Sage Journals: Discover world-class research

Abstract

Ensuring the security of transmitted content is an important task in network communication. Signcryption technology combines signature and encryption operations in a single step to achieve message authentication and confidentiality. In practical applications, users are usually in different cryptographic systems, the ordinary signcryption technology cannot realize communication between two different cryptographic systems. And the ciphertext structure of the existing signcryption schemes is relatively complex, signcryption is not efficient. Therefore, in order to solve the problem of efficient communication between different cryptosystems and ensure quantum security, this paper proposes a lattice-based efficient heterogeneous signcryption scheme for secure network communications. This signcryption scheme accomplishes signcryption through matrix operations and hash functions, which avoids complex signcryption structures, efficiently realizes bidirectional message communication between identity-based cryptosystems and certificateless cryptosystems.

Keywords

Lattice heterogeneous signcryption network communications certificateless cryptography identity-based cryptography

1. Introduction

Research in the fields of cryptography and network security has greatly supported the development of network content transmission. Researchers are working on realizing secure network communication, such as in the fields of vehicle network, wireless networks and 5G [1,3,7]. Signature technology and encryption technology realize the secure transmission of network content. Signcryption technology combines digital signature and public key encryption to achieve encryption and signature operations at the same time. Signcryption technology was first proposed by Yuliang Zheng [14], which is significantly better than the method of signing first and then encrypting. Signcryption technology is widely used in the fields of IoT, blockchain and machine learning [4,11]. Through signcryption technology, the protection of transmitted content in machine learning is realized. Heterogeneous signcryption technology is the key technology to realize the content communication between two different systems, but most of the heterogeneous signcryption is based on the traditional PKI cryptosystem. The traditional PKI cryptosystem requires a trusted third party to issue a digital certificate to bind the user’s identity to the public key, which results in huge communication and storage costs. The emergence of identity-based cryptography (IBC) uses the user’s unique identity as the user’s public key and no longer requires a digital certificate. In 2003, a certificateless cryptosystem (CLC) was proposed. KGC is only used to generate the user’s partical private key, and the user’s complete private key is generated from the partical private key and the secret value selected by the user. Therefore, constructing a heterogeneous signcryption scheme based on a certificateless cryptosystem and an identity-based cryptosystem can not only realize message communication between different systems, but also improve system performance and scheme efficiency.

With the development of quantum computers, traditional signcryption schemes based on the decomposition of large integers and the difficulty of discrete logarithms have been unable to resist the attack of quantum algorithms. Since quantum algorithms for solving difficult problems on lattices in polynomial time have not yet been discovered, lattice-based cryptosystems are currently believed to be resistant to quantum attacks. In 2008, Gentry et al. proposed the GPV signature scheme and encryption scheme in the Reference [2], and proved their security based on the difficulty of the SIS problem and the LWE problem respectively. In 2014, Lu et al. proposed a signcryption scheme based on lattice [5], which has the advantage of resisting quantum computer attacks. In recent years, many researchers have studied signcryption schemes based on lattice. In 2019, Yang et al. proposed a heterogeneous signcryption scheme based on NTRU lattice [12], and proved its security under the random oracle model. But their research only achieved the one-way communication from PKI public key cryptosystem to identity-based cryptosystem. In 2021, Zhu et al. proposed an efficient identity-based proxy signcryption using lattice [15], which satisfies both IND-CCA security and EUF-CMA security. This scheme can only realize signcryption under the same identity-based cryptosystem. In 2022, Yu et al. proposed a certificateless anti-quantum ring signcryption for network coding [13], which has low communication cost. Most of the above researches can only realize one-way or same cryptosystem signcryption communication, and the ciphertext structure is relatively complex. In this paper, we combine lattice cryptography with heterogeneous signcryption scheme, and propose a lattice-based efficient heterogeneous signcryption scheme for secure network communications. The scheme improves the ciphertext structure while realizing the communication between certificateless cryptosystem and identity-based cryptosystem.

