NTRU-Based Fully Homomorphic Signature

Li, Ruonan; Wang, Fuqun; Zhang, Renjun; Chen, Kefei

doi:https://doi.org/10.1155/2022/9942717

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 9942717 | https://doi.org/10.1155/2022/9942717

NTRU-Based Fully Homomorphic Signature

Ruonan Li,^1,2Fuqun Wang ,^1,2,3Renjun Zhang,^1,2and Kefei Chen^1,2,3

Academic Editor: Iqtadar Hussain

Received28 Nov 2021

Accepted13 May 2022

Published22 Jun 2022

Abstract

Although the fully homomorphic signature (FHS) has made great progress, the low efficiency of existing FHS schemes as one main drawback cannot reach the requirements in practical application. It is well known that Number-Theory-Research-Unit (NTRU)-based cryptography is not only considered to be resistant to the quantum computer but also has high efficiency compared with the standard lattice-based cryptographic systems. In this paper, our goal is to construct a simple and highly efficient FHS scheme. To this end, we first devise an NTRU-based homomorphic trapdoor function (HTDF), which is more effective than the one proposed by Gorbunov et al. (STOC 2015). We then convert it into an efficient NTRU-based FHS scheme. Additionally, the HTDF we constructed is not only collision-resistant but is also claw-free, resulting in our FHS scheme is being strongly unforgeable.

1. Introduction

As the advantages of cloud computing increase, fully homomorphic cryptography has aroused great interest due to its remarkable characteristics. It not only allows the client to safely upload his/her data to some unreliable clouds but also allows the server to perform calculations on the data. Fully homomorphic cryptography consists of fully homomorphic encryption (FHE) and fully homomorphic signature (FHS). Gentry [1] designed the first fully homomorphic encryption system at STOC 2009 and Gorbunov et al. [2] constructed the first leveled fully homomorphic signature scheme at STOC 2015. In this work, we mainly discuss the issues related to FHS.

Rivest [3] first proposed the concept of homomorphic signature (HS) in 2000. Two years later, Johnson et al. [4] gave a security model and designed several provable secure HS schemes. In a HS scheme, a user signs a data in the message space using his/her signing key and then distributes the signed data to some unreliable remote server. The server can run arbitrary computations over the signed data and homomorphically derive a short signature , which can verify that is indeed the correct output of operation on message . Anyone can check the tuple by employing the user’s public verification key and then determine that is indeed the correct outcome of s calculation on . In addition, the verification process does not need the underlying data .

According to the homomorphic capability of HS schemes, we can divide the homomorphic signature schemes into three categories: linear homomorphic signature, somewhat homomorphic signature (SHS), and fully homomorphic signature.

Zhao et al. [5] proposed a linear HS scheme to resolve the inherent network pollution problem in network coding. This scheme allows an arbitrary linear combination calculation of the signature data, which can both conveniently verify the integrity of the received message and effectively prevent the application built on the network code from being attacked by pollution. In further research studies, many papers [6–11] have made further improvements in efficiency, security, and privacy protection.

In 2011, Boneh and Freeman [12] constructed the first SHS scheme, which is selectively secure in the random oracle (RO) model. Subsequently, Catalano et al. [13] proposed a new SHS scheme, which is adaptively secure, whose security no longer depends on RO model, and whose verification process is more efficient.

Different from the abovementioned homomorphic signature schemes, the FHS allows polynomial depth circuit operations on the signed data. In 2014, Gorbunov et al. [2] proposed the first leveled FHS scheme based on the hardness of the small integer solution (SIS) problem in standard lattices [14, 15]. To this end, a building block called the homomorphic trapdoor function (HTDF) is proposed. This new cryptographic primitive helps us to conceptually unify digital signatures [16–18] and fully homomorphic encryption [19]. They showed that if an HTDF function is claw-free, then you can directly use the HTDF function to construct an existentially unforgeable FHS scheme under a selective chosen-message attack (EU-sCMA), and that an EU-sCMA secure FHS can be converted into an existentially unforgeable under the adaptive chosen-message attack (EU-aCMA) one with the help of HTDF functions. Additionally, this solution has the following advantages: First, it allows quick amortization verification of calculations on multiple different datasets, even though these datasets belong to different users with different verification keys. Second, the scheme can be made context hiding, that is, the signature corresponding to will not expose any information about the underlying data . Third, the scheme also allows several different calculations to be combined on signed data. Inspired by the key-homomorphic function encryption of the circuit, Boyen et al. [20] constructed the first adaptively secure homomorphic signature scheme utilizing the vanishing trapdoor technique [21]. Compared with Gorbunov et al. FHS, the efficiency of this scheme has been significantly improved, and it can fight against stronger adversaries, but this scheme does not reach context hiding. Later, Tsabary [22] demonstrated the equivalence between FHS and attribute-based signature (ABS) [23]. They can be implied by each other under certain conditions, which opens up a new direction for constructing FHS schemes. Furthermore, Tsabary built an ABS from lattices and converted it into a new FHS scheme. All the abovementioned existing HS algorithms can only produce one signature for a single message at a time, which is inefficient. Therefore, Luo et al. [24] proposed a new leveled fully homomorphic signature scheme, which generates signatures for all messages in the dataset only by calling the signature algorithm twice. To the end, the vector coding technique [25] is used, which encodes all messages in the dataset into two matrices.

In addition, Wang et al. [26] constructed an identity-based HTDF , which has better parameters and stronger security. The maximum noise compared with Gorbunov et al. HTDF is roughly reduced from to , which will lead to a polynomial modulus when , where is the maximum depth of the circuit and is the security parameter. The stronger security requires that IBHTDF be not only claw-free but also collision-resistant. Then, they converted the abovementioned IBHTDF into a leveled strongly unforgeable IBFHS scheme. However, the leveled IBFHS scheme is only secure in the selective security model under the hardness of the SIS problem. Recently, Wang et al. [27] used trapdoor vanishing [21] and vector coding techniques [25] to construct an efficient leveled strongly unforgeable IBFHS scheme based on the SIS problem on arbitrary lattices. Compared with [26], this scheme is adaptively secure against chosen identity and chosen message attacks under the standard SIS assumption. Concurrently, Wang and Wang [28] constructed a new leveled strongly unforgeable IBFHS scheme based on a new IBHTDF, whose homomorphic multiplication operation is very similar to the homomorphic addition operation, resulting in that the noise level of IBHTDF is used to evaluate circuits with depth was reduced from in [26] to .

1.1. Motivation and Contribution

Fully homomorphic signature is an important branch of digital signatures, which plays a significant role in the information age. At present, many achievements have been made in this research field. To our best knowledge, the existing FHS schemes are constructed on the standard lattices. They are not practical because of their low efficiency. Therefore, it is intriguing to design more efficient FHS schemes.

In 1998, Hoffstein et al. [29] put forward a new public key cryptography system called NTRU. NTRU features relatively short, easy to create key, high speed, and low memory requirements. The security of the NTRU cryptosystem comes from the interaction of the polynomial hybrid system and the independence of the reduced modulus of two relatively prime integers and . Stehlé and Steinfeld [30] present a provably secure NTRU-based signature (denoted by NTRUSign in this work) scheme, which is a novel adaption of the unfledged and heuristic NTRU-based signature scheme [31] and the standard lattice-based signature scheme [16]. However, NTRUSign has no homomorphic property. Therefore, it is necessary to design an NTRU-based FHS.

Following the blueprint of [2, 26], we first devise an NTRU-based HTDF function from the NTRUSign proposed by Stehlé et al., which is both collision-resistant and claw-free. We then convert it into a strongly unforgeable FHS scheme.

We point out that when only performing polylog-depth circuits, we can compute them by Barrington’s theorem [32]. Hence, a polynomial modulus is enough, resulting in improved efficiency and security [26]. In addition, we also could choose the ring used in [33] to construct an FHS scheme with similar efficiency.

1.2. Paper Organization

In Section 2, we provide some background used in this work. We then formally describe our NTRU-based HTDF functions in Section 3 and NTRU-based FHS in Section 4. Finally, we conclude in Section 5.

2. Preliminaries

Throughout, we use the bold lowercase letters (e.g., ) to denote row vectors. We use the to denote the -th entry of and to represent the infinity norm of . Sometimes, we denote and . We let denote the set .

Let denote the rings for some integer polynomials of degree . In this paper, we use the cyclotomic polynomial , where for positive integer and for some integer which is isomorphic to . We represent elements in as , where its coefficients are in the range and the infinity norm of is .

Then, we introduced a parameter and a negligible function negl . is used to denote the security parameter. The growth negl is slower than for any constant and any sufficiently large value of . An event with an overwhelming probability is equivalent to its occurrence with a probability of at least .

2.1. Basic Notions

2.1.1. Distributions

For a probability distribution , we use to denote that is sampled according to . For a set , we use S to denote that is sampled uniformly at random from . For two distributions and , and denote that and are computationally indistinguishable and statistically indistinguishable, respectively.

2.1.2. Entropy

The min entropy of a random variable , denoted by , is defined as . The average min entropy of conditioned on , denoted with , is defined as follows:

Given the correlation value , the optimal probability of an infinite attacker predicting is .

2.1.3. -Bounded

A distribution ensemble , supported over the ring , is called -bounded if .

Lemma 1. (see [34]). In a ring , for any two polynomials , we have the following norm .

Lemma 2. (see [34]). In a ring , let be a -bounded distribution over , let . Then, the value of is bounded.

2.2. Gaussian and Discrete Gaussian

For , the Gaussian function , supported on and centered at with parameter and , is defined as follows: .

2.2.1. Discrete Gaussian Distribution

For , the discrete Gaussian function , supported on and centered at with parameter and , is defined as follows: . When equals 0, it is denoted by . Take note that the following Lemma illustrates that a discrete Gaussian distribution outputs a -bounded polynomial with overwhelming probability. So, we define a -bounded distribution called Gaussian distribution which is statistically indistinguishable from discrete Gaussian distribution.

Lemma 3. (see [34]). For and , it holds that .

The truncated discrete Gaussian distribution centered at 0 and denoted by is that sample polynomials from , and if the polynomial is not -bounded, then discards it and repeats the sampling. According to Lemma 3, if and , then we have .

2.3. Lattices

2.3.1. RSIS

Choose polynomials uniformly and independently, find such that and , then this problem is called RSIS .

The following theorem shows that there is a reduction from the average-case hardness of RSIS to the worst-case hardness of ideal-SVP as follows:

Theorem 1. (see [30]). For , and . Let such that and . A polynomial-time algorithm solving with overwhelming probability can be used to solve - in polynomial time with the approximate factor .

2.3.2. Lattice Trapdoor

In this paper, for an odd integer and , we use the “powers of two” gadget first introduced by Micciancio and Peikert. [18]. For , is the deterministic bit decomposition function, which outputs a matrix so as to and .

Lemma 4. (see [30]). There are three efficient algorithms as follows:(1): It runs the key generation algorithm same as [30] and returns . Recall that is a signing key and is the corresponding trapdoor -basis for the module .(2): It samples such that with probability 1.(3): Given and the trapdoor , it returns such that and with probability 1.(4)We have the statistical indistinguishability:where , and .

2.4. Permutation Branching Program

Then, a permutation branching program is defined as follows [35]. with input space of , length , and width is a sequence of tuples of the form where. is a function associates the -th tuple with an input bit . are permutations over .

performs calculation on input as follows. Let the initial state be and the -th state be . Then, the state is calculated recursively according to the formula given below.

After steps, the final state is . If , the output of is 1, otherwise it is 0.

In order to handle the problem of excessive noise growth caused by homomorphic operation, we present the state in the form of bits, as described in [35]. Specifically, for , we use an -dimensional unit vector , e.g., instead of the state . The principal idea of this design is that holds only when . If holds, if and only if either: and or and .

Hence, for , we have the following:where and are fully determined by the description of and can be computed easily and publicly. In order to make the homomorphic operation more concise and efficient, we give another representation of permutation branching program, such that .

3. HTDF Functions

A homomorphic trapdoor function (HTDF) allows anyone to calculate a homomorphic input and an output . The input depends only on and the output depends on . That is, holds, where is an admissible function (or called circuit) defined very soon.

3.1. Definition

A HTDF consists of five polytime algorithms , with syntax as follows: : A key generation procedure. The security parameter defines the input space , the index space , and the output space and some efficiently sampleable input-distribution over . We require that elements in , and can be efficiently tested and that elements in can efficiently be sampled uniformly at random. : A deterministic function indexed by and . : A probabilistic inverter indexed by and . : A deterministic input homomorphic evaluation algorithm. It takes some function as input and values and outputs . : A deterministic output homomorphic evaluation algorithm. It takes some function as input and values and outputs .

3.1.1. Correctness of Homomorphic Computation

Let and be a function on , and set . Let and set for . Set , . The correctness requirement is established for and .

3.1.2. Relaxed Correctness of Leveled HTDFs

In a leveled fully homomorphic scheme, the size of noise carried by each input is . The initial samples selected from the input-distribution carries a small noise of and the noise size of the evaluated input depends on the noise size of , the indices , and the function . In fact, if the noise size , where is an extreme value of noise size, the correctness of the scheme cannot be guaranteed. Thus, we ought to pay attention to limiting the types of functions that can be calculated homomorphically. A function is admissible on indices if, whenever carries noise with size .

3.1.3. Distributional Equivalence of Inversion

In order to illustrate the security of our main construction FHS, we demand the following statistical indistinguishability:where , , .

3.1.4. HTDF Security

Gorbunov et al. [2] constructed an existential unforgeability FHS based on the security of claw-freeness HTDF. Here, we want to construct a FHS scheme that is strongly unforgeable like Wang et al. [26] did, so the security of HTDF is required to meet the two characteristics of claw-freeness and collision-resistance. In particular, it should be hard to find and such that . Notice that if holds, then is a collision, otherwise a claw. Formally, for any PPT attacker , the following holds:

3.2. Construction: Basic Algorithms and Security

It is to be remembered that is the security parameter. In order to illustrate the HTDF function concisely, we need to introduce some asymptotic public parameters, as shown below.

3.2.1. Parameters

We define flexible as the maximum depth of the circuit that supported by homomorphic trapdoor function. Choose an integer and a sufficiently large prime , and set . Set .

3.2.2. Construction of HTDF

Below, we give the basic algorithm of the HTDF function . Set and . Define the distribution and sample as in Lemma 4 so that . : Run and set and . Define . Define to output .

3.2.3. Distributional Equivalence of Inversion

Let and . Let , , . Obviously is uniformly random, then by Lemma 4 and a simple hybrid argument, we can obtain as follows:

We perform the following operations on both sides of the equation: put in an and then add to the last entry to both sides, we can obtain as follows:

3.2.4. HTDF Security

Next, it is proved that if the RSIS assumption holds, the HTDF function constructed above is safe. Recall that in the original HTDF security experiment, we generate the public key along with the secret key for .

Theorem 2. Suppose that the -assumption holds for the described parameters, then the function satisfies the security.

Proof. Assume that there exists a PPT adversary , which can have a nonnegligible probability win the HTDF security experiment. Then, we establish a probability polynomial time simulator that breaks the RSIS assumption with nonnegligible probability.

Next, we revise the HTDF security experiment, we sample , instead of sampling and setting and . Please note that has never been used anywhere in the primeval HTDF security experiment. Hence, adversary s point of view among the original HTDF security experiment and the simulated HTDF security experiment are indistinguishable by Lemma 4. Specifically, adversary attacks the security experiment of simulated HTDF and gains the security experiment with a probability of at least .

At present, we have proved that the PPT adversary , who won in the simulated HTDF security experiment, can be used to settle the RSIS problem. Suppose that the successful adversary outputs values such that . Let and . Then, we obtain as follows:

Additionally, because , it holds that and thus . Moreover, since , it holds that .

To solve the RSIS problem defined by , where , then we talk over the two situations given below: : In this situation, the small is a nonzero solution of the RSIS problem, as , . : On this event, we prove that the simulator pretty good at using the knowledge of a small and some satisfying the right side of the (9) to find a nonzero solution of the RSIS problem (similarly as [2]).

Sample and let . Calculate such that . Therefore,

Setting , we then have and . Below the , i.e., have to be proved. Here we show that, even given , the following inequality holds with overwhelming probability for uniformly random Actually, we have

The reason for the first inequality is that is completely determined by as is deterministic, and the reason for the second inequality comes from Lemma 4. Therefore, .

So, if the adversary wins any situation in the abovementioned simulated HTDF security game with a nonnegligible probability , the simulator will generate an effective and small enough solution to solve the RSIS problem with a probability of . The process of the proof ends. □

3.3. Basic Homomorphic Evaluation

In an HTDF scheme, in order to verify an evaluated function value, we demand to design two corresponding algorithms: one is the input algorithm, another kind is the output algorithm, and both algorithms are deterministic. This is different from a homomorphic encryption system; in a homomorphic encryption system, only one (random or deterministic) homomorphic algorithm that acts on the ciphertext needs to be designed.

The two basic homomorphic algorithms addition and multiplication are described as follows. Here, we will simplify some notations (e.g., instead of ). Recall that for , . Let and .

3.3.1. Homomorphic Addition Algorithms

They calculate the sum of the corresponding input and output vectors, respectively.

The noise of the addition is bounded by . The correctness comes from .

3.3.2. Homomorphic Multiplication Algorithms

The homomorphic output multiplication algorithm is a multiplication of the output vectors which is performed the multiplication defined in Section 3.1. The homomorphic input multiplication algorithm is asymmetric and it needs partial output, index, and the whole input to compute.

The noise of multiplication is bounded by . Assuming , the correctness follows by the computation:

3.4. Homomorphic Output and Input Evaluation

According to the abovementioned discussion, it is very easy to homomorphically calculate an arithmetic circuit or Boolean circuit similar as [2], we are not satisfied. We want to show how to design the scheme as well as [26] based on the fact that the noise growth is asymmetric.

3.4.1. Homomorphic Output Evaluation

Below we describe the definition of the homomorphic output evaluation algorithmfor a length is and a width is permutation branching program . In the initialization stage, we will assign below and is the vector such that , where . Recall that is a description of the permutation branching program , and the initial state vector is defined as the first -dimensional unit vector . For and , it holds that:

Here, we give the full description of the process of the homomorphic output evaluation algorithm of the permutation branching program . Initialization: Let be an output relevant to the state , where ,(1)Choose and set it to be a corresponding output of the state 1.(2)Choose and set it to be a corresponding initial output of the initial state .(3)Set , where (such that ) is an output corresponding to , and set it to be a corresponding output of . Calculation: For , suppose that at step , we have . Then, we can calculate inductively as follows: Final output: After finishing the computation, we have the value of . Finally, output the final output corresponding to the state , i.e., .

3.4.2. Homomorphic Input Evaluation

Here, we give the full description of the process of the homomorphic input evaluation algorithm , , of the permutation branching program . Initialization: Let be an input relevant to the state , where .(1)Sample (such that ) and set it as input relevant to the state 1.(2)Sample (such that ) and set it as the initial input relevant to the initial state .(3)Set , where (such that ) is an input corresponding to , and set it to the input relevant to . Calculation: For , suppose that at step , we have . Then, we can calculate inductively as follows. Final input: After finishing the computation process, we have the value of . Finally, output the final input corresponding to , i.e., .

3.5. Correctness of Homomorphic Evaluation and Noise Analysis

In the following lemmas, we testify the validity of homomorphic input and homomorphic output algorithms and explain in detail the noise growth in the above homomorphic evaluation.

Lemma 5. Suppose that , and , , , where , and for . Then for all , we have . For , we have .

Proof. Using formulas (1), (4), and (5) and the above conditions, for all , it holds as follows:

The process of proof ends. □

Lemma 6. Assuming that , , and all the noises of the inputs are bounded by , i.e., , , then we have .

Proof. We use the inductive method to prove the lemma. That is, for any step and , we will show that .

If , it is not difficult to find that all the initial noises are such that .

Suppose that at step , we have . Then, according to formula (16), we have as follows:where .

Through induction, we obtain . The process of proof ends. □

Remark 1. Barrington’s theorem [32] states that a circuit with a depth of can be transformed into a permutation branching program with a length of . Thus, simply by setting , the resulting maximum noise level is less than . In particular, in the setting where it only requires , we obtain the modulus to be a middle large polynomial, which can supply a better security for the scheme. In other words, it is based on Ideal-SVP assumption with polynomial approximation factors.

4. Strongly Unforgeable NTRU-Based FHS

We construct a single key FHS scheme that is strongly unforgeable against selective chosen-message-attack (SU-sCMA) using the HTDF function, which appears in the form of a black box in the fore chapter.

4.1. Definition

A single data-set homomorphic signature scheme consists of the following seven PPT algorithms PrmsGen, KeyGen, Sign, SignEval, Process, and Verify: : Input the security parameter and the maximum data-size , and output public parameters . In addition, the security parameters define the message space . : Take the security parameter as input. Output the key pair of verification key and signing key. : Sign data . : Deterministically and homomorphically evaluate a signature for some function over . : A deterministic algorithm that can homomorphically evaluate a certificate from the public parameters . : Verify that is indeed the output of function by proving that and are corresponding.

4.1.1. Correctness

For , , , , and , we need the following equation:holds, where and .

Notice that the correctness of singing by setting and hence omitted, where is the -th identity mapping.

4.1.2. Relaxed Correctness of Leveled FHS

Since the relaxed correctness of the leveled FHS can be deduced from the correctness of the leveled HTDF, we omit this process.

4.1.3. Security Experiment

The SU-sCMA security experiment for FHS describes the adversary needs to determine the data to be signed before receiving public parameters and verification key. Then, the adversary struggled to discover so that it could meet the conditions for winning the experiment. It is noted that here we do not require or . Therefore, if holds, then is a strongly forgeable signature, otherwise it is an existentially forgeable signature.

We now proceed to define the SU-sCMA security experiment for FHS among an adversary and a challenger as follows: The adversary selects at one-time data and sends it to the challenger . The challenger runs and and returns back to the adversary . The challenger runs and sends the signatures to the adversary . The adversary selects a function and values . Let . If all the following conditions are met, wins:(1) is admissible on the data-set ;(2), where ;(3) accept, where .

If for all PPT adversary , inequality always holds. We say that the FHS scheme is SU-sCMA secure.

Remark 2. Define the stronger SU-aCMA security notion for FHS describing the strongly unforgeable adaptive chosen-message-attack game, where the adversary can select data to be signed after seeing the public parameters and the verification key. It is to be noted that an adaptively secure FHS can be transformed from a selectively secure FHS together with a chameleon hash with homomorphism [2], and that our HTDF built in the previous section is a chameleon hash. Therefore, we believe that we can obtain an adaptively secure NTRU-based FHS via the transformation.

4.2. Construction

Let , be an HTDF with index space , input space , output space and some efficiently sampleable input distribution over . We construct an FHS scheme , with message space as follows. : Sample and set public parameters . : Choose and set . : Sample and set . : Run , and output , then set . : Run and output the result . : If accept, else reject.

4.2.1. Correctness

The discussion on the correctness of the above-built leveled FHS is the same as the discussion on the correctness of the underlying leveled , so it is omitted.

4.2.2. Security

Now, we testify that the above FHS scheme is SU-sCMA secure.

Theorem 3. Suppose is a secure HTDF function, then the above FHS scheme is SU-sCMA secure.

Proof. Assume there exists a PPT adversary that wins the SU-sCMA security experiment of FHS with nonnegligible probability . We build a PPT reduction that breaks the HTDF security of .

In the SU-sCMA experiment, adversary first selects a data and then receives , and , where and . Next, we revise the experiment by sampling and setting . Adversary s point of view among the original security experiment and the changed security experiment are indistinguishable by the distributional equivalence of inversion property of the underlying HTDF function. Therefore, attacks the changed experiment and wins with a probability of at least .

Then, we prove that there is a PPT reduction , which can take any PPT adversary , and the adversary has the ability to win the changed experiment with nonnegligible advantage . Hence, the probability of breaking the HTDF security experiment of the underlying is .

After receiving a challenge public key and a data-set , the reduction selects and computes as in the changed experiment and returns back to .

Suppose that the adversary winning the changed experiment outputs values , where is an admissible function and . Let , , . So, on the one hand, holds as the forged signature verifies. On the other hand, also holds as is admissible. Thus, we have values and satisfying , which allows to break HTDF security of with probability whenever wins the changed experiment with probability . □

5. Conclusion and Open Problem

In this paper, we propose an SU-sCMA secure NTRU-based FHS scheme, which can be transformed to an SU-aCMA one with the help of NTRU-based HTDF functions (and without additional assumptions) using a similar transformation as introduced in [2]. Our next station is improving the efficiency of our FHS scheme and accomplishing the implementation with the consideration of practical attacks [36–39]. In addition, it is well known that the leveled FHE can be transformed into pure FHE via bootstrapping [40], the only workable way to get pure FHE at the present. However, there is no similar bootstrapping to improve homomorphic capability in the HS scenario, as the evaluated signature not only certifies the corresponding message, but also certifies the computation process. Therefore, it is still open to build a pure FHS.

Data Availability

No data were used in this work.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Nature Science Foundation of China (Nos. 61972124, 11974096, and U1705264), Ningbo 2025 Major Project of Science and Technology Innovation (No. 2021Z109), the Zhejiang Provincial Natural Science Foundation of China (No. LY19F020019), and the Research Foundation of Hangzhou Normal University (No. 2020QDL016).

References

C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178, Bethesda, MD, USA, June, 2009.
View at: Publisher Site | Google Scholar
S. Gorbunov, V. Vaikuntanathan, and D. Wichs, “Leveled fully homomorphic signatures from standard lattices,” in Proceedings of the Forty-Seventh Annual ACM STOC, pp. 469–477, Portland, OR, USA, June, 2015.
View at: Publisher Site | Google Scholar
R. L. Rivest, “Two Signature schemes,” 2000, http://people.csail.mit.edu/rivest/pubs.html.
View at: Google Scholar
R. Johnson, D. Molnar, D. Song, and D. Wagner, “Homomorphic signature schemes,” Cryptographers Track at the Rsa Conference on Topics in Cryptology, Springer, Berlin Heidelberg, pp. 244–262, 2002.
View at: Publisher Site | Google Scholar
F. Zhao, T. Kalkert, M. Medard, and K. J. Han, “Signatures for content distribution with network coding,” in Proceedings of the International Symposium on Information Theory, pp. 556–560, Nice, France, June, 2007.
View at: Google Scholar
D. Charles, K. Jain, and K. Lauter, “Signatures for network coding,” International Journal of Information and Coding Theory, vol. 1, no. 1, p. 3, 2009.
View at: Publisher Site | Google Scholar
R. Gennaro, J. Katz, H. Krawczyk, and T. Rabin, “Secure network coding over the integers,” in Proceedings of the International Association for Cryptologic Research, pp. 142–160, Paris, France, May, 2010.
View at: Publisher Site | Google Scholar
N. Attrapadung and B. Libert, “Homomorphic network coding signatures in the standard model,” Public Key Cryptography - PKC 2011, vol. 6571, pp. 17–34, 2011.
View at: Publisher Site | Google Scholar
D. Boneh and D. M. Freeman, “Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures,” Public Key Cryptography - PKC 2011, vol. 6571, pp. 1–16, 2011.
View at: Publisher Site | Google Scholar
X. Hu, S. Zheng, J. Gong, G. Cheng, G. Zhang, and R. Li, “Enabling linearly homomorphic signatures in network coding-based named data networking,” CFI, vol. 2, pp. 1-2, 2019.
View at: Publisher Site | Google Scholar
C. J. Lin, R. Xue, S. J. Yang, X. Huang, and S. Li, “Linearly homomorphic signatures from lattices,” The Computer Journal, vol. 63, no. 12, pp. 1871–1885, 2020.
View at: Publisher Site | Google Scholar
D. Boneh and D. M. Freeman, “Homomorphic signatures for polynomial functions,” Advances in Cryptology - EUROCRYPT 2011, vol. 6632, pp. 149–168, 2011.
View at: Publisher Site | Google Scholar
D. Catalano, D. Fiore, and B. Warinschi, “Homomorphic signatures with efficient verification for polynomial functions,” Advances in Cryptology - CRYPTO 2014, vol. 8616, pp. 371–389, 2014.
View at: Publisher Site | Google Scholar
M. Ajtai, “Generating Hard Instances of Lattice Problems,” in Proceedings of the twenty-eighth annual ACM symposium on Theory of Computing STOC, pp. 99–108, Philadelphia Pennsylvania USA, July, 1996.
View at: Google Scholar
D. Micciancio and O. Regev, “Worst-case to average-case reductions based on Gaussian measures,” in Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science FOCS, pp. 372–381, Rome, Italy, October, 2004.
View at: Google Scholar
C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing STOC, pp. 197–206, Victoria, British Columbia, Canada, May, 2008.
View at: Publisher Site | Google Scholar
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” Advances in Cryptology - EUROCRYPT 2010, vol. 6110, pp. 523–552, 2010.
View at: Publisher Site | Google Scholar
D. Micciancio and C. Peikert, “Trapdoors for lattices: simpler, tighter, faster, smaller,” Advances in Cryptology - EUROCRYPT 2012, vol. 7237, pp. 700–718, 2012.
View at: Publisher Site | Google Scholar
C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based,” CRYPTO, LNCS, vol. 8042, pp. 75–92, 2013.
View at: Google Scholar
X. Boyen, X. Fan, and E. Shi, “Adaptively secure fully homomorphic signatures based on lattices,” 2014, http://eprint.iacr.org/2014/916.
View at: Google Scholar
S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H)IBE in the standard model,” Advances in Cryptology - EUROCRYPT 2010, vol. 6110, pp. 553–572, 2010.
View at: Publisher Site | Google Scholar
R. Tsabary, “An equivalence between attribute-based signatures and homomorphic signatures, and new constructions for both,” Theory of Cryptography, vol. 10678, pp. 489–518, 2017.
View at: Publisher Site | Google Scholar
H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures,” Topics in Cryptology - CT-RSA 2011, Springer, New York, NY, USA, pp. 376–392, 2011.
View at: Publisher Site | Google Scholar
F. Luo, F. Wang, K. Wang, and K. Chen, “A more efficient leveled strongly-unforgeable fully homomorphic signature scheme,” Information Sciences, vol. 480, pp. 70–89, 2019.
View at: Publisher Site | Google Scholar
D. Apon, X. Fan, and F. Liu, “Vector encoding over lattices and its applications,” 2017, https://eprint.iacr.org/2017/455.
View at: Google Scholar
F. Wang, K. Wang, B. Li, and Y. Gao, “Leveled strongly-unforgeable identity-based fully homomorphic signatures,” Lecture Notes in Computer Science, vol. 9290, pp. 42–60, 2015.
View at: Publisher Site | Google Scholar
C. Wang, B. Wu, and H. Yao, “Leveled adaptively strong-unforgeable identity-based fully homomorphic signatures,” IEEE Access, vol. 8, no. 99, Article ID 119431, 2020.
View at: Publisher Site | Google Scholar
Y. Wang and M. Wang, “A New Fully Homomorphic Signatures from Standard Lattices,” in Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications, Qingdao, China, September, 2020.
View at: Google Scholar
J. Hoffstein, J. Pipher, and J. H. Silverman Ntru, “NTRU: a ring-based public key cryptosystem,” Lecture Notes in Computer Science, vol. 1423, pp. 267–288, 1998.
View at: Publisher Site | Google Scholar
D. Stehlé and R. Steinfeld, “Making NTRU as secure as worst-case problems over ideal lattices,” Advances in Cryptology - EUROCRYPT 2011, vol. 6632, pp. 27–47, 2011.
View at: Publisher Site | Google Scholar
J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte, “NTRUSign: digital signatures using the NTRU lattice,” Topics in Cryptology - CT-RSA 2003, Springer, New York, NY, USA, vol. 2612, pp. 122–140, 2003.
View at: Publisher Site | Google Scholar
D. Barrington, “Bounded-width polynomial-size branching programs recognize exactly those languages in NC¹,” Journal of Computer and System Sciences, vol. 38, pp. 1–5, 1986.
View at: Google Scholar
Y. Yu, G. Xu, and X. Wang, “Provably secure NTRU instances over prime cyclotomic rings,” in Proceedings of the Public-Key Cryptography – PKC 2017, pp. 409–434, Amsterdam, The Netherlands, March, 2017.
View at: Publisher Site | Google Scholar
A. López-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption,” in Proceedings of the Annual ACM Symposium on Theory of Computing STOC, pp. 1219–1234, Quebec, Canada, May, 2012.
View at: Publisher Site | Google Scholar
Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homomorphic encryption without bootstrapping,” ACM Transactions on Computation Theory, vol. 6, no. 3, pp. 1–36, 2014.
View at: Publisher Site | Google Scholar
M. Albrecht, S. Bai, and L. Ducas, “A subfield lattice attack on overstretched NTRU assumptions,” Advances in Cryptology - CRYPTO 2016, vol. 9814, pp. 153–178, 2016.
View at: Publisher Site | Google Scholar
P. Kirchner and P.-A. Fouque, “Revisiting lattice attacks on overstretched NTRU parameters,” Lecture Notes in Computer Science, vol. 10210, pp. 3–26, 2017.
View at: Publisher Site | Google Scholar
J. Ding, J. Deaton, K. Schmidt, Vishakha, and Z. Zhang, “A simple and efficient key reuse attack on NTRU cryptosystem,” 2019, http://eprint.iacr.org/2019/1022.
View at: Google Scholar
M. Albrecht and L. Ducas, “Lattice attacks on NTRU and lwe: a history of refinements,” 2021, http://eprint.iacr.org/2021/799.
View at: Google Scholar
J. Alperin-Sheriff and C. Peikert, “Faster bootstrapping with polynomial error,” Advances in Cryptology - CRYPTO 2014, vol. 8618, pp. 297–314, 2014.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Ruonan Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

294

Downloads

376

Citations