Forward-Secure Linearly Homomorphic Signature Scheme in the Standard Model and Its Application

Abstract

Linearly homomorphic signatures (LHSs) are widely used in scenarios such as network coding and the Internet of Things, but their security faces the serious threat of key leakage. To address this issue, this paper introduces a forward secure mechanism into LHSs, aiming to construct a linearly homomorphic signature (LHS) scheme that can resist the risk of key leakage. By combining the binary tree minimal cover set mechanism with lattice-based extension algorithms, we construct an LHS scheme that supports time-period key updates. We prove its forward secure unforgeability under the standard model (SM) by reducing it to the Short Integer Solution (SIS) problem. To the best of our knowledge, this scheme is the first provably secure lattice-based forward secure linearly homomorphic signature (FSLHS) scheme in the SM, filling a theoretical gap in existing research. Furthermore, we apply this scheme to a smart grid data acquisition system and verify its practicality through concrete performance analysis.

1. Introduction

With the widespread application of network coding and cloud computing technologies, integrity authentication during data transmission and processing has become one of the core challenges in cybersecurity. In network coding architectures [1,2], the combination of data packets by intermediate nodes is vulnerable to pollution attacks, threatening the reliability of the entire network. In cloud computing outsourcing scenarios [3], users need to ensure that any combination of outsourced data by the cloud server is verifiable and authentic. As a cryptographic primitive that allows linear operations on signed data while maintaining validation effectiveness, LHSs offer an excellent solution to these challenges. They enable intermediate nodes or cloud servers to perform secure linear combination directly on signed data vectors, while recipients or users can still verify the integrity and source authenticity of the final results. This approach ensures end-to-end security while enhancing network efficiency and computational scalability.

In 2002, Johnson et al. first provided a formal definition of homomorphic signatures and analyzed their security at the Cryptographers’ Track at the RSA Conference (CT-RSA). The related findings were systematically elaborated in [4]. In 2009, Boneh et al. [5] proposed the first LHS scheme suitable for network coding environments. In 2010, Gennaro et al. [2] further introduced an LHS scheme based on the RSA assumption. Subsequently, scholars conducted extensive research on the efficiency, security, and application scenarios of LHSs, proposing various schemes based on number-theoretic assumptions such as RSA and discrete logarithms [6,7,8,9]. With the advent of quantum algorithms such as Grover’s algorithm [10] and Shor’s algorithm [11], a growing number of researchers have shifted their focus to cryptography resistant to quantum computing attacks. Currently, lattice-based cryptography has become a key research focus among scholars due to its favorable properties and structural advantages.

In 2011, Boneh et al. [12] proposed the first lattice-based LHS scheme. By constructing signatures on a lattice modulo $2q$, where the modulo 2 part encodes the message information and the modulo q part ensures security, this scheme cleverly resolves the difficulty of building homomorphic signatures over ${\mathbb{F}}_2$. Its security is based on the $k-{\mathrm{SIS}}_{q,m}$ hard problem introduced in that paper. In the same year, Boneh and Freeman [13] used the intersection method to encode messages and functions into different lattice cosets, and employed the short basis delegation technique over ideal lattices to construct a polynomial homomorphic signature scheme based on ideal lattices. In 2013, Wang et al. [14] combined a preimage sampling algorithm with a family of hash functions to construct a new LHS scheme. Compared with the scheme in [12], this scheme significantly improved the public key size and signature size, while its security remained based on the standard SIS problem. In 2016, Chen et al. [15] ingeniously combined the Bonsai Tree technique with the intersection method of dual integer lattices to construct the first lattice-based LHS scheme that is provably secure in the SM, where the security relies on the SIS problem over lattices. In 2020, Lin et al. [16] designed two lattice-based LHS schemes using full-rank difference hash functions and linear homomorphic chameleon hash functions, improving the key and signature sizes over the scheme in [15]. In the same year, Cai et al. [17] abandoned the traditional trapdoor-based ’Hash-and-Sign’ paradigm and instead built their scheme based on the SIS hard problem, utilizing the Fiat-Shamir with Aborting framework and uniform sampling techniques. This scheme not only achieves side-channel resistance by avoiding Gaussian sampling but also significantly reduces the sizes of public keys and signatures. In 2024, Chen et al. [18], based on the scheme in [15] and combining pseudorandom function techniques with key homomorphic algorithms, designed the first lattice-based almost tightly secure LHS scheme, which only satisfies unforgeability under selective-tag static-message attacks. Subsequently, Gou et al. [19] introduced the NewBasis and Decompose algorithms to improve the signature size, efficiency, and security of this scheme, constructing a tightly secure LHS scheme, and proved that in addition to satisfying the security properties of [18], this scheme also achieves existential unforgeability under chosen-message attacks.

The security premise of LHSs relies on the confidentiality of keys. However, in dynamic environments such as network coding or cloud computing, the risk of key leakage is high, which could lead to the forgery of all historical data. Forward-secure mechanisms address this issue by periodically updating keys, ensuring that key leaks do not compromise past signatures and limiting the damage to the current period. This technology serves as a core enabler for achieving long-term secure network authentication systems.

The concept of forward-secure signatures was initially proposed by Anderson [20], and later formally defined and instantiated by Bellare and Miner [21], who constructed the first specific scheme. In 2000, Abdalla et al. [22] addresses the problem of excessive computational overhead in the key update process in [21] and proposes a new scheme based on a “certification tree” structure. This scheme uses the underlying signature algorithm to sign tree nodes to generate child node keys, thereby achieving key evolution over time. Furthermore, the security proof of this scheme relies on the unforgeability of the underlying signature algorithm, laying an important foundation for subsequent forward-secure scheme designs based on tree structures. In 2001, Itkis et al. [23] proposes the first forward-secure digital signature scheme with optimal efficiency in both signing and verification. Based on the Guillou–Quisquater signature mechanism, the scheme requires only two modular exponentiations to complete signing and verification, while keeping key and signature sizes compact, significantly outperforming previous forward-secure schemes. Subsequently, a series of improvements were made to enhance the efficiency of forward-secure signatures [24,25,26]. To address the key leakage issue in lattice-based signature systems, forward security mechanisms have been introduced, leading to the construction of a series of forward-secure signature schemes based on lattices. In 2014, Zhang et al. [27] combined the key update algorithm in Reference [28] with lattice-based delegation techniques to propose the first lattice-based forward-secure identity-based signature scheme. In 2019, Ling et al. [29] constructs the first lattice-based forward secure group signature scheme. This scheme utilizes the Bonsai tree structure to realize a scalable key evolution mechanism, and combines zero-knowledge proof techniques to prove full anonymity and forward-secure traceability under the SIS and LWE hard problem assumptions in the random oracle model. In 2020, inspired by [29], Le et al. [30] addresses the key leakage problem in blind signatures by using a binary tree data structure to organize time periods and employing the minimal cover set mechanism to manage key update paths. Combining the Fiat-Shamir transform and rejection sampling techniques, it constructs the first lattice-based forward-secure blind signature scheme. This scheme achieves forward security based on the SIS problem while preserving the blindness property of signatures. Inspired by [29,30], this paper applies the binary tree-based minimum covering set mechanism and lattice-based extension techniques to lattice-based LHSs, constructing the first FSLHS scheme in SM.

To the best of our knowledge, there are currently only two LHS schemes related to forward security. In 2024, Wu et al. [31] first introduced forward security into LHS and proposed an identity-based FSLHS scheme using fixed-dimension lattice delegation techniques and a family of additive homomorphic hash functions. In 2025, Wu et al. [32] utilized bilinear maps and the computational Diffie-Hellman (CDH) hardness assumption to design a FSLHS scheme through binary tree key evolution techniques. The core idea is to regularly update the private key and securely delete old keys to ensure the security of historical signatures. However, the security of both schemes is proven in the random oracle model (ROM), implying that their security may not be guaranteed in practical applications. To address the research gap of provably secure FSLHS schemes in the SM, this paper proposes a lattice-based FSLHS scheme and proves its forward security and unforgeability in the SM.

Our contributions and techniques: To mitigate the impact of key leakage in lattice-based LHS schemes, we incorporate a forward-secure mechanism and propose the first FSLHS scheme in the SM. Technically, we employ a complete binary tree to associate each node with a distinct time period. The root key is generated using the TrapGen algorithm, and keys for subsequent periods are derived via the ExtBasis algorithm. After each key update, the previous key is irrevocably deleted, thereby achieving forward security. We provide the formal definition and security model for FSLHS, and prove that the proposed scheme is forward-secure unforgeable in the SM under the hardness of the SIS problem.

Article Structure: The remaining sections of this paper are organized as follows: Section 2 introduces the basic knowledge and symbolic notation used in this paper. Section 3 presents the formal definition and security model of the FSLHS scheme. Section 4 elaborates on the specific algorithmic procedures of the proposed scheme and provides corresponding security proofs. Section 5 compares and analyzes the strengths and weaknesses of our scheme against existing signature schemes of the same type. Section 6 presents a concrete application scenario of the proposed signature scheme and analyzes the feasibility of the scheme in this scenario. Section 7 summarizes the work of this paper and discusses future research directions.

2. Preliminaries

In this section, we present the basic definitions, lemmas, algorithms, and the meanings of the symbols used in this paper.

2.1. Notation

This section mainly explains the symbols appearing in this paper and their meanings, as shown in

Table 1. Symbols and meanings.

