1 Introduction

A nominative signature scheme, introduced by Kim et al. [6], is a cryptographic primitive in which a nominator selects a nominee and produces a nominative signature bound to that nominee. Only the nominee can verify the signature and prove (convince a verifier of) its validity. A nominative signature should satisfy four security attributes: unforgeability, invisibility, non-impersonation and non-repudiation. Unforgeability ensures that neither the nominator nor the nominee can produce a valid nominative signature alone, while invisibility means that only the nominee can verify a nominative signature. Non-impersonation guarantees that only the nominee can prove (convince a verifier of) the validity of a nominative signature. Non-repudiation places a check on the nominee: although the nominee can verify a nominative signature and check its validity, it cannot deceive a verifier by proving the validity of an invalid nominative signature or the invalidity of a valid one.

Nominative signatures have several practical applications in user identification systems, banking, insurance, mobile communication and so on. For instance, suppose a government body (nominator) certifies and issues a signature on the passport of a citizen (nominee) who requests it. A nominative signature scheme is an ideal primitive for this situation: the nominative signature is a mutual agreement between the government body and the citizen. If the scheme is unforgeable, the government body cannot make false claims about the citizen and vice versa. Invisibility permits only the citizen to verify whether the issued passport contains the correct details. Non-impersonation allows only the citizen to prove (convince) to the airport authority (verifier) that the passport belongs to him or her. Moreover, a citizen holding a fake (or a genuine) passport must not be able to mislead the airport authority by proving the fake passport genuine (or the genuine passport fake); this is ensured by non-repudiation.

Related Work: Nominative signature was introduced by Kim et al. [6] in 1996, built on Schnorr's signature and claimed secure under the hardness of the discrete logarithm problem. However, the scheme was shown to be flawed by Huang and Wang [5] in 2004. The concept of convertible nominative signature was also introduced in [5], together with a construction, which was in turn proven insecure in [15].

The formal definition and security model for nominative signatures were introduced by Liu et al. [10] in 2007, along with a nominative signature scheme. This construction is based on Chaum's undeniable signature and is secure under the hardness of the computational Diffie-Hellman, decisional Diffie-Hellman and discrete logarithm problems. The scheme requires multiple rounds of communication between nominator and nominee for signature generation. A more efficient design was proposed by Liu et al. [9] using a ring signature with one round of communication between nominator and nominee; it is proven secure under the discrete logarithm and computational Diffie-Hellman assumptions. However, the schemes [9, 10] exhibit only weak invisibility, in the sense that the nominator does not take part in the generation of some valid signatures.

Huang et al. [4] proposed a stronger security model by introducing stronger invisibility and additionally treating the nominator as an adversary. They designed a one-round nominative signature scheme that achieves security in this stronger model. The authors of [14] proposed a security model stronger than that of [4] by introducing a stronger unforgeability notion in which the adversary generates the challenge nominee public key, and constructed a nominative signature scheme proven secure in that stronger model.

The schemes of [4, 14] are the only nominative signature schemes so far that remain unbroken, and both are only classically secure. Both use bilinear pairings. The scheme in [4] uses witness-indistinguishable proofs and is proven secure in the random oracle model under the hardness of the weak discrete logarithm problem, the weak Diffie-Hellman problem, the bilinear Diffie-Hellman exponent problem, the weak computational Diffie-Hellman (WCDH)-I problem and the WCDH-II problem. It is efficient in that it requires only one round of communication between nominator and nominee to generate a nominative signature, and it uses 3 bilinear pairings in that generation. The nominator's public and secret keys and the nominee's public and secret keys all have size \(|\mathbb {G}|\), the nominative signature has size \(4|\mathbb {G}|\) and the communication cost is \(|\mathbb {G}|\). The scheme in [14] uses a zero knowledge proof of knowledge and is proven secure in the standard model under the hardness of the discrete logarithm problem and the decision linear problem. It also requires only one round of communication between nominator and nominee and uses 3 bilinear pairings to generate a nominative signature. The nominator's public key, the nominator's secret key, the nominee's public key and the nominee's secret key have sizes \((n+3)|\mathbb {G}|\), \(|\mathbb {G}|\), \((n+6)|\mathbb {G}|\) and \((n+3)|\mathbb {G}|\) respectively, the nominative signature has size \(4|\mathbb {G}|\) and the communication cost is \(2|\mathbb {G}|\), where \(|\mathbb {G}|\) is the bit size of an element of the group \(\mathbb {G}\).

Since large-scale quantum computers are a realistic threat, a modern public key cryptosystem should withstand quantum attacks. Cryptosystems based on hash functions, lattices, codes, multivariate polynomials, isogenies and so on are believed to resist quantum attacks. Lattice-based cryptography is one of the most promising tools for the post-quantum era: in addition to its apparent resistance to quantum attacks, it offers security under worst-case intractability assumptions, efficient and parallelizable computation, and homomorphic computation. Although a number of cryptographic primitives have been built from lattices, to date there is no lattice-based construction of a nominative signature.

Our Contribution: In this paper, we propose a security model for nominative signature schemes that is stronger than the models of [4, 14]. Further, we construct the first lattice-based nominative signature scheme, which achieves security in this stronger model under the hardness of the short integer solution (SIS) problem [1] and the learning with errors (LWE) problem [13]. More precisely, we note the following:

  • At a high level, we design a nominative signature by employing the decomposition extension technique of Ling et al. [8] and integrate the non-interactive zero knowledge argument system of Libert et al. [7]. In our construction, the public key of a nominator or a nominee is a matrix \(\mathbf S \in \mathbb {Z}_q^{n \times m}\) and the secret key \(\mathsf{{T}}_\mathbf S \in \mathbb {Z}^{m \times m}\) is a short basis of the lattice \(\varLambda _q^\perp (\mathbf S )=\{\mathbf{x }: \mathbf S {} \mathbf x =\mathbf 0 \bmod q\}\) where q, n, m are integers and \(m=poly(n)\). The nominator can choose a nominee. The nominee, in turn, proves its identity to the nominator by issuing a signature Sig to the nominator which contains a non-interactive zero knowledge proof \(\varPi \). The proof \(\varPi \) proves to the nominator that the nominee has the knowledge of a vector \(\mathbf y \in \mathbb {Z}_q^{m}\) satisfying an equation of the form \(\mathbf P {} \mathbf y =\mathbf v \bmod q\). Here \(\mathbf P \in \mathbb {Z}_q^{n \times m}\) and \(\mathbf v \in \mathbb {Z}_q^n\) are suitably formed using the decomposition-extension technique and are publicly computable. After suitably verifying Sig, the nominator issues the nominative signature \(\mathsf{{nsig}}\) which consists of a short solution \(\mathbf x \) of an equation of the form \(\mathbf A {} \mathbf x =\mathbf b \bmod q\) where \(\mathbf A \), \(\mathbf b \) are publicly available. The nominative signature \(\mathsf{{nsig}}\) can be verified by the nominee and the validity (or invalidity) can be proven to the verifier only by the nominee using the confirmation protocol (or disavowal protocol).

  • We propose a security model which is stronger than the security models of [4, 14] by exhibiting stronger unforgeability against a malicious nominee, stronger unforgeability against a malicious nominator, and stronger invisibility. Similar to [14], security against impersonation is covered in our model by unforgeability against a malicious nominator, while non-repudiation follows the model of [4]. The unforgeability in our model is stronger in the following sense.

    1. (i)

      The forger is allowed to query for the signature on the forged tuple (\(M^*\), NE, NR) only once. Here \(M^*\) is the message on which the forged nominative signature \(\mathsf{{nsig}}^*\) is produced, NE is the malicious (or uncorrupted) nominee and NR is the uncorrupted (or malicious) nominator corresponding to \(\mathsf{{nsig}}^*\) for unforgeability against a malicious nominee (or against a malicious nominator). This query is not permitted in the security models of [4, 14].

    2. (ii)

      Besides, the forger is provided the flexibility to choose the honest nominator NR (or the honest nominee NE) from all the uncorrupted nominators (or nominees) to achieve unforgeability against malicious nominees (or malicious nominators). In [4, 14], honest nominee or honest nominator are chosen by the challenger.

    3. (iii)

      Additionally, the forger can corrupt nominators and nominees by querying their secret keys, which is not permitted in the security model of [14].

    4. (iv)

      Furthermore, similar to [14], the forger is allowed to query for a proof of the validity or invalidity of the signature Sig (or nsig) issued by an honest nominee (or an honest nominator).

  • Like [4, 14] our scheme also offers non-transferability which ensures that the verifier cannot convince (or disavow) a third party that the verifier received a valid (or invalid) signature on a given message from the nominee. It follows from the combination of invisibility and zero knowledge argument system.

  • We also achieve a stronger invisibility as our model gives the choice to the adversary to choose the honest nominee for the challenge query which is not permitted in [4, 14].

  • Our scheme is proven to be secure in this stronger security model. We achieve unforgeability against malicious nominee under the hardness of SIS search problem. The invisibility is obtained under the hardness of SIS decision problem and LWE problem. Non-repudiation follows from the completeness and soundness properties of the non-interactive zero knowledge argument system of [7]. Our security analysis is in the standard model without using any random oracles. However, we attain unforgeability against malicious nominator in the random oracle model under the hardness of SIS search problem. As mentioned earlier, we cover non-impersonation in the unforgeability against malicious nominator.

  • In our scheme, the public key of a user (nominator or nominee) is a matrix \(\mathbf S \in \mathbb {Z}_q^{n \times m}\) and the secret key \(\mathsf{{T}}_\mathbf S \in \mathbb {Z}^{m \times m}\) is a short basis of the lattice \(\varLambda _q^\perp (\mathbf S )=\{\mathbf{x }: \mathbf S {} \mathbf x =\mathbf 0 \bmod q\}\) where q, n, m are integers and \(m=poly(n)\). Consequently, the size of user’s public key and secret key is \(\widetilde{\mathcal {O}}(n^2)\) each. On the other hand, the nominative signature in our scheme is \(\mathsf{{nsig_{NR}}}=(\mathbf z , \mathbf y _1)\) where \(\mathbf z \in \mathbb {Z}_q^{m}\) and \(\mathbf y _1\in \mathbb {Z}_q^{n}\). Therefore the size of the nominative signature is \(\widetilde{\mathcal {O}}(n)\). The Sig issued by the nominee to prove his identity to the nominator is Sig = (\(\varPi \), \(\mathbf y _1\)) where \(\varPi =(\{\mathsf{{COM}}\}_{\gamma =1}^s, \mathsf{{Ch}}, \{\mathsf{{RSP}}\}_{\gamma =1}^s)\) is the proof of knowledge of a vector \(\mathbf y \in \mathbb {Z}_q^{m}\) satisfying an equation of the form \(\mathbf P {} \mathbf y =\mathbf v \bmod q\). This implies that the communication cost for the non-interactive zero knowledge proof is \(s\cdot |\mathsf{{COM}}|+s\cdot |\mathsf{{RSP}}|+s\). Here COM is the commitment function used by the nominee to produce a commitment about the knowledge of \(\mathbf y \) to the nominator and RSP is the response on this commitment COM depending on the challenge Ch and \(|\mathsf{{RSP}}|=\mathcal {O}(L)\), \(L=6(m+1)p\), \(p=\lfloor \log _2 \beta \rfloor +1\), \(\beta =2\sigma \sqrt{m}\) and \(\sigma \) is the standard deviation of the discrete Gaussian distribution.

2 Preliminaries

Notations. Here we define some basic terminology for our work. Throughout this paper, a vector \(\mathbf a \in \mathbb {S}^n\) denotes a column vector of dimension \(n \times 1\) with entries from the set \(\mathbb {S}\). For \(\mathbf u =(u_1,u_2,\ldots ,u_n)\in \mathbb {R}^n\), \(||\mathbf u ||_{\infty }=\max \limits _{i}|u_i|\) denotes the maximum norm and \(||\mathbf u ||=\sqrt{u_1^2+u_2^2+\ldots +u_n^2}\) the Euclidean norm. If \(\mathbf A =(\mathbf a _1, \mathbf a _2,\ldots , \mathbf a _m)\) is a matrix with m columns in \(\mathbb {R}^n\), then \(||\mathbf A ||= \max \limits _{1\le i \le m}||\mathbf a _i||\). The notation \(\mathbf A \hookleftarrow \varDelta \) means that \(\mathbf A \) is sampled from the distribution \(\varDelta \), and \(\mathbf A ^t\) is the transpose of \(\mathbf A \). We use || for the concatenation of matrices and of vectors. A function f is negligible in \(\lambda \) if \(f=\lambda ^{-\omega (1)}\).

Definition 1

(Lattice). For integers \(m\le n\), let \(\mathbf{B }=\{\mathbf{b }_1,\mathbf{b }_2,\cdots , \mathbf b _m\}\) be a set of linearly independent vectors in \(\mathbb {R}^n\). The lattice generated by \(\mathbf B \) is \(\varLambda (\mathbf B )= \{\sum \limits _\mathbf{b _i \in \mathbf B }c_i \mathbf b _i : c_i \in \mathbb {Z}\}\), and \(\mathbf B \) is called a basis of it.

For \(q\in \mathbb {N}\), a matrix \(\mathbf A \in \mathbb {Z}_q^{n\times m}\) and a vector \(\mathbf u \in \mathbb {Z}_q^n\), we define the following three q-ary lattices generated by \(\mathbf A \): \(\varLambda _q^\perp (\mathbf A )=\{\mathbf{x }\in \mathbb {Z}^m : \mathbf A {} \mathbf x =\mathbf 0 \bmod q\}\), \(\varLambda _q^\mathbf u (\mathbf A )=\{\mathbf{x }\in \mathbb {Z}^m : \mathbf A {} \mathbf x =\mathbf u \bmod q\}\), \(\varLambda _q(\mathbf A )=\{\mathbf{x }\in \mathbb {Z}^m : \mathbf A ^t\mathbf s =\mathbf x \bmod q, { \mathrm {for\,some}}\,\mathbf s \in \mathbb {Z}_q^n\}\), where m, n are integers with \(m\ge n\ge 1\) and \(\mathbf 0 \) is the zero vector of size \(n \times 1\). Note that \(\varLambda _q^\mathbf u (\mathbf A )\) is a coset of \(\varLambda _q^\perp (\mathbf A )\), not a lattice itself unless \(\mathbf u =\mathbf 0 \).

Definition 2

(Gaussian distribution over a lattice). For a lattice \(\varLambda \) and a real number \(\sigma >0\), the discrete Gaussian distribution over \(\varLambda \) centered at \(\mathbf 0 \), denoted \(D_{\varLambda , \sigma }\), assigns to every \(\mathbf y \in \varLambda \) a probability \(D_{\varLambda , \sigma }[\mathbf y ]\) proportional to \(exp(- \pi || \mathbf y || ^2/ \sigma ^2)\). We write \(\mathbf y \hookleftarrow D_{\varLambda , \sigma }\) for a vector sampled from this distribution and refer to \(\sigma \) as the standard deviation of \(D_{\varLambda , \sigma }\).

Lemma 1

For any n-dimensional lattice \(\varLambda \) and for any real number \(\sigma >0\), we have the following results and probabilistic polynomial time (PPT) algorithms:

  1. (i)

    \(Pr_\mathbf{b \hookleftarrow D_{\varLambda ,\sigma }}[|| \mathbf b ||\le \sigma \sqrt{n}]\ge 1-2^{-\varOmega (n)}\), i.e. if \(\mathbf b \hookleftarrow D_{\varLambda ,\sigma }\) then \(||\mathbf b ||\le \sigma \sqrt{n}\) with overwhelming probability.

  2. (ii)

    \(\mathsf{{TrapGen}}(n,m,q)\longrightarrow (\mathbf A ,\mathsf{{T}}_\mathbf A )\) [2]. This randomized algorithm outputs a matrix \(\mathbf A \in \mathbb {Z}_q^{n \times m}\) and a short basis \(\mathsf{{T}}_\mathbf A \in \mathbb {Z}^{m \times m}\) of \(\varLambda _q^\perp (\mathbf A )\) such that \(\mathbf A \) is within the statistical distance \(2^{-\varOmega (n)}\) to \(U(\mathbb {Z}_q^{n\times m})\) and \(||\widetilde{\mathsf{{T}}}_\mathbf A || \le \mathcal {O}(\sqrt{n \log q})\). Here \(U(\mathbb {Z}_q^{n\times m})\) is the uniform distribution of integer matrices over \(\mathbb {Z}_q\) of order \(n \times m\) and \(\widetilde{\mathsf{{T}}}_\mathbf A \) is the Gram-Schmidt orthogonalization of \(\mathsf{{T}}_\mathbf A \).

  3. (iii)

    SampleD\((\mathsf{{T}}_\mathbf A \), \(\mathbf A \), \(\mathbf u \), \(\sigma )\) \(\longrightarrow \) \((\mathbf x )\) [12]. Given a matrix \(\mathbf A \in \mathbb {Z}_q^{n \times m}\) whose columns span \(\mathbb {Z}_q^n\), a basis \(\mathsf{{T}}_\mathbf A \in \mathbb {Z}^{m \times m}\) of \(\varLambda _q^\perp (\mathbf A )\), a vector \(\mathbf u \in \mathbb {Z}_q^n\) and a real number \(\sigma \ge ||\widetilde{\mathsf{{T}}}_\mathbf A ||\cdot \omega (\sqrt{\log m})\), this randomized algorithm returns a vector \(\mathbf x \in \mathbb {Z}^m\) distributed statistically close to \(D_{\varLambda _q^\mathbf u (\mathbf A ),\sigma }\) (so \(||\mathbf x ||\le \sigma \sqrt{m}\) with overwhelming probability by (i)) and satisfying \(\mathbf A \cdot \mathbf x =\mathbf u \bmod q\).

2.1 Computational and Decisional Problems

Definition 3

(Inhomogeneous short integer solution (ISIS) search problem) [1]. Given an integer q, a real number \(\beta \), a matrix \(\mathbf A \in \mathbb {Z}_q^{n \times m}\) and a vector \(\mathbf u \in \mathbb {Z}_q^n\), the ISIS problem is to find an integer vector \(\mathbf e \in \mathbb {Z}^m\) such that \(\mathbf Ae =\mathbf u \bmod q\) with \(||\mathbf e || \le \beta \) with non-negligible probability. If \(\mathbf u =\mathbf 0 \in \mathbb {Z}_q^n\), then it is known as short integer solution (SIS) problem.

Definition 4

(Short integer solution (SIS) decision problem) [11]. Let \(\chi \) be the distribution on \(\mathbb {Z}_q^{n \times m} \times \mathbb {Z}_q^{n \times 1}\) of pairs \((\mathbf A ,\mathbf A {} \mathbf s \bmod q)\), where \(\mathbf A \in \mathbb {Z}_q^{n \times m}\) is a uniformly random matrix and \(\mathbf s \in \mathbb {Z}_q^{m \times 1}\) is a short vector sampled with standard deviation \(\sigma \), so that \(||\mathbf s || \le \sigma \sqrt{m}\). The decisional SIS problem is to decide, with non-negligible advantage, whether a given pair \((\mathbf A ,\mathbf u )\) follows \(\chi \) or the uniform distribution \(U(\mathbb {Z}_q^{n \times m} \times \mathbb {Z}_q^n)\).

Definition 5

(Learning with errors (LWE) problem) [13]. Let \(n\ge 1\) be any integer, \(p\ge 2\) be any prime and \(\chi \) be a distribution on \(\mathbb {Z}\). For any fixed vector \(\mathbf s \in \mathbb {Z}_p^n\), given arbitrarily many samples of the form \((\mathbf a , \langle \mathbf a ,\mathbf s \rangle +e)\) with \(\mathbf a \) uniform in \(\mathbb {Z}_p^n\) and e sampled from \(\chi \), the problem of finding \(\mathbf s \) is called the search LWE and the problem of distinguishing the distribution of \((\mathbf a , \langle \mathbf a ,\mathbf s \rangle +e)\) from the uniform distribution \(U(\mathbb {Z}_p^n \times \mathbb {Z}_p)\) is called the decisional LWE. Here \(\langle \mathbf a ,\mathbf s \rangle =\mathbf a ^t\mathbf s \).

2.2 Zero Knowledge Argument System [7]

This section deals with the zero knowledge argument system when the prover wants to prove the knowledge of the witness \(\mathbf x \) satisfying the relation \(\mathbf P {} \mathbf x =\mathbf v \) without giving \(\mathbf x \) to the verifier. Here \(\mathbf P \) is any matrix and \(\mathbf v \) is a vector (or matrix), both publicly available and \(\mathbf x \) is prover’s secret vector (or matrix) with some conditions to be proven in zero knowledge to the verifier.

Let \(q\ge 2\) be any integer and D, L be two positive integers. We consider a set VALID \(\subseteq \{-1,0,1\}^L\). Following Libert et al. [7], let S be a finite set of permutations such that for any \(\pi \in S\) one can associate a permutation \(T_\pi \) of L elements satisfying

  1. (i)

    \(\mathbf x \in \mathsf{{VALID}}\Leftrightarrow T_\pi (\mathbf x )\in \mathsf{{VALID}}\).

  2. (ii)

    \(\hbox {If}~ \mathbf x \in ~ \mathsf{{VALID}}~ \hbox {and} ~\pi ~\hbox {is uniform in}~ S ~\hbox {then}~ T_\pi (\mathbf x )~ \hbox {is uniform in} ~\mathsf{{VALID}}\).

A zero knowledge argument of knowledge (ZKAoK) for the relation \(\mathcal {R}=\{(\mathbf P \), \(\mathbf v ) \in \mathbb {Z}_q^{D\times L} \times \mathbb {Z}_q^D,\mathbf x \in \mathsf{{VALID}}: \mathbf Px =\mathbf v \bmod q\}\) written as ((\(\mathbf P \), \(\mathbf v \)), \(\mathbf x \))\( \in \mathcal {R}\) is a 3-round protocol ZKAoK = (Commitment, Challenge, Response,Verification) between a prover and a verifier, both having access to \(\mathbf P \) and \(\mathbf v \) where ZKAoK.Commitment, ZKAoK.Challenge, ZKAoK.Response are PPT algorithms and ZKAoK.Verification is a deterministic algorithm with the following requirements:

  1. 1.

    ZKAoK.Commitment\((\mathbf P \), \(\mathbf v \), \(\mathbf x )\longrightarrow \) (COM = (\(C_1\), \(C_2\), \(C_3))\). The prover does the following:

    1. (a)

      It samples randomness \(\rho _1\), \(\rho _2\), \(\rho _3\) for generating commitments and selects \(\mathbf r \hookleftarrow U(\mathbb {Z}_q^L), \pi \hookleftarrow U(S) \) where S is a finite set of permutation.

    2. (b)

      It computes the commitment \(\mathsf{{COM}}=(C_1\), \(C_2\), \(C_3)\) where \(C_1=\mathsf{{CMT}}_1(\pi \), \(\mathbf P {} \mathbf r \); \(\rho _1)\), \(C_2=\mathsf{{CMT}}_2(T_\pi (\mathbf r )\); \(\rho _2)\), \(C_3=\mathsf{{CMT}}_3(T_\pi (\mathbf x +\mathbf r )\); \(\rho _3)\) are generated using randomness \(\rho _1\), \(\rho _2\), \(\rho _3\) respectively and the permutation \(T_\pi \) corresponding to \(\pi \). Here \(\mathsf{{CMT}}_i\), \(i=1\), 2, 3, is statistically hiding and computationally binding commitment scheme such that the hiding property holds even against all-powerful receivers while the binding property holds only for polynomially bounded senders.

    3. (c)

      Finally, the prover sends the commitment COM to the verifier.

  2. 2.

    ZKAoK.Challenge(\(\mathbf P \), \(\mathbf v \)) \(\longrightarrow (\mathsf{{Ch}} \hookleftarrow U(\{1\), 2, \(3\}))\). The verifier sends a challenge \(\mathsf{{Ch}}\hookleftarrow U(\{1\), 2, \(3\})\) to the prover.

  3. 3.

    ZKAoK.Response(Ch, \(\rho _1\), \(\rho _2\), \(\rho _3\), \(\pi \), \(\mathbf r \), \(\mathbf x \)) \(\longrightarrow \) (RSP). The prover sends a response RSP computed as follows:

    1. (a)

      If Ch\(\,=1\) then the prover sets \(\mathbf t _\mathbf x \) = \(T_\pi (\mathbf x )\), \(\mathbf t _\mathbf r =T_\pi (\mathbf r )\) and RSP = (\(\mathbf t _\mathbf x \), \(\mathbf t _\mathbf r \), \(\rho _2\), \(\rho _3\)) using \(T_\pi \) associated with \(\pi \).

    2. (b)

      If Ch\(\,=2\) then the prover sets \(\pi _2\) = \(\pi \), \(\mathbf y =\mathbf x +\mathbf r \) and RSP = (\(\pi _2\), \(\mathbf y \), \(\rho _1\), \(\rho _3\)).

    3. (c)

      If Ch\(\,=3\) then the prover sets \(\pi _3\) = \(\pi \), \(\mathbf r _3\) = \(\mathbf r \) and RSP = (\(\pi _3\), \(\mathbf r _3\), \(\rho _1\), \(\rho _2)\).

  4. 4.

    ZKAoK.Verification(\(\mathbf P \), \(\mathbf v \), \(\mathsf{{RSP}}\), Ch, \(\mathsf{{COM}}\)) \(\longrightarrow \) (VRF). On receiving the response RSP from the prover, the verifier uses the commitment scheme \(\mathsf{{CMT}}_i\), \(i=1,2,3\) and proceeds as follows:

    1. (a)

      If Ch = 1 then the verifier checks whether \(\mathbf t _\mathbf x \in \) VALID and \(C_2\) = \( \mathsf{{CMT}}_2(\mathbf t _\mathbf r \); \(\rho _2)\), \(C_3= \mathsf{{CMT}}_3(\mathbf t _\mathbf x +\mathbf t _\mathbf r \); \(\rho _3)\) using RSP = (\(\mathbf t _\mathbf x \), \(\mathbf t _\mathbf r \), \(\rho _2\), \(\rho _3\)) and extracting \(C_2\), \(C_3\) from COM.

    2. (b)

      If Ch = 2 then the verifier checks whether \(C_1\) = \(\mathsf{{CMT}}_1(\pi _2\), \(\mathbf P {} \mathbf y \)-\(\mathbf v \); \(\rho _1)\) and \(C_3= \mathsf{{CMT}}_3(T_{\pi _2}(\mathbf y )\); \(\rho _3)\) extracting \(C_1\), \(C_3\) from COM and using RSP = \((\pi _2\), \(\mathbf y \), \(\rho _1\), \(\rho _3)\) together with the permutation \(T_{\pi _2}\) associated with \(\pi _2\).

    3. (c)

      If Ch = 3 then the verifier checks whether \(C_1= \mathsf{{CMT}}_1(\pi _3\), \(\mathbf P {} \mathbf r _3\); \(\rho _1), C_2= \mathsf{{CMT}}_2(T_{\pi _3}(\mathbf r _3)\); \(\rho _2)\) using \(C_1\), \(C_2\) obtained from COM, RSP = (\(\pi _3\), \(\mathbf r _3\), \(\rho _1\), \(\rho _2\)) and the permutation \(T_{\pi _3}\) corresponding to \(\pi _3\).

    In each case, the verifier outputs \(\mathsf{{VRF}}=1\) if the verification succeeds; otherwise \(\mathsf{{VRF}}=0\).

The above zero knowledge argument protocol satisfies the following three properties [7]:

Let VRF \(\leftarrow \) ZKAoK.Verification (\(\mathbf P \), \(\mathbf v \), \(\mathsf{{RSP}}\), Ch, \(\mathsf{{COM}}\)), RSP \(\leftarrow \) ZKAoK.Response (Ch, \(\rho _1\), \(\rho _2\), \(\rho _3\), \(\pi \), \(\mathbf r \), \(\mathbf x \)), COM \(\leftarrow \) ZKAoK.Commitment (\(\mathbf P \), \(\mathbf v \), \(\mathbf x \)) and Ch \(\leftarrow \) ZKAoK.Challenge \((\mathbf P \), \(\mathbf v )\), where \(\rho _1\), \(\rho _2\), \(\rho _3\), \(\mathbf r \), \(\pi \) are as selected by the prover in ZKAoK.Commitment(\(\mathbf P \), \(\mathbf v \), \(\mathbf x \)).

Correctness: If ((\(\mathbf P \), \(\mathbf v \)), \(\mathbf x \))\( \,\in \mathcal {R}\) then \(Pr[\mathsf{{VRF}}=1]=1\).

Soundness: If ((\(\mathbf P \), \(\mathbf v \)), \(\mathbf x \))\(\,\notin \mathcal {R}\) then \(Pr[\mathsf{{VRF}}=1]\le \mathsf{{negl}}(\lambda )\) for the s-fold repetition of Remark 1, where negl(\(\lambda \)) is a negligible function in \(\lambda \). A single run of the protocol only has soundness error 2/3 (Theorem 1), since a prover who prepares for a guessed challenge can answer that one challenge without a valid witness.

Zero Knowledge: If the statement proven by the prover is true then the cheating verifier learns only the fact that the statement is true.

Remark 1

The above protocol is repeated \(s=\omega (\log n)\) times to achieve negligible soundness error and can be made non-interactive using the Fiat-Shamir heuristic [3] as a triple \(\varPi =(\{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s, \mathsf{{Ch}},\{\mathsf{{RSP}}_{\gamma }\}_{\gamma =1}^s)\) where \(\mathsf{{Ch}}=H(M\), \(\{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s\), \(\mathsf{{aux}}) \in \{1,2,3\}^s\), M is a message, \(\mathsf{{aux}}\) is some auxiliary information and \(H: \{0,1\}^* \rightarrow \{1,2,3\}^s\) is a cryptographically secure hash function, modelled as a random oracle in the security analysis. The prover generates s commitments \(\mathsf{{COM}}_\gamma \), \(\gamma =1,2,\ldots ,s\), by running ZKAoK.Commitment(\(\mathbf P \), \(\mathbf v \), \(\mathbf x \)) s times, computes the challenge \(\mathsf{{Ch}}=H(M\), \(\{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s, \mathsf{{aux}}) \in \{1,2,3\}^s\) itself (no verifier message is needed), and outputs the responses \(\mathsf{{RSP}}_\gamma \) generated by ZKAoK.Response(Ch[\(\gamma \)], \(\rho _1^{(\gamma )}\), \(\rho _2^{(\gamma )}\), \(\rho _3^{(\gamma )}\), \(\pi ^{(\gamma )}\), \(\mathbf r ^{(\gamma )}\), \(\mathbf x \)), where Ch[\(\gamma \)] is the \(\gamma \)-th digit of \(\mathsf{{Ch}}\in \{1,2,3\}^s\) and \(\rho _1^{(\gamma )}\), \(\rho _2^{(\gamma )}\), \(\rho _3^{(\gamma )}\), \(\mathbf r ^{(\gamma )}\), \(\pi ^{(\gamma )}\) are as selected by the prover in the \(\gamma \)-th run of ZKAoK.Commitment(\(\mathbf P \), \(\mathbf v \), \(\mathbf x \)), for \(\gamma =1,2,\ldots ,s\). For verification, the verifier recomputes \(\mathsf{{Ch}}\) from \((M, \{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s, \mathsf{{aux}})\) and checks each response \(\mathsf{{RSP}}_{\gamma }\) against the \(\gamma \)-th digit of \(\mathsf{{Ch}}\) by running ZKAoK.Verification(\(\mathbf P \), \(\mathbf v \), \(\mathsf{{RSP}}_{\gamma }\), \(\mathsf{{Ch}}[\gamma ]\), \(\mathsf{{COM}}_{\gamma }\)), which outputs \(\mathsf{{VRF}}_{\gamma }\).
If \(\mathsf{{VRF}}_{\gamma }=1\) for all \(\gamma =1,2,\ldots ,s\) then \(\varPi \) is accepted as a confirmation proof for the above zero knowledge argument system. If \(\mathsf{{VRF}}_{\gamma }=0\) for at least one \(\gamma \in \{1,2,\ldots ,s\}\) then \(\varPi \) is treated as a disavowal proof for the above zero knowledge argument system.
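The three-round protocol above and its Fiat-Shamir repetition from Remark 1, as an added Python example that is not part of the paper. It instantiates VALID as the binary vectors of length L with Hamming weight W and S as all coordinate permutations, so that \(T_\pi \) preserves VALID and maps a uniform \(\pi \) to a uniform element of VALID, as conditions (i) and (ii) require. The statistically hiding lattice commitment \(\mathsf{{CMT}}_i\) is replaced by a SHA-256 hash commitment, and the modulus, dimensions and instance are constructed toy values; all of these are assumptions of the example. The function self_check runs an honest prover against all three challenges, a verifier holding a tampered \(\mathbf v \) (caught by Ch = 2), a prover whose witness lies outside VALID (caught by Ch = 1), and the non-interactive proof bound to a message.

```python
import hashlib
import random

# Toy parameters (constructed for this example, not the paper's values).
q = 257             # modulus
D, L, W = 4, 12, 6  # P is D x L; VALID = binary vectors of length L, weight W


def in_valid(x):
    """Membership test for VALID = {x in {0,1}^L : Hamming weight W}."""
    return len(x) == L and all(c in (0, 1) for c in x) and sum(x) == W


def T(pi, x):
    """T_pi: permute the coordinates of x by pi (a list encoding an element of S_L)."""
    return [x[pi[i]] for i in range(L)]


def matvec(P, x):
    return [sum(P[i][j] * x[j] for j in range(L)) % q for i in range(D)]


def cmt(tag, *parts, rho):
    """Hash commitment CMT_tag(parts; rho) (assumption: stands in for the lattice CMT_i)."""
    enc = repr(tuple(tuple(p) if isinstance(p, list) else p for p in parts))
    return hashlib.sha256(tag.encode() + enc.encode() + rho).hexdigest()


def zk_commit(P, v, x, rng):
    """ZKAoK.Commitment: returns COM = (C1, C2, C3) and the prover's private state."""
    rho = [bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(3)]
    r = [rng.randrange(q) for _ in range(L)]            # r <- U(Z_q^L)
    pi = list(range(L)); rng.shuffle(pi)                # pi <- U(S)
    y = [(a + b) % q for a, b in zip(x, r)]             # x + r mod q
    com = (cmt("C1", pi, matvec(P, r), rho=rho[0]),
           cmt("C2", T(pi, r), rho=rho[1]),
           cmt("C3", T(pi, y), rho=rho[2]))
    return com, {"rho": rho, "pi": pi, "r": r}


def zk_respond(ch, state, x):
    """ZKAoK.Response for a challenge ch in {1, 2, 3}."""
    rho, pi, r = state["rho"], state["pi"], state["r"]
    if ch == 1:
        return (T(pi, x), T(pi, r), rho[1], rho[2])
    if ch == 2:
        return (pi, [(a + b) % q for a, b in zip(x, r)], rho[0], rho[2])
    return (pi, r, rho[0], rho[1])


def zk_verify(P, v, rsp, ch, com):
    """ZKAoK.Verification: True iff the opened commitments are consistent with ch."""
    C1, C2, C3 = com
    if ch == 1:  # sees x and r only in permuted form; checks VALID membership
        tx, tr, rho2, rho3 = rsp
        return (in_valid(tx) and C2 == cmt("C2", tr, rho=rho2)
                and C3 == cmt("C3", [(a + b) % q for a, b in zip(tx, tr)], rho=rho3))
    if ch == 2:  # sees y = x + r; P y - v must equal the committed P r
        pi, y, rho1, rho3 = rsp
        Py_v = [(a - b) % q for a, b in zip(matvec(P, y), v)]
        return C1 == cmt("C1", pi, Py_v, rho=rho1) and C3 == cmt("C3", T(pi, y), rho=rho3)
    pi, r, rho1, rho2 = rsp  # ch == 3: sees r and pi, learns nothing about x
    return C1 == cmt("C1", pi, matvec(P, r), rho=rho1) and C2 == cmt("C2", T(pi, r), rho=rho2)


def fs_challenge(M, coms, aux, s):
    """Ch = H(M, {COM_g}, aux) in {1,2,3}^s; bytes >= 252 are rejected to avoid a mod-3 bias."""
    seed = hashlib.sha256(repr((M, list(coms), aux)).encode()).digest()
    digits, ctr = [], 0
    while len(digits) < s:
        for b in hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest():
            if b < 252 and len(digits) < s:
                digits.append(b % 3 + 1)
        ctr += 1
    return digits


def nizk_prove(P, v, x, M, aux, s, rng):
    """Non-interactive proof Pi = ({COM_g}, Ch, {RSP_g}) via Fiat-Shamir (Remark 1)."""
    rounds = [zk_commit(P, v, x, rng) for _ in range(s)]
    coms = [c for c, _ in rounds]
    ch = fs_challenge(M, coms, aux, s)
    return coms, ch, [zk_respond(ch[g], rounds[g][1], x) for g in range(s)]


def nizk_verify(P, v, proof, M, aux, s):
    coms, ch, rsps = proof
    if len(coms) != s or ch != fs_challenge(M, coms, aux, s):  # recompute Ch
        return False
    return all(zk_verify(P, v, rsps[g], ch[g], coms[g]) for g in range(s))


def make_instance(seed):
    """Constructed instance: random P, witness x in VALID, v = P x mod q."""
    rng = random.Random(seed)
    x = [1] * W + [0] * (L - W); rng.shuffle(x)
    P = [[rng.randrange(q) for _ in range(L)] for _ in range(D)]
    return P, matvec(P, x), x, rng


def self_check(seed=1):
    """Honest rounds, a tampered statement, a witness outside VALID, and the NIZK."""
    P, v, x, rng = make_instance(seed)
    com, st = zk_commit(P, v, x, rng)
    honest = all(zk_verify(P, v, zk_respond(c, st, x), c, com) for c in (1, 2, 3))
    v_bad = [(v[0] + 1) % q] + v[1:]                   # verifier given a wrong v
    tampered = zk_verify(P, v_bad, zk_respond(2, st, x), 2, com)
    x_bad = list(x); x_bad[x_bad.index(0)] = 1         # weight W+1: not in VALID
    com2, st2 = zk_commit(P, v, x_bad, rng)
    bad_witness = zk_verify(P, v, zk_respond(1, st2, x_bad), 1, com2)
    proof = nizk_prove(P, v, x, "msg", "aux", 20, rng)
    return {"honest": honest, "tampered_statement": tampered, "bad_witness": bad_witness,
            "nizk": nizk_verify(P, v, proof, "msg", "aux", 20),
            "nizk_other_msg": nizk_verify(P, v, proof, "other", "aux", 20)}
```

Each challenge opens two of the three commitments, so a prover who guesses the challenge in advance can always answer it: a wrong statement survives Ch = 1 and Ch = 3, and a witness outside VALID survives Ch = 2 and Ch = 3, which is where the per-round soundness error of 2/3 in Theorem 1 comes from and why s repetitions are needed. Because a hash commitment is only computationally hiding, this instantiation is computationally rather than statistically zero knowledge; the paper's lattice commitment is what gives the statistical guarantee.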

Theorem 1

[7]. The protocol described above is a statistical ZKAoK for the relation \(\mathcal {R}\) with soundness error 2/3 and perfect completeness having the communication cost \(\mathcal {O}(L \log q)\).

3 Our Nominative Signature Scheme

Communication Model: Informally speaking, our scheme involves a trusted authority together with nominees and nominators. The trusted authority generates the system parameters, public-secret key pairs of nominees and nominators. System parameters and public keys are made public and secret keys are sent secretly to the concerned parties by the trusted authority.

A nominee issues a signature Sig to the nominator. To generate Sig, the nominee first transforms a system of two equations into a single equation of the form \(\mathbf D _0\mathbf x _0+\mathbf D _1\mathbf x _1=\mathbf v \bmod q\). Using the decomposition-extension technique, this equation is then transformed into an equation \(\mathbf P {} \mathbf x =\mathbf v \bmod q\); the technique converts \([\mathbf x _0||\mathbf x _1]\) into a vector \(\mathbf x \) such that \(\mathbf x \in \mathsf{{VALID}}\). Finally, the nominee proves to the nominator in zero knowledge the possession of \(\mathbf x \in \mathsf{{VALID}}\) satisfying \(\mathbf P {} \mathbf x =\mathbf v \bmod q\).

After receiving the Sig from the nominee, the nominator verifies the validity of Sig and issues the nominative signature nsig. The verification of nsig can be done only by the nominee. Our scheme also involves a confirmation or disavowal protocol in which the nominee proves to the verifier in zero-knowledge the validity or the invalidity of the nominative signature nsig issued by the nominator.

Formally, our nominative signature NS = \(\{\) Setup, KeygenNR, KeygenNE, SignNE, SignNR, Verify, ConfOrDisav = (TMnominee, TMverifier)\(\}\) works as follows:

NS.Setup\({\mathbf {(\lambda )}}\rightarrow {\textsf {param}}\). Given a security parameter \(\lambda >0\), the key generation center (KGC) generates an integer n of size \(\mathcal {O}(\lambda )\), a prime modulus q of size \(\mathcal {O}(n^3)\) and an integer m such that \(m=2n+8n\lceil \log q \rceil >n\lceil \log q\rceil \). The KGC also chooses a real number \(\sigma \) of size \(\varOmega (\sqrt{l \log q}\log n)\), an error bound \(\beta =2\sigma \sqrt{m}\) and two cryptographically secure hash functions \(H_1:\{0,1\}^*\rightarrow \mathbb {Z}_q^n\), \(H:\{0,1\}^*\rightarrow \{1,2,3\}^s\) where s is of size \(\omega (\log n)\). Observe that \(\beta =2\sigma \sqrt{m}\ge \sigma \cdot \omega (\log m)\). The KGC publishes the system parameters \(\mathsf{{param}}=(n,q,m,\sigma ,\beta , H,H_1).\) Throughout, \(\sigma \) denotes the standard deviation of the discrete Gaussian distribution.

NS.KeygenNR(param, u) \(\rightarrow \) (\(\mathsf{{PK}}_{u}\), \(\mathsf{{SK}}_{u}\)). To generate the public-secret key pair of a nominator u, the KGC invokes TrapGen(n, m, q) \(\rightarrow \) (\(\mathbf A _u\), \(\mathsf{{T}}_\mathbf{A _u}\)) described in Lemma 1 in Sect. 2 and sets the public and secret key

$$\mathsf{{PK}}_{u}=\mathbf A _{u},~\mathsf{{SK}}_{u}=\mathsf{{T}}_\mathbf{A _{u}}$$

for u where \(\mathbf A _u \in \mathbb {Z}_q^{n \times m}\) and \(\mathsf{{T}}_\mathbf{A _{u}}\in \mathbb {Z}^{m \times m}\). The public key \(\mathsf{{PK}}_{u}\) is made public while the secret key \(\mathsf{{SK}}_u\) is sent secretly by the KGC to u.

NS.KeygenNE(param, v) \(\rightarrow \) (\(\mathsf{{pk}}_{v}\), \(\mathsf{{sk}}_{v}\)). The KGC runs TrapGen(n, m, q) \(\rightarrow \) (\(\mathbf B _v\), \(\mathsf{{T}}_\mathbf{B _v}\)) (see Lemma 1 in Sect. 2) to produce the public-secret key pair of a nominee v. It sets the public key and secret key

$$\mathsf{{pk}}_{v}=\mathbf B _v,~\mathsf{{sk}}_{v}=\mathsf{{T}}_\mathbf{B _v}$$

for v where \(\mathbf B _v \in \mathbb {Z}_q^{n \times m}\) and \(\mathsf{{T}}_\mathbf{B _{v}}\in \mathbb {Z}^{m \times m}\). The KGC makes \(\mathsf{{pk}}_{v}\) publicly available and sends \(\mathsf{{sk}}_{v}\) secretly to v.

NS.SignNE(param, \(\mathsf{{sk_{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M) \(\rightarrow \) (\(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\) = (\(\varPi \), \(\mathbf y _1\))). Let M be a message to be signed. A nominee NE performs the following steps using param = (n, q, m, \(\sigma \), \(\beta \), H, \(H_1)\), \(\mathsf{{sk_{NE}}}\) = \(\mathsf{{T}}_\mathbf{B _{\mathsf{{NE}}}}\), \(\mathsf{{pk_{NE}}}\) = \(\mathbf B _{\mathsf{{NE}}}\) and \(\mathsf{{PK_{NR}}}\) = \(\mathbf A _{\mathsf{{NR}}}\) to generate the signature \(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=(\varPi , \mathbf y _1)\) on M.

  1. (i)

    The nominee NE computes \(\mathbf y =H_1(M||\mathbf A _{\mathsf{{NR}}}||\mathbf B _{\mathsf{{NE}}}) \in \mathbb {Z}_q^n\) and generates a short vector \(\mathbf v \in \mathbb {Z}_q^{m}\) satisfying \(\mathbf B _{\mathsf{{NE}}}\cdot \mathbf v =\mathbf y \bmod q\) with \(||\mathbf v ||\le \sigma \sqrt{m}\) by running the algorithm SampleD(\(\mathsf{{T}}_\mathbf{B _{\mathsf{{NE}}}}\), \(\mathbf B _{\mathsf{{NE}}}\), \(\mathbf y \), \(\sigma \)) \(\rightarrow \) (\(\mathbf v \)) using the short basis \(\mathsf{{sk_{NE}}}=\mathsf{{T}}_\mathbf{B _{\mathsf{{NE}}}}\) given in Lemma 1 in Sect. 2. Note that \(||\mathbf v ||_\infty \le ||\mathbf v ||\le \sigma \sqrt{m}\le \beta \) as \(\beta =2 \sigma \sqrt{m}\).

  2. (ii)

    The nominee chooses a random number \(r_1 \in [-\beta ,\beta ]\) and sets

    $$\begin{aligned} \mathbf y _1=\mathbf B _{\mathsf{{NE}}}^t\cdot (r_1\mathbf y )+\mathbf v \bmod q \end{aligned}$$
    (1)

    where \(\mathbf B _{\mathsf{{NE}}}^t\) is the transpose of the matrix \(\mathbf B _{\mathsf{{NE}}}\). Note that, given (\(\mathbf y _1\), \(\mathbf B _{\mathsf{{NE}}}\), \(\mathbf y \)), recovering (\(r_1\), \(\mathbf v \)) from Eq. 1 is infeasible under the hardness of LWE.

  3. (iii)

    The nominee rewrites the system of the equations

    $$\mathbf B _{\mathsf{{NE}}}\cdot \mathbf v =\mathbf y \bmod q,$$
    $$\mathbf y _1=\mathbf B _{\mathsf{{NE}}}^t\cdot (r_1\mathbf y )+\mathbf v \bmod q$$

    into a single equation

    $$\begin{aligned} \mathbf D _0 \cdot \mathbf x _0+\mathbf D _1 \cdot \mathbf x _1=\mathbf b \bmod q \end{aligned}$$
    (2)

    with

    $$ \mathbf D _0=\begin{bmatrix} (\mathbf B _{\mathsf{{NE}}})_{n\times m}&\mathbf 0 _{n \times 1}\\ \mathbf 0 _{m \times m}&\mathbf 0 _{m\times 1} \end{bmatrix}, \mathbf D _1=\begin{bmatrix} \mathbf 0 _{n\times 1}&\mathbf 0 _{n \times m}\\ (\mathbf B _{\mathsf{{NE}}}^t\cdot \mathbf y )_{m \times 1}&\mathbf I _{m\times m} \end{bmatrix},$$
    $$ \mathbf x _0=\begin{bmatrix} \mathbf v _{m \times 1}\\ 0_{1 \times 1} \end{bmatrix}, \mathbf x _1=\begin{bmatrix} (r_1)_{1\times 1} \\ \mathbf v _{m \times 1} \end{bmatrix}, \mathbf b =\begin{bmatrix} \mathbf y _{n \times 1} \\ (\mathbf y _1)_{m \times 1} \end{bmatrix}$$

    where \(\mathbf I _{m \times m}\) is an identity matrix of size m.

  4. (iv)

    Let \(p=\lfloor \log _2 \beta \rfloor +1\). We define the sets \(B_{mp}^3\), \(\mathcal {S}_{3mp}\) as:

    \( B_{mp}^3=\{\mathbf{x }\in \{-1,0,1\}^{3mp}: \mathbf x \text { has exactly } mp \text { co-ordinates equal to } j \text { for } j=-1,0,1\}\),

    \(\mathcal {S}_{3mp}=\{\pi : \pi \text { is a permutation on } 3mp \text { length vectors}\}.\)

    Then \(\widehat{\mathbf{w }}\in B_{mp}^3 \Leftrightarrow \pi (\widehat{\mathbf{w }})\in B_{mp}^3\) for any permutation \(\pi \in \mathcal {S}_{3mp}\).

  5. (v)

    Eq. 2 is then converted by the nominee into an equation of the form \(\mathbf P {} \mathbf x =\mathbf b \bmod q\) as follows, using the algorithm Dec-Ext\(_{m,p}\) described in Fig. 1, which is the decomposition-extension technique of Ling et al. [8].

    Note that \(\mathbf x _0,\mathbf x _1\in [-\beta ,\beta ]^{m+1}\). The nominee NE generates

    \(\widehat{\mathbf{x }}_0 \in B_{(m+1)p}^3\leftarrow \mathsf{{Dec{\hbox {-}}Ext}}(\mathbf x _0),~ \widehat{\mathbf{x }}_1 \in B_{(m+1)p}^3 \leftarrow \mathsf{{Dec{\text {-}}Ext}}(\mathbf x _1)\) and sets

    \(\widehat{\mathbf{D }}_0=\mathbf D _0\cdot \widehat{\mathbf{K }}_{(m+1),\beta } \bmod q\in \mathbb {Z}_q^{(n+m)\times 3(m+1)p},\)

    \(\widehat{\mathbf{D }}_1=\mathbf D _1\cdot \widehat{\mathbf{K }}_{(m+1),\beta } \bmod q\in \mathbb {Z}_q^{(n+m)\times 3(m+1)p}\)

    where \(\widehat{\mathbf{K }}_{m+1,\beta }=[\mathbf K _{m+1,\beta }||\mathbf 0 ^{(m+1)\times 2(m+1)p}]\in \mathbb {Z}^{(m+1) \times 3(m+1)p}\),

    \(\mathbf K _{m+1,\beta }=\mathbf I _{(m+1)\times (m+1)}\otimes [\beta _1,\beta _2,\ldots ,\beta _p]\) and \(\widehat{\mathbf{x }}_i\in B_{(m+1)p}^3\) satisfies

    $$\begin{aligned} \widehat{\mathbf{K }}_{(m+1),\beta }\cdot \widehat{\mathbf{x }}_i=\mathbf x _i \end{aligned}$$
    (3)

    for \(i=0,1\) (see line 6 in Fig. 1). Next, the nominee sets \(\mathbf P =[\widehat{\mathbf{D }}_0||\widehat{\mathbf{D }}_1]\in \mathbb {Z}_q^{D\times L}\), \(\mathbf x =[\widehat{\mathbf{x }}_0||\widehat{\mathbf{x }}_1]^t \in \mathbb {Z}_q^L\) where \(L=6(m+1)p\) and \(D=n+m\). As \(\widehat{\mathbf{x }}_0, \widehat{\mathbf{x }}_1\in \mathbb {Z}_q^{\frac{L}{2}}\), \(\widehat{\mathbf{D }}_0, \widehat{\mathbf{D }}_1 \in \mathbb {Z}_q^{D\times \frac{L}{2}}\), we have

    $$\begin{aligned} \mathbf P {} \mathbf x&=\widehat{\mathbf{D }}_0 \cdot \widehat{\mathbf{x }}_0+\widehat{\mathbf{D }}_1 \cdot \widehat{\mathbf{x }}_1 =\mathbf D _0\cdot \widehat{\mathbf{K }}_{(m+1),\beta }\cdot \widehat{\mathbf{x }}_0+\mathbf D _1\cdot \widehat{\mathbf{K }}_{(m+1),\beta }\cdot \widehat{\mathbf{x }}_1\\&\qquad \qquad \quad =\mathbf D _0 \cdot \mathbf x _0+\mathbf D _1 \cdot \mathbf x _1 \quad {\text {(by Eq. 3)}} \\&\qquad \qquad \quad =\mathbf b \bmod q \quad {\text {(by Eq. 2)}} \end{aligned}$$

  6. (vi)

    Let \(\mathsf{{VALID}}=\{\mathbf{u }\in \{-1,0,1\}^L: \mathbf{u }=[\mathbf{u }_0||\mathbf{u }_1]^t \hbox { for some } \mathbf{u }_0, \mathbf{u }_1 \in B_{(m+1)p}^3\}\) and \(\mathcal {S}=\mathcal {S}_{3(m+1)p}\times \mathcal {S}_{3(m+1)p}.\) Then \(\mathbf x =[\widehat{\mathbf{x }}_0||\widehat{\mathbf{x }}_1]^t \in \mathsf{{VALID}}\) as \(\widehat{\mathbf{x }}_0 \in B_{(m+1)p}^3\), \(\widehat{\mathbf{x }}_1 \in B_{(m+1)p}^3\). Also for any randomly selected permutation \(\pi =(\pi _0,\pi _1)\in \mathcal {S}\) and vector \(\mathbf x =[\widehat{\mathbf{x }}_0||\widehat{\mathbf{x }}_1]^t\in \mathsf{{VALID}}\), the vector \(T_\pi (\mathbf x )=(\pi _0(\widehat{\mathbf{x }}_0), \pi _1(\widehat{\mathbf{x }}_1))\in \mathsf{{VALID}}\) and \(T_\pi (\mathbf x )~ \hbox {is uniform in} ~\mathsf{{VALID}}\) whenever \(\mathbf x =[\widehat{\mathbf{x }}_0||\widehat{\mathbf{x }}_1]^t\) is uniform in VALID.

Fig. 1. Algorithm Dec-Ext\(_{m,p}(\mathbf w )\) where \(p=\lfloor \log _2 \beta \rfloor +1\) and \(\mathbf w \in [-\beta , \beta ]^m\).

  1. (vii)

    The nominee NE invokes the algorithm ZKAoK described in Sect. 2.2 for the relation \(\mathcal {R}=\{(\mathbf P ,\mathbf b ) \in \mathbb {Z}_q^{D\times L} \times \mathbb {Z}_q^D,\mathbf x \in \mathsf{{VALID}}: \mathbf P \mathbf x =\mathbf b \bmod q\}\) to prove knowledge of the witness \(\mathbf x \) in a statistical zero-knowledge argument of knowledge, and generates the proof

    $$\varPi =(\{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s,~ \mathsf{{Ch}}, ~\{\mathsf{{RSP}}_\gamma \}_{\gamma =1}^s)$$

    where \(\mathsf{{COM}}_\gamma \leftarrow \) ZKAoK.Commitment(\(\mathbf P \), \(\mathbf b \), \(\mathbf x \)), \(\mathsf{{Ch}}=H(M, \{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s, \mathbf y _1) \in \{1,2,3\}^s\), \(\mathsf{{RSP}}_\gamma \leftarrow \) ZKAoK.Response(Ch[\(\gamma \)], \(\rho _1^{(\gamma )}\), \(\rho _2^{(\gamma )}\), \(\rho _3^{(\gamma )}\), \(\pi ^{(\gamma )}\), \(\mathbf r ^{(\gamma )}\), \(\mathbf x \)) where Ch[\(\gamma \)] is the \(\gamma \)-th digit of \(\mathsf{{Ch}}\in \{1,2,3\}^s\), \(s=\omega (\log n)\) and \(\rho _1^{(\gamma )}\), \(\rho _2^{(\gamma )}\), \(\rho _3^{(\gamma )}\), \(\pi ^{(\gamma )}\), \(\mathbf r ^{(\gamma )}\) are as selected by the nominee NE in the \(\gamma \)-th run of the algorithm ZKAoK.Commitment(\(\mathbf P \), \(\mathbf b \), \(\mathbf x \)) for \(\gamma =1,2,\ldots ,s\).

  2. (viii)

    Finally, the nominee NE sends the signature \(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\,=\,\)(\(\varPi \), \(\mathbf y _1\)) to the nominator NR over a public channel and stores \((r_1\), \(\mathbf v \), M, NR, \(\mathbf y _1\)) in its current state \(\mathsf{{state}}_{\mathsf{{NE}}}\), where \(\mathbf y _1\) serves as the identity of this particular session.
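As an added illustration (this is not code from the paper), the following Python walks through steps (ii) to (vi) of NS.SignNE on a constructed toy instance: it forms \(\mathbf y _1\) by Eq. 1, builds the blocks \(\mathbf D _0,\mathbf D _1,\mathbf x _0,\mathbf x _1,\mathbf b \) of Eq. 2, applies the decomposition-extension to obtain \(\widehat{\mathbf{x }}_0,\widehat{\mathbf{x }}_1\in B_{(m+1)p}^3\) and \(\widehat{\mathbf{K }}_{(m+1),\beta }\), and checks that \(\mathbf P \mathbf x =\mathbf b \bmod q\) holds with \(\mathbf x \in \mathsf{{VALID}}\) and that \(T_\pi \) preserves membership in VALID. Two things are assumptions rather than the paper's own text: TrapGen/SampleD are replaced by choosing a short \(\mathbf v \) first and setting \(\mathbf y =\mathbf B \mathbf v \bmod q\) in place of the hash value, and the weights \(\beta _j\) of \(\mathbf K _{m+1,\beta }\) follow Ling et al.'s rule \(\beta _j=\lceil (\beta -\beta _1-\cdots -\beta _{j-1})/2\rceil \), since Fig. 1 is not reproduced on this page. The names `decomp_weights`, `dec`, `dec_ext`, `in_b3`, `k_hat`, `build_eq2`, `build_px` and `demo` are the example's own.

```python
# Added example (not code from the paper): NS.SignNE steps (ii)-(vi) on a toy
# instance, in pure Python. Parameters are tiny and insecure; TrapGen/SampleD are
# replaced by choosing the short vector v first and setting y = B v (assumption).
import random

def matvec(M, x, q):
    """M*x mod q for an integer matrix M (list of rows) and vector x."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]

def matmul(A, B, q):
    """A*B mod q."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]

def decomp_weights(beta):
    """Ling et al. weights beta_1..beta_p, p = floor(log2 beta)+1, summing to
    beta (assumed form: beta_j = ceil((beta - beta_1 - ... - beta_{j-1}) / 2))."""
    weights, rest = [], beta
    for _ in range(beta.bit_length()):       # bit_length == floor(log2 beta)+1
        weights.append(-(-rest // 2))        # ceil(rest / 2)
        rest -= weights[-1]
    assert rest == 0
    return weights

def dec(w, weights):
    """Greedy decomposition of w in [-beta, beta] into digits d_j in {-1,0,1}
    with sum(d_j * beta_j) == w; the sign of w is carried on every digit."""
    sign, rest, digits = (1 if w >= 0 else -1), abs(w), []
    for bj in weights:
        take = rest >= bj
        digits.append(sign if take else 0)
        rest -= bj if take else 0
    assert rest == 0
    return digits

def dec_ext(x, beta):
    """Dec-Ext_{k,p}: x in [-beta,beta]^k -> x_hat in B^3_{kp}, a {-1,0,1}-vector
    of length 3kp with kp copies of each symbol, whose first kp entries are
    the digit decomposition of x (the extension pads each symbol up to kp)."""
    weights = decomp_weights(beta)
    kp = len(x) * len(weights)
    digits = [d for w in x for d in dec(w, weights)]
    return digits + [s for s in (-1, 0, 1) for _ in range(kp - digits.count(s))]

def in_b3(v):
    """Membership test for B^3_{kp}: length 3kp and kp copies of each symbol."""
    return len(v) % 3 == 0 and all(v.count(s) == len(v) // 3 for s in (-1, 0, 1))

def k_hat(k, beta):
    """K_hat_{k,beta} = [ I_k (x) [beta_1..beta_p] || 0_{k x 2kp} ]  (k x 3kp),
    so that K_hat * dec_ext(x) == x over the integers (Eq. 3)."""
    w = decomp_weights(beta)
    p = len(w)
    return [[0] * (i * p) + w + [0] * (3 * k * p - (i + 1) * p) for i in range(k)]

def build_eq2(B, v, r1, y, q):
    """Eq. 1 and the blocks of Eq. 2; returns (D0, D1, x0, x1, b)."""
    n, m = len(B), len(B[0])
    Bty = matvec(list(zip(*B)), y, q)                   # B^t y, length m
    y1 = [(r1 * Bty[i] + v[i]) % q for i in range(m)]   # Eq. 1
    D0 = [B[i] + [0] for i in range(n)] + [[0] * (m + 1) for _ in range(m)]
    D1 = [[0] * (m + 1) for _ in range(n)] + \
         [[Bty[i]] + [int(j == i) for j in range(m)] for i in range(m)]
    return D0, D1, v + [0], [r1] + v, y + y1

def build_px(B, v, r1, y, q, beta):
    """Step (v): carry Eq. 2 through Dec-Ext to P x = b mod q; returns P, x, b."""
    D0, D1, x0, x1, b = build_eq2(B, v, r1, y, q)
    K = k_hat(len(x0), beta)
    P = [r0 + r1_ for r0, r1_ in zip(matmul(D0, K, q), matmul(D1, K, q))]
    return P, dec_ext(x0, beta) + dec_ext(x1, beta), b

def demo():
    """Constructed toy instance (n=2, m=4, q=17, beta=3). Returns the checks
    (Eq. 2 holds, P x = b holds, x in VALID, T_pi(x) in VALID, D, L)."""
    rng = random.Random(7)
    n, m, q, beta = 2, 4, 17, 3
    B = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    v = [rng.randint(-beta, beta) for _ in range(m)]    # stands in for SampleD
    y = matvec(B, v, q)                                  # stands in for H_1(...)
    r1 = rng.randint(-beta, beta)
    D0, D1, x0, x1, b = build_eq2(B, v, r1, y, q)
    lhs = [(a + c) % q for a, c in zip(matvec(D0, x0, q), matvec(D1, x1, q))]
    P, x, _ = build_px(B, v, r1, y, q, beta)
    half = len(x) // 2
    pi0, pi1 = list(range(half)), list(range(half))
    for perm in (pi0, pi1):
        rng.shuffle(perm)
    tx = [x[i] for i in pi0] + [x[half + i] for i in pi1]   # T_pi(x), step (vi)
    return (lhs == b, matvec(P, x, q) == b,
            in_b3(x[:half]) and in_b3(x[half:]),
            in_b3(tx[:half]) and in_b3(tx[half:]), len(P), len(x))

if __name__ == "__main__":
    print(demo())   # (True, True, True, True, 6, 60)
```

With these toy parameters \(p=2\), so \(D=n+m=6\) and \(L=6(m+1)p=60\); the two identities checked by `demo` are exactly the chain \(\mathbf P \mathbf x =\mathbf D _0\widehat{\mathbf{K }}\widehat{\mathbf{x }}_0+\mathbf D _1\widehat{\mathbf{K }}\widehat{\mathbf{x }}_1=\mathbf D _0\mathbf x _0+\mathbf D _1\mathbf x _1=\mathbf b \bmod q\) of step (v). The last check is what step (vi) relies on: permuting each half of \(\mathbf x \) separately keeps it in VALID, which is what lets the ZKAoK of step (vii) reveal a permuted witness without revealing \(\mathbf x \) itself.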

NS.SignNR(param, \(\mathsf{{SK_{NR}}}\), \(\mathsf{{PK_{NR}}}\), \(\mathsf{{pk_{NE}}}\), M, \(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)) \(\rightarrow \) (\(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\) = (\(\mathbf z \), \(\mathbf y _1\))). On receiving the signature \(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\,=\,\)(\(\varPi \), \(\mathbf y _1\)) from the nominee NE, the nominator NR executes the following steps and issues a nominative signature \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=(\mathbf z \), \(\mathbf y _1)\) using \(\mathsf{{SK_{NR}}}\) = \(\mathsf{{T}}_\mathbf{A _{\mathsf{{NR}}}}\), \(\mathsf{{PK_{NR}}}\) = \(\mathbf A _{\mathsf{{NR}}}\) and \(\mathsf{{pk_{NE}}}=\mathbf B _{\mathsf{{NE}}}\).

  1. (i)

    The nominator NR computes \(\mathbf y =H_1(M||\mathbf A _{\mathsf{{NR}}}||\mathbf B _{\mathsf{{NE}}})\) and verifies the zero knowledge proof \(\varPi \) = (\(\{\mathsf{{COM}}_\gamma \}_{\gamma = 1}^s\), \(\mathsf{{Ch}}\), \(\{\mathsf{{RSP}}_\gamma \}_{\gamma = 1}^s\)) for the equation \(\mathbf P \mathbf x =\mathbf b \bmod q\) by computing \(\mathsf{{VRF}}_{\gamma }\leftarrow \) ZKAoK.Verification(\(\mathbf P \), \(\mathbf b \), \(\mathsf{{RSP}}_{\gamma }\), \(\mathsf{{Ch}}[\gamma ]\), \(\mathsf{{COM}}_{\gamma }\)) and checking whether \(\mathsf{{VRF}}_{\gamma }=1\) for all \(\gamma =1,2,\ldots ,s\), where \(\mathsf{{RSP}}_{\gamma }\), \(\mathsf{{Ch}}[\gamma ]\), \(\mathsf{{COM}}_{\gamma }\) are as defined in step (vi) of the algorithm NS.SignNE(param, \(\mathsf{{sk_{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M). Note that \(\mathbf P =[\widehat{\mathbf{D }}_0||\widehat{\mathbf{D }}_1]\) and \(\mathbf b =[\mathbf y ||\mathbf y _1]^t\) are publicly computable, since \(\mathbf y _1\) is extracted from \(\mathsf{{Sig}}_{M,\mathsf{{NE}}, \mathsf{{NR}}}\) and \(\mathsf{{pk_{NE}}}=\mathbf B _{\mathsf{{NE}}}\) is public, where \(\widehat{\mathbf{D }}_0=\mathbf D _0\cdot \widehat{\mathbf{K }}_{(m+1),\beta }\) and \(\widehat{\mathbf{D }}_1=\mathbf D _1\cdot \widehat{\mathbf{K }}_{(m+1),\beta }\). The witness \(\mathbf x =[\widehat{\mathbf{x }}_0||\widehat{\mathbf{x }}_1]^t\) is known only to the nominee NE.

  2. (ii)

    If the verification fails, the nominator NR aborts; otherwise the nominator NR finds a short vector

    $$\mathbf z \in \mathbb {Z}_q^m \hbox { satisfying } \mathbf A _{\mathsf{{NR}}}\cdot \mathbf z =\mathbf y _1 \bmod q \hbox { with } ||\mathbf z ||\le \sigma \sqrt{m}$$

    using the short basis \(\mathsf{{SK_{NR}}}\) = \(\mathsf{{T}}_\mathbf{A _{\mathsf{{NR}}}}\) following the algorithm SampleD(\(\mathsf{{T}}_\mathbf{A _{\mathsf{{NR}}}}\), \(\mathbf A _{\mathsf{{NR}}}\), \(\mathbf y _1\), \(\sigma \))\( \rightarrow \mathbf z \) as in Lemma 1 in Sect. 2 and issues the nominative signature \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=\,\)(\(\mathbf z \), \(\mathbf y _1\)).

NS.Verify(param, \(\mathsf{{state}}_{\mathsf{{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)) \( \in \{\mathsf{{valid}},\mathsf{{invalid}}\}\). This algorithm is executed by the nominee NE with its current internal state \(\mathsf{{state}}_{\mathsf{{NE}} }\) who on receiving \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=\,\)(\(\mathbf z \), \(\mathbf y _1\)) uses \(\mathsf{{PK_{NR}}}=\mathbf A _{\mathsf{{NR}}}\) and \(\mathsf{{pk_{NE}}}=\mathbf B _{\mathsf{{NE}}}\) to compute \(\mathbf y =H_1(M||\mathbf A _{\mathsf{{NR}}}||\mathbf B _{\mathsf{{NE}}})\) and verify whether

$$\mathbf y _1=\mathbf B _{\mathsf{{NE}}}^t\cdot (r_1\mathbf y )+\mathbf v \bmod q,~ \mathbf A _{\mathsf{{NR}}}\cdot \mathbf z =\mathbf y _1 \bmod q \hbox { and } ||\mathbf z ||\le \sigma \sqrt{m}$$

where the nominee NE extracts \(\mathbf v \), \(r_1\) from its internal secret state \(\mathsf{{state}}_{\mathsf{{NE}}}\) which contains \((r_1\), \(\mathbf v \), M, NR, \(\mathbf y _1\)). If the verification succeeds, it outputs valid; otherwise it returns invalid.

NS.ConfOrDisav = (TMnominee, TMverifier). This protocol consists of the following two algorithms:

  1. (i)

    TMnominee(param, \(\mathsf{{state}}_{\mathsf{{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)) \(\rightarrow (\mu ,\varPi _{\mathsf{{confORdisav}}})\). The nominee NE generates a proof

    $$\varPi _{\mathsf{{confORdisav}}}=(\{\mathsf{{COM}}_\gamma \}_{\gamma =1}^s, \mathsf{{Ch}}, \{\mathsf{{RSP}}_\gamma \}_{\gamma =1}^s)$$

    for the relations \(\mathbf B _{\mathsf{{NE}}}\cdot \mathbf v =\mathbf y \bmod q\), \(\mathbf B _{\mathsf{{NE}}}^t \cdot (r_1\mathbf y )+\mathbf v =\mathbf y _1 \bmod q\) by converting this system of equations into an equation of the form \(\mathbf D _0\mathbf x _0+\mathbf D _1\mathbf x _1=\mathbf b \bmod q\), which in turn is reduced to an equation of the form \(\mathbf P {} \mathbf x =\mathbf b \bmod q\) as explained in steps (iii) and (iv) respectively of the algorithm NS.SignNE, and then invoking the algorithm ZKAoK for the relation \(\mathcal {R}=\{(\mathbf P ,\mathbf b ) \in \mathbb {Z}_q^{D\times L} \times \mathbb {Z}_q^D,\mathbf x \in \mathsf{{VALID}}: \mathbf P \mathbf x =\mathbf b \bmod q\}\) as in step (vi) of the algorithm NS.SignNE. Note that \(\mathbf P =[\widehat{\mathbf{D }}_0||\widehat{\mathbf{D }}_1]\) and \(\mathbf b =[\mathbf y ||\mathbf y _1]^t\) are publicly computable from param, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=(\mathbf z \), \(\mathbf y _1)\) and \(\mathsf{{pk_{NE}}}=\mathbf B _{\mathsf{{NE}}}\). The witness \(\mathbf x =[\mathbf x _0||\mathbf x _1]^t\) is known only to the nominee NE, which derives it from the values \((r_1\), \(\mathbf v )\) kept in its current internal state \(\mathsf{{state}}_{\mathsf{{NE}}}\). It runs NS.Verify(param, \(\mathsf{{state}}_{\mathsf{{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)). If the output is valid, then it returns \((\mu =1,\varPi _{\mathsf{{confORdisav}}})\) to the verifier VR. Otherwise, it sends \((\mu =0,\varPi _{\mathsf{{confORdisav}}})\) to the verifier VR.

  2. (ii)

    TMverifier(param, \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\), \(\mu \), \(\varPi _{\mathsf{{confORdisav}}})\rightarrow \beta \). On receiving a pair \((\mu ,\varPi _{\mathsf{{confORdisav}}})\) from the nominee NE, the verifier VR checks the bit \(\mu \).

  • If \(\mu =1\), then it verifies the following.

    1. (a)

      \(\mathsf{{VRF}}_\gamma =1\) for all \(\gamma \) where \(\mathsf{{VRF}}_\gamma \leftarrow \) ZKAoK.Verification(\(\mathbf P \), \(\mathbf b \), \(\mathsf{{RSP}}_\gamma \), \(\mathsf{{Ch}}[\gamma ]\), \(\mathsf{{COM}}_\gamma \)). Here \(\mathbf P \), \(\mathbf b \) are computed by the verifier using param, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\) = (\(\mathbf z \), \(\mathbf y _1\)) and \(\mathsf{{pk_{NE}}}=\mathbf B _{\mathsf{{NE}}}\). Note that the witness \(\mathbf x \) is known only to the nominee NE.

    2. (b)

      \(\mathbf A _{\mathsf{{NR}}}\cdot \mathbf z =\mathbf y _1\) by extracting \(\mathbf z \), \(\mathbf y _1\) from nsig and using \(\mathsf{{PK_{NR}}}=\mathbf A _{\mathsf{{NR}}}\).

      If the verification succeeds, it outputs \(\beta =1\), indicating that the verifier VR accepts the confirmation proof \(\varPi _{\mathsf{{confORdisav}}}\) and is convinced in zero knowledge that the nominator is not a cheater. Otherwise it rejects the confirmation proof by returning \(\beta =0\), meaning that the verifier VR is not satisfied with the confirmation proof \(\varPi _{\mathsf{{confORdisav}}}\).

  • If the bit \(\mu =0\), then the verifier VR checks whether at least one of the conditions (a), (b) above is violated; if so, it accepts the disavowal proof \(\varPi _{\mathsf{{confORdisav}}}\) and is convinced in zero knowledge that the nominator NR is a cheater. Otherwise it rejects the disavowal proof and returns \(\beta =0\), indicating that the verifier VR is not convinced by the proof.

Correctness:

  • (\((n,q,m,\sigma ,\beta ,H,H_1)=\mathsf{{param}})\leftarrow \mathsf{{NS.Setup}}(\lambda )\),

  • \((\mathsf{{PK}}_{\mathsf{{NR}}}=\mathbf A _{\mathsf{{NR}}},\mathsf{{SK}}_{\mathsf{{NR}}}=\mathsf{{T}}_\mathbf{A _{\mathsf{{NR}}}})\leftarrow \mathsf{{NS.KeygenNR}}(\mathsf{{param}},\mathsf{{NR}})\),

  • \((\mathsf{{pk}}_{\mathsf{{NE}}}=\mathbf B _{\mathsf{{NE}}},\mathsf{{sk}}_{\mathsf{{NE}}}=\mathsf{{T}}_\mathbf{B _{\mathsf{{NE}}}}) \leftarrow \mathsf{{NS.KeygenNE}}(\mathsf{{param}},\mathsf{{NE}})\),

  • \((\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=(\varPi , \mathbf y _1))\leftarrow \) NS.SignNE(param, \(\mathsf{{sk_{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M) where \(\mathbf y _1=\mathbf B _{\mathsf{{NE}}}^t\cdot (r_1\mathbf y )+\mathbf v \bmod q\), \(r_1\in [-\beta ,\beta ]\), \(\mathbf v \in \mathbb {Z}_q^{m}\) is a short vector satisfying \(\mathbf B _{\mathsf{{NE}}}\cdot \mathbf v =\mathbf y \bmod q\) with \(||\mathbf v ||\le \sigma \sqrt{m}\),

  • \((\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}=(\mathbf z ,\mathbf y _1))\leftarrow \) NS.SignNR(param, \(\mathsf{{SK_{NR}}}\), \(\mathsf{{PK_{NR}}}\), \(\mathsf{{pk_{NE}}}\), M, \(\mathsf{{Sig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)) where \(\mathbf z \) satisfies the equation \(\mathbf A _{\mathsf{{NR}}}\cdot \mathbf z =\mathbf y _1 \bmod q\),

  • \( (\mu ,\varPi _{\mathsf{{confORdisav}}})\leftarrow \mathsf{{TMnominee}}(\mathsf{{param}}, \mathsf{{state}}_{\mathsf{{NE}}}, \mathsf{{pk_{NE}}}, \mathsf{{PK_{NR}}}, M, \mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}})\) where \(\mu \in \{0,1\}\) and \(\varPi _{\mathsf{{confORdisav}}} \leftarrow \mathsf{{NS.ConfOrDisav.TMnominee}}\) is a zero knowledge proof for the relation \(\mathcal {R}=\{(\mathbf P ,\mathbf b )\in \mathbb {Z}_q^{D\times L}\times \mathbb {Z}_q^D, \mathbf x \in \mathsf{{VALID}}:\mathbf P {} \mathbf x =\mathbf b \bmod q \}\).

If the nominee NE, the nominator NR and the verifier VR are honest then we have the following.

  1. (i)

    NS.Verify(param, \(\mathsf{{state}}_{\mathsf{{NE}}}\), \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\)) \(\rightarrow \mathsf{{valid}}\) as \(\mathbf A _{\mathsf{{NR}}} \cdot \mathbf z =\mathbf y _1 \bmod q\).

  2. (ii)

    NS.ConfOrDisav.TMverifier(param, \(\mathsf{{pk_{NE}}}\), \(\mathsf{{PK_{NR}}}\), M, \(\mathsf{{nsig}}_{M,\mathsf{{NE}},\mathsf{{NR}}}\), \(\mu \), \(\varPi _{\mathsf{{confORdisav}}}) \rightarrow (\beta =1)\).

4 Security

Threat Model. Security attributes of a nominative signature can be broadly classified into four categories –

(Unforgeability against malicious nominee) The nominee NE alone cannot produce a valid nominative signature where the nominee NE and the message M both are chosen by the nominator NR.

(Unforgeability against malicious nominator) The nominator NR alone cannot produce a valid nominative signature and cannot convince a verifier about the validity or invalidity of a nominative signature.

(Security against invisibility) Only the nominee NE can verify the nominative signature nsig.

(Security against repudiation) If the nominative signature nsig is valid, then the nominee NE cannot mislead a verifier VR by proving the invalidity of nsig to VR, and vice versa.

4.1 Oracles for Adversaries

An adversary \(\mathcal {A}\) invokes the following oracles accessible in the attack games and interacts with a stateful interface I who runs NS.Setup to generate param and maintains seven private lists: LcreateNR, LcreateNE, LcorruptNR, LcorruptNE, LsignNR, LsignNE, LconfORdisav.

  • CreateNR Query: When \(\mathcal {A}\) invokes this oracle on a nominator u, the interface I returns \(\mathsf{{PK}}_u\) to \(\mathcal {A}\) by running NS.KeygenNR(param, u) \(\rightarrow \) (\(\mathsf{{PK}}_u\), \(\mathsf{{SK}}_u\)). The interface I stores (\(\mathsf{{PK}}_u\), \(\mathsf{{SK}}_u\)) in the list LcreateNR.

  • CreateNE Query: In response to this query for a nominee v from \(\mathcal {A}\), the interface I runs NS.KeygenNE(param, v) \(\rightarrow \) (\(\mathsf{{pk}}_v\), \(\mathsf{{sk}}_v\)) and passes \(\mathsf{{pk}}_v\) to \(\mathcal {A}\). The interface stores the pair (\(\mathsf{{pk}}_v\), \(\mathsf{{sk}}_v\)) in the list LcreateNE.

  • CorruptNR Query: On receiving this query on a nominator u from \(\mathcal {A}\), the interface I checks whether \((\mathsf{{PK}}_u, \mathsf{{SK}}_u)\in \mathsf{{LcreateNR}}\). If not, it returns \(\perp \). Otherwise, I sends \(\mathsf{{SK}}_u\) to \(\mathcal {A}\) and stores \(\mathsf{{PK}}_u\) in the list LcorruptNR.

  • CorruptNE Query: In response to this query on a nominee v from \(\mathcal {A}\), the interface I checks whether \((\mathsf{{pk}}_v\), \(\mathsf{{sk}}_v)\in \mathsf{{LcreateNE}}\). If not, it returns \(\perp \). Otherwise, I returns (\(\mathsf{{sk}}_v\), \(\mathsf{{state}}_v\)) to \(\mathcal {A}\) and stores \(\mathsf{{pk}}_v\) in the list LcorruptNE. Here \(\mathsf{{state}}_v\) is the current internal secret state of the nominee v which is initially empty.

  • SignNE Query: On querying this oracle on a tuple (v, u, M) by \(\mathcal {A}\) where v is a nominee, u is a nominator and M is a message, the interface I checks whether \((\mathsf{{pk}}_{v}\), \(\mathsf{{sk}}_{v}) \in \mathsf{{LcreateNE}}\) and \((\mathsf{{PK}}_{u}\), \(\mathsf{{SK}}_{u}) \in \mathsf{{LcreateNR}}\). If not, I returns \(\perp \). Otherwise, I outputs the signature \(\mathsf{{Sig}}_{M,v,u}\leftarrow \) NS.SignNE(param, \(\mathsf{{sk}}_{v}\), \(\mathsf{{pk}}_{v}\), \(\mathsf{{PK}}_{u}\), M) of the nominee v on M and stores \((\mathsf{{Sig}}_{M,v,u}\), \(\mathsf{{state}}_{v})\) in the list LsignNE where \(\mathsf{{state}}_{v}\) is the current internal secret state of the nominee v.

  • SignNR Query: In response to this query on \(\mathsf{{Sig}}_{M,v,u}\) from \(\mathcal {A}\), the interface I verifies whether \((\mathsf{{Sig}}_{M,v,u}\), \(\mathsf{{state}}_{v}) \in \mathsf{{LsignNE}}\). If so, the interface I returns the nominative signature \(\mathsf{{nsig}}_{M,v,u}\leftarrow \) NS.SignNR(param, \(\mathsf{{SK}}_{u}\), \(\mathsf{{PK}}_{u}\), \(\mathsf{{pk}}_{v}\), M, \(\mathsf{{Sig}}_{M,v,u}\)) to \(\mathcal {A}\) and stores (\(\mathsf{{Sig}}_{M,v,u}\), \(\mathsf{{nsig}}_{M,v,u}\)) in the list LsignNR. Otherwise, I returns \(\perp \).

  • ConfOrDisav Query: On receiving this query on \(\mathsf{{nsig}}_{M,v,u}\) from \(\mathcal {A}\), the interface I responds by checking whether (\(\mathsf{{Sig}}_{M,v,u}\), \(\mathsf{{nsig}}_{M,v,u}\)) \(\in \) LsignNR. If not, I aborts. Otherwise, I extracts \(\mathsf{{state}}_{v}\) from \((\mathsf{{Sig}}_{M,v,u}\), \(\mathsf{{state}}_{v}) \in \) LsignNE and returns \((\mu ,\varPi _{\mathsf{{confORdisav}}})\leftarrow \) NS.ConfOrDisav.TMnominee(param, \(\mathsf{{state}}_{v}\), \(\mathsf{{pk}}_v\), \(\mathsf{{PK}}_u\), M, \(\mathsf{{nsig}}_{M,v,u}\)) to \(\mathcal {A}\). The interface I stores (\(\mathsf{{nsig}}_{M,v,u}\), \(\mu \), \(\varPi _{\mathsf{{confORdisav}}}\)) in the list LconfORdisav.

4.2 Security Model for Unforgeability Against Malicious Nominee

This is a security game \(\mathsf{{Exp_{\mathcal {F}}^{unforg}}}\) explained in Fig. 2 played between a forger \(\mathcal {F}\) and a simulator \(\mathcal {S}\).

Definition 6

(Unforgeability against malicious nominee). We say that a nominative signature is secure under unforgeability against malicious nominee if

$$\mathsf{{Adv_{\mathcal {F}}^{unforg}}}(\lambda )=\mathsf{{Prob}}[\mathsf{{Exp_{\mathcal {F}}^{unforg}}}(\lambda )=1]\le \mathsf{{negl}}(\lambda )$$

for every PPT adversary \(\mathcal {F}\) in the experiment \(\mathsf{{Exp_{\mathcal {F}}^{unforg}}}(\lambda )\) defined in Fig. 2 where \(\mathsf{{negl}}(\lambda )\) is a negligible function in \(\lambda \) i.e., negl(\(\lambda \)) = \(\lambda ^{-\omega (1)}\).

4.3 Security Model Under Unforgeability Against Malicious Nominator

Let \(\mathcal {F}\) be a forger and \(\mathcal {S}\) be a simulator. This security is modeled by the game \(\mathsf{{Exp_{\mathcal {F}}^{unforgNR}}}(\lambda )\) between \(\mathcal {F}\) and \(\mathcal {S}\) as provided in Fig. 3.

Definition 7

(Unforgeability against malicious nominator). We say that a nominative signature is secure against malicious nominator if

$$\mathsf{{Adv_{\mathcal {F}}^{unforgNR}}}(\lambda )=\mathsf{{Prob}}[\mathsf{{Exp_{\mathcal {F}}^{unforgNR}}}(\lambda )=1]\le \mathsf{{negl}}(\lambda )$$

for every PPT adversary \(\mathcal {F}\) in the experiment \(\mathsf{{Exp_{\mathcal {F}}^{unforgNR}}}(\lambda )\) defined in Fig. 3 and \(\mathsf{{negl}}(\lambda )\) is a negligible function of \(\lambda \).

5 Security Model Against Invisibility

Let \(\mathcal {D}\) be a distinguisher and \(\mathcal {C}\) be the challenger. The invisibility game \(\mathsf{{Exp_{\mathcal {D}}^{invis}}}(\lambda ,b)\) is described in Fig. 4.

Fig. 2. Security game \(\mathsf{{Exp_{\mathcal {F}}^{unforg}}}(\lambda )\) under unforgeability against malicious nominee.

Definition 8

(Security against invisibility). A nominative signature scheme is secure under invisibility if

$$\mathsf{{Adv_{\mathcal {D}}^{invis}}}(\lambda )=|\mathsf{{Prob}}[\mathsf{{Exp_{\mathcal {D}}^{invis}}}(\lambda ,0)]-\mathsf{{Prob}}[\mathsf{{Exp_{\mathcal {D}}^{invis}}}(\lambda ,1)]|\le \mathsf{{negl}}(\lambda )$$

for every PPT adversary in the experiment \(\mathsf{{Exp_{\mathcal {D}}^{invis}}}(\lambda ,b)\) defined in Fig. 4 where \(b\in \{0,1\}\) and \(\mathsf{{negl}}(\lambda )\) is a negligible function in \(\lambda \).

Remark 2

In the above security game (Fig. 2), if the SignNR query is made more than once on \(\mathsf{{Sig}}_{M^*, \mathsf{{NE}}, \mathsf{{NR}}}^\prime \), then the adversary can compute a nominator’s signature as follows:

Suppose an adversary has queried SignNR on \(\mathsf{{Sig}}_{M^*, \mathsf{{NE}}, \mathsf{{NR}}}^\prime \) two or more times. Then the adversary holds \(\mathbf A _{\mathsf{{NR}}} \cdot \mathbf z _1=\mathbf y _1 \bmod q\) and \(\mathbf A _{\mathsf{{NR}}} \cdot \mathbf z _2=\mathbf y _1 \bmod q\), which gives the adversary \(\mathbf A _{\mathsf{{NR}}} \cdot (\mathbf z _1+\mathbf z _2)/2=\mathbf y _1 \bmod q\). As q is a prime, 2 is invertible in \(\mathbb {Z}_q\). Thus the adversary has another signature \(\mathsf{{nsig}}_{M^*, \mathsf{{NE}}, \mathsf{{NR}}}=(\mathbf z _1+\mathbf z _2)/2\).

Fig. 3. Security game \(\mathsf{{Exp_{\mathcal {F}}^{unforgNR}}}(\lambda )\) under security against malicious nominator.

Fig. 4. Security game \(\mathsf{{Exp_{\mathcal {D}}^{invis}}}(\lambda ,b)\) against invisibility.

5.1 Security Model for Non-repudiation

Let \(\mathcal {A}\) be a cheating nominee and \(\mathcal {C}\) be the challenger. The corresponding security game \(\mathsf{{Exp_{\mathcal {A}}^{rep}}}(\lambda )\) is described in Fig. 5.

Definition 9

(Non-repudiation). A nominative signature scheme satisfies non-repudiation if

$$\mathsf{{Adv_{\mathcal {A}}^{rep}}}(\lambda )=\mathsf{{Prob}}[\mathsf{{Exp_{\mathcal {A}}^{rep}}}(\lambda )=1]\le \mathsf{{negl}}(\lambda )$$

for every PPT adversary in the experiment \(\mathsf{{Exp_{\mathcal {A}}^{rep}}}(\lambda )\) defined in Fig. 5 and \(\mathsf{{negl}}(\lambda )\) is a negligible function of \(\lambda \).

Fig. 5. Security game \(\mathsf{{Exp_{\mathcal {A}}^{rep}}}(\lambda )\) under non-repudiation.

Theorem 2

Assuming the hardness of the SIS search problem, the construction of our nominative signature scheme NS = \(\{\) Setup, KeygenNR, KeygenNE, SignNE, SignNR, Verify, ConfOrDisav = (TMnominee, TMverifier)\(\}\) described in Sect. 3 is secure under unforgeability against malicious nominee as per Definition 6 for the security game given in Fig. 2.

Theorem 3

Assuming the hardness of the SIS search problem, the construction of our nominative signature scheme NS = \(\{\) Setup, KeygenNR, KeygenNE, SignNE, SignNR, Verify, ConfOrDisav = (TMnominee, TMverifier)\(\}\) described in Sect. 3 is secure in the random oracle model under unforgeability against malicious nominator as per Definition 7 for the security game given in Fig. 3.

Theorem 4

Assuming the hardness of decisional SIS and LWE, the construction of our nominative signature scheme NS = \(\{\) Setup, KeygenNR, KeygenNE, SignNE, SignNR, Verify, ConfOrDisav = (TMnominee, TMverifier)\(\}\) described in Sect. 3 is secure under invisibility as per Definition 8 for the security game given in Fig. 4.

Theorem 5

Our nominative signature scheme is secure against repudiation by the nominee if no PPT cheating nominee has a non-negligible advantage in the security game given in Fig. 5.

Proof

By the soundness property of the proof system, the verifier accepts a vector \(\mathbf x \notin \mathsf{{VALID}}\) with probability at most \(\epsilon \in [0,1/2)\), while for any \(\mathbf x \in \mathsf{{VALID}}\) the verifier rejects with probability at most \(\epsilon \in [0,1/2)\).

Proofs of all the above Theorems 2, 3 and 4 will be given in the full version of the paper.