# Efficient identity-based signature over NTRU lattice

## Abstract

Identity-based signature has become an important technique for lightweight authentication as soon as it was proposed in 1984. Thereafter, identity-based signature schemes based on the integer factorization problem and discrete logarithm problem were proposed one after another. Nevertheless, the rapid development of quantum computers makes them insecure. Recently, many efforts have been made to construct identity-based signatures over lattice assumptions against attacks in the quantum era. However, their efficiency is not very satisfactory. In this study, an efficient identity-based signature scheme is presented over the number theory research unit (NTRU) lattice assumption. The new scheme is more efficient than other lattice- and identity-based signature schemes. The new scheme proves to be unforgeable against the adaptively chosen message attack in the random oracle model under the hardness of the γ-shortest vector problem on the NTRU lattice.

## Keywords

Identity Signature Lattice Number theory research unit (NTRU)## CLC number

TP309.7## 1 Introduction

Digital signatures are the cornerstones of e-business, e-government, software security, and other applications. Their importance is increasing as increasing numbers of tasks and processes are computerized every day. In the most basic form, each user in the digital signature system generates his/her own key pair consisting of a public key and a corresponding private key, and the user is assumed to be uniquely identified by his/her public key. However, the cost associated with public key infrastructures and certificates is huge.

To simplify the key management procedures of certificated-based public key infrastructures, an identity-based signature (IBS) scheme was proposed by Shamir (1984). Since then, several IBS schemes have been proposed based on the integer factorization problem, such as the first IBS scheme (Desmedt and Quisquater, 1987), a new realization scheme (Tanaka, 1987), the IBS scheme in Tsuji and Itoh (1989), and an identity-based noninteractive public-key distribution system (Maurer and Yacobi, 1991). However, the first fully practical IBS was proposed by Boneh and Franklin (2001) based on bilinear pairings. Thereafter, many excellent proposals for IBS based on pairings appeared, such as the IBS proposed by Hess (2003), the efficient IBS scheme proposed by Paterson and Schuldt (2006), and the signature scheme proposed by Barreto *et al.* (2005). These IBS proposals were very efficient for practical applications, and they all substantially relied on the discrete logarithm problem. However, Shor (1997) indicated that the discrete logarithm problem and the integer factorization problem would no longer be hard when quantum computers come into reality. In view of the recent progress in quantum computers, looking for a quantum-immune IBS scheme is very crucial (Krenn *et al.*, 2014).

Lattice seems to be the best candidate because cryptographie schemes based on lattices are supported by the worst-case hardness assumption, and Bernstein (2009) has conjectured that lattice can withstand quantum attacks. What is more, lattice-based cryptographic schemes are easy to implement because typical computations involved in them are only integer matrix-vector multiplication and modular addition (refer to Micciancio and Regev (2006) for an overview on lattice-based cryptography). Rückert (2010) successfully constructed the first two (hierarchical) IBS schemes over lattice assumptions. One is secure in the random oracle model, and the other in the standard model. Some other lattice-based IBS schemes appeared later on, such as the identity-based signcryption (Li *et al.*, 2012), the efficient IBS proposed by Tian *et al.* (2013), the efficient and strongly unforgeable IBS (Liu *et al.*, 2013), and the efficient lattice-based IBS (Tian and Huang, 2014). Nevertheless, the efficiency of these lattice-based IBS schemes is not very satisfactory. As is well known, the number theory research unit (NTRU) lattice is the most efficient lattice. So, the IBS scheme on an NTRU lattice may be a good attempt.

Inspired by the identity-based encryption (IBE) scheme (Ducas *et al.*, 2014), we propose the first efficient IBS scheme based on the small integer solution (SIS) problem over the NTRU lattice. Since the NTRU lattice features reasonable simplicity, easily created keys, high speed, and low memory requirements, it is believed that the cryptosystems over the NTRU lattice are always more efficient than those over the general lattice. Actually, compared with other lattice-based IBS schemes, our scheme is more efficient. And it is proved that the IBS scheme is secure against adaptively chosen message and adaptively chosen identity attacks in the random oracle model under the SIS assumption over the NTRU lattice, which in turn leads our IBS scheme to be secure under the hardness of the *γ*-shortest vector problem (*γ*-SVP).

