Provable Secure Attribute-Based Proxy Signature Over Lattice Small Integer Solution Problem in Random Oracle Model

Abstract

Current proxy signature schemes are mostly identity-based proxy signatures that distinguish users by identity. This signature method faces some problems, such as identity information leakage and single access control. Attribute-based proxy signature (ABPS) divides the signer’s identity information into a collection of attributes; thus, users’ identity information can be protected and access control can become fine-grained. With the development of quantum computers, the security of signature schemes based on traditional number theory problems is under threat. Therefore, we construct a new attribute-based proxy signature scheme on a lattice that can resist quantum attacks. This scheme has the properties of both attribute-based signatures and proxy signatures, i.e., fine-grained access control and strong undeniability properties. Moreover, based on the small integer solution problem (SIS), our scheme is provably secure in the random oracle model and protects the proxy signer in the adaptive security model.

1. Introduction

With the rapid development of networks, security has become particularly important. Digital signatures can verify the integrity and reliability of a message, and so they have become an indispensable part of security authentication. Due to some special circumstances, the original signer needs to delegate the signature authority to the authorized proxy signer to generate a valid signature on their behalf. The appearance of proxy signatures has resulted in greater convenience. However, how to identify the signer and ensure the reliability of the message has become an important issue. With the improvement of requirements, the signature method has evolved from certificate-based signatures, certificateless signatures and identity-based signatures to attribute-based signatures. At present, most proxy signatures are still identity-based proxy signatures (IBPS), such as [1,2]. This method uses the identity of the signer as the authentication mark to ensure the nonrepudiation and other characteristics of the signature. However, at the same time, it also brings with it a series of problems, such as the possibility of exposing identity information, which is too singular as an identification mark. For this reason, the identity-based signature has been continuously optimized. In 2008, Maji et al. [3] proposed the first attribute-based signature (ABS) scheme, and  showed that this signature method has the characteristics of fine-grained access and perfect privacy. The ABS method divides the identity information of the signer into a multiattribute set. The signature can be completed only when the signer’s attributes satisfy the conditions of access control. Thus, attribute-based proxy signature (ABPS) schemes are starting to receive more attention [4,5].

Research on quantum computers has been a hot topic in recent years, and the Shor algorithm [6] has proved that the current state of cryptography based on traditional number theory will no longer be reliable under quantum attacks, such as the ElGamal algorithm and Rivest, Shamir and Adleman (RSA) algorithm. NIST in the United States is also publicly soliciting postquantum cryptography algorithms. Currently, the recognized antiquantum algorithms include lattice-based cryptography, code-based cryptography, hash-based cryptography and multivariate-based cryptography. Lattice-based cryptography has the advantages of simple operation and can construct a variety of advanced cryptographic applications, so it is more widely used. Most ABS and proxy signature schemes are mainly based on traditional number theory problems, such as integer factorization, bilinear pairs and so on [7,8,9,10,11]. These options are more reliable security choices for constructing ABPS schemes based on lattice-based cryptography.

1.1. Related Works

ABS, as a new, important signature method, is used in many areas, such as emerging named data networks [12], edge computing [13], swarm intelligence awareness [14] and healthcare systems [15]. The first ABS scheme [3] was based on groups with bilinear pairs and can only be proved secure in the generic group model. Subsequently, due to these great advantages, ABS has received increasing amounts of attention, and a large number of ABS schemes have been proposed [16,17,18]. The first proxy signature scheme proposed [19] was a full delegation method. The delegation method in proxy signatures is mainly developed as three approaches: full delegation, partial delegation and delegation with warrant. Since delegation with warrant can protect both the proxy signer and the original signer, most of the current schemes use this approach. ABS and proxy signatures are both included in ABPS. The ABPS scheme from Sun [4] is existentially unforgeable against chosen-message attacks (EUF-CMA) in the random oracle model. However, this scheme is constructed on bilinear pairings, which cannot defeat the quantum attack, and there is no security model proposed for this ABPS scheme.

One of the most famous applications of lattice-based cryptography is fully homomorphic encryption [20]. Therefore, homomorphic signatures are widely used [21]. Proxy signature schemes and identity-based proxy signature schemes based on a lattice have also emerged [22,23,24]. Mao et al. [25] proposed the first ABS schemes based on lattices using the preimage sampling technique. Subsequently, more ABS schemes based on lattices were proposed [26,27,28].

1.2. Our Contributions

In this paper, we constructed a new ABPS scheme over a lattice, which is resistant to quantum attacks. Our scheme allows the original signer to sign a warrant using their attribute keys to delegate signing authority. Then, the proxy signer signs the message only when the attribute set of the original signer satisfies the access structure and the warrant is valid. The verifier also checks the original signer’s attributes and the validity of the signature. This feature provides fine-grained access. To sum up, our ABPS scheme has the following properties:

• Fine-grained access control. Only when a signer’s attribute set satisfies the access structure may they assign their signature rights to others. This feature can help us identify the signers in a fine-grained manner.
• Provable security. The ABPS scheme we constructed is provably secure in the random oracle model. It is also more secure than most current ABPS schemes.

1.3. Organization

The rest of the paper is sequenced as follows. Section 2 reviews some basic concepts of the lattice signature scheme. Section 3 introduces the background of the ABPS scheme. Section 4 presents our proposed new scheme. Section 5 analyzes the security of the constructed scheme. Section 6 evaluates the scheme’s performance. Section 7 concludes the paper.

2. Prelimnary

2.1. Lattice

With a set of linearly independent vectors ${\mathit{b}}_{\mathbf{1}},{\mathit{b}}_{\mathbf{2}},\dots ,{\mathit{b}}_{\mathit{n}}$ as the lattice’s basis, the lattice can then be expressed as $\mathsf{\Lambda }\left(\mathit{B}\right)=\{{\sum }_{i=1}^n{\mathit{b}}_{\mathit{i}}{x}_i|x_i\in \mathbb{Z}\}$.

Definition 1

(Orthogonal lattice). The orthogonal lattice of Λ is defined as ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left(\mathit{A}\right)=\{\mathit{x}\in {\mathbb{Z}}^n:\mathit{Ax}=0modq\}$.

Definition 2

(Small integer solution (SIS) problem; see [29]). For a matrix $\mathit{A}$ ← ${\mathbb{Z}}_q^{n\times m}$, the $SI{S}_{q,\beta }$ problem aims to find a nonzero vector $\mathit{v}$ ∈ ${\mathbb{Z}}^m$ that satisfies $\mathit{Av}$ = 0 $mod$ q and $|\mathit{v}|$$\le$β, where β is a real number.

2.2. Gaussian on Lattice

For a positive real number $s>0$ with a center of $\mathit{c}$ ∈ ${\mathbb{R}}^n$, the Gaussian function is defined as $\forall \mathit{x}$ ∈ ${\mathbb{R}}^n$, ${\rho }_{s,\mathit{c}}\left(\mathit{x}\right)$ = $exp(-\pi \parallel \mathit{x}-\mathit{c}{\parallel }^2/s^2)$.

The discrete Gaussian distribution over lattice $\mathsf{\Lambda }$ is defined as $\forall \mathit{x}\in \mathsf{\Lambda },D_{\mathsf{\Lambda },s,\mathit{c}}\left(\mathit{x}\right)={\rho }_{s,\mathit{c}}\left(\mathit{x}\right)/{\rho }_{s,\mathit{c}}(\mathsf{\Lambda })$.

