
Front. Comput. Sci., 2023, 17(5): 175810


https://doi.org/10.1007/s11704-022-2128-z

RESEARCH ARTICLE

Certificateless network coding proxy signatures from lattice

Huifang YU (✉), Ning WANG


School of Cyberspace Security, Xi’an University of Posts & Telecommunications, Xi’an 710121, China

Higher Education Press 2023

Abstract Network coding can improve the information transmission efficiency and reduce the network resource consumption, so it is a very good platform for information transmission. Certificateless proxy signatures are widely applied in information security fields. However, certificateless proxy signatures based on classical number theory are not suitable for the network coding environment and cannot resist quantum computing attacks. In view of this, we construct certificateless network coding proxy signatures from lattice (LCL-NCPS). LCL-NCPS is a new multi-source signature scheme which has the characteristics of anti-quantum, anti-pollution and anti-forgery. In LCL-NCPS, each source node user can output a message vector to the intermediate nodes and sink nodes, and the message vectors from different source nodes are linearly combined in order to improve the network transmission rate and network robustness. In terms of efficiency analysis in the space dimension, LCL-NCPS obtains lower computation complexity by reducing the dimension of the proxy key. In terms of efficiency analysis in the time dimension, LCL-NCPS has higher computation efficiency in signature and verification.

Keywords lattice, multi-source signature scheme, proxy signature, post-quantum

Received March 8, 2022; accepted September 6, 2022
E-mail: yuhuifang@xupt.edu.cn

1 Introduction

Public key infrastructure (PKI) uses certificates to verify the users' identities, so there exists a large number of certificate management issues. In identity-based cryptosystem (IBC) [1], the user calculates its own public key but the corresponding private key is obtained from the private key generator (PKG), so the PKG knows the private key of each user; IBC overcomes the certificate management problem but inevitably results in key escrow. Certificateless cryptosystem (CLC) [2,3] obtains the best of both and is applied to many aspects of information security; CLC inherits the certificate-free and escrow-free advantages; in CLC, the full private key includes a partial private key derived from the key generation center (KGC) and a secret value chosen by the user. Proxy signature [4] is a special digital signature that allows the original signer to delegate the signature power to a proxy signer, and the latter signs the message instead of the former. Certificateless proxy signature combines the merits of CLC and proxy signature; it does not need to authenticate the validity of public keys, so the resources spent on certificate management are saved; also, the original signer can delegate the signature power to a trusted proxy signer when the former is unable to exercise the signature power. Some work on certificateless proxy signatures [5−7] has been done, but their security relies on traditional number theory. With the development of quantum algorithms [8], the RSA and ElGamal cryptosystems can be broken by a large-scale quantum computer, which means that traditional cryptosystems based on classical number theory are no longer secure. Lattice-based cryptosystems [9−15] are the most common post-quantum cryptosystems because the algebraic operations on a lattice are additions of matrices or multiplications of matrices and vectors. Linear operations on a lattice are simpler and more efficient than the bilinear pairing and modular exponentiation operations of traditional schemes.

Network coding can linearly combine the information from source nodes in intermediate nodes to mix different data streams; it has high data throughput and strong robustness. However, quantum algorithms bring a great threat to network coding [16−18]. Research on anti-quantum network coding methods is a new research hotspot. Until now, there are no certificateless multi-source proxy signatures from lattice. It is necessary and important to design such a network coding scheme to resist quantum computing attacks.

In this article, by combining certificateless proxy signature, the network coding method and lattice-based cryptosystem, we construct certificateless network coding proxy signatures from lattice (LCL-NCPS). LCL-NCPS has high communication and computation efficiency. In the security analysis, LCL-NCPS is proved to have the security properties of anti-forgery and anti-pollution under the small integer solution (SIS) assumption. LCL-NCPS is an anti-quantum multi-source signature scheme; it is suitable for applications in many network coding fields of wireless network security, such as UAV communication networks, 5G wireless networks, wireless sensor networks or wireless ad hoc networks.

2 Preliminaries

2.1 Lattice knowledge

Definition 1 Assume $b_1, b_2, \ldots, b_m$ are $m$ linearly independent vectors. The lattice $\Lambda$ is defined as the set of integer linear combinations of $b_1, b_2, \ldots, b_m$:
$$\Lambda = \Big\{\, y \in \mathbb{Z}^m \;\Big|\; y = \sum_{i=1}^{m} c_i b_i,\ c_i \in \mathbb{Z} \Big\}.$$

Definition 2 Given a matrix $A \in \mathbb{Z}_q^{n \times m}$, where $\mathbb{Z}_q^{n \times m}$ is the ring of $n \times m$ matrices with entries modulo $q$ and $m, n, q$ are positive integers, the $q$-ary lattices are defined as follows:
$$\Lambda_q^{\perp}(A) = \{\, e \in \mathbb{Z}^m : Ae = 0 \bmod q \,\},$$
$$\Lambda_q^{u}(A) = \{\, e \in \mathbb{Z}^m : Ae = u \bmod q \,\},$$
where the vector $u \in \mathbb{Z}_q^n$, $n$ is the rank of the lattice and $m$ is the dimension of the lattice.

2.2 Small integer solution problem

Given an integer $q$, a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a positive real number $\phi$, the small integer solution (SIS) problem [19] is to find a non-zero vector $e \in \Lambda_q^{\perp}(A)$ such that $Ae = 0 \pmod q$ and $\|e\| \leqslant \phi$.

2.3 Discrete Gaussian distribution

Assume $\Lambda \subset \mathbb{R}^m$ is a lattice in the linear space $\mathbb{R}^m$ and the vector $c$ is the center of the Gaussian. For any real parameter $s > 0$, with the usual Gaussian weight $\rho_{s,c}(x) = \exp(-\pi\|x - c\|^2 / s^2)$, the discrete Gaussian distribution over the $m$-dimensional lattice $\Lambda$ is defined as follows:
$$\forall x \in \Lambda,\quad D_{\Lambda,s,c}(x) = \frac{\rho_{s,c}(x)}{\rho_{s,c}(\Lambda)} = \frac{\rho_{s,c}(x)}{\sum_{u \in \Lambda} \rho_{s,c}(u)}.$$

2.4 Lattice sampling technique

A one-way trapdoor function is easy to calculate in the forward direction but cannot be inverted without the trapdoor. Gentry et al. [20] devised the one-way trapdoor function $f_A(x) = Ax \pmod q$ based on the SIS problem, and provided the corresponding trapdoor generation function and preimage sampling algorithm. When the trapdoor is known, a preimage with small norm of any value of $f_A(x)$ can be calculated by the preimage sampling algorithm; without the trapdoor this is hard. The preimage sampling technique is an important tool for constructing lattice-based cryptosystems. The algorithms devised in [20] are as follows:

Trapdoor generation algorithm $\mathrm{TrapGen}(1^n)$: On input the security parameter $1^n$, $q = q(n) \geqslant 2$ and an integer $m \geqslant 5n\log q$, $\mathrm{TrapGen}(1^n)$ outputs a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a short basis $B \in \mathbb{Z}_q^{m \times m}$ of the lattice $\Lambda_q^{\perp}(A)$ such that $AB = 0 \pmod q$ and $\|B\| \leqslant O(n\log q)$.

Preimage sampling algorithm $\mathrm{SampleMat}(A, B, s, u)$: On input a matrix $A \in \mathbb{Z}_q^{n \times m}$, a short basis $B \in \mathbb{Z}_q^{m \times m}$, a uniformly distributed random matrix $u \in \mathbb{Z}_q^{n \times k}$ and $s \geqslant \|B\| \cdot \omega(\sqrt{\log m})$, $\mathrm{SampleMat}(A, B, s, u)$ outputs a random matrix $S \in \mathbb{Z}_q^{m \times k}$ distributed according to $D_{\Lambda_q^{u}(A), s}$ with $AS = u \pmod q$.

2.5 Rejection sampling technique

The rejection sampling technique [21] does not need to run $\mathrm{SampleMat}(A, B, s, u)$ in the signing process; instead it outputs a candidate signature with a certain probability, so that the distribution of the signature is independent of the signing private key.

Theorem 1 For any vector $v \in \mathbb{Z}^m$ and $\sigma = \omega(\|v\|\sqrt{\log m})$, the following holds:
$$\Pr\Big[\, \frac{D_\sigma^m(z)}{D_{v,\sigma}^m(z)} = O(1) \;:\; z \leftarrow D_\sigma^m \Big] = 1 - 2^{-\omega(\log m)}.$$

2.6 Multi-source transmission model

As in Fig. 1, multi-source network coding (MSNC) has multiple source nodes. The messages from each source node carry a uniformly assigned, unique two-dimensional index that identifies which source node a message comes from. MSNC is described by a directed acyclic graph $G = (N', E')$ [22−24], where $N'$ is the set of all nodes and $E'$ is the set of all edges. In MSNC, the set of source nodes is $S = \{S_1, S_2, \ldots, S_m\} \subset N'$ and the set of destination (sink) nodes is $D = \{d_1, d_2, \ldots, d_\theta\} \subset N'$; the remaining nodes in the network topology are the intermediate nodes.

A source node divides the message $V$ into $m$ multicast message vectors: $V = (V_1, V_2, \ldots, V_m)$. The message vector from any source node is denoted $V_k \in \{V_1, V_2, \ldots, V_m\}$, where each $V_k$ is composed of $n$ elements over the finite field $\mathbb{F}_p$, so it can be regarded as a vector in the $n$-dimensional vector space $V/\mathbb{F}_p$; the large prime $p$ is the order of $\mathbb{F}_p$. Hence, for $k = 1, 2, \ldots, m$, the message vector can be expressed as
$$V_k = (v_{k,1}, v_{k,2}, \ldots, v_{k,n}) \in \mathbb{F}_p^n.$$
Assume the message on the edges of the multi-source network is $W = (W_1, W_2, \ldots, W_m)$; then a forwarded message can be written as $W = \sum_{k=1}^{m} \alpha_k W_k$, where the coefficient vector $\alpha = (\alpha_1, \alpha_2, \ldots, \alpha_m)$ is called the local coding vector. By induction, the message $W$ is also a linear combination of the original messages $V_i$ ($1 \leqslant i \leqslant m$), written $W = \sum_{k=1}^{m} \beta_k V_k$, where $\beta = (\beta_1, \beta_2, \ldots, \beta_m)$ is called the global coding vector. Assume the sink node $d_i$ obtains $m$ linearly independent message vectors $W = (W_1, W_2, \ldots, W_m)$; then $W$ is written as $(W_1, W_2, \ldots, W_m)^T = P(V_1, V_2, \ldots, V_m)^T$, where $P = (\beta_1, \beta_2, \ldots, \beta_m)^T$ has the global coding vector of $W_i$ as its $i$-th row. Because the $m$ vectors are linearly independent, the matrix $P$ is full-rank and invertible, so the original message $V = (V_1, V_2, \ldots, V_m)$ can be obtained by $(V_1, V_2, \ldots, V_m)^T = P^{-1}(W_1, W_2, \ldots, W_m)^T$.

Fig. 1 Multi-source transmission network model

For the sink nodes to decode easily, the original message vector is extended as below:
$$V_k = (v_{k,1}, v_{k,2}, \ldots, v_{k,n}, 0, \ldots, 0, 1, 0, \ldots, 0) \in \mathbb{F}_p^{m+n},$$
where $k = 1, 2, \ldots, m$ and the appended unit vector has its 1 in position $k$. A combined message then carries its global coding vector in the last $m$ positions:
$$W_i = (w_{i,1}, w_{i,2}, \ldots, w_{i,n}, \beta_1, \beta_2, \ldots, \beta_m).$$
For convenience, the encoded message is also written as $W_i = (w_{i,1}, w_{i,2}, \ldots, w_{i,m+n})$.
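The augmented-vector decoding described above (append the unit vector $e_k$ to $V_k$, read $\beta$ off the tail at the sink, invert $P$), as an added Python example that is not part of the original paper. It implements a small multi-source network over $\mathbb{F}_p$ with random local coding coefficients at two intermediate hops; the prime, the vector sizes and the random coefficients are assumptions chosen for the demo. It also handles the failure case the text leaves implicit: when the sink does not hold $m$ linearly independent packets, $P$ is singular and decoding is refused instead of returning garbage.

```python
"""Multi-source linear network coding over F_p with augmented coding vectors.

Added example, not the authors' code: sources append a unit vector, intermediate
nodes take random linear combinations, and the sink rebuilds P from the packet
tails and solves P * V = W.  Field order and sizes are assumptions for the demo.
"""
import random

P_FIELD = 2**31 - 1   # assumed prime field order; the paper only fixes "a large prime p"


def augment(sources):
    """Extend V_k = (v_k,1..v_k,n) to (v_k,1..v_k,n, e_k): the unit tail carries the coding vector."""
    m = len(sources)
    return [list(v) + [1 if j == k else 0 for j in range(m)] for k, v in enumerate(sources)]


def combine(packets, alpha, p=P_FIELD):
    """Intermediate node: W = sum_k alpha_k * W_k over F_p (alpha is the local coding vector).
    Because every packet carries its coding vector in its tail, the tail of the output
    is automatically the global coding vector beta of the combined packet."""
    length = len(packets[0])
    out = [0] * length
    for a, w in zip(alpha, packets):
        for j in range(length):
            out[j] = (out[j] + a * w[j]) % p
    return out


def recode(packets, rng, p=P_FIELD):
    """Random recoding at one hop: as many outputs as inputs, each a random combination."""
    return [combine(packets, [rng.randrange(p) for _ in packets], p) for _ in packets]


def solve_mod_p(P_mat, rhs, p=P_FIELD):
    """Gauss-Jordan elimination mod p.  Solves P_mat * X = rhs (one row of rhs per packet).
    Returns None when P_mat is singular, i.e. the packets are not linearly independent."""
    m = len(P_mat)
    aug = [list(row) + list(r) for row, r in zip(P_mat, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col] % p), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [(x * inv) % p for x in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]


def sink_decode(received, m, n, p=P_FIELD):
    """Sink d_i: P = (beta_1..beta_m)^T read from the tails, V = P^{-1} W.
    Returns None if fewer than m packets arrived or they are dependent."""
    if len(received) < m:
        return None
    P_mat = [w[n:n + m] for w in received[:m]]
    rhs = [w[:n] for w in received[:m]]
    return solve_mod_p(P_mat, rhs, p)


def demo(seed=1, n=4, m=3):
    """Constructed run: m sources, two random recoding hops, one sink.  Returns (sources, recovered)."""
    rng = random.Random(seed)
    sources = [[rng.randrange(P_FIELD) for _ in range(n)] for _ in range(m)]   # constructed data
    hop1 = recode(augment(sources), rng)
    hop2 = recode(hop1, rng)
    return sources, sink_decode(hop2, m, n)
```

The tail of each packet is exactly the $\beta$ of Section 2.6, which is why the sink needs no side channel to learn $P$; the signature scheme that follows exists because nothing in this step stops a malicious intermediate node from altering either the data part or the tail.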
3 Algorithm definition

LCL-NCPS (certificateless network coding proxy signatures from lattice) includes nine polynomial-time algorithms, described as follows.

Setup: An initialization algorithm that takes a security parameter $1^n$ and outputs $(pp, msk)$, where $pp$ is the system parameter set and $msk$ is the master private key.

Extract: A partial private key extraction algorithm that takes $pp$ and a user identity $id_i$ ($i = o, p$) as input and outputs the partial private key $d_i$ of user $id_i$. Here, $id_o$ is the identity of the original signer and $id_p$ is the identity of the proxy signer; $d_o$ is the partial private key of the original signer and $d_p$ is the partial private key of the proxy signer.

KeyGen: A private key generation algorithm that takes $pp$ as input and outputs a secret value $u_i \in \mathbb{Z}^{m \times \gamma}$ and the public key $T_i$ of user $id_i$ ($i = o, p$). Here, $(T_o, S_o)$ is the public-private key pair of the original signer and $(T_p, S_p)$ is the public-private key pair of the proxy signer.

Delegation generation: A signature delegation algorithm that takes the private key $S_o$ of the original signer $id_o$ and generates an authorization certificate $m_\omega$ and a signature $\lambda$ on it.

Authorization verification: The proxy signer verifies the legitimacy of the authorization. On input the authorization certificate $m_\omega$ and the signature $\lambda$, the authorization is legal if the verification succeeds and illegal otherwise.

Proxy key generation: A proxy public-private key generation algorithm. On input the authorization certificate $m_\omega$ and the signature $\lambda$, it outputs the proxy public-private key pair $(T_\omega, S_\omega)$.

Proxy signature: The proxy signing algorithm for a message vector. On input $pp$, a message vector $v_k$ and the proxy public-private key pair, it outputs the proxy signature $\tau$.

Combine: The combination algorithm for original messages. On input the global coding vector $\beta = (\beta_1, \beta_2, \ldots, \beta_m)$ and the message vectors $(v_1, v_2, \ldots, v_m)$, it outputs a combined message vector $w$ and the corresponding combined signature.

Verify: The verification algorithm. On input $pp$, a proxy signature $\tau$, the proxy public key $T_\omega$ and the original message $v_k$, the signature is valid if the verification succeeds and invalid otherwise.

4 LCL-NCPS scheme

4.1 Setup

Given the security parameter $1^n$, the KGC (key generation center) selects a prime $q \geqslant 2$ and positive integers $d, \gamma, l, m$, where the integer $m > 5n\log q$, the Gaussian parameters are $\sigma = 12d\gamma\sqrt{m}$ and $s = \tilde{L}\cdot\omega(\sqrt{\log n})$, and the complexity function is $\tilde{L} = O(\sqrt{n\log q})$. Then, the KGC selects collision-resistant hash functions as follows:
$$H_1 : \{0,1\}^* \to \mathbb{Z}_q^{n \times \gamma},\qquad H_2 : \{0,1\}^* \to \{\, c : c \in \{-1,0,1\}^\gamma,\ \|c\| \leqslant \kappa_1 \,\},$$
$$H_3 : \{0,1\}^* \to \{\, c : c \in \{-1,0,1\}^l,\ \|c\| \leqslant \kappa_2 \,\},\qquad H_4 : \{0,1\}^* \to \{-1,0,1\}^{\gamma \times l},$$
where $l < \gamma < m$, $2^{\kappa_1}\binom{\gamma}{\kappa_1} \geqslant 2^{100}$ and $2^{\kappa_2}\binom{l}{\kappa_2} \geqslant 2^{100}$ (so that the challenge spaces of $H_2$ and $H_3$, ternary vectors with at most $\kappa_1$ and $\kappa_2$ non-zero entries, contain at least $2^{100}$ elements). The KGC runs $\mathrm{TrapGen}(q, n)$ to obtain a matrix $A$ and a basis $B$ of the lattice $\Lambda_q^{\perp}(A)$, where $A \in \mathbb{Z}_q^{n \times m}$ is the system public key, $B \in \mathbb{Z}_q^{m \times m}$ is the system master private key, $AB = 0 \pmod q$ and $\|B\| \leqslant \tilde{L}$. Finally, $msk = B$ is kept secret and the KGC publishes the system public parameter set
$$pp = \{\sigma, s, A, H_1, H_2, H_3, H_4\}.$$

4.2 Extract

The KGC calculates $b_i = H_1(id_i)$, where $i \in \{o, p\}$, $id_o$ is the identity of the original signer and $id_p$ is the identity of the proxy signer. Then, the KGC runs $\mathrm{SampleMat}(A, B, s, b_i)$ to obtain a matrix $d_i \in \mathbb{Z}^{m \times \gamma}$ with $Ad_i = b_i \pmod q$ and $\|d_i\| \leqslant s\sqrt{m}$. The KGC delivers the partial private key $d_i$ to the user with identity $id_i$; since $d_i$ is half of the user's full private key, this delivery must use a confidential channel.

4.3 KeyGen

Each user $id_i$ selects a random matrix $u_i \in \{-d, \ldots, 0, \ldots, d\}^{m \times \gamma}$ as its secret value, where $u_i$ is uniformly distributed and $\|u_i\| \leqslant d\sqrt{m}$. Then the user calculates the public key $T_i = Au_i \pmod q$ and the private key $S_i = d_i + u_i$, where $T_i \in \mathbb{Z}_q^{n \times \gamma}$ and $S_i \in \mathbb{Z}^{m \times \gamma}$. Here, $id_o$ is the identity of the original signer and $id_p$ is the identity of the proxy signer; $(T_o, S_o)$ is the public-private key pair of the original signer and $(T_p, S_p)$ is the public-private key pair of the proxy signer.

4.4 Delegation generation

The original signer generates an authorization certificate $m_\omega$ according to its own requirements; $m_\omega$ includes the restriction contents and the identity information of the original signer and the proxy signer.

The original signer selects the vector $y_\omega \leftarrow D_\sigma^m$ and calculates $c_\omega = H_2(Ay_\omega, m_\omega) \in \{-1,0,1\}^\gamma$ and $z_\omega = S_o c_\omega + y_\omega$. Then, the original signer outputs the signature $\lambda = (c_\omega, z_\omega)$ to the proxy signer with probability
$$\min\Big( \frac{D_\sigma^m(z_\omega)}{M\,D_{S_o c_\omega,\sigma}^m(z_\omega)},\ 1 \Big),$$
where $M$ is a constant, and publishes $(m_\omega, \lambda)$. If the rejection test fails, a fresh $y_\omega$ is sampled and the step is repeated, so that the released $z_\omega$ does not leak $S_o$.

4.5 Authorization verification

The authorization is verified by the proxy signer with identity $id_p$ as follows:

(1) The proxy signer verifies whether $\|z_\omega\| \leqslant \eta\sigma\sqrt{m}$. If not, reject; otherwise, carry out (2).

(2) The proxy signer calculates the verification parameter $c'_\omega = H_2(Az_\omega - (H_1(id_o) + T_o)c_\omega,\ m_\omega)$ and approves the authorization if $c'_\omega = c_\omega$, rejecting it otherwise.


4.6 Proxy key generation

The proxy signer calculates $u_\omega = H_4(m_\omega, \lambda) \in \{-1,0,1\}^{\gamma \times l}$, $S_\omega = S_p u_\omega$ and $T_\omega = T_p u_\omega$, where $T_\omega \in \mathbb{Z}_q^{n \times l}$ is the proxy public key and $S_\omega \in \mathbb{Z}^{m \times l}$ is the proxy private key. Since $AS_\omega = A(d_p + u_p)u_\omega = (H_1(id_p) + T_p)u_\omega \pmod q$, the value $AS_\omega$ can be computed from public data alone, which is what the verification in Section 4.9 relies on.

4.7 Proxy signature

The source nodes generate the final signatures, and the packet identifier $id$ has to be shared among them. Acting as a source node user, the proxy signer carries out the following operations.

(1) The proxy signer randomly selects a vector $y \leftarrow D_\sigma^m$ and calculates $c_k = H_3(Ay, v_k, id) \in \{-1,0,1\}^l$, where $id$ is assigned to each packet and packets with the same $id$ have to be encoded together.

(2) The proxy signer calculates $z = S_\omega c_k + y$, and then sends $\tau_k \leftarrow (c_k, z)$ to the intermediate nodes and sink nodes with probability
$$\min\Big( \frac{D_\sigma^m(z)}{M\,D_{S_\omega c_k,\sigma}^m(z)},\ 1 \Big),$$
where $M$ is a constant.

4.8 Combine

In this algorithm, an intermediate node receives the encoded message vectors $w = (w_1, w_2, \ldots, w_m)$ and forms the combined message $w = \sum_{i=1}^{m} \alpha_i w_i$, where $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ is the local coding vector set. The relationship between the combined message $w$ and the original message vectors $v$ is $w = \sum_{k=1}^{m} \beta_k v_k$, where $\{\beta_1, \beta_2, \ldots, \beta_m\}$ is the global coding vector set. The proxy signatures $(\tau_1, \tau_2, \ldots, \tau_m)$ correspond to the original message vectors $(v_1, v_2, \ldots, v_m)$, and a packet is viewed as an $m$-dimensional vector $v$. The combined signature is $c = \prod_{k=1}^{m} c_k^{\beta_k}$. Figure 2 shows the working flowchart of proxy signature and combination.

Fig. 2 Flowchart about proxy signature and combination

4.9 Verify

In this algorithm, the sink node carries out the following operations.

(1) Verify whether $\|z\| \leqslant \eta\sigma\sqrt{m}$. If not, reject; otherwise, run (2).

(2) Calculate
$$c' = \prod_{k=1}^{m} H_3\big(Az - (H_1(id_p) + T_p)H_4(m_\omega, \lambda)c_k,\ v_k,\ id\big)^{\beta_k}.$$
If $c = c'$, the signature is valid; otherwise it is invalid.

5 Correctness analysis

5.1 Authorization verification

By the sampling algorithm and the Gaussian distribution, $z_\omega$ satisfies $\|z_\omega\| \leqslant \eta\sigma\sqrt{m}$ with probability $\partial \geqslant 1 - 2^{-100}$. So, we obtain:
$$\begin{aligned}
c'_\omega &= H_2\big(Az_\omega - (H_1(id_o) + T_o)c_\omega,\ m_\omega\big) \\
&= H_2\big(A(S_o c_\omega + y_\omega) - A(d_o + u_o)c_\omega,\ m_\omega\big) \\
&= H_2(Ay_\omega,\ m_\omega) \\
&= c_\omega.
\end{aligned}$$

5.2 Verification of signed packets

By the sampling algorithm and the Gaussian distribution, $z$ satisfies $\|z\| \leqslant \eta\sigma\sqrt{m}$ with probability $\partial \geqslant 1 - 2^{-100}$. $H_3(\cdot)$ is a homomorphic hash function, so the verification of a signed packet proceeds as follows:
$$\begin{aligned}
c' &= \prod_{k=1}^{m} H_3\big(Az - (H_1(id_p) + T_p)H_4(m_\omega, \lambda)c_k,\ v_k,\ id\big)^{\beta_k} \\
&= H_3\Big(Az - (H_1(id_p) + T_p)H_4(m_\omega, \lambda)c_k,\ \sum_{k=1}^{m}\beta_k v_k,\ id\Big) \\
&= H_3\Big(AS_\omega c_k + Ay - AS_p u_\omega c_k,\ \sum_{k=1}^{m}\beta_k v_k,\ id\Big) \\
&= H_3\Big(Ay,\ \sum_{k=1}^{m}\beta_k v_k,\ id\Big) \\
&= \prod_{k=1}^{m} H_3(Ay,\ v_k,\ id)^{\beta_k} \\
&= \prod_{k=1}^{m} c_k^{\beta_k} \\
&= c.
\end{aligned}$$

5.3 Batch verification

The new multi-source signatures support batch verification in the way homomorphic signatures usually do. The verifier computes a linear combination of the signed packets in the batch, obtaining a single signed packet as if it had computed a combined packet for forwarding. If the verification of the combined packet succeeds, all signed packets are valid. If it fails, at least one polluted packet is in the batch; to find out which one, binary checking tests half of the batch in each step.

Batch verification fails whenever inconsistent packets are present, because the combining process cannot produce a valid signed packet from a random linear combination that includes a polluted packet.
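The signing and verification steps of Sections 4.4/4.5 and 4.7/4.9 share one pattern: commit with a Gaussian $y$, derive the challenge $c$ by hashing $Ay$ together with the message, answer $z = Sc + y$, release $z$ only if the rejection test of Section 2.5 passes, and verify by recomputing $Az - Tc = Ay$. The following Python block is an added example, not the authors' code, that implements this pattern for one key $T = AS$ and one message; it then shows that a tampered (polluted) message fails the hash check and that an overlong $z$ is stopped by the norm check before the hash is even recomputed. All sizes and constants ($n, m, q, \gamma, \kappa, \sigma, \eta, M$) are toy assumptions far below secure parameters, the Gaussian sampler is a plain rejection sampler, and the challenge hash is SHA-256 expanded with a seeded PRNG.

```python
"""Toy lattice signature with Fiat-Shamir-with-abort (shape of Sections 4.4-4.5 / 4.7-4.9).

Added example, not the paper's code.  Parameters are assumptions for the demo and
are far too small for security; real instances need n in the hundreds and q ~ 2^23.
"""
import hashlib
import math
import random

Q, N, M_DIM, GAMMA, KAPPA = 12289, 8, 32, 16, 4
SIGMA = 12 * KAPPA * math.sqrt(M_DIM)   # sigma = 12 * max ||S c||, the choice behind Section 2.5
M_CONST = math.exp(1 + 1 / 288)         # rejection-sampling constant M for sigma = 12 * ||S c||
ETA = 2.0                               # verifier accepts ||z|| <= ETA * SIGMA * sqrt(m)


def matvec_mod(A, x, q=Q):
    """A x mod q for A over Z_q and x over Z (entries may be negative)."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def matvec_int(S, c):
    """S c over the integers (no reduction); used for S c and T c."""
    return [sum(s * ci for s, ci in zip(row, c)) for row in S]


def norm2(v):
    return sum(x * x for x in v)


def sample_gauss(rng, sigma, dim, tau=12):
    """y <- D_sigma^dim: each coordinate by rejection from the box [-tau*sigma, tau*sigma]."""
    bound = int(tau * sigma)
    out = []
    while len(out) < dim:
        x = rng.randrange(-bound, bound + 1)
        if rng.random() < math.exp(-x * x / (2 * sigma * sigma)):
            out.append(x)
    return out


def hash_challenge(u, msg):
    """H: (A y mod q, msg) -> c in {-1,0,1}^GAMMA with exactly KAPPA non-zero entries."""
    seed = hashlib.sha256(repr(([x % Q for x in u], msg)).encode()).digest()
    prng = random.Random(int.from_bytes(seed, "big"))
    c = [0] * GAMMA
    for idx in prng.sample(range(GAMMA), KAPPA):
        c[idx] = prng.choice((-1, 1))
    return c


def keygen(rng):
    """A in Z_q^{n x m} (public), S in {-1,0,1}^{m x GAMMA} (secret), T = A S mod q (public)."""
    A = [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N)]
    S = [[rng.choice((-1, 0, 1)) for _ in range(GAMMA)] for _ in range(M_DIM)]
    T = [[sum(A[i][k] * S[k][j] for k in range(M_DIM)) % Q for j in range(GAMMA)] for i in range(N)]
    return A, S, T


def sign(A, S, msg, rng):
    """Returns (c, z); restarts with a fresh y whenever the rejection test rejects."""
    while True:
        y = sample_gauss(rng, SIGMA, M_DIM)
        c = hash_challenge(matvec_mod(A, y), msg)
        sc = matvec_int(S, c)
        z = [a + b for a, b in zip(sc, y)]
        # accept with probability D_sigma(z) / (M * D_{Sc,sigma}(z)); note z - S c = y
        ratio = math.exp((norm2(y) - norm2(z)) / (2 * SIGMA ** 2)) / M_CONST
        if rng.random() < ratio:
            return c, z


def verify(A, T, msg, sig):
    """Norm check first, then H(A z - T c, msg) == c; A z - T c = A y for an honest signature."""
    c, z = sig
    if math.sqrt(norm2(z)) > ETA * SIGMA * math.sqrt(M_DIM):
        return False
    u = [(az - tc) % Q for az, tc in zip(matvec_mod(A, z), matvec_int(T, c))]
    return hash_challenge(u, msg) == c


def demo(seed=7):
    """Constructed run: sign a warrant-style message, then try two attacks on it."""
    rng = random.Random(seed)
    A, S, T = keygen(rng)
    msg = b"warrant: id_o delegates to id_p, packets with id=42 only"   # constructed message
    sig = sign(A, S, msg, rng)
    ok = verify(A, T, msg, sig)
    tampered = verify(A, T, b"warrant: id_o delegates to attacker", sig)   # pollution attempt
    c, z = sig
    oversized = verify(A, T, msg, (c, [10 * x for x in z]))                # fails the norm check
    return ok, tampered, oversized
```

The norm check is not cosmetic: without it a forger could submit any $z$ with $Az - Tc$ equal to a chosen value, since only short $z$ are hard to find; in the paper's scheme this is the $\|z\| \leqslant \eta\sigma\sqrt{m}$ test of Sections 4.5 and 4.9.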



6 Security analysis

Theorem 1 Assume an outside attacker $\mathcal{A}_I$ can break the UF-CMA-I security of LCL-NCPS with advantage $\epsilon$. Then there exists an algorithm $T$ that solves the SIS problem with advantage $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$, where $\mathcal{A}_I$ does not know the master private key but can replace any user public key.

Proof Assume $T$ receives a random instance $A \in \mathbb{Z}_q^{n \times m}$ of the SIS problem; the aim of $T$ is to find a non-zero short vector $e'$ such that $Ae' = 0 \pmod q$ and $\|e'\| \leqslant \phi$. In the interactive game, $\mathcal{A}_I$ acts as a subroutine of $T$. $T$ creates the initially empty lists list_1, list_2, list_3, list_4, list_5 and list_6. Let $\delta$ be the probability that $id_i = id_t$, where $t \in \{1, 2, \ldots, q_1\}$ is unknown to $\mathcal{A}_I$, $id_t$ acts as the challenge identity and $q_1$ is the number of queries to the $H_1$ oracle. Firstly, $T$ returns $pp \leftarrow \mathrm{Setup}(1^n)$ to $\mathcal{A}_I$. Then the outside attacker $\mathcal{A}_I$ adaptively queries the oracles below.

$H_1$ queries: $\mathcal{A}_I$ issues an $H_1$ query for $id_i$. If list_1 contains $(id_i, b_i)$, $T$ returns $b_i$ to $\mathcal{A}_I$; otherwise, $T$ returns a random $b_i \in \mathbb{Z}_q^{n \times \gamma}$ to $\mathcal{A}_I$ and adds $(id_i, b_i)$ to list_1.

$H_2$ queries: $\mathcal{A}_I$ issues an $H_2$ query for $(Ay_\omega, m_\omega)$. $T$ checks whether such a tuple is in list_2. If yes, $T$ returns $c_\omega$; otherwise, $T$ returns a random $c_\omega \in \{-1,0,1\}^\gamma$ with $\|c_\omega\| \leqslant \kappa_1$ to $\mathcal{A}_I$ and stores $(Ay_\omega, m_\omega, c_\omega)$ in list_2.

$H_3$ queries: $\mathcal{A}_I$ queries the hash value for $(Ay, v_k, id)$. $T$ checks whether a relevant tuple is in list_3. If yes, $T$ returns $c_k$; otherwise, $T$ returns a random $c_k \in \{-1,0,1\}^l$ with $\|c_k\| \leqslant \kappa_2$ and stores $(Ay, v_k, id, c_k)$ in list_3.

$H_4$ queries: For an $H_4$ query on $(m_\omega, \lambda)$, $T$ checks whether a relevant tuple exists in list_4. If yes, $T$ returns $u_\omega$; otherwise, $T$ returns a random $u_\omega \leftarrow \{-1,0,1\}^{\gamma \times l}$ and stores $(m_\omega, \lambda, u_\omega)$ in list_4.

Public key queries: $\mathcal{A}_I$ requests the public key of $id_i$. $T$ checks whether $T_i$ is in list_5. If yes, $T$ returns $T_i$; otherwise, $T$ randomly chooses $u_i \in \{-d, \ldots, 0, \ldots, d\}^{m \times \gamma}$, calculates $T_i = Au_i \pmod q$, delivers $T_i$ to $\mathcal{A}_I$ and records $(id_i, u_i, T_i, -, -)$ in list_5.

Partial private key queries: $\mathcal{A}_I$ requests the partial private key of $id_i$. If $id_i = id_t$, $T$ fails and aborts. If $id_i \neq id_t$, $T$ returns a random short $d_i \in \mathbb{Z}^{m \times \gamma}$ such that $Ad_i = b_i \pmod q$, sends it to $\mathcal{A}_I$ and updates $(id_i, u_i, T_i, -, -)$ to $(id_i, u_i, T_i, d_i, -)$ in list_5.

Private key queries: $\mathcal{A}_I$ requests the private key of $id_i$. If the public key of $id_i$ has not been replaced, $T$ checks whether a tuple containing $S_i$ exists in list_5; if yes, $T$ returns $S_i$ to $\mathcal{A}_I$. If $id_i = id_t$, $T$ fails and aborts; otherwise, $T$ obtains $(d_i, u_i)$ from list_5, returns $S_i \leftarrow d_i + u_i$ and updates $(id_i, u_i, T_i, d_i, -)$ to $(id_i, u_i, T_i, d_i, S_i)$ in list_5.

Public key replacement: $\mathcal{A}_I$ wants to replace the public key of $id_i$. If $id_i = id_t$, $T$ fails and aborts; otherwise, $T$ uses the supplied $T'_i$ to replace the current public key $T_i$ in list_5.

Proxy key queries: $\mathcal{A}_I$ submits a proxy key query for $(id_o, id_p, m_\omega)$. If $id_o = id_t$, $T$ fails and aborts; otherwise, $T$ calculates $c'_\omega = H_2(Az_\omega - (H_1(id_o) + T_o)c_\omega,\ m_\omega)$ and checks whether $c'_\omega = c_\omega$. If yes, $T$ calls the related oracles to return $S_\omega \leftarrow S_p u_\omega$ and records $(m_\omega, \lambda, c_\omega, S_\omega)$ in list_6.

Proxy signature queries: $\mathcal{A}_I$ requests a proxy signature on the original message vector $v_k$. If $id_p \neq id_t$, $T$ runs the proxy signature algorithm and returns $(c_k, z)$; otherwise, $T$ obtains $(d_p, u_p)$ from list_5 and $u_\omega$ from list_4, calculates the proxy key $S_\omega = (d_p + u_p)u_\omega$ and continues as follows: $T$ randomly selects the vector $y \leftarrow D_\sigma^m$ and calculates $c_k = H_3(Ay, v_k, id) \in \{-1,0,1\}^l$ and $z = S_\omega c_k + y$. Finally, $T$ outputs the signature $(c_k, z)$ with probability
$$\min\Big( \frac{D_\sigma^m(z)}{M\,D_{S_\omega c_k,\sigma}^m(z)},\ 1 \Big).$$

Combination queries: $\mathcal{A}_I$ requests a combination query. If it is not the $t$-th query, $T$ runs the actual combination algorithm and returns the combined signature. Otherwise, $T$ calculates the combined message $w = \sum_{k=1}^{m} \beta_k v_k$, where $\beta = (\beta_1, \beta_2, \ldots, \beta_m)$ is the global coding vector and $w = (w_1, w_2, \ldots, w_m)$ is the combined message vector, and returns the combined signature $c \leftarrow \prod_{k=1}^{m} c_k^{\beta_k}$.

Verification queries: $\mathcal{A}_I$ submits a verification query. If it is not the $t$-th query, $T$ runs the verification algorithm and returns the result; otherwise, $T$ answers as follows: (1) verify whether $\|z\| \leqslant \eta\sigma\sqrt{m}$; if not, reject, otherwise run (2). (2) Calculate $c' = \prod_{k=1}^{m} H_3\big(Az - (H_1(id_p) + T_p)H_4(m_\omega, \lambda)c_k,\ v_k,\ id\big)^{\beta_k}$; if $c = c'$, $T$ returns the message vector, and $\perp$ otherwise.

Forgery phase: After the adaptive queries are over, $\mathcal{A}_I$ outputs a forged signature $(c^*, z^*)$ to $T$. In the forgery phase, $\mathcal{A}_I$ cannot have queried the partial private key or the secret value of $id_p^*$. If $id_p^* \neq id_t$, $T$ fails and aborts; otherwise, by the forking lemma [25], $T$ obtains from $\mathcal{A}_I$ another signature $(c'_k, z')$ on the same commitment $Ay$. Then:
$$Az^* - (H_1(id_p^*) + T_p^*)H_4(m_\omega, \lambda)c_k^* = Az' - (H_1(id_p^*) + T_p^*)H_4(m_\omega, \lambda)c'_k,\qquad c'_k \neq c_k^*,$$
where $H_1(id_p^*) = Ad_p^* \pmod q$, $T_p^* = Au_p^* \pmod q$ and $H_4(m_\omega, \lambda) = u_\omega$, so the above equation can be rewritten as
$$A(z^* - z') + Au_p^* u_\omega(c'_k - c_k^*) + Ad_p^* u_\omega(c'_k - c_k^*) = 0 \pmod q,\qquad c'_k \neq c_k^*.$$
By the forking lemma [25], with probability $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$ there is another partial private key $d'_p$ such that $H_1(id_p^*) = Ad_p^* \pmod q = Ad'_p \pmod q$ and $d_p^* \neq d'_p$. The equation above holds for the partial private key $d_p^*$ used by $\mathcal{A}_I$, and because $Ad'_p = Ad_p^*$ it also holds with $d'_p$ in place of $d_p^*$; hence
$$A\big(z^* - z' + S_\omega^*(c'_k - c_k^*)\big) = 0 \pmod q,$$
where $S_\omega^* = S_p^* u_\omega$ and $S_p^* = d'_p + u_p^*$ is the key held by $T$. The SIS problem is to find a non-zero short vector $e'$ with $Ae' = 0 \pmod q$. Let $e' = z^* - z' + S_\omega^*(c'_k - c_k^*)$. Since $\mathcal{A}_I$ computed $z^*$ and $z'$ with its own partial key $d_p^* \neq d'_p$, and $S_\omega^*$ is unknown to $\mathcal{A}_I$ (it cannot tell which preimage of $H_1(id_p^*)$ $T$ holds), $e' \neq 0$ except with negligible probability, and $\|e'\| \leqslant 2\eta\sigma\sqrt{m} + 2\kappa_1(s + d)\sqrt{m}$, so $T$ has solved the SIS problem. Finally, the probability that $T$ solves the SIS problem is $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$. Since the SIS problem is hard, $\epsilon'$ must be negligible, hence so is $\epsilon$, and LCL-NCPS is UF-CMA-I secure.
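The extraction step of the proof above (and the identical step in the proof of Theorem 2), as an added Python example that is not part of the paper. Two responses $z^*, z'$ to the same commitment $Ay$ under different challenges are combined with the reduction's own preimage $S'$ of the public key into $e' = z^* - z' + S'(c' - c^*)$; the block checks that $Ae' = 0 \bmod q$, that $e'$ is short, and that $e'$ is non-zero exactly because $S' \neq S^*$ (using the forger's own $S^*$ instead gives $e' = 0$, the case in which the reduction fails). Since no trapdoor is available here, the toy matrix $A$ is built with a planted short kernel vector so that a second preimage exists; that construction, the sizes and the explicit challenge vectors are assumptions made for the demo.

```python
"""Witness extraction behind Theorems 1 and 2: two forgeries on one commitment give a
short non-zero vector in the kernel of A, i.e. a SIS solution.

Added example, not the authors' code.  The planted kernel vector stands in for the
trapdoor / second-preimage argument of the proof; sizes are toy assumptions.
"""
import random

Q, N, M_DIM, GAMMA = 12289, 6, 12, 8   # toy sizes (assumptions)


def matvec_mod(A, x, q=Q):
    """A x mod q."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def matvec_int(S, c):
    """S c over the integers."""
    return [sum(s * ci for s, ci in zip(row, c)) for row in S]


def toy_instance(rng):
    """Return (A, k, S_star, S_prime): A in Z_q^{n x m} with a planted short kernel vector k
    (A k = 0 mod q), the forger's secret S*, and the reduction's second preimage
    S' = S* + k r^T, which has the same public key A S' = A S* mod q."""
    k = [rng.choice((-1, 1)) for _ in range(M_DIM - 1)] + [1]
    A_left = [[rng.randrange(Q) for _ in range(M_DIM - 1)] for _ in range(N)]
    last_col = [(-sum(a * b for a, b in zip(row, k[:-1]))) % Q for row in A_left]
    A = [row + [x] for row, x in zip(A_left, last_col)]
    S_star = [[rng.choice((-1, 0, 1)) for _ in range(GAMMA)] for _ in range(M_DIM)]
    r = [1] + [0] * (GAMMA - 1)          # any short non-zero r works
    S_prime = [[s + ki * rj for s, rj in zip(row, r)] for row, ki in zip(S_star, k)]
    return A, k, S_star, S_prime


def public_key(A, S):
    """T = A S mod q."""
    return [[sum(A[i][t] * S[t][j] for t in range(M_DIM)) % Q for j in range(GAMMA)] for i in range(N)]


def respond(S, y, c):
    """z = S c + y, the response a signer computes for commitment randomness y."""
    return [a + b for a, b in zip(matvec_int(S, c), y)]


def extract(S_known, z_star, z_prime, c_star, c_prime):
    """e' = z* - z' + S_known (c' - c*).  Returns None if e' = 0 (the reduction's bad case)."""
    diff = [a - b for a, b in zip(c_prime, c_star)]
    e = [zs - zp + t for zs, zp, t in zip(z_star, z_prime, matvec_int(S_known, diff))]
    return e if any(e) else None


def demo(seed=3):
    """Constructed run.  Returns (A, k, e_reduction, e_same_key): e_reduction is the SIS
    solution obtained with S' and equals -k; e_same_key is None because S* itself yields 0."""
    rng = random.Random(seed)
    A, k, S_star, S_prime = toy_instance(rng)
    if public_key(A, S_star) != public_key(A, S_prime):
        raise AssertionError("S* and S' must be preimages of the same public key")
    y = [rng.randrange(-50, 51) for _ in range(M_DIM)]      # shared commitment randomness (constructed)
    c_star = [1, 1, 0, 0, 0, 0, 0, 0]                       # two distinct ternary challenges
    c_prime = [0, 0, 1, -1, 0, 0, 0, 0]
    z_star, z_prime = respond(S_star, y, c_star), respond(S_star, y, c_prime)
    e_reduction = extract(S_prime, z_star, z_prime, c_star, c_prime)
    e_same_key = extract(S_star, z_star, z_prime, c_star, c_prime)
    return A, k, e_reduction, e_same_key
```

Algebraically $e' = (S^* - S')(c^* - c')$, so the bound $\|e'\| \leqslant 2\eta\sigma\sqrt{m} + 2\kappa_1(s + d)\sqrt{m}$ in the proof is just the triangle inequality over the two short responses and the short key difference, and the requirement $S' \neq S^*$ is what the proof's appeal to a second preimage $d'_p$ (or $u'_p$ in Theorem 2) provides.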
Theorem 2 Assume an inside attacker $\mathcal{A}_{II}$ can break the UF-CMA-II security of LCL-NCPS with advantage $\epsilon$. Then there exists an algorithm $T$ that solves the SIS problem with advantage $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$, where $\mathcal{A}_{II}$ knows the system master key but cannot replace any user public key.

 ( ( ( ) ) )
Proof $T$ receives a random instance $A \in \mathbb{Z}_q^{n \times m}$ of the SIS problem; the aim of $T$ is to find a non-zero short vector $e'$ satisfying $Ae' = 0 \pmod q$ and $\|e'\| \leqslant \phi$. In the whole game, $\mathcal{A}_{II}$ acts as a subroutine of $T$. $T$ creates the initially empty lists list_1, list_2, list_3, list_4, list_5 and list_6. Let $\delta$ be the probability that $id_i = id_t$, where $id_t$ acts as the challenge identity, $t \in \{1, 2, \ldots, q_1\}$ is unknown to $\mathcal{A}_{II}$ and $q_1$ is the number of queries to the $H_1$ oracle.

Firstly, $T$ returns $(pp, msk = B) \leftarrow \mathrm{Setup}(1^n)$. Afterwards, a polynomially bounded number of adaptive queries is made by $\mathcal{A}_{II}$. The $H_1, H_2, H_3, H_4$ queries are the same as in the proof of Theorem 1 and are omitted.

Public key queries: $\mathcal{A}_{II}$ requests the public key of $id_i$. $T$ checks whether $T_i$ exists in list_5. If yes, $T$ returns $T_i$ to $\mathcal{A}_{II}$; otherwise, $T$ selects $u_i \in \{-d, \ldots, 0, \ldots, d\}^{m \times \gamma}$, computes $T_i = Au_i \pmod q$, delivers $T_i$ to $\mathcal{A}_{II}$ and records $(id_i, u_i, T_i, -, -)$ in list_5.

Private key queries: $\mathcal{A}_{II}$ requests the private key of $id_i$. If $id_i = id_t$, $T$ fails and aborts. Otherwise, $T$ runs $\mathrm{SampleMat}(A, B, s, b_i)$ to obtain $d_i \in \mathbb{Z}^{m \times \gamma}$, obtains $u_i$ from list_5, returns $S_i \leftarrow d_i + u_i$ to $\mathcal{A}_{II}$ and updates $(id_i, u_i, T_i, d_i, -)$ to $(id_i, u_i, T_i, d_i, S_i)$ in list_5.

Proxy key queries: $\mathcal{A}_{II}$ submits a proxy key query for $(id_o, id_p, m_\omega)$. If $id_o = id_t$, $T$ fails and aborts; otherwise, $T$ calculates $c'_\omega = H_2(Az_\omega - (H_1(id_o) + T_o)c_\omega,\ m_\omega)$ and checks whether $c'_\omega = c_\omega$. If yes, $T$ extracts $u_\omega$ from list_4, returns $S_\omega = S_p u_\omega$ to $\mathcal{A}_{II}$ and adds $(m_\omega, \lambda, c_\omega, S_\omega)$ to list_6.

Proxy signature queries: $\mathcal{A}_{II}$ requests a proxy signature on the message vector $v_k$. If $id_p \neq id_t$, $T$ runs the proxy signature algorithm and returns $(c_k, z)$; otherwise, $T$ obtains $(d_p, u_p)$ from list_5 and $u_\omega$ from list_4, calculates the proxy key $S_\omega = (d_p + u_p)u_\omega$ and answers as follows: $T$ randomly selects the vector $y \leftarrow D_\sigma^m$ and calculates $c_k = H_3(Ay, v_k, id) \in \{-1,0,1\}^l$ and $z = S_\omega c_k + y$. Finally, $T$ outputs the signature $(c_k, z)$ with probability
$$\min\Big( \frac{D_\sigma^m(z)}{M\,D_{S_\omega c_k,\sigma}^m(z)},\ 1 \Big).$$

Combination queries: $\mathcal{A}_{II}$ sends $id_i$ to $T$ for a combination query. If it is not the $t$-th query, $T$ runs the combination algorithm and returns the combined result. If $id_p = id_t$, $T$ calculates the combined message $w = \sum_{k=1}^{m} \beta_k v_k$, where $\beta = (\beta_1, \beta_2, \ldots, \beta_m)$ is the global coding vector and $w = (w_1, w_2, \ldots, w_m)$ is the combined message vector, and returns the combined proxy signature $c \leftarrow \prod_{k=1}^{m} c_k^{\beta_k}$ to $\mathcal{A}_{II}$.

Verification queries: $\mathcal{A}_{II}$ submits a verification query. If $id_p \neq id_t$, $T$ runs the verification algorithm and returns the result; otherwise, $T$ responds as follows: (1) verify whether $\|z\| \leqslant \eta\sigma\sqrt{m}$; if not, reject, otherwise run (2). (2) Calculate $c' = \prod_{k=1}^{m} H_3\big(Az - (H_1(id_p) + T_p)H_4(m_\omega, \lambda)c_k,\ v_k,\ id\big)^{\beta_k}$; $T$ reports the signature valid if $c = c'$ and returns $\perp$ otherwise.

Forgery phase: After the queries end, $\mathcal{A}_{II}$ outputs a forged signature $(c^*, z^*)$ to $T$. In the forgery phase, $\mathcal{A}_{II}$ cannot have queried the private key of $id_p^*$. If $id_p^* \neq id_t$, $T$ abandons the game; otherwise, by the forking lemma [25], $T$ obtains from $\mathcal{A}_{II}$ another signature $(c'_k, z')$ on the same commitment $Ay$. Then:
$$Az^* - (H_1(id_p^*) + T_p^*)H_4(m_\omega, \lambda)c_k^* = Az' - (H_1(id_p^*) + T_p^*)H_4(m_\omega, \lambda)c'_k,\qquad c'_k \neq c_k^*,$$
where $H_1(id_p^*) = Ad_p^* \pmod q$, $T_p^* = Au_p^* \pmod q$ and $H_4(m_\omega, \lambda) = u_\omega$, so the above equation can be rewritten as
$$A(z^* - z') + Au_p^* u_\omega(c'_k - c_k^*) + Ad_p^* u_\omega(c'_k - c_k^*) = 0 \pmod q,\qquad c'_k \neq c_k^*.$$
By the forking lemma [25], with probability $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$ there exists another secret value $u'_p$ such that $T_p^* = Au_p^* \pmod q = Au'_p \pmod q$ and $u_p^* \neq u'_p$. The equation above holds for the secret value $u_p^*$ used by $\mathcal{A}_{II}$, and because $Au'_p = Au_p^*$ it also holds with $u'_p$ in place of $u_p^*$; hence
$$A\big(z^* - z' + S_\omega^*(c'_k - c_k^*)\big) = 0 \pmod q,$$
where $S_\omega^* = S_p^* u_\omega$ and $S_p^* = d_p^* + u'_p$ is the key held by $T$. The SIS problem is to find a non-zero short vector $e'$ such that $Ae' = 0 \pmod q$. Let $e' = z^* - z' + S_\omega^*(c'_k - c_k^*)$. Since $\mathcal{A}_{II}$ computed $z^*$ and $z'$ with its own secret value $u_p^* \neq u'_p$, and $S_\omega^*$ is unknown to $\mathcal{A}_{II}$ (it cannot tell which preimage of $T_p^*$ $T$ holds), $e' \neq 0$ except with negligible probability, and $\|e'\| \leqslant 2\eta\sigma\sqrt{m} + 2\kappa_1(s + d)\sqrt{m}$, so $T$ has solved the SIS problem. Finally, the probability that $T$ solves the SIS problem is $\epsilon' = \epsilon(1 - 2^{-\omega(\log n)})$. Since the SIS problem is hard, $\epsilon'$ must be negligible, hence so is $\epsilon$, and LCL-NCPS is UF-CMA-II secure.

Theorem 3 In the multi-source network coding environment, LCL-NCPS is secure if and only if it can resist pollution attacks.

Proof For LCL-NCPS, an attacker can tamper with messages in the network, but a forged message with a legitimate signature will not pass verification. If the attacker wants to forge a signature, it must obtain the proxy signer's private key; however, obtaining the private key of the proxy signer is equivalent to solving the SIS problem, which is infeasible according to the proofs of Theorems 1 and 2. To forge a valid signature, the attacker would have to perform the following operation:

The attacker attempts to sign a forged message directly. In the proxy signature algorithm above, it is necessary to obtain a vector $y \leftarrow D_\sigma^m$ and the proxy signer's private key before a message vector $v_k$ can be signed. Because the private key of the proxy signer is obtained via $\mathrm{SampleMat}(A, B, s, b_i)$, which is a one-way function whose inversion is equivalent to solving the SIS problem, it is infeasible for the attacker to produce a valid proxy signature.

7 Performance analysis

In this section, we compare LCL-NCPS with the related schemes [26−28] in terms of computational complexity and security features. The experimental platform is a laptop with an Intel(R) Core-i7 processor, 16 GB RAM and 64-bit Windows 10; the test environment is Visual C 6.0.

Table 1 shows the features of the compared schemes,

Table 1 Feature comparison of several schemes


Feature comparison Literature [26] Literature [27] Literature [28] LCL-NCPS
Anti-quantum attacks No No No Yes
Anti-pollution attacks Yes Yes Yes Yes
Key escrow Yes No No No
Unforgeability Yes Yes Yes Yes
( ) ( ) ( )
Signature length O l2n−1 nlb (n) O 2m+n n2 lb (n) O 2n−1 nlb (n) O (mlb (12σ))

In Table 1, lb(n) denotes the base-2 logarithm of n, and the signature length column reflects the communication efficiency of the schemes. LCL-NCPS avoids certificate management and key escrow, and it is unforgeable, anti-quantum and anti-pollution. Owing to its short signature length, LCL-NCPS has the best communication efficiency of the four schemes.

Table 2 shows the symbols for the cryptographic operations involved in the four schemes. We measured the time of each cryptographic operation by running the open-source cryptographic library PBC on Visual C 6.0; the average operation times are listed in Table 3.

Table 2 Symbolic representation of various cryptographic operations

Cryptographic operation | Symbol
Time to execute an elliptic curve point multiplication | Cecp
Time to execute a scalar multiplication | Cmul
Time to execute a hash operation | Cmtp
Time to execute an exponentiation | Cme
Time to execute a bilinear pairing | Cpar
Time to execute the preimage sampling algorithm | ST
Time to execute the Gaussian sampling algorithm | SD
Time to execute a matrix-vector multiplication | Mv

Table 3 Operation time of various cryptographic operations

Symbol | Operation time/ms
Cecp | 7.67
Cmul | 0.02
Cmtp | 19.4
Cme | 7.4
Cpar | 25.38
ST | 35.42
SD | 23.03
Mv | 5.32

The efficiency of LCL-NCPS and of the schemes in [26−28] is compared in terms of running time. The operation counts of signing and verification are given in Table 4. To describe the computational efficiency more intuitively, the signing and verification cost of each scheme is evaluated as the dimension of the original message vector changes; the values of m + n used for the message vectors in network coding are listed in Table 5. Matlab 2018b was used for the simulation experiments, and the results are shown in Figs. 3 and 4.

Table 4 Efficiency comparison between LCL-NCPS and similar schemes

Scheme | Signature time | Verification time
Literature [26] | 2n·Cmul + (2n + 2)·Cme | (m + n)·Cmul + (m + n + 1)·Cme + Cpar
Literature [27] | (m + 2)·Cmul + m·Cme + n·Cecp + 2·Cmtp | (2m − 2)·Cmul + (n + 2)·Cecp + 2·Cmtp
Literature [28] | (m + n)·Cmul + (m + n + 1)·Cme + Cmtp | (m + n)·Cmul + 2m·Cpar + Cmtp
LCL-NCPS | (m + 2)·Mv + m·SD + 3·Cmtp + ST | (2m + 3)·Mv + m·SD + 3·Cmtp + m·Cmul

Table 5 Change of m + n of message vector

m | n | m + n
20 | 180 | 200
30 | 270 | 300
40 | 360 | 400
50 | 450 | 500
60 | 540 | 600

Fig. 3 Signature time comparison
Fig. 4 Verification time comparison

As Figs. 3 and 4 show, when the dimension of the message vector in network coding is 200, 300, 400, 500 or 600, LCL-NCPS takes significantly less time in both the signing and the verification algorithm, so LCL-NCPS is more efficient than the other schemes.

8 Conclusion

With the rapid development of quantum computing technology, network coding schemes based on traditional cryptosystems face quantum computing attacks. In this work, we construct certificateless network coding proxy signatures from lattice (LCL-NCPS) by using the trapdoor generation and preimage sampling algorithms. LCL-NCPS delegates the signing authority to a proxy signer and supports public verification. LCL-NCPS is a multi-source signature scheme that is anti-quantum, unforgeable and anti-pollution; in addition, it has high computational efficiency and low communication cost. As a multi-source signature scheme with anti-quantum security, LCL-NCPS has broad application prospects in UAN communication networks, 5G wireless networks, the internet of vehicles, wireless sensor networks and wireless ad hoc networks.

Acknowledgements This work was supported by the Key Project of Natural Science Basis Research Plan of Shaanxi Province (2020JZ-54).

References

1. Shamir A. Identity-based cryptosystems and signature schemes. In: Proceedings of CRYPTO 1984. 1984, 47–53
2. Al-Riyami S S, Paterson K G. Certificateless public key cryptography. In: Proceedings of the 9th International Conference on the Theory and Application of Cryptology and Information Security. 2003, 452–473
3. Yu H, Wang S. Certificateless threshold signcryption scheme with secret sharing mechanism. Knowledge-Based Systems, 2021, 221: 106981
4. Mambo M, Usuda K, Okamoto E. Proxy signatures for delegating signing operation. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security. 1996, 48–57
5. Deng L Z, Hu Z Y, Ruan Y, Wang T. Provably secure certificateless proxy scheme in the standard model. Journal of Internet Technology, 2022, 23(2): 279–288
6. Tang Y, Wang F, Ye Q, Yan X. Provably secure efficient certificateless proxy signature scheme. Journal of Frontiers of Computer Science and Technology, 2016, 10(9): 1282–1289
7. Zhang Y, Li J, Yuan H. Certificateless proxy signature scheme. Journal of Nanjing University of Information Science and Technology: Natural Science Edition, 2017, 9(5): 490–496
8. Shor P W. Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science. 1994, 124–134
9. Xia F, Yang B, Ma S, Sun W, Zhang M. Lattice-based proxy signature scheme. Journal of Hunan University: Natural Sciences, 2011, 38(6): 84–88
10. Li M X, Zheng Y Y, Xu M. Lattice-based proxy signature scheme in the standard model. Journal of Sichuan University: Engineering Science Edition, 2014, 46(1): 102–106
11. Jiang M M, Hu Y P, Wang B C, Wang F H, Lai Q Q. Efficient proxy signature over lattices. Journal of Beijing University of Posts and Telecommunications, 2014, 37(3): 89–92
12. Lu X, Wen Q, Wang L. Efficient lattice-based proxy signature supporting revocation. Journal of Sichuan University: Engineering Science Edition, 2016, 48(1): 139–145
13. Fan Z, Ou H W, Pei T. A certificateless proxy re-signature scheme … network coding based on lattice. Journal of Cryptologic Research, 2020, 7(1): 15–25
14. Chen J S, Hu Y P, Liang H M, Gao W. Novel efficient identity-based signature on lattices. Frontiers of Information Technology & Electronic Engineering, 2021, 22(2): 244–250
15. Zhu H, Wang Y, Wang C, Cheng X. An efficient identity-based proxy signcryption using lattice. Future Generation Computer Systems, 2021, 117: 321–327
16. Luo H, Wang C F, Fen F, Yu Z X. On homomorphic signature scheme for multi-source network coding. Application Research of Computers, 2011, 28(4): 1465–1469
17. Yu H, Gao X. Homomorphic ring signature scheme technology for multi-source network coding. Netinfo Security, 2019, 19(2): 36–42
18. Yu H, Li W. Homomorphic signature schemes for single-source and multi-source network coding. Journal on Communications, 2019, 40(11): 112–121
19. Yu H, Bai L, Hao M, Wang N. Certificateless signcryption scheme from lattice. IEEE Systems Journal, 2021, 15(2): 2687–2695
20. Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing. 2008, 197–206
21. Lyubashevsky V. Lattice signatures without trapdoors. In: Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2012, 738–755
22. Yu H, Qi Z, Liu D, Yang K. Certificateless multisignature scheme suitable for network coding. Security and Communication Networks, 2021, 2021: 1609873
23. Yang M, Luo J, Li L. Signatures for multi-source network coding. China Communications, 2010, 7(1): 131–137
24. Niu S F, Wang C F. Homomorphic signature algorithm for multi-source linear network coding. Computer Engineering, 2012, 38(2): 126–128
25. Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 2000, 13(3): 361–396
26. Li T, Chen W, Tang Y, Yan H. A homomorphic network coding signature scheme for multiple sources and its application in IoT. Security and Communication Networks, 2018, 2018: 9641273
27. Yu H, Li W. A certificateless signature for multi-source network coding. Journal of Information Security and Applications, 2020, 55: 102655
28. Yu H, Wang W. Certificateless network coding ring signature scheme. Security and Communication Networks, 2021, 2021: 8029644

Huifang Yu received her PhD degree in cryptography from Shaanxi Normal University, China. She is a professor at Xi'an University of Posts & Telecommunications, China. Her research interests include cryptographic theory, data security, anti-quantum cryptography and network coding schemes. She has completed more than twenty research projects, including a 973 Basic Research Project of China and National Natural Science Foundation of China projects. She has published three books, sixteen national invention patents and more than eighty papers.

Ning Wang received his master's degree in cyberspace security in 2022 from Xi'an University of Posts & Telecommunications, China. His main research interests include lattice-based public key cryptography and secure network coding.