## 2 Preliminaries

### 2.1 Notation

#### 2.1.1 The ring \({\mathbb{Z}_q}[x]/({x^N} + 1)\)

Throughout this study, the security parameter *N*=2^{ t } is an integer larger than 8. ℝ and ℤ are the real and integer spaces, respectively. We will work in the ring \(R = \mathbb{Z}[x]/({x^N} + 1)\) and ring \({R_q} = {\mathbb{Z}_q}[x]/({x^N} + 1)\), where the prime *q* is larger than 5. It is also satisfied that *x*^{ N }+1 can be split into *k*_{ q } irreducible factors modulo prime *q*. *R*^{×} denotes the set of invertible elements in *R*. Vectors will be denoted by bold lower-case letters in italics (e.g., * x*), and matrices will be denoted by bold capital letters in italics (e.g.,

*). The inner product of two vectors*

**X***and*

**x***will be denoted by <*

**y***>. For*

**x, y***∈ℝ*

**x**^{ N }, ∥

*∥ denotes the Euclidean norm of*

**x***x*.

Let \(f = \sum\nolimits_{i = 0}^{N - 1} {{f_i}} {x^i}\quad {\rm{and}}\quad g = \sum\nolimits_{i = 0}^{N - 1} {{g_i}} {x^i}\) be polynomials in *R*. *fg* denotes the polynomial multiplication in \(R,{f^\ast}g = fg\bmod ({x^N} + 1)\), and \((f,g) \in {\mathbb{R}^{2N}} = {R^{1 \times 2}}\) is the concatenation of *f* and *g*.

#### 2.1.2 Anticirculant matrices

**Definition 1**(Anticirculant matrices) An

*N*-dimensional anticirculant matrix of

*f*is the following Toeplitz matrix:

*N*, and just write

*(*

**C***f*).

### 2.2 Lattices

An *N*-dimensional lattice is a full-rank discrete subgroup of ℝ^{ N }. Here, we focus on the NTRU lattice.

**Definition 2**(NTRU lattice) Let

*q*be a prime larger than 5 and

*N*an integer which is a power of 2, and

*f*,

*g*∈

*R*(

*f*is invertible modulo

*q*). Let

*h*=(

*g*×

*f*

^{−1}mod

*q*). The NTRU lattice associated with

*h*and

*q*is \({\Lambda_{h,q}} = \{ (u,v) \in {R^2}:\;u + v \times h = 0\;(\bmod \;q)\}\). Here,

*Λ*

_{ h,q }is a full-rank lattice of ℝ

^{2N}generated by the row of

**I**_{ N }and

**O**_{ N }are the

*N*×

*N*unit matrix and

*N*×

*N*null matrix, respectively.

### 2.3 Gaussians on lattices

Gaussian sampling was introduced by Gentry *et al.* (2008) as a technique to use a short basis as a trapdoor without leaking any information about the short basis. The discrete Gaussian distribution on lattice is defined as follows:

**Definition 3**(Discrete Gaussian distribution) For any

*s*>0,

*∈ℝ*

**c**^{ N }, define the

*N*-dimensional Gaussian function

*ρ*

_{ s,c }: ℝ

^{ N }→(0, 1] as

*ρ*

_{s,0}(

*) and \({D_{\Lambda ,s,c}}(x)\) will be abbreviated as*

**x***ρ*

_{ s }(

*) and*

**x***ρ*

_{Λ,s}(

*), respectively.*

**x**In the following lemmas, we review several well-known facts about discrete Gaussian distribution.

**Lemma 1**(Nguyen and Regev, 2006) Given any

*N*-dimensional lattice

*Λ*, center

*∈ℝ*

**c**^{ N },

*ε*>0, and

*s*>2

*η*+(

*Λ*), for any x

**e**A, we have

*η*

_{ ε }(

*Λ*) is the smoothing parameter of the lattice

*Λ*. For

*ε*<1/3, the minimum entropy of

*D*

_{ Λ,s,c }(

*) is at least*

**x***N*−1.

**Lemma 2**For any

*σ*>0 and positive integer

*m*, the probability that the following event occurs satisfies

**Lemma 3**(Lyubashevsky, 2012) For any

*∈ℤ*

**v**^{ m }and positive real

*α*, if \(\sigma = \omega (\left\Vert v \right\Vert \sqrt {\log m} )\) where

*ω*(·) is the non-asymptotic tight lower bound, we have

To obtain the vectors following a discrete Gaussian distribution, we introduce the Gaussian sampler algorithm in Algorithm