2.3. Preimage Sampling Technique

Lemma 1

(see [30]). Given a matrix $\mathit{A}$ ∈ ${\mathbb{Z}}_q^{n\times m}$, a short trapdoor basis $\mathit{T}$ ∈ ${\mathbb{Z}}_q^{m\times m}$ of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left(\mathit{A}\right)$, a vector $\mathit{u}$ ∈ ${\mathbb{Z}}^n$ and a Gaussian parameter s, there exists a probabilistic polynomial-time algorithm, denoted by SamplePre $(\mathit{A},$ $\mathit{T},$ $\mathit{u},$ $s)$. It outputs a sample e within negligible statistical distance of $D_{{\mathsf{\Lambda }}^{\perp }\left(\mathit{A}\right),s}$.

2.4. Bonsai Trees

Bonsai trees contains four main techniques. We predominantly use three of them: controlled growth, extending control and randomizing control.

The following lemma states how the controlled growth technique generates a random lattice under control.

Lemma 2

(see [31]). There exists a probabilistic polynomial-time algorithm GenBasis$(1^n,$ $1^m,$ $q)$: given a constant C and m ≥ $Cnlogq$, GenBasis$(1^n,$ $1^m,$ $q)$ outputs $\mathit{A}$ ∈ ${\mathbb{Z}}_q^{n\times m}$ and $\mathit{T}$ ∈ ${\mathbb{Z}}_q^{m\times m}$, such that $\mathit{T}$ is the basis of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left(\mathit{A}\right)$; $\parallel \tilde{S}\parallel$ ≤ $\tilde{L}$ = $O\left(\sqrt{nlogq}\right)$. The distribution of $\mathit{A}$ is within $negl\left(n\right)$ of the uniform, in terms of statistical distance.

Here, we describe the extending control technique, which can extend the control of a lattice to an arbitrary higher-dimensional extension.

Lemma 3

(see [32]). Given ${\mathit{A}}_{\mathbf{1}}$ ∈ ${\mathbb{Z}}_q^{n\times m_1}$, ${\mathit{T}}_{\mathbf{1}}$ ∈ ${\mathbb{Z}}_q^{m_1\times m_1}$ and an arbitrary matrix ${\mathit{A}}_{\mathbf{2}}$ ∈ ${\mathbb{Z}}_q^{n\times m_2}$, where ${\mathit{T}}_{\mathbf{1}}$ is the basis of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left({\mathit{A}}_{\mathbf{1}}\right)$, there exists a probabilistic polynomial-time algorithm ExtBasis$({\mathit{T}}_{\mathbf{1}},$ $\mathit{A}$ = ${\mathit{A}}_{\mathbf{1}}$|${\mathit{A}}_{\mathbf{2}})$ that can output an arbitrary basis $\mathit{T}$ ∈ ${\mathbb{Z}}_q^{m_1+m_2}$ of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left(\mathit{A}\right)$. Furthermore, $\mathit{T}$ satisfies $\parallel \tilde{\mathit{T}}\parallel$ = $\parallel {\tilde{\mathit{T}}}_{\mathbf{1}}\parallel$. However, a disadvantage is that this cannot guarantee the dependence of $\mathit{T}$ and ${\mathit{T}}_{\mathbf{1}}$.

Finally, we show the randomizing control technique. This technique can randomize the basis of a lattice, such that the resulting basis is independent of the original basis.

Lemma 4

(see [32]). Then, there exists a probabilistic polynomial-time algorithm, denoted by RandBasis$(\mathit{T},$ $s)$. $\mathit{T}$ is the basis of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left(\mathit{A}\right)$, and s ≥ $\parallel \tilde{\mathit{T}}\parallel \omega \left(\sqrt{logn}\right)$ is a Gaussian parameter. This algorithm outputs another basis ${\mathit{T}}_{\mathit{r}}$, satisfying $\parallel {\mathit{T}}_{\mathit{r}}\parallel$ ≤ $r\sqrt{m}$. For the two different bases ${\mathit{T}}_{\mathbf{1}},{\mathit{T}}_{\mathbf{2}}$ of the same lattice, when s ≥ $max\{\parallel {\mathit{T}}_{\mathbf{1}}\parallel ,$ $\parallel {\mathit{T}}_{\mathbf{2}}\parallel \}·\omega \left(\sqrt{logn}\right)$, the outputs of RandBasis$({\mathit{T}}_{\mathbf{1}},$ $s)$ and RandBasis(${\mathit{T}}_{\mathbf{2}},$ $s)$ are within $negl\left(n\right)$ in terms of statistical distance.

3. Attribute-Based Proxy Signature Scheme

3.1. Syntax of ABPS Scheme

An ABPS scheme consists of six phases, Setup, Key Extraction, Delegate Generation, Key Extraction for Proxy Signer, Proxy Signing and Verification:

• Setup: In this phase, with a security parameter n as input, it returns the system parameters $Params$ and the master private key $msk$;
• Key Extraction: The attribute authority selects the original signer’s attribute public key ${\mathit{A}}_{\mathit{OA}}$ and generates their attribute private key ${\mathit{T}}_{\mathit{OA}}$;
• Delegate Generation: The original signer uses their attribute key to sign a delegate warrant $\eta$;
• Key Extraction for Proxy Signer: The proxy signer verifies the warrant $\eta$ and generates their signing key $({\mathit{A}}_{\mathit{PS}},$ ${\mathit{T}}_{\mathit{PS}})$;
• Proxy Signing: When the original signer’s attribute set satisfies the access structure, the proxy signer generates a signature $\sigma$ of the message $\mu$;
• Verification: A verifier checks whether the original signer’s attributes satisfies the access structure, then checks the warrant $\eta$ and the signature $\sigma$.

3.2. Security of the ABPS Scheme

An ABPS scheme is mainly concerned with the following security properties: unforgeability, perfect privacy and key dependence.

3.2.1. Unforgeability

Our scheme is strongly unforgeable under the chosen-message attack (SUF-CMA). In our proof, we take two types of adversaries, as follows:

Type I: An adversary knows the secret key of the original signer but cannot obtain the private key of the proxy signer.

Type II: An adversary obtains the secret key of the proxy signer but cannot obtain the private key of the original signer and the delegation of the proxy signer.

Definition 3

(Type I attack). When the following game’s running time is at most $t_1$ and receives hash queries at most $q_1$ times, if no type I adversary can win the game with a probability of at least ${\xi }_1$, then we can say this ABPS scheme is unforgeable under $(t_1,$ $q_1,$ ${\xi }_1)$ with the type I attack.

Setup: With a security parameter, the challenger $\mathcal{C}$ executes the Setup and Key Extraction phases. Then, they give the system parameters, the original signer’s attribute public–private key pair and the proxy signer’s public key, to the adversary ${\mathcal{A}}_1$, keeping the proxy signer’s private key secret.

Query:

• Hash queries:

  (a)

  $H_1$ queries: $\mathcal{C}$ gives ${\mathcal{A}}_1$ the hash value $H_1\left(INF\right)$ for any $INF$ ∈ $\{0,$ ${1\}}^{*}$;

  (b)

  $H_2$ queries: For the delegate information $\xi$, $\mathcal{C}$ returns a matrix ${\mathit{A}}_{\xi }$ of $\xi$ to ${\mathcal{A}}_1$;

• Proxy sign queries: With a given message $\mu$, $\mathcal{C}$ sends a signature $\sigma$ of this message to ${\mathcal{A}}_1$.

Forgery: ${\mathcal{A}}_1$ gives a new signature ${\sigma }^{*}$ for the message ${\mu }^{*}$. If this signature ${\sigma }^{*}$ is valid for ${\mu }^{*}$, then ${\mathcal{A}}_1$ wins the game.

Definition 4

(Type II attack). When the following game’s running time is at most $t_2$ and receives hash queries at most $q_2$ times, if no type II adversary can win the game with a probability of at least ${\xi }_2$, then we can say this ABPS scheme is unforgeable under $(t_2,$ $q_2,$ ${\xi }_2)$ with the type II attack.