The contributions of this paper are as follows:

In order to solve the problem of secure content transmission between different cryptosystems in network, this paper proposes a lattice-based efficient heterogeneous signcryption scheme, which realizes bidirectional content communication between certificateless cryptosystems and identity-based cryptosystems.

In the proposed heterogeneous signcryption scheme for secure network communications, we generate the security key based on the lattice algorithm, generate the signcryption triple through the hash function and matrix operation. The scheme realizes the encryption of the message through XOR operation, avoids the complex signcryption operation, and improves the efficiency of the signcryption process.

The rest of the paper is organized as follows. In Section 2, we give the preliminaries. In Section 3, we describe the formal definition of the heterogeneous signcryption scheme model. In Section 4, we propose a lattice-based efficient heterogeneous signcryption scheme for secure network communications. In Section 5, we analyze the correctness of this scheme. Finally, we conclude this work in Section 6.

2. Preliminaries

2.1. Basic knowledge of lattice

This section gives the basic definitions of lattice and LWE distribution. In algebra, lattice is a subgroup of the set $R^{n}$ . The section gives the definition and two forms of lattice in cryptography. In 2005, Regev proved the worst-case hardness theorem for LWE problem [10]. The relevant definition of LWE distribution come from Peikert16 [9]. The specific definitions of lattice are given as follows.

Definition 1 (Lattices [6]).

Let $B = {b_{1}, \dots, b_{m}} \in R^{m \times m}$ be a matrix constructed by m linearly independent vectors ${b_{1}, b_{2}, \dots, b_{m}}$ . The lattice L generated by B is the set $\begin{matrix} Λ = L (B) = {B c = \sum_{i = 1}^{m} c_{i} b_{i} | c_{i} \in Z} \end{matrix}$ Here $b_{1}, \dots, b_{m}$ constitutes a set of bases of the lattice Λ.

Definition 2.
Given a prime number q, a matrix $A \in Z_{q}^{n \times m}$ and $u \in Z_{q}^{n}$ . Two special integer lattices are as follows: $\begin{array}{l} Λ_{q}^{⊥} (A) = {e \in Z^{m} | A e = 0 mod q} \\ Λ_{q}^{u} (A) = {e \in Z^{m} | A e = u mod q, u \in Z^{n}} \end{array}$ where q is a prime number, $A \in Z_{q}^{n \times m}$ .
Definition 3 (LWE distribution).

For a vector $s \in Z_{q}^{n}$ called the secret, the LWE distribution $A_{s, χ}$ over $Z_{q}^{n} \times Z_{q}$ is sampled by choosing $a \in Z_{q}^{n}$ uniformly at random, choosing $e \leftarrow χ$ , and outputting $(a, b = ⟨ s, a ⟩ + e mod q)$ .

2.2. Trapdoor generation and pre-image sampling algorithm

This section mainly introduces the trapdoor generation algorithm and the pre-image sampling algorithm proposed in the reference [8]. $TrapGen$ is a trapdoor generation algorithm. This algorithm can generate a random matrix and the corresponding base. The trapdoor generation algorithm is mainly used to generate public parameters and master private keys. $SamplePre$ is a pre-image sampling algorithm. This algorithm can generate a vector. Extending $SamplePre$ algorithm, $SampleMat$ can get a small matrix. The pre-image sampling algorithm is mainly used to generate private keys. The details are as follows.

Lemma 1 (Trapdoor generation algorithm).

For any integer $n > 0$ , $q > 1$ and $m = O (n log q)$ , there is a $TrapGen (1^{n}, 1^{m}, q)$ algorithm that outputs a matrix $A \in Z_{q}^{n \times m}$ and a set $B \in Z_{q}^{m \times m}$ . The distribution of A is statistically uniform on $Z_{q}^{n \times m}$ , and B is a trapdoor basis of the lattice $Λ_{q}^{⊥} (A)$ . In particular, $A B = 0 mod q$ , $‖ B ‖ ⩽ O (\sqrt{n log q})$ .