Symbol	Meaning
$O(·)$	$f\left(n\right)=O\left(g\right(n\left)\right)$ means $\exists c>0$ and $n_0\in \mathbb{N}$ such that for $\forall n\ge n_0$, $f\left(n\right)\le c·g\left(n\right)$.
$\tilde{O}(·)$	$f\left(n\right)=\tilde{O}\left(g\left(n\right)\right)$ means $f\left(n\right)=O(g\left(n\right)·{\left(\log n\right)}^c)$ for some constant c.
$\omega (·)$	$f\left(n\right)=\omega \left(g\right(n\left)\right)$ means that for $\forall c>0$, $\exists n_0\in \mathbb{N}$ such that $f\left(n\right)>c·g\left(n\right)$ for $n\ge n_0$.
$\mathrm{poly}\left(n\right)$	$f\left(n\right)=O\left(n^c\right)$ for some constant c.
$\mathrm{negl}\left(n\right)$	$f\left(n\right)=O\left(n^{-c}\right)$ for $c>0$.
$\mathrm{Pr}\left[\mathrm{Event}\right]\ge 1-\mathrm{negl}\left(n\right)$	The event occurs with overwhelming probability.
$\left[k\right]$	The set $\{1,2,3,\dots ,k\}$.
Bold lowercase letters	Vectors. e.g., $\mathbf{z}$, $\mathbf{h}$.
uppercase letters	Matrices. e.g., F, H.
$\mathbf{h}=\left(\begin{array}{c}{h}_1\\ ⋮\\ h_n\end{array}\right)$	An n-dimensional column vector.
$\parallel \mathbf{h}\parallel$	The $l_2$-norm of a vector $\mathbf{h}$.
$H=({\mathbf{h}}_1,\dots ,{\mathbf{h}}_m)$	An $n\times m$ matrix composed of column vectors ${\mathbf{h}}_i$.
$\tilde{T}$	The Gram–Schmidt orthogonalization of a matrix T.
$\mathbf{y}\leftarrow \mathcal{D}$	$\mathbf{y}$ is drawn uniformly at random according to the distribution $\mathcal{D}$.
$\mathbf{y}\stackrel{\$}{⟵}\mathcal{S}$	$\mathbf{y}$ is derived from uniform sampling over the set $\mathcal{S}$.
$y\leftarrow Alg\left(x\right)$	Running algorithm $Alg$ with input x yields output y.

.

2.2. Definitions and Lemmas

In lattice cryptography, an m-dimensional lattice $\Lambda$ is a discrete additive subgroup within the m-dimensional real space ${\mathbb{R}}^m$. Beyond this, the following class of lattices is frequently employed.

Definition 1

(q-ary lattices). Let $X\in {\mathbb{Z}}_q^{n\times m}$, $\mathit{y}\in {\mathbb{Z}}^n$. Two q-ary lattices are

$$\begin{array}{c}\hfill \left(1\right){\Lambda }_q^{\perp }\left(X\right)=\left\{\mathit{u}\in {\mathbb{Z}}^m:X·\mathit{u}\equiv \mathbf{0}\left(\mathrm{mod}q\right)\right\}and\left(2\right){\Lambda }_q^{\mathit{y}}\left(X\right)=\left\{\mathit{u}\in {\mathbb{Z}}^m:X·\mathit{u}\equiv \mathit{y}\left(\mathrm{mod}q\right)\right\}.\end{array}$$

For any $\mathit{x}\in {\mathbb{Z}}^m$, ${\Lambda }_q^{\mathit{y}}\left(X\right)={\Lambda }_q^{\perp }\left(X\right)+\mathit{x}$ such that $X·\mathit{x}\equiv \mathit{y}\left(\mathrm{mod}q\right)$. Here, $\mathbf{0}$ is the zero vector.

Definition 2

(SIS problem [33]). Given an integer modulus $q>2$, an integer $m=poly\left(n\right)$, a dimension n and a randomly generated matrix $A\stackrel{\$}{⟵}{\mathbb{Z}}_q^{n\times m}$. Let β be a parameter such that $0<\beta <q$. The goal is to find a vector $\mathit{x}\in {\mathbb{Z}}^m\setminus \left\{\mathbf{0}\right\}$ satisfying $A·\mathit{x}\equiv \mathbf{0}\left(\mathrm{mod}q\right)$ with $\Vert \mathit{x}\Vert \le \beta .$

The hardness of SIS: With the parameter setting where $m=\mathrm{poly}\left(n\right)$, $\beta >0$, and q is a prime satisfying $q\ge \beta ·\omega \left(\sqrt{n\log n}\right)$, it was proven in [34] that breaking the average-case ${\mathrm{SIS}}_{q,m,\beta }$ is at least as hard as solving worst-case ${\mathrm{SIVP}}_{\gamma }$ (and related lattice problems) to within an approximation factor of $\gamma =\beta ·\tilde{O}\left(\sqrt{n}\right)$. Therefore, solving the SIS problem is hard, and the security of this scheme is based on this assumption. Where SIVP is the abbreviation for the Shortest Independent Vectors Problem.

Definition 3.

Let $s\in {\mathbb{R}}^{+}$ and $\mathit{w}\in {\mathbb{R}}^n$. The Gaussian function is ${\rho }_{s,\mathit{w}}\left(\mathit{x}\right)=e^{-{\displaystyle \frac{\pi }{s^2}}{\Vert \mathit{x}-\mathit{w}\Vert }^2}$, where $\mathit{w}$ is the central vector, and s is the Gaussian parameter. The Gaussian distribution measure ${\mathcal{D}}_{\Lambda ,s,\mathit{w}}$ on the lattice Λ is expressed as ${\mathcal{D}}_{\Lambda ,s,\mathit{w}}={\displaystyle \frac{{\rho }_{s,\mathit{w}}\left(\mathit{x}\right)}{{\rho }_{s,\mathit{w}}(\Lambda )}}$, where ${\rho }_{s,\mathit{w}}(\Lambda )={\sum }_{\mathit{z}\in \Lambda }{\rho }_{s,\mathit{w}}\left(\mathit{z}\right).$ and $\mathit{w}$ can be omitted when $\mathit{w}=\mathbf{0}$.

In the proof of the correctness and security of the scheme in this paper, the following lemmas will be utilized.

Lemma 1

([34]). Let Λ be an m-dimensional lattice, and T be a basis of Λ. If $s> \parallel \tilde{T}\parallel \omega \left(\sqrt{\log m}\right)$, then for any center $\mathbf{v}\in {\mathbb{R}}^m$, we have:

$$\mathrm{Pr}\left\{\parallel \mathbf{x}-\mathbf{v}\parallel >s\sqrt{m}:\mathbf{x}\leftarrow D_{\Lambda ,s,\mathbf{v}}\right\}\le \mathrm{negl}\left(m\right).$$

Equivalently, with overwhelming probability over $\mathbf{x}\leftarrow D_{\Lambda ,s,\mathbf{v}}$, it holds that $\parallel \mathbf{x}-\mathbf{v}\parallel \le s\sqrt{m}$.

In Ref. [12], Boneh and Freeman proved that a linear combination of several mutually independent vectors following discrete Gaussian distributions still follows a discrete Gaussian distribution. The detailed conclusions are presented below.

Lemma 2.

Let $\Lambda \subseteq {\mathbb{Z}}^m$ be a full-rank lattice and $\sigma \in {\mathbb{R}}^{+}$ be a Gaussian parameter. Let ${\mathit{c}}_i\in {\mathbb{Z}}^m$ and let ${\mathit{\alpha }}_i$ be mutually independent samples drawn from ${\mathcal{D}}_{\Lambda +{\mathit{c}}_i,s}$, for $i=1,2,\cdots ,k$. Let $\mathit{b}=(b_1,b_2,\cdots ,b_k)\in {\mathbb{Z}}^k$, and define $g:=gcd(b_1,b_2,\cdots ,b_k)$, $\mathit{c}:={\sum }_{i=1}^k{b}_i{\mathit{c}}_i$. Suppose that $\sigma >\Vert \mathit{b}\Vert {\eta }_{ϵ}(\Lambda )$ for some negligible ϵ. Then, $\mathit{z}={\sum }_{i=1}^k{b}_i{\mathit{\alpha }}_i$ is within negligible statistical distance of ${\mathcal{D}}_{g\Lambda +\mathit{c},\sigma \Vert \mathit{b}\Vert }$.

Lemma 3

([19]). Let $k=\mathrm{poly}\left(m\right)$ be even, $q=\mathrm{poly}\left(m\right)$ satisfy $q>{\left(mk\right)}^2$, and let $\delta >\omega \left(\sqrt{\log m}\right)$. Then the statistical distance between ${\mathcal{D}}_{{\mathbb{Z}}^m,\delta }$ and ${\mathcal{D}}_{{\mathbb{Z}}^m,\delta \sqrt{(k\pm 2)/k}}$ is negligible in m.

2.3. Algorithms

In this section, we introduce the main algorithms used to construct a lattice-based FSLHS scheme, as well as the relevant concepts and properties of SampleDom involved in the security proof.

Theorem 1

([35]). For an odd $q\ge 2$ and integer $m\ge 6n\log q$, $n>0$. There exists a probabilistic polynomial-time (PPT) algorithm $\mathit{TrapGen}(q,n)$ that outputs matrices $A\in {\mathbb{Z}}_q^{n\times m},T_A\in {\mathbb{Z}}^{m\times m}$ where $T_A$ is a basis of ${\Lambda }^{\perp }\left(A\right)$, $\Vert T_A\Vert \le O\left(n\log q\right)\mathrm{and}\Vert \widetilde{T_A}\Vert \le O\left(\sqrt{n\log q}\right)$. Moreover, A is statistically close to uniform over ${\mathbb{Z}}_q^{n\times m}$.

Theorem 2

([19]). Let k be an odd integer with $k=poly\left(m\right)$. Define the sets

$$\begin{array}{cc}\hfill \mathcal{V}& =\left\{\mathit{\upsilon }\in {\mathbb{F}}_2^{2k}\mid \parallel \mathit{\upsilon }\parallel =k-1\right\}\cup \left\{0\right\},\hfill \\ \hfill \mathcal{R}& =\left\{\mathit{\gamma }\in {\mathbb{F}}_2^{2k}\mid \parallel \mathit{\gamma }\parallel =k\right\}\cup \left\{0\right\},\hfill \\ \hfill \mathcal{K}& =\left\{\mathit{\kappa }\in {\mathbb{F}}_2^{2k}\mid \parallel \mathit{\kappa }\parallel =k+1\right\}\cup \left\{0\right\}.\hfill \end{array}$$

The polynomial-time algorithm $\mathit{Decompose}$ takes as input $\mathbf{m}\in {\mathbb{F}}_2^{2k}$ and outputs a pair of vectors $(\mathit{\upsilon },\mathit{\gamma })$ with $\mathit{\upsilon }\in \mathcal{V}$, $\gamma \in \mathcal{R}\cup \mathcal{K}$, and if $\mathbf{m}\ne \mathbf{0}$ then at least one of them is nonzero.