Setup: With a security parameter, the challenger $\mathcal{C}$ executes the Setup and Key Extraction phases. Then, they give the system parameters and the original signer’s attribute public key to the adversary ${\mathcal{A}}_2$, while keeping the original signer’s attribute private key secret.

Query:

• Hash queries: $\mathcal{C}$ gives ${\mathcal{A}}_2$ the hash value $H\left(INF\right)$ for any $INF$ ∈ $\{0,$ ${1\}}^{*}$;
• Delegate generation queries: For the delegate information $\xi$, $\mathcal{C}$ returns a warrant $\eta$ of $\xi$ to ${\mathcal{A}}_2$;
• Extract proxy signer queries: With the warrant $\eta$, $\mathcal{C}$ returns the proxy signer’s signing key pair $({\mathit{A}}_{\mathit{PS}},$ ${\mathit{T}}_{\mathit{PS}})$ to ${\mathcal{A}}_2$.

Forgery: ${\mathcal{A}}_2$ gives a new warrant ${\eta }^{*}$. If the warrant is valid for the information ${\xi }^{*}$, then ${\mathcal{A}}_2$ wins the game.

3.2.2. Perfect Privacy

For the perfect privacy requirement, an adversary can obtain the same parameters and information of signers. When the adversary obtains the correct warrant signature, they cannot obtain information about the signer. An attribute-based proxy signature scheme can satisfy these conditions: All $(Params,$ $msk)$ ← ABPS. Setup, all attributes sets $W_1$, $W_2$, all attribute secret keys ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}}$ ← ABPS. Key Extraction $(Params,$ $W_1)$, ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{2}}}$ ← ABPS. Key Extraction $(Params,$ $W_2)$, all delegate information $\xi$, and all claim access control L, such that $W_1$ = $W_2$$| =$ L. If the distributions of ABPS.Delegate Generation $({\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}},$ $\xi ,$ $Params)$ and ABPS.Delegate Generation $({\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}},$ $\xi ,$ $Params)$ are equal, as a result, this attribute-based proxy signature scheme provides perfect privacy.

3.2.3. Key Dependence

The proxy signer cannot sign a message without the original signer’s delegation.

4. Proposed ABPS Scheme

In this section, we present our scheme over a lattice.

The main methods we use are bonsai trees and the preimage sampling algorithm. In our scheme, attributes led to an increase in the dimension of lattices, and bonsai trees can help generate the trapdoor of the growth lattice. Above all, the controlled growth in bonsai trees can generate the lattice and its trapdoor, such that the trapdoor satisfies the size we need. We set the lattice and its trapdoor as the initial key. Then, we combined the initial lattice generated for the original signer and some selected matrices as the original signer’s attribute public key, and the proxy signer’s signing public key was composed of the initial key generated for the proxy signer and a matrix generated by the original signer’s warrant. Then, the extending control and randomizing control technique was used to generate the original signer’s attribute private key and the proxy signer’s signing private key. Finally, we used the preimage sampling algorithm to complete the warrant and signature.

Our scheme consists of six phases: Setup, Key Extraction, Delegate Generation, Key Extraction for Proxy Signer, Proxy Signing and Verification. The technical architecture of our scheme is shown in Figure 1.

Figure 1. The framework of our scheme.

Here, we describe this scheme in detail. In this scheme, for the attribute universe $U=\{u_1,$ $u_2,$ $\dots \}$, we let $k=|U|$.

4.1. Setup

In this phase, given a security parameter n, the public system parameter $Params$ is then published, and the master private key $msk$ is kept secret. The details are given in Algorithm 1.

Algorithm 1 Setup

Input : a security parameter n. Output : public parameters $Params$ and master private key $msk$.  1: Let q = $poly\left(n\right)$, m ≥ $6nlogq$, $\tilde{r}$ = $O\left(\sqrt{nlogq}\right)$, s = $\tilde{r}\omega (logn)$, and select two secure hash functions: $H_1$ = $\{0,$ ${1\}}^{*}$ → ${\mathbb{Z}}_q^n$, $H_2$ = $\{0,$ ${1\}}^{*}$ → ${\mathbb{Z}}_q^{n\times m}$.  2: Generate $({\mathit{A}}_{\mathit{O}},$ ${\mathit{T}}_{\mathit{O}})$ ← GenBasis$(1^n,$ $1^m,$ $q)$, ${\mathit{A}}_{\mathit{O}}$ ∈ ${\mathbb{Z}}_q^{n\times m}$, ${\mathit{T}}_{\mathit{O}}$ ∈ ${\mathbb{Z}}_q^{m\times m}$ is the trapdoor of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left({\mathit{A}}_{\mathit{O}}\right)$ with $\parallel \widetilde{{\mathit{T}}_{\mathit{O}}}\parallel$ ≤ $\tilde{r}$.  3: Select $2k$ random and independent matrices ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}$ ∈ ${\mathbb{Z}}_q^{n\times m}$, where j ∈ k and i = $\{0,$ $1\}$.  4: Public system parameters $Params$ = $\{n,$ $q,$ $m,$ $s,$ $H_1,$ $H_2,$ ${\mathit{A}}_{\mathit{O}},$ ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}\}$, and the master private key $msk$ = $\left\{{\mathit{T}}_{\mathit{O}}\right\}$.

4.2. Key Extraction

The algorithm of this phase is given in Algorithm 2. Firstly, we need a trusted attribute authority (AA) to generate the attribute public key ${\mathit{A}}_{\mathit{OA}}$ for the original signer and then generate the attribute private key ${\mathit{T}}_{\mathit{OA}}$. The proxy signer’s public–private key pair is $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$. We need to keep ${\mathit{T}}_{\mathit{OA}}$ and ${\mathit{T}}_{\mathit{P}}$ secret.

Algorithm 2 Key Extraction

Input : matrices ${\mathit{A}}_{\mathit{O}},$ ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}$ in $Params$ where j ∈ $\left[k\right]$ and i = $\{0,$ $1\}$. Output : original signer’s attribute key $({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}})$ and the proxy signer’s key $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$.  1: The trusted AA selects matrices from ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}$ depending on the original signer’s attribute set W. If $u_j$∈W, then select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{1}\right)}$; else select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{0}\right)}$. Let ${\mathit{A}}_{\mathit{OA}}$ = ${\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{b}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{b}\right)}$, where ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{b}\right)}$ is selected by AA and b = $\{0,$ $1\}$.  2: Generate ${\mathit{T}}_{\mathit{OA}}$ ← RandBasis(ExtBasis$({\mathit{T}}_{\mathit{O}},$ ${\mathit{A}}_{\mathit{OA}}),$ $s)$.  3: Generate $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$ ← GenBasis$(1^n,$ $1^m,$ $q)$, ${\mathit{A}}_{\mathit{P}}$ ∈ ${\mathbb{Z}}_q^{n\times m}$, ${\mathit{T}}_{\mathit{P}}$ ∈ ${\mathbb{Z}}_q^{m\times m}$ is the trapdoor of ${\mathsf{\Lambda }}_{\mathit{q}}^{\perp }\left({\mathit{A}}_{\mathit{P}}\right)$ with $\parallel \widetilde{{\mathit{T}}_{\mathit{P}}}\parallel$ ≥ $\tilde{r}$.  4: Publish ${\mathit{A}}_{\mathit{OA}}$ and ${\mathit{A}}_{\mathit{P}}$, keep ${\mathit{T}}_{\mathit{OA}}$ and ${\mathit{T}}_{\mathit{P}}$ secret.