.In Algorithm \(\tilde B = {({\tilde b_i})_{i \in N}}\) is the Gram-Schmidt orthogonalization of * B*, and the procedure \({\rm{Sample}}\_Z(\sigma_i^\prime ,c_i^\prime )\) samples a one-dimensional vector from Gaussian distribution \({D_{\mathbb{Z},\sigma \prime ,c\prime}}\).

### 2.4 Rejection sampling technique

Rejection sampling was first proposed by Lyubashevsky (2012). The core idea of the rejection sampling technique for a signature scheme is to make the distribution of the output signatures independent of the signing key (Algorithm ).

### 2.5 Hardness assumption

Our signature scheme is based on the SIS problem on the NTRU lattice.

**Definition 4** (SIS over ring \(R - {\rm{SIS}}_{q,m,\beta}^\phi\)) The small integer solution problem on ring with parameters *q*, *m*, *β*, and φ is defined as follows: given *m* polynomials *α*_{1}, *α*_{2}, …, *α*_{ m } chosen uniformly and independently in \({R_q} = {\mathbb{Z}_q}[x]/(\phi )\), finding the solution *t*∈**a**^{⊥}0 which satisfies the condition \(\Vert t\Vert \leq \beta\), where \({a^\bot}:\{ ({t_1},{t_2}, \ldots ,{t_m}) \in {R^m}:\sum\nolimits_i {{t_i}{a_i}} = 0\;(\bmod \;q)\}{.}\)

When *f* and *g* are chosen according to Algorithm , Theorem 4.1 in Stehlé and Steinfeld (2013) shows that the statistical distance between the distribution of *h*=*g*/*f* and the uniform distribution of *R*^{×} is \({2^{10N}}{q^{ - \left\lfloor {\varepsilon N} \right\rfloor}}\), which is negligible. So, the SIS on the NTRU lattice can be defined in the following manner:

**Definition 5** (SIS on the NTRU lattice, namely \(R - {\rm{SIS}}_{q,1,2,\beta}^\kappa\)) A way to state the SIS problem on the NTRU lattice is to set \(R = \mathbb{Z}[x]/({x^N} + 1\)) and let *κ* be the distribution that picks small *f* and *g* according to Algorithm , \({A_{h,q}} = (h,1) \in R_q^{1 \times 2}\), and *h*=*g*/*f*. So, the SIS on the NTRU lattice is to find (*z*_{1}, *z*_{2}) that satisfies the conditions \({A_{h,q}}{({z_1},{z_2})^{\rm{T}}} = 0\) (mod *q*) and \(\left\Vert {({z_1},{z_2})} \right\Vert \leq \beta\).

**Definition 6** (SVP on the NTRU lattice) For the NTRU lattice *Λ*_{ h,q } generated by the basis **A**_{h,q}, the SVP on this lattice is to find the vector \((u,v) \in {\Lambda_{h,q}}\) such that \(\left\Vert {(u,v)} \right\Vert \leq \left\Vert {(s,t)} \right\Vert ,\;\forall (s,t) \in {\Lambda_{h,q}}\). So, *γ*-SVP is to find the vector \((u,\;\;v) \in {\Lambda_{h,q}}\) such that \(\left\Vert {(u,\;\;v)} \right\Vert \leq \gamma {\lambda_1}({\Lambda_{h,q}})\), where *λ*_{1}(*Λ*_{ h,q }) is the successive minimum of *Λ*_{ h,q }.