In Ref. [36], a trapdoor extension algorithm is defined: if a matrix F is composed of the concatenation of several matrices, and a trapdoor for one of these matrices is known, then this algorithm can generate a trapdoor for the entire matrix F, with the norm of the resulting trapdoor being equal to that of the known matrix trapdoor. This algorithm is referred to as ExtBasis, and its specific definition is as follows:

Theorem 3.

Let $F=[A_0\parallel A_1\parallel A_2]$ be the concatenation of three matrices $A_0,A_1,A_2\in {\mathbb{Z}}_q^{n\times m}$. If $T_{A_i}$ is a basis of ${\Lambda }_q^{\perp }\left(A_i\right)$, where $i\in \{0,1,2\}$, then there exists a deterministic polynomial-time algorithm $\mathit{ExtBasis}(F,T_{A_i})$ that outputs a basis $T_F$ of ${\Lambda }_q^{\perp }\left(F\right)$, satisfying $\parallel \widetilde{T_F}\parallel =\parallel \widetilde{T_{A_i}}\parallel$.

Theorem 4

([37]). Let m-dimensional lattice Λ and $0<ϵ<1$. Matrix $T_B$ is a short basis for ${\Lambda }^{\perp }\left(B\right)$, $s\ge \Vert \widetilde{T_B}\Vert \omega \left(\sqrt{\log m}\right)$ and $\mathit{u}\in {\mathbb{Z}}^{\mathit{n}}$. There exists a PPT algorithm $\mathit{SamplePre}(B,T_B,\mathit{u},s)$ that returns a vector $\mathit{x}\in {\Lambda }_q^{\mathit{u}}$ sampled from a distribution statistically close to ${\mathcal{D}}_{{\Lambda }_q^{\mathit{u}}\left(B\right),s}$ whenever ${\Lambda }_q^{\mathit{u}}\left(B\right)$ is not empty.

$\mathbf{SampleDom}(1^m,s)$ is an algorithm that can sample from the distribution ${\mathcal{D}}_{{\mathbb{Z}}^m,s}$ on ${\mathbb{Z}}^m$, where $s\ge \omega \left(\sqrt{\log m}\right)$. That is, if $\mathbf{h}$ is output by $\mathbf{SampleDom}(1^m,s)$, then $\mathbf{h}$ is statistically close to a sample from ${\mathcal{D}}_{{\mathbb{Z}}^m,s}$.

Theorem 5

([37]). Let q be a prime, $m\ge 2n\log q$ be an integer, and the parameter $s\ge \omega \left(\sqrt{\log m}\right)$. Then for all but a 2$q^{-n}$ fraction of $A\in {\mathbb{Z}}_q^{n\times m}$, and for $\mathbf{h}\leftarrow \mathit{SampleDom}(1^m,s)$, the vector $\mathit{\alpha }=A·\mathbf{h}\mathrm{mod}q$ follows a distribution that is statistically close to the uniform one over ${\mathbb{Z}}_q^n$. Moreover, given α, the conditional distribution of $\mathbf{h}$ is ${\mathcal{D}}_{{\Lambda }_q^{\alpha }\left(A\right),s}$.

3. The FSLHS Scheme: Formal Definition and Security Model

In this section, we first present the formal definition of the FSLHS scheme, detailing its five constituent algorithms. We then proceed to construct its security model through a game-based experiment.

3.1. Formal Definition of FSLHS

FSLHS schemes employ a one-way key evolution mechanism, dividing the key lifecycle into multiple time periods, where each period uses a distinct key for signing. Keys are updated forward through one-way transformations, with old keys securely deleted, while the public key remains unchanged throughout. This design ensures that even if the current secret key is leaked, an attacker cannot forge signatures from previous time periods. This scheme includes five algorithms: Setup, KeyUpdate, Sign, Combine, Verify. The specific definition of the scheme is as follows.

Definition 4.

An FSLHS scheme is a tuple of probabilistic polynomial-time algorithms (Setup, KeyUpdate, Sign, Combine, Verify), as follows:

$(pp,pk,s{k}_0)⟵\mathit{Setup}(n,T)$: Taking the security parameter n and T time periods as input, where $T=2^d$ for some $d\in \mathbb{N}$, it generates the public parameters $pp$, public key $pk$, and initial private key $s{k}_0$. The public parameters $pp$ define the message space $\mathcal{M}$, signature space $\mathcal{S}$, tag space $\mathcal{T}$, and the maximum number L of messages that are allowed to be combined under a single tag.

$\left(s{k}_{t+1}\right)⟵\mathit{Keyupdate}(t,s{k}_t)$: Takes the time period $t\in \{0,1,2,\cdots ,T-1\}$ and $s{k}_t$ for that period as input, generates $s{k}_{t+1}$ for time period $t+1$, and finally deletes the y $s{k}_t$ from time period t.

$\left({\sigma }_i\right)⟵\mathit{Sign}(pp,pk,t,s{k}_t,\tau ,{\mathbf{m}}_i)$: Input the $pp$, the $pk$, the time period t, the $s{k}_t$ for that period, a tag $\tau \in \mathcal{T}$, and a message ${\mathbf{m}}_i$ from the message subspace V labeled by τ, where $V\subset \mathcal{M}$. Finally, output the signature ${\sigma }_i\in \mathcal{S}$ for message ${\mathbf{m}}_i$ in time period t.

$\left(\sigma \right)⟵\mathit{Combine}(pp,t,\tau ,{\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l)$: Input the $pp$, the time period t, the tag τ, and a set of tuples ${\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l$, where $c_i\in \{0,1\}$, $l<L$, and ${\sigma }_i\in \mathcal{S}$ is the signature of ${\mathit{m}}_i\in \mathcal{M}$ at time period t. This algorithm generates the signature $\sigma ={\sum }_{i=1}^l{c}_1{\sigma }_i\in \mathcal{S}$ for $\mathbf{m}={\sum }_{i=1}^l{c}_i{\mathbf{m}}_i\in \mathcal{M}$ at time period t.

$\left(0or1\right)⟵\mathit{Verify}(pk,t,\tau ,\mathbf{m},\sigma )$: Input the $pk$, the time period t, the tag $\tau \in \mathcal{T}$, the message $\mathbf{m}$ from $V\subset \mathcal{M}$ it identifies, and the signature $\sigma \in \mathcal{S}$. If the signature σ is valid, output “1” (accept). Otherwise, output “0” (reject).

$\mathit{Correctness}$: The FSLHS scheme requires that two types of signatures can be accepted by the verification algorithm: the original individual signature ${\sigma }_i\in \mathcal{S}$, and the combined signature $\sigma \in \mathcal{S}$ generated by the combination algorithm. The specific verification process is as follows:

(1) 

For any τ and any message ${\mathbf{m}}_i$ from the subspace $V\subset \mathcal{M}$ it identifies, if the signature ${\sigma }_i⟵\mathit{Sign}(pp,pk,t,s{k}_t,\tau ,{\mathbf{m}}_i)$ at time period t, then the verification algorithm satisfies

$$1⟵\mathit{Verify}(pk,t,\tau ,{\mathbf{m}}_i,{\sigma }_i).$$

(2) 

If the signature ${\sigma }_i⟵\mathit{Sign}(pp,pk,t,s{k}_t,\tau ,{\mathbf{m}}_i)$ at time period t, then the verification algorithm satisfies

$$1⟵\mathit{Verify}(pk,t,\tau ,\mathbf{m}={\displaystyle \sum _{i=1}^l}{c}_i{\mathbf{m}}_i,\mathit{Combine}(pp,t,\tau ,{\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l)).$$

To more intuitively demonstrate the logical relationships, execution order, and data flow among the five algorithms mentioned above (Setup, KeyUpdate, Sign, Combine, Verify), Figure 1 presents a schematic diagram of the overall workflow of the FSLHS scheme.

3.2. Security Model of FSLHS

The security model for FSLHS schemes is derived from the standard LHS security model by incorporating forward security requirements. Specifically, this model mandates that even after an adversary performs a series of queries, if the adversary outputs a forged tuple $({\mathbf{m}}^{*},t^{*},{\tau }^{*},{\sigma }^{*})$ containing the message ${\mathbf{m}}^{*}$, time period $t^{*}<T$, tag ${\tau }^{*}$, and signature ${\sigma }^{*}$, the advantage of the adversary in making the verification algorithm Verify$(pk,{\mathbf{m}}^{*},t^{*},{\tau }^{*},{\sigma }^{*})$ output “1” must be negligible. This security property is typically formalized through an interactive game between the adversary $\mathcal{A}$ and the challenger $\mathcal{C}$, with the detailed definition as follows:

Definition 5

(Forward-secure unforgeability). If for any PPT adversary $\mathcal{A}$, the advantage of winning the following game under the security parameter n is negligible, then the scheme satisfies forward-secure unforgeability.

Setup: $\mathcal{A}$ sends the security parameter n to $\mathcal{C}$. $\mathcal{C}$ obtains the public parameters $pp$, the public key $pk$, and the initial secret key $s{k}_0$ by executing the Setup. Finally, $\mathcal{C}$ sends $pp$ and $pk$ to $\mathcal{A}$, while keeping $s{k}_0$ confidential.

Queries: $\mathcal{A}$ can adaptively make a polynomial number of signature queries in any time period t. When $\mathcal{A}$ wishes to advance to the next period, it submits a key update query to $\mathcal{C}$ and obtains the key $s{k}_{t+1}$ for the time period $t+1$. Note that once $\mathcal{A}$ obtains $s{k}_{t+1}$, it can no longer make any queries for previous periods. $\mathcal{A}$ may choose to stop querying at any time by submitting a break-in time $\overline{t}\le T-1$, thereby initiating a break-in query. After that, $\mathcal{A}$ is not allowed to make any further queries. The specific response process of $\mathcal{C}$ to all the above queries is as follows:

Keyupdate queries: For time period t, $\mathcal{A}$ sends t to $\mathcal{C}$. $\mathcal{C}$ checks whether $t<T-1$ holds. If it does, $\mathcal{C}$ executes the $\mathbf{Keyupdate}(t,s{k}_t)$ to obtain the key $s{k}_{t+1}$ corresponding to $t+1$ and returns it to $\mathcal{A}$. Otherwise, $\mathcal{C}$ returns ⊥, indicating that the update has failed.

