#### Abstract

Although the fully homomorphic signature (FHS) has made great progress, the low efficiency of existing FHS schemes as one main drawback cannot reach the requirements in practical application. It is well known that Number-Theory-Research-Unit (NTRU)-based cryptography is not only considered to be resistant to the quantum computer but also has high efficiency compared with the standard lattice-based cryptographic systems. In this paper, our goal is to construct a simple and highly efficient FHS scheme. To this end, we first devise an NTRU-based homomorphic trapdoor function (HTDF), which is more effective than the one proposed by Gorbunov et al. (STOC 2015). We then convert it into an efficient NTRU-based FHS scheme. Additionally, the HTDF we constructed is not only collision-resistant but is also claw-free, resulting in our FHS scheme is being strongly unforgeable.

#### 1. Introduction

As the advantages of cloud computing increase, fully homomorphic cryptography has aroused great interest due to its remarkable characteristics. It not only allows the client to safely upload his/her data to some unreliable clouds but also allows the server to perform calculations on the data. Fully homomorphic cryptography consists of fully homomorphic encryption (FHE) and fully homomorphic signature (FHS). Gentry [1] designed the first fully homomorphic encryption system at STOC 2009 and Gorbunov et al. [2] constructed the first leveled fully homomorphic signature scheme at STOC 2015. In this work, we mainly discuss the issues related to FHS.

Rivest [3] first proposed the concept of homomorphic signature (HS) in 2000. Two years later, Johnson et al. [4] gave a security model and designed several provable secure HS schemes. In a HS scheme, a user signs a data in the message space using his/her signing key and then distributes the signed data to some unreliable remote server. The server can run arbitrary computations over the signed data and homomorphically derive a short signature , which can verify that is indeed the correct output of operation on message . Anyone can check the tuple by employing the user’s public verification key and then determine that is indeed the correct outcome of *s* calculation on . In addition, the verification process does not need the underlying data .

According to the homomorphic capability of HS schemes, we can divide the homomorphic signature schemes into three categories: linear homomorphic signature, somewhat homomorphic signature (SHS), and fully homomorphic signature.

Zhao et al. [5] proposed a linear HS scheme to resolve the inherent network pollution problem in network coding. This scheme allows an arbitrary linear combination calculation of the signature data, which can both conveniently verify the integrity of the received message and effectively prevent the application built on the network code from being attacked by pollution. In further research studies, many papers [6–11] have made further improvements in efficiency, security, and privacy protection.

In 2011, Boneh and Freeman [12] constructed the first SHS scheme, which is selectively secure in the random oracle (RO) model. Subsequently, Catalano et al. [13] proposed a new SHS scheme, which is adaptively secure, whose security no longer depends on RO model, and whose verification process is more efficient.

Different from the abovementioned homomorphic signature schemes, the FHS allows polynomial depth circuit operations on the signed data. In 2014, Gorbunov et al. [2] proposed the first leveled FHS scheme based on the hardness of the small integer solution (SIS) problem in standard lattices [14, 15]. To this end, a building block called the homomorphic trapdoor function (HTDF) is proposed. This new cryptographic primitive helps us to conceptually unify digital signatures [16–18] and fully homomorphic encryption [19]. They showed that if an HTDF function is claw-free, then you can directly use the HTDF function to construct an existentially unforgeable FHS scheme under a selective chosen-message attack (EU-sCMA), and that an EU-sCMA secure FHS can be converted into an existentially unforgeable under the adaptive chosen-message attack (EU-aCMA) one with the help of HTDF functions. Additionally, this solution has the following advantages: First, it allows quick amortization verification of calculations on multiple different datasets, even though these datasets belong to different users with different verification keys. Second, the scheme can be made context hiding, that is, the signature corresponding to will not expose any information about the underlying data . Third, the scheme also allows several different calculations to be combined on signed data. Inspired by the key-homomorphic function encryption of the circuit, Boyen et al. [20] constructed the first adaptively secure homomorphic signature scheme utilizing the vanishing trapdoor technique [21]. Compared with Gorbunov et al. FHS, the efficiency of this scheme has been significantly improved, and it can fight against stronger adversaries, but this scheme does not reach context hiding. Later, Tsabary [22] demonstrated the equivalence between FHS and attribute-based signature (ABS) [23]. They can be implied by each other under certain conditions, which opens up a new direction for constructing FHS schemes. Furthermore, Tsabary built an ABS from lattices and converted it into a new FHS scheme. All the abovementioned existing HS algorithms can only produce one signature for a single message at a time, which is inefficient. Therefore, Luo et al. [24] proposed a new leveled fully homomorphic signature scheme, which generates signatures for all messages in the dataset only by calling the signature algorithm twice. To the end, the vector coding technique [25] is used, which encodes all messages in the dataset into two matrices.

In addition, Wang et al. [26] constructed an identity-based HTDF , which has better parameters and stronger security. The maximum noise compared with Gorbunov et al. HTDF is roughly reduced from to , which will lead to a polynomial modulus when , where is the maximum depth of the circuit and is the security parameter. The stronger security requires that IBHTDF be not only claw-free but also collision-resistant. Then, they converted the abovementioned IBHTDF into a leveled strongly unforgeable IBFHS scheme. However, the leveled IBFHS scheme is only secure in the selective security model under the hardness of the SIS problem. Recently, Wang et al. [27] used trapdoor vanishing [21] and vector coding techniques [25] to construct an efficient leveled strongly unforgeable IBFHS scheme based on the SIS problem on arbitrary lattices. Compared with [26], this scheme is adaptively secure against chosen identity and chosen message attacks under the standard SIS assumption. Concurrently, Wang and Wang [28] constructed a new leveled strongly unforgeable IBFHS scheme based on a new IBHTDF, whose homomorphic multiplication operation is very similar to the homomorphic addition operation, resulting in that the noise level of IBHTDF is used to evaluate circuits with depth was reduced from in [26] to .

##### 1.1. Motivation and Contribution

Fully homomorphic signature is an important branch of digital signatures, which plays a significant role in the information age. At present, many achievements have been made in this research field. To our best knowledge, the existing FHS schemes are constructed on the standard lattices. They are not practical because of their low efficiency. Therefore, it is intriguing to design more efficient FHS schemes.

In 1998, Hoffstein et al. [29] put forward a new public key cryptography system called NTRU. NTRU features relatively short, easy to create key, high speed, and low memory requirements. The security of the NTRU cryptosystem comes from the interaction of the polynomial hybrid system and the independence of the reduced modulus of two relatively prime integers and . Stehlé and Steinfeld [30] present a provably secure NTRU-based signature (denoted by NTRUSign in this work) scheme, which is a novel adaption of the unfledged and heuristic NTRU-based signature scheme [31] and the standard lattice-based signature scheme [16]. However, NTRUSign has no homomorphic property. Therefore, it is necessary to design an NTRU-based FHS.

Following the blueprint of [2, 26], we first devise an NTRU-based HTDF function from the NTRUSign proposed by Stehlé et al., which is both collision-resistant and claw-free. We then convert it into a strongly unforgeable FHS scheme.

We point out that when only performing polylog-depth circuits, we can compute them by Barrington’s theorem [32]. Hence, a polynomial modulus is enough, resulting in improved efficiency and security [26]. In addition, we also could choose the ring used in [33] to construct an FHS scheme with similar efficiency.

##### 1.2. Paper Organization

In Section 2, we provide some background used in this work. We then formally describe our NTRU-based HTDF functions in Section 3 and NTRU-based FHS in Section 4. Finally, we conclude in Section 5.

#### 2. Preliminaries

Throughout, we use the bold lowercase letters (e.g., ) to denote row vectors. We use the to denote the -th entry of and to represent the infinity norm of . Sometimes, we denote and . We let denote the set .

Let denote the rings for some integer polynomials of degree . In this paper, we use the cyclotomic polynomial , where for positive integer and for some integer which is isomorphic to . We represent elements in as , where its coefficients are in the range and the infinity norm of is .

Then, we introduced a parameter and a negligible function negl . is used to denote the security parameter. The growth negl is slower than for any constant and any sufficiently large value of . An event with an overwhelming probability is equivalent to its occurrence with a probability of at least .

##### 2.1. Basic Notions

###### 2.1.1. Distributions

For a probability distribution , we use to denote that is sampled according to . For a set , we use *S* to denote that is sampled uniformly at random from . For two distributions and , and denote that and are computationally indistinguishable and statistically indistinguishable, respectively.

###### 2.1.2. Entropy

The min entropy of a random variable , denoted by , is defined as . The average min entropy of conditioned on , denoted with , is defined as follows:

Given the correlation value , the optimal probability of an infinite attacker predicting is .

###### 2.1.3. -Bounded

A distribution ensemble , supported over the ring , is called -bounded if .

Lemma 1. *(see [34]). In a ring , for any two polynomials , we have the following norm .*

Lemma 2. *(see [34]). In a ring , let be a -bounded distribution over , let . Then, the value of is bounded.*

##### 2.2. Gaussian and Discrete Gaussian

For , the Gaussian function , supported on and centered at with parameter and , is defined as follows: .

###### 2.2.1. Discrete Gaussian Distribution

For , the discrete Gaussian function , supported on and centered at with parameter and , is defined as follows: . When equals 0, it is denoted by . Take note that the following Lemma illustrates that a discrete Gaussian distribution outputs a -bounded polynomial with overwhelming probability. So, we define a -bounded distribution called Gaussian distribution which is statistically indistinguishable from discrete Gaussian distribution.

Lemma 3. *(see [34]). For and , it holds that .*

The truncated discrete Gaussian distribution centered at 0 and denoted by is that sample polynomials from , and if the polynomial is not -bounded, then discards it and repeats the sampling. According to Lemma 3, if and , then we have .

##### 2.3. Lattices

###### 2.3.1. RSIS

Choose polynomials uniformly and independently, find such that and , then this problem is called RSIS .

The following theorem shows that there is a reduction from the average-case hardness of RSIS to the worst-case hardness of ideal-SVP as follows:

Theorem 1. *(see [30]). For , and . Let such that and . A polynomial-time algorithm solving with overwhelming probability can be used to solve - in polynomial time with the approximate factor .*

###### 2.3.2. Lattice Trapdoor

In this paper, for an odd integer and , we use the “powers of two” gadget first introduced by Micciancio and Peikert. [18]. For , is the deterministic bit decomposition function, which outputs a matrix so as to and .

Lemma 4. *(see [30]). There are three efficient algorithms as follows:*(1)*: It runs the key generation algorithm same as [30] and returns . Recall that is a signing key and is the corresponding trapdoor -basis for the module .*(2)*: It samples such that with probability 1.*(3)*: Given and the trapdoor , it returns such that and with probability 1.*(4)*We have the statistical indistinguishability:**where , and .*

##### 2.4. Permutation Branching Program

Then, a permutation branching program is defined as follows [35]. with input space of , length , and width is a sequence of tuples of the form where. is a function associates the -th tuple with an input bit . are permutations over .

performs calculation on input as follows. Let the initial state be and the -th state be . Then, the state is calculated recursively according to the formula given below.

After steps, the final state is . If , the output of is 1, otherwise it is 0.

In order to handle the problem of excessive noise growth caused by homomorphic operation, we present the state in the form of bits, as described in [35]. Specifically, for , we use an -dimensional unit vector , e.g., instead of the state . The principal idea of this design is that holds only when . If holds, if and only if either: and or and .

Hence, for , we have the following:where and are fully determined by the description of and can be computed easily and publicly. In order to make the homomorphic operation more concise and efficient, we give another representation of permutation branching program, such that .

#### 3. HTDF Functions

A homomorphic trapdoor function (HTDF) allows anyone to calculate a homomorphic input and an output . The input depends only on and the output depends on . That is, holds, where is an admissible function (or called circuit) defined very soon.

##### 3.1. Definition

A HTDF consists of five polytime algorithms , with syntax as follows: : A key generation procedure. The security parameter defines the input space , the index space , and the output space and some efficiently sampleable input-distribution over . We require that elements in , and can be efficiently tested and that elements in can efficiently be sampled uniformly at random. : A deterministic function indexed by and . : A probabilistic inverter indexed by and . : A deterministic input homomorphic evaluation algorithm. It takes some function as input and values and outputs . : A deterministic output homomorphic evaluation algorithm. It takes some function as input and values and outputs .

###### 3.1.1. Correctness of Homomorphic Computation

Let and be a function on , and set . Let and set for . Set , . The correctness requirement is established for and .

###### 3.1.2. Relaxed Correctness of Leveled HTDFs

In a leveled fully homomorphic scheme, the size of noise carried by each input is . The initial samples selected from the input-distribution carries a small noise of and the noise size of the evaluated input depends on the noise size of , the indices , and the function . In fact, if the noise size , where is an extreme value of noise size, the correctness of the scheme cannot be guaranteed. Thus, we ought to pay attention to limiting the types of functions that can be calculated homomorphically. A function is admissible on indices if, whenever carries noise with size .

###### 3.1.3. Distributional Equivalence of Inversion

In order to illustrate the security of our main construction FHS, we demand the following statistical indistinguishability:where , , .

###### 3.1.4. HTDF Security

Gorbunov et al. [2] constructed an existential unforgeability FHS based on the security of claw-freeness HTDF. Here, we want to construct a FHS scheme that is strongly unforgeable like Wang et al. [26] did, so the security of HTDF is required to meet the two characteristics of claw-freeness and collision-resistance. In particular, it should be hard to find and such that . Notice that if holds, then is a collision, otherwise a claw. Formally, for any PPT attacker , the following holds:

##### 3.2. Construction: Basic Algorithms and Security

It is to be remembered that is the security parameter. In order to illustrate the HTDF function concisely, we need to introduce some asymptotic public parameters, as shown below.

###### 3.2.1. Parameters

We define flexible as the maximum depth of the circuit that supported by homomorphic trapdoor function. Choose an integer and a sufficiently large prime , and set . Set .

###### 3.2.2. Construction of HTDF

Below, we give the basic algorithm of the HTDF function . Set and . Define the distribution and sample as in Lemma 4 so that . : Run and set and . Define . Define to output .

###### 3.2.3. Distributional Equivalence of Inversion

Let and . Let , , . Obviously is uniformly random, then by Lemma 4 and a simple hybrid argument, we can obtain as follows:

We perform the following operations on both sides of the equation: put in an and then add to the last entry to both sides, we can obtain as follows:

###### 3.2.4. HTDF Security

Next, it is proved that if the RSIS assumption holds, the HTDF function constructed above is safe. Recall that in the original HTDF security experiment, we generate the public key along with the secret key for .

Theorem 2. *Suppose that the -assumption holds for the described parameters, then the function satisfies the security.*

*Proof*. Assume that there exists a PPT adversary , which can have a nonnegligible probability win the HTDF security experiment. Then, we establish a probability polynomial time simulator that breaks the RSIS assumption with nonnegligible probability.

Next, we revise the HTDF security experiment, we sample , instead of sampling and setting and . Please note that has never been used anywhere in the primeval HTDF security experiment. Hence, adversary *s* point of view among the original HTDF security experiment and the simulated HTDF security experiment are indistinguishable by Lemma 4. Specifically, adversary attacks the security experiment of simulated HTDF and gains the security experiment with a probability of at least .

At present, we have proved that the PPT adversary , who won in the simulated HTDF security experiment, can be used to settle the RSIS problem. Suppose that the successful adversary outputs values such that . Let and . Then, we obtain as follows:

Additionally, because , it holds that and thus . Moreover, since , it holds that .

To solve the RSIS problem defined by , where , then we talk over the two situations given below: : In this situation, the small is a nonzero solution of the RSIS problem, as , . : On this event, we prove that the simulator pretty good at using the knowledge of a small and some satisfying the right side of the (9) to find a nonzero solution of the RSIS problem (similarly as [2]).

Sample and let . Calculate such that . Therefore,

Setting , we then have and . Below the , i.e., have to be proved. Here we show that, even given , the following inequality holds with overwhelming probability for uniformly random Actually, we have

The reason for the first inequality is that is completely determined by as is deterministic, and the reason for the second inequality comes from Lemma 4. Therefore, .

So, if the adversary wins any situation in the abovementioned simulated HTDF security game with a nonnegligible probability , the simulator will generate an effective and small enough solution to solve the RSIS problem with a probability of . The process of the proof ends. □

##### 3.3. Basic Homomorphic Evaluation

In an HTDF scheme, in order to verify an evaluated function value, we demand to design two corresponding algorithms: one is the input algorithm, another kind is the output algorithm, and both algorithms are deterministic. This is different from a homomorphic encryption system; in a homomorphic encryption system, only one (random or deterministic) homomorphic algorithm that acts on the ciphertext needs to be designed.

The two basic homomorphic algorithms addition and multiplication are described as follows. Here, we will simplify some notations (e.g., instead of ). Recall that for , . Let and .

###### 3.3.1. Homomorphic Addition Algorithms

They calculate the sum of the corresponding input and output vectors, respectively.

The noise of the addition is bounded by . The correctness comes from .

###### 3.3.2. Homomorphic Multiplication Algorithms

The homomorphic output multiplication algorithm is a multiplication of the output vectors which is performed the multiplication defined in Section 3.1. The homomorphic input multiplication algorithm is asymmetric and it needs partial output, index, and the whole input to compute.

The noise of multiplication is bounded by . Assuming , the correctness follows by the computation:

##### 3.4. Homomorphic Output and Input Evaluation

According to the abovementioned discussion, it is very easy to homomorphically calculate an arithmetic circuit or Boolean circuit similar as [2], we are not satisfied. We want to show how to design the scheme as well as [26] based on the fact that the noise growth is asymmetric.

###### 3.4.1. Homomorphic Output Evaluation

Below we describe the definition of the homomorphic output evaluation algorithmfor a length is and a width is permutation branching program . In the initialization stage, we will assign below and is the vector such that , where . Recall that is a description of the permutation branching program , and the initial state vector is defined as the first -dimensional unit vector . For and , it holds that:

Here, we give the full description of the process of the homomorphic output evaluation algorithm of the permutation branching program . Initialization: Let be an output relevant to the state , where ,(1)Choose and set it to be a corresponding output of the state 1.(2)Choose and set it to be a corresponding initial output of the initial state .(3)Set , where (such that ) is an output corresponding to , and set it to be a corresponding output of . Calculation: For , suppose that at step , we have . Then, we can calculate inductively as follows: Final output: After finishing the computation, we have the value of . Finally, output the final output corresponding to the state , i.e., .

###### 3.4.2. Homomorphic Input Evaluation

Here, we give the full description of the process of the homomorphic input evaluation algorithm , , of the permutation branching program . Initialization: Let be an input relevant to the state , where .(1)Sample (such that ) and set it as input relevant to the state 1.(2)Sample (such that ) and set it as the initial input relevant to the initial state .(3)Set , where (such that ) is an input corresponding to , and set it to the input relevant to . Calculation: For , suppose that at step , we have . Then, we can calculate inductively as follows. Final input: After finishing the computation process, we have the value of . Finally, output the final input corresponding to , i.e., .

##### 3.5. Correctness of Homomorphic Evaluation and Noise Analysis

In the following lemmas, we testify the validity of homomorphic input and homomorphic output algorithms and explain in detail the noise growth in the above homomorphic evaluation.

Lemma 5. *Suppose that , and , , , where , and for . Then for all , we have . For , we have .*

*Proof*. Using formulas (1), (4), and (5) and the above conditions, for all , it holds as follows:

The process of proof ends. □

Lemma 6. *Assuming that , , and all the noises of the inputs are bounded by , i.e., , , then we have .*

Proof. We use the inductive method to prove the lemma. That is, for any step and , we will show that .

If , it is not difficult to find that all the initial noises are such that .

Suppose that at step , we have . Then, according to formula (16), we have as follows:where .

Through induction, we obtain