4.3. Delegate Generation

The original signer signs their delegate information $\xi$ by $({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}})$. Then, the warrant $\eta$ = $(\psi ,$ $\xi )$ is published. The algorithm is described in Algorithm 3.

Algorithm 3 Delegate Generation

Input : the original signer’s attribute public key ${\mathit{A}}_{\mathit{OA}}$ and their delegate information $\xi$, and the hash function $H_1$ in $Params$. Output : a warrant $\eta$ = $(\psi ,$ $\xi )$.  1: Compute ${\mathit{U}}_{\xi }$ = $H_1\left(\xi \right)$ ∈ ${\mathbb{Z}}_q^n$.  2: Generate $\psi$ ← SamplePre$({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}},$ ${\mathit{U}}_{\xi },$ $s)$.  3: Publish the warrant $\eta$ = $(\psi ,$ $\xi )$.

4.4. Key Extraction for Proxy Signer

The proxy signer verifies the warrant $\eta =(\psi ,\xi )$ using Algorithm 4. If the result is $true$, then Algorithm 5 is executed to generate the signing key pair $({\mathit{A}}_{\mathit{PS}},$ ${\mathit{T}}_{\mathit{PS}})$. ${\mathit{A}}_{\mathit{PS}}$ is the signing public key, and ${\mathit{T}}_{\mathit{PS}}$ is the private key.

Algorithm 4 Verify Warrant

Input : the warrant $\eta =(\psi ,\xi )$ and hash functions in $Params$. Output : the verified result $true$/$false$.  1: Compute ${\mathit{U}}_{\xi }$ = $H_1\left(\xi \right)$.  2: Checks whether $\psi$ ≥ $s\sqrt{(k+1)m}$ and ${\mathit{A}}_{\mathit{OA}}$ · $\psi$ = ${\mathit{U}}_{\xi }$ $mod$ q.  3: If these conditions are satisfied, then $\mathrm{output}$$true$; else $\mathrm{output}$$false$;

Algorithm 5 Key Extraction for Proxy Signer

Input : the warrant $\eta$, the proxy signer’s key ${\mathit{A}}_{\mathit{P}}$ and the hash function $H_2$ in $Params$. Output : the proxy signer’s key $({\mathit{A}}_{\mathit{PS}},{\mathit{T}}_{\mathit{PS}})$.  1: Compute ${\mathit{A}}_{\xi }=H_2\left(\xi \right)\in {\mathbb{Z}}_q^{n\times m}$.  2: Let ${\mathit{A}}_{\mathit{PS}}={\mathit{A}}_{\mathit{P}}|{\mathit{A}}_{\xi }$.  3: Generate ${\mathit{T}}_{\mathit{PS}}\leftarrow RandBasis(ExtBasis(\mathit{T},{\mathit{A}}_{\mathit{PS}}),s)$.  4: Publish ${\mathit{A}}_{\mathit{PS}}$, keep ${\mathit{T}}_{\mathit{PS}}$ secret.

4.5. Proxy Signing

The proxy signer executes Algorithm 6 to generate the signature $\rho$ of message $\mu$. Then, they send $\sigma$ = $(\rho ,$ $\mu )$ to the verifier.

Algorithm 6 Proxy Sign

Input : a message $\mu$, the proxy signer’s public key ${\mathit{A}}_{\mathit{PS}}$ and the hash function $H_1$. Output : the signature $\sigma$ = $(\rho ,$ $\mu )$.  1: Attribute authority checks whether $u_j$∈L, if so select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{1}\right)}$, else select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{0}\right)}$. Let ${\mathit{A}}_{\mathit{L}}$ = ${\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{P}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{P}\right)}$, where ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{P}\right)}$ is selected by attribute authority and p = $\{0,$ $1\}$.  2: Check $W|=L$ whether ${\mathit{A}}_{\mathit{L}}$ = ${\mathit{A}}_{\mathit{OA}}$.  3: if$W|=L$then Computes ${\mathit{U}}_{\mu }$ = $H_1\left(\mu \right)$; Generate $\rho$ ← SamplePre$({\mathit{A}}_{\mathit{PS}},$ ${\mathit{T}}_{\mathit{PS}},$ ${\mathit{U}}_{\mu },$ $s)$; Publish $\sigma$ = $(\rho ,$ $\mu )$.  4:  else  refuse to sign.  5:  end if

4.6. Verification

The verifier first runs the Verify I algorithm described in Algorithm 7. In this algorithm, they should check whether the attribute set of the original signer satisfies the access structure and the validity of warrant $\eta$ = $(\psi ,$ $\xi )$. If the result is true, then the signature is verified in Algorithm 8, and it is decided whether to accept or reject it.

Algorithm 7 Verify I

Input : the access structure L, the warrant $\eta$ = $(\psi ,$ $\xi )$, matrices ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}$ and hash functions in $Params$. Output : the verified result $true$/$false$.  1: Attribute authority checks whether $u_j$∈L, if so select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{1}\right)}$, else select ${\mathit{A}}_{\mathit{j}}^{\left(\mathbf{0}\right)}$. Let ${\mathit{A}}_{\mathit{L}}$ = ${\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{P}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{P}\right)}$, where ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{P}\right)}$ is selected by attribute authority and p = $\{0,$ $1\}$.  2: Checks whether $\psi$ ≥ $s\sqrt{(k+1)m}$ and ${\mathit{A}}_{\mathit{L}}$ · $\psi$ = $H_1\left(\xi \right)$ $mod$ q.  3: if these conditions are satisfied then output $true$;  4: else output $false$.  5: end if

Algorithm 8 Verify II

Input : the warrant $\eta$, the signature $\sigma$ = $(\rho ,$ $\mu )$, the matrix ${\mathit{A}}_{\mathit{P}}$ and hash functions in $Params$. Output : the verified result $accept$/$reject$.  1: Check whether $\rho$ ≥ $s\sqrt{2m}$ and (${\mathit{A}}_{\mathit{P}}$|$H_2\left(\eta \right)$)·$\rho$ = $H_1\left(\mu \right)$ $modq$.  2: if satisfied then output $accept$;  3: else output $reject$;  4: end if

Remark 1.

This scheme is based on the SIS problem presented in Definition 2. Nevertheless, with the bonsai tree technique we used, the dimensions of the lattice and its trapdoor increase; thus, the SIS problem also changes here.

Theorem 1.

The achievement of a signature in our ABPS scheme is based on the $SI{S}_{q,\beta }$problem, where $m^{\prime }=2m$.

Proof. 

Assuming that $\mathit{A}$ ∈ ${\mathbb{Z}}_q^{n\times m^{\prime }}$ is the matrix in the $SI{S}_{q,\beta }$ problem, then the target nonzero vector $\mathit{v}$ ∈ ${\mathbb{Z}}^{m^{\prime }}$.

For the signature, $\mathit{A}$ = ${\mathit{A}}_{\mathit{PS}}$ = $({\mathit{A}}_{\mathit{P}}$|${\mathit{A}}_{\eta })$ = $({\mathit{A}}_{\mathit{P}}$|$H_2\left(\eta \right))$. Due to ${\mathit{A}}_{\mathit{P}}$ ∈ ${\mathbb{Z}}_q^{n\times m}$ and $H_2$ = $\{0,$ ${1\}}^{*}$ → ${\mathbb{Z}}_q^{n\times m}$, $\mathit{A}$ = $({\mathit{A}}_{\mathit{P}}$|$H_2\left(\eta \right))$ ∈ ${\mathbb{Z}}_q^{n\times 2m}$. Then, the aim is to find a nonzero vector $\mathit{v}$ ∈ ${\mathbb{Z}}^{2m}$.

