An Identity-Based Anti-Quantum Privacy-Preserving Blind Authentication in Wireless Sensor Networks

With the development of wireless sensor networks, IoT devices have become crucial to the Smart City; they change people's lives through services such as e-payment and e-voting. However, the state-of-the-art authentication protocols used in these two kinds of systems are built on traditional number theory and cannot withstand an attack by a quantum computer. In order to protect user privacy and guarantee the trustworthiness of big data, we propose a new identity-based blind signature scheme over the NTRU lattice. Instead of constructing a trapdoor, the scheme relies on the rejection sampling theorem. It does not depend on a complex public key infrastructure and resists quantum computer attacks. We then design an e-payment protocol using the proposed scheme. Furthermore, we prove the scheme secure in the random oracle model and show that it satisfies confidentiality, integrity, and non-repudiation. Finally, we demonstrate that the proposed scheme outperforms the existing identity-based blind signature schemes based on traditional number theory in signing and verification speed, and outperforms the existing lattice-based blind signature schemes in signing speed, verification speed, and signing secret key size.


Introduction
With the development of wireless sensor networks, Internet of Things (IoT) devices play an important role in smart cities, and IoT devices in e-payment and e-voting services are crucial for modernisation [1][2][3]. Meanwhile, the large amount of data generated by these devices faces security and privacy threats, since the state-of-the-art authentication protocols in e-payment and e-voting systems can be broken by quantum computers [4]. In e-payment and e-voting systems, the blind signature (BS) is the primitive that protects user privacy and guarantees the trustworthiness of big data in the cloud [5][6][7][8]; however, the existing BS schemes are based on traditional number theory and can be broken by a quantum computer.
BS was first introduced by Chaum, and many BS schemes based on number theory followed [9]. The first factoring-based BS scheme, built on RSA, was proposed by Chaum; it protects the payer, but its security was not proved. Later, Bellare et al. formalized the underlying RSA hardness assumption and, based on it, proved the security of Chaum's scheme. Camenisch, Koprowski et al. then proposed a provably secure RSA-based scheme in the standard model. However, all of these schemes need long keys to guarantee security.
To overcome the shortcomings of factoring-based BS schemes, BS schemes based on the discrete logarithm problem (DLP) were proposed for their short keys and high security. Chaum et al. proposed an e-wallet, and Okamoto later proposed a BS scheme based on the DLP. However, these schemes were not proven secure and only satisfy blindness; Pointcheval et al. were the first to consider unforgeability.
After that, researchers turned to provably secure BS schemes based on bilinear pairings. Boldyreva proposed a BS scheme under the GDH assumption that outperformed the existing schemes in both properties and efficiency. Later, Okamoto proposed a BS scheme under the 2SDH assumption, which is stronger than the SDH assumption. However, the efficiency of these pairing-based schemes is low.
Meanwhile, all the schemes outlined above depend on a Public Key Infrastructure (PKI). To simplify the key management of PKI, the identity-based signature (IDS) was first presented by Shamir: in an IDS scheme a user's public key is derived directly from his identity, and his private key is issued from that identity by a trusted authority holding the master key. It was not until 2001 that Boneh et al. proposed an efficient IDS scheme whose security rests on bilinear pairings, and further pairing-based IDS schemes followed. Combining BS with identity-based signatures, Zhang et al. presented the first identity-based BS (IDBS) scheme, whose security is based on a hard problem in bilinear pairings; the scheme is secure and efficient, but its computation cost is still too high. Later, a new IDBS based on the DLP was presented whose running time and signature size were significantly improved [10]. However, these schemes still face the threat of quantum computer attacks [4].
Thus, lattice-based IDBS schemes are the natural replacement, since lattice problems are efficient and believed to resist quantum computer attacks [11,12]. In this paper, a lattice-based IDBS scheme is proposed that exploits the advantages of the NTRU lattice: high efficiency, extremely compact keys, and sufficient security once properly parameterized.
Then we prove that the proposed scheme satisfies confidentiality, integrity, and non-repudiation. (3) We compare the performance of our IDBS-NTRU scheme with that of other IDBS schemes:
• Compared with existing traditional IDBS schemes, its signing speed is faster and its number of moves is smaller, while its signing secret key and signature size are larger than those of the pairing- and DLP-based schemes.
• Compared with existing lattice-based BS schemes, its signing speed is faster than all of them, its number of moves is smaller than those of the Rückert and ZM schemes, its signing secret key is smaller than that of any other lattice-based scheme, and its signature is shorter than that of the Rückert scheme.
Organization. Section 2 presents the definitions of the NTRU lattice and of IDBS. Section 3 shows how to design an IDBS scheme. Section 4 proves the security of the proposed IDBS and compares its performance with existing IDBS schemes. Lastly, we conclude the paper in Section 5.

The Applications for BS
With the development of big data, characterized by volume, variety, velocity, value, veracity, variability, viscosity, and virality, organizations deploy services such as e-payment and e-voting systems to the cloud [16][17][18]. In these systems the BS scheme plays an important role, because it protects user anonymity without encrypting all the data and searching over ciphertexts [19][20][21]. In addition, scholars have proposed methods to protect security in the cloud [22][23][24][25], which provide new ways to put our scheme into practice.
Meanwhile, scholars have proposed methods for complex event analysis that can be used to improve the security of these cloud services and applications [26,27]. We briefly describe the e-payment and e-voting systems as follows.

E-payment system: A, B, T, and Ba denote the buyer, the merchant, the trusted third party, and the bank respectively; Ba-A and Ba-B are the banks of A and B. The e-payment process is shown in Figure 1 [4]. In the beginning, T produces and delivers keys for all the banks, and A and B each open an account at their bank. The details are as follows: A logs into his account, draws e-cash $m$ from Ba-A, blinds $m$ with a blind factor $f$, and obtains $m'$. Ba-A signs $m'$ and sends the signature $\sigma'$ to A [28]. A unblinds $\sigma'$ with $f$ and obtains $\sigma$. A sends the tuple $\langle m, \sigma \rangle$ to B. B verifies whether it is valid; if it is, he forwards the tuple to Ba-B, and Ba-B deposits the money in B's account.

Figure 1. Blind authentication in an e-payment system.

E-voting system: the voter, registrar, administrator, tallier, nominators, and validator are denoted as vo, re, ad, ta, no, and va respectively. The protocol is shown in Figure 2 [4]: vo sends his id to re, who checks whether vo is eligible. If he is, vo sends two nominators to ad, who checks whether they are valid. If they are, vo chooses a ballot $m$, blinds it with a blind factor $f$, and obtains the blinded message $m'$. $m'$ is sent to va, who signs it and returns the signature $\sigma'$ to vo. vo unblinds $\sigma'$ with $f$ and obtains the signature $\sigma$. vo sends $\langle m, \sigma \rangle$ to ta, who counts all the ballots and stores the results in a voting database.

NTRU Lattice, Gaussians Sampling and Rejection Sampling on Lattice
Let $\alpha$ and $\gamma$ be vectors, $p$ and $N = 2^p$ integers, and $q$ a prime greater than 5. Let $R = \mathbb{Z}[x]/(x^N + 1)$ be the ring, and write $f = \sum_{i=0}^{N-1} f_i x^i$ and $g = \sum_{i=0}^{N-1} g_i x^i$ for polynomials in $R$. $R^\times$ is the set of invertible elements of $R$. We write $\langle \alpha, \gamma \rangle$ for the inner product of two vectors and $\|\alpha\|$ for the Euclidean norm of $\alpha$, and $R_q = \mathbb{Z}_q[x]/(x^N + 1)$. Polynomial multiplication in $R$ is $f \cdot g \bmod (x^N + 1)$, and concatenation is written $(f, g) \in R^{2N} = R^{1 \times 2}$.
Next, we introduce the definitions of the NTRU lattice, Gaussian sampling [29], and rejection sampling [14]. The NTRU lattice is used to construct NTRUEncrypt and NTRUSign; these cryptosystems have high efficiency and extremely compact keys, and are sufficiently secure once properly parameterized. The NTRU lattice and its basis matrix are defined as follows: The security of our IDBS is based on the R-SIS problem over the NTRU lattice, which is defined as follows: $\kappa$ denotes the distribution in which small $f, g$ are chosen from $D_{\mathbb{Z}^N,\sigma}$ with $f, g \bmod q \in R_q^\times$ according to Algorithm 3 in [13], which yields $B_{h,q} = (h, 1) \in R_q^{1 \times 2}$ with $h = g f^{-1}$. The R-SIS problem is then to find $\zeta_1, \zeta_2$ such that $B_{h,q} (\zeta_1, \zeta_2)^T = h\zeta_1 + \zeta_2 = 0 \bmod q$ and $\|(\zeta_1, \zeta_2)\| \le \beta$.
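To make the objects in this definition concrete, the following Python block (an added example, not code from the paper) builds a toy NTRU instance over $R_q$ with $N = 16$ and $q = 257$: it samples short $f, g$, computes $h = g f^{-1}$ in $R_q$ with the extended Euclidean algorithm, forms $B_{h,q} = (h, 1)$, and checks the R-SIS relation $h\zeta_1 + \zeta_2 = 0 \bmod q$ together with the norm bound. Two simplifications are assumptions of the example: $f$ and $g$ are drawn with ternary coefficients rather than from $D_{\mathbb{Z}^N,\sigma}$ via Algorithm 3 of [13], and the parameters are far too small for any security. What it shows is that the secret $(f, -g)$ is itself a short R-SIS solution for $B_{h,q}$, which is why knowledge of $(f, g)$ acts as a trapdoor, while an arbitrary short pair such as $(f, g)$ is not a solution.

```python
"""Toy NTRU lattice and R-SIS instance (added example; not the paper's code).

Toy parameters N = 16, q = 257; f, g have ternary coefficients instead of the
paper's discrete Gaussian D_{Z^N,sigma}.  Otherwise as in the text:
h = g * f^{-1} in R_q, B_{h,q} = (h, 1), and an R-SIS solution is a short
(zeta_1, zeta_2) with h*zeta_1 + zeta_2 = 0 mod q.
"""
import math
import random


def _trim(p):
    """Drop high zero coefficients so the last entry is the leading coefficient."""
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p


def _poly_mul_plain(a, b, q):
    """Schoolbook product in Z_q[x], coefficients low degree first, no reduction by x^N + 1."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return res


def _poly_sub(a, b, q):
    width = max(len(a), len(b))
    a, b = a + [0] * (width - len(a)), b + [0] * (width - len(b))
    return _trim([(x - y) % q for x, y in zip(a, b)])


def _poly_divmod(a, b, q):
    """Long division in Z_q[x]; q is prime, so the leading coefficient of b is invertible."""
    a, b = _trim([c % q for c in a]), _trim([c % q for c in b])
    if len(a) < len(b):
        return [0], a
    quot, rem = [0] * (len(a) - len(b) + 1), a[:]
    inv_lead = pow(b[-1], -1, q)
    for i in range(len(a) - len(b), -1, -1):
        coef = rem[i + len(b) - 1] * inv_lead % q
        quot[i] = coef
        for j, bj in enumerate(b):
            rem[i + j] = (rem[i + j] - coef * bj) % q
    return _trim(quot), _trim(rem)


def reduce_mod_ring(p, n, q):
    """Map Z_q[x] into R_q = Z_q[x]/(x^N + 1) using x^N = -1; returns exactly N coefficients."""
    res = [0] * n
    for k, c in enumerate(p):
        sign = -1 if (k // n) % 2 else 1
        res[k % n] = (res[k % n] + sign * c) % q
    return res


def ring_mul(a, b, n, q):
    """Product in R_q."""
    return reduce_mod_ring(_poly_mul_plain(a, b, q), n, q)


def ring_inverse(f, n, q):
    """f^{-1} in R_q by the extended Euclidean algorithm on f and x^N + 1; None if f is not in R_q^x."""
    modulus = [1] + [0] * (n - 1) + [1]
    r0, r1 = modulus, _trim([c % q for c in f])
    s0, s1 = [0], [1]            # invariant: r0 = s0*f and r1 = s1*f modulo x^N + 1
    while r1 != [0]:
        quo, rem = _poly_divmod(r0, r1, q)
        r0, r1 = r1, rem
        s0, s1 = s1, _poly_sub(s0, _poly_mul_plain(quo, s1, q), q)
    if len(r0) != 1:             # gcd of positive degree: f shares a factor with x^N + 1
        return None
    unit = pow(r0[0], -1, q)
    return reduce_mod_ring([c * unit % q for c in s0], n, q)


def centered_norm(*polys, q):
    """Euclidean norm of the concatenation (zeta_1, zeta_2), coefficients read in (-q/2, q/2]."""
    total = 0
    for p in polys:
        for c in p:
            c %= q
            if c > q // 2:
                c -= q
            total += c * c
    return math.sqrt(total)


def ntru_keygen(n, q, rng):
    """Sample short f, g with f in R_q^x and publish h = g * f^{-1}; (f, g) is the secret."""
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(n)]   # assumption: ternary, not D_{Z^N,sigma}
        g = [rng.choice((-1, 0, 1)) for _ in range(n)]
        f_inv = ring_inverse(f, n, q)
        if f_inv is not None and any(g):
            return f, g, ring_mul(g, f_inv, n, q)


def is_rsis_solution(h, zeta1, zeta2, n, q, beta):
    """R-SIS check for B_{h,q} = (h, 1): h*zeta1 + zeta2 = 0 in R_q and ||(zeta1, zeta2)|| <= beta."""
    lhs = ring_mul(h, zeta1, n, q)
    lhs = [(a + b) % q for a, b in zip(lhs, reduce_mod_ring(zeta2, n, q))]
    return all(c == 0 for c in lhs) and centered_norm(zeta1, zeta2, q=q) <= beta


def demo_trapdoor(n=16, q=257, seed=2020):
    """Return (h*f == g, (f,-g) solves R-SIS, (f,g) solves R-SIS) for one toy key."""
    f, g, h = ntru_keygen(n, q, random.Random(seed))
    beta = math.sqrt(2 * n)      # largest norm a ternary pair (zeta1, zeta2) can have
    return (ring_mul(h, f, n, q) == [c % q for c in g],
            is_rsis_solution(h, f, [-c for c in g], n, q, beta),
            is_rsis_solution(h, f, g, n, q, beta))


if __name__ == "__main__":
    print(demo_trapdoor())       # expected: (True, True, False)
```

The inversion routine is deliberately generic (extended Euclid over $\mathbb{Z}_q[x]$) so it works for any prime $q$; real NTRU implementations use an NTT when $q \equiv 1 \pmod{2N}$, which is a performance choice, not a change in what is computed.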
Gaussian sampling was used to construct the trapdoor in [29]: a short basis serves as the trapdoor, and the sampler outputs lattice vectors without revealing anything about this basis.

Definition 3 (Discrete Gaussian Distribution). For any $s > 0$, $x \in \mathbb{R}^N$, and center $c$, the $N$-dimensional Gaussian function is defined as $\rho_{s,c}(x) = \exp(-\pi \|x - c\|^2 / s^2)$. The discrete Gaussian distribution over a lattice $L$ is then $D_{L,s,c}(x) = \rho_{s,c}(x) / \rho_{s,c}(L)$.
Given a real $\psi > 0$ (a negligible quantity $\psi(n)$), a lattice $L$, and its smoothing parameter $\eta_\psi(L)$: if $s \ge \eta_\psi(L)$, the total Gaussian measure of every translate of the lattice is essentially the same (Lemma 2.7 in [29]); if $\psi \le 1/3$ and $s \ge 2\eta_\psi(L)$, the min-entropy of $D_{L,s,c}$ is at least $N - 1$ (Lemma 2.10 in [29]). Let $B$ be a basis of $L$, and let $\sigma$ and $c$ be the standard deviation and the center of the Gaussian distribution respectively. The desired vectors are obtained from the discrete Gaussian sampling algorithm, Algorithm 1 [14].

Lemma 1. The two events occur with probability pr
(Algorithm 1 ends by returning $v_0$.) Next, we introduce rejection sampling. In a signature scheme, rejection sampling makes the distribution of the output signature independent of the signing key.

Theorem 1 (Rejection Sampling Theorem [14]). Let $V$ be a subset of $\mathbb{Z}^m$ in which all elements have norm less than $T$, let $\sigma = \omega(T\sqrt{\log m})$ be a real number, let $M$ be a constant, and let $h : V \to \mathbb{R}$ be a probability distribution. Consider two algorithms. The first samples $x \leftarrow h$ and $y \leftarrow D^m_{v,\sigma}$ and outputs $(x, y)$ with probability $\min(\ldots)$.

IDBS
An IDBS scheme consists of four algorithms $(\mathrm{ST}_\varepsilon, \mathrm{EX}_\varepsilon, \mathrm{SG}_\varepsilon, \mathrm{VF}_\varepsilon)$. $U$, $S$, and $V$ denote the user, the signer, and the verifier respectively. The master key, master public key, and master private key are written $mk$, $mpk$, and $msk$; the system parameters are denoted $params$, and $n$ is the security parameter. The definition is as follows.
• $\mathrm{ST}_\varepsilon(1^n)$: on input $n$, output $params$ and $mk$, which consists of $mpk$ and $msk$.
• $\mathrm{EX}_\varepsilon(params, msk, id)$: on input $params$, $msk$, and $id$, output the private key $sk_{id}$ associated with $id$.
• $\mathrm{SG}_\varepsilon(id, m, sk_{id})$: $U$ interacts with $S$ as follows: (1) $U$ blinds the message $m$ into $m'$ using a blind factor and sends $m'$ to $S$.
(2) $S$ signs $m'$ and sends the signature $\sigma'$ to $U$.
Before introducing the security properties of IDBS, we define some notation. $\Gamma$ denotes an adversary, $U$ the honest users, $m$ the plaintext message, $c$ and $n$ a constant and a large integer respectively, $\eta$ a negligible probability, and $t$ the running time.
IDBS should achieve two properties, defined as follows [30,31]. Blindness [32]: $\Gamma$ chooses two messages $m_0, m_1$; a random bit $i$ is selected and $m_0, m_1$ are handed as $m_i, m_{1-i}$ to two honest users, which take them as inputs. $\Gamma$ plays Experiment 1 with these two users, which output $\sigma_i$ and $\sigma_{1-i}$ respectively. $\sigma_i, \sigma_{1-i}$ are given to $\Gamma$, which then outputs a bit $p \in \{0, 1\}$. Finally, the probability that $p = i$ is $\Gamma$'s success probability; if no $\Gamma$ running in time $t$ can win Experiment 1 with advantage at least $\eta$, the scheme satisfies blindness.
One-more unforgeability [4]: after interacting with an honest signer $l$ times, $\Gamma$ tries to forge an $(l+1)$-th valid signature with probability $\eta$. The game is defined in Experiment 2: if no $\Gamma$ running in time $t$ and making at most $\tau_1, \tau_2, \tau_3$ queries to the extraction, hash, and signing oracles respectively can win Experiment 2 with probability $\eta$, the scheme satisfies one-more unforgeability.
Here $l$ is the number of successful interactions between $U^*$ and the signer, and Experiment 2 returns true iff $m_i \ne m_j$ for all $1 \le i < j \le k$, $\mathrm{VF}(m_i, s_i, id) = 1$ for every $i$, and $k = l + 1$.

Proposed IDBS-NTRU Scheme
Most IDBS schemes are designed with traditional number theory and cannot withstand a quantum computer attack, so lattice-based IDBS schemes are the natural replacement. Meanwhile, NTRU cryptosystems have advantages such as high efficiency, extremely compact keys, and sufficient security once properly parameterized. Therefore, we choose the NTRU lattice to construct a novel IDBS scheme that achieves both security and efficiency.
In this section, we first show how to construct an IDBS scheme on the NTRU lattice, and then design an e-payment protocol using the proposed scheme.

IDBS-NTRU Scheme
In this section, we propose our IDBS scheme $\varepsilon = (\mathrm{ST}_\varepsilon, \mathrm{EX}_\varepsilon, \mathrm{SG}_\varepsilon, \mathrm{VF}_\varepsilon)$. Let $U$, $S$, and $V$ be a user, a signer, and a verifier respectively, $N$ the security parameter and $id$ the user's identity, and $\Omega(\cdot)$ and $\mathrm{Poly}(N)$ an asymptotic lower bound and a polynomial in $N$ respectively [13].

• S computes Equations
Here, we explain how the rejection sampling theorem (Theorem 1 in Section 2.2) is used.
The core idea is to make $\zeta_1$, $\zeta_2$, and $e^*$ independent of the private key $s_1, s_2$. Our target is for $\zeta_1, \zeta_2$ to follow the distribution $D^N_\sigma$. Before rejection, however, they follow $D^N_{v,\sigma}$ with center $c = v_1$ or $v_2$, where $v_1 = s_1 e^*$ and $v_2 = s_2 e^*$. After choosing a suitable $M$ and $\sigma$, the signer outputs a signature tuple with probability approximately $1/M$, and the distribution of that output is statistically close to the one in which $\zeta_1, \zeta_2$ are drawn directly from $D^N_\sigma$ [14]. • Finally, $U$ obtains the signature tuple $\langle m, \zeta_1, \zeta_2, e, id \rangle$ from Equations (5) and (6). (4) $\mathrm{VF}_\varepsilon(m, e, \zeta_1, \zeta_2, id)$: $V$ checks whether Equations (7) and (8) hold.
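The following Python block is an added example (not the paper's code) of the rejection step described above, in Lyubashevsky's one-dimensional form [14]: the signer draws $y \leftarrow D_\sigma$, sets $z = y + v$ where $v$ plays the role of $s_1 e^*$, and accepts $z$ with probability $\min(1, D_\sigma(z) / (M \cdot D_{v,\sigma}(z)))$. It compares the accepted samples with the naive output $y + v$ for two different secret shifts: the naive mean tracks $v$, the accepted mean does not, and about a $1/M$ fraction of the tries survives. The choice $\sigma = \alpha\|v\|$ and $M = \exp(12/\alpha + 1/(2\alpha^2))$ follows the parameter choice in [14]; the toy shift values, the seed, the dimension one instead of $N$, and the table-inversion Gaussian sampler are assumptions of the example.

```python
"""Rejection sampling in a Lyubashevsky-style lattice signature (added example; not the paper's code).

One-dimensional toy: the signer's raw output z = y + v, with y <- D_sigma and a
secret-dependent shift v (the paper's v_1 = s_1 e^*), leaks v through its mean.
Accepting z only with probability min(1, D_sigma(z) / (M * D_{v,sigma}(z)))
makes the accepted z distributed as D_sigma, independent of v, at the cost of
discarding all but roughly 1/M of the tries.
"""
import itertools
import math
import random


def gaussian_weight(x, center, sigma):
    """rho_{sigma,c}(x) = exp(-pi (x - c)^2 / sigma^2), the paper's Gaussian function in dimension one."""
    return math.exp(-math.pi * (x - center) ** 2 / sigma ** 2)


class DiscreteGaussian:
    """Exact sampler for D_{Z,sigma} by table inversion over [-6 sigma, 6 sigma].

    The mass outside that window is below exp(-36 pi) and is ignored (assumption of the toy).
    """

    def __init__(self, sigma, rng):
        self.sigma, self.rng = sigma, rng
        bound = math.ceil(6 * sigma)
        self.support = range(-bound, bound + 1)
        weights = [gaussian_weight(x, 0, sigma) for x in self.support]
        self.cum_weights = list(itertools.accumulate(weights))

    def sample(self):
        return self.rng.choices(self.support, cum_weights=self.cum_weights)[0]


def sign_without_rejection(v, sampler):
    """Naive signer: z = y + v.  E[z] = v, so the signatures reveal the secret shift."""
    return sampler.sample() + v


def sign_with_rejection(v, sampler, M, rng, max_tries=1000):
    """Rejection-sampling signer.

    z = y + v is distributed as D_{v,sigma}; accept with probability
    min(1, D_sigma(z) / (M * D_{v,sigma}(z))).  Both discrete Gaussians share the
    same normaliser, so the ratio is a ratio of Gaussian weights.  Returns (z, tries).
    """
    for tries in range(1, max_tries + 1):
        z = sampler.sample() + v
        ratio = gaussian_weight(z, 0, sampler.sigma) / (M * gaussian_weight(z, v, sampler.sigma))
        if rng.random() < min(1.0, ratio):
            return z, tries
    raise RuntimeError("rejection sampling did not terminate; M or sigma is too small")


def lyubashevsky_parameters(norm_bound, alpha):
    """sigma = alpha * T and M = exp(12/alpha + 1/(2 alpha^2)), the parameter choice of [14]."""
    return alpha * norm_bound, math.exp(12 / alpha + 1 / (2 * alpha ** 2))


def _mean(values):
    return sum(values) / len(values)


def experiment(v, n_signatures=5000, alpha=12, seed=1):
    """Return (naive_mean, rejected_mean, acceptance_rate) for the secret shift v."""
    rng = random.Random(seed)
    sigma, M = lyubashevsky_parameters(abs(v), alpha)
    sampler = DiscreteGaussian(sigma, rng)
    naive = [sign_without_rejection(v, sampler) for _ in range(n_signatures)]
    accepted, total_tries = [], 0
    for _ in range(n_signatures):
        z, tries = sign_with_rejection(v, sampler, M, rng)
        accepted.append(z)
        total_tries += tries
    return _mean(naive), _mean(accepted), n_signatures / total_tries


if __name__ == "__main__":
    for shift in (20, -35):                       # constructed toy secret shifts
        naive_mean, rejected_mean, rate = experiment(shift)
        print(f"v={shift:+d}: naive mean {naive_mean:+.1f} (tracks v), "
              f"rejected mean {rejected_mean:+.1f} (does not), accept rate {rate:.3f} (about 1/M)")
```

With $\alpha = 12$ the clamp to 1 almost never triggers, so the accepted distribution is $D_\sigma$ up to a negligible statistical distance and the acceptance rate sits at $1/M \approx 0.37$; a smaller $\alpha$ lowers $M$ (fewer repetitions) but widens the region where the clamp bites, which is exactly the trade-off the paper's choice of $M$ and $\sigma$ fixes.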

An E-Payment Protocol
In this section, we design an e-payment protocol based on the IDBS-NTRU scheme; such protocols play an important role in e-commerce. We keep the notation of Section 2.1. As described in Figure 4, A's account is held at BankA and B's account at BankB. First, A draws e-money from BankA; second, A pays the e-money to B; finally, B deposits the e-money at BankB. The details are as follows:
(1) T produces and distributes keys
• T runs the algorithm ST and produces the system parameters params and the master key mk.
• T runs the algorithm EX and generates the keys for BankA and BankB.
• BankA's public key and private key are $id_{BankA}$ and $sk_{BankA}$ respectively.
• BankB's public key and private key are $id_{BankB}$ and $sk_{BankB}$ respectively.
• T distributes the corresponding private keys to BankA and BankB.
(2) Users open accounts at their banks
• A and B open accounts using their real identity information, such as passport, SSN, address, email, gender, and age; their banks then issue them their account information.
(3) A draws e-money from BankA
• A sends his account information to BankA.
• BankA verifies whether A is a valid user. If so, continue; otherwise, abort.
(4) A pays the e-money to B
• A sends $\langle m, e, \zeta_1, \zeta_2, id \rangle$ to B.
(5) B deposits the e-money at BankB
• BankB checks whether the e-money is already in its list of spent e-money. If it is, abort; otherwise, continue.
• BankB deposits the e-money into B's account.
• BankB notifies B that the e-money has been received.
• B sends the goods or a receipt to A.
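The protocol above is independent of which blind signature the banks use, so the following Python block (an added example, not the paper's code) runs the whole flow with Chaum's RSA blind signature, which the introduction mentions, standing in for the IDBS-NTRU signing algorithm whose equations are not reproduced on this page. RSA is exactly the number-theoretic primitive the paper sets out to replace; the example therefore demonstrates the message flow, the unblinding, and BankB's double-spending check, not post-quantum security. Its assumptions: T simply provisions each bank with its own RSA key pair in place of identity-derived keys, the account checks of steps (2) and (3) are reduced to holding the right key, the moduli are 512-bit toys, and the coin serial, seed, and hash-to-group construction are chosen for the example.

```python
"""E-payment protocol steps (1)-(5) with Chaum's RSA blind signature (added example; not the paper's scheme).

Assumptions of the example: T hands each bank an RSA key pair instead of an
identity-derived IDBS key; steps (2)-(3) are reduced to key possession; 512-bit
moduli and SHA-256-mod-n hashing are toy choices; the coin is a constructed serial.
"""
import hashlib
import math
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test; adequate for a demo key, not a production prime generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # exact bit length, odd
        if is_probable_prime(candidate, rng):
            return candidate


def hash_to_group(coin, n):
    """Hash the coin m into Z_n (SHA-256 reduced mod n; a toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(coin).digest(), "big") % n


class Bank:
    """RSA signing key provisioned by T in step (1), plus the spent-coin list consulted in step (5)."""

    def __init__(self, name, modulus_bits, rng):
        self.name, self.e = name, 65537
        while True:
            p, q = random_prime(modulus_bits // 2, rng), random_prime(modulus_bits // 2, rng)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n, self.d = p * q, pow(self.e, -1, phi)
        self.spent = set()

    def sign_blinded(self, blinded):
        """Step (3), bank side: sign the blinded coin m'.  The bank never sees m."""
        return pow(blinded, self.d, self.n)

    def verify(self, coin, sig):
        """sigma^e == H(m) mod n under this bank's public key."""
        return pow(sig, self.e, self.n) == hash_to_group(coin, self.n)

    def deposit(self, coin, sig, issuer):
        """Step (5): accept only a coin validly signed by the issuer and not yet in the spent list."""
        if not issuer.verify(coin, sig) or coin in self.spent:
            return False
        self.spent.add(coin)
        return True


def blind(coin, bank, rng):
    """Step (3), A's side: m' = H(m) * r^e mod n with a fresh unit r (the blind factor f of the text)."""
    while True:
        r = rng.randrange(2, bank.n)
        if math.gcd(r, bank.n) == 1:
            break
    return hash_to_group(coin, bank.n) * pow(r, bank.e, bank.n) % bank.n, r


def unblind(blinded_sig, r, bank):
    """sigma = sigma' * r^{-1} mod n; since sigma' = (H(m) r^e)^d = H(m)^d r, the factor r cancels."""
    return blinded_sig * pow(r, -1, bank.n) % bank.n


def run_payment(seed=7):
    """Run steps (1)-(5) once, then replay the coin and tamper with it.

    Returns (bank_saw_plaintext, accepted_by_b, first_deposit, replay, forged).
    """
    rng = random.Random(seed)
    bank_a, bank_b = Bank("BankA", 512, rng), Bank("BankB", 512, rng)      # (1) T provisions keys
    coin = b"e-cash serial " + rng.getrandbits(128).to_bytes(16, "big")      # constructed sample coin m
    blinded, r = blind(coin, bank_a, rng)                                    # (3) A blinds m
    sig = unblind(bank_a.sign_blinded(blinded), r, bank_a)                   #     BankA signs, A unblinds
    accepted_by_b = bank_a.verify(coin, sig)                                 # (4) B verifies <m, sigma>
    first = bank_b.deposit(coin, sig, issuer=bank_a)                         # (5) BankB deposits
    replay = bank_b.deposit(coin, sig, issuer=bank_a)                        #     same coin again: aborts
    forged = bank_b.deposit(coin + b"!", sig, issuer=bank_a)                 #     altered coin: signature fails
    bank_saw_plaintext = blinded == hash_to_group(coin, bank_a.n)            # BankA signed m', not H(m)
    return bank_saw_plaintext, accepted_by_b, first, replay, forged


if __name__ == "__main__":
    print(run_payment())    # expected: (False, True, True, False, False)
```

One deployment caveat the flow makes visible: the spent list in step (5) is only authoritative if every deposit of a coin issued by BankA is checked against the same list. With many receiving banks, that list has to live at the issuing bank or in a shared service, otherwise the same coin can be deposited once at each bank.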

Analyzing the Security and Performances
Here, we evaluate the correctness and security of our IDBS-NTRU scheme, and then compare its performance with other IDBS schemes.
Theorem 3 (Statistical Distance). Let $P, Q$ be random variables over a finite domain $\Omega$. The statistical distance is given by the following equation [33]: When proving the blindness of IDBS-NTRU, the malicious signer $S^*$ plays Experiment 1 with two honest users.

Proof.
A random bit $i \leftarrow \{0, 1\}$ is chosen and kept secret from $S^*$. $S^*$ chooses $m_0, m_1$ and then interacts with two honest users as in Experiment 1. The protocol is as follows:
• Finding mode: $S^*$ selects $m_0, m_1 \leftarrow S^*(1^k, id, sk_{id})$.
• Issuing mode: a random bit $i$ is selected, unknown to $S^*$, and $m_0, m_1$ are assigned as $m_i, m_{1-i}$ respectively. $S^*$ interacts concurrently with $U(id, m_i)$ and $U(id, m_{1-i})$.
• If one user outputs $\delta(m_i)$ and the other outputs $\delta(m_{1-i})$, the sequence $\langle \delta(m_i), \delta(m_{1-i}) \rangle$ is sent to $S^*$.
• Guessing mode: $S^*$ returns $\tilde{i}$.
As in Figure 3, the interactive values do not depend on $m$, so we only need to analyze $e^*, y_1, y_2, \zeta_1^*, \zeta_2^*$. For $e^*$, the statistical distance is defined as follows:
Since $\alpha$ is a random vector drawn from the discrete Gaussian distribution, $\Pr(e^*_i = e^*)$ and $\Pr(e^*_{1-i} = e^*)$ are both close to $1/2^n$. Therefore $\Delta(e^*_i, e^*_{1-i})$ is close to 0.
Before proving the one-more unforgeability of IDBS-NTRU, we define some notation. Let $\delta_1, \delta_2, \delta_3, \delta_4$ be the costs of simulating the $H$ hash, extraction, $H'$ hash, and signing oracles respectively. Let $\eta, \eta'$ be non-negligible probabilities, $t$ a running time, $\Theta$ a polynomial-time algorithm, and $\Gamma$ a polynomial-time forger.
Theorem 5 (One-more Unforgeability). If $\Gamma$ is able to produce a valid signature with probability $\eta$ in time $t$ after at most $\tau_1, \tau_2, \tau_3, \tau_4$ queries to the $H$ hash, Extract, $H'$ hash, and signing oracles respectively, then R-SIS$^{\kappa}_{q,1,2,\beta}$ can be solved by $\Theta$ with probability at least $\eta'$.
Proof. Assume an adversary $\Gamma$ can produce an IDBS signature with probability $\eta$; we construct $\Theta$, which obtains a solution of R-SIS on the NTRU lattice. The simulated interactive environment is as follows.
ST: $\Theta$ selects $h \in R_q^\times$ and the hash functions $H, H'$ at random, then computes and sends the public parameters $params = \{h, H, H', q, s\}$ to $\Gamma$.
$H$ oracle queries: $\Theta$ maintains a list $L_H$, initially empty. On receiving $id_i$, $\Theta$ looks up $L_H$. If a hash value $t_i$ for $id_i$ already exists, $\Theta$ returns $t_i$; otherwise it returns a fresh random value $t_i$ and stores $(id_i, t_i)$ in $L_H$.
$H'$ oracle queries: $\Theta$ maintains a list $L_{H'}$, initially empty. On receiving $(m_i, \Lambda_i)$ with $\Lambda_i = y_{1,i} + h y_{2,i} + h\gamma_i + \alpha_i - \alpha_i H(id_i)$, we assume $\Theta$ has already queried the $H$ oracle and obtained the entry $(id_i, t_i)$. $\Theta$ looks up $L_{H'}$: if a hash value $e_i$ already exists, it returns $e_i$; otherwise it returns a random value $e_i$. After that, $\Theta$ stores $m_i$ and $e_i$ in $L_{H'}$.
EX oracle queries: $\Theta$ maintains a list $L_{id}$, initially empty. On receiving an identity $id_i$, $\Theta$ queries the $H$ oracle. If no hash value for $id_i$ exists in $L_{id}$, $\Theta$ selects a random $t_i$ and returns it; otherwise it returns the stored $t_i$. $\Theta$ can then obtain $sk_{id_i} = (s_{1,i}, s_{2,i})$, returns $sk_{id_i}$ to $\Gamma$ as the private key associated with $id_i$, and stores $(id_i, t_i, sk_{id_i})$ in $L_{id}$.
SG oracle queries: $\Gamma$ queries the signing oracle on $(m_i, id_i)$. $\Theta$ checks whether $id_i$ has already been queried to the $H$, $H'$, or extraction oracles; if so, it retrieves the entry $(id_i, t_i, sk_{id_i})$ from $L_{id}$, otherwise it simulates the extraction oracle and obtains a new secret key. $\Theta$ then executes the BS protocol to obtain a valid signature $(m_i, id_i, e_i, \zeta_{1,i}, \zeta_{2,i})$ and stores it in the list $L_S$.

Performances
Here, we compare the performance of IDBS-NTRU with other IDBS schemes: first with traditional IDBS schemes constructed on number theory, and second with lattice-based BS schemes.
(1) Comparison with traditional IDBS schemes. As shown in Table 1, we compare IDBS-NTRU with the ZK scheme [35], the HCZ scheme [10], and the CZYW scheme [36]. The ZK scheme is based on the computational Diffie-Hellman problem in bilinear pairing groups, the HCZ scheme on the elliptic curve discrete logarithm problem, and the CZYW scheme on the integer factoring problem. The signing and verification speeds of IDBS-NTRU are $O(n)$, which outperforms the ZK, HCZ, and CZYW schemes. It needs 2 moves, fewer than the ZK and HCZ schemes. Its signing secret key is $2n\log(s\sqrt{n})$ bits, larger than those of the ZK and HCZ schemes; however, since RSA needs a modulus of $O(n^3)$ bits to achieve $n$ bits of security, the signing secret key of IDBS-NTRU is shorter than that of the CZYW scheme. Its signature size is $2n\log(12\sigma) + n(\log\lambda + 1)$ bits, larger than those of the ZK and HCZ schemes and, for the same reason, shorter than that of the CZYW scheme. Most importantly, BS schemes based on number theory are considered insecure against quantum computer attacks [4], so IDBS-NTRU is more secure than the three traditional schemes.
(2) Comparison with lattice-based BS schemes. We compare IDBS-NTRU with the GHWX [37], ZTZ [4], Rückert [32], and ZM [38] schemes in Table 2, where $n$ denotes the security parameter. The GHWX and ZM schemes are based on the small integer solution problem on lattices, the ZTZ scheme on the closest vector problem, and the Rückert scheme on the shortest vector problem on ideal lattices.

Table 2. Comparison with lattice-based BS schemes (columns: GHWX | ZTZ | Rückert | ZM | IDBS-NTRU).
Signing secret key: $nm\log(q+1)$ | $dn^2(\log n + 1)$ | $mn\log(2d_s + 1)$ | $m^2\log(q+1)$ | $2n\log(s\sqrt{n})$
Signature size: $m\log(q+1)$ | $dn(\log n + 1)$ | $n^2 + mn\log(2mn\,d_s d^*)$ | $2m\log(q+1)$ | $2n\log(12\sigma) + n(\log\lambda + 1)$
Identity based: yes | no | no | yes | yes

As presented in Table 2, the signing speed of IDBS-NTRU is $O(n)$, which outperforms all the other schemes, and its verification speed is $O(n)$, which outperforms the GHWX and ZM schemes. IDBS-NTRU needs two moves, fewer than the Rückert and ZM schemes. In the Rückert scheme the parameters satisfy $m > c_m \log(1) + 1$ with $c_m > 1/\log(2d_s)$; in the ZM scheme they satisfy $m > 2n\log q$ and $q > 2$. The signing secret key of IDBS-NTRU is $2n\log(s\sqrt{n})$, shorter than that of every other scheme. Its signature size is $2n\log(12\sigma) + n(\log\lambda + 1)$, shorter than the Rückert scheme but larger than the GHWX, ZTZ, and ZM schemes. The ZTZ and Rückert schemes are not identity-based and depend on a public key infrastructure, whereas IDBS-NTRU does not.

Conclusions
In this work, we present the IDBS-NTRU scheme built on the NTRU lattice. It protects user privacy and guarantees the trustworthiness of big data in e-payment and e-voting systems in wireless sensor networks, and inherits the advantages of the NTRU lattice: high efficiency, compact keys, and high security once properly parameterized. We prove that IDBS-NTRU satisfies blindness and unforgeability. Compared with traditional IDBS schemes, IDBS-NTRU outperforms them in signing and verification speed. Compared with lattice-based schemes, IDBS-NTRU outperforms them in signing speed, verification speed, and signing secret key size, outperforms the Rückert scheme in moves and signature size, and outperforms the ZM scheme in moves. Schemes based on number theory are considered insecure against quantum computer attacks, so our scheme is more secure than them. On the other hand, lattice-based schemes usually have many parameters that must be initialized correctly and are not easy to implement; therefore, almost all work on lattice-based cryptography is still at the stage of theoretical research.
In addition, if some common message such as a date agreed between the signer and the user is added to our scheme, it can easily be transformed into an identity-based partial BS scheme, which is better suited to real e-payment and e-voting systems. In future work, we will construct a lattice-based partial IDBS scheme.