基于RLWE的可证明安全无陷门签密方案

doi:10.11959/j.issn.1000-436x.2020093

通信学报 ›› 2020, Vol. 41 ›› Issue (6): 14-25.doi: 10.11959/j.issn.1000-436x.2020093

基于RLWE的可证明安全无陷门签密方案

刘镇,韩益亮,杨晓元,柳曙光

武警工程大学密码工程学院，陕西西安710086

修回日期:2020-04-18 出版日期:2020-06-25 发布日期:2020-07-04
作者简介:刘镇（1985- ），男，湖南衡南人，武警工程大学讲师、博士生，主要研究方向为公钥密码算法、可证明安全等|韩益亮（1977- ），男，甘肃会宁人，博士，武警工程大学教授，主要研究方向为密码学、隐私保护、社交网络分析等|杨晓元（1959- ），男，湖南湘潭人，武警工程大学教授，主要研究方向为密码学、信息安全等|柳曙光（1976- ），男，山东栖霞人，武警工程大学副教授，主要研究方向为计算机应用、信息安全等
基金资助:
国家自然科学基金资助项目(61572521);国家自然科学基金资助项目(U1636114);国家自然科学基金资助项目(61772550);国家密码发展基金资助项目(2017YFB0802000);武警工程大学科研创新团队基金资助项目(KYTD201805)

Provable security signcryption scheme based on RLWE without trapdoor

Zhen LIU,Yiliang HAN,Xiaoyuan YANG,Shuguang LIU

College of Cryptography Engineering,Engineering University of PAP,Xi’an 710086,China

Revised:2020-04-18 Online:2020-06-25 Published:2020-07-04
Supported by:
The National Natural Science Foundation of China(61572521);The National Natural Science Foundation of China(U1636114);The National Natural Science Foundation of China(61772550);The National Cryptography Development Fund of China(2017YFB0802000);Research and Innovation Team of Engineering University of(KYTD201805)

摘要/Abstract

摘要：

针对现有基于格的签密存在的效率与安全性问题，基于ABB16的签名方案ring-TESLA，构造了一个在机密性和认证性方面分别达到自适应抗选择密文攻击不可区分安全性和抗选择消息攻击强不可伪造安全性的无陷门签密方案RLWE-SC，其安全性可规约到环上带差错的学习问题。环上的构造方式优化了方案的公私钥尺寸，无陷门的构造方式避免了方案使用复杂的陷门产生和原像抽样运算。效率分析与实验表明，与现有的同等安全强度的格签密方案相比，RLWE-SC具有较高的计算和通信效率。

关键词: 签密, 环上带差错的学习, 无陷门, 可证明安全性, 抗量子攻击

Abstract:

In view of the existing efficiency and security problems of lattice based signcryption,with the ABB16’s signature scheme ring-TESLA,a signcryption scheme without trapdoor named RLWE-SC was constructed,which achieved indistinguish ability against adaptive chosen cipher text attack (IND-CCA2) security and strongly existential unforgeability against chosen message attack (SUF-CMA) security respectively in terms of confidentiality and authentication based on the problem of learning with errors on ring.The size of the public and private keys was optimized by the construction on the ring.The complex trapdoor generation and preimage sample calculation was avoided by the structure without trapdoor.Efficiency analysis and experiment shows that RLWE-SC has better computational and communication performance than other similar lattice-based signcryption schemes with the same security strength.

Key words: signcryption, learning with errors on ring, without trapdoor, provable security, quantum attack resistance

中图分类号:

TP309

刘镇,韩益亮,杨晓元,柳曙光. 基于RLWE的可证明安全无陷门签密方案[J]. 通信学报, 2020, 41(6): 14-25.

Zhen LIU,Yiliang HAN,Xiaoyuan YANG,Shuguang LIU. Provable security signcryption scheme based on RLWE without trapdoor[J]. Journal on Communications, 2020, 41(6): 14-25.

