Abstract

Although the fully homomorphic signature (FHS) has made great progress, the low efficiency of existing FHS schemes as one main drawback cannot reach the requirements in practical application. It is well known that Number-Theory-Research-Unit (NTRU)-based cryptography is not only considered to be resistant to the quantum computer but also has high efficiency compared with the standard lattice-based cryptographic systems. In this paper, our goal is to construct a simple and highly efficient FHS scheme. To this end, we first devise an NTRU-based homomorphic trapdoor function (HTDF), which is more effective than the one proposed by Gorbunov et al. (STOC 2015). We then convert it into an efficient NTRU-based FHS scheme. Additionally, the HTDF we constructed is not only collision-resistant but is also claw-free, resulting in our FHS scheme is being strongly unforgeable.

1. Introduction

As the advantages of cloud computing increase, fully homomorphic cryptography has aroused great interest due to its remarkable characteristics. It not only allows the client to safely upload his/her data to some unreliable clouds but also allows the server to perform calculations on the data. Fully homomorphic cryptography consists of fully homomorphic encryption (FHE) and fully homomorphic signature (FHS). Gentry [1] designed the first fully homomorphic encryption system at STOC 2009 and Gorbunov et al. [2] constructed the first leveled fully homomorphic signature scheme at STOC 2015. In this work, we mainly discuss the issues related to FHS.

Rivest [3] first proposed the concept of homomorphic signature (HS) in 2000. Two years later, Johnson et al. [4] gave a security model and designed several provable secure HS schemes. In a HS scheme, a user signs a data in the message space using his/her signing key and then distributes the signed data to some unreliable remote server. The server can run arbitrary computations over the signed data and homomorphically derive a short signature , which can verify that is indeed the correct output of operation on message . Anyone can check the tuple by employing the user’s public verification key and then determine that is indeed the correct outcome of s calculation on . In addition, the verification process does not need the underlying data .

According to the homomorphic capability of HS schemes, we can divide the homomorphic signature schemes into three categories: linear homomorphic signature, somewhat homomorphic signature (SHS), and fully homomorphic signature.

Zhao et al. [5] proposed a linear HS scheme to resolve the inherent network pollution problem in network coding. This scheme allows an arbitrary linear combination calculation of the signature data, which can both conveniently verify the integrity of the received message and effectively prevent the application built on the network code from being attacked by pollution. In further research studies, many papers [6–11] have made further improvements in efficiency, security, and privacy protection.

In 2011, Boneh and Freeman [12] constructed the first SHS scheme, which is selectively secure in the random oracle (RO) model. Subsequently, Catalano et al. [13] proposed a new SHS scheme, which is adaptively secure, whose security no longer depends on RO model, and whose verification process is more efficient.

Different from the abovementioned homomorphic signature schemes, the FHS allows polynomial depth circuit operations on the signed data. In 2014, Gorbunov et al. [2] proposed the first leveled FHS scheme based on the hardness of the small integer solution (SIS) problem in standard lattices [14, 15]. To this end, a building block called the homomorphic trapdoor function (HTDF) is proposed. This new cryptographic primitive helps us to conceptually unify digital signatures [16–18] and fully homomorphic encryption [19]. They showed that if an HTDF function is claw-free, then you can directly use the HTDF function to construct an existentially unforgeable FHS scheme under a selective chosen-message attack (EU-sCMA), and that an EU-sCMA secure FHS can be converted into an existentially unforgeable under the adaptive chosen-message attack (EU-aCMA) one with the help of HTDF functions. Additionally, this solution has the following advantages: First, it allows quick amortization verification of calculations on multiple different datasets, even though these datasets belong to different users with different verification keys. Second, the scheme can be made context hiding, that is, the signature corresponding to will not expose any information about the underlying data . Third, the scheme also allows several different calculations to be combined on signed data. Inspired by the key-homomorphic function encryption of the circuit, Boyen et al. [20] constructed the first adaptively secure homomorphic signature scheme utilizing the vanishing trapdoor technique [21]. Compared with Gorbunov et al. FHS, the efficiency of this scheme has been significantly improved, and it can fight against stronger adversaries, but this scheme does not reach context hiding. Later, Tsabary [22] demonstrated the equivalence between FHS and attribute-based signature (ABS) [23]. They can be implied by each other under certain conditions, which opens up a new direction for constructing FHS schemes. Furthermore, Tsabary built an ABS from lattices and converted it into a new FHS scheme. All the abovementioned existing HS algorithms can only produce one signature for a single message at a time, which is inefficient. Therefore, Luo et al. [24] proposed a new leveled fully homomorphic signature scheme, which generates signatures for all messages in the dataset only by calling the signature algorithm twice. To the end, the vector coding technique [25] is used, which encodes all messages in the dataset into two matrices.

