)
Parameter setting: λ denotes the security parameters, q = p l o y ( n ) , m = O ( n lg q ) , u = q I n , σ Z q n .
(2)
Hash function settings: H : { 0 , 1 } * Z 2 q n × m , H 1 : { 0 , 1 } * Z 2 q n × 3 m .
(3)
KGC runs T r a p G e n ( 1 λ ) to generate A Z 2 q n × m and a basis S Z 2 q m × n of lattice Λ 2 q ( A ) , where S O ( n log q ) .
(4)
The public parameter is set to p p = { A , H , H 1 } ; the master private key is m s k = S .

5.2. KeyGen

In this section, the master public key and the user identity are cascaded to construct the user public key, and the user’s private key is generated through the preimage sampling algorithm on the lattice. The identities of the original signer O-signer and the proxy signer P-signer are I D p and I D o , respectively. The specific algorithm is below:
KGC selects the identity I D o and I D p , KGC uses the system’s master key to run S o Z 2 q 2 m × n SamplePre ( A H ( I D o ) , S , u , σ ) such that [ A H ( I D o ) ] S o = q I n ( mod 2 q ) where S o σ 2 m . Similarly, KGC runs S p SamplePre ( A H ( I D p ) , S , u , σ ) . The private keys of O-signer and P-signer are S o and S p , respectively.

5.3. ProxyDelegation

The proxy delegation algorithm completes the authorization of O-Signer’s signature to P-Signer by generating authorization information through the preimage sampling algorithm on the lattice to sign the authorization certificate. Without loss of generality, this section assumes an authorization certificate, which includes the identity of O-signer, the ID of P-signer, and the proxy authorization period. The specific process is as follows:
(1)
After O-signer determines the object for P-signer to authorize, O-signer generates an authorization certificate ω and publishes it.
(2)
O-signer runs the algorithm δ 1 SamplePre ( A | | H ( I D o ) , S o , u , H ( ω ) ) , where δ 2 = ω . O-signer will send authorization information δ = ( δ 1 , δ 2 ) to P-signer.

5.4. ProxyKeyGen

In this section, P-signer generates a proxy key based on the authorization information sent by O-signer through the preimage sampling algorithm on the lattice. The specific algorithm is below:
(1)
After P-signer receives δ , it verifies that the equation [ A | | H ( I D o ) ] δ 1 = q I n ( mod 2 q ) holds. If the equality holds, P-signer accepts the authorization; otherwise, O-signer re-authorizes.
(2)
If Equation (1) holds, P-signer runs SamplePre ( A | | H ( I D o ) H ( I D p ) , S p , u , δ 2 ) to generate a proxy key S Z 2 q 3 m × n such that [ A H ( I D q ) H ( I D p ) ] S = q I n ( mod 2 q ) and S σ 3 m .

5.5. Proxy-BS

The Proxy-BS algorithm first generates random blinding factors to hide the original message through a bimodal Gaussian distribution, then signs the blinded message through P-signer ’s private key and the proxy key, and finally obtains the signature of the original message by removing the blinding factor. This section includes three stages; namely, blinding, proxy blind signature, and unblinding. The specific algorithm is below:
Before the blinding phase, P-signer randomly selects two vectors r 1 D σ 2 2 m , r 2 D σ 2 3 m and computes commitment x 1 [ A H ( I D p ) ] r 1 , x 2 [ A H ( I D o ) H ( I D p ) ] r 2 to U.

5.5.1. Blinding

If a signature is required, user U uses P-signer ’s commitment x 1 , x 2 , blinding factor y 1 , y 2 , and message m to hash to complete the blinding process. Then, U sends a blind message to P-signer. It is known that m is the message to be blinded. The specific algorithm is as follows:
(1)
U randomly selects two blinding factors y 1 D σ 3 2 m , y 2 D σ 3 3 m .
(2)
U calculates c 1 H 1 ( x 1 + [ A | | H ( I D p ) ] y 1 mod 2 q , m ) , c 2 H 1 ( x 2 + [ A | | H ( I D o ) | |   H ( I D p ) ] y 2 mod 2 q , m ) .
(3)
U selects a bit b { 0 , 1 } .
(4)
U computes the blinded message μ 1 ( 1 ) b c 1 , μ 2 ( 1 ) b c 2 .
(5)
U sends blind message ( μ 1 , μ 2 ) to P-signer.

