An Efficient Homomorphic Aggregate Signature Scheme Based on Lattice

Homomorphic aggregate signature (HAS) is a linearly homomorphic signature (LHS) for multiple users, which can be applied for a variety of purposes, such as multi-source network coding and sensor data aggregation. In order to design an efficient postquantum secure HAS scheme, we borrow the idea of the lattice-based LHS scheme over binary field in the single-user case, and develop it into a new lattice-based HAS scheme in this paper. The security of the proposed scheme is proved by showing a reduction to the single-user case and the signature length remains invariant. Compared with the existing lattice-based homomorphic aggregate signature scheme, our new scheme enjoys shorter signature length and high efficiency.


Introduction
The homomorphic signature, proposed originally by Johnson et al. [1], is an important cryptographic primitive commonly used to secure computation.In a linear homomorphic signature scheme, a user generates a set of signatures on the corresponding messages in an information subspace.When the collection of messages is operated by a linear function which generates a new message belonging to the same information subspace, any other user, who does not know the signing private key, can produce a valid signature on this result of the linear function.
The linear homomorphic signature has been the subject of many researches in terms of its definitions, security model, and privacy property.The homomorphic property of signature scheme, proposed by Boneh et al. in [2], was viewed as signing a subspace and instantiated based on the bilinear maps over large prime fields in the random model.Later on, Gennaro et al. [3] showed the efficient homomorphic signature based on RSA over integers in the random model too.In the standard model, Freeman [4] defined a generic framework of linearly homomorphic signatures, in which three ordinary signature schemes having certain properties could be converted into linearly homomorphic signature schemes.More importantly, the framework provides enhanced security in the standard model under the computational Diffie-Hellman assumption, the qstrong Diffie-Hellman assumption, and the RSA assumption, respectively.Recently, the breakthrough has been achieved by Bohen and Freeman [5,6].Their works give an example of linearly homomorphic signature built using the lattice assumption over binary field [5], while they also show that a homomorphic signature supporting authenticated polynomial functions on signed data can be constructed by using "ideal lattice" in the random model [6].Follow-up work by Wang et al. [7] implements an efficient lattice-based linearly homomorphic signature scheme using an additive homomorphic hash function over  2 , in which both the public key size and signature length are shorter.In addition, for the privacy of homomorphic signature, a notion of the so-called "weakly context hiding" is defined in [5], which requires the derived signature not to leak any information about the original messages provided that the original signatures are kept private.For attaining the stronger privacy notion, Ahn et al. [8] defines the concept of "strong context hiding, " which requires the infeasibility of linking the derived signature to 2 Mathematical Problems in Engineering the signatures it was derived from even in the condition that the original signatures are public.After that, Attrapadung et al. [9,10] proposed a new definition of privacy, called "adaptively context hiding, " which requires context hiding on adversarially chosen signature with private key exposure.In other words, if a linearly homomorphic signature scheme guarantees unlinkability even when the original signatures are produced by illegitimate signing algorithm, this scheme holds the privacy of adaptively context hiding.
The linearly homomorphic signature can be used for many purposes, such as authenticating packets in network coding protocols and computing statistics on authenticated data.In particular for the secure network coding, it is the most effective cryptographic tool to prevent "pollution attack." Most of the above-mentioned linearly homomorphic signature schemes can be applied to prevent the pollution attack by the malicious node.
Here we want to point out that all of the above-mentioned authentication schemes could only be applicable to the case of single user or single source network coding system.Usually, in real world some applications involve many signatures on messages produced by many different users or sources.For example, in the multi-source network coding system [11,12], packets from multiple different sources are needed to be linearly combined so as to exploit the benefits provided by network coding.For such multi-source network coding in an adversary situation, Agrawal et al. [13] constructed a complex scheme against pollution attack in the general case, in which a merged algorithm is used to generate several public keys and signatures in the mediate nodes.In order to find more efficient and practical solutions, the follow-up works [14][15][16] all considered the specific case where only the packets (or messages) that have the same identifier are combined together.Czap and Vajda's work [14] is obtained from the pairingbased homomorphic signature scheme proposed in [2], while Yan et al. [15] proposed an elegant homomorphic signature scheme based on the bilinear pairings and obtained a shorter homomorphic signature by using a novel homomorphic hash function.Recently, Zhang et al. [16] introduced aggregation property into homomorphic signature for multiple users case and formed a homomorphic aggregation signature scheme (HAS) by using preimage sampling function and Bonsai tree technique over random lattice.
However, these authentication schemes designed for multiuser case (or multi-source case) all have their own flaws.As is shown from the above, the unforgeability of both [14,15] is based on CDH (computational Diffie-Hellman problem) in the bilinear group.As a result, these schemes involve a large number of point multiplication on elliptic curve.If a homomorphic signature scheme for multi-source can be used in network coding, it is necessary that this scheme should support the linearly homomorphic operations over binary field, just like that in [5,7] for the single source.In addition, we need to emphasize that their security based on classical number theoretic problem is threatened by the power of quantum computers.As for the HAS proposed in [16], although its security is based on the hard assumption over lattice which is considered infeasible even under the quantum computer, the length of the aggregate signature is two times that of each original signature.We know the larger the length of the signature, the higher overhead of verification.Hence, it is significant to construct an efficient postquantum linearly homomorphic signature scheme for the multiple users case.
In this paper, we propose a short latticed-based linearly homomorphic aggregate signature scheme over binary field after optimizing our initial scheme in the multiple users case.Our scheme is an extension of the lattice-based linearly homomorphic signature scheme over  2 in [7].Each user, in our scheme, signs the original messages using their own private key, and the aggregate signature on aggregate message which is the combination of original messages from different users can be generated just by using the combination of original signatures without knowing any user's private key.In this way, these valid aggregate messages can be authenticated using a common public key formed by all the users' public keys.We point out that the common public key is independent of the signed message space, which means our signature scheme still supports signature on multiple message subspaces (or files) without updating the public keys.Compared to the HAS in [16], the length of aggregate signature in our scheme is as short as that of original signatures, which is only half the length of aggregate signature proposed in [16].More importantly, this length of aggregate signature is independent of the number of the signing users.In addition, we also prove that the security of our solution can be reduced to that of the latticed-based LHS scheme in the single user case in [7].
The rest of this paper is organized as follows.In Section 2, we introduce the background about lattice and briefly overview the model of linearly homomorphic signature based on lattice over binary field in [7].Our HAS scheme is described in detail in Section 3, including the general model definition, the initial scheme, and optimization.Section 4 proves the security of the presented scheme, and Section 5 is the analysis of the efficiency.Finally, in Section 6, we summarize this paper.

Preliminaries
2.1.Notation.We use Z and R to denote the set of integers and the set of real numbers, respectively.For any integer , let Z  denote the ring of integer mod .By convention, we use bold lower case letters for vectors (e.g., a) and bold upper case letters for matrix (e.g., A).The member of vector is denoted by lowercase (e.g.,   ), while the th column of a matrix is denoted by a  .For a positive integer , [] denotes {1, . . ., }.In this paper, let A denote the Gram-Schmidt orthogonalization of matrix A. The Euclidean norm of a vector is considered as its length (e.g., ‖a‖), and the length of a matrix is the norm of its longest column vector (e.g., ‖A‖ = max ‖a  ‖).In addition, the function negl() is negligible in  if it is smaller than all polynomial fractions for larger .

Random Lattice and Hard Assumption.
Let B = {b 1 , . . ., b  } ⊂ R  be a set of  linearly independent vectors; then, the lattice Λ generated by the basis B is Λ = {B ⋅ x : x ∈ Z  } ⊂ R  .In the cryptography based on lattice, we always focus on the integer lattice where the lattice points are contained in Z  .For some integer  ≥ 2, , , let A ∈ Z ×  be a random matrix.Then, the two kinds of full rank random lattice defined by A are used in this paper.Their specific definitions are as follows: In fact, the lattice where A ⋅ t = u mod .In addition, it is noted that the variable  is the security parameter as the prior works defined, and the other variables are the functions of .Typically,  is  ( log ) and the modulus  is some small polynomial, for example, ( 3 ).
Hard Assumption.The security of lattice-based LHS schemes [5,7] is all based on the hardness assumption of the short integer solution (SIS) problem over the lattice Λ ⊥  (A).The definition of SIS problem is as follows.
Definition 1.Given positive integers , ,  and a real , for a random matrix A ∈ Z ×  , the goal of SIS (, , ) is to find a nonzero vector k ∈ Λ ⊥  (A) such that ‖k‖ ≤ .
In [17], it has been proven that solving SIS problem on the average is as hard as approximating certain lattice problems in the worst case, such as SIVP problem (shortest independent vectors problem).

Gaussian Distribution on Lattices. Gaussian distribution
technique is widely used in the analysis of the results in the area of lattice-based cryptography.Here, we briefly review some important conclusion from previous works [5,15,16], which will be used to analyze our scheme.
Discrete Gaussian Distribution.For the parameter  > 0 and any vector c ∈ R  , the probability density function of Gaussian distribution  ,c on R  centered at c is defined as  ,c = exp(−‖x − c‖ 2 / 2 ).For the -dimensional lattice Λ, the discrete Gaussian distribution over Λ is a conditional probability distribution with center c and parameter , which is defined as  Λ,,c (x) =  ,c (x)/ ∑ k∈Λ  ,c (k), where x ∈ Λ. Micciancio and Regev [17] introduced the notion of "smoothing parameter" of lattice and showed that if the parameter  is greater than the smoothing parameter, then the discrete distribution  Λ,,c is statically close to the continuous distribution  ,c .In particular, Ρ x∼ Λ,,c {‖x − c‖ > √} ≤ negl().
Sampling from Discrete Gaussian.Gentry et al. [18] gave a new bound on the smoothing parameter relative to a certain lattice quality and showed algorithm for sampling from discrete Gaussian distribution which was commonly used in signature scheme [5,7,16,19].In addition, Boneh and Freeman in [5] showed that the sum of independent discrete Gaussian variables still remains discrete Gaussian distribution.Some relevant facts are listed as follows.
Lemma 2 (see [18,Theorem 4.1]).Given a basis T of any dimension lattice Λ, a parameter  > ‖T‖ ⋅ (√log ), and a center c ∈ R  , there is a PPT (probabilistic polynomialtime) algorithm that outputs a sample from a distribution that is statically close to  Λ,,c .Lemma 3 (see [18,Theorem 5.6]).Let  be a positive integer,  ≥ 2, and  > 2 log().For a matrix A ∈ Z ×  , let T be a basis of Λ ⊥  (A) and  > ‖T‖ ⋅ (√log ); then, one has the following.
(1) For any t ∈ Z  , there is a probability polynomial-time algorithm SamplePre (A, T, , t) that outputs a sample t  from a distribution that is statically close to  Λ t  (A),. .In particular, the vector t  satisfies ‖t  ‖ ≤ √ with overwhelming probability.
(2) For any t ∼  Z  ,,0 , the distribution of syndrome u = A ⋅ t mod  is statically close to uniform over Z   .

Short Basis of Lattice.
In cryptography based on lattice, a short basis of a lattice can be considered a trapdoor basis which was used as private key in cryptographic application.
For the lattice Λ ⊥  (A), its short basis T can be generated using the TrapGen algorithm proposed by Alwen and Peikert in [20].In addition, the common public key used to sign in our initial HAS scheme consists of the public keys of multiple users in the form of A = A 1 ‖ ⋅ ⋅ ⋅ ‖A  , where  is the number of the signing users.To derive a new short basis of the highdimension lattice Λ ⊥ (A) ⊂ Z   , some lemmas about the basis delegation mechanism proposed by Cash et al. in [21] will be employed.All of them are listed below.(2) (see [20,Lemma 3.3]) there is a probabilistic polynomial-time algorithm (T, ) that outputs another basis T  of the lattice Λ ⊥  (A), which is statically independent of the original basis T and is still short.

