1 Introduction

Proxy re-signature was proposed by Blaze, Bleumer, and Strauss [1]. In a proxy re-signature scheme, a semi-trusted proxy is given some information that allows it to transform Alice’s signature into Bob’s signature on the same message, but the proxy cannot generate signatures for Alice or Bob on its own. In [1], the first proxy re-signature scheme was constructed and proven to be multi-use and bidirectional. However, the proxy re-signature primitive received little attention until 2005, when Ateniese and Hohenberger [2] formalized the definition of security and illustrated the applications of proxy re-signature schemes. The following properties are taken into account in a proxy re-signature scheme.

  1. Unidirectional: the proxy can only turn Alice’s signatures into Bob’s signatures; the reverse is not possible;

  2. Multi-use: a signature can be re-signed many times;

  3. Private Proxy: re-signature keys are kept secret;

  4. Transparent: we cannot distinguish the re-signatures from the original signatures;

  5. Key optimal: a user is only required to store a constant amount of secret data;

  6. Non-interactive: the delegatee does not participate in the generation of the proxy re-signature key;

  7. Non-transitive: the re-signing rights cannot be re-delegated by the proxy;

  8. Unlinkable: a re-signature cannot be linked to the one from which it was generated.

In [2], three proxy re-signature schemes were proposed: the first one is multi-use and bidirectional with a private re-signature key; the second one is single-use and unidirectional with a public re-signature key; the third one is single-use and unidirectional with a private re-signature key. The possible applications of a re-signature scheme may include space-efficient proofs, management of group signatures, and simplification of certificate management. However, it remained an open problem to design a multi-use unidirectional re-signature scheme. To solve this problem, Libert and Vergnaud [3] proposed two multi-use and unidirectional schemes with a private re-signature key based on the l-FlexDH assumption (in the random oracle model and the standard model, respectively). However, we are confronted with two open problems: one is to construct a multi-use unidirectional proxy re-signature scheme under standard hardness assumptions; the other is to reduce the size of signatures and the verification costs. Sunitha and Amberker [4] proposed another multi-use unidirectional proxy re-signature scheme, but the scheme only obtains forward security, and hence is not provably secure. Sunitha [5] constructed a proxy signature scheme that translates Alice’s Schnorr/ElGamal/RSA signature to Bob’s RSA signature, but failed to prove the security. Shao et al. [6] proposed the first multi-use bidirectional proxy re-signature scheme in the standard model and extended it to the ID-based case. Shao et al. [7] proposed the first unidirectional identity-based proxy re-signature scheme in the random oracle model based on Schnorr’s signature and the Libert-Vergnaud proxy re-signature. Shao et al. [8] analyzed and improved the previous security model [2] and gave a unidirectional proxy re-signature scheme to meet the new security model. Yang et al. [9] first defined the security model for threshold proxy re-signature schemes, and then proposed two threshold proxy re-signature schemes based on the Ateniese-Hohenberger and the Shao-Cao-Wang-Liang approaches. However, the four proposals were built from the intractability assumptions for factoring large integers or solving discrete logarithms. Thus, they are not secure in the quantum setting and hence it is meaningful to construct a proxy re-signature scheme secure in the quantum setting.

As an important class of post-quantum cryptography, lattice cryptography has attracted more and more attention in the cryptographic literature in recent years due to its elegant cryptographic properties. First, lattice cryptography only involves linear operations on small integers, and hence results in an asymptotically low computational complexity. Second, its security is supported by worst-case to average-case equivalence connections. Since the first proposals of a provably secure lattice signature scheme and a lattice IBE scheme due to Gentry et al. [10], we have witnessed a rapid development of lattice cryptography. Many lattice schemes have been constructed, such as lattice-based public key encryption schemes [11,12,13,14], identity-based encryption schemes [10, 15,16,17], fully homomorphic encryption [18,19,20,21], lattice-based signature schemes [10, 22] and signature schemes with particular properties [23,24,25].

1.1 Contributions

We aim at the open problems left by Libert and Vergnaud, working over lattices. In our scheme, the proxy re-signature key is generated by the Gaussian Sample algorithm. First, given two public keys \( pk_{1} = \varvec{A}_{1} \), \( pk_{2} = \varvec{A}_{2} \) of users 1 and 2 and the secret key of user 2, we use the Gaussian Sample algorithm to generate the proxy re-signature key \( \varvec{S}_{1 \to 2} \), such that \( \varvec{A}_{2} \varvec{S}_{1 \to 2} = \varvec{A}_{1} \bmod q \). Second, given an original signature \( \varvec{e}_{1} \) of user 1, the re-signature is \( \varvec{e}_{2} = \varvec{S}_{1 \to 2} \varvec{e}_{1} \). We know that the proxy re-signature key \( \varvec{S}_{1 \to 2} \) has two properties: (1) its norm is small; (2) its distribution is statistically close to a Gaussian distribution. Then the distribution of the re-signature is statistically close to a Gaussian distribution and its norm is also small. Thus, the proxy re-signature has the same properties as the original signature.

1.2 Organization

In Sect. 2, we formalize the related notations, review the definitions of lattice and Gaussian distribution, introduce the lattice basis delegation technique, and define the Small Integer Solution hardness assumption on which the security of our scheme is based. We describe the definition and security model of a Proxy Re-Signature scheme in Sect. 3. In Sect. 4, we propose a Multi-Use Unidirectional Proxy Re-Signature scheme based on lattices in the random oracle model. The scheme in the standard model is constructed in Sect. 5. Finally, the conclusion is given in Sect. 6.

2 Preliminaries

2.1 Notation

We denote the set of real numbers by \( {\mathbb{R}} \) and the set of integers by \( {\mathbb{Z}} \). Vectors are written as bold italic lower-case letters, e.g. \( \varvec{x} \). The i-th component of \( \varvec{x} \) is denoted by \( x_{i} \). Matrices are written as bold italic capital letters, e.g. \( \varvec{X} \), and the i-th column vector of a matrix \( \varvec{X} \) is denoted \( \varvec{x}_{i} \). The Euclidean (\( l_{2} \)) norm of a vector \( \varvec{x} \) is denoted as \( \left\| \varvec{x} \right\|_{2} = \sqrt {\left\langle {\varvec{x},\varvec{x}} \right\rangle } = \sqrt {\sum\limits_{i = 1}^{n} {x_{i}^{2} } } \). Generally, we abbreviate \( \left\| \varvec{x} \right\|_{2} \) as \( \left\| \varvec{x} \right\| \). The length of a matrix is defined as the norm of the longest column, namely, \( \left\| \varvec{X} \right\| = \max_{i} \left\| {\varvec{x}_{i} } \right\| \), for \( 1 \le i \le k \).

2.2 Lattice

Let \( \varvec{B} = \left\{ {\varvec{b}_{1} , \cdots ,\varvec{b}_{m} } \right\} \in {\mathbb{R}}^{m \times m} \) be an \( m \times m \) matrix whose columns are linearly independent vectors \( \varvec{b}_{1} , \cdots ,\varvec{b}_{m} \in {\mathbb{R}}^{m} \). The \( m \)-dimensional lattice \( \Lambda \) generated by \( \varvec{B} \) is

$$ \Lambda = {\mathcal{L}}\left( \varvec{B} \right) = \left\{ {\varvec{y} \in {\mathbb{R}}^{m} \;\;\text{s.t.}\;\;\exists \varvec{x} \in {\mathbb{Z}}^{m} ,\;\;\varvec{y} = \varvec{Bx} = \sum\limits_{i = 1}^{m} {x_{i} \varvec{b}_{i} } } \right\} $$
(1)

Here, we focus on integer lattices, i.e., \( {\mathcal{L}} \) is contained in \( {\mathbb{Z}}^{m} \).

Definition 1.

For q prime, \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), \( \varvec{u} \in {\mathbb{Z}}_{q}^{n} \), define:

$$ \Lambda _{q}^{ \bot } \left( \varvec{A} \right): = \left\{ {\varvec{e} \in {\mathbb{Z}}^{m} \;\;\text{s.t.}\;\;\varvec{Ae} = \varvec{0}\left( {\bmod q} \right)} \right\} $$
(2)
$$ \Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right): = \left\{ {\varvec{e} \in {\mathbb{Z}}^{m} \;\;\text{s.t.}\;\;\varvec{Ae} = \varvec{u}\left( {\bmod q} \right)} \right\} $$
(3)

Observe that if \( \varvec{t} \in\Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right) \), then \( \Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right) =\Lambda _{q}^{ \bot } \left( \varvec{A} \right) + \varvec{t} \), hence \( \Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right) \) is a shift of \( \Lambda _{q}^{ \bot } \left( \varvec{A} \right) \).

Lemma 1

[26]. Let \( q \ge 3 \) be odd and \( m = \left\lceil {6n\log q} \right\rceil \). There is a probabilistic polynomial-time algorithm TrapGen(q, n) that outputs two matrices \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \) and \( \varvec{T} \in {\mathbb{Z}}_{q}^{m \times m} \) such that \( \varvec{A} \) is statistically close to a uniform matrix in \( {\mathbb{Z}}_{q}^{n \times m} \) and \( \varvec{T} \) is a basis for \( \Lambda _{q}^{ \bot } \left( \varvec{A} \right) \) satisfying \( \left\| {\tilde{\varvec{T}}} \right\| \le O\left( {\sqrt {n\log q} } \right) \) and \( \left\| \varvec{T} \right\| \le O\left( {n\log q} \right) \) with all but negligible probability in n.

2.3 Discrete Gaussians

We briefly recall Discrete Gaussian Distributions over lattices.

For any positive parameter \( \sigma > 0 \) define the Gaussian function on \( {\mathbb{R}}^{m} \) centered at \( \varvec{c} \):

$$ \forall \varvec{x} \in {\mathbb{R}}^{m} ,\quad \rho_{{\sigma ,\varvec{c}}} \left( \varvec{x} \right) = \exp \left( { - \pi \left\| {\varvec{x} - \varvec{c}} \right\|^{2} / \sigma^{2} } \right) $$
(4)

For any \( \varvec{c} \in {\mathbb{R}}^{m} \), real \( \sigma > 0 \), and an m-dimensional lattice \( \Lambda \), define the Discrete Gaussian Distribution over \( \Lambda \) as:

$$ \forall \varvec{x} \in {\mathbb{R}}^{m} ,\quad D_{{\Lambda ,\sigma ,\varvec{c}}} \left( \varvec{x} \right) = \frac{{\rho_{{\sigma ,\varvec{c}}} \left( \varvec{x} \right)}}{{\rho_{{\sigma ,\varvec{c}}} \left(\Lambda \right)}} = \frac{{\rho_{{\sigma ,\varvec{c}}} \left( \varvec{x} \right)}}{{\sum\nolimits_{{\varvec{x} \in\Lambda }} {\rho_{{\sigma ,\varvec{c}}} \left( \varvec{x} \right)} }} $$
(5)

Lemma 2

[10]. Let \( q \ge 2 \) and a matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), \( m > n \). Let \( \varvec{T}_{\varvec{A}} \) be a basis for \( \Lambda _{q}^{ \bot } \left( \varvec{A} \right) \), \( \sigma \ge \left\| {\tilde{\varvec{T}}_{\varvec{A}} } \right\| \cdot \omega \left( {\sqrt {\log m} } \right) \). Then for \( \varvec{c} \in {\mathbb{R}}^{m} \), \( \varvec{u} \in {\mathbb{Z}}_{q}^{n} \):

  1. \( \Pr \left[ {\varvec{x} \sim D_{{\Lambda_{q}^{ \bot } \left( \varvec{A} \right),\sigma }} :\left\| \varvec{x} \right\| > \sigma \sqrt m } \right] \le negl\left( n \right) \).

  2. There is a polynomial-time algorithm SampleGaussian \( \left( {\varvec{A},\varvec{T}_{\varvec{A}} ,\sigma ,\varvec{c}} \right) \) that returns \( \varvec{x} \in\Lambda _{q}^{ \bot } \left( \varvec{A} \right) \) drawn from a distribution statistically close to \( D_{{\Lambda _{q}^{ \bot } \left( \varvec{A} \right),\sigma ,\varvec{c}}} \).

  3. There is a polynomial-time algorithm SamplePre \( \left( {\varvec{A},\varvec{T}_{\varvec{A}} ,\varvec{u},\sigma } \right) \) that returns \( \varvec{x} \in\Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right) \) sampled from a distribution statistically close to \( D_{{\Lambda _{q}^{\varvec{u}} \left( \varvec{A} \right),\sigma ,\varvec{c}}} \).

Definition 2.

For any \( m \)-dimensional lattice \( \Lambda \) and positive real \( \epsilon > 0 \), the smoothing parameter \( \eta_{\epsilon } \) is the smallest real \( \sigma > 0 \) such that \( \rho_{1/\sigma } (\Lambda^{*} \backslash \{ 0\} ) \le \epsilon \).

Lemma 3

[27]. Let \( \Lambda \subseteq {\mathbb{Z}}^{m} \) be a lattice and \( \sigma \in {\mathbb{R}} \). For \( i = 1, \cdots ,k \), \( \varvec{v}_{i} \in {\mathbb{Z}}^{m} \) and let \( X_{i} \) be mutually independent random variables sampled from \( D_{{\Lambda + \varvec{v}_{i} ,\sigma }} \). Let \( \varvec{c} = \left( {c_{1} , \cdots ,c_{k} } \right) \in {\mathbb{Z}}^{k} \), and define \( g: = \gcd \left( {c_{1} , \cdots ,c_{k} } \right) \), and \( \varvec{v}: = \sum\nolimits_{i = 1}^{k} {c_{i} \varvec{v}_{i} } \). Suppose that \( \sigma > \left\| \varvec{c} \right\| \cdot \eta_{\epsilon } \left( \Lambda \right) \) for some negligible \( \epsilon \). Then \( Z = \sum\nolimits_{i = 1}^{k} {c_{i} X_{i} } \) is statistically close to \( D_{{g\Lambda + \varvec{v},\left\| \varvec{c} \right\|\sigma }} \).

Definition 3.

We say that a matrix \( \varvec{A} \) in \( {\mathbb{Z}}^{m \times m} \) is \( {\mathbb{Z}}_{q} \)-invertible if \( \varvec{A}\bmod q \) is invertible as a matrix in \( {\mathbb{Z}}_{q}^{m \times m} \).

Algorithm 1.

[16] \( {\text{Sample}}\varvec{S}\left( {1^{m} } \right) \)

Let \( \sigma_{\varvec{s}} = O\left( {\sqrt {n\log q} } \right) \cdot \omega \left( {\log m} \right) \cdot \sqrt m \)

  1. Let \( \varvec{T}_{0} \) be the canonical basis of the lattice \( {\mathbb{Z}}^{m} \);

  2. For \( i = 1, \cdots ,m \) do \( \varvec{s}_{i} \xleftarrow{R}{\text{SampleGaussian}}\left( {{\mathbb{Z}}^{m} ,\varvec{T}_{0} ,\sigma_{\varvec{s}} ,\varvec{0}} \right) \);

  3. If \( \varvec{S} \) is \( {\mathbb{Z}}_{q} \)-invertible, output \( \varvec{S} \); otherwise repeat step 2.

2.4 The SIS Problem

In this section, we recall the Small Integer Solution problem, which is essentially the knapsack problem over elements in \( {\mathbb{Z}}_{q}^{n} \). We focus on the \( l_{2} - {\text{SIS}}_{q,n,m,\beta } \) problem.

Definition 4

(\( l_{2} - {\text{SIS}}_{q,n,m,\beta } \) problem). Given an integer \( q \), a random matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \) and a real \( \beta \), find a vector \( \varvec{v} \in {\mathbb{Z}}^{m} \backslash \{ 0\} \) such that \( \varvec{Av} = \varvec{0}\bmod q \) and \( ||\varvec{v}|| \le \beta \).

The following lemma shows that the \( l_{2} - {\text{SIS}}_{q,n,m,\beta } \) problem is as hard as approximating certain worst-case problems on lattices.

Lemma 4

[10]. For any poly-bounded \( m \), \( \beta = poly(n) \) and for any prime \( q \ge \beta \cdot \omega (\sqrt {n\log n} ) \), the average-case problem \( l_{2} - {\text{SIS}}_{q,n,m,\beta } \) is as hard as approximating the SIVP problem in the worst-case to within certain \( \gamma = \beta \cdot \tilde{O}(\sqrt n ) \).

Lemma 5

[16]. Let \( q > 2 \), \( m > 2n\log q \) and \( \sigma > ||\tilde{\varvec{T}}_{\varvec{A}} || \cdot \omega (\sqrt {\log 2m} ) \). Then there exists a polynomial-time algorithm \( SampleBasisLeft(\varvec{A},\varvec{M},\varvec{T}_{\varvec{A}} ) \) that takes \( \varvec{A},\varvec{M} \in {\mathbb{Z}}_{q}^{n \times m} \) and a basis \( \varvec{T}_{\varvec{A}} \) of \( \Lambda _{q}^{ \bot } (\varvec{A}) \) as inputs and outputs a basis \( \varvec{T}_{\varvec{F}} \) of \( \Lambda_{q}^{ \bot } (\varvec{F}) \) with \( ||\tilde{\varvec{T}}_{\varvec{A}} || = ||\tilde{\varvec{T}}_{\varvec{F}} || \), where \( \varvec{F} = (\varvec{A}|\varvec{M}) \).

3 Proxy Re-Signature: Definition and Security Model

3.1 Definition of Unidirectional Proxy Re-Signature

In this section we recall the definition of unidirectional proxy re-signature schemes. A unidirectional proxy re-signature scheme for L levels consists of five algorithms (KeyGen, ReKeyGen, Sign, ReSign, Verify).

KeyGen: This algorithm takes as input a security parameter n and returns a user’s private/public key pair (sk, pk).

ReKeyGen: This algorithm takes as input user i’s public key \( pk_{i} \), user \( j \)’s private key \( sk_{j} \) and returns a re-signature key \( rk_{i \to j} \) that allows translating i’s signatures into \( j \)’s signatures. The re-signature key \( rk_{i \to j} \) is secret.

Sign: This algorithm takes as input a message \( \mu \), a private key \( sk_{i} \), an integer \( l \in \left[ L \right] \) and returns a signature \( \theta \) on behalf of user \( i \) at level \( l \).

ReSign: This algorithm takes as input public parameters, a level \( l \) signature \( \theta \) for message \( \mu \) from user \( i \), a re-signature key \( rk_{i \to j} \) and checks that \( \theta \) is valid. If so, it returns a signature \( \theta^{\prime} \) which verifies at level \( l + 1 \) under public key \( pk_{j} \).

Verify: This algorithm takes as input public parameters, an integer \( l \in \left[ L \right] \), a message \( \mu \), a signature \( \theta^{\prime} \), a public key \( pk_{j} \) and returns 0 or 1.

Here, we explain why the definition contains the level. Suppose that, in a proxy re-signature scheme, we can distinguish the re-signatures from the original signatures. Without loss of generality, we say that the original signatures are Bob’s first-level signatures and the re-signatures are Bob’s second-level signatures. We know that Alice and the proxy can produce Bob’s re-signatures (second-level signatures). It is then a security concern whether the first-level signatures can be generated by Alice and the proxy. If we cannot distinguish the re-signatures from the original signatures, i.e. the first-level signatures and second-level signatures are indistinguishable, the level is not considered.

3.2 Security Model of Unidirectional Proxy Re-Signature

The security model of unidirectional proxy re-signature of [2] considers the following notions termed as external and internal security.

External Security: This is security against adversaries other than the proxy and the delegation partners. Formally, for the security parameter n and all probabilistic polynomial-time adversaries \( {\mathcal{A}} \):

$$ \begin{aligned} \Pr [\{ (pk_{i} ,sk_{i} ) & \leftarrow KeyGen(1^{n} )\}_{{i \in \left[ {1,k} \right]}} , \\ & \quad \quad \quad \;(t,\mu ,\theta ) \leftarrow {\mathcal{A}}^{{{\mathcal{O}}_{sign} \left( { \cdot , \cdot } \right),{\mathcal{O}}_{resign} \left( { \cdot , \cdot , \cdot , \cdot } \right)}} (\{ pk_{i} \}_{{i \in \left[ {1,k} \right]}} ): \\ & \quad \quad \quad \;Verify(pk_{t} ,\mu ,\theta ) = 1 \wedge (1 \le t \le k) \wedge (t,\mu ,\theta ) \notin Q] < 1/poly\left( n \right) \\ \end{aligned} $$
(6)

where the oracle \( {\mathcal{O}}_{sign} \) takes as input an index \( i \in \left[ {1,k} \right] \) and a message \( \mu \in M \) and outputs a signature \( \theta \leftarrow Sign\left( {sk_{i} ,\mu } \right) \). The oracle \( {\mathcal{O}}_{resign} \) takes as input two distinct indices \( 1 \le i,j \le k \), a message \( \mu \) and a signature \( \theta \) and outputs a re-signature \( \theta^{\prime} \leftarrow ReSign\left( {rk_{i \to j} ,pk_{i} ,\theta ,\mu } \right) \). Let \( Q \) denote the set of tuples \( \left( {t,\mu ,\theta } \right) \) where \( {\mathcal{A}} \) obtained a signature \( \theta \) on \( \mu \) under public key \( pk_{t} \) by querying \( {\mathcal{O}}_{sign} \) on \( \left( {t,\mu } \right) \) or \( {\mathcal{O}}_{resign} \left( { \cdot ,t,\mu , \cdot } \right) \).

Internal Security: This notion protects against collusion attacks (dishonest proxies and colluding delegation partners). The model contains three security guarantees.

  1. Limited Proxy: This notion protects the honest delegator and delegatee, namely, the proxy cannot forge the signatures of the delegatee or delegator unless the message was first signed by one of the latter’s delegates. Formally, for the security parameter n and all probabilistic polynomial-time adversaries \( {\mathcal{A}} \):

$$ \begin{aligned} \Pr [\{ (pk_{i} ,sk_{i} ) & \leftarrow KeyGen(1^{n} )\}_{{i \in \left[ {1,k} \right]}} , \\ & \quad \quad \quad \;(t,\mu ,\theta ) \leftarrow {\mathcal{A}}^{{{\mathcal{O}}_{sign} \left( { \cdot , \cdot } \right),{\mathcal{O}}_{rekey} \left( { \cdot , \cdot } \right)}} (\{ pk_{i} \}_{{i \in \left[ {1,k} \right]}} ): \\ & \quad \quad \quad \;Verify(pk_{t} ,\mu ,\theta ) = 1 \wedge (1 \le t \le k) \wedge (t,\mu ) \notin Q] < 1/poly\left( n \right) \\ \end{aligned} $$
(7)

where the oracle \( {\mathcal{O}}_{sign} \) takes as input an index \( i \in \left[ {1,k} \right] \) and a message \( \mu \in M \) and outputs a signature \( \theta \leftarrow Sign\left( {sk_{i} ,\mu } \right) \). The oracle \( {\mathcal{O}}_{rekey} \) takes as input two distinct indices \( 1 \le i,j \le k \) and outputs the re-signature key \( rk_{i \to j} \leftarrow ReKey\left( {pk_{i} ,pk_{j} ,sk_{j} } \right) \). Let \( Q \) denote the set of tuples \( \left( {t,\mu } \right) \) where \( {\mathcal{A}} \) obtained a signature on \( \mu \) under public key \( pk_{t} \) or under one of its delegate keys by querying \( {\mathcal{O}}_{sign} \).

  2. Delegatee Security: This notion protects the delegatee, i.e., it guards against a collusion attack by the delegator and the proxy. We associate the index 0 to the delegatee. Formally, for the security parameter n and all probabilistic polynomial-time adversaries \( {\mathcal{A}} \):

$$ \begin{aligned} \Pr [\{ (pk_{i} ,sk_{i} ) & \leftarrow KeyGen(1^{n} )\}_{{i \in \left[ {1,k} \right]}} , \\ & \quad \quad \quad \;(\mu ,\theta ) \leftarrow {\mathcal{A}}^{{{\mathcal{O}}_{sign} \left( {0, \cdot } \right),{\mathcal{O}}_{rekey} \left( { \cdot ,{ \star }} \right)}} (pk_{0} ,\{ pk_{i} ,sk_{i} \}_{{i \in \left[ {1,k} \right]}} ): \\ & \quad \quad \quad \;Verify(pk_{0} ,\mu ,\theta ) = 1 \wedge (\mu ,\theta ) \notin Q] < 1/poly\left( n \right) \\ \end{aligned} $$
(8)

where and \( Q \) is the set of pairs \( \left( {\mu ,\theta } \right) \) such that \( {\mathcal{A}} \) queried \( {\mathcal{O}}_{sign} \left( {0,\mu } \right) \) and obtained \( \theta \).

  3. Delegator Security: This notion protects the delegator, i.e., it guards against a collusion attack by the delegatee and the proxy. That is, there are distinguishable signatures for a user based on whether she used her strong secret key or her weak secret key. The colluding delegatee and proxy cannot produce strong signatures (first-level signatures) on her behalf. We associate the index 0 to the delegator. Formally, for the security parameter n and all probabilistic polynomial-time adversaries \( {\mathcal{A}} \):

$$ \begin{aligned} \Pr [\{ (pk_{i} ,sk_{i} ) & \leftarrow KeyGen(1^{n} )\}_{{i \in \left[ {1,k} \right]}} , \\ & \quad \quad \quad (\mu ,\theta ) \leftarrow {\mathcal{A}}^{{{\mathcal{O}}_{sign} \left( {0, \cdot } \right),{\mathcal{O}}_{rekey} \left( { \cdot , \cdot } \right)}} (pk_{0} ,\{ pk_{i} ,sk_{i} \}_{{i \in \left[ {1,k} \right]}} ): \\ & \quad \quad \quad Verify(pk_{0} ,\mu ,\theta ) = 1 \wedge (\mu ,\theta ) \notin Q] < 1/poly\left( n \right) \\ \end{aligned} $$
(9)

where \( \theta \) is a first-level signature and \( Q \) is the set of pairs \( \left( {\mu ,\theta } \right) \) such that \( {\mathcal{A}} \) queried \( {\mathcal{O}}_{sign} \left( {0,\mu } \right) \) and obtained \( \theta \).

4 Multi-use Unidirectional Proxy Re-Signature Scheme from Lattice in the Random Oracle Model

4.1 Our Construction

In this section, we use the signature scheme of Gentry, Peikert, and Vaikuntanathan [10] to construct a multi-use unidirectional proxy re-signature scheme. Let \( n \) be a security parameter, and \( q \ge \beta \cdot \omega (\log n) \) for \( \beta = poly(n) \). Let \( m \ge 2n\log q \) and let the Gaussian parameter be \( \sigma \ge O(\sqrt {n\log q} ) \cdot \omega (\sqrt {\log n} ) \). There is a collision-resistant secure hash function \( H \) that maps \( \{ 0,1\}^{*} \) to \( {\mathbb{Z}}_{q}^{n} \). Our scheme consists of the following algorithms.

KeyGen: On input the security parameter \( n \), run \( TrapGen\left( {q,n} \right) \) to generate a random rank \( n \) matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \) and a trapdoor basis \( \varvec{T} \) of \( \Lambda _{q}^{ \bot } \left( \varvec{A} \right) \) such that \( \left\| {\tilde{\varvec{T}}} \right\| \le O\left( {\sqrt {n\log q} } \right) \). Let the trapdoor function \( f_{\varvec{A}} \left( \varvec{x} \right) = \varvec{Ax}\bmod q \). The public key is \( pk = \varvec{A} \), the secret key is \( sk = \varvec{T} \).

Re-Signature Key Generation: The input consists of the public keys of users A and B, \( pk_{A} = \varvec{A} \), \( pk_{B} = \varvec{B} \), and a secret key \( sk_{B} = \varvec{T}_{B} \). Let \( \varvec{A} = \left( {\varvec{a}_{1} ,\varvec{a}_{2} , \cdots ,\varvec{a}_{m} } \right)^{T} \), where \( \varvec{a}_{i} \in {\mathbb{Z}}_{q}^{n} \). For every \( \varvec{a}_{i} \), \( i = 1,2, \cdots ,m \), use the preimage sampling algorithm \( SamplePre(\varvec{B},\varvec{T}_{B} ,\varvec{a}_{i} ,\sigma ) \) to sample a vector \( \varvec{s}_{i} \) such that \( \varvec{Bs}_{i} = \varvec{a}_{i} \bmod q \) and \( \left\| {\varvec{s}_{i} } \right\| \le \sigma \sqrt m \). Let \( \varvec{S}_{A \to B} = \left( {\varvec{s}_{1} ,\varvec{s}_{2} , \cdots ,\varvec{s}_{m} } \right) \in {\mathbb{Z}}^{m \times m} \), then \( \varvec{BS}_{A \to B} = \varvec{A}\bmod q \) and \( \left\| {\varvec{S}_{A \to B} } \right\| \le \sigma \sqrt m \). Output the re-signature key \( rk_{A \to B} = \varvec{S}_{A \to B} \).

Sign: The first-level signature: on input a secret key \( sk = \varvec{T} \) and a message \( \mu \), do:

  1. Choose a random vector \( r \in \left\{ {0,1} \right\}^{*} \) and compute \( \varvec{u} = H\left( {\mu \,||\,r} \right) \in {\mathbb{Z}}_{q}^{n} \);

  2. Use the preimage sampling algorithm \( SamplePre(\varvec{A},\varvec{T},\varvec{u},\sigma ) \) to sample a vector \( \varvec{e} \) such that \( \varvec{Ae} = \varvec{u}\bmod q \) and \( \left\| \varvec{e} \right\| \le \sigma \sqrt m \);

  3. Output \( \left( {\varvec{e},r} \right) \) as the signature for message \( \mu \).

The i-level signature: on input a secret key \( sk = \varvec{T} \) and a message \( \mu \), do:

  1. Choose a random vector \( r \in \left\{ {0,1} \right\}^{*} \) and compute \( \varvec{u} = H\left( {\mu \,||\,r} \right) \in {\mathbb{Z}}_{q}^{n} \);

  2. Use the preimage sampling algorithm \( SamplePre(\varvec{A},\varvec{T},\varvec{u},\sigma^{i} m^{(i - 1)/2} ) \) to sample a vector \( \varvec{e} \) such that \( \varvec{Ae} = \varvec{u}\bmod q \) and \( \left\| \varvec{e} \right\| \le \sigma^{i} m^{i/2} \);

  3. Output \( \left( {\varvec{e},r} \right) \) as the signature for message \( \mu \).

Re-Signature: On input a re-signature key \( rk_{A \to B} = \varvec{S}_{A \to B} \), a public key \( pk_{A} = \varvec{A} \), a message \( \mu \) and a first-level signature \( \left( {\varvec{e}_{A} ,r} \right) \), check that \( \varvec{Ae}_{A} = \varvec{u}\bmod q \), where \( \varvec{u} = H\left( {\mu \,||\,r} \right) \), and that \( \left\| {\varvec{e}_{A} } \right\| \le \sigma \sqrt m \). If \( \varvec{e}_{A} \) is not a signature for \( \mu \), output \( \bot \); otherwise compute the re-signature \( \varvec{e}_{B} = \varvec{S}_{A \to B} \varvec{e}_{A} \). The pair \( \left( {\varvec{e}_{B} ,r} \right) \) is the re-signature for \( A \to B \).

The algorithm ReSign can transform an l-level signature into an (l + 1)-level signature in the same way as it produces a first-level re-signature.

Verify: On input a public key \( pk_{B} = \varvec{B} \), a message \( \mu \) and a re-signature \( \left( {\varvec{e}_{B} ,r} \right) \) for \( A \to B \), output 1 if \( \varvec{Be}_{B} = \varvec{u}\bmod q \) and \( \left\| {\varvec{e}_{B} } \right\| \le \sigma^{2} m \); otherwise output 0.

4.2 Security and Good Properties

Theorem 1

(Multi-use). The scheme is multi-use correct.

Proof:

Consider the users \( 1, \cdots ,k \). Suppose \( \left( {\varvec{e}_{1} ,r} \right) \) is a valid signature of user 1, i.e., \( \varvec{A}_{1} \varvec{e}_{1} = H\left( {\mu \,||\,r} \right)\bmod q \) and \( \left\| {\varvec{e}_{1} } \right\| \le \sigma \sqrt m \). The re-signature procedure is performed from user 1 to user k through users 2 to k − 1. The re-signature procedure is as follows:

$$ \begin{aligned} \varvec{e}_{k} & = \varvec{S}_{k - 1 \to k} \varvec{e}_{k - 1} = \varvec{S}_{k - 1 \to k} \varvec{S}_{k - 2 \to k - 1} \varvec{e}_{k - 2} \\ & = \cdots = \varvec{S}_{k - 1 \to k} \varvec{S}_{k - 2 \to k - 1} \cdots \varvec{S}_{1 \to 2} \varvec{e}_{1} \\ \end{aligned} $$
(10)

The verification procedure by the public key \( \varvec{A}_{k} \) of user k is as follows:

$$ \begin{aligned} \varvec{A}_{k} \varvec{e}_{k} & = \varvec{A}_{k} \varvec{S}_{k - 1 \to k} \varvec{S}_{k - 2 \to k - 1} \cdots \varvec{S}_{1 \to 2} \varvec{e}_{1} \\ & = \varvec{A}_{k - 1} \varvec{S}_{k - 2 \to k - 1} \cdots \varvec{S}_{1 \to 2} \varvec{e}_{1} \\ & = \cdots = \varvec{A}_{1} \varvec{e}_{1} \\ & = \varvec{u}\bmod q \\ \end{aligned} $$
(11)

and

$$ \begin{aligned} \left\| {\varvec{e}_{k} } \right\| & = \left\| {\varvec{S}_{k - 1 \to k} \varvec{S}_{k - 2 \to k - 1} \cdots \varvec{S}_{1 \to 2} \varvec{e}_{1} } \right\| \\ & \le \left\| {\varvec{S}_{k - 1 \to k} } \right\| \cdots \left\| {\varvec{S}_{1 \to 2} } \right\|\left\| {\varvec{e}_{1} } \right\| \\ & \le \sigma^{k} m^{k/2} \\ \end{aligned} $$
(12)

Therefore, the scheme is multi-use correct.
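The chain in Eqs. (10)-(12) can be replayed numerically; the following is an added example, not code from the paper. Assumptions: toy parameters; TrapGen and SamplePre are not implemented, so keys are chained by sampling a small \( {\mathbb{Z}}_{q} \)-invertible \( \varvec{S}_{i \to i + 1} \) and setting \( \varvec{A}_{i} = \varvec{A}_{i + 1} \varvec{S}_{i \to i + 1} \bmod q \), the target \( \varvec{u} \) is set to \( \varvec{A}_{1} \varvec{e}_{1} \bmod q \) instead of \( H(\mu \,||\,r) \), a rounded Gaussian stands in for the discrete Gaussian, and all function names are hypothetical.

```python
import math
import random

Q, N, M, SIGMA = 257, 4, 32, 8.0   # constructed toy parameters, far below secure sizes

def sample_vec(rng, sigma=SIGMA, m=M):
    # Assumption: a rounded continuous Gaussian stands in for D_{Z^m, sigma}.
    # rho_sigma(x) = exp(-pi*|x|^2/sigma^2) has per-coordinate std sigma/sqrt(2*pi).
    std = sigma / math.sqrt(2 * math.pi)
    return [round(rng.gauss(0.0, std)) for _ in range(m)]

def norm(v):
    return math.sqrt(sum(x * x for x in v))

def mat_vec(A, v, q=None):
    # Matrix-vector product over the integers, reduced mod q when q is given.
    out = [sum(a * x for a, x in zip(row, v)) for row in A]
    return [x % q for x in out] if q else out

def mat_mul_mod(A, S, q):
    cols = list(zip(*S))
    return [[sum(a * s for a, s in zip(row, col)) % q for col in cols] for row in A]

def invertible_mod_q(S, q):
    # Gaussian elimination over Z_q (q prime): full rank <=> Z_q-invertible.
    W = [[x % q for x in row] for row in S]
    m = len(W)
    for c in range(m):
        piv = next((r for r in range(c, m) if W[r][c]), None)
        if piv is None:
            return False
        W[c], W[piv] = W[piv], W[c]
        inv = pow(W[c][c], -1, q)
        for r in range(c + 1, m):
            f = W[r][c] * inv % q
            if f:
                W[r] = [(x - f * y) % q for x, y in zip(W[r], W[c])]
    return True

def sample_S(rng):
    # Shape of Algorithm 1: m Gaussian columns, retried until Z_q-invertible.
    # Assumption: width SIGMA is used so that column norms stay below sigma*sqrt(m).
    while True:
        cols = [sample_vec(rng) for _ in range(M)]
        S = [list(row) for row in zip(*cols)]      # columns -> row-major matrix
        if invertible_mod_q(S, Q):
            return S

def build_chain(k, rng):
    # A_k uniform; A_i = A_{i+1} S_{i->i+1} mod q gives the ReKeyGen relation
    # B S_{A->B} = A mod q for every neighbouring pair without any trapdoor.
    A = {k: [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]}
    rk = {}
    for i in range(k - 1, 0, -1):
        rk[i] = sample_S(rng)                      # S_{i -> i+1}
        A[i] = mat_mul_mod(A[i + 1], rk[i], Q)
    return A, rk

def bound(level):
    return SIGMA ** level * M ** (level / 2)       # sigma^l * m^(l/2), as in Eq. (12)

def verify(A, u, e, level):
    return mat_vec(A, e, Q) == u and norm(e) <= bound(level)

def resign(S, A_from, u, e, level):
    if not verify(A_from, u, e, level):
        return None                                # the scheme's "output ⊥"
    return mat_vec(S, e)                           # e' = S e over Z, valid at level+1

def demo(k=4, seed=1):
    rng = random.Random(seed)
    A, rk = build_chain(k, rng)
    e1 = sample_vec(rng)
    u = mat_vec(A[1], e1, Q)                       # stands in for H(mu || r)
    chain = [e1]
    for i in range(1, k):
        chain.append(resign(rk[i], A[i], u, chain[-1], i))
    tampered = [chain[-1][0] + 1] + chain[-1][1:]
    return {
        "levels_ok": [verify(A[i + 1], u, e, i + 1) for i, e in enumerate(chain)],
        "norms": [norm(e) for e in chain],
        "level2_within_level1_bound": norm(chain[1]) <= bound(1),
        "tampered_ok": verify(A[k], u, tampered, k),
        "wrong_key_ok": verify(A[1], u, chain[-1], k),
        "resign_rejects_invalid": resign(rk[1], A[1], u, tampered, 1) is None,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `level2_within_level1_bound` entry shows that a re-signed vector no longer meets the first-level norm bound, which is why Verify takes the level as an input.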

In the following, we analyze the other properties.

Theorem 2.

In the random oracle model, the scheme is secure under the \( {\text{SIS}}_{q,n,m,\beta } \) assumption. More precisely, given a random rank \( n \) matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), if finding a non-zero vector \( \varvec{v} \) such that \( \varvec{Av} = \varvec{0}\bmod q \) and \( \left\| \varvec{v} \right\| \le \beta \) is hard, then the scheme is secure.

Proof:

We argue security in two parts, i.e., the external security and the internal security.

External Security: For security, we assume there is a probabilistic polynomial-time adversary \( {\mathcal{A}} \) which breaks this guarantee with non-negligible probability \( \varepsilon \) after making at most \( q_{H} \) hash queries, \( q_{s} \) signature queries and \( q_{rs} \) re-signature queries. We use \( {\mathcal{A}} \) to construct a polynomial-time simulator \( {\mathcal{B}} \) that solves the \( {\text{SIS}}_{q,n,m,\beta } \) problem.

System Parameters: On input a random matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), the simulator \( {\mathcal{B}} \) outputs a non-zero vector \( \varvec{v} \) such that \( \varvec{Av} = \varvec{0}\bmod q \) and \( \left\| \varvec{v} \right\| \le \beta \).

Public keys: When \( {\mathcal{A}} \) asks for the creation of user \( i \in \left\{ {1, \cdots ,\upkappa} \right\} \), \( {\mathcal{B}} \) needs to prepare \( \upkappa \) public keys \( \varvec{A}_{1} , \cdots ,\varvec{A}_{\upkappa} \). The procedure is as follows:

  (i) Let \( \varvec{A} = \varvec{A}_{t} \). \( {\mathcal{B}} \) uses the algorithm \( Sample\varvec{S}\left( {1^{m} } \right) \) to sample \( t - 1 \) matrices \( \varvec{S}_{t - 1 \to t} , \cdots ,\varvec{S}_{1 \to 2} \) and computes \( \varvec{A}_{t - 1} = \varvec{A}_{t} \varvec{S}_{t - 1 \to t} \bmod q, \cdots ,\varvec{A}_{1} = \varvec{A}_{2} \varvec{S}_{1 \to 2} \bmod q \).

  (ii) \( {\mathcal{B}} \) uses \( TrapGen\left( {1^{n} } \right) \) to generate \( \upkappa - t \) public/secret key pairs \( \left( {\varvec{A}_{i} ,\varvec{T}_{i} } \right) \), \( i = t + 1, \cdots ,\upkappa \).

In the following, \( {\mathcal{B}} \) must answer the random oracle \( H \), the signature oracle \( {\mathcal{O}}_{sign} \) and the re-signature oracle \( {\mathcal{O}}_{resign} \). \( {\mathcal{B}} \) simulates these oracles as follows:

Hash queries: \( {\mathcal{B}} \) maintains a list of tuples \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) which is called the \( H \) list. For each query to \( H \), if \( \left( {\mu_{k} ,r_{k} } \right) \) is in the \( H \) list, then \( {\mathcal{B}} \) returns \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). Otherwise, if \( i > t \), compute \( \varvec{u}_{k} = H\left( {\mu_{k} ||r_{k} } \right) \) and use the secret key \( \varvec{T}_{i} \) to sample a vector \( \varvec{e}_{k} \leftarrow SamplePre(\varvec{A}_{i} ,\varvec{T}_{i} ,\varvec{u}_{k} ,\sigma_{i} ) \), store \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). If \( i \le t \), sample \( \varvec{e}_{k} \leftarrow D_{{{\mathbb{Z}}^{m} ,s_{i} }} \) and compute \( \varvec{u}_{k} = \varvec{A}_{i} \varvec{e}_{k} \bmod q \), store \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \).

Signature queries: For each query to \( {\mathcal{O}}_{sign} \) on input \( \left( {i,(\mu_{k} ,r_{k} )} \right) \), we assume that \( \mu_{k} \) has already been queried on the random oracle \( H \). \( {\mathcal{B}} \) looks up \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) in the \( H \) list and returns \( \varvec{e}_{k} \) to \( {\mathcal{A}} \).

Re-Signature queries: For each query to \( {\mathcal{O}}_{resign} \) on input \( \left( {i,j,\left( {\mu_{k} ,r_{k} } \right),\varvec{e}_{k} } \right) \), if \( j > t \), compute re-signature key \( rk_{i \to j} = \varvec{S}_{i \to j} \) by the Re-Signature key generation algorithm and compute \( \varvec{e^{\prime}}_{k} = \varvec{S}_{i \to j} \varvec{e}_{k} \), and then return \( \varvec{e^{\prime}}_{k} \) to \( {\mathcal{A}} \). Otherwise, if \( j \le t \), compute \( rk_{i \to j} = \varvec{S}_{i \to j} = \varvec{S}_{j - 1 \to j} \cdots \varvec{S}_{i \to i + 1} \) and \( \varvec{e^{\prime}}_{k} = \varvec{S}_{i \to j} \varvec{e}_{k} \), and then return \( \varvec{e^{\prime}}_{k} \) to \( {\mathcal{A}} \).

Forgery: Without loss of generality, we assume that \( {\mathcal{A}} \) selects \( \varvec{A}_{t} \) as the challenge public key (the probability is \( 1/\upkappa \)) before outputting its forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \) and querying \( H \) on \( \mu^{*} \). Finally, \( {\mathcal{A}} \) outputs forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \).

We now analyze the simulation. First, for each distinct query \( \left( {\mu ,r} \right) \) to \( H \), the value \( \varvec{u} \) returned by \( {\mathcal{B}} \) is \( \varvec{u} = f_{\varvec{A}} \left( \varvec{e} \right) = \varvec{Ae}\bmod q \), where \( \varvec{e} \leftarrow D_{{{\mathbb{Z}}^{m} ,s}} \). Because the distribution of \( \varvec{u} \) is uniform, it is identical to the uniformly random value of \( H\left( {\mu \,||\,r} \right) \) in the real system. Second, for each query \( \left( {\mu ,r} \right) \) to \( {\mathcal{O}}_{sign} \), \( {\mathcal{B}} \) returns a single value \( \varvec{e} \leftarrow D_{{{\mathbb{Z}}^{m} ,s}} \) such that \( f_{\varvec{A}} \left( \varvec{e} \right) = H\left( {\mu \,||\,r} \right) \). In the real system, signature queries on \( \mu \) are answered by a single value with the same distribution, produced by the algorithm SamplePre. Third, for each query to \( {\mathcal{O}}_{resign} \), we know that the re-signature key used in answering \( {\mathcal{O}}_{resign} \) queries is indistinguishable from that in the real system, so the answers to the \( {\mathcal{O}}_{resign} \) queries are statistically close to the view of the real system. Thus we claim that the simulation of \( {\mathcal{B}} \) is identical to the real system.

When \( {\mathcal{A}} \) outputs forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \), \( {\mathcal{B}} \) looks up \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}_{{\mu^{*} }} } \right) \) in the \( H \) list and outputs \( \varvec{v} = \varvec{e}_{{\mu^{*} }} - \varvec{e}^{*} \) as the solution of the \( {\text{SIS}}_{q,n,m,\beta } \) problem \( \varvec{Av} = \varvec{0}\bmod q \). Because \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \) and \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}_{{\mu^{*} }} } \right) \) are both the signatures of \( \mu^{*} \), then

$$ \varvec{A}_{t} \varvec{e}^{*} \bmod q = H\left( {\mu^{*} ||r^{*} } \right)\bmod q = \varvec{A}_{t} \varvec{e}_{{\mu^{*} }} \bmod q \tag{13} $$

Therefore, we obtain \( \varvec{A}_{t} \left( {\varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} } \right) = \varvec{0}\bmod q \). Since \( \left\| {\varvec{e}^{*} } \right\| \), \( \left\| {\varvec{e}_{{\mu^{*} }} } \right\| \le \sigma \sqrt m \) and \( \varvec{e}^{*} \ne \varvec{e}_{{\mu^{*} }} \), we have \( \left\| {\varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} } \right\| \le 2\sigma \sqrt m \) and \( \varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} \ne \varvec{0} \).
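The public-key chain of step (i) and the re-signature oracle of this simulation can be checked numerically. The following Python sketch is an added example, not code from the paper: the toy parameters, the uniform \( \{ -1,0,1\} \) sampler standing in for both \( Sample\varvec{S} \) and \( D_{{{\mathbb{Z}}^{m} ,s}} \), and all function names are assumptions made for illustration.

```python
import random

Q, N, M = 97, 3, 8   # constructed toy parameters, far too small for any security

def matmul(X, Y, mod=None):
    """Product of two matrices given as lists of rows; reduced mod `mod` if set."""
    cols = list(zip(*Y))
    out = [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in X]
    return [[v % mod for v in row] for row in out] if mod else out

def matvec(X, v, mod=None):
    out = [sum(a * b for a, b in zip(row, v)) for row in X]
    return [x % mod for x in out] if mod else out

def short_matrix(rng):
    """Assumed stand-in for SampleS: m x m integer matrix with entries in {-1,0,1}."""
    return [[rng.randint(-1, 1) for _ in range(M)] for _ in range(M)]

def simulate_chain(A_t, t, rng):
    """Step (i): A_i = A_{i+1} S_{i->i+1} mod q for i = t-1, ..., 1."""
    keys, hops = {t: A_t}, {}
    for i in range(t - 1, 0, -1):
        hops[i] = short_matrix(rng)                # S_{i -> i+1}
        keys[i] = matmul(keys[i + 1], hops[i], Q)
    return keys, hops

def resign_key(hops, i, j):
    """rk_{i->j} = S_{j-1->j} ... S_{i->i+1}, over the integers (no reduction)."""
    S = hops[i]
    for h in range(i + 1, j):
        S = matmul(hops[h], S)
    return S

def hash_oracle(A_i, rng):
    """Programmed H for i <= t: pick a short e first, then define u = A_i e mod q."""
    e = [rng.randint(-1, 1) for _ in range(M)]
    return matvec(A_i, e, Q), e

def verify(A, u, e, beta_sq):
    """One matrix-vector product plus a norm check, whatever the signature level."""
    return matvec(A, e, Q) == u and sum(x * x for x in e) <= beta_sq

def check_levels(seed=1, t=4):
    """Sign once under user 1, re-sign up the chain to user t, verify at each level."""
    rng = random.Random(seed)                      # not a cryptographic RNG; demo only
    A_t = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]  # SIS instance
    keys, hops = simulate_chain(A_t, t, rng)
    u, e = hash_oracle(keys[1], rng)
    bad_u = [(u[0] + 1) % Q] + u[1:]               # hash value for a different message
    rows = []
    for j in range(1, t + 1):
        e_j = e if j == 1 else matvec(resign_key(hops, 1, j), e)
        beta_sq = M * M ** (2 * (j - 1))           # worst case for entries in {-1,0,1}
        rows.append((j, verify(keys[j], u, e_j, beta_sq),
                     verify(keys[j], bad_u, e_j, beta_sq),
                     sum(x * x for x in e_j)))
    return rows

if __name__ == "__main__":
    for level, ok, bad_ok, norm_sq in check_levels():
        print(f"level {level}: verifies={ok} wrong-hash={bad_ok} ||e||^2={norm_sq}")
```

Every level verifies against the same hash value with a single product \( \varvec{A}_{j} \varvec{e} \bmod q \), while the printed squared norm shows how the signature grows with each translation.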

Internal Security: In this scheme, since the first-level signatures belong to the second-level signatures, the colluding delegatee and proxy can produce a first-level signature on the delegator’s behalf. Thus, the delegator security in our scheme is not satisfied. Internal security refers only to the limited proxy security and delegatee security.

Limited Proxy Security: For security, we assume there is a probabilistic poly-time adversary (proxy) \( {\mathcal{A}} \) which breaks this guarantee with non-negligible probability. We use \( {\mathcal{A}} \) to construct a poly-time simulator \( {\mathcal{B}} \) that solves the \( {\text{SIS}}_{q,n,m,\beta } \) problem.

System Parameters: On input a random matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), the simulator \( {\mathcal{B}} \) outputs a non-zero vector \( \varvec{v} \) such that \( \varvec{Av} = \varvec{0}\bmod q \) and \( \left\| \varvec{v} \right\| \le \beta \).

Public keys: When \( {\mathcal{A}} \) asks for the creation of user \( i \in \left\{ {1, \cdots ,\upkappa} \right\} \), \( {\mathcal{B}} \) needs to prepare \( \upkappa \) public keys \( \varvec{A}_{1} , \cdots ,\varvec{A}_{\upkappa} \). The procedure is as follows:

  (i) \( {\mathcal{B}} \) sets \( \varvec{A} = \varvec{A}_{t} \).

  (ii) \( {\mathcal{B}} \) uses \( TrapGen\left( {1^{n} } \right) \) to generate \( \upkappa - 1 \) pairs of public/secret keys \( \left( {\varvec{A}_{i} ,\varvec{T}_{i} } \right) \), \( i = 1, \cdots ,t - 1,t + 1, \cdots ,\upkappa \).

In the following, \( {\mathcal{B}} \) must answer the random oracle \( H \), the signature oracle \( {\mathcal{O}}_{sign} \) and the re-signature key oracle \( {\mathcal{O}}_{rk} \). \( {\mathcal{B}} \) simulates these oracles as follows:

Hash queries: \( {\mathcal{B}} \) maintains a list of tuples \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) which is called the \( H \) list. For each query to \( H \), if \( \left( {\mu_{k} ,r_{k} } \right) \) is in the \( H \) list, then \( {\mathcal{B}} \) returns \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). Otherwise, if \( i \ne t \), choose a random vector \( r_{k} \in \left\{ {0,1} \right\}^{*} \), compute \( \varvec{u}_{k} = H\left( {\mu_{k} \,||\,r_{k} } \right) \) and use the secret key \( \varvec{T}_{i} \) to sample a vector \( \varvec{e}_{k} \leftarrow SamplePre(\varvec{A}_{i} ,\varvec{T}_{i} ,\varvec{u}_{k} ,\sigma_{i} ) \), store \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). If \( i = t \), sample \( \varvec{e}_{k} \leftarrow D_{{{\mathbb{Z}}^{m} ,s}} \) and compute \( \varvec{u}_{k} = \varvec{A}_{i} \varvec{e}_{k} \bmod q \), store \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \).

Signature queries: For each query to \( {\mathcal{O}}_{sign} \) on input \( \left( {i,(\mu_{k} ,r_{k} )} \right) \), we assume that \( \mu_{k} \) has already been queried on the random oracle \( H \). \( {\mathcal{B}} \) looks up \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) in the \( H \) list and returns \( \varvec{e}_{k} \) to \( {\mathcal{A}} \).

Re-Signature key queries: For each query to \( {\mathcal{O}}_{rk} \) on input \( \left( {i,\,j} \right) \) , if \( i = t \) or \( j = t \), abort; otherwise, compute re-signature key \( rk_{i \to j} = \varvec{S}_{i \to j} \) by the Re-Signature key generation algorithm and return \( rk_{i \to j} = \varvec{S}_{i \to j} \) to \( {\mathcal{A}} \).

Forgery: Without loss of generality, we assume that \( {\mathcal{A}} \) selects \( \varvec{A}_{t} \) as the challenge public key (the probability is \( 1/\upkappa \)) before outputting its forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \) and querying \( H \) on \( \mu^{*} \). Finally, \( {\mathcal{A}} \) outputs forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \).

Simulator \( {\mathcal{B}} \)’s simulation of the world for \( {\mathcal{A}} \) is the same as in the external security proof, except that the Re-Signature queries are replaced by the Re-Signature key queries.

Delegatee security: For security, we assume there is a probabilistic poly-time adversary (proxy) \( {\mathcal{A}} \) which breaks this guarantee with non-negligible probability. We use \( {\mathcal{A}} \) to construct a poly-time simulator \( {\mathcal{B}} \) that solves the \( {\text{SIS}}_{q,n,m,\beta } \) problem.

System Parameters: On input a random matrix \( \varvec{A} \in {\mathbb{Z}}_{q}^{n \times m} \), the simulator \( {\mathcal{B}} \) outputs a non-zero vector \( \varvec{v} \) such that \( \varvec{Av} = \varvec{0}\bmod q \) and \( \left\| \varvec{v} \right\| \le \beta \).

Public keys: When \( {\mathcal{A}} \) asks for the creation of user \( i \in \left\{ {1, \cdots ,\upkappa} \right\} \), \( {\mathcal{B}} \) needs to prepare \( \upkappa \) public keys \( \varvec{A}_{1} , \cdots ,\varvec{A}_{\upkappa} \). The procedure is as follows:

  (i) \( {\mathcal{B}} \) sets \( \varvec{A} = \varvec{A}_{1} \).

  (ii) \( {\mathcal{B}} \) uses \( TrapGen\left( {1^{n} } \right) \) to generate \( \upkappa - 1 \) pairs of public/secret keys \( \left( {\varvec{A}_{i} ,\varvec{T}_{i} } \right) \), \( i = 2, \cdots ,\upkappa \).

In the following, \( {\mathcal{B}} \) must answer the random oracle \( H \), the signature oracle \( {\mathcal{O}}_{sign} \) and the re-signature key oracle \( {\mathcal{O}}_{rk} \). \( {\mathcal{B}} \) simulates these oracles as follows:

Hash queries: \( {\mathcal{B}} \) maintains a list of tuples \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) which is called the \( H \) list. For each query to \( H \), if \( \mu_{k} \) is in the \( H \) list, \( {\mathcal{B}} \) returns \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). Otherwise, if \( i \ne 1 \), choose a random vector \( r_{k} \in \left\{ {0,1} \right\}^{*} \), compute \( \varvec{u}_{k} = H\left( {\mu_{k} \,||\,r_{k} } \right) \) and use the secret key \( \varvec{T}_{i} \) to sample a vector \( \varvec{e}_{k} \leftarrow SamplePre(\varvec{A}_{i} ,\varvec{T}_{i} ,\varvec{u}_{k} ,\sigma_{i} ) \), store \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \). If \( i = 1 \), sample \( \varvec{e}_{k} \leftarrow D_{{{\mathbb{Z}}^{m} ,s}} \) and compute \( \varvec{u}_{k} = \varvec{A}_{1} \varvec{e}_{k} \bmod q \), store \( \left( {1,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) and return \( \varvec{u}_{k} \) to \( {\mathcal{A}} \).

Signature queries: For each query to \( {\mathcal{O}}_{sign} \) on input \( \left( {i,(\mu_{k} ,r_{k} )} \right) \), we assume that \( \mu_{k} \) has already been queried on the random oracle \( H \). \( {\mathcal{B}} \) looks up \( \left( {i,\varvec{u}_{k} ,\varvec{e}_{k} ,\left( {\mu_{k} ,r_{k} } \right)} \right) \) in the \( H \) list and returns \( \varvec{e}_{k} \) to \( {\mathcal{A}} \).

Re-Signature key queries: For each query to \( {\mathcal{O}}_{rk} \) on input \( \left( {i,j} \right) \), if \( i = 1 \), abort; otherwise, compute re-signature key \( rk_{i \to j} = \varvec{S}_{i \to j} \) by the Re-Signature key generation algorithm and return \( rk_{i \to j} = \varvec{S}_{i \to j} \) to \( {\mathcal{A}} \).

Forgery: Without loss of generality, we assume that \( {\mathcal{A}} \) selects \( \varvec{A}_{t} \) as the challenge public key (the probability is \( 1/\upkappa \)) before outputting its forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \) and querying \( H \) on \( \mu^{*} \). Finally, \( {\mathcal{A}} \) outputs forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \).

We know that the simulation is perfect. When \( {\mathcal{A}} \) outputs forgery \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \), \( {\mathcal{B}} \) looks up \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}_{{\mu^{*} }} } \right) \) in the \( H \) list and outputs \( \varvec{v} = \varvec{e}_{{\mu^{*} }} - \varvec{e}^{*} \) as the solution of the \( {\text{SIS}}_{q,n,m,\beta } \) problem \( \varvec{Av} = \varvec{0}\bmod q \). Because \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}^{*} } \right) \) and \( \left( {\left( {\mu^{*} ,r^{*} } \right),\varvec{e}_{{\mu^{*} }} } \right) \) are both the signatures of \( \mu^{*} \), then

$$ \varvec{A}_{1} \varvec{e}^{*} \bmod q = H\left( {\mu^{*} ||r^{*} } \right)\bmod q = \varvec{A}_{1} \varvec{e}_{{\mu^{*} }} \bmod q \tag{14} $$

Therefore, we obtain \( \varvec{A}_{1} \left( {\varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} } \right) = \varvec{0}\bmod q \). Since \( \left\| {\varvec{e}^{*} } \right\| \), \( \left\| {\varvec{e}_{{\mu^{*} }} } \right\| \le \sigma \sqrt m \) and \( \varvec{e}^{*} \ne \varvec{e}_{{\mu^{*} }} \), we have \( \left\| {\varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} } \right\| \le 2\sigma \sqrt m \) and \( \varvec{e}^{*} - \varvec{e}_{{\mu^{*} }} \ne \varvec{0} \).

4.3 Security and Efficiency Comparison

In this section, we compare the security and efficiency of the proposed scheme with that of the scheme of [3], which is the first multi-use unidirectional proxy re-signature scheme. The scheme of [3] needs 6 pairing operations in the verification of a 1-level signature, and 4L + 2 pairing operations in the verification of an L-level signature. The proposed construction is based on the Small Integer Solution problem. The verification cost does not grow with the number of translations (only one matrix-vector product operation for a signature of any level) and the size of signatures also grows linearly with the number of translations. The comparison results are summarized in Table 1.

Table 1. Security and efficiency comparison

5 Multi-use Unidirectional Proxy Re-Signature Scheme from Lattice in the Standard Model

In this section, we use the signature scheme of [15] to construct a multi-use unidirectional proxy re-signature scheme in the standard model.

KeyGen: On input the security parameter \( n \), run \( TrapGen\left( {q,n} \right) \) to generate a random rank \( n \) matrix \( \varvec{A}_{0} \in {\mathbb{Z}}_{q}^{n \times m} \) and a trapdoor basis \( \varvec{T}_{0} \) of \( \Lambda _{q}^{ \bot } \left( {\varvec{A}_{0} } \right) \) such that \( \left\| {\tilde{\varvec{T}}_{0} } \right\| \le O\left( {\sqrt {n\log q} } \right) \).

For each \( \left( {b,j} \right) \in \left\{ {0,1} \right\} \times \left[ k \right] \), choose uniformly random and independent \( {\mathbf{A}}_{j}^{(b)} \in {\mathbb{Z}}_{q}^{n \times m} \). Output public key \( pk = (\varvec{A}_{0} ,\varvec{A}_{j}^{(b)} ) \) and secret key \( sk = \varvec{T}_{0} \).

Re-Signature Key Generation: On input public keys of user 1 and 2, \( pk_{1} = (\varvec{A}_{10} ,\varvec{A}_{j}^{(b)} ) \), \( pk_{2} = (\varvec{A}_{20} ,\varvec{A}_{j}^{(b)} ) \) and a secret key \( sk_{2} = \varvec{T}_{2} \). Let \( \varvec{A}_{10} = \left( {\varvec{a}_{11} ,\varvec{a}_{12} , \cdots ,\varvec{a}_{1m} } \right)^{T} \), where \( \varvec{a}_{1i} \in {\mathbb{Z}}_{q}^{n} \). For every \( \varvec{a}_{1i} \), \( i = 1,2, \cdots ,m \), use preimage sampleable algorithm \( SamplePre(\varvec{A}_{20} ,\varvec{T}_{2} ,\varvec{a}_{1i} ,\sigma ) \) which samples a vector \( \varvec{s}_{i} \) such that \( \varvec{A}_{20} \varvec{s}_{i} = \varvec{a}_{1i} \bmod q \) and \( \left\| {\varvec{s}_{i} } \right\| \le \sigma \sqrt m \). Let \( \varvec{S} = \left( {\varvec{s}_{1} ,\varvec{s}_{2} , \cdots ,\varvec{s}_{m} } \right) \in {\mathbb{Z}}^{m \times m} \), then \( \varvec{A}_{20} \varvec{S} = \varvec{A}_{10} \bmod q \) and \( \left\| \varvec{S} \right\| \le s\sqrt m \). Let \( \varvec{S}_{1 \to 2} = \left( {\begin{array}{*{20}c} \varvec{S} & \varvec{0} \\ \varvec{0} & \varvec{I} \\ \end{array} } \right) \) and output the re-signature key \( rk_{1 \to 2} = \varvec{S}_{1 \to 2} \).

Sign: The first-level signature: on input a secret key \( sk = \varvec{T}_{0} \) and a message \( \mu \in \{ 0,1\}^{k} \), do:

  1. Let \( \varvec{A}_{\mu } = \varvec{A}_{0} \,||\,\varvec{A}_{1}^{{(\mu_{1} )}} \,|| \cdots ||\,\varvec{A}_{k}^{{(\mu_{k} )}} \in {\mathbb{Z}}_{q}^{n \times (k + 1)m} \). Use \( SampleBasisLeft(\varvec{A}_{0} ,\varvec{A}_{i}^{{(\mu_{i} )}} ,\varvec{T}_{0} ) \) to generate the basis \( \varvec{T}_{\mu } \) of \( \Lambda ^{ \bot } \left( {\varvec{A}_{\mu } } \right) \);

  2. Use preimage sampleable algorithm \( SamplePre(\varvec{A}_{\mu } ,\varvec{T}_{\mu } ,\varvec{0},\sigma ) \) to sample a vector \( \varvec{e} \) such that \( \varvec{A}_{\mu } \varvec{e} = \varvec{0}\bmod q \) and \( \left\| \varvec{e} \right\| \le \sigma \sqrt {(k + 1)m} \).

  3. Output \( \varvec{e} \) as the signature for message \( \mu \).

The i-level signature: on input a secret key \( sk = \varvec{T}_{0} \) and a message \( \mu \), do:

  1. Let \( \varvec{A}_{\mu } = \varvec{A}_{0} \,||\,\varvec{A}_{1}^{{(\mu_{1} )}} \,|| \cdots ||\,\varvec{A}_{k}^{{(\mu_{k} )}} \in {\mathbb{Z}}_{q}^{n \times (k + 1)m} \). Use \( SampleBasisLeft(\varvec{A}_{0} ,\varvec{A}_{i}^{{(\mu_{i} )}} ,\varvec{T}_{0} ) \) to generate the basis \( \varvec{T}_{\mu } \) of \( \Lambda ^{ \bot } \left( {\varvec{A}_{\mu } } \right) \);

  2. Use preimage sampleable algorithm \( SamplePre(\varvec{A}_{\mu } ,\varvec{T}_{\mu } ,\varvec{0},\sigma^{i} \left[ {(k + 1)m} \right]^{(i - 1)/2} ) \) to sample a vector \( \varvec{e} \) such that \( \varvec{A}_{\mu } \varvec{e} = \varvec{0}\bmod q \) and \( \left\| \varvec{e} \right\| \le \sigma^{i} \left[ {(k + 1)m} \right]^{i/2} \).

  3. Output \( \varvec{e} \) as the i-level signature for message \( \mu \).

Re-Signature: On input re-signature key \( rk_{1 \to 2} = \varvec{S}_{1 \to 2} \), a public key \( pk_{1} = (\varvec{A}_{10} ,\varvec{A}_{j}^{(b)} ) \), a message \( \mu \) and its signature \( \varvec{e}_{1} \), check that \( \varvec{A}_{1\mu } \varvec{e}_{1} = \varvec{0}\bmod q \) and \( \left\| {\varvec{e}_{1} } \right\| \le s\sqrt {(k + 1)m} \), where \( \varvec{A}_{1\mu } = \varvec{A}_{10} \,||\varvec{A}_{1}^{{(\mu_{1} )}} \,|| \cdots ||\,\varvec{A}_{k}^{{(\mu_{k} )}} \in {\mathbb{Z}}_{q}^{n \times (k + 1)m} \). If \( \varvec{e}_{1} \) is not a signature for \( \mu \), output \( \bot \); otherwise compute re-signature \( \varvec{e}_{2} = \varvec{S}_{1 \to 2} \varvec{e}_{1} \). \( \varvec{e}_{2} \) is the re-signature for \( 1 \to 2 \).

Verify: On input a public key \( pk_{2} = (\varvec{A}_{20} ,\varvec{A}_{j}^{(b)} ) \), a message \( \mu \) and a re-signature \( \varvec{e}_{2} \) for \( 1 \to 2 \). If \( \varvec{A}_{2\mu } \varvec{e}_{2} = \varvec{0}\bmod q \) and \( \left\| {\varvec{e}_{2} } \right\| \le \sigma^{2} (k + 1)m \), where \( \varvec{A}_{2\mu } = \varvec{A}_{20} \,||\varvec{A}_{1}^{{(\mu_{1} )}} \,|| \cdots ||\,\varvec{A}_{k}^{{(\mu_{k} )}} \in {\mathbb{Z}}_{q}^{n \times (k + 1)m} \), output 1; otherwise output 0.

6 Conclusion

In this paper, we construct the first multi-use unidirectional proxy re-signature scheme based on the hardness of the Small Integer Solution (SIS) problem. In our scheme, the verification cost does not grow with the number of translations: verification needs only a matrix-vector multiplication. The size of signatures grows linearly with the number of translations in this scheme. Our scheme uses only one signature algorithm, so that the user’s i-level signatures contain the (i − 1)-level signatures; however, it does not resist the collusion attack against delegator security.