5.5.2. Proxy Blind Signature

P-signer signs the received blind message ( μ 1 , μ 2 ) according to the parameters generated by the preimage sampling algorithm on the lattice. P-signer uses random vector r 1 , r 2 , own private key, and proxy key to perform a proxy blind signature and sends the signature ( z 1 , z 2 ) to U. The specific algorithm is as follows:
(1)
P-signer uses the random vector selected when generating the commitment for the user r 1 D σ 2 2 m , r 2 D σ 2 3 m .
(2)
P-signer calculates the signature z 1 r 1 + μ 1 S p , z 2 r 2 + μ 2 S of the blind message ( μ 1 , μ 2 ) .
(3)
P-signer returns the blind signature ( z 1 , z 2 ) to U.

5.5.3. Unblinding

User U receives the blind signature ( z 1 , z 2 ) from P-signer and U unblinds the signature to recover the signature of the message m. The specific steps are as follows:
(1)
U uses the blinding factor y 1 D σ 3 2 m , y 2 D σ 3 3 m selected in the blinding message phase.
(2)
U calculates the signature e 1 y 1 + z 1 , e 2 y 2 + z 2 of the original message m.

5.6. Signature Verification

The signature ( e 1 , e 2 ) is verified based on the public key of P-signer and O-signer, and the hash values c 1 and c 2 are generated by the user during the blinding. If the signature matches the conditions, it is accepted; otherwise, it is rejected. The signature verification algorithm is shown below:
(1)
e 1 B 1 , e 2 B 2 (where B 1 = η 2 m σ , B 2 = η 3 m σ , η [ 1.1 , 1.4 ] ).
(2)
e 1 q / 4 , e 2 q / 4 .
(3)
c 1 = H 1 ( [ A | | H ( I D p ) ] e 1 + q c 1 mod 2 q , m ) .
(4)
c 2 = H 1 ( [ A | | H ( I D o ) | | H ( I D p ) ] e 2 + q c 2 mod 2 q , m ) .
If conditions (1), (2), (3), and (4) are met, the signature is valid; otherwise, the signature is invalid.

6. Performance Analysis

6.1. Correctness

In this section, we give proof of correctness for the ID-Proxy-BS scheme on a lattice. When receiving the signature ( e 1 , e 2 ) , ( c 1 , c 2 ) , the Verifier first runs the signature verification algorithm to verify that the signature is valid. It judges the four conditions e 1 B 1 , e 2 B 2 , e 1 q q 4 4 , e 2 q q 4 4 ; if any one of them is not met, the signature is invalid. Otherwise, according to the public key of P-signer and O-signer and the hash value ( c 1 , c 2 ) generated by the user during the blinding, the Verifier verifies whether the following two equations are true. The details are as follows:
(1)
The Verifier verifies that equation c 1 = H 1 ( [ A | | H ( I D p ) ] e 1 + q c 1 mod 2 q , m ) holds:
[ A | | H ( I D p ) ] e 1 + q c 1 = [ A | | H ( I D p ) ] ( y 1 + z 1 ) + q c 1 = [ A | | H ( I D p ) ] y 1 + [ A | | H ( I D p ) ] z 1 + q c 1 = [ A | | H ( I D p ) ] ( r 1 + μ 1 S p ) + [ A | | H ( I D p ) ] y 1 + q c 1 = [ A | | H ( I D p ) ] r 1 + ( 1 ) b [ A | | H ( I D p ) ] S p c 1 + [ A | | H ( I D p ) ] y 1 + q c 1 = x 1 + ( 1 ) b q c 1 + q c 1 + [ A | | H ( I D p ) ] y 1 = x 1 + [ A | | H ( I D p ) ] y 1 ( mod 2 q )
(2)
The Verifier verifies that equation c 2 = H 1 ( [ A | | H ( I D o ) | | H ( I D p ) ] e 2 + q c 2 mod 2 q , m ) holds:
[ A | | H ( I D o ) | | H ( I D p ) ] e 2 + q c 2 = [ A | | H ( I D o ) | | H ( I D p ) ] ( y 2 + z 2 ) + q c 2 = [ A | | H ( I D o ) | | H ( I D p ) ] y 2 + [ A | | H ( I D o ) | | H ( I D p ) ] z 2 + q c 2 = [ A | | H ( I D o ) | | H ( I D p ) ] ( r 2 + μ 2 S ) + [ A | | H ( I D o ) | | H ( I D p ) ] y 2 + q c 2 = [ A | | H ( I D o ) | | H ( I D p ) ] r 2 + ( 1 ) b [ A | | H ( I D o ) | | H ( I D p ) ] S c 2 + [ A | | H ( I D o ) | | H ( I D p ) ] y 2 + q c 2 = x 2 + ( 1 ) b q c 2 + q c 2 + [ A | | H ( I D o ) | | H ( I D p ) ] y 2 = x 2 + [ A | | H ( I D o ) | | H ( I D p ) ] y 2 ( mod 2 q )
If (1) and (2) above are valid, the ID-Proxy-BS scheme on a lattice satisfies correctness.

