Abstract

Homomorphic aggregate signature (HAS) is a linearly homomorphic signature (LHS) for multiple users, which can be applied for a variety of purposes, such as multi-source network coding and sensor data aggregation. In order to design an efficient postquantum secure HAS scheme, we borrow the idea of the lattice-based LHS scheme over the binary field in the single-user case and develop it into a new lattice-based HAS scheme in this paper. The security of the proposed scheme is proved by a reduction to the single-user case, and the signature length remains invariant. Compared with the existing lattice-based homomorphic aggregate signature scheme, our new scheme enjoys a shorter signature length and higher efficiency.

1. Introduction

The homomorphic signature, proposed originally by Johnson et al. [1], is an important cryptographic primitive commonly used to secure computation. In a linearly homomorphic signature scheme, a user generates a set of signatures on the corresponding messages in an information subspace. When a linear function is applied to the collection of messages and produces a new message belonging to the same information subspace, any other user, who does not know the signing private key, can produce a valid signature on the result of that linear function.

The linearly homomorphic signature has been the subject of much research in terms of its definitions, security model, and privacy property. The homomorphic property of a signature scheme, proposed by Boneh et al. in [2], was viewed as signing a subspace and instantiated using bilinear maps over large prime fields in the random oracle model. Later on, Gennaro et al. [3] gave an efficient homomorphic signature based on RSA over the integers, also in the random oracle model. In the standard model, Freeman [4] defined a generic framework of linearly homomorphic signatures, in which three ordinary signature schemes having certain properties could be converted into linearly homomorphic signature schemes. More importantly, the framework provides enhanced security in the standard model under the computational Diffie-Hellman assumption, the q-strong Diffie-Hellman assumption, and the RSA assumption, respectively. Recently, a breakthrough has been achieved by Boneh and Freeman [5, 6]. Their work gives an example of a linearly homomorphic signature built on a lattice assumption over the binary field [5], and they also show that a homomorphic signature supporting authenticated polynomial functions on signed data can be constructed using "ideal lattices" in the random oracle model [6]. Follow-up work by Wang et al. [7] implements an efficient lattice-based linearly homomorphic signature scheme using an additive homomorphic hash function over , in which both the public key size and the signature length are shorter. In addition, for the privacy of homomorphic signatures, the notion of "weakly context hiding" is defined in [5], which requires that the derived signature not leak any information about the original messages provided that the original signatures are kept private. To attain a stronger privacy notion, Ahn et al. [8] define the concept of "strong context hiding," which requires that it be infeasible to link the derived signature to the signatures it was derived from even when the original signatures are public. After that, Attrapadung et al. [9, 10] proposed a new definition of privacy, called "adaptively context hiding," which requires context hiding on adversarially chosen signatures with private key exposure. In other words, if a linearly homomorphic signature scheme guarantees unlinkability even when the original signatures are produced by an illegitimate signing algorithm, the scheme has the privacy property of adaptively context hiding.

The linearly homomorphic signature can be used for many purposes, such as authenticating packets in network coding protocols and computing statistics on authenticated data. In particular, for secure network coding it is the most effective cryptographic tool to prevent the "pollution attack." Most of the above-mentioned linearly homomorphic signature schemes can be applied to prevent pollution attacks by a malicious node.

Here we want to point out that all of the above-mentioned authentication schemes are applicable only to the case of a single user or a single-source network coding system. In the real world, some applications involve many signatures on messages produced by many different users or sources. For example, in the multi-source network coding system [11, 12], packets from multiple different sources need to be linearly combined so as to exploit the benefits provided by network coding. For such multi-source network coding in an adversarial setting, Agrawal et al. [13] constructed a complex scheme against pollution attacks in the general case, in which a merging algorithm is used to generate several public keys and signatures at the intermediate nodes. In order to find more efficient and practical solutions, the follow-up works [14–16] all considered the specific case where only packets (or messages) that have the same identifier are combined together. Czap and Vajda's work [14] is obtained from the pairing-based homomorphic signature scheme proposed in [2], while Yan et al. [15] proposed an elegant homomorphic signature scheme based on bilinear pairings and obtained a shorter homomorphic signature by using a novel homomorphic hash function. Recently, Zhang et al. [16] introduced the aggregation property into homomorphic signatures for the multiple-user case and formed a homomorphic aggregate signature scheme (HAS) by using a preimage sampling function and the Bonsai tree technique over random lattices.

However, these authentication schemes designed for the multiuser case (or multi-source case) all have their own flaws. As shown above, the unforgeability of both [14, 15] is based on CDH (the computational Diffie-Hellman problem) in a bilinear group. As a result, these schemes involve a large number of point multiplications on an elliptic curve. If a homomorphic signature scheme for the multi-source case is to be used in network coding, the scheme must support linearly homomorphic operations over the binary field, just as [5, 7] do for the single source. In addition, we need to emphasize that security based on classical number-theoretic problems is threatened by the power of quantum computers. As for the HAS proposed in [16], although its security is based on a hardness assumption over lattices which is considered infeasible even for quantum computers, the length of the aggregate signature is twice that of each original signature. The longer the signature, the higher the verification overhead. Hence, it is significant to construct an efficient postquantum linearly homomorphic signature scheme for the multiple-user case.

In this paper, we propose a short lattice-based linearly homomorphic aggregate signature scheme over the binary field, obtained by optimizing our initial scheme for the multiple-user case. Our scheme is an extension of the lattice-based linearly homomorphic signature scheme over in [7]. In our scheme, each user signs the original messages using their own private key, and the aggregate signature on an aggregate message, which is the combination of original messages from different users, can be generated just from the combination of the original signatures without knowing any user's private key. In this way, valid aggregate messages can be authenticated using a common public key formed from all the users' public keys. We point out that the common public key is independent of the signed message space, which means our signature scheme still supports signatures on multiple message subspaces (or files) without updating the public keys. Compared to the HAS in [16], the length of the aggregate signature in our scheme is as short as that of the original signatures, which is only half the length of the aggregate signature proposed in [16]. More importantly, this length of the aggregate signature is independent of the number of signing users. In addition, we also prove that the security of our solution can be reduced to that of the lattice-based LHS scheme in the single-user case in [7].

The rest of this paper is organized as follows. In Section 2, we introduce the background about lattice and briefly overview the model of linearly homomorphic signature based on lattice over binary field in [7]. Our HAS scheme is described in detail in Section 3, including the general model definition, the initial scheme, and optimization. Section 4 proves the security of the presented scheme, and Section 5 is the analysis of the efficiency. Finally, in Section 6, we summarize this paper.

2. Preliminaries

2.1. Notation

We use and to denote the set of integers and the set of real numbers, respectively. For any integer , let denote the ring of integers modulo . By convention, we use bold lowercase letters for vectors (e.g., ) and bold uppercase letters for matrices (e.g., ). The members of a vector are denoted by lowercase letters (e.g., ), while the th column of a matrix is denoted by . For a positive integer , denotes . In this paper, let denote the Gram-Schmidt orthogonalization of the matrix . The Euclidean norm of a vector is considered as its length (e.g., ), and the length of a matrix is the norm of its longest column vector (e.g., ). In addition, a function is negligible in if it is smaller than all polynomial fractions for all sufficiently large .

2.2. Random Lattice and Hard Assumption

Let be a set of linearly independent vectors; then, the lattice generated by the basis is . In lattice-based cryptography, we always focus on integer lattices, where the lattice points are contained in . For some integers , , let be a random matrix. Then, the two kinds of full-rank random lattice defined by are used in this paper. Their specific definitions are as follows:

In fact, the lattice is a coset of . Namely, where . In addition, note that the variable is the security parameter, as in prior work, and the other variables are functions of . Typically, is and the modulus is some small polynomial, for example, .

Hard Assumption. The security of the lattice-based LHS schemes [5, 7] is based on the hardness assumption of the short integer solution (SIS) problem over the lattice . The SIS problem is defined as follows.

Definition 1. Given positive integers and a real , for a random matrix , the goal of SIS is to find a nonzero vector such that .

In [17], it has been proven that solving the SIS problem on average is as hard as approximating certain lattice problems in the worst case, such as the SIVP problem (shortest independent vectors problem).

2.3. Gaussian Distribution on Lattices

Gaussian distribution techniques are widely used in the analysis of results in lattice-based cryptography. Here, we briefly review some important conclusions from previous works [5, 15, 16], which will be used to analyze our scheme.

Discrete Gaussian Distribution. For the parameter and any vector , the probability density function of the Gaussian distribution on centered at is defined as . For the -dimensional lattice , the discrete Gaussian distribution over is a conditional probability distribution with center and parameter , which is defined as , where . Micciancio and Regev [17] introduced the notion of the "smoothing parameter" of a lattice and showed that if the parameter is greater than the smoothing parameter, then the discrete distribution is statistically close to the continuous distribution . In particular, .

Sampling from Discrete Gaussian. Gentry et al. [18] gave a new bound on the smoothing parameter relative to a certain lattice quantity and showed an algorithm for sampling from the discrete Gaussian distribution, which is commonly used in signature schemes [5, 7, 16, 19]. In addition, Boneh and Freeman in [5] showed that the sum of independent discrete Gaussian variables is still discrete Gaussian. Some relevant facts are listed as follows.

Lemma 2 (see [18, Theorem 4.1]). Given a basis of any -dimensional lattice , a parameter , and a center , there is a PPT (probabilistic polynomial-time) algorithm that outputs a sample from a distribution that is statistically close to .

Lemma 3 (see [18, Theorem 5.6]). Let be a positive integer, , and . For a matrix , let be a basis of and ; then, one has the following. (1) For any , there is a probabilistic polynomial-time algorithm SamplePre that outputs a sample from a distribution that is statistically close to . In particular, the vector satisfies with overwhelming probability. (2) For any , the distribution of the syndrome is statistically close to uniform over .

Lemma 4 (see [5, Theorem 9]). For a lattice , the parameter , and , let be mutually independent random variables sampled from a discrete Gaussian distribution . Let , , and . Suppose that , where is the smoothing parameter of the lattice for some negligible ; then, is statistically close to .

2.4. Short Basis of Lattice

In lattice-based cryptography, a short basis of a lattice can be considered a trapdoor basis and is used as the private key in cryptographic applications. For the lattice , a short basis can be generated using the TrapGen algorithm proposed by Alwen and Peikert in [20]. In addition, the common public key used to sign in our initial HAS scheme consists of the public keys of multiple users in the form of , where is the number of signing users. To derive a new short basis of the higher-dimensional lattice , some lemmas about the basis delegation mechanism proposed by Cash et al. in [21] will be employed. All of them are listed below.

Lemma 5 (see [19, Theorem 3.2]). For and , there is a probabilistic polynomial-time algorithm that outputs a matrix statistically close to a uniform matrix in and a basis of the lattice such that with overwhelming probability.

Lemma 6. Let be an arbitrary basis of the lattice of a random matrix , and let be the parameter ; then, (1) (see [20, Lemma 3.2]) for any matrix , there is a deterministic polynomial-time algorithm that outputs a basis of the lattice such that ; (2) (see [20, Lemma 3.3]) there is a probabilistic polynomial-time algorithm that outputs another basis of the lattice , which is statistically independent of the original basis and is still short.

2.5. Linearly Homomorphic Signature Scheme (LHS) Based on Lattice over

Our homomorphic aggregate signature scheme is an extension of the efficient linearly homomorphic signature scheme proposed by Wang et al. for the single-user case [7], which improves on the scheme of Boneh and Freeman [5]. At present, lattice-based LHS over is called -limited, which means that successful verification is only guaranteed for combinations of a finite number of valid signatures, where is the maximal number. Here, we briefly describe LHS1; the details of lattice-based LHS over the binary field can be found in [5, 7].

Homomorphic Hash Based on Lattice. Lyubashevsky and Micciancio in [22] defined a secure hash function based on the approximate SVP (shortest vector problem) of lattices, which was used in [5]. This hash function family maps to by inner product and has the homomorphic property. Specifically, given vectors , , belonging to with the vector fixed, the hash function ( is 1 or 2) satisfies the linear homomorphism conditions. Namely, it holds that and , where .

Wang's Signature Scheme. Wang's lattice-based LHS scheme [7], which will be called LHS1, consists of the following four polynomial-time algorithms.

WSetup. Let the parameters be the same as those in Lemma 5. Let be a collision-resistant hash function which maps to , and let the coefficients of the linear function belong to . The signer runs the algorithm to produce the public key and private key pair .

WSign. To sign a subspace of the message space , where is an identifier of , given that the set of vectors is a basis of , the signer does the following to sign a basis vector . (1) Compute the vectors . (2) Compute the hash value of through the homomorphic hash function , and denote it as a column vector whose th element is . (3) Use the algorithm in Lemma 3 to obtain a signature of the hash value ; the linearly homomorphic signature on is then denoted by .

WVerify. Let be the maximal number of signatures that can be combined. To verify the linearly homomorphic signature on the message , the verifier first computes the hash value of just as steps and of WSign do, and then outputs 1 (accept) if and only if both conditions and hold, and 0 (reject) otherwise.

WCombine. Given pairs , where , it outputs the vector as the signature on the message .

For a linearly homomorphic signature in an adversarial setting, there are two types of forgery: an output produced by an adversary that is accepted by the Verify algorithm where either (1) or (2) , but . Theorem 2 in [7] shows that LHS1 is unforgeable against both types of adversary in the random oracle model.

Lemma 7 (see [7, Theorem 2]). If a stateful adversary who does not know the signing private key can output either kind of forgery above with probability , then the SIS problem can be solved by a challenger with probability .

3. Homomorphic Aggregate Signature Based on Lattice

For the most general multiuser setting, Agrawal et al. in [13] have shown that it is difficult to find efficient solutions for homomorphic signatures. In this paper, we deal with the specific case, the same one considered in [11–13], where only messages tagged with the same identifier are combined together. In addition, our signature scheme requires that a trusted private key generator (PKG) is available, so that every user has their own public-private key pair.

In the HAS, assuming is a unique identifier of a message subspace, for a message from the subspace , the signed message is the tuple , where is the signature on from the th user using his (or her) own private key. So, the aggregate message is obtained through a linear combination of different messages tagged with the same id from distinct users. Now, we present the system model of HAS and give a detailed construction of our signature scheme.

3.1. Definition of HAS

The presented system definition of lattice-based HAS is a variant of that of the linearly homomorphic signature in [5]. Compared with the model of single-user homomorphic signatures [5, 7], the Setup and Verify parts of the HAS system need to define some new properties and additional operators, while the Sign part does not change. Formally, an HAS is a tuple of polynomial-time algorithms , which are as follows.

. This probabilistic algorithm takes as input the security parameter and the maximum number of users and outputs the public-private pair for each user and the common public key shared with everyone.

. For the th user, this probabilistic algorithm takes as input a message of subspace and the private key , and outputs the signature on message .

. Given the combination coefficient vector and () pairs of message sharing the same id and the corresponding signature, output the aggregate signature on the aggregate message .

. This is a deterministic algorithm. Given an identifier id, the common public key , the aggregate message , and the corresponding signature , output either 1 (accept) or 0 (reject).

In terms of correctness and security, a homomorphic aggregate signature scheme should have not only the characteristics of a general linearly homomorphic signature in the single-user case, but also some features of its own in the multiuser case. On the one hand, assuming each user is honest, verification should accept a valid signed message from each user while a forged signed message must be rejected, which is the same as in the single-user case. On the other hand, given a series of valid signed messages , where , a new valid signed message denoted by can be produced without access to any private key.

3.2. Our Scheme

According to the definition of HAS, we show how to extend the homomorphic signature scheme LHS1 described in Section 2.5 to the multiuser case. Our initial HAS scheme is as follows.

. Given a security parameter and the maximum number of users , the PKG initializes the scheme in four steps. (1) Choose the parameters . For and , let and , where is a constant. (2) For the users, the algorithm is run times to generate the matrices and the corresponding trapdoor bases of , where . (3) Let be a collision-resistant hash function which is viewed as a random oracle, and let be the lattice-based homomorphic hash function described in Section 2.5. (4) The pair is assigned to the corresponding user as that user's private key and public key, respectively. Let be the common public key and publish it to all the users. Of course, each private key must be delivered to its user confidentially.

. For the th user, given the common signing key , the private key , and one of the basis vectors of the message subspace , for example, where , the signature on the message is produced as follows. (1) To obtain a short basis of , the algorithm in Lemma 6 is run to get such that . (2) Use the homomorphic hash function to produce the hash value of the message , as is done in WSign of LHS1. (3) Output the signature on the hash value by using the algorithm .

. Given the common public key and messages tagged with the same id from the corresponding users, output the aggregate signature on the combined message , where .

. Given the common public key , an identifier id, an aggregate message , and the corresponding signature , do the following. (1) Compute the hash value of using the homomorphic hash function , just as step of Sign does. (2) Check the two conditions and . (3) Output 1 (accept) if and only if both conditions hold. Otherwise, output 0 (reject).

3.3. Correctness

First of all, we show the correctness of the proposed HAS scheme, provided that the related functions are all computed successfully, namely the homomorphic hash function , the preimage sampling function, and the collision-resistant hash function .

We know that , , and , where , , and the vector . Since the combined messages are tagged with the same identifier, the vectors derived from are the same for each user. Thus, we can directly use to represent the hash value of in order to simplify the notation. Then Hence, the first condition of Verify holds, while ((2)) holds because of the homomorphic property of the function . Furthermore, since each signature on a message is obtained by the preimage sampling algorithm , the length of , measured by the Euclidean norm, is not larger than . Thus, the upper bound on the length of the aggregate signature is as follows: where , and the first inequality in ((3)) holds by the triangle inequality. It follows from the above analysis that the signature on the message can be verified and satisfies the correctness requirement of the aggregate signature model defined in Section 2.1.
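To make the algebra of LHS1 (Section 2.5) and of the HAS Sign/Combine/Verify flow (Sections 3.2 and 3.3) concrete, the following Python toy model is added here; it is a constructed illustration and not code from the paper or its authors. It models the relation a verifier checks, namely that the common public matrix A applied to the signature equals the homomorphic hash of the message modulo q, together with the k-limited length bound of ((3)). Everything else is an assumption of the example: the toy parameters (Q, N, M_DIM, D, BETA), the network-coding layout of a message as a data block followed by a unit vector, {0,1} combination coefficients standing in for the binary-field setting (the mod-2 reduction of that setting is omitted), and the fact that no trapdoor or SamplePre is implemented. Instead, short signatures are drawn first and the per-identifier hash matrix T_id (whose rows play the role of the random-oracle vectors) is programmed to match them, which is the same honest-signer simulation the challenger uses in the proof of Theorem 8.

```python
"""Toy model of the LHS1 / HAS verification algebra (constructed example)."""
import math
import random

Q = 101        # toy modulus (assumption; the paper's q is a small polynomial in n)
N = 5          # rows of the common public matrix A
M_DIM = 16     # columns of A, i.e. the signature dimension
D = 6          # data coordinates in each network-coding message
BETA = 4.0     # per-signature length bound checked by Verify (= sqrt(M_DIM))

rng = random.Random(2024)   # fixed seed so the example is reproducible


def matvec(mat, vec, mod):
    """Matrix-vector product with the result reduced modulo `mod`."""
    return [sum(a * b for a, b in zip(row, vec)) % mod for row in mat]


def norm(vec):
    """Euclidean norm, the length measure used by the verifier."""
    return math.sqrt(sum(x * x for x in vec))


def gen_public_matrix():
    """Common public key A shared by every user (uniform over Z_q)."""
    return [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N)]


def short_vector():
    """Stand-in for a SamplePre output: a nonzero vector with entries in
    {-1, 0, 1}, so its norm is at most sqrt(M_DIM) = BETA."""
    while True:
        v = [rng.choice((-1, 0, 1)) for _ in range(M_DIM)]
        if any(v):
            return v


def make_messages(num_basis):
    """Constructed basis vectors of one message subspace: a random data
    block followed by the unit vector that records the message's index."""
    return [[rng.randrange(Q) for _ in range(D)]
            + [1 if i == j else 0 for i in range(num_basis)]
            for j in range(num_basis)]


def simulate_signatures(A, messages):
    """Programmed-oracle simulation (as the challenger does in the proof of
    Theorem 8): draw a short sigma_j for every basis vector v_j, then fix
    the identifier's hash matrix T_id so that A*sigma_j = T_id*v_j mod q.
    Each sigma_j stands for the signature of the user owning v_j."""
    ell = len(messages)
    sigmas = [short_vector() for _ in messages]
    t_data = [[rng.randrange(Q) for _ in range(D)] for _ in range(N)]
    t_aug = [[0] * ell for _ in range(N)]
    for j, (v, s) in enumerate(zip(messages, sigmas)):
        target = matvec(A, s, Q)
        partial = matvec(t_data, v[:D], Q)
        for r in range(N):
            t_aug[r][j] = (target[r] - partial[r]) % Q
    T_id = [t_data[r] + t_aug[r] for r in range(N)]
    return T_id, sigmas


def hom_hash(T_id, message):
    """Lattice-based homomorphic hash: entry i is <a_i, m> mod q, with a_i
    the i-th row of T_id; linear in m by construction."""
    return matvec(T_id, message, Q)


def combine(coeffs, messages, sigmas):
    """Combine / Aggregate: coefficient-weighted sums over the integers of
    both the messages and their signatures; no private key is involved."""
    k = len(messages[0])
    agg_msg = [sum(c * v[i] for c, v in zip(coeffs, messages)) for i in range(k)]
    agg_sig = [sum(c * s[i] for c, s in zip(coeffs, sigmas)) for i in range(M_DIM)]
    return agg_msg, agg_sig


def verify(A, T_id, message, sigma, k_max):
    """Verify: the hash relation modulo q and the k-limited length bound."""
    hash_ok = matvec(A, sigma, Q) == hom_hash(T_id, message)
    length_ok = norm(sigma) <= k_max * BETA
    return hash_ok and length_ok


def demo(num_users=3, k_max=3):
    """Run the whole flow for num_users signers on one identifier."""
    A = gen_public_matrix()
    msgs = make_messages(num_users)              # one basis vector per user
    T_id, sigmas = simulate_signatures(A, msgs)
    coeffs = [1] * num_users                     # {0,1} coefficients
    agg_msg, agg_sig = combine(coeffs, msgs, sigmas)
    bad_msg = list(agg_msg)                      # tamper with one coordinate
    bad_msg[0] += 1
    sig_norms = sum(abs(c) * norm(s) for c, s in zip(coeffs, sigmas))
    return {
        "originals_ok": all(verify(A, T_id, v, s, k_max) for v, s in zip(msgs, sigmas)),
        "aggregate_ok": verify(A, T_id, agg_msg, agg_sig, k_max),
        # the bound of (3): ||sum c_j sigma_j|| <= sum |c_j| ||sigma_j|| <= k * beta
        "triangle_bound_ok": norm(agg_sig) <= sig_norms + 1e-9,
        "tampered_rejected": not verify(A, T_id, bad_msg, agg_sig, k_max),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo` function exercises the two properties the correctness argument relies on: the hash relation survives aggregation because both the hash and the signature are linear, and the aggregate length is bounded by the sum of the original lengths, which is why the scheme is only k-limited. The tampered aggregate message fails the hash relation, the same check that rejects polluted packets.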

3.4. Optimization

The aggregate signature of the proposed HAS scheme is accepted by the Verify algorithm and conforms to the definition of HAS. However, compared with the signature of the single-user scheme in [7], it is easy to observe that, in our scheme, the length of each signature on a message grows linearly with the number of users. The cause of this problem is that the dimension of the random lattice used to sign in our multiuser scheme increases with the number of users, which can be clearly seen from the common public key . Obviously, the larger the common public key, the longer the aggregate signature and the larger the communication cost. Looking at the entire HAS scheme, it is clear that the common public key is shared by every user. In order to reduce the common public key size, the algorithm in Lemma 6 is introduced into our signature scheme; it can generate several different short bases from an arbitrary basis of a lattice. So, we can optimize the proposed HAS scheme in the following ways.

In the phase, while the parameters remain consistent with those of the initial scheme, we first use the algorithm only once to get a matrix and a short basis of the lattice , and then call the algorithm repeatedly to generate independent short bases () of the lattice . Therefore, let the bases () be the users' respective private keys, and let be the common public key shared by everyone, just as in [16]. In , we can directly use the preimage sampling algorithm to get the signature on the hash value of , denoted by , where is obtained as in the initial scheme. It should be noted that each user must use his own private key in the signing process. As for Combine and Verify, the operations of both are almost unchanged, except that one of the verification conditions becomes .

It can be proved that the optimized solution satisfies the correctness requirement of the homomorphic aggregate signature model in the same way as for the initial HAS scheme. More importantly, the optimization reduces the sizes of the common public key and the signature to those of the single-user scheme LHS1.

4. Security Analysis

For the security of linearly homomorphic signatures (LHS), two aspects, unforgeability and privacy, are generally considered [4]. Clearly, this consideration also applies to the security of a linearly homomorphic aggregate signature scheme (HAS). In this section, we focus on the security of the LHS scheme.

To prove the unforgeability and privacy of the proposed signature scheme, a reduction to the single-user case [7] is shown. Obviously, if the number of users equals one , our (optimized) scheme is almost identical to the LHS1 scheme. Next, we discuss the unforgeability and privacy of the proposed HAS scheme in the multiuser case.

4.1. Unforgeability

Assuming that no polynomial-time algorithm can solve the SIS problem in the average case, Lemma 7 proves that in LHS1 the advantage in winning the unforgeability game is negligible. Based on this result, we can prove the computational security of our HAS scheme by a reduction to LHS1 and obtain the following theorem.

Theorem 8. The presented HAS scheme is unforgeable, if the lattice-based linearly homomorphic signature scheme LHS1 in [7] is unforgeable.

Proof. By the usual reduction argument, assuming there is a polynomial-time algorithm that generates a forged signed aggregate message in HAS, an efficient algorithm can be constructed that produces a forged signed message for LHS1 in polynomial time.
The algorithm takes as input the tuple of public parameters, the common signing key shared by all users, and the set of corresponding signed messages in the subspace from the users. The signed message from the th user is denoted by , where id is the valid identifier of the message subspace. The output of algorithm , denoted by , is accepted by the Verify algorithm of the presented homomorphic aggregate signature, where is the aggregate coefficient vector. However, this is a forged signed aggregate message, in which either or and for .
We assume that the challenger takes the system parameters and the key pair to run the algorithm, where is a short vector of the lattice and is the dimension of the subspace . The construction of the algorithm by the challenger is as follows. (1) Construct a homomorphic aggregate signature scheme (HAS) with users. First, the challenger extends WSetup of LHS1 to generate the key pairs for the users. Specifically, let the matrix be the common public key shared by the users, and let the private key of the th user be the output of the algorithm , which is run times. Then, for the message subspace , assume that the challenger keeps several answers from the random oracle stored in a list (e.g., ), just as the - does in LHS1. As a result, each element of is a tuple where is sampled directly from the discrete Gaussian distribution with Gaussian parameter , and is statistically close to uniform according to Lemma 3, so these can be regarded as the basis vectors of . Thereby, a signature on the message from the th user can be produced by calling the algorithm . (2) Call the algorithm , which takes as input the system parameters and the signed messages . The output of is a forged signed message in the HAS scheme, where is the aggregate coefficient vector and is the aggregate signature on the aggregate message . It is worth noting that the vectors do exist, though they are not known and may not be unique. (3) The algorithm outputs the signed message where .
Now, we analyze the reduction and show that the output of is a forged signed message in LHS1. First, it must be determined whether the output of is accepted by LHS1. Since the output of passes the verification of the homomorphic aggregate signature (HAS) scheme, we know that and . From this it follows that it also passes verification in LHS1, because the parameters used to verify in both schemes are the same, for example, the matrix and . On the other hand, the output of is a forged signed message in LHS1 if and only if either or and for . Since the signed message is a forged signed aggregate message, this condition is satisfied. Consequently, this signed message is a forged signed message in LHS1, and Theorem 8 is proved.

4.2. Privacy

In order to prove the privacy of the presented signature scheme, we introduce the "weakly context hiding" property of the linearly homomorphic aggregate signature, which is adapted from [5] in the single-user case. The "weakly context hiding" property of a linearly homomorphic signature means that the signature on a derived message in some message subspace spanned by does not disclose any information about the original messages . However, the linear function used to combine the messages is not hidden, while the original signatures on these messages are kept private, which is why it is called "weakly context hiding." According to the definition of the linearly homomorphic aggregate signature, this property also applies to our scheme in the multiuser case, which is shown by proving Theorem 9.

Theorem 9. The proposed linearly homomorphic aggregate signature scheme has the “weakly context hiding” property.

Proof. Suppose that there are users who are assigned the corresponding private keys by running of the proposed signature scheme. In the proposed signature scheme, the th user employs the algorithm to sign the original message , and the aggregate signature on the message is generated by combining the original signatures on the corresponding messages , where each combined message must be tagged with the same id and . By Lemma 3 on the distribution of the original signatures, even though they come from different users, they are all statistically close to a Gaussian distribution, for example, , where is an arbitrary solution to and the remaining variables are defined as in the Sign part of the proposed scheme. Hence, by Lemma 4, the distribution of the aggregate signature on the aggregate message is statistically close to a Gaussian distribution, for example, , where and . Formally, the distribution of the signature on the aggregate message depends only on the linear function that was used to compute , not on each original message . Thus, the aggregate signature does not leak any information about the original messages beyond the aggregate message itself, and Theorem 9 holds.

5. Efficiency

In order to analyze the performance, we compare the proposed signature scheme with previous lattice-based linearly homomorphic signature schemes [5, 7, 16] in terms of public key size, signature length, signing cost, verifying overhead, and multiuser support.

Let denote the time cost of running the algorithm once and let denote the time cost of running the algorithm once. Since these two algorithms, commonly used in lattice-based signature schemes, take up most of the time throughout the whole signing process, and are the main indicators in the comparison of signing cost. The verifying part of the schemes mainly involves simple modular additions and multiplications, so we use space overhead as the indicator in the comparison of verifying cost. In addition, in the comparison of signature length, for example, , the length of id can be ignored because it is the same for each scheme.

Table 1 shows that Wang's scheme [7] is more efficient than Boneh's scheme [5] in the single-user case. In the multiple-user case, our scheme displays the same efficiency as Wang's in the single-user case. Compared with our scheme, the signature length of Zhang's scheme [16] is twice ours, and its verifying cost is four times ours.

6. Conclusions

In this paper, we propose a novel lattice-based HAS scheme with short signatures, which is an extension of the lattice-based LHS scheme over the binary field in the single-user case [7]. Our scheme has both the homomorphic property and the aggregate property: a signed aggregate message can be verified using the combination of the signatures on the original messages and the common public key derived from the public keys of the corresponding users. We prove its security by a reduction to the single-user case. At the same time, the "weakly context hiding" property holds in the proposed scheme. Furthermore, it is more practical than Zhang's HAS scheme [16]. However, there is still much work to be done to improve the capability of the scheme, such as how to design a variant with the "strong context hiding" property and how to take advantage of "ideal lattices" to decrease the public key size.

Conflict of Interests

The author declares that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research has been supported by the National Natural Science Foundation of China (no. 61374180, 61373136), the Research Foundation for Humanities and Social Sciences of Ministry of Education, China (no. 12YJAZH120, 14YJAZH023), the Research Fund for the Graduate Innovation Program of Jiangsu Province (no. CXZZ13_0493), and the Natural Science Foundation of Universities of Jiangsu province (no. 13KJB520005).