#### Abstract

In this paper, we design a new lattice-based linearly homomorphic signature scheme over . The existing schemes are all constructed based on hash-and-sign lattice-based signature framework, where the implementation of preimage sampling function is Gaussian sampling, and the use of trapdoor basis needs a larger dimension . Hence, they cannot resist potential side-channel attacks and have larger sizes of public key and signature. Under Fiat–Shamir with aborting signature framework and general SIS problem restricted condition , we use uniform sampling of filtering technology to design the scheme, and then, our scheme has a smaller public key size and signature size than the existing schemes and it can resist side-channel attacks.

#### 1. Introduction

The idea of the linear homomorphic signature scheme comes from network coding routing mechanism. Specifically, after a signer sends a number of signatures for messages to router (verifier) in a computer network using network coding, the router can generate a random linear combination of the received messages. Using the homomorphic property, the router computes a signature of and transmits to the next router, and the process will be continued for different linear combined messages. The final router accepts properly signed signature and recovers the original message by solving a full-rank linear system over .

Then, one can easily abstract definition from applications. Informally, given dimensional message vectors and signatures , anyone can create a signature for any vector . At the same time, if any adversary cannot produce a valid signature for , we say the linear homomorphic signature scheme is secure. There exit many classical linearly homomorphic signatures [1–4] based on the difficulty in solving discrete logarithm or the difficulty in integer factoring. However, they have two obvious disadvantages.

First, the parameter must be large enough to guarantee the difficulties in classical problems, but implementations are generally given over in network coding. Second, these schemes cannot resist quantum computing attack as we all know. Hence, more and more people focus on designing postquantum linearly homomorphic signature scheme over , where lattice-based schemes are significant.

#### 2. Related Work

##### 2.1. Lattice-Based Signature Schemes

The existing lattice-based signature schemes are mostly based on short integer solution (SIS) problem first provided in [5] . There are two frameworks to construct lattice-based signature schemes: hash-and-sign type [6, 7] and Fiat–Shamir type [8–11]. In schemes of hash-and-sign type, the signer uses trapdoor basis to compute preimage sampling function to create signature satisfying , where is a hash function. Unlike the hash-and-sign lattice-based signature framework, aborting technology is used in schemes of Fiat–Shamir type without trapdoor. This is the output of the signature according to some probabilities (rejection sampling) or the norm of signature must be in a security range (filtering outputting), where and ( is a Gaussian distribution or uniform distribution).

Furthermore, Gaussian distribution is utilized in preimage sampling and rejection sampling, which cannot resist partial side-channel attacks (see [12, 13]). Although, the author in [14] showed that an almost perfect implementation could resist these attacks, and the designed programme errors might occur.

##### 2.2. Lattice-Based Linearly Homomorphic Signature

The first lattice-based linearly homomorphic signature scheme over was proposed by Boneh and Freeman [15] in 2011, which was based on SIS problem, that is, finding a solution satisfying under giving . In addition, the specific sign process is , where . Soon after, Wang et al. proposed an improved scheme [16] based on the general SIS problem, and the size of public key and signature is smaller than [15] by changing into . Compared to signature size, in scheme [15, 16] has the smaller size .

In fact, both of them are designed in terms of the hash-and-sign lattice-based signature framework [6], where Gaussian sampling is used inevitably. Meanwhile, the generation of trapdoor basis needs that lattice dimension is (see [17, 18]), which is larger than for SIS problem itself.

##### 2.3. Our Contributions

In this paper, our scheme overcomes the drawbacks of existing schemes. Specifically, based on the SIS problem, we use filtering technology of Fiat–Shamir with aborting signature framework to design a new linearly homomorphic signature scheme over , and the advantages can be seen as follows:(1)The signature size is smaller than existing lattice-based schemes. The signature of our scheme is , and the size is , where . Since our design does not utilize preimage trapdoor sampling, the signature size is smaller than in [16] with the same and , where . Here, we use a different lattice dimension to distinguish the difference in signature size.(2)Our scheme can resist side-channel attacks. Using filtering technology, the masked element is chosen uniformly at random under restriction , and must satisfy the condition ; otherwise, (aborting). Hence, the signature output can protect secret key, and the scheme can resist side-channel attacks without Gaussian sampling.