Sign queries: $\mathcal{A}$ submits to $\mathcal{C}$ the time period $t<T-1$ and the basis vectors ${\mathbf{m}}_1,\dots ,{\mathbf{m}}_k$ of the message subspace V to be signed. Upon receiving V, $\mathcal{C}$ selects a tag $\tau \stackrel{\$}{⟵}{\{0,1\}}^k$, then generates signatures ${\sigma }_i$ by executing the $\mathbf{Sign}(pp,t,s{k}_t,\tau ,{\mathbf{m}}_i)$ for $i=1,2,\dots ,k$ and returns the set of signatures ${\left\{{\sigma }_i\right\}}_{i=1}^k$ to $\mathcal{A}$.

Break-in query: $\mathcal{A}$ selects and sends a break-in time $\overline{t}$ (satisfying $\overline{t}<T-1$) to $\mathcal{C}$. $\mathcal{C}$ returns the corresponding secret key $s{k}_{\overline{t}}$ for time period $\overline{t}$ to $\mathcal{A}$. After this, the game immediately enters the output phase. That is to say, apart from being allowed to output only one forgery, $\mathcal{A}$ is not permitted to make any signature or key update queries.

Forgery: $\mathcal{A}$ outputs a forged tuple $(t^{\prime },{\tau }^{\prime },{\mathbf{m}}^{\prime },{\sigma }^{\prime })$, where the time period satisfies $t^{\prime }<T-1$, ${\tau }^{\prime }$ is a tag, the message ${\mathbf{m}}^{\prime }\in V^{\prime }$ labeled by ${\tau }^{\prime }$, and ${\sigma }^{\prime }$ is the signature for ${\mathbf{m}}^{\prime }$. $\mathcal{A}$ is said to win the game if the forgery satisfies the following conditions:

(1)

For time period $t^{\prime }<\overline{t}$, the tuple $(t^{\prime },{\tau }^{\prime },{\mathbf{m}}^{\prime })$ has never been queried for a signature.

(2)

The signature verification result satisfies $1\leftarrow \mathbf{Verify}(pk,t^{\prime },{\tau }^{\prime },{\mathbf{m}}^{\prime },{\sigma }^{\prime })$.

(3)

It conforms to one of the following two types:

(a)

Type 1: For all signature queries involving a tag $\tau$ in time period $t^{\prime }$, ${\tau }^{\prime }\ne \tau$.

(b)

Type 2: There exists some $\tau$ such that ${\tau }^{\prime }=\tau$, but ${\mathbf{m}}^{\prime }\notin V$, where V denotes the subspace spanned by the vectors ${\left\{{\mathbf{m}}_i\right\}}_{i=1}^k$ and is labeled by $\tau$ in time period $t^{\prime }$.

The above security game involves multiple time periods and various types of adversary queries (Keyupdate queries, Sign queries, Break-in query). The temporal logic among these directly determines the constraints of forward-secure unforgeability. To more intuitively illustrate the relationship between these queries and time periods, we present a timeline diagram in Figure 2. In the figure, the black dots above the time axis represent signature queries for the corresponding time periods, and the blue arrows below the time axis indicate the signature queries for those time periods.

4. Lattice-Based FSLHS Scheme

In this section, we primarily focus on the foundation and core aspects of the scheme construction. First, we provide a detailed explanation of the correspondence between the leaf nodes of the binary tree and the time periods, and elaborate on how to construct the corresponding matrix and generate its trapdoor based on the binary representation of the nodes, in preparation for the key update algorithm. Subsequently, we present the specific design of the lattice-based FSLHS scheme and provide a complete proof of its correctness and security.

4.1. Time Periods on a Binary Tree

Inspired by [30], consider a complete binary tree of depth d. We assign the time periods $t\in \{0,1,\dots ,2^d-1\}$ to its leaf nodes, arranging them from left to right in increasing order. For a given time period t, there is a unique path $t=(t_1,\dots ,t_d)$ from the root node $ϵ$ to the corresponding leaf node, where at each level $i\in \left[d\right]$, $t_i=0$ indicates a left branch and $t_i=1$ indicates a right branch (as shown in Figure 3). Thus, for binary tree nodes with depth less than d, where $i\ne d$, a node ${\nu }^{\left(i\right)}$ at level i can be described by a unique binary bit string ${\nu }^{\left(i\right)}=({\nu }_1,\dots ,{\nu }_i)$ corresponding to the path from the root to that node, where ${\nu }_i\in \{0,1\}$. This means that for a node ${\nu }^{\left(i\right)}=({\nu }_1,\dots ,{\nu }_i)$, we can construct the corresponding matrix $F_{{\nu }^{\left(i\right)}}=\left[A_0\parallel A_1^{\left({\nu }_1\right)}\parallel \dots \parallel A_i^{\left({\nu }_i\right)}\right]$. Correspondingly, for a leaf node (the time period $t=(t_1,\dots ,t_d)$), we can construct the matrix $F_t=\left[A_0\parallel A_1^{\left(t_1\right)}\parallel \dots \parallel A_d^{\left(t_d\right)}\right]$. Here, $A_0$ and its associated trapdoor $T_{A_0}$ are generated by the TrapGen, and for all $i\in \left[d\right]$ and $b\in \{0,1\}$, the matrices $A_i^{\left(b\right)}$ are chosen uniformly at random.

Next, we describe the process of generating leaf node trapdoors from the root node trapdoor. Let $A_0$ be the matrix corresponding to the root node, and let $T_{A_0}$ be the trapdoor of ${\Lambda }^{\perp }\left(A_0\right)$. Each node ${\nu }^{\left(i\right)}=({\nu }_1,\cdots ,{\nu }_i)$ corresponds to the matrix $F_{{\nu }^{\left(i\right)}}$. By inputting $F_{{\nu }^{\left(i\right)}}$ and $T_{A_0}$ into the ExtBasis, we can obtain the trapdoor $T_{{\nu }^{\left(i\right)}}$ of ${\Lambda }^{\perp }\left(F_{{\nu }^{\left(i\right)}}\right)$, i.e.,

$$T_{{\nu }^{\left(i\right)}}\leftarrow \mathbf{ExtBasis}(F_{{\nu }^{\left(i\right)}},T_{A_0}),\mathrm{where}{F}_{{\nu }^{\left(i\right)}}=\left[A_0\parallel A_1^{\left({\nu }_1\right)}\parallel A_2^{\left({\nu }_2\right)}\parallel \cdots \parallel A_i^{\left({\nu }_i\right)}\right].$$

If the trapdoor $T_{{\nu }^{\left(k\right)}}$ of any ancestor node ${\nu }^{\left(k\right)}$ ($k<i$) of node ${\nu }^{\left(i\right)}$ is known, then $T_{{\nu }^{\left(i\right)}}$ can be derived. Let ${\nu }^{\left(i\right)}=({\nu }_1,\cdots ,{\nu }_k,{\nu }_{k+1},\cdots ,{\nu }_i)$, then we have

$$T_{{\nu }^{\left(i\right)}}\leftarrow \mathbf{ExtBasis}(F_{{\nu }^{\left(i\right)}},T_{{\nu }^{\left(k\right)}}),\mathrm{where}{F}_{{\nu }^{\left(i\right)}}=\left[A_0\parallel A_1^{\left({\nu }_1\right)}\parallel \cdots \parallel A_k^{\left({\nu }_k\right)}\parallel \cdots \parallel A_i^{\left({\nu }_i\right)}\right].$$

Therefore, as long as the trapdoor of any ancestor node of a given time period (corresponding to a leaf node) is known, the trapdoor for that time period can be derived.

4.2. Design of Our Scheme

As described in Section 3.1, the FSLHS scheme typically consists of the $\mathbf{Setup}$, $\mathbf{Keyupdate}$, $\mathbf{Sign}$, $\mathbf{Combine}$, and $\mathbf{Verify}$ algorithms. The lattice-based FSLHS scheme proposed in this paper also follows this framework, with the specific definitions of each algorithm as follows.

$\mathbf{Setup}(n,T)$: Taking the security parameter n and the total number of time periods $T=2^d$ (where d is the depth of the binary tree) as inputs, the Key Generation Center (KGC) selects the following parameters: L denotes the maximum number of signatures that can be combined, an even integer $k=\mathrm{poly}\left(n\right)$, an integer $m=\lceil 6n\log q\rceil$, a prime number $q>{\left(Lmk\right)}^2$, a Gaussian parameter $\delta \ge \sqrt{2km\log q}\log m$, a tag space $\mathcal{T}={\{0,1\}}^k$, a message space $\mathcal{M}={\mathbb{F}}_2^k$, and a signature space $\mathcal{S}={\mathbb{Z}}^{(d+1)m}$. The KGC then performs the following operations:

(1)

Randomly select k vectors ${\mathbf{a}}_1,{\mathbf{a}}_2,\cdots ,{\mathbf{a}}_k$ from ${\mathbb{Z}}_q^n$.

(2)

Randomly select $2d$ matrices $A_1^{\left(0\right)},A_1^{\left(1\right)},A_2^{\left(0\right)},A_2^{\left(1\right)},\cdots ,A_d^{\left(0\right)},A_d^{\left(1\right)}$ from ${\mathbb{Z}}_q^{n\times m}$.

(3)

Execute the TrapGen$(n,m,q)$ to obtain a pair of matrices $(A_0,T_{A_0})$, where $A_0$ is the matrix for the root node and $T_{A_0}$ is its associated trapdoor matrix.