So, the $SI{S}_{q,\beta }$ problem is based here on $m^{\prime }$ = $2m$. □

Theorem 2.

The achievement of a warrant in our ABPS scheme is based on the $SI{S}_{q,\beta }$problem, where $m^{″}=(k+1)m$.

Proof. 

Assuming that $\mathit{A}$ ∈ ${\mathbb{Z}}_q^{n\times m^{″}}$ is the matrix in the $SI{S}_{q,\beta }$ problem, then the target nonzero vector $\mathit{v}$ ∈ ${\mathbb{Z}}^{m^{″}}$.

For the warrant, $\mathit{A}$ = ${\mathit{A}}_{\mathit{OA}}$ = $({\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{b}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{b}\right)})$. We know ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{b}\right)}$ ∈ ${\mathbb{Z}}_q^{n\times m}$, where j ∈ k and b = $\{0,$ $1\}$ in Algorithm 1; thus, $\mathit{A}$ ∈ ${\mathbb{Z}}_q^{n\times (k+1)m}$. Then, the aim is to find a nonzero vector $\mathit{v}$ ∈ ${\mathbb{Z}}^{(k+1)m}$.

So the $SI{S}_{q,\beta }$ problem here is based on $m^{″}$ = $(k+1)m$. □

4.7. Correctness Analysis

If we execute the phases in Section 4.1, Section 4.2, Section 4.3, Section 4.4, Section 4.5 and Section 4.6 correctly, then we can provide a correctness analysis. Here, we need to check both the warrant and the signature.

• Firstly, for the warrant, if $W|=L$, then ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{P}\right)}={\mathit{A}}_{\mathit{T}}^{\left(\mathit{b}\right)}$, where $j\in k$, $t\in k$ and $j=t$. Furthermore, ${\mathit{U}}_{\xi }=H_1\left(\xi \right)$, so

  $$\begin{array}{cc}\hfill {\mathit{A}}_{\mathit{L}}·\psi & =({\mathit{A}}_{\mathit{O}}|{\mathit{A}}_{\mathbf{1}}^{\left(\mathit{P}\right)}|\dots |{\mathit{A}}_{\mathbf{k}}^{\left(\mathit{P}\right)})·\psi \hfill \\ \hfill & =({\mathit{A}}_{\mathit{O}}|{\mathit{A}}_{\mathbf{1}}^{\left(\mathit{b}\right)}|\dots |{\mathit{A}}_{\mathbf{k}}^{\left(\mathit{b}\right)})·\psi \hfill \\ \hfill & ={\mathit{A}}_{\mathit{OA}}·\psi \hfill \\ \hfill & ={\mathit{U}}_{\xi }modq\hfill \\ \hfill & =H_1\left(\xi \right)modq\hfill \end{array}$$
• Secondly, for the signature, due to ${\mathit{U}}_{\mu }=H_1\left(\mu \right)$,

  $$\begin{array}{cc}\hfill ({\mathit{A}}_{\mathit{P}}|H_2\left(\eta \right))·\rho & =({\mathit{A}}_{\mathit{P}}|{\mathit{A}}_{\eta })·\rho \hfill \\ \hfill & ={\mathit{A}}_{\mathit{PS}}·\rho \hfill \\ \hfill & ={\mathit{U}}_{\mu }modq\hfill \\ \hfill & =H_1\left(\mu \right)modq\hfill \end{array}$$

5. Security Analysis

In this section, we analyze the following aspects of the security of this scheme: unforgeability, perfect privacy and key dependence.

5.1. Unforgeability

In the random oracle model, our ABPS scheme is strongly unforgeable under the adaptive chosen-message attack.

Theorem 3.

If a polynomial-time type I adversary successfully forges a valid signature in ROM, then the $SI{S}_{q,\beta }$ problem can be solved, where $\beta =2s\sqrt{m^{\prime }}$ and $m^{\prime }=2m$.

Proof .

Assume the scheme can be broken by a type I adversary ${\mathcal{A}}_1$ with a non-negligible probability. Then, the challenger $\mathcal{C}$ can solve an example of the $SI{S}_{q,\beta }$ problem with non-negligible probability in polynomial time. This means that $\mathcal{C}$ wins.

Setup: The security parameter n is inputted, and $\mathcal{C}$ runs Algorithms 1 and 2 to generate $Params$, $({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}})$ and $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$. Then, $\mathcal{C}$ sends $Params$, $({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}})$ and ${\mathit{A}}_{\mathit{P}}$ to ${\mathcal{A}}_1$, keeping ${\mathit{T}}_{\mathit{P}}$ secret. $\mathcal{C}$ creates several empty lists: L1, L2, L3 and L4. L1 records $(\xi ,{\mathit{U}}_{\xi }=H_1\left(\xi \right))$, L2 records $(\eta ,{\mathit{A}}_{\eta }=H_2\left(\eta \right))$, L3 records $(\mu ,{\mathit{U}}_{\mu }=H_1\left(\mu \right))$ and L4 records $(\mu ,\sigma )$, where $\sigma$ is the signature of message $\mu$.

Query: ${\mathcal{A}}_1$ adaptively asks several queries of $\mathcal{C}$, and $\mathcal{C}$ answers these, directed toward ${\mathcal{A}}_1$.

• $H_1$ queries:

  (a)

  ${\mathcal{A}}_1$ sends delegate information $\xi$ to $\mathcal{C}$, and then $\mathcal{C}$ finds $\xi$ in L1. $\mathcal{C}$ returns the hash value ${\mathit{U}}_{\xi }$ to ${\mathcal{A}}_1$ when it is found. Otherwise, $\mathcal{C}$ chooses a vector ${\mathit{U}}_{\xi }\in {\mathbb{Z}}_q^n$ at random, restores $(\xi ,$ ${\mathit{U}}_{\xi })$ into L1 and returns ${\mathit{U}}_{\xi }$;

  (b)

  ${\mathcal{A}}_1$ sends a message $\mu$ to $\mathcal{C}$, and $\mathcal{C}$ finds $\mu$ in L3. $\mathcal{C}$ returns the corresponding value ${\mathit{U}}_{\mu }$ to ${\mathcal{A}}_1$ when it is found. Otherwise, $\mathcal{C}$ chooses a vector ${\mathit{U}}_{\mu }$ ∈ ${\mathbb{Z}}_q^n$ at random, restores $(\mu ,$ ${\mathit{U}}_{\mu })$ into L3 and returns ${\mathit{U}}_{\mu }$.

• $H_2$ queries: $\mathcal{C}$ first finds the warrant $\eta$ = $(\psi ,$ $\xi )$ in L2. $\mathcal{C}$ returns the hash value ${\mathit{A}}_{\eta }$ to ${\mathcal{A}}_1$ when it is found. Otherwise, $\mathcal{C}$ chooses a matrix ${\mathit{A}}_{\eta }$ ∈ ${\mathbb{Z}}_q^{n\times m}$ at random, restores $(\xi ,$ ${\mathit{U}}_{\xi })$ into L2 and returns ${\mathit{U}}_{\xi }$;
• Proxy sign queries: $\mathcal{C}$ finds the message $\mu$ in L4, if there exists $(\mu ,$ $\sigma )$, and then returns $\sigma$ to ${\mathcal{A}}_1$. Otherwise, $\mathcal{C}$ runs Algorithm 6 to generate the signature $\sigma$ of $\mu$, and then restores $(\mu ,$ $\sigma )$ in L4 and sends $\sigma$ to ${\mathcal{A}}_1$.

Forgery: After completing these queries, ${\mathcal{A}}_1$ generates a forging signature $si{g}^{*}$ on message ${\mu }^{*}$ with non-negligible probability. If this signature passes the phase in Section 4.6 and the message ${\mu }^{*}$ cannot be found in L3 and L4, then ${\mathcal{A}}_1$ wins the game.

$\mathcal{C}$ uses $H_1$ queries to obtain ${\mathit{U}}_{\mu }$ = $H_1\left(\mu \right)$, then generates the signature ${\sigma }^{*}$ through the proxy sign phase. Then, we obtain $({\mathit{A}}_{\mathit{P}}$|${\mathit{A}}_{\eta })$ · $si{g}^{*}$ = ${\mathit{U}}_{\mu }$ $mod$ q and $({\mathit{A}}_{\mathit{P}}$|${\mathit{A}}_{\eta })$ · ${\sigma }^{*}$ = ${\mathit{U}}_{\mu }$ $mod$ q; so, $({\mathit{A}}_{\mathit{P}}$|${\mathit{A}}_{\eta })$ · $(si{g}^{*}$ − ${\sigma }^{*})$= 0 $mod$ q. According to [30], we know that $si{g}^{*}$ = ${\sigma }^{*}$ happens with negligible probability $2^{-\omega (logn)}$ without a trapdoor. $si{g}^{*}$ ≤ $s\sqrt{m^{\prime }}$ and ${\sigma }^{*}$ ≤ $s\sqrt{m^{\prime }}$, and then $\parallel (si{g}^{*}$ − ${\sigma }^{*})\parallel$ ≤ $2s\sqrt{m^{\prime }}$ is an answer of $SI{S}_{q,\beta }$. Therefore, $\mathcal{C}$ can solve the $SI{S}_{q,\beta }$ instance with non-negligible probability $1 -$ $2^{-\omega (logn)}$. □

Theorem 4.

If a polynomial-time type II adversary successfully forges a valid signature in ROM, then the $SI{S}_{q,\beta }$ problem can be solved, where β = $2s\sqrt{m^{″}}$ and $m^{″}$ = $(k+1)m$.

Proof .

Assume the scheme can be broken by a type II adversary ${\mathcal{A}}_2$ with a non-negligible probability. Then, the challenger $\mathcal{C}$ can solve an example of the $SI{S}_{q,\beta }$ problem with non-negligible probability in polynomial time. This means $\mathcal{C}$ wins.

Setup: The security parameter n is input, and $\mathcal{C}$ runs Algorithms 1 and 2 to generate $Params$, $({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}})$ and $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$. Then, $\mathcal{C}$ sends $Params$, ${\mathit{A}}_{\mathit{OA}}$ and $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$ to ${\mathcal{A}}_2$, keeping ${\mathit{T}}_{\mathit{OA}}$ secret. $\mathcal{C}$ creates several empty lists: L1, L2, L3 and L4. L1 records $(\xi ,$ ${\mathit{U}}_{\xi }$ = $H_1\left(\xi \right))$, L2 records $(\eta ,$ ${\mathit{A}}_{\eta }$ = $H_2\left(\eta \right))$, L3 records $(\xi ,$ ${\mathit{U}}_{\mu }$ = $H_1\left(\mu \right))$ and L4 records $(\xi ,$ $\eta$ = $(\psi ,$ $\xi \left)\right)$, where $\eta$ is the warrant of $\xi$.

Query: ${\mathcal{A}}_2$ adaptively asks several queries of $\mathcal{C}$, and $\mathcal{C}$ answers these, directed toward ${\mathcal{A}}_2$.

• $H_1$ queries:

  (a)

  ${\mathcal{A}}_2$ sends delegate information $\xi$ to $\mathcal{C}$, and then $\mathcal{C}$ finds $\xi$ in L1. $\mathcal{C}$ returns the hash value ${\mathit{U}}_{\xi }$ to ${\mathcal{A}}_2$ when it is found. Otherwise, $\mathcal{C}$ chooses a vector ${\mathit{U}}_{\xi }$ ∈ ${\mathbb{Z}}_q^n$ at random, restores $(\xi ,$ ${\mathit{U}}_{\xi })$ into L1 and returns ${\mathit{U}}_{\xi }$;

  (b)

  ${\mathcal{A}}_2$ sends a message $\mu$ to $\mathcal{C}$, and $\mathcal{C}$ finds $\mu$ in L3. $\mathcal{C}$ returns the corresponding value ${\mathit{U}}_{\mu }$ to ${\mathcal{A}}_2$ when it is found. Otherwise, $\mathcal{C}$ chooses a vector ${\mathit{U}}_{\mu }$ ∈ ${\mathbb{Z}}_q^n$ at random, restores $(\mu ,$ ${\mathit{U}}_{\mu })$ into L3 and returns ${\mathit{U}}_{\xi })$.

• Delegate generation queries: For the delegate information $\xi$, $\mathcal{C}$ performs as follows:

  (a)

  First, $\xi$ is found in L4. If found, $\mathcal{C}$ returns the value $\eta$ to ${\mathcal{A}}_2$. Otherwise, $\mathcal{C}$ seeks it in L1;

  (b)

  If there exists $(\xi ,$ ${\mathit{U}}_{\xi })$ in L1, then $\mathcal{C}$ returns ${\mathit{U}}_{\xi }$. Otherwise, $\mathcal{C}$ carries out the $H_1$ queries. Then, $\mathcal{C}$ generates $\psi$ ← SamplePre$({\mathit{A}}_{\mathit{OA}},$ ${\mathit{T}}_{\mathit{OA}},$ ${\mathit{U}}_{\xi },$ $s)$, restores $(\xi ,$ $\eta$ = $(\psi ,$ $\xi \left)\right)$ into L4 and returns $\eta$ to ${\mathcal{A}}_2$.

• $H_2$ queries: For the warrant $\eta$ = $(\psi ,$ $\xi )$, $\mathcal{C}$ performs as follows:

  (a)

  First, $\eta$ is found in L2. $\mathcal{C}$ returns the hash value ${\mathit{A}}_{\eta }$ to ${\mathcal{A}}_2$ when it is found. Otherwise, $\mathcal{C}$ seeks $(\xi ,$ $\eta )$ in L4;

  (b)

  If $(\xi ,$ $\eta )$ cannot be found in L4, $\mathcal{C}$ carries out the delegate queries. Then, $\mathcal{C}$ chooses a matrix ${\mathit{A}}_{\eta }$ ∈ ${\mathbb{Z}}_q^{n\times m}$ at random, restores $(\xi ,$ ${\mathit{U}}_{\xi })$ into L2 and returns ${\mathit{U}}_{\xi }$.

• Extract proxy signer queries: For the warrant $\eta$, $\mathcal{C}$ performs as follows:

  (a)

  First, $\eta$ in L2 is found. If found, $\mathcal{C}$ obtains the hash value ${\mathit{A}}_{\eta }$. Otherwise, $\mathcal{C}$ carries out the $H_2$ queries;

  (b)

  Then, $\mathcal{C}$ obtains ${\mathit{A}}_{\mathit{PS}}$ = $({\mathit{A}}_{\mathit{P}}$|${\mathit{A}}_{\eta })$, and runs RandBasis(ExtBasis(${\mathit{T}}_{\mathit{P}},$ ${\mathit{A}}_{\mathit{PS}}),$ $s)$ to obtain the private signing key ${\mathit{T}}_{\mathit{PS}}$;

  (c)

  $\mathcal{C}$ returns $({\mathit{A}}_{\mathit{PS}},$ ${\mathit{T}}_{\mathit{PS}})$ to ${\mathcal{A}}_2$.