Lemma 2 (Pre-image sampling algorithm).

For the matrix $A \in Z_{q}^{n \times m}$ , $B \in Z_{q}^{m \times m}$ , the Gaussian parameter $s ⩾ ‖ \tilde{B} ‖ \cdot ω (\sqrt{log n})$ , and a random value $y \in Z_{q}^{n}$ , there is a $Sample Pr e (A, B, s, y)$ algorithm that, outputs $x \in {x_{i} \in Z^{m}, ‖ x_{i} ‖ ⩽ s \sqrt{m}}$ , where obeys the Gaussian distribution $D_{Λ_{q}^{y} (A), s}^{m}$ . In particular, $f (x) = A x = y mod q$ .

Lemma 3 (General pre-image sampling algorithm).

For the matrix $A \in Z_{q}^{n \times m}$ , $B \in Z_{q}^{m \times k}$ , the Gaussian parameter $s ⩾ ‖ \tilde{B} ‖ \cdot ω (\sqrt{log n})$ , and a random value $U \in Z_{q}^{n \times k}$ , there exist a valid polynomial time $SampleMat (A, B, s, U)$ that outputs a matrix $S \in Z^{m \times k}$ . The matrix S is obtained in discrete Gaussian distribution $D_{Λ_{q}^{U} (A), s}^{m}$ . In particular, $A S = U mod q$ .

2.3. Discrete Gaussian distribution from lattice

Definition 4 (Discrete Gaussian Distribution [8]).

For any $c > 0$ , real number $σ > 0$ , an m-dimensional lattice Λ, the discrete Gaussian distribution on lattice Λ is defined as $\begin{matrix} \forall x \in Λ, D_{Λ, σ, c} (x) = ρ_{σ, c} (x) / ρ_{σ, c} (Λ) \end{matrix}$

3. Heterogeneous signcryption scheme model

The lattice-based efficient heterogeneous signcryption model in this paper mainly includes three entities: Certificateless Cryptosystem(CLC) user, Identity-based Cryptosystem(IBC) user, and key generation center(KGC). The model consists of eight algorithms, namely: Setup, CLC Partial Key Generation (CLCExtract), CLC Key Generation (CLCKeyGen), IBC Key Generation (IBCKeyGen), CLC-IBC Heterogeneous Signcryption (CLC-IBC HSC), CLC-IBC Heterogeneous Unsigncryption (CLC-IBC HUSC), IBC-CLC Heterogeneous Signcryption (IBC-CLC HSC) and IBC-CLC Heterogeneous Unsigncryption (IBC-CLC HUSC). The identity of CLC user is ${id}_{a}$ , the identity of IBC user is ${id}_{b}$ . The details are as follows:

$Setup (1^{n}) \to param, MSK$ : The system initialization algorithm generates system parameters $param$ and master private key $MSK$ .

$CLCExtract (param, MSK, {id}_{a}) \to D$ : The CLCExtract algorithm generates partial private key D.

$CLCKeyGen (param, {id}_{a}, D) \to (T, S_{a}$ ): The CLCKeyGen algorithm generates public and private key pair $(T, S_{a})$ .

$IBCKeyGen (param, MSK, {id}_{b}) \to S_{b}$ : The IBCKeyGen algorithm generates the private key $S_{b}$ .

CLC-IBC $HSC (S_{a}, H ({id}_{b}), t) \to sign = (φ, η, ω)$ : CLC-IBC HSC algorithm generates the signcryption result $sign = (φ, η, ω)$ of the message t.

CLC-IBC $HUSC (S_{b}, H ({id}_{a}), T, sign) \to t$ : If IBC user authentication is passed, CLC-IBC HUSC algorithm outputs the original message t. Otherwise, IBC user rejects it.