According to Definitions 5 and 6, we know that the SIS problem on the NTRU lattice is equal to the approximate SVP on the NTRU lattice when \(\gamma = \beta /{\lambda_1}({\Lambda_{h,q}})\). So, the new IBS signature scheme is based on the hardness of *γ*-SVP on the NTRU lattice against polynomial time algorithms.

## 3 Syntax and the proposed IBS scheme

### 3.1 Syntax

**Definition 7**(IBS scheme) An IBS scheme has five probabilistic polynomial time algorithms (Setup, Extract, Master_Keygen, Signature, and Verification), where

- 1.
Setup(

*λ*): a randomized algorithm that takes a security parameter*λ*as input and outputs the system-wide public parameter pp; - 2.
Master_Keygen(pp): on input of the public parameter pp, the algorithm outputs the master public/private keys (msk, mpk);

- 3.
Extract(id, msk, mpk): taking the identity id and the master public/private key pair (msk, mpk) as input, this algorithm produces the private key sk

_{id}of the identity id and sends it to id; - 4.
Signature(id,

*μ*, mpk, sk_{id}): given the identity id, the master public key mpk, the message*μ*, and the private key sk_{id}of the identity id as input, this algorithm subsequently outputs the signature sig of message*μ*; - 5.
Verification(id,

*μ*, sig): on input of the identity id, the message*μ*, and the signature sig, the deterministic algorithm outputs 1 when the verification is correct, and outputs 0 otherwise.

### 3.2 The proposed IBS scheme

- 1.Setup(
*N*): on input of the security parameter*N*, this algorithm outputs the public parameters as follows:where Poly($$q = {\rm{Poly}}(N),\;\varepsilon \in \left( {0,{{\ln N} \over {\ln q}}} \right),\;s = \tilde \Omega ({N^{3/2}}\sigma ),$$*N*) is the polynomial function of security parameter*N*and \(\tilde \Omega (\cdot)\) the asymptotic lower bound. If*k*_{ q }=*N*>2, we have \(\sigma = N\sqrt {\ln (8Nq)} {\cdot q^{1/2 + \varepsilon}}\) and \({q^{1/2 - \varepsilon}} = \tilde \Omega ({N^{7/2}})\); if*k*_{ q }=2, we have \(\sigma = \sqrt {N\ln (8Nq)} {\cdot q^{1/2 + \varepsilon}}\) and \({q^{1/2 - \varepsilon}} = \tilde \Omega ({N^3})\). - 2.
Master_Keygen(

*N*,*q*), as shown in Algorithm . - 3.
Extract(

, id), as shown in Algorithm .**B** - 4.
Signature(id,

*μ*), as shown in Algorithm . - 5.
Verification(id,

*μ*, (*z*_{1},*z*_{2},*u*)), as shown in Algorithm .

## 4 Analysis of the proposed IBS scheme

### 4.1 Correctness

To retain the correctness of the proposed IBS scheme, we have taken the same parameters as the ones in the presample function (Stehlé and Steinfeld, 2013) and set \(H\prime :{\{ 0,1\} ^\ast} \rightarrow v \in \mathbb{Z}_q^N\), where the coefficients of the polynomial *v* are the integers in [−1, 1]. So, the signature (Lyubashevsky, 2012) can run correctly.

**Theorem 1** The IBS scheme proposed in Section 3.2 satisfies correctness.

**Proof**According to the construction of the IBS scheme, we know that

*s*

_{1}+

*s*

_{2}*

*h*=

*H*(id), we have

By simply combining the rejection sampling technique described in Lemma 3, it is obvious that the distribution of *z*_{ i } is very close to \({D_{{\mathbb{Z}^N},s}}\). Therefore, by Lemma 2, we have \(\left\Vert {{z_i}} \right\Vert \leq 2s\sqrt N\) with a probability of at least 1–2^{−N}. Then, the inequality \(\left\Vert {({z_1},\;{z_2})} \right\Vert \leq 2s\sqrt {2N}\) is with an overwhelming probability.

### 4.2 Analysis of security

**Theorem 2** The proposed IBS scheme is existentially unforgeable against adaptively chosen message and adaptively chosen identity attacks in the random oracle model, assuming the hardness of *γ*-SVP on the NTRU lattice against polynomial time algorithms on the NTRU lattice.

**Proof**Assuming there is an adversary

*A*which can break the existentially unforgeable IBS scheme with nonnegligible probability

*ε*=

*ε*(

*N*), we can construct a polynomial-time challenger

*C*that breaks

*γ*-SVP on the NTRU lattice with a nonnegligible probability close to

*ε*=

*ε*(

*N*). The interactions between

*A*and

*C*are described as the following:

- 1.
Set up: taking security parameter

*N*as the input, challenger*C*randomly chooses a polynomial \(h \in R_q^\times\) and two hash functions*H*and*H′*. Then*C*sends the public parameters pp={*h*,*H*,*H′*} to the adversary*A*. - 2.Query: adversary
*A*can adaptively query in the following ways. In general, we assume that adversary*A*has to query the random oracle*H*for id before it makes the other queries. We assume that*A*can make hash query*H*(id) and extract query for identity id only once.- (1)
*H*hash function query (namely, id_{ i }hash function query): at the beginning,*C*keeps a list of identity queries, ID-list, which is empty initially. For an identity id_{ i }’s query,*C*looks up the ID-list to find id_{ i }. If id_{ i }is found in the list,*C*provides the hash*H*(id_{ i }) corresponding to*A*. Otherwise, id; is fresh, and*C*picks uniformly random \({s_{i1}},{s_{i2}} \in {D_{{\mathbb{Z}^N},s}}\). Then*C*computes the polynomial \({P_{{\rm{i}}{{\rm{d}}_i}}} = {s_{i1}} + {h^\ast}{s_{i2}}\) and stores \(({\rm{i}}{{\rm{d}}_i},\;\;{P_{{\rm{i}}{{\rm{d}}_i}}},\quad {\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}} = ({s_{i1}},{s_{i2}}))\) in the ID-list. Finally,*C*sends \({P_{{\rm{i}}{{\rm{d}}_i}}}\) to*A*as the response to id_{ i }. - (2)
Extract query: given id

_{ i },*C*looks up the ID-list to find \({\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}}\)corresponding to id;, and sends \({\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}}\) to*A*. - (3)
Signature query: to obtain the signature of message

*μ*_{ j }∈{0, 1}* by the user id_{ i },*A*sends (id_{ i },*μ*_{ j }) to*C*. After receiving the query,*C*looks up the ID-list for \({\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}}\) and chooses \({y_{j1}},{y_{j2}} \leftarrow {D_{{\mathbb{Z}^N},s}}\). Then*C*runs Algorithm . Finally,*C*sends ((*z*_{ j }_{1},*z*_{ j }_{2}),*u*_{ j })=Signature(id_{ j },*μ*_{ j }) to*A*and stores \(({\mu_j},\;\;{\rm{i}}{{\rm{d}}_i},\;\;({y_{j1}},{y_{j2}}))\), \({\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}},\;\;{u_j},\;\;({z_{j1}},\;\;{z_{j2}})\) in a list of signature queries, SIGN-list. - (4)
*H′*hash function query: when*A*sends*μ*_{ j }to*C*for*H′*hash query,*C*finds the corresponding*μ*_{ j }in the SIGN-list and sends it to*A*.

- (1)
- 3.
Forgery: after finishing the queries listed above,

*A*outputs a forgery \(((z_{{j^\ast}1}^\prime ,z_{{j^\ast}2}^\prime ),u_{{j^\ast}}^\prime )\) for \(({\rm{i}}{{\rm{d}}_i},{\mu_{{j^\ast}}})\) with a nonnegligible probability.

Now, without loss of generality, assume that before outputting the attempted forgery signature \(((z_{{j^\ast}1}^\prime ,z_{{j^\ast}2}^\prime ),u_{{j^\ast}}^\prime )\), *A* has made a signature query for \(({\rm{i}}{{\rm{d}}_i},{\mu_{{j^\ast}}})\), where *i* ≠ *j**.