Forgery: After completing these queries, ${\mathcal{A}}_2$ generates a forging warrant ${\eta }^{*}$ = $({\psi }^{*},$ $\xi )$ on delegate information $\xi$ with non-negligible probability. If the warrant passes the Algorithm 7 and cannot be found in L2 and L4, then ${\mathcal{A}}_2$ wins the game.

$\mathcal{C}$ looks up $\xi$ in L4, and if found, obtains the warrant $\eta$. Otherwise, $H_1$ queries are used to obtain ${\mathit{U}}_{\xi }$ = $H_1\left(\xi \right)$, and then the warrant $\eta$ = $(\psi ,$ $\xi )$ is generated through the delegate generation phase. Then, we can obtain ${\mathit{A}}_{\mathit{OA}}$ · ${\psi }^{*}$ = ${\mathit{U}}_{\xi }$ $mod$ q and ${\mathit{A}}_{\mathit{OA}}$ · $\psi$ = ${\mathit{U}}_{\xi }$ $mod$ q, so ${\mathit{A}}_{\mathit{OA}}$ · $({\psi }^{*}$ − $\psi )$ = 0 $mod$ q. According to the result in [30], we know that ${\psi }^{*}$ = $\psi$ happens with negligible probability $2^{-\omega (logn)}$ without a trapdoor. Because ${\psi }^{*}$ ≤ $s\sqrt{m^{″}}$ and $\psi$ ≤ $s\sqrt{m^{″}}$, then $\parallel {\psi }^{*}-\psi \parallel$ ≤ $2s\sqrt{m^{″}}$ is an answer for $SI{S}_{q,\beta }$. Therefore, $\mathcal{C}$ can solve the $SI{S}_{q,\beta }$ instance with non-negligible probability $1 -$ $2^{-\omega (logn)}$. □

5.2. Perfect Privacy

Theorem 5.

Our ABPS scheme is perfectly private, if the outcomes of RandBasis$({\mathit{T}}_{{\mathit{O}}_{\mathbf{1}}}, s)$ and RandBasis$({\mathit{T}}_{{\mathit{O}}_{\mathbf{2}}}, s)$ are within $negl\left(n\right)$ statistical distance.

Proof .

Assume that the outputs of ABPS.Delegate Generation (${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}},$ $\xi ,$ $Params$) and ABPS.Delegate Generation (${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}},$ $\xi ,$ $Params$) can be distinguished by an adversary ${\mathcal{A}}_3$ with non-negligible probability. Then, the challenger $\mathcal{C}$ can distinguish an example of the outputs of RandBasis(${\mathit{T}}_{{\mathit{O}}_{\mathbf{1}}},$ s) and RandBasis(${\mathit{T}}_{{\mathit{O}}_{\mathbf{2}}},$ s) with non-negligible probability in polynomial time. This means that $\mathcal{C}$ wins.

Setup: $\mathcal{C}$ runs Algorithm 1 with the security parameter n to generate $Params$ and $msk$. Then, with the attribute sets $W_1$ and $W_2$, the game runs as follows:

• $\mathcal{C}$ generates the warrant with the attribute set $W_1$: Firstly, $\mathcal{C}$ generates the attribute signing key $({\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}},$ ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}})$ ← ABPS.Key Extraction$(Params,$ $W_1)$; then, for the delegate information $\xi$, $\mathcal{C}$ generates the warrant ${\eta }_1$ ← ABPS. Delegate Generation (${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}},$ $\xi ,$ $Params$);
• $\mathcal{C}$ generates the warrant with the attribute set $W_2$: Firstly, $\mathcal{C}$ generates the attribute signing key $({\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}},$ ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{2}}})$ ← ABPS.Key Extraction$(Params,$ $W_2)$; then, for the delegate information $\xi$, $\mathcal{C}$ generates the warrant ${\eta }_2$ ← ABPS. Delegate Generation (${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}},$ $\xi ,$ $Params$).

Distinguish: After game 3 finishes, ${\mathcal{A}}_3$ attempts to distinguish the warrants ${\eta }_1$ and ${\eta }_2$ on delegate information $\xi$ with non-negligible probability. If ${\mathcal{A}}_3$ can distinguish the warrants ${\eta }_1$ and ${\eta }_2$ successfully, then ${\mathcal{A}}_3$ wins the game.

When $W_1=W_2$, Algorithm 2 selects the same ${\mathit{A}}_{\mathit{j}}^{\left(\mathit{i}\right)}$. With the same system parameters $Params$ and $MSK$, Algorithm 2 generates the ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}$ = ${\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{b}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{b}\right)}$ and ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}$ = ${\mathit{A}}_{\mathit{O}}$|${\mathit{A}}_{\mathbf{1}}^{\left(\mathit{b}\right)}$|…|${\mathit{A}}_{\mathbf{k}}^{\left(\mathit{b}\right)}$. Thus, ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}$ = ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}$. For the warrant ${\eta }_1$ = $({\psi }_1,$ $\xi )$, ${\eta }_2$ = $({\psi }_2,$ $\xi )$, there exists ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}$ · ${\psi }_1$ = $H_1\left(\xi \right)$ $mod$ q and ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}$ · ${\psi }_2$ = $H_1\left(\xi \right)$ $mod$ q. ${\mathcal{A}}_3$ winning game 3 means ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}$ · ${\psi }_2$ ≠ $H_1\left(\xi \right)$ $mod$ q and ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}$ · ${\psi }_1$ ≠ $H_1\left(\xi \right)$ $mod$ q. Due to these conditions, ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}$ = ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}$, and the same delegate information $\xi$ and the same hash function $H_1$ = $\{0,$ ${1\}}^{*}$ → ${\mathbb{Z}}_q^n$. This means $\mathcal{C}$ can distinguish ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}}$ ← RandBasis(ExtBasis($\mathit{T},$ ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}),$ s) and ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{2}}}$ ← RandBasis(ExtBasis($\mathit{T},$ ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}),$ s).

According to Lemma 4, RandBasis(${\mathit{T}}_{{\mathit{O}}_{\mathbf{1}}},$ s) and RandBasis(${\mathit{T}}_{{\mathit{O}}_{\mathbf{2}}},$ s) are statistically indistinguishable. ${\psi }_1$ ← SamplePre(${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}},$ ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}},$ $u,$ $s)$ and ${\psi }_2$ ← SamplePre(${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}},$ ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{2}}},$ $u,$ $s)$ are on the same Gaussian distribution with negligible statistical distance. Thus, $\mathcal{C}$ cannot distinguish ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}}$ ← RandBasis(ExtBasis($\mathit{T},$ ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{1}}}),$ s) and ${\mathit{T}}_{{\mathit{OA}}_{\mathbf{1}}}$ ← RandBasis(ExtBasis($\mathit{T},$ ${\mathit{A}}_{{\mathit{OA}}_{\mathbf{2}}}),$ s). Our scheme is perfectly private. □

5.3. Key Dependence

Theorem 6.

Our ABPS scheme has the key dependence property if the adversary cannot sign a message without the delegate warrant.

Proof .

Assume that there is a signature generated by an adversary ${\mathcal{A}}_4$ without a delegate warrant. Then, the challenger $\mathcal{C}$ can complete this proxy signature independently with non-negligible probability in polynomial time. This means that $\mathcal{C}$ wins.

Setup: The security parameter n is inputted, and $\mathcal{C}$ runs Algorithms 1 and 2 to generate $Params$ and $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$. Then, $\mathcal{C}$ sends $Params$ and $({\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}})$ to ${\mathcal{A}}_4$. $\mathcal{C}$ creates several empty lists, including L1. L1 records $(\mu ,$ ${\mathit{U}}_{\mu }$ = $H_1\left(\mu \right))$.

Query: ${\mathcal{A}}_4$ adaptively asks several queries of $\mathcal{C}$, and $\mathcal{C}$ answers these, directed toward ${\mathcal{A}}_4$.

• $H_1$ queries: ${\mathcal{A}}_4$ sends a message $\mu$ to $\mathcal{C}$, and $\mathcal{C}$ finds $\mu$ in L1. $\mathcal{C}$ returns the corresponding value ${\mathit{U}}_{\mu }$ to ${\mathcal{A}}_4$ when it is found. Otherwise, $\mathcal{C}$ selects a vector ${\mathit{U}}_{\mu }$∈ ${\mathbb{Z}}_q^n$ randomly, then restores $(\mu ,$ ${\mathit{U}}_{\mu })$ into L1 and returns ${\mathit{U}}_{\mu }$.
• Extract proxy signer queries: Because there is no warrant in this game, then $\mathcal{C}$ decides the key pair (${\mathit{A}}_{\mathit{P}},$ ${\mathit{T}}_{\mathit{P}}$) for the proxy signer’s signing key and informs ${\mathcal{A}}_4$.

Forgery: After these queries, ${\mathcal{A}}_4$ outputs a signature $si{g}_P$ of message ${\mu }^{*}$ with non-negligible probability. If it can pass Algorithms 7 and 8 during phase verification, then ${\mathcal{A}}_4$ wins the game.

However, there is no warrant and delegate information, so this signature cannot pass Algorithm 8. Furthermore, ${\mathcal{A}}_4$ owns the signing key without warrant information. Thus, this signature is only ${\mathcal{A}}_4$’s own signature, not a proxy signature, and therefore cannot pass Algorithm 7. $\mathcal{C}$ cannot complete the proxy signature scheme with the non-negligible probability of no delegation. Thus, this scheme has the key dependence property. □

6. Performance Evaluation

In this section, we compare our scheme with two IBPS schemes over a lattice and one ABPS scheme over bilinear pairings from three fields: computation costs, storage size and security properties.

6.1. Computational Cost

Firstly, we compare the computation costs of these schemes in Table 1 and define some notations as follows: $T_{SamplePre}$ is the execution time of a SamplePre() operation; $T_{mul}$ is the execution time of a polynomial multiplication; $T_{bpm}$ is the execution time of a scale multiplication of the bilinear pairing; $T_{bp}$ is the the execution time of a bilinear pairing operation; and $T_h$ is the execution time of a general hash function operation.

Table 1. A comparison of computation costs.

Scheme	Kim [22]	Zhu [1]	Sun [4]	Our Scheme
Signing cost	$2T_{SamplePre}$	$3T_{mul}+T_h$	$16T_{bpm}$	$2T_{SamplePre}$
Verify cost	$2n{T}_{mul}$	$4T_{mul}+4T_h$	$8T_{bp}+2T_{bpm}$	$2n{T}_{mul}$

The IBPS scheme from Kim [22] and our scheme use the same preimage sampling technique to sign the delegate warrant and achieve the signature, with a scheme signing cost of $2T_{SamplePre}$. The two signing lattices in Kim’s scheme are both ${\mathbb{Z}}_q^{n\times m}$, which resulted in a verification cost of $n{T}_{mul}+n{T}_{mul}=2n{T}_{mul}$. In our scheme, the lattices of the original signer and proxy signer are ${\mathbb{Z}}_q^{n\times (k+1)m}$ and ${\mathbb{Z}}_q^{n\times 2m}$, respectively. Thus, our scheme’s verification cost is also $2n{T}_{mul}$. The IBPS scheme from Zhu [1] uses the rejection sampling technique in the NTRU lattice, which has lower computation costs. Furthermore, the ABPS scheme from Sun [4] is built on bilinear pairings.

6.2. Storage

We compare the storage size of these schemes in Table 2 and define some notations as follows: OPK: the original signer’s public key size; OSK: the original signer’s secret key size; WS: the warrant’s size; PPK: the proxy signer’s public key size; PSK: the proxy signer’s secret key size; and SS: the signature size. In Kim’s scheme [22], $m\ge 6Nlogq$ and $q>2$. The parameters are denoted in Zhu’s scheme [1] as follows: $N\ge 2$, $q=Poly\left(N\right)$, $ϵ\in (0,\frac{lnN}{lnq})$ and $\sigma =N\sqrt{ln\left(8Nq\right)}{q}^{\frac{1}{2}+ϵ}$. Furthermore, in Sun’s scheme, $G_1$ is a cyclic group with a prime order p. $\lambda$ is a security parameter.

Table 2. A comparison of storage overheads.

Scheme	Kim [22]	Zhu [1]	Sun [4]	Our Scheme
OPK	$nmlog(\lambda +1)$	$Nlogq$	$|G_1|$	$(k+1)nmlog(\lambda +1)$
OSK	$m^{2}log(\lambda +1)$	$2Nlog\left(s\sqrt{N}\right)$	$2|G_1|$	$(k+1)m^{2}log(\lambda +1)$
WS	$m^{2}log(\lambda +1)$	$2Nlog\left(12\sigma \right)+N(log\lambda +1)$	$3|G_1|$	$(k+1)mlog(\lambda +1)$
PPK	$nmlog(\lambda +1)$	$Nlogq$	$|G_1|$	$2nmlog(\lambda +1)$
PSK	$m^{2}log(\lambda +1)$	$2Nlog\left(s\sqrt{N}\right)$	$6|G_1|$	$2m^{2}log(\lambda +1)$
SS	$2mlog(\lambda +1)$	$4Nlog\left(12\sigma \right)+2N(log\lambda +1)$	$5|G_1|$	$2mlog(\lambda +1)$

6.3. Security Properties

Finally, we compare the security properties of these schemes in Table 3, and some notations are defined as follows: EUF-CMA: existentially unforgeable against chosen-message attacks; EUF-sA-CMA: existentially unforgeable under selective attributes and adaptive chosen-message attacks; and SUF-CMA: strongly unforgeable against chosen-message attacks.

Table 3. A comparison of security properties.

Scheme	Kim [22]	Zhu [1]	Sun [4]	Our Scheme
Assumption	Lattice ISIS	NTRU R-SIS	Bilinear pairings	Lattice SIS
Provable security	Yes	Yes	Yes	Yes
Postquantum	Yes	Yes	No	Yes
Unforgeability	EUF-CMA	EUF-CMA	EUF-sA-CMA	SUF-CMA
Perfect Privacy	No	No	Yes	Yes

Among these schemes, Zhu’s scheme is constructed on an NTRU lattice. With the rejection sampling technique, their scheme has the lowest costs. Our ABPS scheme uses the preimage sampling and extending control technique of “bonsai trees” to ensure that the attribute can be protected in keys. This causes our scheme to have higher costs.

Notwithstanding, in Table 3, our scheme is strongly unforgeable under a chosen-message attack, whereas all others are existentially unforgeable under a chosen-message attack. Furthermore, our ABPS scheme has the perfect privacy property. Lastly, our scheme over a lattice can resist quantum attacks; thus, this scheme provides more robust security.

7. Conclusions

In this paper, we design an ABPS scheme that can resist quantum attacks. The new scheme allows a signer whose attributes satisfy the access structure to delegate their signing rights to other people. This scheme supplies many features, such as fine-grained access and perfect privacy. Then, based on the lattice SIS problem, we present the security proof of this scheme under the random oracle model. Finally, performance analysis was used to evaluate the computing, storage and security comparisons. The results show that our scheme has stronger unforgeability and is more secure. However, our solution still suffers from high computational and storage consumption. In the future, we will consider using the rejection sampling technique to implement the ABPS scheme. The rejection sampling technique can help to reduce the computational and storage costs compared with the preimage sampling technique.