IBC-CLC $HSC (S_{b}, H ({id}_{a}), T, t) \to sign = (φ, η, ω)$ : IBC-CLC HSC algorithm generates the signcryption result $sign = (φ, η, ω)$ of the message t.

IBC-CLC $HUSC (S_{a}, H ({id}_{b}), sign) \to t$ : If CLC user authentication is passed, IBC-CLC HUSC algorithm output the original message t. Otherwise, CLC user rejects it.

4. Lattice-based efficient heterogeneous signcryption scheme for secure network communications

In this section, we propose a lattice-based efficient heterogeneous signcryption scheme for secure network communications. The section includes a communication model and a specific scheme. This section designs a secure communication model for certificateless cryptosystems and identity-based cryptosystems. The model can realize the bidirectional heterogeneous signcryption process of these two different systems. The specific scheme avoids the number of symmetric encryption operations and complex signcryption operations. By designing the ciphertext structure, the scheme reduces the number of ciphertexts and improves the efficiency of heterogeneous signcryption.

4.1. Communication model of heterogeneous signcryption schemes

In practical applications, when users are in different cryptographic systems, how to realize secure network communication between the different cryptographic systems has become the focus of attention. In this paper, we mainly focus on implementing secure network communication for certificateless cryptosystems and identity-based cryptosystems. The simple communication model is shown in the Fig. 1. In CLC system, D is the partial private key of CLC users, and $S_{a}$ is the private key of CLC users, which consists of D and the secret value C. In IBC system, $S_{b}$ is the private key of IBC user. This communication model can realize bidirectional communication between CLC-IBC and IBC-CLC.

Fig. 1.

Heterogeneous signcryption communication model.

4.2. Lattice-based efficient heterogeneous signcryption scheme

In the Lattice-based efficient heterogeneous signcryption scheme proposed in this paper, based on the signcryption scheme structure [15], we generate the master private key through the trapdoor generation algorithm on lattice. We generate the user private key through the pre-image sampling algorithm, and realize the signcryption process through matrix operation and hash operation.

In this section, we propose a lattice-based efficient heterogeneous signcryption scheme. This scheme has three entities: CLC user ${id}_{a}$ , IBC user ${id}_{b}$ , and the key generation center KGC. The specific heterogeneous signcryption scheme is as follows:

4.2.1. Setup

KGC chooses n as the system security parameter, the prime number $q ⩾ 3$ , $m > 5 n log q$ , the Gaussian parameter s, $σ = 12 s λ m$ . KGC chooses three hash functions: $\begin{array}{l} (1) & H : {0, 1}^{*} \to Z_{q}^{n \times k} \\ (2) & H_{1} : {0, 1}^{*} \to {c : c \in {- 1, 0, 1}^{k}, ‖ c ‖_{1} ⩽ κ} \\ (3) & H_{2} : {0, 1}^{*} \to Z_{q}^{k} \end{array}$

KGC runs the algorithm $(A, B) \leftarrow TrapGen (n, m, q)$ . The public parameters are set to $param = {A, H, H_{1}, H_{2}}$ , and the master private key is $MSK = B$ .

4.2.2. CLCExtract

CLC user ${id}_{a}$ sends the partial private key request to the KGC. After receiving the user request, KGC runs the algorithm $D \leftarrow SampleMat (A, B, s, H ({id}_{a}))$ to generate the partial private key $D \in Z_{q}^{m \times k}$ of CLC user ${id}_{a}$ , where D satisfies $A D = H ({id}_{a}) = F \in Z_{q}^{n \times k}$ . KGC sends the partial private key D to CLC user.

4.2.3. CLCKeyGen

After CLC user ${id}_{a}$ receives the partial private key D, ${id}_{a}$ randomly selects $C \in Z_{q}^{m \times k}$ and sets it as the secret value. CLC user ${id}_{a}$ calculates the public key $T = A C mod q \in Z_{q}^{n \times k}$ , the private key $S_{a} = C + D$ . $(T, S_{a})$ is the user’s public-private key pair.

4.2.4. IBCKeyGen

IBC user ${id}_{b}$ sends the key generation request to KGC. After receiving the user ${id}_{b}$ request, KGC runs the algorithm $S_{b} \leftarrow SampleMat (A, B, s, H ({id}_{b}))$ to generate the user’s private key $S_{b} \in Z_{q}^{m \times k}$ , where $S_{b}$ satisfies $A S_{b} = H ({id}_{b}) \in Z_{q}^{n \times k}$ . KGC sends the private key $S_{b}$ to ${id}_{b}$ .

4.2.5. CLC-IBC HSC

In this algorithm, CLC user ${id}_{a}$ is the sender of the heterogeneous signcryption algorithm, and IBC user ${id}_{b}$ is the receiver. $t \in {0, 1}^{*}$ is the message that needs to be signcrypted. CLC user ${id}_{a}$ uses its own private key $S_{a}$ and the hash value $H ({id}_{b})$ of ${id}_{b}$ to signcrypt. The specific process is as follows:

CLC user ${id}_{a}$ randomly selects $β \leftarrow D_{σ}^{m}$ .

Calculates $φ = H_{1} (A β, H ({id}_{b}))$ , $η = H_{2} (φ, A S_{a}) \oplus t$ , $ω = S_{a} φ + β$ .

Sends $sign = (φ, η, ω)$ as the signcrypted ciphertext with the probability of $(\frac{D_{σ}^{m} (z)}{M D_{σ, S_{a}, h}^{m} (z)}, 1)$ to IBC user ${id}_{b}$ .

4.2.6. CLC-IBC HUSC

After IBC user ${id}_{b}$ receives the signcrypted ciphertext, it uses its own private key $S_{b}$ , the CLC user’s public key ${id}_{a}$ and the hash value $H ({id}_{a})$ of ${id}_{a}$ to get the original message t. The specific process is as follows:

IBC user ${id}_{b}$ calculates $h = H_{1} (A ω - (H ({id}_{a}) + T) φ, A S_{b})$ .

Substitutes the calculated value h, ${id}_{b}$ calculates $t = H_{2} (h, (H ({id}_{a}) + T)) \oplus η$ , and finally gets the original message t.

4.2.7. IBC-CLC HSC

In this algorithm, IBC user ${id}_{b}$ is the sender of the heterogeneous signcryption algorithm, and CLC user ${id}_{a}$ is the receiver. $t \in {0, 1}^{*}$ is the message that needs to be signcrypted. IBC user uses his private key $S_{b}$ , the CLC user’s public key T and the identity hash value $H ({id}_{a})$ for signcryption. The specific process is as follows:

IBC user ${id}_{b}$ randomly selects $β \leftarrow D_{σ}^{m}$ .

Calculates $φ = H_{1} (A β, H ({id}_{a}) + T)$ , $η = H_{2} (φ, A S_{b}) \oplus t$ , $ω = S_{b} φ + β$ .

Sends $sign = (φ, η, ω)$ as the signcrypted ciphertext with the probability of $(\frac{D_{σ}^{m} (z)}{M D_{σ, S_{b}, h}^{m} (z)}, 1)$ to CLC user ${id}_{a}$ .

4.2.8. IBC-CLC HUSC

After CLC user ${id}_{a}$ receives the signcrypted ciphertext, it uses its own private key $S_{a}$ and the hash value $H ({id}_{b})$ of ${id}_{b}$ to get the original message t. The specific process is as follows:

CLC user ${id}_{a}$ calculates $h = H_{1} (A ω - H ({id}_{b}) φ, A S_{a})$ .

Substitutes the calculated value h, ${id}_{a}$ calculates $t = H_{2} (h, (H ({id}_{b})) \oplus η$ , and finally gets the original message t.

5. Correctness analysis

In this section, we present the proof process for the correctness of the lattice-based efficient heterogeneous signcryption scheme.