In addition, Wang et al. [26] constructed an identity-based HTDF , which has better parameters and stronger security. The maximum noise compared with Gorbunov et al. HTDF is roughly reduced from to , which will lead to a polynomial modulus when , where is the maximum depth of the circuit and is the security parameter. The stronger security requires that IBHTDF be not only claw-free but also collision-resistant. Then, they converted the abovementioned IBHTDF into a leveled strongly unforgeable IBFHS scheme. However, the leveled IBFHS scheme is only secure in the selective security model under the hardness of the SIS problem. Recently, Wang et al. [27] used trapdoor vanishing [21] and vector coding techniques [25] to construct an efficient leveled strongly unforgeable IBFHS scheme based on the SIS problem on arbitrary lattices. Compared with [26], this scheme is adaptively secure against chosen identity and chosen message attacks under the standard SIS assumption. Concurrently, Wang and Wang [28] constructed a new leveled strongly unforgeable IBFHS scheme based on a new IBHTDF, whose homomorphic multiplication operation is very similar to the homomorphic addition operation, resulting in that the noise level of IBHTDF is used to evaluate circuits with depth was reduced from in [26] to .

1.1. Motivation and Contribution

Fully homomorphic signature is an important branch of digital signatures, which plays a significant role in the information age. At present, many achievements have been made in this research field. To our best knowledge, the existing FHS schemes are constructed on the standard lattices. They are not practical because of their low efficiency. Therefore, it is intriguing to design more efficient FHS schemes.

In 1998, Hoffstein et al. [29] put forward a new public key cryptography system called NTRU. NTRU features relatively short, easy to create key, high speed, and low memory requirements. The security of the NTRU cryptosystem comes from the interaction of the polynomial hybrid system and the independence of the reduced modulus of two relatively prime integers and . Stehlé and Steinfeld [30] present a provably secure NTRU-based signature (denoted by NTRUSign in this work) scheme, which is a novel adaption of the unfledged and heuristic NTRU-based signature scheme [31] and the standard lattice-based signature scheme [16]. However, NTRUSign has no homomorphic property. Therefore, it is necessary to design an NTRU-based FHS.

Following the blueprint of [2, 26], we first devise an NTRU-based HTDF function from the NTRUSign proposed by Stehlé et al., which is both collision-resistant and claw-free. We then convert it into a strongly unforgeable FHS scheme.

We point out that when only performing polylog-depth circuits, we can compute them by Barrington’s theorem [32]. Hence, a polynomial modulus is enough, resulting in improved efficiency and security [26]. In addition, we also could choose the ring used in [33] to construct an FHS scheme with similar efficiency.

1.2. Paper Organization

In Section 2, we provide some background used in this work. We then formally describe our NTRU-based HTDF functions in Section 3 and NTRU-based FHS in Section 4. Finally, we conclude in Section 5.

2. Preliminaries

Throughout, we use the bold lowercase letters (e.g., ) to denote row vectors. We use the to denote the -th entry of and to represent the infinity norm of . Sometimes, we denote and . We let denote the set .

Let denote the rings for some integer polynomials of degree . In this paper, we use the cyclotomic polynomial , where for positive integer and for some integer which is isomorphic to . We represent elements in as , where its coefficients are in the range and the infinity norm of is .

Then, we introduced a parameter and a negligible function negl . is used to denote the security parameter. The growth negl is slower than for any constant and any sufficiently large value of . An event with an overwhelming probability is equivalent to its occurrence with a probability of at least .

2.1. Basic Notions

2.1.1. Distributions

For a probability distribution , we use to denote that is sampled according to . For a set , we use S to denote that is sampled uniformly at random from . For two distributions and , and denote that and are computationally indistinguishable and statistically indistinguishable, respectively.

2.1.2. Entropy

The min entropy of a random variable , denoted by , is defined as . The average min entropy of conditioned on , denoted with , is defined as follows:

Given the correlation value , the optimal probability of an infinite attacker predicting is .

2.1.3. -Bounded

A distribution ensemble , supported over the ring , is called -bounded if .

Lemma 1. (see [34]). In a ring , for any two polynomials , we have the following norm .

Lemma 2. (see [34]). In a ring , let be a -bounded distribution over , let . Then, the value of is bounded.

2.2. Gaussian and Discrete Gaussian

For , the Gaussian function , supported on and centered at with parameter and , is defined as follows: .

2.2.1. Discrete Gaussian Distribution

For , the discrete Gaussian function , supported on and centered at with parameter and , is defined as follows: . When equals 0, it is denoted by . Take note that the following Lemma illustrates that a discrete Gaussian distribution outputs a -bounded polynomial with overwhelming probability. So, we define a -bounded distribution called Gaussian distribution which is statistically indistinguishable from discrete Gaussian distribution.

Lemma 3. (see [34]). For and , it holds that .

The truncated discrete Gaussian distribution centered at 0 and denoted by is that sample polynomials from , and if the polynomial is not -bounded, then discards it and repeats the sampling. According to Lemma 3, if and , then we have .

2.3. Lattices

2.3.1. RSIS

Choose polynomials uniformly and independently, find such that and , then this problem is called RSIS .

The following theorem shows that there is a reduction from the average-case hardness of RSIS to the worst-case hardness of ideal-SVP as follows:

Theorem 1. (see [30]). For , and . Let such that and . A polynomial-time algorithm solving with overwhelming probability can be used to solve - in polynomial time with the approximate factor .

2.3.2. Lattice Trapdoor

In this paper, for an odd integer and , we use the “powers of two” gadget first introduced by Micciancio and Peikert. [18]. For , is the deterministic bit decomposition function, which outputs a matrix so as to and .

Lemma 4. (see [30]). There are three efficient algorithms as follows:(1): It runs the key generation algorithm same as [30] and returns . Recall that is a signing key and is the corresponding trapdoor -basis for the module .(2): It samples such that with probability 1.(3): Given and the trapdoor , it returns such that and with probability 1.(4)We have the statistical indistinguishability:where , and .

2.4. Permutation Branching Program

Then, a permutation branching program is defined as follows [35]. with input space of , length , and width is a sequence of tuples of the form where.  is a function associates the -th tuple with an input bit .  are permutations over .

performs calculation on input as follows. Let the initial state be and the -th state be . Then, the state is calculated recursively according to the formula given below.

After steps, the final state is . If , the output of is 1, otherwise it is 0.

In order to handle the problem of excessive noise growth caused by homomorphic operation, we present the state in the form of bits, as described in [35]. Specifically, for , we use an -dimensional unit vector , e.g., instead of the state . The principal idea of this design is that holds only when . If holds, if and only if either:  and or  and .

Hence, for , we have the following:where and are fully determined by the description of and can be computed easily and publicly. In order to make the homomorphic operation more concise and efficient, we give another representation of permutation branching program, such that .

3. HTDF Functions

A homomorphic trapdoor function (HTDF) allows anyone to calculate a homomorphic input and an output . The input depends only on and the output depends on . That is, holds, where is an admissible function (or called circuit) defined very soon.

3.1. Definition

A HTDF consists of five polytime algorithms , with syntax as follows: : A key generation procedure. The security parameter defines the input space , the index space , and the output space and some efficiently sampleable input-distribution over . We require that elements in , and can be efficiently tested and that elements in can efficiently be sampled uniformly at random. : A deterministic function indexed by and . : A probabilistic inverter indexed by and . : A deterministic input homomorphic evaluation algorithm. It takes some function as input and values and outputs . : A deterministic  output  homomorphic evaluation algorithm. It takes some function as input and values and outputs .

3.1.1. Correctness of Homomorphic Computation

Let and be a function on , and set . Let and set for . Set , . The correctness requirement is established for and .

3.1.2. Relaxed Correctness of Leveled HTDFs

In a leveled fully homomorphic scheme, the size of noise carried by each input is . The initial samples selected from the input-distribution carries a small noise of and the noise size of the evaluated input depends on the noise size of , the indices , and the function . In fact, if the noise size , where is an extreme value of noise size, the correctness of the scheme cannot be guaranteed. Thus, we ought to pay attention to limiting the types of functions that can be calculated homomorphically. A function is admissible on indices if, whenever carries noise with size .

3.1.3. Distributional Equivalence of Inversion

In order to illustrate the security of our main construction FHS, we demand the following statistical indistinguishability:where , , .

3.1.4. HTDF Security

Gorbunov et al. [2] constructed an existential unforgeability FHS based on the security of claw-freeness HTDF. Here, we want to construct a FHS scheme that is strongly unforgeable like Wang et al. [26] did, so the security of HTDF is required to meet the two characteristics of claw-freeness and collision-resistance. In particular, it should be hard to find and such that . Notice that if holds, then is a collision, otherwise a claw. Formally, for any PPT attacker , the following holds:

3.2. Construction: Basic Algorithms and Security

It is to be remembered that is the security parameter. In order to illustrate the HTDF function concisely, we need to introduce some asymptotic public parameters, as shown below.

3.2.1. Parameters

We define flexible as the maximum depth of the circuit that supported by homomorphic trapdoor function. Choose an integer and a sufficiently large prime , and set . Set .

3.2.2. Construction of HTDF

Below, we give the basic algorithm of the HTDF function . Set and . Define the distribution and sample as in Lemma 4 so that . : Run and set and . Define . Define to output .

3.2.3. Distributional Equivalence of Inversion

Let and . Let , , . Obviously is uniformly random, then by Lemma 4 and a simple hybrid argument, we can obtain as follows:

We perform the following operations on both sides of the equation: put in an and then add to the last entry to both sides, we can obtain as follows: