Lattice-Based Linearly Homomorphic Signature Scheme over $\mathbb{F}_2$

In this paper, we design a new lattice-based linearly homomorphic signature scheme over $\mathbb{F}_2$. The existing schemes are all built on the hash-and-sign lattice-based signature framework, in which the preimage sampling function is implemented by Gaussian sampling and the trapdoor basis requires a larger lattice dimension ($m \ge 5n\log q$). Hence, they cannot resist potential side-channel attacks and have larger public key and signature sizes. Under the Fiat–Shamir with aborts signature framework and the weaker dimension condition of the general SIS problem ($m \ge n\log q$), we design our scheme with uniform sampling and filtering. As a result, our scheme has smaller public key and signature sizes than the existing schemes and resists the side-channel attacks that target Gaussian sampling.


Introduction
The idea of the linearly homomorphic signature scheme comes from the routing mechanism of network coding. Specifically, after a signer sends signatures on a number of messages to a router (verifier) in a network that uses network coding, the router can form a random linear combination $\mu$ of the received messages. Using the homomorphic property, the router computes a signature $\sigma$ on $\mu$ and transmits $(\sigma, \mu)$ to the next router, and the process continues for further linear combinations. The final router accepts only properly signed vectors and recovers the original messages by solving a full-rank linear system over $\mathbb{F}_p$. From this application, the definition is easily abstracted. Informally, given $n$-dimensional message vectors $\mu_1, \ldots, \mu_k \in \mathbb{F}_p^n$ with signatures $\sigma_1, \ldots, \sigma_k$, anyone can create a signature for any vector $\mu \in \mathrm{span}(\mu_1, \ldots, \mu_k)$. If, at the same time, no adversary can produce a valid signature for any $\mu' \notin \mathrm{span}(\mu_1, \ldots, \mu_k)$, we say the linearly homomorphic signature scheme is secure. There exist many classical linearly homomorphic signatures [1][2][3][4] based on the hardness of the discrete logarithm or integer factoring problems. However, they have two obvious disadvantages.
First, the parameter $p$ must be large enough for the classical problems to be hard, whereas implementations of network coding are generally given over $\mathbb{F}_2$. Second, as is well known, these schemes cannot resist quantum attacks. Hence, more and more attention is paid to designing post-quantum linearly homomorphic signature schemes over $\mathbb{F}_2$, among which lattice-based schemes are significant.

Lattice-Based Signature Schemes.
The existing lattice-based signature schemes are mostly based on the short integer solution (SIS) problem first introduced in [5]: given $A \in \mathbb{Z}_q^{n\times m}$, find $s \in \mathbb{Z}^m$ with $As = 0 \bmod q$ and $\|s\| \le \beta$. There are two frameworks for constructing lattice-based signature schemes: the hash-and-sign type [6,7] and the Fiat–Shamir type [8][9][10][11]. In hash-and-sign schemes, the signer uses a trapdoor basis to evaluate a preimage sampling function and obtains a signature $\sigma$ satisfying $A\sigma = H(\mu) \bmod q$, where $H$ is a hash function. Fiat–Shamir schemes need no trapdoor and use aborting instead: the candidate signature $z = sc + y$, where $c = H(Ay \bmod q, \mu)$ and $y \leftarrow D_y$ ($D_y$ a Gaussian or uniform distribution), is output only with a certain probability (rejection sampling) or only if its norm lies within a safe range (filtering); otherwise the signer restarts. Gaussian distributions are used in both preimage sampling and rejection sampling, and their implementations cannot resist some side-channel attacks (see [12,13]). Although [14] showed that a near-perfect implementation can resist these attacks, programming errors in such an implementation remain possible.

Lattice-Based Linearly Homomorphic Signature.
The first lattice-based linearly homomorphic signature scheme over $\mathbb{F}_2$ was proposed by Boneh and Freeman [15] in 2011. It is based on the $k$-SIS problem: given $A$ and short vectors $s_1, \ldots, s_k$ with $As_i = 0 \bmod q$, find a short solution $s \notin \mathrm{span}(s_1, \ldots, s_k)$ of $As = 0 \bmod q$. In addition, the specific signing process is . Soon after, Wang et al. proposed an improved scheme [16] based on the general SIS problem, whose public key and signature are smaller than those of [15] because the modulus $2q$ is replaced by $q$. Compared with the signature size $2m + 2m\log q + n$ of [15], the scheme of [16] has the smaller signature size $m\log q + n$.
In fact, both of them are designed on the hash-and-sign lattice-based signature framework [6], in which Gaussian sampling is unavoidable. Meanwhile, generating a trapdoor basis requires the lattice dimension to satisfy $m \ge 5n\log q$ (see [17,18]), which is larger than the $m \ge n\log q$ needed for the SIS problem itself.

Our Contributions.
In this paper, our scheme overcomes the drawbacks of the existing schemes. Specifically, based on the SIS problem, we use the filtering technique of the Fiat–Shamir with aborts framework to design a new linearly homomorphic signature scheme over $\mathbb{F}_2$, with the following advantages: (1) The signature size is smaller than in the existing lattice-based schemes. Our signature is $\sigma = (z, h, \tau)$ and its size is $2m\log q + n$ with $m \ge n\log q$. Since our design does not use trapdoor preimage sampling, this is smaller than the size $m'\log q + n$ of [16] for the same $n$ and $q$, where $m' \ge 5n\log q$. Here, we write the lattice dimension of [16] as $m'$ to make the difference in signature size explicit.
(2) Our scheme can resist side-channel attacks. With the filtering technique, the masking vector $y$ is chosen uniformly at random subject to $\|y\|_\infty \le c$, and $z$ must satisfy $\|z\|_\infty \le c - \beta$; otherwise $z \leftarrow \bot$ (abort). Hence the distribution of the output signature is independent of the secret key, and the scheme resists the side-channel attacks on Gaussian samplers simply because no Gaussian sampling is used.

Organization of the Paper.
We first give two technical notes explaining how our scheme achieves the above advantages in Section 3. Then, we introduce the basic notation and the definitions of linearly homomorphic signatures in Section 4. We present the detailed design and the security proof of our lattice-based linearly homomorphic signature in Section 5 and Section 6, respectively. In Section 7, we present efficiency comparisons. Finally, we give a conclusion and further work in Section 8. Data availability, conflicts of interest, and the funding statement appear in the last three sections, respectively.

Technical Notes
In this part, we describe in detail how we obtain a smaller signature size and how the scheme resists side-channel attacks.

Different Lattice Dimension Assumptions.
As is known, for a given security parameter $n$, the dimension $m$ directly determines the signature size, so we want to reduce it. Fortunately, the Fiat–Shamir signature framework has an advantage here over the hash-and-sign framework, for the following reason.

Definition 1 (the short integer solution problem SIS). Given a uniformly random matrix $A \in \mathbb{Z}_q^{n\times m}$, find a nonzero vector $s \in \mathbb{Z}^m$ such that $As = 0 \bmod q$ and $\|s\| \le \beta$.
To guarantee the hardness (and the existence of a solution) of this problem, the parameters satisfy $\sqrt{m} \le \beta < q$, $m \ge n\log q$, $q \in \mathbb{Z}^+$, and $n \ge 100$. One usually also considers the inhomogeneous version of the SIS problem, which is to find a small solution $s$ of $As = t \bmod q$ for a given target $t \in \mathbb{Z}_q^n$. To design Fiat–Shamir signature schemes, a lattice dimension $m \ge n\log q$ is enough. However, the hash-and-sign type needs $m \ge 5n\log q$ to obtain a trapdoor basis; we recall the existing result below.
Proposition 1 (see [6,17,18]). For any prime $q$ and $m \ge 5n\log q$, there exists a PPT algorithm which, on input $1^n$, outputs $A \in \mathbb{Z}_q^{n\times m}$ statistically close to uniform over $\mathbb{Z}_q^{n\times m}$ together with a full-rank set $S \subset \Lambda^\perp(A)$ with $\|S\| \le m^{2.5}$. This set can then be converted into a good (short) basis of $\Lambda^\perp(A)$.
From the discussion above, the smaller $m$ is, the better for the sizes of the signature and the secret key under the same $n$. Hence, we design a new scheme using the Fiat–Shamir signature framework without a trapdoor basis.

Filtering Technology.
Since the existing lattice-based linearly homomorphic signature schemes are built on the hash-and-sign framework, whose preimage sampling function is implemented by Gaussian sampling, they cannot resist side-channel attacks. Hence, we use the uniform sampling of the Fiat–Shamir framework to generate signatures. The idea of filtering can be traced back to [10,19], and it was formally stated in [20] to design a blind signature scheme. Here, we restate this lemma according to our construction.
Then, the expected number of repetitions of our signing algorithm is $e^{1/\phi}$. Intuitively, a larger $\phi$ is better. However, $\phi$ directly influences the size of $\|a - b\|_\infty$ and thus increases the communication cost. Hence, we can choose this value according to different efficiency requirements, which is a nice advantage in practice. According to [20], $\phi = 4$ is the best choice; then the expected number of repetitions is at most 2, which also holds for our scheme.
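Why the repetition count is $e^{1/\phi}$, as an added derivation that is not part of the paper, under the assumption (taken from the filtering lemma of [20], not stated on this page) that the mask bound is $c = \phi m\beta$ with $\beta \ge \|Sh\|_\infty$. Each coordinate of $y$ is uniform on $[-c, c]$, so each coordinate of $z = y + Sh$ is uniform on an interval of $2c+1$ integers that contains $[-(c-\beta), c-\beta]$; the coordinates are independent, hence

$$\Pr\big[\|z\|_\infty \le c-\beta\big] = \left(\frac{2(c-\beta)+1}{2c+1}\right)^{m} \ge \left(1-\frac{\beta}{c}\right)^{m} = \left(1-\frac{1}{\phi m}\right)^{m} \approx e^{-1/\phi},$$

and the expected number of signing attempts is the reciprocal, about $e^{1/\phi}$. For $\phi = 4$ this gives $e^{1/4} \approx 1.28 \le 2$, matching the bound quoted above.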

Preliminaries
Elements of $R$ (vectors or matrices) are written in bold, $\|y\|$ is the $\ell_2$ norm, and $\|y\|_\infty$ is the $\ell_\infty$ norm. $y \leftarrow D_y$ means that $y$ is chosen at random according to some distribution $D_y$ (uniform or Gaussian). If $y \leftarrow D_c$, then $y$ is sampled uniformly subject to $\|y\|_\infty \le c$. For Gaussian sampling we write $y \leftarrow D_\sigma$, where $\sigma$ is the standard deviation.

Definitions of Linearly Homomorphic Signature
Definition 2. Given a fixed ring $R$, a linearly homomorphic signature scheme over it consists of a tuple of probabilistic polynomial-time algorithms (Setup, Sign, Verify, Combine), described as follows:
(1) Setup($n$, params). A probabilistic algorithm that, on input a security parameter $n$ and other public parameters params, outputs $(pk, sk)$.
(2) Sign($\mu$, $sk$, $\tau$). A probabilistic algorithm that, on input the secret key $sk$, a basis vector $\mu$ of the message set $M$ ($\mu \in M \subset \mathbb{F}_2^n$), and a tag (identifier) $\tau$, outputs a valid signature $\sigma$.
(3) Verify($\mu$, $pk$, $\sigma$, $\tau$). A deterministic algorithm that, on input the tuple $(\mu, pk, \sigma, \tau)$, outputs a bit $b$: $b = 1$ (accept) if $\sigma$ is a valid signature of $\mu$, and $b = 0$ (reject) otherwise.
(4) Combine($pk$, $\tau$, $\{(a_i, \mu_i, \sigma_i)\}_{i=1}^{l}$, $L$). An algorithm that, on input the public key, a tag, and coefficients $a_i$ with signed messages $\mu_i$ and signatures $\sigma_i$, outputs a signature on the linear combination $\sum_{i=1}^{l} a_i \mu_i$.
In general, the security properties of a linearly homomorphic signature scheme are correctness, unforgeability, and privacy. We specify them as follows: (1) Correctness: the outputs of the Sign and Combine algorithms are accepted by the Verify algorithm.
(2) Unforgeability: we describe a game between a challenger $\mathcal{C}$ and a polynomial-time adversary $\mathcal{A}$.
(1) Setup: the challenger $\mathcal{C}$ runs Setup($n$, params) to obtain $(pk, sk)$ and gives $pk$ to the adversary $\mathcal{A}$.
(2) Sign queries: the adversary $\mathcal{A}$ adaptively asks for signatures on $k$-dimensional subspaces $U_i$ of the message space $M$, choosing basis vectors $(\mu_{i1}, \ldots, \mu_{ik})$ for each $U_i$. For each subspace $U_i$, the challenger $\mathcal{C}$ chooses $\tau_i \in \{0,1\}^n$ at random and returns $\tau_i$ together with the $k$ signatures $\sigma_{ij} \leftarrow \mathrm{Sign}(\mu_{ij}, sk, \tau_i)$, $j = 1, \ldots, k$, to $\mathcal{A}$.
(3) Output: the adversary $\mathcal{A}$ outputs a tag $\tau^*$, a nonzero message $U^*$, and a signature $\sigma^*$. The adversary wins the game if $\mathrm{Verify}(U^*, pk, \sigma^*, \tau^*) = 1$ and one of the following two conditions holds: (1) Type 1: $\tau^* \ne \tau_i$ for all $i$. (2) Type 2: $\tau^* = \tau_i$ for some $i$ and $U^* \notin U_i$.

Definition 3.
A linearly homomorphic signature scheme (Setup, Sign, Verify, Combine) is unforgeable if the advantage of the adversary in winning the above game is negligible in the security parameter $n$. That is, $\Pr[\mathrm{Verify}(U^*, pk, \sigma^*, \tau^*) = 1 \text{ and the output is of Type 1 or Type 2}] \le \mathrm{negl}(n)$.
(3) Privacy: a game between a challenger $\mathcal{C}$ and a polynomial-time adversary $\mathcal{A}$ proceeds as follows: (1) Setup: the challenger $\mathcal{C}$ runs Setup($n$, params) to obtain $(pk, sk)$ and gives $pk$ to the adversary $\mathcal{A}$.
(2) Challenge: $\mathcal{A}$ chooses two sets of basis vectors and linear functions $f_i$ and sends them to $\mathcal{C}$.
(3) Response: $\mathcal{C}$ picks a bit $b \in \{0,1\}$ at random, signs the basis vectors of the $b$-th set, computes the signature $\sigma_i$ of the combination $f_i$ with the Combine algorithm, and sends $\sigma_i$ to $\mathcal{A}$.

Security and Communication Networks 3
(4) Outputs: A outputs a guess bit b ′ . If b ′ � b holds, the adversary A succeeds in the game.

Definition 4.
A linearly homomorphic signature scheme (Setup, Sign, Verify, Combine) is private if the advantage of the adversary in the above game is negligible in the security parameter $n$. That is, $|\Pr[b' = b] - 1/2| \le \mathrm{negl}(n)$.

Our Lattice-Based Linearly Homomorphic Signature
Setup. Choose $A \leftarrow \mathbb{Z}_q^{n\times m}$ uniformly at random and a secret matrix $S$ with small entries, and compute $T = AS \bmod q$. The public key is $(T, A)$ and the secret key is $S$. We use a hash function $H: \{0,1\}^* \to \mathbb{Z}_q^m$ and the function $h_\alpha(\mu) = \langle \alpha, \mu \rangle \bmod q$. Obviously, $h_\alpha$ is linear: $h_\alpha(\sum_j a_j \mu_j) = \sum_j a_j h_\alpha(\mu_j) \bmod q$. In particular, we assume $a_i \in \{0,1\}$ in our scheme below.
Sign. Suppose the messages satisfy $\mu \in \mathbb{Z}_2^m$ and choose a basis $\mu_1, \ldots, \mu_m$ of the message space (for the sake of design, we assume it is full-rank). The linear function used is $f(\mu) = \sum_{j=1}^{m} a_j \mu_j$. The signer does the following: (1) choose $y_i \leftarrow_R D_c^m$ ($c < q$) and compute the $m$ vectors $\alpha_i = H(Ay_i \bmod q, \tau)$, $i = 1, \ldots, m$; (2) fixing the index $j$ of the message $\mu_j$, compute $h_{ij} = \langle \alpha_i, \mu_j \rangle \bmod q$ for $i = 1, \ldots, m$ and denote the vector $h_j = (h_{1j}, \ldots, h_{jj}, \ldots, h_{mj})$; (3) compute $z_j = y_j + Sh_j$; if $\|z_j\|_\infty \le c - \beta$, output the signature $(z_j, h_j, \tau)$, otherwise go back to the first step. Here the mask used for $\mu_j$ is the $j$-th vector sampled in step (1), i.e., $y_j = y_i$ with $i = j$.
Combine. Given the public key $A$ and an array $(a_j, \mu_j, z_j, h_j)$ for $j = 1, \ldots, m$, this algorithm outputs the signature $(\sum_{j=1}^{m} a_j z_j, \sum_{j=1}^{m} a_j h_j)$ of the message $\sum_{j=1}^{m} a_j \mu_j$.

Proof of Security
Correctness. Since correctness covers the verification of the outputs of both Sign and Combine, we prove the two cases in turn: (1) The signature from Sign is valid. For each $j$, when the verifier receives the signature $(z_j, h_j, \tau)$, he computes $\alpha_j = H(Az_j - Th_j \bmod q, \tau)$ and checks whether $\langle \alpha_j, \mu_j \rangle \bmod q = h_{jj}$ and $\|z_j\|_\infty \le c - \beta$ hold. Since $Az_j - Th_j = Ay_j + ASh_j - ASh_j = Ay_j \bmod q$, the recomputed $\alpha_j$ equals the one used in signing, and the check passes.
(2) The signature from Combine is valid. Let $H$ be the matrix whose rows are the vectors $\alpha_j$ ($1 \le j \le m$), i.e., $H = (\alpha_1, \alpha_2, \ldots, \alpha_m)^T$; then $h_j = H\mu_j \bmod q$. Since $\alpha_j = H(Ay_j, \tau)$ holds for each $j$, we only need to verify the linearity of $\sum_{j'=1}^{m} a_{j'} h_{jj'}$ and the linear bound on $\sum_{j=1}^{m} a_j z_j$. First, because $h_{jj'} = \langle \alpha_j, \mu_{j'} \rangle \bmod q$ and $\alpha_j = H(Az_j - Th_j \bmod q, \tau)$, we have
$\sum_{j'=1}^{m} a_{j'} h_{jj'} = \langle \alpha_j, \sum_{j'=1}^{m} a_{j'} \mu_{j'} \rangle \bmod q$,
so the combined $h$ is exactly the value the verifier recomputes for the combined message. Next, the bound on the combined $z$ is obviously linear, i.e.,
$\|\sum_{j=1}^{m} a_j z_j\|_\infty \le \sum_{j=1}^{m} a_j \|z_j\|_\infty \le (\sum_{j=1}^{m} a_j)(c - \beta)$.
Hence, as long as this inequality holds, the signature is accepted.

Table 1: Comparison with the existing lattice-based linearly homomorphic signature schemes.
Scheme | Public key size   | Signature size        | Dimension       | Resists side-channel attacks
[15]   | m'n + m'n log q   | 2m' + 2m' log q + n   | m' ≥ 5n log q   | ×
[16]   | m'n log q         | m' log q + n          | m' ≥ 5n log q   | ×
Ours   | mn log q          | 2m log q + n          | m ≥ n log q     | √

Unforgeability
Theorem 1. Our scheme is unforgeable if the lattice problem SIS is hard.
Proof. Suppose the unforgeability game defined above is performed between a challenger $\mathcal{C}$ and a polynomial-time adversary $\mathcal{A}$, and let $q_{H,h}$ and $q_{sig}$ be the numbers of random-oracle and signature queries. Specifically, given the public key $(A, T)$, $\mathcal{A}$ adaptively chooses $m$-dimensional subspaces $U_i$ and a basis $(\mu_{i1}, \ldots, \mu_{im})$ for each $U_i$. To return $m$ signatures to $\mathcal{A}$, the challenger queries the above oracles and outputs $(\sigma_{i1}, \ldots, \sigma_{im})$ for the chosen basis.
Type 2. If $\tau^* = \tau_i$ and $U^* \notin U_i$, the adversary can also be used to solve the SIS problem. In this case the hash value $\alpha_{ij}$ is the same for both signatures: the adversary chooses the message space $U^*$ and one of its basis vectors $\mu_j^* \notin U_i$, and computes $\langle \alpha_{ij}, \mu_j^* \rangle \bmod q$ and $h_j^*$. Since $\alpha_{ij}$ is fixed, the forged signature must satisfy $Az_j^* - Th_j^* = Az_{ij} - Th_{ij} \bmod q$, which gives $A(z_{ij} - z_j^*) = T(h_{ij} - h_j^*) \bmod q$, written as $A\Delta z = T\Delta h$. Because $T = AS$, the reduction (which knows $S$) obtains $A(\Delta z - S\Delta h) = 0 \bmod q$, a short solution of the SIS instance $A$ whenever $\Delta z - S\Delta h \ne 0$.
Since the probability that $\mathrm{Verify}(U^*, pk, \sigma^*, \tau^*) = 1$ for such an output is negligible unless SIS is easy, the adversary cannot forge a valid signature; otherwise he could be used to find a SIS solution. In addition, the hash oracle does not need to be reprogrammed here because the condition $\tau^* = \tau_i$ forces the same oracle input.

Privacy
Theorem 2. Our scheme is private.
Proof. According to the definition of the privacy game, the challenger $\mathcal{C}$ and the adversary $\mathcal{A}$ first complete the setup step. Then, $\mathcal{A}$ chooses two sets of basis vectors at random. The basis vectors are signed, the signature $\sigma_i$ under $f_i$ is computed using the Combine algorithm, and $\sigma_i$ is sent to $\mathcal{A}$.
Finally, the adversary outputs a guess bit $b'$. Next, we show that his success probability in this game is only negligibly better than guessing.

Efficiency Comparisons
In the hash-and-sign schemes [15,16], the signer uses a trapdoor basis to evaluate the preimage sampling function that creates the signature $\sigma$. However, the lattice dimension must satisfy $m \ge 5n\log q$ to obtain a trapdoor basis (see [17,18]), and a larger $m$ results in larger public key and signature sizes.
Our design, which uses the Fiat–Shamir framework without a trapdoor, has smaller public key and signature sizes mainly because $m \ge n\log q$ suffices. Compared with the public key size $m'n\log q \approx 5n^2(\log q)^2$ of [16], our public key size $mn\log q \approx n^2(\log q)^2$ is smaller. In addition, our signature size $2m\log q + n \approx 2n(\log q)^2 + n$ is also smaller than the $m'\log q + n \approx 5n(\log q)^2 + n$ of [16].

Furthermore, the preimage sampling function relies on Gaussian sampling, which cannot resist some side-channel attacks, whereas we use the uniform distribution of the aborting technique to resist such attacks effectively. The detailed comparison is given in Table 1.

Conclusion and Further Work
Conclusion. In this paper, we provide a new lattice-based linearly homomorphic signature scheme over $\mathbb{F}_2$ based on the SIS problem. Since we use the Fiat–Shamir framework instead of the hash-and-sign framework, we do not need to construct a trapdoor basis, and the whole design is simpler than the existing schemes. At the same time, without the trapdoor basis, our scheme has the smallest public key size ($\approx n^2(\log q)^2$) and signature size ($\approx 2n(\log q)^2 + n$) among the existing schemes, because the parameter $m$ satisfies $m \approx n\log q$ rather than $m \approx 5n\log q$. In addition, under the Fiat–Shamir framework, the filtering technique with uniform sampling resists the side-channel attacks that target Gaussian samplers.

Further Work.
Decreasing interaction and storage costs is the main direction of our future work. New compression techniques and smaller parameters $m$ and $n$ would improve efficiency. Since our scheme can be instantiated over R-SIS directly, we do not give a separate ring-based scheme. That is, if each element is chosen from the ring $R = \mathbb{Z}[x]/(f(x))$ or $R_q = \mathbb{Z}_q[x]/(f(x))$, where $f(x) = x^n + 1$, $n$ is a power of 2, and $q$ is prime, then the parameter $m$ only needs to satisfy $m \approx \log q$ rather than $m \approx n\log q$ as for SIS, which improves efficiency.
Specifically, we focus on [9], which also uses the filtering technique (uniform distribution) together with special compression methods. Meanwhile, the module-lattice form brings an advantage for the parameters $m$ and $n$, which can be 1/4 of the existing settings. In addition, this form can be specialized to the hard problem over rings (R-SIS) and to the general problem (SIS) by setting the relevant parameters.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.