5.1. CLC-IBC heterogeneous signcryption correctness

When CLC user is the sender of the heterogeneous signcryption algorithm and IBC user is the receiver, after IBC user receives $sign = (φ, η, ω)$ , IBC user can recover $A β$ using the public key T and identity hash value $H ({id}_{a})$ . Referring to the key generation process in Section 4, the relationship between public and private key satisfies $S_{a} = C + D$ , $A D = H ({id}_{a})$ , $A C mod q = T$ , we can get: $\begin{matrix} (4) & \begin{array}{l} A ω - (H ({id}_{a}) + T) φ \\ = A (S_{a} φ + β) - (H ({id}_{a}) + T) φ \\ = A S_{a} φ + A β - H ({id}_{a}) φ - T φ \\ = A β + A (C + D) φ - H ({id}_{a}) φ - T φ \\ = A β \end{array} \end{matrix}$

IBC user ${id}_{b}$ substitutes $A ω - (H ({id}_{a}) + T) φ = A β$ into the formula h, and ${id}_{b}$ can verify h with $A S_{b} = H ({id}_{b})$ : $\begin{matrix} (5) & \begin{matrix} h & = H_{1} (A ω - (H ({id}_{a}) + T) φ, A S_{b}) \\ = H_{1} (A β, A S_{b}) \\ = H_{1} (A β, H ({id}_{b})) \\ = φ \end{matrix} \end{matrix}$

IBC user ${id}_{b}$ substitutes $h = φ$ into the formula $H_{2} (h, (H ({id}_{a}) + T)) \oplus η$ : $\begin{matrix} (6) & \begin{array}{l} H_{2} (h, (H ({id}_{a}) + T)) \oplus η \\ = H_{2} (φ, (H ({id}_{a}) + T)) \oplus η \\ = H_{2} (φ, (A D + A C)) \oplus η \\ = H_{2} (φ, A S_{a}) \oplus H_{2} (φ, A S_{a}) \oplus t \\ = t \end{array} \end{matrix}$

IBC user ${id}_{b}$ recovers the message t through the XOR operation, and the correctness is verified.

5.2. IBC-CLC heterogeneous signcryption correctness

When IBC user ${id}_{b}$ is the sender of the heterogeneous signcryption algorithm and CLC user ${id}_{a}$ is the receiver, after CLC user receives the ciphertext $sign = (φ, η, ω)$ , CLC user can recover $A β$ using the identity hash $H ({id}_{b})$ of ${id}_{b}$ . Referring to the key generation process in Section 4, the relationship satisfies $A S_{b} = H ({id}_{b})$ , we can get: $\begin{matrix} (7) & \begin{array}{l} A ω - H ({id}_{b}) φ \\ = A (S_{b} φ + β) - H ({id}_{b}) φ \\ = A S_{b} φ + A β - H ({id}_{b}) φ \\ = A β \end{array} \end{matrix}$

CLC user ${id}_{a}$ substitutes $A ω - H ({id}_{b}) φ = A β$ into the formula h, and ${id}_{a}$ can verify h with $S_{a} = C + D$ : $\begin{matrix} (8) & \begin{matrix} h & = H_{1} (A ω - H ({id}_{b}) φ, A S_{a}) \\ = H_{1} (A β, A S_{a}) \\ = H_{1} (A β, A (C + D)) \\ = H_{1} (A β, H ({id}_{a}) + T) \\ = φ \end{matrix} \end{matrix}$

CLC user ${id}_{a}$ substitutes $h = φ$ into the formula $H_{2} (h, (H ({id}_{b})) \oplus η$ : $\begin{matrix} (9) & \begin{array}{l} H_{2} (h, H ({id}_{b})) \oplus η \\ = H_{2} (φ, H ({id}_{b})) \oplus η \\ = H_{2} (φ, A S_{b}) \oplus H_{2} (φ, A S_{b}) \oplus t \\ = t \end{array} \end{matrix}$

CLC user ${id}_{a}$ recovers the message t through the XOR operation, and the correctness is verified.

6. Conclusions

A lattice-based efficient heterogeneous signcryption scheme for secure network communications is proposed in this paper. In the scheme, the security key is generated based on the algorithm on lattice, the signcryption ciphertext is generated by the hash function and matrix operation, the encryption of the message is realized by the XOR operation. The scheme realizes the secure bidirectional content transmission of identity-based cryptosystem and certificateless cryptosystem, and also achieves quantum resistance. Compared with other heterogeneous signcryption schemes, the computational complexity of the signcryption process in this paper is lower, and the ciphertext structure is relatively simple. About the future work, we consider extending this scheme to machine learning or the Internet of Things to realize secure network communications between different systems in practical application.

Conflict of interest

The authors declare that there are no conflict of interests.

References

Adat,

Politis,

Tselios,

Galiotos and

Kotsopoulos, On blockchain enhanced secure network coding for 5G deployments, in: 2018 IEEE Global Communications Conference (GLOBECOM), IEEE, 2018, pp. 1–7.

Gentry,

Peikert and

Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008,

Dwork, ed., ACM, 2008, pp. 197–206.

Koripi, A review on secure communications and wireless personalarea networks (WPAN), Wutan Huatan Jisuan Jishu 17 (2021).

Kumar,

Saha,

Alazab and

Kumar , A lightweight signcryption method for perception layer in Internet-of-things, J. Inf. Secur. Appl. 55 (2020), 102662.

Lu,

Wen,

Jin,

Wang and

Yang, A lattice-based signcryption scheme without random oracles, Frontiers Comput. Sci. 8(4) (2014), 667–675. doi:10.1007/s11704-014-3163-1.

Lyubashevsky, Lattice signatures without trapdoors, in: Advances in Cryptology – EUROCRYPT 2012–31st Annual International Conference on the Theory and Applications of Cryptographic Techniques. April 15–19, 2012. Proceedings,

Pointcheval and

Johansson, eds, Lecture Notes in Computer Science, Vol. 7237, Springer, Cambridge, UK, 2012, pp. 738–755. doi:10.1007/978-3-642-29011-4_43.

Maria,

Pandi,

J.D.

Lazarus,

Karuppiah and

M.S.

Christo , BBAAS: Blockchain-based anonymous authentication scheme for providing secure communication in VANETs, Security and Communication Networks 2021 (2021).

Micciancio and

Regev, Worst-case to average-case reductions based on Gaussian measures, SIAM J. Comput. 37(1) (2007), 267–302. doi:10.1137/S0097539705447360.

Peikert, A decade of lattice cryptography, Found. Trends Theor. Comput. Sci. 10(4) (2016), 283–424. doi:10.1561/0400000074.

10.

Regev, On lattices, learning with errors, random linear codes, and cryptography, Journal of the ACM (JACM) 56(6) (2009), 1–40. doi:10.1145/1568318.1568324.

11.

Wang,

M.H.

Fida,

Lian,

Yin,

Q.-V.

Pham,

T.R.

Gadekallu,

Dev and

Su , Secure-enhanced federated learning for ai-empowered electric vehicle energy prediction, IEEE Consumer Electronics Magazine (2021).

12.

Yang and

Li, Heterogeneous signcryption based on NTRU lattice, Computer Applications and Software 3 (2019).

13.

Yu,

Wang and

Zhang, Certificateless anti-quantum ring signcryption for network coding, Knowl. Based Syst. 235 (2022), 107655. doi:10.1016/j.knosys.2021.107655.

14.

Zheng, Digital signcryption or how to achieve cost (signature & encryption) ⩽ cost (signature) + cost (encryption), in: Annual International Cryptology Conference, Springer, 1997, pp. 165–179.

15.

Zhu,

Wang,

Wang and

Cheng, An efficient identity-based proxy signcryption using lattice, Future Gener. Comput. Syst. 117 (2021), 321–327. doi:10.1016/j.future.2020.11.025.