##### 2.4. Organization of the Paper

We will provide two main technical descriptions to show how our scheme can have the above advantages in Section 3. Then, we propose the basic notations and definitions of linearly homomorphic signature in Section 4. We show the detailed design and security proof of our lattice-based linearly homomorphic signature in Section 5 and Section 6, respectively. In Section 7, we present efficiency comparisons. Finally, we give a conclusion and further work in Section 8. Data availability, conflicts of interest, and funding statement can be seen in the last three sections, respectively.

#### 3. Technical Notes

In this part, we give detailed descriptions to show how we get a smaller signature size and the scheme can resist side-channel attacks.

##### 3.1. Different Lattice Dimension Assumptions

As we know, given security parameter , influences the signature size directly. Thus, we want to reduce it. Fortunately, compared to hash-and-sign signature framework, the Fiat–Shamir signature framework has advantage in this aspect. We show the main reason as follows.

*Definition 1. *(the short integer solution problem SIS). Given uniformly random elements , find a nonzero of norm satisfyingUsually, it is denoted , where forms the columns of . To guarantee the hardness (existence of solution) of this problem, the parameters satisfy conditions . Normally, people consider the inhomogeneous version of the SIS problem, which is to find a small solution of equation .

To design Fiat–Shamir signature schemes, the lattice dimension satisfies enough. However, hash-and-sign type needs to get trapdoor basis; thus, we provide the existing conclusion below.

Proposition 1 (see [6, 17, 18]). *Given any prime and , then there exists a PPT algorithm which outputs statistically close to uniform over and a full-rank set by input . Then, it further gets a good basis satisfying .*

From what has been discussed above, we get the smaller the better for the size of signature and secret key under the same . Hence, we design a new scheme using Fiat–Shamir signature framework without trapdoor (basis).

##### 3.2. Filtering Technology

Since the existing lattice-based linearly homomorphic signature schemes are based on the hash-and-sign signature framework in which they use preimage sampling function implemented by Gaussian sampling, the schemes cannot resist side-channel attacks. Hence, we unitize uniform sampling of Fiat–Shamir framework to generate signature.

The idea of filtering can be traced back to [10, 19], and it is formally provided in [20] to design a blind signature scheme. Here, we rewrite this lemma according to our construction.

Lemma 1. *For arbitrary and random , if with , then we have .*

Then, the repeat time of our scheme can be computed by . Intuitively, bigger size is better. However, this value has influence on the size of directly; thus, it leads to increased communication costs. Hence, we can assign this value according to different efficiency requirements, which is a nice advantage in practice. According to [20], the authors provide the condition is the best; then, the repeat time is no more than 2, which is also hold for our scheme.

In our scheme, the parameters satisfy . In addition, to facilitate comparisons with schemes [15, 16], we use to compute signature size instead of (see Table 1).

#### 4. Preliminaries

##### 4.1. Notions

We denote . The elements in (vector or matrix) are marked in bold, is norm, and is norm. means that is chosen according to some distribution (uniform or Gaussian) at random. If , it means that using uniform sampling. Using Gaussian sampling, we denote , where is the standard deviation.

##### 4.2. Definitions of Linearly Homomorphic Signature

*Definition 2. *Given a fixed ring , a linearly homomorphic signature over it contains a tuple of probabilistic polynomial-time algorithms and the detailed descriptions can be seen as follows:(1)Setup (, ). It is a probabilistic algorithm that outputs by inputting a security parameter and other public parameters .(2)Sign . It is a probabilistic algorithm that outputs a valid signature by inputting secret key , a basis vector of message set , and a tag (or an identifier id) of message .(3)Verify . It is a deterministic algorithm that outputs a bit by inputting the tuple . If is a valid signature of , the algorithm outputs (accept); otherwise, (reject).(4)Combine . This algorithm outputs a valid combined signature of , where . The parameter is the maximum circuit depth.In general, the security properties of a linearly homomorphic signature scheme contain correctness, unforgeability, and privacy. We will give the specific contents for them as follows:(1): the outputs from above algorithms and can be accepted by the algorithm.(2): we will show a game between challenger and a polynomial-time adversary .(1): the challenger runs algorithm to get and gives to the adversary .(2): the adversary makes adaptive signature queries on -dimensional subspaces of message space , and he chooses a basis vectors for . For each subspaces , the challenger chooses from at random and gives and signatures to the adversary , where .(3): the adversary outputs a tag , a nonzero message , and a signature .The adversary wins the game when his outputs satisfy the algorithmand this algorithm satisfies the following one of two conditions:(1)Type 1. for all .(2)Type 2. but .

*Definition 3. *A linearly homomorphic signature scheme is unforgeability if the probability advantage of adversary winning above game is negligible with security parameter . That is,(3): a game between challenger and a polynomial-time adversary is shown as follows:(1): the challenger runs algorithm Setup (, ) to get and gives to the adversary .(2): the adversary chooses two linear message subspaces and represented as vectors for . In addition, he selects functions , which satisfy , where .(3): the challenger chooses a random bit , a tag , and signs the vector space . Then, the challenger uses the combine algorithm to generate signatures for and sends to .(4): outputs a guess bit . If holds, the adversary succeeds in the game.

*Definition 4. *A linearly homomorphic signature scheme is privacy if the probability advantage of adversary winning above game is negligible with security parameter . That is, .

#### 5. Our Lattice-Based Linearly Homomorphic Signature

. and , where the public key is and secret key is . We denote the hash function as and another hash function . Obviously, this function satisfies a property . Especially, we assume in our scheme as below. we suppose the massage satisfies and choose a basis of it, that is, (for the sake of design, we have assumed that it is a full-rank space). In addition, the used linear function is . Then, signer does the following steps:(1)He chooses and computes vectors , where is a tag of massage basis vector .(2)He computes . Then, fixing the parameter for any message , he denotes a vector .(3)He computes . If , output the signature , or else, go to the first step. Here, holds. : the verifier verifies the conditions as follows:(1)He computes .(2)He computes whether the equation holds or not.(3). : given public key and an array for . This algorithm outputs signature of message .

#### 6. Proof of Security

##### 6.1. Correctness

Since correctness refers to two verifications from the outputs of and algorithms, we prove it one by one:(1)The signature from algorithm is valid. For each , when the verifier receives the signature , he computes Then, he computes whether the equation holds or not.(2)The signature from algorithm is valid. We let matrix be a composition of vectors ; that is, . Hence, we have . Since condition holds for each , we only need to verify the linear property of and linear bound of . At first, we consider the following equation:

Thus, holds because of when holds. Next, we can see that the bound of our signature size is linear obviously. That is,

Hence, as long as this in equation holds, the signature is accepted.

##### 6.2. Unforgeability

Theorem 1. *Our scheme is unforgeability if the lattice problem SIS is hard.*

*Proof. *We suppose that the defined unforgeability game is correctly performed between a challenger and a polynomial-time adversary . In addition, and are the times of random oracle and signature oracle. Specifically, given the public key , adaptively chooses some dimensional subspaces and chooses basis for . To return signatures to , the challenger makes query to above oracles and outputs for the chosen basis.

When above game is finished, the adversary outputs a tag , a nonzero message , and a signature . Next, we consider two types forgeries, respectively.

*Type 1. *If for all and Verify holds, the adversary has ability to solve the SIS problem. Suppose has gotten , then he chooses randomly and computes . Hence, he can combine equations as follows:Thus, he gets and computesNotice that if , the adversary forgeries a signature if and only is he can solve SIS instance. Furthermore, since = , we can see that the probability of success for this type of attack is negligible.