*C*can solve the SIS on the NTRU lattice as follows:

- 1.
*C*obtains \({\rm{s}}{{\rm{k}}_{{\rm{i}}{{\rm{d}}_i}}}\) and \(u_{{j^\ast}}^\prime ,({y_{{j^\ast}1}},{y_{{j^\ast}2}})\) from the SIGN-list. - 2.So, \({z_{{j^\ast}1}} = {s_{i1}}^\ast {u_{{j^\ast}}} + {y_{{j^\ast}1}},\;{z_{{j^\ast}2}} = {s_{i2}}^\ast {u_{{j^\ast}}} + {y_{{j^\ast}2}}\), and \({z_{{j^\ast}1}} + {z_{{j^\ast}2}}^\ast h - H({\rm{i}}{{\rm{d}}_i}){u_{{j^\ast}}}\) are computed by
*C*. Then*C*checks whetherOtherwise, there is a collision of hash function$$\begin{array}{*{20}c}{z_{{j^\ast}1}^\prime + {z_{{j^\ast}1}^\prime}^\ast h - H({\rm{i}}{{\rm{d}}_i}){u_{{j^\ast}}} = {z_{{j^\ast}1}} + {z_{{j^\ast}2}}^\ast h - H({\rm{i}}{{\rm{d}}_i}){u_{{j^\ast}}}} \\ {\quad \quad \quad \quad \quad = {y_{{j^\ast}1}} + {h^\ast}{y_{{j^\ast}2}}{.}} \end{array}$$*H*. - 3.
If the inequality \(({z_{{j^\ast}1}},{z_{{j^\ast}2}}) \neq (z_{{j^\ast}1}^\prime ,z_{{j^\ast}2}^\prime )\) holds, \(({z_{{j^\ast}1}} - z_{{j^\ast}1}^\prime ,{z_{{j^\ast}2}} - z_{{j^\ast}2}^\prime )\) is one solution to SIS on the NTRU lattice.

We analyze the advantage of *C* in the following. As discussed above, *C* wins the game if and only if (1) *A* has successfully given a forgery \(((z_{{j^\ast}1}^\prime ,z_{{j^\ast}2}^\prime ),u_{{j^\ast}}^\prime )\) and (2) \(({z_{{j^\ast}1}},{z_{{j^\ast}2}}) \neq (z_{{j^\ast}1}^\prime ,z_{{j^\ast}2}^\prime )\).

Combining Lemma 1 and Property 4 of Collision-Resistant preimage sampleable functions (Lyubashevsky, 2012), the probability that *C* can solve the SIS on the NTRU lattice is at least \((1 - {2^{ - \omega (\log N)}})\varepsilon\). Using the choice of \(\beta = 4s\sqrt {2N}\), we obtain a polynomial time algorithm for *γ*-SVP on the NTRU lattice with \(\gamma = \beta /{\lambda_1}({\Lambda_{h,q}})\), where *λ*_{1}(*Λ*_{ h,q }) is the shortest vector of lattice \({\Lambda_{h,q}}\).

### 4.3 Efficiency

As known, the efficient lattice-based IBS schemes are those that are secure in the random oracle model, e.g., the IBS schemes proposed by Rückert (2010) and Tian and Huang (2014), respectively.

*N*. Here,

*c*is the bit length of all identities in the Rückert scheme;

*X*and

*k*are positive integers;

*m*is an integer, \(m > 5N\log q\), \(\bar s = \hat s\sqrt {(c + 1)m} \omega (\sqrt {\log N} )\), \(s = {N^{5/2}}\sqrt {2q} \omega (\sqrt {\log N} )\), \(\hat s = \sqrt m \omega (\sqrt {\log N} ),\quad \hat \sigma = 12s\lambda m\), \(\sigma = 12\lambda \hat sN\). One can easily find that the signing key size and the signature length of Tian and Huang (2014) are considerably smaller than those of Rückert (2010). Thus, we compare only the concrete instances between the scheme of Tian and Huang (2014) and the new scheme in Table 2, to prove that the new scheme has the shortest signing key and signature size.