图/表 5

表1

相关基于格的标准签密方案的效率对比"

构造	方案	公钥	私钥	密文	签密运算	解签密运算	安全性
陷门	YWWY13	2n ² log²q	$\frac{1}{2} n^{2} \log q \log (\log n)$	l_me+5nlog ² q+5nlog q	S_T + 5S_D+3M_v	6M_v	IND-CCA2SUF-CMA （标准模型）
	LBK13	5n ² log²q	25n ² log²q	l_me+5n log² q+l_r	S _T +M_v	3M_v	IND-CCA2SUF-CMA （随机预言机模型）
	SS18	3 ²n log q	6 ³nlog q log n	12n ² log²qlogn+3nlogq	S_T +5S_D+6M_v	S_T + 5M_v	IND-CCA2SUF-CMA （标准模型）
	LTT19	nlogq	$2 n (1 + ⌊ \log (7.02 \sqrt{\frac{q}{2 n}}) ⌋)$ （发送方） nlogq（接收方）	l_me+5n log q	S_T + 5S_D+2M_v	3M_v	IND-CCA2SUF-CMA （标准模型）
无陷门	LWWD16	2 ²n log q	n² log q	l_me+4n log q	4S_D+6M_v	3M_v	IND-CCA2EUF-CMA （随机预言机模型）
	FK18(KEXFK18(KEM	2nlog q2nlog q	3nlog q3nlog q	l_me+2n log q+lHRl_me+3nlog q	8M_R8M_R	5M_R5M_R	IND-CPASUF-CMA （随机预言机模型）
	LHY19	2nlog q	3nlog q	l_me+5n log q	l_me+5n log q	5M_R	IND-CCA2SUF-CMA （随机预言机模型）
	本文方案	2nlog q	3nlog q	l_me+4nlog q	3S_D+7M _R	5M_R	IND-CCA2SUF-CMA （随机预言机模型）

表1

表2

表3

FK18转换成IND-CCA2安全的方案与本文方案效率对比"

方案	公钥	私钥	密文	签密运算	解签密运算
FK18（KEX）+LM08	2nlog q	3nlog q	$l_{me} + 2 n \log q + l_{HR} + n ⌈ \log n ⌉ \log q + 2 l_{H} ⌈ \log n ⌉$	$8 M_{R} + ⌈ \log n ⌉ M_{R}$	$5 M_{R} + ⌈ \log n ⌉ M_{R}$
FK18（KEM）+LM08	2nlog q	3nlog q	$l_{me} + 3 n \log q + n ⌈ \log n ⌉ \log q + 2 l_{H} ⌈ \log n ⌉$	$8 M_{R} + ⌈ \log n ⌉ M_{R}$	$5 M_{R} + ⌈ \log n ⌉ M_{R}$
本文方案	2nlog q	3nlog q	l_me+4n log q	3S_D+7M _R	5M_R

表3

图1

图2

参考文献 27

[1]	ZHENG Y , . Digital signcryption or how to achieve cost (signature ＆encryption) <<cost (signature) + cost (encryption)[C]// Annual International Cryptology Conference. Berlin:Springer, 1997: 165-179.
[2]	ZHENG Y , IMAI H . How to construct efficient signcryption schemes on elliptic curves[J]. Information Processing Letters, 1998,68(5): 227-233.
[3]	STEINFELD R , ZHENG Y . A signcryption scheme based on integer factorization[C]// International Workshop on Information Security. Berlin:Springer, 2000: 308-322.
[4]	MICCIANCIO D . Lattice-based cryptography[J]. Encyclopedia of Cryptography and Security, 2011: 713-715.
[5]	LYUBASHEVSKY V , PEIKERT C , REGEV O . On ideal lattices and learning with errors over rings[J]. Journal of the ACM, 2013,60(6):43.
[6]	LYUBASHEVSKY V , . Lattice signatures without trapdoors[C]// Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin:Springer, 2012: 738-755.
[7]	AKLEYLEK S , BINDEL N , BUCHMANN J ,et al. An efficient lattice-based signature scheme with provably secure instantiation[C]// International Conference on Cryptology in Africa. Berlin:Springer, 2016: 44-60.
[8]	WANG F , HU Y , WANG C . Post-quantum secure hybrid signcryptionfrom lattice assumption[J]. Applied Mathematics ＆ Information Sciences, 2012,6(1): 23-28.
[9]	FAGEN L , FAHAD T , BIN M ,et al. Lattice-based signcryption[J]. Concurrency and Computation:Practice and Experience, 2013,25(14): 2112-2122.
[10]	YAN J , WANG L , WANG L ,et al. Efficient lattice-based signcryption in standard model[J]. Mathematical Problems in Engineering, 2013,2013: 1-18.
[11]	LU X , WEN Q , JIN Z ,et al. A lattice-based signcryption scheme without random oracles[J]. Frontiers of Computer Science, 2014,8(4): 667-675.
[12]	BAI S , GALBRAITH S D . An improved compression technique for signatures based on learning with errors[C]// Cryptographers’ Track at the RSA Conference. Berlin:Springer, 2014: 28-47.
[13]	LU X , WEN Q , WANG L ,et al. A lattice-based signcryption scheme without trapdoors[J]. Journal of Electronics and Information, 2016,38(9): 2287-2293.
[14]	GERARD F , MERCKX K . Setla:signature and encryption from lattices[C]// International Conference on Cryptology and Network Security. Berlin:Springer, 2018: 299-320.
[15]	ALKIM E , DUCAS L , P?PPELMANN T .et al Post-quantum keyexchange-a new hope[C]// 25th USENIX Security Symposium (USENIX Security 2016). Berkeley:USENIX Association, 2016: 327-343.
[16]	SATO S , SHIKATA J . Lattice-based signcryption without random oracles[C]// International Conference on Post-Quantum Cryptography(PQCrypto2018). Berlin:Springer, 2018: 331-351.
[17]	LIU Z Y , TSO R , TSENG Y F ,et al. Signcryption from NTRU lattices without random oracles[C]// 14th Asia Joint Conference on Information Security (AsiaJCIS2019). Piscataway:IEEE Press, 2019: 134-141.
[18]	DEL P R , LYUBASHEVSKY V , POINTCHEVAL D . The whole is less than the sum of its parts:constructing more efficient lattice-based AKEs[C]// International Conference on Security and Cryptography for Networks. Berlin:Springer, 2016: 273-291.
[19]	ZHANG Y H , HU Y , XIE J ,et al. Efficient ring signature schemes over NTRU lattices[J]. Security and Communication Networks, 2016,9(18): 5252-5261.
[20]	YANG X , CAO H , LI W ,et al. Improved lattice-based signcryption in the standard model[J]. IEEE Access, 2019,7: 155552-155562.
[21]	LIU Z , HAN Y L , YANG X Y . A signcryption scheme based learning with errors over rings without trapdoor[C]// National Conference of Theoretical Computer Science. Berlin:Springer, 2019: 168-180.
[22]	FUJISAKI E , OKAMOTO T . Secure integration of asymmetric and symmetric encryption schemes[J]. Journal of Cryptology, 2013,26(1): 80-101.
[23]	APPLEBAUM B , CASH D , PEIKERT C ,et al. Fast cryptographic primitives and circular-secure encryption based on hard learning problems[C]// Annual International Cryptology Conference. Berlin:Springer, 2009: 595-618.
[24]	HUANG Q , WONG D S , ZHAO Y . Generic transformation to strongly unforgeable signatures[C]// International Conference on Applied Cryptography and Network Security. Berlin:Springer, 2007: 1-17.
[25]	AN J H , DODIS Y , RABIN T . On the security of joint signature and encryption[C]// In Proceedings Advances inCryptology-EUROCRYPT 2002,LNCS 2332. Berlin:Springer, 2002: 83-107.
[26]	NANDI M , PANDIT T . Generic conversions from CPA to CCA secure functional encryption[J]. IACR Cryptology ePrint Archive,2015, 2015:457.
[27]	LYUBASHEVSKY V , MICCIANCIO D . Asymptotically efficient lattice-based digital signatures[C]// Theory of Cryptography Conference. Berlin:Springer, 2008: 37-54.

构造	方案	公钥	私钥	密文
陷门	YWWY13	1.2×10 ⁹	4.2×10 ⁷	3.2×10 ⁶
	LBK13	3×10 ⁹	1.5×10¹⁰	3.0×10 ⁶
	SS18	5×10 ⁷	1.5×10¹²	7.2×10¹⁰
	LTT19	2.5×10 ⁴	2.5×10 ⁴ 发送方）2.0×10⁴（接收方）	2.22×10 ⁵
无陷门	LWWD16	5×10 ⁷	2.5×10 ⁷	1.98×10 ⁵
	FK18(KEX)	4.9×10 ⁴	7.3×10 ⁴	1.49×10 ⁵
	FK18(KEM)	4.9×10 ⁴	7.3×10 ⁴	1.73×10 ⁵
	LHY19	4.9×10 ⁴	7.3×10 ⁴	2.22×10 ⁵
	本文方案	4.9×10 ⁴	7.3×10 ⁴	1.98×10 ⁵

基于RLWE的可证明安全无陷门签密方案

Provable security signcryption scheme based on RLWE without trapdoor

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 27

相关文章 15

Metrics

推荐阅读 0

[1]	黄华伟. 基于矩阵作用问题的公钥密码体制抗量子攻击安全性分析[J]. 通信学报, 2023, 44(3): 220-226.
[2]	张文波, 黄文华, 冯景瑜. 基于无证书签密的车联社会网络安全通信机制[J]. 通信学报, 2021, 42(7): 128-136.
[3]	杨小东, 席婉婷, 王嘉琪, 陈艾佳, 王彩芬. 基于签密和区块链的车联网电子证据共享方案[J]. 通信学报, 2021, 42(12): 236-246.
[4]	彭长根, 张小玉, 丁红发, 杨善慧. 基于Cocks身份密码体制的高效签密方案[J]. 通信学报, 2020, 41(12): 128-138.
[5]	韩益亮,王众. 基于编码的多接收方广义签密方案[J]. 通信学报, 2020, 41(1): 53-65.
[6]	秦艳琳,吴晓平,胡卫. 抗密钥泄露的无证书签密方案[J]. 通信学报, 2017, 38(Z2): 43-50.
[7]	牛淑芬,牛灵,王彩芬,李亚红. 标准模型下可证明安全的无证书广义签密[J]. 通信学报, 2017, 38(4): 35-45.
[8]	王彩芬,刘超,李亚红,牛淑芬,张玉磊. 基于PKI和IBC的双向匿名异构签密方案[J]. 通信学报, 2017, 38(10): 10-17.
[9]	秦艳琳,吴晓平,胡卫. 高效的无证书多接收者匿名签密方案[J]. 通信学报, 2016, 37(6): 129-136.
[10]	张波,孙涛,于代荣. 基于身份的多接收者匿名签密改进方案[J]. 通信学报, 2015, 36(9): 109-118.
[11]	赵振国. 无证书签密机制的安全性分析与改进[J]. 通信学报, 2015, 36(3): 75-80.
[12]	张宇，杜瑞颖，陈晶，侯健，周庆，王文武. 对一个基于身份签密方案的分析与改[J]. 通信学报, 2015, 36(11): 174-179.
[13]	曾捷,聂伟. 可证安全的有效代理签名方案[J]. 通信学报, 2014, 35(8): 216-222.
[14]	曾捷，聂伟. 可证安全的有效代理签名方案[J]. 通信学报, 2014, 35(8): 26-222.
[15]	庞辽军,高璐,裴庆祺,王育民. 基于身份公平的匿名多接收者签密方案[J]. 通信学报, 2013, 34(8): 161-168.