(4)

Output the public parameters $pp=\{n,m,q,d,k,L,\delta ,\mathcal{T},\mathcal{M},\mathcal{S},{\left\{{\mathbf{a}}_j\right\}}_{j=1}^k,A_1^{\left(0\right)},A_1^{\left(1\right)},A_2^{\left(0\right)},$ $A_2^{\left(1\right)},\cdots ,A_d^{\left(0\right)},A_d^{\left(1\right)}\}$, the public key $pk=A_0$, and the initial secret key ${sk}_{ϵ}=T_{A_0}$.

$\mathbf{Keyupdate}(pp,pk,t,s{t}_t)$: Given the public parameters $pp$, the time period t, the secret key $s{k}_t$ for this time period, and the public key $pk$, the signer executes this algorithm to generate the secret key $s{k}_{t+1}$ for the next time period $t+1$. The specific key update process is as follows.

For any leaf node t, define its minimal cover set $\mathbf{Node}\left(t\right)$ as the smallest set of nodes that satisfies the following condition: the set contains all ancestors of the leaves in $\{t,\dots ,T-1\}$, but does not contain any ancestor of the leaves in $\{0,\dots ,t-1\}$. For example, in Figure 3, $\mathbf{Node}\left(0\right)=\left\{ϵ\right\}$, $\mathbf{Node}\left(1\right)=\{001,01,1\}$, $\mathbf{Node}\left(2\right)=\{01,1\}$ (i.e., two red circles in Figure 3), $\mathbf{Node}\left(3\right)=\{011,1\}$, $\mathbf{Node}\left(4\right)=\left\{1\right\}$, $\mathbf{Node}\left(5\right)=\{101,11\}$, $\mathbf{Node}\left(6\right)=\left\{11\right\}$, and $\mathbf{Node}\left(7\right)=\left\{111\right\}$.

The secret key $s{k}_t$ at time period t is defined as the set of trapdoors corresponding to all nodes in $\mathbf{Node}\left(t\right)$, i.e., $s{k}_t=\{T_{\nu }\mid \nu \in \mathbf{Node}\left(t\right)\}$. The key to this construction is the $\mathbf{ExtBasis}$ algorithm. If the trapdoor $T_{\mathsf{anc}}$ of an ancestor node $\mathsf{anc}$ is known, then the trapdoor $T_{\mathsf{desc}}$ of any descendant node $\mathsf{desc}$ can be derived, because the matrix $F_{\mathsf{desc}}$ is a concatenation of $F_{\mathsf{anc}}$ with additional random matrices (see Section 4.1 for details). This one-way derivability ($T_{\mathsf{anc}}\to T_{\mathsf{desc}}$) enables forward security: $\mathbf{Node}\left(t\right)$ contains the “latest” ancestor trapdoors that suffice to generate all necessary leaf trapdoors for time period t and future periods, while older trapdoors (which could have been compromised) are discarded. Consequently, the minimal cover set provides exactly the minimal set of trapdoors required for the current and all subsequent time periods.

The secret key $s{k}_t$ at time period t contains the trapdoors corresponding to all nodes in $\mathbf{Node}\left(t\right)$. Taking Figure 3 as an example, we have $s{k}_0=s{k}_{ϵ}=\left\{T_{A_0}\right\}$, $s{k}_1=\{T_{001},T_{01},T_1\}$, where $T_{001}$, $T_{01}$, and $T_1$ are the trapdoors associated with the matrices $F_{001}=[A_0\parallel A_1^{\left(0\right)}\parallel A_2^{\left(0\right)}\parallel A_3^{\left(1\right)}]$, $F_{01}=[A_0\parallel A_1^{\left(0\right)}\parallel A_2^{\left(1\right)}]$, and $F_1=[A_0\parallel A_1^{\left(1\right)}]$, respectively.

To update the secret key from $s{k}_t$ to $s{k}_{t+1}$, the signer first determines the minimal cover set $\mathbf{Node}(t+1)$. Then, using the trapdoors in $s{k}_t$ (as described in Section 4.1), the signer derives the trapdoors for all nodes in $\mathbf{Node}(t+1)\setminus \mathbf{Node}\left(t\right)$. Finally, the signer deletes all trapdoors corresponding to the nodes in $\mathbf{Node}\left(t\right)\setminus \mathbf{Node}(t+1)$. For instance, since $\mathbf{Node}\left(2\right)\setminus \mathbf{Node}\left(1\right)=\{01,1\}$ and $\mathbf{Node}\left(1\right)\setminus \mathbf{Node}\left(2\right)=\left\{001\right\}$, it follows that $s{k}_2=\{T_{01},T_1\}$.

$\mathbf{Sign}(pp,\tau ,t,s{k}_t,{\mathbf{m}}_i)$: The signer takes as input the $pp$, the time period t along with its corresponding key $s{k}_t$, a tag $\tau =({\tau }_1,{\tau }_2,\cdots ,{\tau }_k)\in \mathcal{T}$, and the subspace $V\subset \mathcal{M}$ tagged by $\tau$ whose basis vectors are ${\mathbf{m}}_1,\cdots ,{\mathbf{m}}_k$. For each basis vector ${\mathbf{m}}_i=(m_{i1},m_{i2},\cdots ,m_{ik})(1\le i\le k)$, the signer performs the following operations:

(1)

Construct the matrix $F_t=[A_0\parallel A_1^{\left(t_1\right)}\parallel \cdots \parallel A_d^{\left(t_d\right)}]$ according to the time period $t=(t_1,\cdots ,t_d)$.

(2)

Check whether the trapdoor $T_t$ corresponding to $F_t$ is contained in $s{k}_t$. If not, extract the trapdoor corresponding to the ancestor nodes of t from $s{k}_t$ and invoke the ExtBasis to generate $T_t$ (this is because not all trapdoors corresponding to leaf nodes are directly stored in $s{k}_t$. For example, when $t=2$, its binary representation is $\left(010\right)$, while the corresponding trapdoor $T_{010}$ is not in $s{k}_2=\{T_{01},T_1\}$).

(3)

Execute the $\mathbf{Decompose}\left({\mathbf{m}}_i\right)$ to obtain a pair of vectors $({\upsilon }_i,{\gamma }_i)$, where ${\mathbf{m}}_i=(m_{i1},\cdots ,m_{ik})={\upsilon }_i+{\gamma }_i$, ${\upsilon }_i=({\upsilon }_{i1},\dots ,{\upsilon }_{ik})$ and ${\gamma }_i=({\gamma }_{i1},\dots ,{\gamma }_{ik})$.

(4)

Determine whether there exists a zero vector in $({\upsilon }_i,{\gamma }_i)$. If so, compute

$${\mathbf{h}}_i={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{m}_{ij}{\mathbf{a}}_j,$$

and invoke the $\mathbf{SamplePre}(F_t,T_t,{\mathbf{h}}_i,\delta )$ to output the signature ${\sigma }_i$. Otherwise, compute

$$\mathbf{h}\left({\mathit{\upsilon }}_i\right)={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{\upsilon }_{ij}{\mathbf{a}}_j\mathrm{and}\mathbf{h}\left({\mathit{\gamma }}_i\right)={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{\gamma }_{ij}{\mathbf{a}}_j,$$

then invoke

$$\mathbf{SamplePre}(F_t,T_t,\mathbf{h}\left({\mathit{\upsilon }}_i\right),\delta )\mathrm{and}\mathbf{SamplePre}(F_t,T_t,\mathbf{h}\left({\mathit{\gamma }}_i\right),\delta )$$

respectively to obtain $\sigma \left({\mathit{\upsilon }}_i\right)$ and $\sigma \left({\mathit{\gamma }}_i\right)$, and finally output

$${\sigma }_i=\sigma \left({\mathit{\upsilon }}_i\right)+\sigma \left({\mathit{\gamma }}_i\right).$$

(5)

Regard ${\sigma }_i$ as the signature of the vector ${\mathbf{m}}_i$ within time period t.

$\mathbf{Combine}(pp,\tau ,t,{\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l)$: Given the $pp$, the time period t, the tag $\tau =({\tau }_1,{\tau }_2,\cdots ,{\tau }_k)\in {\{0,1\}}^k$, and a tuple set ${\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l$, where $l\le L$, $c_i\in \{0,1\}$ and each ${\sigma }_i$ is obtained via $\mathbf{Sign}(pp,\tau ,t,s{k}_t,{\mathbf{m}}_i)$, the algorithm outputs the signature $\sigma ={\sum }_{i=1}^l{c}_i{\sigma }_i$ for the message $\mathbf{m}={\sum }_{i=1}^l{c}_i{\mathbf{m}}_i$ in time period t.

$\mathbf{Verify}(t,\tau ,p{k}_t,\mathbf{m},\sigma )$: Given the time period t, public key $p{k}_t$, a tag $\tau =({\tau }_1,{\tau }_2,\cdots ,{\tau }_k)\in {\{0,1\}}^k$, a vector $\mathbf{m}\in V$, and a signature $\sigma$, the verification process is as follows:

(1)

Compute $\mathbf{h}={\sum }_{j=1}^l{c}_j{\mathbf{h}}_j$, where ${\mathbf{h}}_j={\sum }_{i=1}^k{(-1)}^{{\tau }_i}{m}_{ji}{\mathbf{a}}_i$.

(2)

If the following conditions are satisfied:

(a)

$F_t\sigma \mathrm{mod}q=\mathbf{h}$;

(b)

$\parallel \sigma \parallel <2L\delta \sqrt{2k(d+1)m}$, then the algorithm outputs “1”. Otherwise, it outputs “0”.

Note: Since the methods for handling correctness and security proofs are the same whether the vector decomposition of the message ${\mathbf{m}}_i$ into a pair of vectors results in one zero vector or no zero vectors, without loss of generality, we only consider the case where ${\mathbf{m}}_i$ is decomposed into two non-zero vectors in the subsequent analysis.

4.3. Correctness

We demonstrate that signatures generated by the signature algorithm and the combination algorithm in this scheme can all be successfully verified by the verification algorithm.