Comparison of the communication overhead among several lattice-based IBS schemes

Scheme | Signing key size (bit) | Signature size (bit) |
---|---|---|

Rückert (2010) | \({(m(c + 1))^2}\log (\bar s\sqrt {(c + 1)m} )\) | \(m(c + 1)\log (\overline s \sqrt {(c + 1)m} ) + N\) |

Tian | \(mk\log (\hat s\sqrt m )\) | \(m\log (12\hat \sigma ) + k(\log \lambda + 1)\) |

This work | \(2N\log (s\sqrt N )\) | \(2N\log (12\sigma ) + N(\log \lambda + 1)\) |

Comparison of the concrete instances

Instance | | | | | Approximate private key size (bit) | Approximate signature size (bit) | ||
---|---|---|---|---|---|---|---|---|

Tian | New scheme | Tian | New scheme | |||||

1 | 512 | 227 | 80 | 28 | 97 662 557 | 38 999 | 2 604 731 | 54 237 |

2 | 512 | 225 | 512 | 14 | 575 102 845 | 37 975 | 2 339 160 | 51 677 |

3 | 512 | 233 | 512 | 14 | 776 460 530 | 42 071 | 805 029 461 | 55 773 |

4 | 512 | 218 | 512 | 14 | 402 892 589 | 34 391 | 1 652 126 | 48 093 |

5 | 512 | 226 | 512 | 14 | 600 035 269 | 38 487 | 2 438 277 | 52 189 |

In terms of computation complexity, the signing and verification algorithm of the new scheme and the IBS in Tian and Huang (2014) are more efficient because they take only matrix-vector multiplication, integer addition, and hash operations, whereas Rückert (2010)’s scheme needs to run the more complicated presample algorithm.

Therefore, our IBS scheme is more efficient than other lattice-based ones in terms of communication and computation overhead.

## 5 Conclusions

With the development of quantum computers, constructing a quantum-secure efficient IBS scheme has become a priority. Lattice is one of the existing quantum-secure cryptographic primitive. However, the existing lattice-based IBS scheme is not entirely satisfactory. We have presented an efficient IBS scheme based on the hardness of the *γ*-SVP on the NTRU lattice. The proposed scheme is existentially unforgeable in the random oracle model. Moreover, the new IBS scheme is more efficient than other lattice-based IBS schemes.

We intend to investigate the construction of an efficient lattice (hierarchical) IBS scheme, which is strongly existentially unforgeable under adaptively chosen identity and adaptively chosen message attacks in the standard model, in our future work.

## References

- Babai, L., 1986. On Lovász’ lattice reduction and the nearest lattice point problem.
*Combinatorica*,**6**(1):1–13. http://dx.doi.org/10.1007/BF02579403MathSciNetCrossRefGoogle Scholar - Barreto, P.S.L.M., Libert, B., McCullagh, N.,
*et al.*, 2005. Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. 11th Int. Conf. on the Theory and Application of Cryptology and Information Security, p.515–532. http://dx.doi.org/10.1007/11593447_28Google Scholar - Bernstein, D.J., 2009. Introduction to post-quantum cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (Eds.), Post-Quantum Cryptography. Springer-Verlag, Berlin, p.1–14. http://dx.doi.org/10.1007/978-3-540-88702-7_1CrossRefzbMATHGoogle Scholar
- Boneh, D., Franklin, M., 2001. Identity based encryption from the Weil pairing. 21st Annual Int. Cryptology Conf., p.213–229. http://dx.doi.org/10.1007/3-540-44647-8_13Google Scholar
- Desmedt, Y., Quisquater, J.J., 1987. Public-key systems based on the difficulty of tampering (Is there a difference between DES and RSA?).
*LNCS*,**263**:111–111. http://dx.doi.org/10.1007/3-540-47721-7_9MathSciNetGoogle Scholar - Ducas, L., Lyubashevsky, V., Prest, T., 2014. Efficient identity-based encryption over NTRU lattice. 20th Int. Conf. on the Theory and Application of Cryptology and Information Security, p.22–41. http://dx.doi.org/10.1007/978-3-662-45608-8_2Google Scholar
- Gentry, C., Peikert, C., Vaikuntanathan, V., 2008. Trapdoors for hard lattices and new cryptographic constructions. 40th Annual ACM Symp. on Theory of Computing, p.197–206. http://dx.doi.org/10.1145/1374376.1374407Google Scholar
- Hess, F., 2003. Efficient identity based signature schemes based on pairings. 9th Annual Int. Workshop on Selected Areas in Cryptography, p.310–324. http://dx.doi.org/10.1007/3-540-36492-7_20CrossRefGoogle Scholar
- Krenn, M., Huber, M., Fickler, R.,
*et al.*, 2014. Generation and confirmation of a (100×100)-dimensional entangled quantum system.*PNAS*,**111**(17):6243–6247. http://dx.doi.org/10.1073/pnas.1402365111CrossRefGoogle Scholar - Li, F.G., Muhaya, F.T.B., Khan, M.K.,
*et al.*, 2012. Latticebased signcryption.*Concurr. Comput. Pract. Exp.*,**25**(14):2112–2122. http://dx.doi.org/10.1002/cpe.2826CrossRefGoogle Scholar - Liu, Z.H., Hu, Y.P., Zhang, X.S.,
*et al.*, 2013. Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model.*Secur. Commun. Network.*,**6**(1):69–77. http://dx.doi.org/10.1002/sec.531CrossRefGoogle Scholar - Lyubashevsky, V., 2012. Lattice signatures without trapdoors. 31st Annual Int. Conf. on the Theory and Applications of Cryptographic Techniques, p.738–755. http://dx.doi.org/10.1007/978-3-642-29011-4_43Google Scholar
- Maurer, U.M., Yacobi, Y., 1991. Non-interactive public-key cryptography. Workshop on the Theory and Application of Cryptographic Techniques, p.498–507. http://dx.doi.org/10.1007/3-540-46416-6_43Google Scholar
- Micciancio, D., Regev, O., 2009. Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (Eds.), Post-Quantum Cryptography. Springer-Verlag, Berlin, p.147-191. http://dx.doi.org/10.1007/978-3-540-88702-7_5zbMATHGoogle Scholar
- Nguyen, P.Q., Regev, O., 2006. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. 24th Annual Int. Conf. on the Theory and Applications of Cryptographic Techniques, p.271–288. http://dx.doi.org/10.1007/11761679_17Google Scholar
- Paterson, K.G., Schuldt, J.C.N., 2006. Efficient identity-based signatures secure in the standard model. 11th Australasian Conf. on Information Security and Privacy, p.207–222. http://dx.doi.org/10.1007/11780656_18CrossRefGoogle Scholar
- Rückert, M., 2010. Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. Proc. 3rd Int. Workshop on PQCrypto, p.182–200. http://dx.doi.org/10.1007/978-3-642-12929-2_14CrossRefGoogle Scholar
- Shamir, A., 1984. Identity-based cryptosystems and signature schemes. Proc. CRYPTO, p.47–53. http://dx.doi.org/10.1007/3-540-39568-7_5
- Shor, P.W., 1997. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.
*SIAM J. Comput.*,**26**(5):1484–1509. http://dx.doi.org/10.1137/S0097539795293172MathSciNetCrossRefGoogle Scholar - Stehlé, D., Steinfeld, R., 2013. Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive 2013/004. Available from http://eprint.iacr.org/2013/004.Google Scholar
- Tanaka, H., 1987. A realization scheme for the identity-based cryptosystem. CRYPTO, p.341–349. http://dx.doi.org/10.1007/3-540-48184-2_29Google Scholar
- Tian, M.M., Huang, L.S., 2014. Efficient identity-based signature from lattices. Proc. 29th IFIP TC 11 Int. Conf., p.321–329. http://dx.doi.org/10.1007/978-3-642-55415-5_26Google Scholar
- Tian, M.M., Huang, L.S., Yang, W., 2013. Efficient hierachical identity-based signatures from lattices.
*Int. J. Electron. Secur. Dig. Forens.*,**5**(1):1–10. http://dx.doi.org/10.1504/IJESDF.2013.054403CrossRefGoogle Scholar - Tsuji, S., Itoh, T., 1989. An ID-based cryptosystem based on the discrete logarithm problem.
*IEEE J. Sel. Areas Commun.*,**7**(4):467–473. http://dx.doi.org/10.1109/49.17709CrossRefGoogle Scholar