*Type 2. *If conditions and hold, the adversary also can solve the SIS problem. In this case, for the same hash value , the adversary chooses massage space and one of its basis . Then, he computes and . Since is a fixed value, the adversary can compute:Then, he obtains equation , which is marked as .

Since , the adversary cannot forgery a valid signature; otherwise, he is able to search a SIS problem solution. In addition, the reason why he does not use hash oracle is that the condition determines this oracle has the same input.

##### 6.3. Privacy

Theorem 2. *Our scheme is privacy.*

*Proof. *According to the definition of privacy game, challenger and adversary firstly finish the setup step. Then, chooses two basis vectors from message spaces , where . At the same time, he selects linear functions satisfying . Specifically, for a fixed , the condition holds.

When challenger obtains , he chooses and randomly. Then, he signs basis vectors under and outputs the signature computed using the Combine algorithm. And he sends to .

Finally, the adversary outputs a guess bit . Next, we will show that it is negligible for him to succeed in this game. That is, .

In fact, we let two distinguished signatures are of message , of message , and condition is . Then, we havewhere . Hence, we getBecause and are indistinguishable under for the adversary, we show holds.

#### 7. Efficiency Comparisons

In schemes of hash-and-sign type [15, 16], the signer uses trapdoor basis to compute preimage sampling function to create signature . However, the lattice dimension must satisfy to get a trapdoor basis (see [17, 18]) and a larger will result in a larger size of public key and signature.

Our design using the Fiat–Shamir signature framework without trapdoor has smaller public key and signature sizes mainly because is enough. Then, compared to public key size in [16], our result is smaller than theirs. In addition, signature size of our scheme is also smaller than in [16].

Furthermore, preimage sampling function utilizes Gaussian distribution which cannot resist partial side-channel attacks, and we use uniform distribution of aborting technology to resist such attacks effectively. The detailed comparisons can be seen in Table 1.

#### 8. Conclusion and Further Work

##### 8.1. Conclusion

In this paper, we provide a new lattice-based linearly homomorphic signature scheme over based on the SIS problem. Since we use Fiat–Shamir signature framework instead of hash-and-sign signature framework to design this signature scheme, we do not need to construct a trapdoor basis, and then the whole design is simpler than the existing schemes. At the same time, without the trapdoor basis, our scheme has the smallest public key size and signature size in the existing schemes because of parameter satisfying rather than . In addition, under the Fiat–Shamir framework, the use of filtering technology with uniform sampling can resist side-channel attacks.

##### 8.2. Further Work

Decreasing interaction and storage costs is the main work of our future research. In fact, new compression skill and decreasing parameters and must be improved efficiency. Since our scheme can be designed on R-SIS directly, we no longer give a special scheme. That is, if each element chosen forms the ring or , where , is power of 2, and is prime, then the parameter only needs to satisfy , rather than for SIS. Hence, it can improve the efficiency.

Specifically, we focus on [9], where it also uses filtering technology (uniform distribution), and special compression methods are used. Meanwhile, module lattice form brings an advantage to parameters and , which can be the 1/4 of existing set. In addition, this form can be transformed into lattice hard problem over ring (R-SIS) and general problem (SIS) by setting relative parameters.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (grant nos. 61602287, 11531008, 11771252, and 61632020), State Key Program of National Natural Science of China, Natural Science Foundation of Shandong Province (grant no. ZR2017MF021), Major Innovation Project of Science and Technology, Shandong (grant no. 2018CXGC0702), Primary Research & Development Plan of Shandong Province (grant no. 2018GGX101037), National Innovation Demonstration Zone Development and Construction Fund Project of Shandong Peninsula (grant no. S190101010001), Innovative Research Team in University by Ministry of Education (grant no. IRT16R43), and Taishan Scholars Project.