Linearly Homomorphic Signature Scheme (LHS) Based
on Lattice over  2 .Our homomorphic aggregate signature scheme is an extension of an efficient linearly homomorphic signature scheme proposed by Wang et al. in the single user case [7], which makes improvement on the scheme of Boneh and Freeman [5].At present, lattice-based LHS over  2 is called -limited, which means we can only guarantee successful verification for combination of a finite number of valid signatures where  is the maximal number.Here, we briefly describe the LHS1 as follows, and the details about lattice-based LHS over binary field can be referred to [5,7].
Homomorphic Hash ℎ  Based-on Lattice.Lyubashevsky and Micciancio in [22] defined a secure hash function based on the approximate SVP (short vector problem) of lattice, which was used in [5].This hash function family maps Z   to Z  in the way of inner product and holds homomorphic property.Specifically, given that vectors , k 1 , k 2 belonged to Z   with vector  fixed, the hash function ℎ  = ⟨, k  ⟩ ( is 1 or 2) satisfies linearly homomorphic conditions.Namely, it holds Wang's Signature Scheme.The Wang's lattice-based LHS scheme [7], which will be called LHS1, consists of four polynomial-time algorithms proposed as follows.
WSetup.Let the parameters (, , , ) be the same as those in Lemma 5. Given that  be a collision-resistant hash function which maps (0, 1) * to Z   and letting the coefficients  of the linearly function belong to  2 , the signer runs (1  ) algorithm to produce the pair of public key and private key WSign.To sign a subspace  id of the message space {0, 1}  , where id ∈ {0, 1}  is a identifier of , given the fact that the set of vectors {k 1 , . . ., k  } is the basis of , the signer does as follows to sign a basis vector k ∈[] .
(2) Compute the hash value of k  through homomorphic hash function ℎ  , and denote it as a column vector (3) Use the (A, T, , h  ) algorithm in Lemma 3 to attain a signature s  of the hash value h  , and the linearly homomorphic signature on k  can be denoted by (id, s  ).
WVerify.Let  be the maximal number of signatures that can be combined.To verify the linearly homomorphic signature of the message k  , the verifier firstly computes the hash value h  of k  just as steps (1) and (2) in Sign do and then outputs 1 (accept) if and only if the conditions hold, such as A ⋅ s  = h  mod  and ‖e  ‖ ≤ √, or outputs 0 (reject).
For the linearly homomorphic signature in adversary situation, there is two types of forgeability.For example, an output (id * , k * , s * ) produced by an adversary can be accepted by Verify algorithm where either (1) id * ̸ = id or (2) id * = id, but k * ∉  id .Theorem 2 in [7] shows that LHS1 is unforgeable against these types of adversaries in oracle model.
Lemma 7 (see [7,Theorem 2]).If an stateful adversary without knowing the signing private can output any kind of the above forgery with the probability , the SIS problem can be solved by a challenger with a probability 2.

Homomorphic Aggregate Signature Based on Lattice
For the most general setting of multiuser, Agrawal et al. in [13] have shown that it is difficult to find efficient solutions to homomorphic signature.In this paper, we deal with the specific case, the same one considered in [11][12][13], where only the messages tagged the same identifier are combined together.In addition, our signature scheme requires that a trusted private key generator (PKG) is available, which makes it possible that all users have their own public-private key pairs.In the HAS, assuming id ∈ {0, 1}  is a unique identifier of messages subspace, for a message k  from the subspace  id , the signed message is a tuple of (id, k  , s  ), where s  is the signature of k  from the th user using his (or her) own private key.So, the aggregate message is gained through linearly combination of different messages tagged the same id from distinct users.Now, we present the system model of HAS and give a detailed structure of our signature scheme.

Definition of HAS.
The presented system definition of lattice-based HAS is a variant of that of linearly homomorphic signature in [5].Compared with the model of single-user homomorphic signature [5,7], the Setup and Verify parts of HAS system need to define some new properties and additional operators, while the Sign part does not change.Formally, the definition of HAS is a tuple of polynomial-time algorithms (,    , ,   ), which is as follows.
(1  , ).This probabilistic algorithm takes as input the security parameter 1  and the maximum number of users  and outputs the public-private pair (  ,   ) for each user (0 <  ≤ ) and the common public key  shared with everyone.
(, m  ,   ).For the th user, this probabilistic algorithm takes as input a message m  of subspace  id and the private key   , and outputs the signature s  on message m  .
(, a, {(m  , s  )}  =1 ).Given the combination coefficient vector a and  ( ≤ ) pairs of message sharing the same id and the corresponding signature, output the aggregate signature s on the aggregate message ∑  =1   m  .
(, ∑  =1   m  , s).This is a deterministic algorithm.Given an identifier id, the common public key , the aggregate message ∑  =1   m  , and the corresponding signature s, output either 1 (accept) or 0 (reject).
In terms of the correctness and security for the homomorphic aggregate signature scheme, it should have not only the characteristics of general linearly homomorphic signature in case of one user, but also some features of its own in multiuser case.On the one hand, assume that each user is honest, the verification should be able to accept the valid signed message from each user, while a forged signed message must be rejected, which is the same as in the case of the single user.On the other hand, given a series of valid signed message (id, m  ,   ), where  ∈ [], a new valid signed message denoted by (id, ∑  =1   m  , s) can be produced without having access to any private key.

Our Scheme.
According to the definition of HAS, we show how to extend the homomorphic signature scheme LHS1 described in Section 2.5 to handle multiuser case.Our initial HAS scheme is as follows.
(1  , ).Given a security parameter  and the maximum number of users , the PKG initializes the scheme from four aspects.
(2) For  users, (1  ) algorithm is repeatedly run  times to generate matrix A  ∈ Z ×  and the corresponding trapdoor basis T  of Λ ⊥  (A  ), where 0 <  ≤ .
(3) Let  : {0, 1} * → Z   be a collision-resistant hash function which is viewed as a random oracle, and let ℎ be a lattice-based homomorphic hash function described in Section 2.5.(4) The pair of {A  , T  } is assigned to the corresponding user   as the user's private key and public key, respectively.Let be the common public key and publish it to all the users.Of course, it is required that delivering the private key should be done secretly.(, m  , T  ).For the th user, given the common signing key A 0 , private key T  , and one of basis vectors of message subspace  id , for example, m  ∈  id ⊂ Z  2 where id ∈ {0, 1}  , the signature on message m  is produced as follows.
(1) To obtain the short basis of Λ ⊥ (A 0 ) ⊂ Z  , the algorithm (T  , A 0 ) in Lemma 6 is run to get S  such that ‖S  ‖ = ‖T  ‖. (2) Use the homomorphic hash function to produce the hash value h  ∈ Z   of the message m  , as is done in the WSign of LHS1.
(3) Output the signature e  ∈ Z   on the hash value by using algorithm (A 0 , S  , , h  ).(, A 0 , {(  , m  , e  )}  =1 ).Given a common public key A 0 and the  ≤  messages tagged the same id from the corresponding users, output an aggregate signature ∑  =1   ⋅ e  on the combined message ∑  =1   ⋅ m  , where   ∈ {0, 1}.
(, A 0 , m  = ∑  =1   m  , e  = ∑  =1   e  ).Given a common public key A 0 , an identifier id, an aggregate message m agg , and the corresponding signature e agg , do the following.
(1) Compute the hash value h agg of m agg using the homomorphic hash function just like the step (2) of Sign does.
(3) Output 1 (accept) if and only if the above two conditions hold.Otherwise, output 0 (reject).