6.2. Blindness

Theorem 1.
The ID-Proxy-BS on-lattice scheme proposed in this paper satisfies blindness.
Proof. 
An adversary signer S cannot obtain useful information from signed messages. Suppose the adversary S, having the advantage A dv ( S * ) , interacts with two different users U 0 , U 1 to attack our scheme.
Setup: We are given a random coin b { 0 , 1 } , which cannot be known by S. U 1 and U 2 randomly select two messages m b and m 1 b , respectively, and send them to S.
Signature: After S has received the message from U 1 and U 2 , S executes the blind signature algorithm with two users U 1 ( m b ) and U 2 ( m 1 b ) simultaneously, and finally U 1 and U 2 generate signatures σ ( m b ) and σ ( m 1 b ) , respectively, and send them to S.
Guess: After S has received the signature from U 1 and U 2 , S guesses b.
When performing the proxy blind signature algorithm, due to the random variables, we only need to prove the blinded messages μ and ( c , e ) and note that since c is the result of a hash function and is randomly generated, we do not have to account for it. The specific analysis process is as follows:
  • The distribution of μ . The interaction of adversary S with σ ( m b ) and σ ( m 1 b ) , respectively, generates μ b and μ 1 b . The statistical distance of μ b and μ 1 b is Δ = ( μ s , μ 1 b ) = 1 2 μ ˜ Z n | Pr ( μ b = μ ˜ ) Pr ( μ 1 b = μ ˜ ) | . Since μ ( 1 ) b c and it is output with probability min ( D σ 1 μ ( μ ) M 1 , D c , σ 1 ( μ ) m , 1 ) , μ b and μ 1 b have the same distribution D σ 1 m through the rejection sampling algorithm. The statistical distance satisfies Δ ( μ b , μ 1 b ) = 0 , and they are independent of the signed messages, so the adversary S cannot distinguish them.
  • The distribution of e. Similar to μ because e b and e 1 b have the same distribution D σ 2 m through the rejection sampling algorithm. Their statistical distance satisfies Δ ( e b , e 1 b ) = 0 and they are independent of signed messages, so the adversary S cannot distinguish them. The final P-signer cannot associate the message with the signatures μ and ( c , e ) .

6.3. Unforgeability

Theorem 2.
In the random oracle model, the ID-Proxy-BS on-lattice scheme satisfies EUF-CMA security if no adversary F 1 forges a valid proxy blind signature with a non-negligible advantage ε assuming that the SIS problem is hard.
Proof. 
Suppose there is a probabilistic polynomial adversary F 1 who performs q H hash queries and q s signature queries, and forges a valid proxy blind signature with non-negligible advantage ε . F 1 outputs the challenge identity ID. The following simulates the interaction between the challenger T and the adversary F 1 .
Hash queries: T maintains an initialized empty list L 1 to store the hash value of the message m. F 1 inputs m. T first checks the corresponding tuple in L 1 . If it exists, T returns ( m , H ( m ) ) to F 1 ; if not, T chooses c { v { 1 , 0 , 1 } k : | | v | | 1 k } and selects e D σ 3 m , with c = H ( [ A | | H ( I D ) ] e + q c mod 2 q , m ) . T stores ( e , c ) and returns c to F 1 .
Signature queries: T maintains an initialized empty list L 2 to store the signature of the message m. When F 1 sends a query for the signature of the message m, T first checks the corresponding tuple in L 2 . If it exists, T returns ( m , c , e ) to F 1 ; otherwise, T will run the proxy blind signature algorithm to generate the signature pair ( c , e ) to F 1 .
Forgery: After F 1 decides to end these queries, F 1 outputs a forged signature. T will use this forged signature to solve the SIS problem. Suppose c = c j . There are two possibilities for c j : one is c j generated in the signature queries and the other is generated in the hash queries.
When c j is generated in signature queries, due to the fact that c = c j , then H ( [ A | | H ( I D ) ] e + q c j , m ) = H ( [ A | | H ( I D ) ] e + q c j , m ) . If m m or [ A H ( I D ) ] e + q c j [ A H ( I D ) ] e + q c j , this means that F 1 has found a preimage of c j . Therefore, m = m , [ A | | H ( I D ) ] e + q c j = [ A | | H ( I D ) ] e + q c j , and A ( e e ) = 0 mod 2 q . Since e e 0 , the SIS problem is solved.
When c j is generated in hash queries, T records the adversary’s forged signatures ( e , c j ) on messages m, and selects randomly c t , . . . , c t B k . According to Lemma [18], the probability that F 1 generates a new forged signature ( e , c j ) ( c j c j ) is ( ε 1 B k n ) ( q 1 / B k n q s + q H 1 B k n ) . Since [ A | | H ( I D ) ] e q c j = [ A | | H ( I D ) ] e q c j , the public key and the private key satisfy [ A | | H ( I D ) ] S = q I n mod 2 q ; therefore, we can obtain the equation [ A | | H ( I D ) ] ( e e ) = q ( c j c j ) I n mod 2 q . Since c j c j , we can deduce that e e 0 mod 2 q . We know q ( c j c j ) mod q = 0 , so [ A | | H ( I D ) ] ( e e ) = 0 mod 2 q . It can be seen that we find a non-zero vector v with a probability of at least β = ( 1 2 2 100 ) ( ε 1 B k n ) ( q 1 / B k n q s + q H 1 B k n ) such that [ A | | H ( I D ) ] v = 0 . □

6.4. Efficiency Analysis

In this subsection, we present a comparison with the current literature Refs. [13,18,28]. Assuming that the parameters ( n , m , d , k , q , σ ) in this paper are the same as those in the existing literature, the specific comparison result will show in Table 1. The parameters of the proposed scheme are set as shown in Table 2.
According to Table 1, compared with [18] and [13], the key length and signature length of this scheme are relatively large. The public key length, private key length, and signature length of the ID-Proxy-BS on-lattice scheme are smaller than those in [28].
In this study, we set the security parameter λ to 128 bits. At the same time, we chose appropriate parameters n, q, m to ensure the security of public and private keys. Since the signature obeys the distribution D σ 3 m , the signature of the proposed scheme in this paper is ( 5 m ) log ( 12 σ 3 ) bits. Based on the specific values of these parameters, we provide the comparison results of our scheme with the current schemes, as shown in Figure 2.

7. A Quantum-Resistant Proxy E-Voting System

In this section, first, we give the conditions that a secure e-voting system needs to satisfy. Then, we apply the identity-based proxy blind signature (ID-Proxy-BS) on-lattice scheme to e-voting, and design a quantum-resistant proxy e-voting system. Finally, we perform a performance analysis of the proposed e-voting system.

7.1. Basic Requirements for E-Voting

E-voting has stimulated people’s research interest due to its advantages of saving time and effort [29]. When building an e-voting system, it is necessary to ensure the privacy of voters and the accuracy of voting. Therefore, an e-voting system should meet the following basic requirements:
(1)
Legitimacy: Only legitimate voters who have passed identity verification can vote.
(2)
Anonymity: Except for the voter themselves, no one else knows what the voter voted for.
(3)
Verifiability: Every voter can verify whether their votes have been counted correctly.

7.2. A Quantum-Resistant Proxy E-Voting System

The above-mentioned e-voting does not take into account the quantum security and transmission efficiency of ballots during transmission. Therefore, in this section, we apply the identity-based proxy blind signature (ID-Proxy-BS) on-lattice scheme to e-voting, and propose a multi-region proxy e-voting system that is resistant to quantum attacks. The architecture of the e-voting system is shown in Figure 3. There are k constituencies in this system, and each constituency sets up a proxy signature agency and counts votes separately, thereby improving voting efficiency. Second, the voter hides the content of the ballot in the signature, so that the privacy of the voter is protected. Finally, based on the characteristics of the lattice, the proposed e-voting system can resist quantum attacks.
The quantum-resistant proxy e-voting system consists of five entities, which are voters, registration agency, voting agency, counter agency, and general counter agency.
  • Voter: A voter; that is, the owner of the content of the ballot.
  • Registration agency (RA): The registration agency checks the identity of voters.
  • Voting agency: The voting agency signs the voter’s ballot to validate that ballot.
  • Counter agency (CA): The counter agency is responsible for counting the number of votes in the constituency.
  • General counter agency (GCA): The General counter agency is responsible for counting the total votes and publishing the results.
Specifically, the proposed e-voting system in this paper mainly includes four stages: setup, vote writing stage, voting stage, and vote counting stage. Table 3 shows the symbols and definitions used in this system.

7.2.1. Setup

Let λ be the security parameters, q = p l o y ( n ) , m 2 n lg q . Hash function H : { 0 , 1 } * Z 2 q n × m . First, the registration agency RA runs ( A , S ) T r a p G e n ( 1 n ) to generate the system’s master public key A and master private key S. Then, the RA runs SamplePre ( A H ( I D i ) , S , u , σ ) to generate the user’s private key. It is known that the public and private key pairs of O-signer and P-signer are ( I D o , S o ) and ( I D P , S P ) , respectively. Finally, the RA is responsible for registering every legal voter. The specific process is as follows:
(1)
The RA publishes a list of voters and sends the registration form R F to voter V i who is on the list.
(2)
V i runs x i SamplePre ( A H ( I D i ) , S i , σ ) , then V i fills in ( I D i , x i ) on R F , and sends R F to the RA.
(3)
The RA receives the RE completed by V i ; the RA uses V i ’s public key to verify the legitimacy of V i ’s identity. If [ A H ( I D i ) ] x i = q I n mod 2 q and x i σ 2 m , the RA randomly selects a ballot number N i { 0 , 1 } * for V i , and runs X i SamplePre ( A H ( I D i ) | | N i , S , σ ) . The RA sends ( I D i , N i , X i ) to V i .
(4)
After V i receives ( I D i , N i , X i ) , V i uses the RA’s public key to verify the legitimacy of the ballot. If A X i = q I n mod 2 q and X i σ 3 m , V i accepts the ballot number; otherwise, V i re-applies to the RA for the ballot number.

7.2.2. Vote Writing Stage

Suppose there are n voters V 1 , V 2 , V n and m candidates C 1 , C 2 , C m . If V i wants to vote for candidate C j , it is recorded as m i [ j ] = 1 ; otherwise, m i [ j ] = 0 . V i fills in the ballot as m i = m i [ 1 ] m i [ 2 ] m i [ m ] .

7.2.3. Voting Stage

In the voting stage, O-signer grants their signing rights to the P-signers of each constituency, and the P-signers of each constituency sign the blinded ballots in the areas under their jurisdiction.
(1)
Proxy delegation
After O-signer determines the object P-signer to authorize, it runs ProxyDelegation   ( A , H ( I D o ) , S o , ω ) to generate authorization information δ = ( δ 1 , δ 2 ) and sends it to P-signer. After P-signer receives δ , it verifies [ A | | H ( I D o ) ] δ 1 = q I n ( mod 2 q ) whether it is established. If the equality is established, P-signer accepts the authorization, otherwise, O-signer re-authorizes.
(2)
Proxy key generation
If the authorization is successful, P-signer runs SamplePre ( A | | H ( I D o ) H ( I D p ) ,   S p , u , δ 2 ) to generate a proxy key S Z 2 q 3 m × n .
(3)
Blind signature generation
V i runs the blinding algorithm to obtain blinded ballots ( μ 1 , μ 2 ) of m i and send ( μ 1 , μ 2 ) to P-signer.
② P-signer signs the blinded ballot ( μ 1 , μ 2 ) to obtain blinded signature ( z 1 , z 2 ) and sends ( z 1 , z 2 ) to V i .
V i unblinds the signature ( z 1 , z 2 ) to obtain ( e 1 , e 2 ) . ( m i , N i , S , e 1 , e 2 ) is the proxy blind signature of the ballot.

7.2.4. Counting Stage

The voter V i sends signed ballots ( m i , N i , S , e 1 , e 2 ) to the counting agency CA. The CA verifies the legitimacy and uniqueness of the ballot; that is, the CA verifies whether ①–④ are established at the same time:
e 1 B 1 , e 2 B 2 (where B 1 = η 2 m σ , B 2 = η 3 m σ , η [ 1.1 , 1.4 ] ).
e 1 q / 4 , e 2 q / 4 .
c 1 = H 1 ( [ A | | H ( I D p ) ] e 1 + q c 1 mod 2 q , m ) .
c 2 = H 1 ( [ A | | H ( I D o ) | | H ( I D p ) ] e 2 + q c 2 mod 2 q , m ) .
If the verification passes and the ballot number N i is unique, the CA accepts the ballot; otherwise, the CA discards it. After the voting is completed, the CA first calculates the voting results of all voters V i for each C j ; then, the CA calculates the number of votes m 1 [ j ] + m 2 [ j ] + + m n [ j ] for each C j . Finally, the CA of each constituency sends the number of votes N u m k , j of C j and signed ballots C k = ( m i , N i , S , e 1 , e 2 ) to GCA to summarize and publish the voting results.

7.3. Performance Analysis

The e-voting system proposed in this paper has the following characteristics.
(1)
Legality. Before voting, every voter must be registered and verified by the RA before becoming a legal voter. In the registration phase, the voter V i registers using their own identity I D i and signs with their own private key, i.e., ( I D i , x i ) . Even if an adversary fills in the registration information to pretend to be a voter, they cannot know the private key S i of the voter. Since the SIS problem is a hard problem, the adversary cannot forge x i to be a legitimate voter.
(2)
Anonymity. In the voting stage, V i can obtain P-signer’s blind signature through the ID-Proxy-BS scheme. Therefore, the e-voting system proposed in this paper enables anonymous voting by voters, and no one can associate the vote with the voter except the voter themselves.
(3)
Efficiency: In the e-voting system proposed in this paper, O-signer grants signature rights to the P-signer for each constituency by region, and the P-signers for each constituency sign the blinded ballots for the region under their jurisdiction at the same time, thus increasing the efficiency of voting.
(4)
Verifiability. ① In the registration stage, V i obtains the unique ballot number N i . ② The total number of signed ballots ( m i , N i , S , e 1 , e 2 ) and the total number of ballots m 1 [ j ] + m 2 [ j ] + m n [ j ] of C j published on the electronic bulletin board by the CA can be used by voters to verify that the ballot papers have been counted.
In the e-voting system proposed in this section, voters hide the content of the ballot in their signatures and realize anonymous voting. In large-scale elections, setting up agencies for each district improves the efficiency of e-voting. Based on the characteristics of a lattice, the proposed e-voting system can resist quantum attacks. Therefore, the e-voting system proposed in this paper is anonymous, efficient, and resistant to quantum attacks.

8. Conclusions

In this paper, to simplify key management and resist quantum attacks, we have proposed a post-quantum secure identity-based proxy blind signature (ID-Proxy-BS) scheme on a lattice using a matrix cascade technique and lattice cryptosystem. In the proposed scheme, firstly, we cascaded the user identity and the master public key to construct the public key of the lattice signature, and generated random parameters through a bimodal Gaussian distribution and rejection sampling algorithm. Then, the security of the ID-Proxy-BS scheme was proved based on the SIS problem under the ROM. Finally, we applied the scheme to e-voting, and designed a quantum-resistant proxy e-voting system. The system enables multi-regional electronic voting and satisfies anonymity, high efficiency, and anti-quantum attack.

Author Contributions

Writing—review, editing, methodology, and validation, F.L.; writing—original draft, methodology, and formal analysis, M.Y.; methodology and formal analysis, Z.S.; validation and resources, P.W.; formal analysis and validation, G.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Ohkubo, M.; Miura, F.; Abe, M.; Fujioka, A.; Okamoto, T. An Improvement on a Practical Secret Voting Scheme. In Lecture Notes in Computer Science, Proceedings of the Information Security, Second International Workshop, ISW’99, Kuala Lumpur, Malaysia, 6–7 November 1999; Mambo, M., Zheng, Y., Eds.; Springer: Berlin/Heidelberg, Germany, 1999; Volume 1729, pp. 225–234. [Google Scholar] [CrossRef]
  2. Amit, K.; Sunder, L. Proxy Blind Signature Scheme. 2003. Available online: http://eprint.iacr.org/2003/072 (accessed on 1 July 2023).
  3. Juels, A.; Luby, M.; Ostrovsky, R. Security of Blind Digital Signatures (Extended Abstract). In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; Kaliski, B.S., Jr., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1294, pp. 150–164. [Google Scholar] [CrossRef] [Green Version]
  4. Pointcheval, D.; Stern, J. Security Arguments for Digital Signatures and Blind Signatures. J. Cryptol. 2000, 13, 361–396. [Google Scholar] [CrossRef]
  5. Burt, K. RSA Digital Signature Scheme. In Encyclopedia of Cryptography and Security; van Tilborg, H.C.A., Jajodia, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 1061–1064. [Google Scholar] [CrossRef]
  6. Liu, W.; Tong, F.; Luo, Y.; Zhang, F. A proxy blind signature scheme based on elliptic curve with proxy revocation. In Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, Washington, DC, USA, 30 July–1 August 2007; pp. 99–104. [Google Scholar] [CrossRef]
  7. Jun, X.X.; Jin, P.; Zhen, X.G. New proxy signature scheme based on Schnorr signature scheme. J. Chongqing Univ. Posts Telecommun. 2005, 17, 742–744. [Google Scholar]
  8. Shor, P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 1997, 26, 1484–1509. [Google Scholar] [CrossRef] [Green Version]
  9. Ajtai, M. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; Miller, G.L., Ed.; ACM: New York, NY, USA, 1996; pp. 99–108. [Google Scholar] [CrossRef]
  10. Hoffstein, J.; Pipher, J.; Silverman, J.H. NSS: An NTRU Lattice-Based Signature Scheme. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, 6–10 May 2001; Pfitzmann, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 211–228. [Google Scholar] [CrossRef] [Green Version]
  11. Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Silverman, J.H.; Whyte, W. NTRUSIGN: Digital Signatures Using the NTRU Lattice. In Lecture Notes in Computer Science, Proceedings of the Topics in Cryptology—CT-RSA 2003, the Cryptographers’ Track at the RSA Conference 2003, San Francisco, CA, USA, 13–17 April 2003; Joye, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2612, pp. 122–140. [Google Scholar] [CrossRef]
  12. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; Dwork, C., Ed.; ACM: New York, NY, USA, 2008; pp. 197–206. [Google Scholar] [CrossRef] [Green Version]
  13. Ducas, L.; Durmus, A.; Lepoint, T.; Lyubashevsky, V. Lattice Signatures and Bimodal Gaussians. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2013; Canetti, R., Garay, J.A., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8042, pp. 40–56. [Google Scholar] [CrossRef] [Green Version]
  14. Zhang, L.; Ma, Y. A Lattice-Based Identity-Based Proxy Blind Signature Scheme in the Standard Model. Math. Probl. Eng. 2014, 2014, 307637. [Google Scholar] [CrossRef] [Green Version]
  15. Gu, J.; Cao, X.Y.; Fu, Y.; He, Z.W.; Yin, Z.J.; Yin, H.L.; Chen, Z.B. Experimental measurement-device-independent type quantum key distribution with flawed and correlated sources. Sci. Bull. 2022, 67, 2167–2175. [Google Scholar] [CrossRef] [PubMed]
  16. Yin, H.L.; Fu, Y.; Li, C.L.; Weng, C.X.; Li, B.H.; Gu, J.; Lu, Y.S.; Huang, S.; Chen, Z.B. Experimental quantum secure network with digital signatures and encryption. Natl. Sci. Rev. 2023, 10, nwac228. [Google Scholar] [CrossRef] [PubMed]
  17. Rückert, M. Lattice-Based Blind Signatures. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—ASIACRYPT 2010—16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 5–9 December 2010; Abe, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6477, pp. 413–430. [Google Scholar] [CrossRef] [Green Version]
  18. Li, F.; Liu, Z.; Li, T.; Ju, H.; Wang, H.; Zhou, H. Privacy-aware PKI model with strong forward security. Int. J. Intell. Syst. 2022, 37, 10049–10065. [Google Scholar] [CrossRef]
  19. Gao, W.; Hu, Y.; Wang, B.; Xie, J. Identity-Based Blind Signature from Lattices in Standard Model. In Lecture Notes in Computer Science, Proceedings of the Information Security and Cryptology—12th International Conference, Inscrypt 2016, Beijing, China, 4–6 November 2016; Revised Selected Papers; Chen, K., Lin, D., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 10143, pp. 205–218. [Google Scholar] [CrossRef]
  20. Ye, Q.; Zhou, J.; Tang, Y. Identity-based Against Quantum Attacks Partially Blind Signature Scheme from Lattice. Netinfo Secur. 2018, 18, 46. [Google Scholar] [CrossRef]
  21. Zhou, Y.; Dong, S.; Yang, Y.Y. A Lattice-based Identity-based Proxy Partially Blind Signature Scheme in the Standard Model. Netinfo Secur. 2021, 21, 37–43. [Google Scholar] [CrossRef]
  22. Micciancio, D. Lattice-Based Cryptography. In Encyclopedia of Cryptography and Security, 2nd ed.; van Tilborg, H.C.A., Jajodia, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 713–715. [Google Scholar] [CrossRef] [Green Version]
  23. Ajtai, M. Generating Hard Instances of Lattice Problems. Electron. Colloquium Comput. Complex. 1996, TR96-007, 99–108. [Google Scholar]
  24. Lyubashevsky, V. Lattice Signatures without Trapdoors. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology— EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 738–755. [Google Scholar] [CrossRef] [Green Version]
  25. Micciancio, D.; Regev, O. Worst-Case to Average-Case Reductions Based on Gaussian Measures. SIAM J. Comput. 2007, 37, 267–302. [Google Scholar] [CrossRef] [Green Version]
  26. Bellare, M.; Neven, G. Multi-signatures in the plain public-Key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 October–3 November 2006; Juels, A., Wright, R.N., di Vimercati, S.D.C., Eds.; ACM: New York, NY, USA, 2006; pp. 390–399. [Google Scholar] [CrossRef] [Green Version]
  27. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7237, pp. 700–718. [Google Scholar] [CrossRef] [Green Version]
  28. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology, Proceedings of CRYPTO ’84, Santa Barbara, CA, USA, 19–22 August 1984; Blakley, G.R., Chaum, D., Eds.; Springer: Berlin/Heidelberg, Germany, 1984; Volume 196, pp. 47–53. [Google Scholar] [CrossRef] [Green Version]
  29. Chaum, D. Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA. In Lecture Notes in Computer Science, Proceedings of the Advances in Cryptology—EUROCRYPT ’88, Workshop on the Theory and Application of of Cryptographic Techniques, Davos, Switzerland, 25–27 May 1988; Günther, C.G., Ed.; Springer: Berlin/Heidelberg, Germany, 1988; Volume 330, pp. 177–182. [Google Scholar] [CrossRef] [Green Version]
Figure 1. Identity-based proxy blind signature scheme on a lattice.
Figure 1. Identity-based proxy blind signature scheme on a lattice.
Entropy 25 01157 g001
Figure 2. The specific results of the proposed solution compared to the literature Refs. [13,18,28].
Figure 2. The specific results of the proposed solution compared to the literature Refs. [13,18,28].
Entropy 25 01157 g002
Figure 3. E-voting system based on ID-Proxy-BS on-lattice scheme.
Figure 3. E-voting system based on ID-Proxy-BS on-lattice scheme.
Entropy 25 01157 g003
Table 1. Comparison of the proposed solution w.r.t. to the state-of-the-art.
Table 1. Comparison of the proposed solution w.r.t. to the state-of-the-art.
DocumentPublic Key LengthPrivate Key LengthSignature Length
[18] 3 m n log q 3 m n log q ( m n + d m ) log ( 12 σ )
[28] m n log ( 2 d + 1 ) nk log q 2 m log ( 12 σ )
[13] mn log q mk log q 2 m log ( 12 σ )
This article m n log ( 2 q ) m n log ( 2 q ) ( 5 m ) log ( 12 σ )
Table 2. Parameter settings.
Table 2. Parameter settings.
ParameterValue
n512
q 2 27
m13,824
d1
λ 128
σ 1 64
σ 2 2 20
σ 3 2 30
Signature length 289.2 KB
Secret key length24,192 KB
Public key length24,192 KB
Table 3. Symbol definition.
Table 3. Symbol definition.
SymbolDefinition
V i Voters
I D i Identity
R F Registration form
m i Content of the ballot
RARegistration agency
O-signerOriginal signer
P-signerProxy signer
CACounting agency
GCATallying agency
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Li, F.; Yang, M.; Song, Z.; Wang, P.; Li, G. Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy 2023, 25, 1157. https://doi.org/10.3390/e25081157

AMA Style

Li F, Yang M, Song Z, Wang P, Li G. Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy. 2023; 25(8):1157. https://doi.org/10.3390/e25081157

Chicago/Turabian Style

Li, Fengyin, Mengjiao Yang, Zhihao Song, Ping Wang, and Guoping Li. 2023. "Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice" Entropy 25, no. 8: 1157. https://doi.org/10.3390/e25081157

APA Style

Li, F., Yang, M., Song, Z., Wang, P., & Li, G. (2023). Post-Quantum Secure Identity-Based Proxy Blind Signature Scheme on a Lattice. Entropy, 25(8), 1157. https://doi.org/10.3390/e25081157

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop