Lattice-Based Signcryption Without Random Oracles

Abstract

Signcryption is a scheme that achieves both functionalities of public key encryption and digital signatures, and hence it is an important and fundamental protocol in cryptography. On the other hand, it is interesting to efficiently construct a signcryption scheme based on lattice-based problems, since lattice-based construction is expected to have resistance against quantum computing. The contribution of this paper is to construct an efficient lattice-based signcryption satisfying strong security without random oracles. We propose such a construction based on the problems of the learning with errors (LWE) and small integer solution (SIS). The public-key size and ciphertext size in our construction are shorter than any other schemes, and there is no disadvantage for ours in other parameters compared to other ones in terms of public/secret-key and ciphertext sizes.

Appendices

Appendix A: Deta Encapsulation Mechanism (DEM)

A DEM consists of a two-tuple of polynomial-time algorithms DEM = (Enc, Dec) as follows: Let \(\mathcal {MSP}\) be a message-space, and let \(\mathcal {KSP}\) be a key-space.

• \(\text {Enc}(K,\mu )\): Enc is a randomised encryption algorithm that on input a symmetric-key \(K \in \mathcal {KSP}\) and a message \(\mu \in \mathcal {MSP}\), outputs a ciphertext C.

• \(\text {Dec}(K,C)\): Dec is a deterministic decryption algorithm that on input a secret-key K and a ciphertext C, outputs a message \(\mu \) or invalid \(\bot \).

IND-OT security against DEM = (Enc, Dec) is defined as follows: Let \(\mathcal {A}\) be a PPT adversary in the following game.

• Setup: The challenger generates a symmetric-key \(K \overset{U}{\leftarrow }\mathcal {KSP}\).

• Challenge: When \(\mathcal {A}\) submits \((\mu _0,\mu _1)\), the challenger chooses \(b \in \{ 0,1 \}\) uniformly at random and returns \(C^* \leftarrow \text {Enc}(K,\mu _b)\).

• Output: \(\mathcal {A}\) outputs \(b^\prime \in \{ 0,1 \}\), and wins if \(b = b^\prime \).

Let \(Adv_{\mathcal {A}}^{\text {IND-OT}}(k) := |\Pr [b=b^\prime ] - \frac{1}{2}|\) be the advantage of \(\mathcal {A}\). DEM is IND-OT secure if \(Adv_{\mathcal {A}}^{\text {IND-OT}}(k) \le \mathrm{negl}(k)\) for any PPT adversary \(\mathcal {A}\).

Appendix B: Lattice-Based Tag-Based Encryption and Tag-Based KEM

IND-sTag-CCA secure TBE based on LWE can be easily constructed from lattice-based tag-based trapdoor functions [23], where IND-sTag-CCA means indistinguishability against selective tag chosen ciphertext attack (cf. [17]). Hence, we obtain the following lattice-based construction of TBE = (Setup, Kg, Enc, Dec):

• \(prm \leftarrow \text {Setup}(1^n)\): Take a security parameter n as input and then set public parameters prm as follows: a prime \(q = \mathrm{poly}(n)\), integers \(\bar{m} = O(n \log {q})\), \(m = \bar{m} + n \log {q}\), \(\alpha ^{-1} = O(n \log {q})^2 \cdot \omega (\sqrt{\log {n}})\), a matrix \(\varvec{G} \in \mathbb {Z}_q^{n \times n \log {q}}\) is as the definition in Sect. 2.2.

  Output \(prm = (n, q, \bar{m}, m, \alpha , \varvec{G})\).

• \((pk, sk) \leftarrow \text {Kg}(prm)\): To generate a public-key pk and a secret-key sk, do the following:

  1. 1.

     \(\bar{\varvec{A}} \overset{U}{\leftarrow }\mathbb {Z}_q^{n \times \bar{m}}, \varvec{T} \leftarrow D_{\log {n}}^{\bar{m} \times n \log {q}}\), \(\varvec{U} \overset{U}{\leftarrow }\mathbb {Z}_q^{n \times \ell }\), \(\varvec{A} = \left[ \bar{\varvec{A}} | - \bar{\varvec{A}}\varvec{T} \right] \in \mathbb {Z}_q^{n \times m}\),

  2. 2.

     Output \(pk = (\varvec{A}, \varvec{U}), sk = \varvec{T}\).

• \(C \leftarrow \text {Enc}(pk, tag, \mu )\): To encrypt a message \(\mu \in \{ 0,1 \}^\ell \), do the following:

  1. 1.

     \(\varvec{s} \overset{U}{\leftarrow }\mathbb {Z}_q^n, \varvec{x}_0 \leftarrow D_{\alpha q}^m, \varvec{x}_1 \leftarrow D_{\alpha q}^{\ell }\), \(\varvec{A}_{tag} = \left[ \bar{\varvec{A}} | H(tag)\varvec{G} - \bar{\varvec{A}}\varvec{T} \right] \in \mathbb {Z}_q^{n \times m}\),

  2. 2.

     \(\varvec{c}_0 = \varvec{s}^T \varvec{A}_{tag} + \varvec{x}_0^T \in \mathbb {Z}_q^m\), \(\varvec{c}_1 = \varvec{s}^T \varvec{U} + \varvec{x}_1^T + \mu \cdot \lfloor q/2 \rfloor \in \mathbb {Z}_q^\ell \),

  3. 3.

     Output a ciphertext \(C = (\varvec{c}_0, \varvec{c}_1)\).

• \(\mu \leftarrow \text {Dec}(sk, tag, C)\): To decrypt \(C = (\varvec{c}_0,\varvec{c}_1)\), do the following:

  1. 1.

     \(\varvec{A}_{tag} = \left[ \bar{\varvec{A}} | H(tag) \varvec{G} - \bar{\varvec{A}}\varvec{T} \right] \), \((\varvec{s}, \varvec{x}_0) = \textsf {Invert}(\varvec{T}, \varvec{A}_{tag}, \varvec{c}_0)\),

  2. 2.

     \(\varvec{d} = \varvec{c}_1 - \varvec{s}^t \varvec{U} \in \mathbb {Z}_q^\ell \), let \(\varvec{d} = (d_1, \ldots , d_{\ell })\), and for each \(i \in [\ell ]\), \(k_i = 0\) if \(d_i\) is closer to 0 than to \(\lfloor \frac{q}{2} \rfloor \), otherwise let \(k_i = 1\).

  3. 3.

     Output a message \(\mu = (k_1, \ldots , k_{\ell }) \in \{ 0,1 \}^\ell \).

Note that the above construction is based on LWE, and we can obtain the lattice-based (IND-sTag-CCA secure) TB-KEM from the TBE above by replacing a message with a random key.