Correctness.
First of all, we show the correctness of the proposed HAS scheme provided that the related functions are all computed successfully, such as homomorphic hash function ℎ  , preimage sampling function, and collisionresistant hash function .
We know that m agg = ∑  =1   m  , e agg = ∑  =1   e  , and  , where   ∈ {0, 1}, 0 <  ≤  ≤ , 0 <  ≤  and the vector  , = (id‖).Since the messages combined are tagged the same identifier, the vectors  ∈[],∈[] originated from (id‖) are the same for each user.Thus, we can directly use ℎ  (m  ) to represent the hash value of m  in order to simplify the notations.Then Hence, the condition one in the progress of Verify holds, while (2) holds because of the homomorphic property of function ℎ  .Furthermore, since each signature e  on massage is obtained by preimage sampling algorithm (A 0 , S  , , h  ), the length of e  denoted by the Euclidean norm is not larger than  √ .Thus, the upper length bound of aggregate signature is as follow: where   ∈ {0, 1} and the first inequality over (3) holds by the triangle inequality theorem.It is inferred from the above analysis that the signature e agg on message ∑  =1   m  can be verified and can satisfy the requirement of correctness of aggregate signature model defined in Section 2.1.

Optimization.
The aggregated signature (id, m agg , e agg ) of the proposed HAS scheme is accepted by Verify algorithm and confirms to the definition of HAS.However, compared with the signature of single user scheme in [7], it is easy to observe that, in our scheme, the length of each signature on message grows linearly with the number of users.The cause for this problem is that the dimension of random lattice used to sign in our multiuser scheme increases with the number of users, which can be clearly seen from the common public key A 0 ∈ Z ×  .Obviously, the larger the common public key size, the longer the length of aggregate signature and the larger communication cost.Through the observation of the entire HAS scheme, it is clear that the common public key A 0 is shared by each user.In order to reduce the common public key size, the algorithm  in Lemma 6 is introduced to our signature scheme, which could generate several different short bases through an arbitrary basis of a lattice.So, we can optimize the proposed HAS scheme from the following aspects.
In the (1  , ) phase, while the parameters are consistent with those of the initial scheme, we firstly use (1  ) algorithm only once to get a matrix A ∈ Z ×  and a short basis T 1 of lattice Λ ⊥ (A) ∈ Z   , and then, call (T 1 , ) algorithm repeatedly to generate  − 1 independent short basis T  (2 ≤  < ) of lattice Λ ⊥ (A).Therefore, let the vectors T  (1 ≤  < ) be user's private key, respectively, and let A be the common public key shared by everyone, just like the way in [16].In (id, m  , T  ), we can directly take preimage sampling algorithm (A, T  , , ℎ  (m  )) to get the signature e  ∈ Z   on the hash value of m  denoted by ℎ  (m  ), where ℎ  (m  ) is obtained as done in the initial scheme.It should be noted that each user should use his private key in the signing progress.As for the Combine and Verify, the operation of both sections is almost unchanged except that one of verification conditions becomes ‖e agg ‖ ≤ √.
It can be proved that the optimized solution meets the correctness of homomorphic aggregate signature model, just like the way of proving in the initial HAS scheme.More importantly, the optimization reduces the size of the common public key and signature to as short as the sizes of those in the single user scheme LHS1.

