# Quantum-Resistant Identity-Based Signature with Message Recovery and Proxy Delegation


## Abstract


## 1. Introduction

#### 1.1. Related Work

#### 1.2. Our Contribution

## 2. Preliminaries

#### 2.1. Notations

#### 2.2. Lattice Theory

**Definition 1.**

**Definition 2.**

**Definition 3.**

**Definition 4.**

**Definition 5.**

## 3. Identity-Based Proxy Signature with Message Recovery

- In our model, the delegation information is public and anyone can verify its legality, whereas in [11] the delegation information is sent to the proxy signer secretly and only the proxy signer can verify it. Therefore, no secure channel is needed to transmit delegation information in our model, and every user can check that a delegation is legitimate.
- To make the security of the scheme easier to reason about, we split it into two notions: existential unforgeability of delegation information against adaptive chosen warrant and identity attacks (EUF-ID-CWA), and existential unforgeability of signatures against adaptive chosen message and identity attacks (EUF-ID-CMA). EUF-ID-CWA security assures that the delegation information can be trusted; EUF-ID-CMA security assures that the signature can be trusted.

#### 3.1. Our Model

- $Setup(n)$: PKG takes the security parameter $n$ as input and outputs the system public parameters $params$ and the system secret master key $msk$.
- $KeyExtract(msk,id)$: Given an identity $id$, PKG uses the system secret master key $msk$ to produce the secret key $sk_{id}$ for the identity $id$.
- $DelGen(sk_{id_O},id_P,w)$: The original signer $id_O$ inputs his secret key $sk_{id_O}$ and the warrant $w$ associated with the proxy signer $id_P$, computes the delegation $W_{O\to P}$, and publishes the delegation information $d_g=(id_O,id_P,w,W_{O\to P})$ to all system users.
- $DelVer(d_g=(id_O,id_P,w,W_{O\to P}))$: Any system user can verify the legality of the delegation information $d_g=(id_O,id_P,w,W_{O\to P})$. If it is legal, the output is 1 and the delegation is accepted; otherwise, the output is 0 and the delegation is rejected.
- $PkeyGen(sk_{id_P},d_g=(id_O,id_P,w,W_{O\to P}))$: The proxy signer $id_P$ verifies whether the delegation information $d_g=(id_O,id_P,w,W_{O\to P})$ is valid. If it is invalid, he rejects the delegation. Otherwise, he inputs his secret key $sk_{id_P}$ and the delegation information $d_g$ and outputs the delegated secret key $sk_{O,P,w}$.
- $PSign(sk_{O,P,w},\varpi)$: The proxy signer $id_P$ inputs his delegated secret key $sk_{O,P,w}$ and the message $\varpi$, and outputs the proxy signature $\varsigma$.
- $PVer(d_g=(id_O,id_P,w,W_{O\to P}),\varsigma)$: Any system user first recovers the message $\varpi$ from the signature $\varsigma$, and then verifies the legality of the message/signature pair $(\varpi,\varsigma)$ with regard to $d_g=(id_O,id_P,w,W_{O\to P})$. If it is legal, the output is 1 and the message is accepted; otherwise, the output is 0 and the message is rejected.

#### 3.2. Security Definitions

#### 3.2.1. EUF-ID-CWA

- Initial Phase: The challenger $\mathcal{C}$ runs the $Setup$ algorithm to get the system public parameters $params$ and the system secret master key $msk$. $\mathcal{C}$ returns $params$ to the forger $\mathcal{F}$ and keeps $msk$ to himself.
- Query Phase: The forger $\mathcal{F}$ makes the following queries adaptively, a polynomially bounded number of times, and the challenger $\mathcal{C}$ is obliged to answer them properly.
  1. $KeyExtract(id)$: $\mathcal{F}$ selects a user identity $id$ and sends it to the challenger $\mathcal{C}$. $\mathcal{C}$ invokes the algorithm $KeyExtract(msk,id)$ to get the associated secret key $sk_{id}$ and returns $sk_{id}$ to $\mathcal{F}$.
  2. $DelGen(id_O,id_P,w)$: $\mathcal{F}$ selects the original signer $id_O$, the proxy signer $id_P$, and the warrant $w$, and sends all of them to the challenger $\mathcal{C}$. $\mathcal{C}$ executes a $KeyExtract(id_O)$ query to get the associated secret key $sk_{id_O}$, then invokes the algorithm $DelGen(sk_{id_O},id_P,w)$ to get $W_{O\to P}$ and returns it to $\mathcal{F}$.
- Forge Phase: The forger $\mathcal{F}$ outputs his forgery $d_g=(id_O,id_P,w,W_{O\to P})$. His attack is successful if the following conditions are satisfied: $DelVer(d_g)=1$, $id_O$ does not occur in any $KeyExtract$ query, and $(id_O,id_P,w)$ does not occur in any $DelGen$ query.

**Definition 6.**

#### 3.2.2. EUF-ID-CMA

- Initial Phase: The challenger $\mathcal{C}$ runs the $Setup$ algorithm to get the system public parameters $params$ and the system secret master key $msk$. $\mathcal{C}$ returns $params$ to the forger $\mathcal{F}$ and keeps $msk$ secret.
- Query Phase: The forger $\mathcal{F}$ makes the following queries adaptively, a polynomially bounded number of times, and the challenger $\mathcal{C}$ has to answer them properly.
  1. $KeyExtract(id)$: $\mathcal{F}$ selects a user identity $id$ and sends it to the challenger $\mathcal{C}$. $\mathcal{C}$ invokes the algorithm $KeyExtract(msk,id)$ to get the secret key $sk_{id}$ and returns $sk_{id}$ to $\mathcal{F}$.
  2. $DelGen(id_O,id_P,w)$: $\mathcal{F}$ selects the original signer $id_O$, the proxy signer $id_P$, and the warrant $w$, and submits them to the challenger $\mathcal{C}$. $\mathcal{C}$ executes a $KeyExtract(id_O)$ query to get the associated secret key $sk_{id_O}$, then invokes the algorithm $DelGen(sk_{id_O},id_P,w)$ to get $W_{O\to P}$ and returns it to $\mathcal{F}$.
  3. $PkeyGen(d_g=(id_O,id_P,w,W_{O\to P}))$: $\mathcal{F}$ sends the delegation information $d_g=(id_O,id_P,w,W_{O\to P})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ first verifies its validity. If it is not valid, he refuses to respond. Otherwise, $\mathcal{C}$ executes a $KeyExtract(id_P)$ query to get the secret key $sk_{id_P}$, invokes the algorithm $PkeyGen(sk_{id_P},d_g)$ to get the delegated secret key $sk_{O,P,w}$, and returns it to $\mathcal{F}$.
  4. $PSign(d_g=(id_O,id_P,w,W_{O\to P}),\varpi)$: $\mathcal{F}$ submits $d_g=(id_O,id_P,w,W_{O\to P})$ and the message $\varpi$ to the challenger $\mathcal{C}$. $\mathcal{C}$ verifies the legality of $d_g$. If it is illegal, $\mathcal{C}$ refuses to answer the query. Otherwise, he executes the $PkeyGen(d_g)$ query to get the delegated secret key $sk_{O,P,w}$, invokes the algorithm $PSign(sk_{O,P,w},\varpi)$ to get the signature $\varsigma$, and returns it to $\mathcal{F}$.
- Forge Phase: The forger $\mathcal{F}$ outputs his forgery $(d_g=(id_O,id_P,w,W_{O\to P}),\varsigma)$. After the message $\varpi$ is recovered from $\varsigma$, his attack is successful if the following conditions hold: $PVer(d_g,\varsigma)=1$, $d_g=(id_O,id_P,w,W_{O\to P})$ does not occur in any $PkeyGen$ query, and $(d_g,\varpi)$ does not occur in any $PSign$ query.

**Definition 7.**

## 4. Our Scheme

- $Setup(n)$: On input the security parameter $n$, PKG works as follows:
  1. Invoke the $TrapGen(q,m)$ algorithm to obtain a pair of matrices $A\in\mathbb{Z}_q^{n\times m}$, $T\in\mathbb{Z}^{m\times m}$.
  2. Let $H_1:\{0,1\}^{*}\to\mathbb{Z}_q^{n\times n}$ be a secure hash function.
  3. Let $H_2,H_5:\{0,1\}^{*}\to\{-1,0,1\}^{n}$ be secure hash functions whose outputs have Hamming weight at most $\lambda_1$.
  4. Let $H_3:\{0,1\}^{*}\to\{-1,0,1\}^{n\times n}$ be a secure hash function such that every column of its output has Hamming weight at most $\lambda_2$.
  5. Let $H_4:\mathbb{Z}_q^{n}\to\{0,1\}^{l_1+l_2}$ be a secure hash function, where $l_2$ is also the length of the message $\varpi$.
  6. Let $F_1:\{0,1\}^{l_2}\to\{0,1\}^{l_1}$ and $F_2:\{0,1\}^{l_1}\to\{0,1\}^{l_2}$ be encoding functions.

  Finally, PKG outputs the public parameters $params=(A,H_1,H_2,H_3,H_4,H_5,F_1,F_2)$ and the secret master key $msk=T$.
- $KeyExtract(msk,id)$: Given an identity $id\in\{0,1\}^{*}$, PKG works as follows:
  1. Sample $E_{id}\leftarrow\mathbb{D}_\sigma^{n\times n}$ such that $|E_{id}(i,j)|\le 7\sigma$ for all $i,j=1,\dots,n$; if $|E_{id}(i,j)|>7\sigma$ for some $i,j$, resample. According to [22], the probability that $|E_{id}(i,j)|>7\sigma$ for some $i,j$ is less than $1/30$.
  2. Invoke the algorithm $SamplePre(A,T,H_1(id)-E_{id},\sigma)$ to obtain $S_{id}$, which follows the distribution $\mathbb{D}_\sigma^{m\times n}$ and satisfies $AS_{id}=H_1(id)-E_{id}$.
  3. Return $sk_{id}=S_{id}$ as the secret key for the identity $id$.
- $DelGen(sk_{id_O},id_P,w)$: The original signer $id_O$ inputs his secret key $sk_{id_O}=S_{id_O}$ and the warrant $w\in\{0,1\}^{*}$ associated with the proxy signer $id_P$, and does the following:
  1. Sample $y_w\leftarrow U(D_B^{m})$, where $U(D_B^{m})$ is the uniform distribution on $D_B^{m}$ with $D_B=[-B,B]$.
  2. Let $c_w=H_2(\lfloor Ay_w \bmod q\rceil_d,w)$ and $z_w=S_{id_O}\cdot c_w+y_w$.
  3. Let $\omega=Az_w-H_1(id_O)\cdot c_w \pmod q$. If $|[\omega_{(i)}]_{2^d}|>2^{d-1}-7\lambda_1\sigma$ for some $i$, go back to the first step and resample $y_w$.
  4. Return $W_{O\to P}=(z_w,c_w)$ with probability $\min\big(D_B^{m}(z_w)/(M\cdot\mathbb{D}_{B,S_{id_O}\cdot c_w}^{m}(z_w)),1\big)$, and publish the delegation information $d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w))$ to all users.
- $DelVer(d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w)))$: Any user verifies the legality of the delegation information $d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w))$ as follows:
  1. Compute $\omega=Az_w-H_1(id_O)\cdot c_w \pmod q$.
  2. If $c_w=H_2(\lfloor\omega\rceil_d,w)$ and $\|z_w\|_\infty\le B$, output 1 and accept the delegation; otherwise, output 0 and reject it.
- $PkeyGen(sk_{id_P},d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w)))$: The proxy signer $id_P$ inputs his secret key $sk_{id_P}=S_{id_P}$ and the delegation information $d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w))$, computes $L_w=H_3(w,z_w,c_w)\in\{-1,0,1\}^{n\times n}$, and outputs $sk_{O,P,w}=S_{id_P}\cdot L_w\in\mathbb{D}_{\sigma\cdot\sqrt{\lambda_2}}^{m\times n}$ as the delegated secret key.
- $PSign(sk_{O,P,w},\varpi)$: The proxy signer $id_P$ inputs his delegated secret key $sk_{O,P,w}=S_{id_P}\cdot L_w$ and the message $\varpi\in\{0,1\}^{l_2}$, and does the following:
  1. Sample $y\leftarrow U(D_B^{m})$ and compute $c'=H_4(\lfloor Ay \bmod q\rceil_d)$.
  2. Let $\varpi'=F_1(\varpi)\Vert(F_2(F_1(\varpi))\oplus\varpi)$ and $c=c'\oplus\varpi'$.
  3. Compute $c_0=H_5(c)$ and $z=S_{id_P}\cdot L_w\cdot c_0+y$.
  4. Let $\omega=Az-H_1(id_P)\cdot L_w\cdot c_0 \pmod q$.
  5. If $|[\omega_{(i)}]_{2^d}|>2^{d-1}-7\lambda_1\sqrt{\lambda_2}\sigma$ for some $i$, go back to the first step and resample $y$. Otherwise, return the proxy signature $\varsigma=(z,c)$ with probability $\min\big(D_B^{m}(z)/(M\cdot\mathbb{D}_{B,S_{id_P}L_wc_0}^{m}(z)),1\big)$.
- $PVer(d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w)),\varsigma=(z,c))$: Any user verifies the proxy signature with the following steps; here we assume that the legality of the delegation information $d_g=(id_O,id_P,w,W_{O\to P}=(z_w,c_w))$ has already been verified.
  1. Compute $c'=H_4(\lfloor Az-H_1(id_P)\cdot L_w\cdot H_5(c) \bmod q\rceil_d)$.
  2. Compute $\varpi'=c\oplus c'$ and $\varpi=|\varpi'|_{l_2}\oplus F_2(|\varpi'|^{l_1})$.
  3. If $F_1(\varpi)=|\varpi'|^{l_1}$ and $\|z\|_\infty<B$, accept the signature and output 1; otherwise, output 0 and reject the signature.
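The message-recovery part of the scheme is independent of the lattice arithmetic: PSign step 2 builds the redundant encoding $\varpi'$ and masks it with $c'$, and PVer steps 2–3 unmask, strip the redundancy, and accept only if $F_1(\varpi)$ matches. The following Python is an added example, not code from the paper. It assumes $F_1$ and $F_2$ are instantiated as domain-separated SHA-256 (the paper only requires them to be encoding functions), takes $l_1=16$ and $l_2=32$ bytes, reads $|\varpi'|^{l_1}$ as the leftmost $l_1$ bytes and $|\varpi'|_{l_2}$ as the rightmost $l_2$ bytes, and replaces the value $c'=H_4(\cdot)$ with random bytes, since only the masking and the redundancy check are being shown.

```python
import hashlib
import secrets

# Lengths in bytes, chosen for this example: l1 bytes of redundancy, l2 bytes of message.
L1 = 16
L2 = 32


def F1(msg: bytes) -> bytes:
    """F_1: {0,1}^{l2} -> {0,1}^{l1}; here a truncated, domain-separated SHA-256 (assumed)."""
    assert len(msg) == L2
    return hashlib.sha256(b"F1" + msg).digest()[:L1]


def F2(tag: bytes) -> bytes:
    """F_2: {0,1}^{l1} -> {0,1}^{l2}; here a domain-separated SHA-256 (assumed)."""
    assert len(tag) == L1
    return hashlib.sha256(b"F2" + tag).digest()[:L2]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(msg: bytes) -> bytes:
    """PSign step 2: varpi' = F1(varpi) || (F2(F1(varpi)) XOR varpi)."""
    tag = F1(msg)
    return tag + xor(F2(tag), msg)


def mask(c_prime: bytes, encoded: bytes) -> bytes:
    """c = c' XOR varpi' (PSign) and varpi' = c XOR c' (PVer) are the same operation."""
    assert len(c_prime) == len(encoded) == L1 + L2
    return xor(c_prime, encoded)


def recover(encoded: bytes):
    """PVer steps 2-3: split varpi' into left l1 and right l2 bytes, undo the inner mask,
    and accept only if the redundancy F1(varpi) equals the left part."""
    left, right = encoded[:L1], encoded[L1:]
    msg = xor(right, F2(left))
    return msg, F1(msg) == left


def demo():
    """Round trip, then a single flipped bit in c: the redundancy check rejects it."""
    msg = b"transfer 100 units to acct 0042".ljust(L2, b" ")   # constructed 32-byte message
    c_prime = secrets.token_bytes(L1 + L2)      # stands in for H_4(⌊Ay mod q⌉_d)
    c = mask(c_prime, encode(msg))              # the signature carries c, not the message
    recovered, ok = recover(mask(c, c_prime))   # verifier recomputes c' and unmasks
    tampered = c[:-1] + bytes([c[-1] ^ 0x01])
    _, ok_tampered = recover(mask(tampered, c_prime))
    return recovered == msg, ok, ok_tampered


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point a practitioner should take from this is that message recovery gives no integrity on its own: the verifier accepts whatever $\varpi$ falls out of the unmasking, and it is the $l_1$ bits of redundancy $F_1(\varpi)$ that reject a corrupted or forged $c$, with a false-accept probability of about $2^{-8 l_1}$ for this instantiation.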

## 5. Scheme Analysis

#### 5.1. Parameter Setting

#### 5.2. Correctness of the Scheme
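Why $DelVer$ accepts an honest delegation comes down to one identity: since $AS_{id_O}=H_1(id_O)-E_{id_O}$, the verifier's $\omega=Az_w-H_1(id_O)c_w$ equals $Ay_w-E_{id_O}c_w \pmod q$, and the abort check in $DelGen$ step 3 guarantees that the small term $E_{id_O}c_w$ cannot move any coordinate across a rounding boundary, so $\lfloor\omega\rceil_d=\lfloor Ay_w\rceil_d$ and $H_2$ reproduces $c_w$. The Python below is an added toy illustration of $DelGen$/$DelVer$, not code from the paper. It replaces $TrapGen$/$SamplePre$ with the programmed relation $H_1(id)=AS_{id}+E_{id}$ that the proof's simulator uses, substitutes the uniform-box form of the rejection step for the paper's distribution-ratio test, instantiates $H_2$ with SHA-256, bounds the secret entries by a constant `GAMMA` in place of $7\sigma$, and uses constructed parameters (`Q`, `N`, `M`, `D`, `B`, `LAMBDA_1`) far too small to be secure.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only; far below any secure setting.
Q = 2**16          # modulus, a multiple of 2**D so that rounding wraps cleanly
N, M = 16, 32      # A is an N x M matrix over Z_Q
D = 9              # ⌊·⌉_d keeps the bits above the low D bits
B = 2**10          # y_w is uniform in [-B, B]^M
GAMMA = 3          # |S_id(i,j)|, |E_id(i,j)| <= GAMMA, standing in for the paper's 7*sigma
LAMBDA_1 = 4       # Hamming weight of H_2's output c_w
BETA = LAMBDA_1 * GAMMA   # bound on ||S_id*c_w||_inf and ||E_id*c_w||_inf


def centered(x, mod):
    """[x]_mod: representative of x modulo `mod` in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x


def round_d(x):
    """⌊x⌉_d: drop the centred low D bits of x mod Q and keep the high part."""
    x %= Q
    return ((x - centered(x, 2**D)) // 2**D) % (Q >> D)


def matvec(mat, vec):
    return [sum(r[j] * vec[j] for j in range(len(vec))) % Q for r in mat]


def h2(rounded, warrant):
    """H_2: deterministic hash to a {-1,0,1}^N vector of Hamming weight LAMBDA_1 (SHA-256 based)."""
    rng = random.Random(hashlib.sha256(repr((rounded, warrant)).encode()).digest())
    c = [0] * N
    for i in rng.sample(range(N), LAMBDA_1):
        c[i] = rng.choice((-1, 1))
    return c


class ToyPKG:
    """Stand-in for Setup/KeyExtract. The real scheme derives sk_id with TrapGen/SamplePre;
    here, as in the proof's simulation, the PKG simply defines H_1(id) = A*S_id + E_id and
    keeps S_id as sk_id, which yields the same relation A*S_id = H_1(id) - E_id."""

    def __init__(self, rng):
        self.rng = rng
        self.A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
        self.keys = {}   # id -> (S_id, H_1(id))

    def key_extract(self, identity):
        if identity not in self.keys:
            S = [[self.rng.randint(-GAMMA, GAMMA) for _ in range(N)] for _ in range(M)]
            E = [[self.rng.randint(-GAMMA, GAMMA) for _ in range(N)] for _ in range(N)]
            H1 = [[(sum(self.A[i][k] * S[k][j] for k in range(M)) + E[i][j]) % Q
                   for j in range(N)] for i in range(N)]
            self.keys[identity] = (S, H1)
        return self.keys[identity][0]

    def h1(self, identity):
        self.key_extract(identity)
        return self.keys[identity][1]


def del_gen(pkg, sk_O, id_O, warrant, rng):
    """DelGen with the abort loop; returns W_{O->P} = (z_w, c_w)."""
    A, H1_O = pkg.A, pkg.h1(id_O)
    while True:
        y = [rng.randint(-B, B) for _ in range(M)]                               # step 1
        c = h2(tuple(round_d(v) for v in matvec(A, y)), warrant)                # step 2
        z = [sum(sk_O[i][j] * c[j] for j in range(N)) + y[i] for i in range(M)]
        omega = [(a - b) % Q for a, b in zip(matvec(A, z), matvec(H1_O, c))]    # step 3
        # omega = A*y - E_id*c_w (mod Q). Its low bits must leave room for E_id*c_w so the
        # verifier's rounding agrees with ⌊A*y⌉_d. (">=" rather than the paper's ">" keeps
        # this toy strictly inside the rounding boundary.)
        if any(abs(centered(v, 2**D)) >= 2**(D - 1) - BETA for v in omega):
            continue
        # Step 4, uniform-box variant of the rejection step: keep z_w only if it lies in a
        # box that does not depend on the secret, so the published z_w leaks nothing about S_id.
        if max(abs(v) for v in z) <= B - BETA:
            return z, c


def del_ver(pkg, id_O, warrant, W):
    """DelVer: any user recomputes omega from public data and checks c_w and the norm bound."""
    z, c = W
    if max(abs(v) for v in z) > B:
        return 0
    omega = [(a - b) % Q for a, b in zip(matvec(pkg.A, z), matvec(pkg.h1(id_O), c))]
    return 1 if h2(tuple(round_d(v) for v in omega), warrant) == c else 0


def demo(seed=7):
    """Honest delegation verifies; a changed warrant or an oversized z_w is rejected."""
    rng = random.Random(seed)
    pkg = ToyPKG(rng)
    id_O = "alice@example.org"                                   # constructed identities
    warrant = "bob@example.org may sign purchase orders until 2019-12-31"
    W = del_gen(pkg, pkg.key_extract(id_O), id_O, warrant, rng)
    z, c = W
    return (del_ver(pkg, id_O, warrant, W),
            del_ver(pkg, id_O, warrant + " (extended)", W),
            del_ver(pkg, id_O, warrant, ([B + 1] + z[1:], c)))


if __name__ == "__main__":
    print(demo())   # (1, 0, 0)
```

Two defender-side observations fall out of running it. First, `del_ver` touches only `pkg.A`, `pkg.h1(id_O)` and the published $(z_w,c_w)$, which is exactly the property Section 3 claims over [11]: any user, not only the proxy, can check a delegation. Second, the warrant is bound into $c_w$ through $H_2$, so altering its scope after the fact invalidates the delegation, and the norm bound on $z_w$ is what stops a verifier from accepting a $z_w$ that was never produced by the abort loop.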

#### 5.3. Security Analysis

#### 5.3.1. EUF-ID-CWA Security

**Theorem 1.**

**Proof.**

- Initial Phase: $\mathcal{C}$ selects $F_1:\{0,1\}^{l_2}\to\{0,1\}^{l_1}$ and $F_2:\{0,1\}^{l_1}\to\{0,1\}^{l_2}$, and submits $A$, $F_1$, and $F_2$ as system parameters to the forger $\mathcal{F}$.
- Query Phase: The forger $\mathcal{F}$ makes the following queries, and $\mathcal{C}$ answers them as follows.
  1. $H_1(id_i)$ query: $\mathcal{F}$ selects a user identity $id_i\in\{0,1\}^{*}$ and sends it to $\mathcal{C}$. $\mathcal{C}$ samples $S_{id_i}\leftarrow\mathbb{D}_\sigma^{m\times n}$ and $E_{id_i}\leftarrow\mathbb{D}_\sigma^{n\times n}$, and sets $H_1(id_i)=AS_{id_i}+E_{id_i}$. He saves $(id_i,S_{id_i},AS_{id_i}+E_{id_i})$ in the list $\mathcal{H}_1$ and returns $H_1(id_i)=AS_{id_i}+E_{id_i}$ to $\mathcal{F}$.
  2. $H_2(w_{ij})$ query: $\mathcal{F}$ selects a warrant $w_{ij}\in\{0,1\}^{*}$ associated with the original signer $id_i\in\{0,1\}^{*}$ and the proxy signer $id_j\in\{0,1\}^{*}$, and sends all of them to $\mathcal{C}$. $\mathcal{C}$ samples $c_{ij}\leftarrow\{-1,0,1\}^{n}$ uniformly with Hamming weight at most $\lambda_1$, selects $z_{ij}\leftarrow D_B^{m}$ uniformly, and lets $\omega=Az_{ij}-H_1(id_i)\cdot c_{ij}\pmod q$. If some entry of $\omega$ is larger than $2^{d-1}-7\lambda_1\sigma$, $\mathcal{C}$ resamples $c_{ij}$ and $z_{ij}$. Because $2^{d}\ge 7\lambda_1\sqrt{\lambda_2}n\sigma$, the probability that every entry of $\omega$ is smaller than $2^{d-1}-7\lambda_1\sigma$ is larger than $1/3$. Finally, $\mathcal{C}$ saves $(id_i,id_j,w_{ij},c_{ij},z_{ij})$ in the list $\mathcal{H}_2$ and returns $c_{ij}$ to $\mathcal{F}$.
  3. $KeyExtract(id_i)$ query: $\mathcal{F}$ selects a user identity $id_i\in\{0,1\}^{*}$ and sends it to the challenger $\mathcal{C}$. $\mathcal{C}$ searches the list $\mathcal{H}_1$ for $(id_i,S_{id_i},AS_{id_i}+E_{id_i})$ and returns $sk_{id_i}=S_{id_i}$. If no such entry exists, $\mathcal{C}$ first makes the $H_1(id_i)$ query himself.
  4. $DelGen(id_i,id_j,w_{ij})$ query: $\mathcal{F}$ selects the original signer $id_i\in\{0,1\}^{*}$, the proxy signer $id_j\in\{0,1\}^{*}$, and the warrant $w_{ij}\in\{0,1\}^{*}$, and sends all of them to $\mathcal{C}$. $\mathcal{C}$ searches the list $\mathcal{H}_2$ for $(id_i,id_j,w_{ij},c_{ij},z_{ij})$ and returns $(z_{ij},c_{ij})$. If no such entry exists, $\mathcal{C}$ first makes the $H_2(w_{ij})$ query himself.
- Forge Phase: The forger $\mathcal{F}$ outputs his forgery $(id_{i^*},id_{j^*},w_{ij^*},W_{i^*\to j^*}=(z^*,c^*))$. Because $\mathcal{F}$ queries $H_2(w_{ij})$ at most $Q_1$ times and $DelGen(id_i,id_j,w_{ij})$ at most $Q_2$ times, the number of values $c_{ij}$ is at most $Q_1+Q_2$; suppose they are $c_1,c_2,\dots,c_{Q_1+Q_2}$. The probability that $\mathcal{F}$ produces, without the corresponding $H_2$ query, a $c^*$ such that $c^*=H_2(\lfloor Az^*-H_1(id_{i^*})\cdot c^*\bmod q\rceil_d,w_{ij^*})$ is $1/2^{128}$, which is negligible, so $c^*\in\{c_1,c_2,\dots,c_{Q_1+Q_2}\}$ with overwhelming probability $1-1/2^{128}$.

#### 5.3.2. EUF-ID-CMA Security

**Theorem 2.**

**Proof.**

- Initial Phase: $\mathcal{C}$ selects $F_1:\{0,1\}^{l_2}\to\{0,1\}^{l_1}$ and $F_2:\{0,1\}^{l_1}\to\{0,1\}^{l_2}$, and submits $A$, $F_1$, and $F_2$ as system parameters to the forger $\mathcal{F}$.
- Query Phase: The forger $\mathcal{F}$ makes the following queries, and $\mathcal{C}$ answers them as follows.
  1. $H_1(id_i)$ query: $\mathcal{F}$ selects a user identity $id_i\in\{0,1\}^{*}$ and sends it to $\mathcal{C}$. $\mathcal{C}$ samples $S_{id_i}\leftarrow\mathbb{D}_\sigma^{m\times n}$ and $E_{id_i}\leftarrow\mathbb{D}_\sigma^{n\times n}$, and sets $H_1(id_i)=AS_{id_i}+E_{id_i}$. He saves $(id_i,S_{id_i},AS_{id_i}+E_{id_i})$ in the list $\mathcal{H}_1$ and returns $H_1(id_i)=AS_{id_i}+E_{id_i}$ to $\mathcal{F}$.
  2. $H_2(w_{ij})$ query: $\mathcal{F}$ selects a warrant $w_{ij}\in\{0,1\}^{*}$ associated with the original signer $id_i\in\{0,1\}^{*}$ and the proxy signer $id_j\in\{0,1\}^{*}$, and sends all of them to $\mathcal{C}$. $\mathcal{C}$ samples $c_{ij}\leftarrow\{-1,0,1\}^{n}$ uniformly with Hamming weight at most $\lambda_1$, selects $z_{ij}\leftarrow D_B^{m}$ uniformly, and lets $\omega=Az_{ij}-H_1(id_i)\cdot c_{ij}\pmod q$. If some entry of $\omega$ is larger than $2^{d-1}-7\lambda_1\sigma$, $\mathcal{C}$ resamples $c_{ij}$ and $z_{ij}$. Because $2^{d}\ge 7\lambda_1\sqrt{\lambda_2}n\sigma$, the probability that every entry of $\omega$ is smaller than $2^{d-1}-7\lambda_1\sigma$ is larger than $1/3$. Finally, $\mathcal{C}$ saves $(id_i,id_j,w_{ij},c_{ij},z_{ij})$ in the list $\mathcal{H}_2$ and returns $c_{ij}$ to $\mathcal{F}$.
  3. $H_4(y)$ query: $\mathcal{F}$ selects $y\leftarrow U(D_B^{m})$ at random and sends it to $\mathcal{C}$. $\mathcal{C}$ selects $c'\in\{0,1\}^{l_1+l_2}$ uniformly at random. Then $\mathcal{C}$ saves $(y,\lfloor Ay\bmod q\rceil_d,c')$ in the list $\mathcal{H}_4$ and returns $c'$ to $\mathcal{F}$.
  4. $H_5(c)$ query: $\mathcal{F}$ submits $c\in\{0,1\}^{l_1+l_2}$ to $\mathcal{C}$. $\mathcal{C}$ chooses $c_0\leftarrow\{-1,0,1\}^{n}$ with Hamming weight at most $\lambda_1$. Then $\mathcal{C}$ saves $(c,c_0)$ in the list $\mathcal{H}_5$ and returns $c_0$ to $\mathcal{F}$.
  5. $KeyExtract(id_i)$ query: $\mathcal{F}$ selects a user identity $id_i\in\{0,1\}^{*}$ and sends it to the challenger $\mathcal{C}$. $\mathcal{C}$ searches the list $\mathcal{H}_1$ for $(id_i,S_{id_i},AS_{id_i}+E_{id_i})$ and returns $sk_{id_i}=S_{id_i}$. If no such entry exists, $\mathcal{C}$ first makes the $H_1(id_i)$ query himself.
  6. $DelGen(id_i,id_j,w_{ij})$ query: $\mathcal{F}$ selects the original signer $id_i\in\{0,1\}^{*}$, the proxy signer $id_j\in\{0,1\}^{*}$, and the warrant $w_{ij}\in\{0,1\}^{*}$, and sends all of them to $\mathcal{C}$. $\mathcal{C}$ searches the list $\mathcal{H}_2$ for $(id_i,id_j,w_{ij},c_{ij},z_{ij})$ and returns $(z_{ij},c_{ij})$. If no such entry exists, $\mathcal{C}$ first makes the $H_2(w_{ij})$ query himself.
  7. $PkeyGen(id_i,id_j,w_{ij},z_{ij},c_{ij})$ query: $\mathcal{F}$ sends the delegation information $(id_i,id_j,w_{ij},z_{ij},c_{ij})$ to the challenger $\mathcal{C}$. $\mathcal{C}$ first verifies its validity. If it is not valid, he refuses to respond. Otherwise, $\mathcal{C}$ executes a $KeyExtract(id_j)$ query to get the secret key $sk_{id_j}=S_{id_j}$, computes $L_{w_{ij}}=H_3(w_{ij},z_{ij},c_{ij})$ and $sk_{i,j,w_{ij}}=S_{id_j}\cdot L_{w_{ij}}$, and returns $sk_{i,j,w_{ij}}$ to $\mathcal{F}$.
  8. $PSign((id_i,id_j,w_{ij},z_{ij},c_{ij}),\varpi_k)$ query: $\mathcal{F}$ submits $(id_i,id_j,w_{ij},z_{ij},c_{ij})$ and the message $\varpi_k$ to the challenger $\mathcal{C}$. $\mathcal{C}$ verifies the legality of $(id_i,id_j,w_{ij},z_{ij},c_{ij})$. If it is illegal, $\mathcal{C}$ refuses to answer the query. Otherwise, he executes the $PkeyGen(id_i,id_j,w_{ij},z_{ij},c_{ij})$ query to get the delegated secret key $sk_{i,j,w_{ij}}$, invokes the algorithm $PSign(sk_{i,j,w_{ij}},\varpi_k)$ to get the signature $\varsigma_{ijk}=(z_{ijk},c_{ijk})$, and returns it to $\mathcal{F}$.
- Forge Phase: The forger $\mathcal{F}$ outputs his forged signature $(id_{i^*},id_{j^*},w_{ij^*},z^*,c^*,z_{\varpi^*},c_{\varpi^*})$ for the message $\varpi^*$. $\mathcal{C}$ invokes $\mathcal{F}$ again. By the General Forking Lemma [29], with probability $(\epsilon_2-1/2^{128})\big((\epsilon_2-1/2^{128})/(Q_3+Q_4)-1/2^{128}\big)$ we obtain a new signature $(id_{i^*},id_{j^*},w_{ij^*},z^*,c^*,z'_{\varpi^*},c'_{\varpi^*})$ for the message $\varpi^*$ such that
  $$\lfloor Az_{\varpi^*}-H_1(id_{j^*})\cdot L_{w_{ij^*}}\cdot H_5(c_{\varpi^*})\bmod q\rceil_d=\lfloor Az'_{\varpi^*}-H_1(id_{j^*})\cdot L_{w_{ij^*}}\cdot H_5(c'_{\varpi^*})\bmod q\rceil_d.$$
  Then $Az_{\varpi^*}-H_1(id_{j^*})\cdot L_{w_{ij^*}}\cdot H_5(c_{\varpi^*})+\widehat{e}=Az'_{\varpi^*}-H_1(id_{j^*})\cdot L_{w_{ij^*}}\cdot H_5(c'_{\varpi^*})\pmod q$ for some $\|\widehat{e}\|_\infty\le 2^{d-1}$. Replacing $H_1(id_{j^*})$ with $AS_{id_{j^*}}+E_{id_{j^*}}$, we have $A\big(z_{\varpi^*}-z'_{\varpi^*}+S_{id_{j^*}}\cdot L_{w_{ij^*}}(H_5(c'_{\varpi^*})-H_5(c_{\varpi^*}))\big)+\widehat{e}+E_{id_{j^*}}(H_5(c'_{\varpi^*})-H_5(c_{\varpi^*}))=0\pmod q$. Let $e_1=z_{\varpi^*}-z'_{\varpi^*}+S_{id_{j^*}}\cdot L_{w_{ij^*}}(H_5(c'_{\varpi^*})-H_5(c_{\varpi^*}))$ and $e_2=\widehat{e}+E_{id_{j^*}}(H_5(c'_{\varpi^*})-H_5(c_{\varpi^*}))$; then $\|e_1\|_\infty\le 2B+2\lambda_1\sqrt{\lambda_2}\sigma$ and $\|e_2\|_\infty\le 2^{d-1}+2\lambda_1\sigma$. In addition, $S_{id_{j^*}}$ and $E_{id_{j^*}}$ have many possible values, and $\mathcal{F}$ does not know which pair $(S_{id_{j^*}},E_{id_{j^*}})$ was used to build $e_1$ and $e_2$. Therefore, the probability that $(e_1,e_2)\ne(0,0)$ is at least $1/2$.

#### 5.4. Performance Analysis

## 6. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Mambo, M.; Usuda, K.; Okamoto, E. Proxy signatures for delegating signing operation. In Proceedings of the 3rd ACM Conference on Computer and Communications Security, New Delhi, India, 14–15 March 1996; pp. 48–57.
2. Wei, J.; Yang, G.; Mu, Y.; Liang, K. Anonymous Proxy Signature with Hierarchical Traceability. Comput. J. **2016**, 59, 559–569.
3. He, K.; Liu, X.; Yuan, H.; Wei, W.; Liang, K. Hierarchical Conditional Proxy Re-Encryption: A New Insight of Fine-Grained Secure Data Sharing. In Information Security Practice and Experience, Proceedings of the 13th International Conference, ISPEC 2017, Melbourne, Australia, 13–15 December 2017; Liu, J.K., Samarati, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10701, pp. 118–135.
4. Shao, J.; Lu, R.; Lin, X.; Liang, K. Secure bidirectional proxy re-encryption for cryptographic cloud storage. Pervasive Mob. Comput. **2016**, 28, 113–121.
5. Liang, K.; Susilo, W.; Liu, J.K.; Wong, D.S. Efficient and Fully CCA Secure Conditional Proxy Re-Encryption from Hierarchical Identity-Based Encryption. Comput. J. **2015**, 58, 2778–2792.
6. Liang, K.; Chu, C.; Tan, X.; Wong, D.S.; Tang, C.; Zhou, J. Chosen-ciphertext secure multi-hop identity-based conditional proxy re-encryption with constant-size ciphertexts. Theor. Comput. Sci. **2014**, 539, 87–105.
7. Liang, K.; Au, M.H.; Liu, J.K.; Susilo, W.; Wong, D.S.; Yang, G.; Phuong, T.V.X.; Xie, Q. A DFA-Based Functional Proxy Re-Encryption Scheme for Secure Public Cloud Data Sharing. IEEE Trans. Inf. Forensics Secur. **2014**, 9, 1667–1680.
8. Liang, K.; Liu, J.K.; Wong, D.S.; Susilo, W. An Efficient Cloud-Based Revocable Identity-Based Proxy Re-encryption Scheme for Public Clouds Data Sharing. In Computer Security, Proceedings of the ESORICS 2014, 19th European Symposium on Research in Computer Security, Wroclaw, Poland, 7–11 September 2014; Kutylowski, M., Vaidya, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8712, pp. 257–272.
9. Liang, K.; Fang, L.; Susilo, W.; Wong, D.S. A Ciphertext-Policy Attribute-Based Proxy Re-encryption with Chosen-Ciphertext Security. In Proceedings of the 2013 5th International Conference on Intelligent Networking and Collaborative Systems, Xi'an, China, 9–11 September 2013; pp. 552–559.
10. Nyberg, K.; Rueppel, R.A. A new signature scheme based on the DSA giving message recovery. In Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, VA, USA, 3–5 November 1993; pp. 58–61.
11. Singh, H.; Verma, G.K. ID-based proxy signature scheme with message recovery. J. Syst. Softw. **2012**, 85, 209–214.
12. Tiwari, N.; Padhye, S. New proxy signature scheme with message recovery using verifiable self-certified public keys. In Proceedings of the 2011 2nd International Conference on Computer and Communication Technology, Allahabad, India, 15–17 September 2011; pp. 539–544.
13. Xie, Q. Provably Secure Self-certified Multi-proxy Signature with Message Recovery. J. Netw. **2012**, 7, 1616.
14. Yoon, E.J.; Choi, Y.; Kim, C. New ID-based proxy signature scheme with message recovery. In Proceedings of the International Conference on Grid and Pervasive Computing, Seoul, Korea, 9–11 May 2013; pp. 945–951.
15. Mahmoodi, A.; Mohajery, J.; Salmasizadeh, M. A certificate-based proxy signature with message recovery without bilinear pairing. Security Commun. Netw. **2016**, 9, 4983–4991.
16. Padhye, S.; Tiwari, N. ECDLP-based certificateless proxy signature scheme with message recovery. Trans. Emerg. Telecommun. Technol. **2015**, 26, 346–354.
17. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. **1999**, 41, 303–332.
18. Gentry, C. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC'09), Washington, DC, USA, 31 May–2 June 2009; Volume 9.
19. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206.
20. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology, Proceedings of the EUROCRYPT 2012, Cambridge, UK, 15–19 April 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 700–718.
21. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; pp. 738–755.
22. Bai, S.; Galbraith, S.D. An improved compression technique for signatures based on learning with errors. In Proceedings of the Cryptographers' Track at the RSA Conference, San Francisco, CA, USA, 25–28 February 2014; pp. 28–47.
23. Tian, M.; Huang, L. Lattice-based message recovery signature schemes. Int. J. Electron. Secur. Digit. Forensics **2013**, 5, 257–269.
24. Li, W. An Identity-Based Proxy Signature Scheme from Lattices in the Standard Model. In Proceedings of the International Conference on Intelligent Networking and Collaborative Systems, Ostrava, Czech Republic, 7–9 September 2016.
25. Wu, F.; Yao, W.; Zhang, X.; Zheng, Z. An Efficient Lattice-Based Proxy Signature with Message Recovery. In Proceedings of the International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Guangzhou, China, 12–15 December 2017; Volume 10656, pp. 321–331.
26. Lindell, Y. Fast Secure Two-Party ECDSA Signing. In Advances in Cryptology, Proceedings of the CRYPTO 2017, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 613–644.
27. Agrawal, S.; Boneh, D.; Boyen, X. Efficient lattice (H)IBE in the standard model. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, France, 30 May–3 June 2010; pp. 553–572.
28. Applebaum, B.; Cash, D.; Peikert, C.; Sahai, A. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In Proceedings of the CRYPTO 2009, Santa Barbara, CA, USA, 16–20 August 2009; pp. 595–618.
29. Bellare, M.; Neven, G. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 390–399.
30. Hill, J.; Szewczyk, R.; Woo, A.; Hollar, S.; Culler, D.; Pister, K. System architecture directions for networked sensors. SIGPLAN Not. **2000**, 35, 93–104.

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

Lu, X.; Wen, Q.; Yin, W.; Liang, K.; Jin, Z.; Panaousis, E.; Chen, J. Quantum-Resistant Identity-Based Signature with Message Recovery and Proxy Delegation. *Symmetry* **2019**, *11*, 272. https://doi.org/10.3390/sym11020272