Security Analysis
For the security of linearly homomorphic signature (LHS), two aspects, including unforgeability and privacy, are generally considered in solutions [4].Clearly, this consideration also can apply to the security of linearly homomorphic aggregate signature scheme (HAS).In this section, we focus on the security of LHS scheme.
To prove the unforgeability and privacy of the proposed signature scheme, a reduction to the case of the single user is shown [7].Obviously, if the number of users equals one ( = 1), our (optimized) scheme is almost identical to LHS1 scheme.Next, we discuss unforgeability and privacy of the proposed HAS scheme in the multiuser case.
4.1.Unforgeability.Assuming that no polynomial-time algorithm can solve SIS problem in the average case, Lemma 7 proves that in LHS1 the advantage in winning the unforgeability game is negligible.Based on this result, it is able to prove computational security from a reduction of our HAS signature scheme to LHS1 and get the following theorem.
Theorem 8.The presented HAS scheme is unforgeable, if the lattice-based linearly homomorphic signature scheme LHS1 in [7] is unforgeable.
Proof.With the usual method of reduction, assuming there is a polynomial-time algorithm  * to generate a forged signed aggregate message in HAS, an efficient algorithm  is able to be constructed to produce a forged signed message for LHS1 in polynomial time.
The algorithm  * takes as input the tuple of public parameters, the common signing key shared by all users, and the set of corresponding signed messages in the subspace  id from  ≤  users.The signed message from the th user is denoted by (id, m  , s  ), where id is the valid identifier for message subspace.The output of algorithm  * , denoted by (id * ,  * , y * , s * ), can be accepted by the Verify algorithm of the presented homomorphic aggregated signature, where  * ∈   2 is the aggregate coefficient vector.However, this is a forged signed aggregate message, in which either id * ̸ = id or id * = id and y * ̸ = ∑  =1  *  m  for y * ̸ = 0. We assume that the challenger takes the system parameters (, , , , , ) and the key-pair (A, T) to employ  * algorithm, where T is a short vector of lattice Λ ⊥ (A) ∈ Z   and  is the dimension of the subspace  id .Thus, the construction of algorithm  by challenger is as follows.
(1) Construct a homomorphic aggregated signature scheme (HAS) with  users.First of all, the challenger extends the WSetup of LHS1 to generate the  keypairs (A, T ∈[] ) for users.Specifically, let matrix A be the common public key shared by users, and the corresponding private key T  of the th user is the output of the algorithm (T, ), which run repeatedly  times.Then, for message subspace  id , assume that challenger keeps several answers from the random oracle  and is stored in a list (e.g., 1), which is just like what the - does in LHS1.As a result, each element  id of 1 is a tuple (id, {(e  , u  )}  =1 ) where e  ∼  Z  ,,0 is directly sampled from the discrete Gaussian distribution  Z  for Gaussian parameter , and u  = Ae  mod  is statically close to uniform distribution according to Lemma 3, which could be considered as the basis vectors of  id .Thereby, a signature s  on message u  from the th user can be produced by calling the algorithm (A, T  , u  ).
(2) Call algorithm  * , which takes on inputs the system parameters and  signed messages (id, k  , s  ).The output of  * is a forged signed message (id * ,  * , y * , s * ) in the HAS scheme, where  * ∈   2 is the aggregate coefficient vector and s * is the aggregate signature on the aggregate message y * = ∑  =1 u *  .It is worth noting that the vectors u *  ∈ Z   eventually exist, though they are not known and may not be unique.
(3) The algorithm  outputs the signed message (id * ,  * , y * , s * * ) where s * * = s * .Now, we analyze the reduction and show that the output of  is a forged signed message in LHS1.Firstly, it should be determined whether the output of  can be accepted by LHS1.Since the output of A * passes the verification of the homomorphic aggregate signature (HAS) scheme, we can know As * = y * (mod ) and ‖s * ‖ ≤ √.According to this result, it is easy to obtain that it can pass the verification in LSH1 because the parameters used to verify in both schemes are the same, for example, the matrix A and .On the other hand, the output of  is a forged signed message in LHS1 if and only if either id * ̸ = id or id * = id and y * ̸ = ∑  =1  *  m  for y * ̸ = 0. Since the signed message (id * ,  * , y * , s * ) is a forged signed aggregate message, this means that the condition above is satisfied.Consequently, this signed message (id * , y * , s * * ) is a forged signed message in LHS1, and Theorem 8 is proved.

Privacy.
In order to prove the privacy of this presented signature scheme, we introduce the "weakly context hiding" of the linearly homomorphic aggregate signature, which is adapted from [5] in the case of single user.The "weakly context hiding" property of the linearly homomorphic signature means the signature on the derived message in some message subspace spanned by {k 1 , . . ., k  } does not disclose any information about the original messages {k 1 , . . ., k  }.However, the linear function to combine the messages k  is not hidden while the original signatures on these messages are kept private, which is why it is called "weakly context hiding." According to the definition of the linearly homomorphic aggregate signature, we know that this property also applies to our scheme in the case of multiuser, which is shown through proving Theorem 9.
Theorem 9.The proposed linearly homomorphic aggregate signature scheme has the "weakly context hiding" property.
Proof.Suppose that there are  ≤  users who are assigned the corresponding private key T ∈[] by running the  of the proposed signature scheme.In the proposed signature scheme, the th user employs the algorithm  to sign original message m  , and the aggregate signature s agg on message ∑  =1   m  is generated through combining the original signatures s  of the corresponding messages m  , where each message combined should be tagged the same id and   ∈ {0, 1}.According to Lemma 3 about the distribution of original signatures, despite coming from different users, we know they are all statically close to the Gaussian distribution, for example, s  ∼  t  +Λ ⊥ (A),,0 , where t  ∈ Z  is an arbitrary solution to At  = ℎ  (m  ) mod  and the definitions of remaining variables are the same as those in the Sign part of proposed scheme.Hence, by knowledge of Lemma 4, the distribution of the aggregate signature s agg = ∑     ⋅ s  (mod ) on the aggregate message ∑  =1   m  is statically close to Gaussian distribution, for example, s agg ∼  t+Λ,‖c‖,0 , where t = ∑  =1   ⋅ t  and   ∈ {0, 1}.Formally, the distribution of signature on aggregate message only depends on the linear function that was used to compute m agg rather than on each original message m  .Thus, it follows that the aggregate signature does not leak any of the original message except for the aggregate message itself, and Theorem 9 above is true.

Efficiency
In order to analyze the performance, we compare the proposed signatures scheme with previous lattice-based linearly homomorphic signature schemes [5,7,16] in terms of public key size, signature length, signing cost, verifying overhead, and multiuser supporting, respectively.
Let  ps denote the time cost to run once  algorithm and let  bs denote the time cost to run once  algorithm.Since these two algorithms commonly used in lattice-based signature scheme take up most of the time cost throughout the whole signature process,  ps and  bs could be the main indicators in comparison of signing cost.However, the verifying part of schemes mainly involves simple addition and multiplication operations over the modulo, so we use space overhead as the indicator in comparison of the verifying cost.In addition, in the comparison of signature length, for example, (id, s), the length of id can be ignored because this length is the same for each scheme.
Table 1 shows that Wang's scheme [7] is more efficient than Boneh's scheme [5] in the case of single user.In the case of multiple users, our scheme displays the same efficiency as Wang's in the single user case.Compared with our scheme, the length of signature in Zhang's scheme [16] is twice that of our scheme, and its verifying cost is four times.

Conclusions
In this paper, we propose a novel lattice-based HAS scheme with short signature, which is an extension of LHS scheme based on lattice over binary field in the single user case [7].Our scheme holds both homomorphic property and aggregate property, in which a signed aggregate message can be verified by using the combination of signatures of the original messages and the common public key derived from the public keys of the corresponding users.We prove its security through decreasing to the single user case.At the same time, the "weakly context hiding" property holds in the proposed scheme.Furthermore, it is more practical than the Zhang's HAS scheme [16].However, there is still much work to be done in order to improve the capability of the scheme, such as how to design a variant of the scheme with "strong context hiding" property and how to take advantage of "ideal lattice" to decrease the public key size.