Verify the signature ${\sigma }_i$: For the signature ${\sigma }_i$ generated by the $\mathbf{Sign}(pp,\tau ,t,s{k}_t,{\mathbf{m}}_i)$, according to Lemma 1 and Theorem 4, the following expressions hold:

$$\parallel {\sigma }_i\parallel = \parallel \sigma \left({\mathit{\upsilon }}_i\right)+\sigma \left({\mathit{\gamma }}_i\right)\parallel \le \parallel \sigma \left({\mathit{\upsilon }}_i\right)\parallel +\parallel \sigma \left({\mathit{\gamma }}_i\right)\parallel \le 2\delta \sqrt{(d+1)m} \le 2L\delta \sqrt{2k(d+1)m}$$

and

$$\begin{array}{cc}\hfill F_t{\sigma }_i\mathrm{mod}q& =F_t(\sigma \left({\mathit{\upsilon }}_i\right)+\sigma \left({\mathit{\gamma }}_i\right))\mathrm{mod}q=\mathbf{h}\left({\mathit{\upsilon }}_i\right)+\mathbf{h}\left({\mathit{\gamma }}_i\right)\hfill \\ \hfill & ={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{\upsilon }_{ij}{\mathbf{a}}_j+{\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{\gamma }_{ij}{\mathbf{a}}_j\hfill \\ \hfill & ={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}({\upsilon }_{ij}+{\gamma }_{ij}){\mathbf{a}}_j\hfill \\ \hfill & ={\displaystyle \sum _{j=1}^k}{(-1)}^{{\tau }_j}{m}_{ij}{\mathbf{a}}_j={\mathbf{h}}_i.\hfill \end{array}$$

Thus, the output result of the $\mathbf{Sign}$ passes the verification performed by the $\mathbf{Verify}$.

Verify the combined signature $\sigma$: Given a time period t, a tag $\tau$, and a tuple set ${\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l$, where $l\le L,$$c_i\in \{0,1\}$ and ${\sigma }_i$ generated by the $\mathbf{Sign}(pp,\tau ,t,s{k}_t,{\mathbf{m}}_i)$, it is required to prove that $\mathbf{Verify}(t,\tau ,p{k}_t,\mathbf{m}={\sum }_{i=1}^l{c}_i{\mathbf{m}}_i,\mathbf{Combine}(pp,\tau ,t,{\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l))$ outputs “1”. According to the Combine, $\sigma ={\sum }_{i=1}^l{c}_i{\sigma }_i$ is a signature for the message $\mathbf{m}={\sum }_{i=1}^l{c}_i{\mathbf{m}}_i$ output by the algorithm. Hence the following holds:

$$\begin{array}{c}\hfill \parallel \sigma \parallel = \parallel {\displaystyle \sum _{i=1}^l}{c}_i{\sigma }_i\parallel \le 2L\delta \sqrt{(d+1)m} \le 2L\delta \sqrt{2k(d+1)m}.\end{array}$$

Since ${\sigma }_i$ is generated by $\mathbf{sign}(pp,\tau ,t,s{k}_t,{\mathbf{m}}_i)$, we have $F_t{\sigma }_i\mathrm{mod}q={\mathbf{h}}_i$. It then follows that

$$\begin{array}{c}\hfill F_t\sigma \mathrm{mod}q=F_t{\displaystyle \sum _{i=1}^l}{c}_i{\sigma }_i\mathrm{mod}q={\displaystyle \sum _{i=1}^l}{c}_i{F}_t{\sigma }_i\mathrm{mod}q={\displaystyle \sum _{i=1}^l}{c}_i{\mathbf{h}}_i=\mathbf{h}.\end{array}$$

Therefore, the output of $\mathbf{Verify}(t,\tau ,p{k}_t,\mathbf{m}={\sum }_{i=1}^l{c}_i{\mathbf{m}}_i,\mathbf{Combine}(pp,\tau ,t,{\left\{(c_i,{\sigma }_i)\right\}}_{i=1}^l))$ being “1” is proved. In conclusion, the proposed scheme satisfies correctness.

4.4. Forward-Secure Unforgeability

This section proves the security of our scheme by reducing it to the hardness of the SIS problem over lattices. Specifically, if there exists a PPT adversary that can forge a signature for a certain time period with a non-negligible advantage, then a challenger can solve an instance of the SIS problem with non-negligible probability. Hence, this demonstrates that our scheme satisfies forward-secure unforgeability.

Theorem 6

(Forward-secure unforgeability). If there exists a PPT adversary $\mathcal{A}$ that achieves a non-negligible advantage ε in breaking the unforgeability of the forward-secure signature scheme with a total of $T=2^d$ time periods, then we can construct a PPT algorithm $\mathcal{C}$ such that $\mathcal{C}$ solves the ${\mathrm{SIS}}_{q,n,(2d+1)m,\beta }$ problem with probability at least ${\displaystyle \frac{(1-2^{-\omega \left(\log m\right)})\epsilon }{T}}$, where $\beta =2L\delta \sqrt{2k(d+1)m}$ and d is the depth of the binary tree.

Proof. 

Suppose $\mathcal{C}$ aims to solve an SIS instance $F\mathbf{v}=0\mathrm{mod}q$, where $F=[A_0\parallel U_1^{\left(0\right)}\parallel U_1^{\left(1\right)}\parallel U_2^{\left(0\right)}\parallel U_2^{\left(1\right)}\parallel \cdots \parallel U_d^{\left(0\right)}\parallel U_d^{\left(1\right)}]\in {\mathbb{Z}}_q^{n\times (2d+1)m}$ with $A_0,U_i^{\left(b\right)}\in {\mathbb{Z}}_q^{n\times m}$, $i=1,2,\cdots ,d$ and $b\in \{0,1\}$.

Setup: First, $\mathcal{C}$ selects a target time period $t^{*}=(t_1^{*},t_2^{*},\dots ,t_d^{*})\le T-1$, and $\mathcal{A}$ needs to guess this period. Therefore, $\mathcal{A}$ chooses a time period $t\stackrel{\$}{⟵}\{0,1,\dots ,T-1\}$. Hence, the probability that $\mathcal{A}$ correctly guesses $t^{*}$ is $1/T$. Then $\mathcal{C}$ obtains the secret key through the following procedure:

(1)

For each $i\in \left[d\right]$, $\mathcal{C}$ sets $A_i^{\left(t_i^{*}\right)}=U_i^{\left(t_i^{*}\right)}$. For $b\ne t_i^{*}$ and $b\in \{0,1\}$, $\mathcal{C}$ executes the $\mathbf{TrapGen}$ to obtain a pair of matrices $(A_i^{\left(b\right)},T_{A_i^{\left(b\right)}})$, where $T_{A_i^{\left(b\right)}}$ is the trapdoor of ${\Lambda }_q^{\perp }\left(A_i^{\left(b\right)}\right)$.

(2)

$\mathcal{C}$ invokes the $\mathbf{SampleDom}(1^{(d+1)m},\delta \sqrt{{\displaystyle \frac{2}{k}}})$ to generate k vectors ${\mathbf{v}}_1,{\mathbf{v}}_2,\cdots ,{\mathbf{v}}_k$, and computes ${\mathbf{a}}_j=F_{t^{*}}{\mathbf{v}}_j\mathrm{mod}q$ for $j=1,\dots ,k$, where $F_{t^{*}}=[A_0\parallel A_1^{\left(t_1^{*}\right)}\parallel A_2^{\left(t_2^{*}\right)}\parallel \cdots \parallel A_d^{\left(t_d^{*}\right)}]$.

Finally, $\mathcal{C}$ sends the public key $pk=(A_0,A_1^{\left(0\right)},A_1^{\left(1\right)},A_2^{\left(0\right)},A_2^{\left(1\right)},\cdots ,A_d^{\left(0\right)},A_d^{\left(1\right)},{\mathbf{a}}_1,\dots ,{\mathbf{a}}_k)$ to $\mathcal{A}$ and keeps $T_{A_i^{\left(b\right)}}$ confidential.

Queries: The adaptive query process of $\mathcal{A}$ and the response process of $\mathcal{C}$ are as follows:

Keyupdate queries: $\mathcal{A}$ sends the time period $t=(t_1,t_2,\cdots ,t_d)$ to $\mathcal{C}$. If $t\le t^{*}$, $\mathcal{C}$ aborts the query. If $t>t^{*}$, $\mathcal{C}$ finds the smallest index $h<d$ such that $t_h\ne t_h^{*}$. Then, $\mathcal{C}$ generates the trapdoor $T_{t^{\left(h\right)}}$ associated with node $t^{\left(h\right)}$ by the $\mathbf{ExtBasis}(B\parallel A_h^{(t_h)},T_{A_h^{(t_h)}})$, where $B=[A_0\parallel A_1^{\left(t_1\right)}\parallel A_2^{\left(t_2\right)}\parallel \cdots \parallel A_{h-1}^{\left(t_{h-1}\right)}]$, and $T_{A_h^{\left(t_h\right)}}$ is the trapdoor of ${\Lambda }_q^{\perp }\left(A_h^{\left(t_h\right)}\right)$. Subsequently, $\mathcal{C}$ computes all trapdoors in $s{k}_t$ by following the exact same key update procedure as in the actual scheme.

Sign queries: $\mathcal{A}$ submits to $\mathcal{C}$ a time period $t=(t_1,t_2,\cdots ,t_d)$ and a set of basis vectors ${\left\{{\mathbf{m}}_j^{\left(i\right)}\right\}}_{j=1}^k$ for the message subspace $V^{\left(i\right)}$, where $i<Q$ and Q is the number of signature queries. Upon receiving them, $\mathcal{C}$ first selects a tag ${\tau }^{\left(i\right)}=({\tau }_1^{\left(i\right)},{\tau }_2^{\left(i\right)},\cdots ,{\tau }_k^{\left(i\right)})\stackrel{\$}{⟵}{\{0,1\}}^k$ and returns it to $\mathcal{A}$, then proceeds with the following operations:

(1)

Construct $F_t=[A_0\parallel A_1^{\left(t_1\right)}\parallel \cdots \parallel A_d^{\left(t_d\right)}]$.

(2)

Check whether $t\ne t^{*}$ holds.

$\mathbf{Case}$ 1: If it holds, $\mathcal{C}$ performs the following steps:

(a)

Obtain ${\mathbf{T}}_t$ via $\mathbf{ExtBasis}(F_t,T_{A_h^{\left(t_h\right)}})$, where $h\le d$ is the smallest index such that $t_h\ne t_h^{*}$.

(b)

Execute $\mathbf{Decompose}\left({\mathbf{m}}_j^{\left(i\right)}\right)$ to obtain a pair of vectors $({\mathit{\upsilon }}_j^{\left(i\right)},{\mathit{\gamma }}_j^{\left(i\right)})$, where ${\mathbf{m}}_j^{\left(i\right)}=(m_{j1}^{\left(i\right)},\cdots ,m_{jk}^{\left(i\right)})={\mathit{\upsilon }}_j^{\left(i\right)}+{\mathit{\gamma }}_j^{\left(i\right)}$, ${\mathit{\upsilon }}_j^{\left(i\right)}=({\upsilon }_{j1}^{\left(i\right)},\dots ,{\upsilon }_{jk}^{\left(i\right)})$ and ${\mathit{\gamma }}_j^{\left(i\right)}=({\gamma }_{j1}^{\left(i\right)},\dots ,{\gamma }_{jk}^{\left(i\right)})$.

(c)

Compute $\mathbf{h}\left({\mathit{\upsilon }}_j^{\left(i\right)}\right)={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{a}}_u\mathrm{and}\mathbf{h}\left({\mathit{\gamma }}_j^{\left(i\right)}\right)={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{a}}_u$, then invoke $\mathbf{SamplePre}(F_t,T_t,\mathbf{h}\left({\mathit{\upsilon }}_j^{\left(i\right)}\right),\delta )\mathrm{and}\mathbf{SamplePre}(F_t,T_t,\mathbf{h}\left({\mathit{\gamma }}_j^{\left(i\right)}\right),\delta )$ respectively to obtain $\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)$ and $\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)$, and set ${\sigma }_j^{\left(i\right)}=\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)+\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)$ for $j=1,2,\cdots ,k$.

(d)

Output ${\left\{{\sigma }_j^{\left(i\right)}\right\}}_{j=1}^k$ and send $({\tau }^{\left(i\right)},{\left\{{\sigma }_j^{\left(i\right)}\right\}}_{j=1}^k)$ in time period t to $\mathcal{A}$.

$\mathbf{Case}$ 2: If it does not hold, the operation of $\mathcal{C}$ is as follows:

(a)

Execute $\mathbf{Decompose}\left({\mathbf{m}}_j^{\left(i\right)}\right)$ to obtain a pair of vectors $({\mathit{\upsilon }}_j^{\left(i\right)},{\mathit{\gamma }}_j^{\left(i\right)})$, where ${\mathbf{m}}_j^{\left(i\right)}=(m_{j1}^{\left(i\right)},\dots ,m_{jk}^{\left(i\right)})={\mathit{\upsilon }}_j^{\left(i\right)}+{\mathit{\gamma }}_j^{\left(i\right)}$, ${\mathit{\upsilon }}_j^{\left(i\right)}=({\upsilon }_{j1}^{\left(i\right)},\dots ,{\upsilon }_{jk}^{\left(i\right)})$ and ${\mathit{\gamma }}_j^{\left(i\right)}=({\gamma }_{j1}^{\left(i\right)},\dots ,{\gamma }_{jk}^{\left(i\right)})$.

(b)

Compute $\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{v}}_u$ and $\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{v}}_u$. Set ${\sigma }_j^{\left(i\right)}=\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)+\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)$ for $j=1,2,\cdots ,k$.

(c)

Output ${\left\{{\sigma }_j^{\left(i\right)}\right\}}_{j=1}^k$ and send $({\tau }^{\left(i\right)},{\left\{{\sigma }_j^{\left(i\right)}\right\}}_{j=1}^k)$ in time period t to $\mathcal{A}$.

Break-in query: $\mathcal{A}$ sends the time period t to $\mathcal{C}$. Upon receiving t, $\mathcal{C}$ first checks whether $t\le t^{*}$ holds. If so, $\mathcal{C}$ aborts the query. Otherwise, $\mathcal{C}$ sets t as the break-in time $\overline{t}$. Then, following the same procedure as in a key-update query, $\mathcal{C}$ generates the secret key $s{k}_{\overline{t}}$ in time period $\overline{t}$ and returns it to $\mathcal{A}$.

Forgery: After the query phase, $\mathcal{A}$ outputs a forgery tuple $({\tau }^{\prime },t^{\prime },{\mathbf{m}}^{\prime },{\sigma }^{\prime })$. $\mathcal{C}$ first checks whether $t^{\prime }=t^{*}$ holds. If not, $\mathcal{C}$ aborts the game. Otherwise, $\mathcal{C}$ accepts the forgery. For the tuple $({\tau }^{\prime },t^{\prime },{\mathbf{m}}^{\prime },{\sigma }^{\prime })$, it satisfies $F_{t^{\prime }}{\sigma }^{\prime }\mathrm{mod}q={\mathbf{h}}^{\prime }$ and $\parallel {\sigma }^{\prime }\parallel <2L\delta \sqrt{2k(d+1)m}$, where $F_{t^{\prime }}=[A_0\parallel A_1^{\left(t_1^{\prime }\right)}\parallel \cdots \parallel A_d^{\left(t_d^{\prime }\right)}]$ and ${\mathbf{h}}^{\prime }={\sum }_{i=1}^k{(-1)}^{{\tau }_i^{\prime }}{m}_i^{\prime }{\mathbf{a}}_i$.

Analysis: We argue that from $\mathcal{A}$’s perspective, it cannot distinguish between the experiment simulated by $\mathcal{C}$ and the actual scheme. The reasons are as follows:

(1)

In the simulated game, not all matrices $A_i^{\left(b\right)}$ used in constructing the matrix $F_t$ are randomly sampled from ${\mathbb{Z}}_q^{n\times m}$, some are generated by $\mathbf{TrapGen}(n,m,q)$. According to Theorem 1, matrices produced by this algorithm are statistically indistinguishable from the uniform distribution over ${\mathbb{Z}}_q^{n\times m}$.

(2)

In the simulated game, the vectors are computed as ${\mathbf{a}}_1=F_t{\mathbf{v}}_1\mathrm{mod}q,{\mathbf{a}}_2=F_t{\mathbf{v}}_2\mathrm{mod}q,\dots ,{\mathbf{a}}_k=F_t{\mathbf{v}}_k\mathrm{mod}q,$ where the vectors ${\mathbf{v}}_1,{\mathbf{v}}_2,\dots ,{\mathbf{v}}_k$ are obtained by running $\mathbf{SampleDom}(1^{(d+1)m},\delta \sqrt{{\displaystyle \frac{2}{k}}})$. By Theorem 5, the vectors ${\mathbf{a}}_1,{\mathbf{a}}_2,\dots ,{\mathbf{a}}_k$ are statistically indistinguishable from vectors uniformly sampled from ${\mathbb{Z}}_q^n$.

(3)

In $\mathbf{Case}$ 1 of the signature query phase, the signature is generated in the same way as in the actual scheme.

(4)

In $\mathbf{Case}$ 2 of the signature query phase, the simulated signatures $\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)$ and $\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)$ are, by Lemmas 2 and 3, statistically close to samples drawn from distribution ${\mathcal{D}}_{{\mathbb{Z}}^{(d+1)m},\delta }$. Moreover, since $F_t\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)\mathrm{mod}q=F_t{\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{F}_t{\mathbf{v}}_u\mathrm{mod}q={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{a}}_u=\mathbf{h}\left({\mathit{\upsilon }}_j^{\left(i\right)}\right)$ and $F_t\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)\mathrm{mod}q=F_t{\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{F}_t{\mathbf{v}}_u\mathrm{mod}q={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{a}}_u=\mathbf{h}\left({\mathit{\gamma }}_j^{\left(i\right)}\right)$, it follows from Theorem 5 that $\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)$ and $\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)$ are also approximately distributed as ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{h}\left({\mathit{\upsilon }}_j^{\left(i\right)}\right)}\left(F_t\right),\delta }$ and ${\mathcal{D}}_{{\Lambda }_q^{\mathbf{h}\left({\mathit{\gamma }}_j^{\left(i\right)}\right)}\left(F_t\right),\delta }$, respectively.

(5)

Verifying that $F_t{\sigma }_j^{\left(i\right)}\mathrm{mod}q={\mathbf{h}}_j^{\left(i\right)}$ holds, the process is as follows:

$$\begin{array}{cc}\hfill F_t{\sigma }_j^{\left(i\right)}\mathrm{mod}q& =F_t(\sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)+\sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)\mathrm{mod}q\hfill \\ \hfill & =F_t({\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q+{\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q)\hfill \\ \hfill & ={\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\left(i\right)}}({\upsilon }_{ju}^{\left(i\right)}+{\gamma }_{ju}^{\left(i\right)})F_t{\mathbf{v}}_u\mathrm{mod}q={\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\left(i\right)}}{m}_{ju}^{\left(i\right)}{\mathbf{a}}_u={\mathbf{h}}_j^{\left(i\right)}.\hfill \end{array}$$

(6)

Next, we verify that $\parallel {\sigma }_j^{\left(i\right)}\parallel <2L\delta \sqrt{2k(d+1)m}$ holds. By Lemma 1, the probability that $\parallel \sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)\parallel =\parallel {\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\upsilon }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q\parallel \le \delta k\sqrt{{\displaystyle \frac{2}{k}}}\sqrt{(d+1)m}\le L\delta \sqrt{2k(d+1)m}$ and $\parallel \sigma \left({\mathit{\gamma }}_j^{\left(i\right)}\right)\parallel =\parallel {\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\left(i\right)}}{\gamma }_{ju}^{\left(i\right)}{\mathbf{v}}_u\mathrm{mod}q\parallel \le \delta k\sqrt{{\displaystyle \frac{2}{k}}}\sqrt{(d+1)m}\le L\delta \sqrt{2k(d+1)m}$ is overwhelming. Hence it follows that $\parallel {\sigma }_j^{\left(i\right)}\parallel =\parallel \sigma \left({\mathit{\upsilon }}_j^{\left(i\right)}\right)+\sigma ({\mathit{\gamma }}_j^{\left(i\right)}\parallel \le 2L\delta \sqrt{2k(d+1)m}$.

Now, let’s demonstrate how to obtain a solution for an instance of the ${\mathrm{SIS}}_{q,n,(2d+1)m,\beta }$ problem. Regardless of whether the forgery of $\mathcal{A}$ is of type 1 or type 2, we have

$$\begin{array}{cc}\hfill F_{t^{\prime }}{\sigma }^{\prime }\mathrm{mod}q& ={\mathbf{h}}^{\prime }={\displaystyle \sum _{j=1}^l}{c}_j{\mathbf{h}}_j={\displaystyle \sum _{j=1}^l}{c}_j\left({\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\prime }}{m}_{ju}^{\prime }{\mathbf{a}}_u\right)\hfill \\ \hfill & ={\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\prime }}({\displaystyle \sum _{j=1}^l}{c}_j{m}_{ju}^{\prime }){\mathbf{a}}_u={\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\prime }}{m}_u^{\prime }{\mathbf{a}}_u\hfill \\ \hfill & =F_{t^{\prime }}{\displaystyle \sum _{u=1}^k}{(-1)}^{{\tau }_u^{\prime }}{m}_u^{\prime }{\mathbf{v}}_u\mathrm{mod}q=F_{t^{\prime }}{\mathbf{v}}^{\prime },\hfill \end{array}$$

where ${\mathbf{v}}^{\prime }={\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\prime }}{m}_u^{\prime }{\mathbf{v}}_u\mathrm{mod}q$. The fifth equality is due to the fact that ${\mathbf{m}}^{\prime }=(m_1^{\prime },m_2^{\prime },\cdots ,m_k^{\prime })={\sum }_{j=1}^l{c}_j{\mathbf{m}}_j^{\prime }$, which implies that $m_u^{\prime }={\sum }_{j=1}^l{c}_j{m}_{ju}^{\prime }$. Then $F_{t^{\prime }}({\sigma }^{\prime }-{\mathbf{v}}^{\prime })=0\mathrm{mod}q$. From [37], we know that $Pr[{\sigma }^{\prime }\ne {\mathbf{v}}^{\prime }]\ge 1-2^{-\omega \left(\log n\right)}$, which means $\widehat{\mathbf{v}}={\sigma }^{\prime }-{\mathbf{v}}^{\prime }$ is a solution to the ${\mathrm{SIS}}_{q,n,(d+1)m,\beta }$ problem.

According to $\mathbf{SampleDom}$, we have $\parallel {\mathbf{v}}^{\prime }\parallel =\parallel {\sum }_{u=1}^k{(-1)}^{{\tau }_u^{\prime }}{m}_u^{\prime }{\mathbf{v}}_u\mathrm{mod}q\parallel \le 2L\delta \sqrt{2k(d+1)m}$, which implies $\parallel {\sigma }^{\prime }-{\mathbf{v}}^{\prime }\parallel \le \parallel {\sigma }^{\prime }\parallel +\parallel {\mathbf{v}}^{\prime }\parallel \le 4L\delta \sqrt{2k(d+1)m}=\beta$.

Note that $F_{t^{\prime }}=[A_0\parallel A_1^{\left(t_1^{\prime }\right)}\parallel \cdots \parallel A_d^{\left(t_d^{\prime }\right)}]=[A_0\parallel U_1^{\left(t_1^{\prime }\right)}\parallel \cdots \parallel U_d^{\left(t_d^{\prime }\right)}]$, while in the instance we have $F=[A_0\parallel U_1^{\left(0\right)}\parallel U_1^{\left(1\right)}\parallel U_2^{\left(0\right)}\parallel U_2^{\left(1\right)}\parallel \dots \parallel U_d^{\left(0\right)}\parallel U_d^{\left(1\right)}]$. Therefore, we “embed” the missing $\left\{U_i^{1-t_i^{\prime }}\right\}$ into $F_{t^{\prime }}$ to form the target matrix F. To match the dimension of the vector $\mathbf{v}$ with F, we pad the corresponding positions in $\widehat{\mathbf{v}}$ (which correspond to the newly inserted matrix blocks) with zero vectors of appropriate dimensions. This yields $F\mathbf{v}=0\mathrm{mod}q$, and at this point we have $\parallel \mathbf{v}\parallel = \parallel \widehat{\mathbf{v}}\parallel$.

Since the probability of the game not aborting is ${\displaystyle \frac{1}{T}}$, combining the above analysis gives the advantage of $\mathcal{C}$ in solving the ${\mathrm{SIS}}_{q,n,(2d+1)m,\beta }$ problem as ${\displaystyle \frac{(1-2^{-\omega \left(\log n\right)})·\epsilon }{T}}$. This advantage is non-negligible under the given parameters, which contradicts the hardness assumption of the SIS problem. Therefore, the proposed scheme satisfies forward-secure unforgeability. □

5. Comparative Analysis

To ensure the comparability of the schemes, we select the recent lattice-based LHS scheme [19] and the lattice-based FSLHS scheme [32], and analyze them together with our scheme in four aspects: security model, forward security, underlying assumptions, and efficiency. The detailed comparison results are summarized in

Table 2. Comparison of schemes.

Schemes	[19]	[32]	Our Scheme
Public key size	$nm\log q+kn\log q$	$nm\log q$	$nm\log q$
Signature size	$m\log q$	$m\log q+n$	$dm\log q$
Signing time	$2T_{sp}$	$T_{sp}$	$2{(d+1)}^2{T}_{sp}$
Forward secure	No	Yes	Yes
Security model	SM	ROM	SM
Assumption	SIS	SIS	SIS

n is the number of rows in the matrix. m is the number of columns in the matrix, where $m\ge 6n\log q$. $q>2$ is a prime number; k: polynomial in n; d: binary tree depth; $T_{sp}$: time of one execution of algorithm SamplePre.

.

As shown in Table 2, all three schemes rely on the hardness of SIS to ensure security. Among them, our scheme and the scheme in [19] are proven secure in the SM, while the scheme in [32] is proven secure in the ROM. However, the scheme in [19] does not satisfy forward security.

In terms of efficiency, as shown in Table 2, we compare the three schemes from three dimensions: public key size, signature size, and signing time. In terms of public key length, our scheme is equivalent to that in [32] and smaller than that in [19].

To provide an intuitive comparison of signature sizes, we take the 128-bit security level as an example, with parameters set as $n=512$, $q\approx 2^{32}$, binary tree depth $d=10$, and $m=6n\log q$. The specific values are calculated according to the signature length formula of each scheme, and the results are shown in

Table 3. Comparison of signature sizes at 128-bit security level.

Scheme	Signature Size	Approximate Numerical Value	Actual Size (MB)
[19]	$m\log q$	$512\times 6\times 512\times 32$	≈48
[32]	$m\log q+n$	$512\times 6\times 512\times 32+512$	≈48
Our scheme	$d·m\log q$	$10\times 512\times 6\times 512\times 32$	≈480

.

As can be seen from Table 3, the signature size of our scheme is approximately d times that of the other two schemes. This additional overhead mainly stems from the binary tree forward security mechanism introduced to achieve provable security in the standard model.

Regarding the signing time, to mitigate the impact of different devices, we analyze the time complexity of the signing algorithms. For simplicity, we ignore the complexity of hash functions and multiplications, which have a minor impact on the signing algorithm. According to [38], the time complexity of the $\mathbf{SamplePre}$ algorithm is $T_{sp}=O\left(m^2\right)$. Let $T_{\mathrm{ours}}$, $T_{\mathrm{Guo}}$, and $T_{\mathrm{Wu}}$ denote the signing time complexities of our scheme, the scheme in [19], and the scheme in [32], respectively. Under the same security parameters, the relationship among the three is $T_{\mathrm{Wu}}<T_{\mathrm{Guo}}<T_{\mathrm{ours}}$. This indicates that our signing time is not only longer than that in [32], but also longer than that in [19] due to the binary tree mechanism.

In summary, compared with the scheme in [19], our scheme achieves a smaller public key size and is resilient to key leakage attacks. Meanwhile, our scheme provides stronger security guarantees than the scheme in [32], which is only proven secure in the ROM.

Based on the above comparative results, the next section will use the concrete parameters (e.g., $n=512$, $q\approx 2^{32}$, $d=10$) and performance estimates (signature size ≈ 480 MB) set in this section to further analyze the feasibility of our scheme in a smart grid distributed data acquisition system.

6. Application Feasibility Analysis: Smart Grid Data Acquisition

To comprehensively evaluate the practicality and applicability of the proposed scheme, this section first takes the smart grid data acquisition system as a concrete example and conducts a feasibility analysis based on the performance data from Section 5. Subsequently, we further discuss the potential applications of the scheme in other typical scenarios.

Scenario description: Consider a large-scale smart grid system consisting of a massive number of smart meters, multiple regional aggregation nodes, and a central data center. The workflow follows the five stages defined in our scheme: setup, key update, signing, combination, and verification. In each time period t, each smart meter signs its collected data vector ${\mathbf{m}}_i$ using its current secret key $s{k}_t$ and sends $({\mathbf{m}}_i,{\sigma }_i)$ to its regional aggregation node. Without accessing any private keys, the aggregation node combines l signatures (where $l<L$, and L is the maximum batch size) into an aggregated signature $\sigma =\sum c_i{\sigma }_i$ and aggregated data $\mathbf{m}=\sum c_i{\mathbf{m}}_i$. The data center then verifies the aggregated data packet $(\mathbf{m},\sigma ,\tau )$ using the public key $pk$. A successful verification proves that the aggregated data originates from legitimate meters and has not been tampered with.

Performance feasibility analysis: Using the parameter settings from Section 5 (128-bit security level, $n=512$, $q\approx 2^{32}$, $d=10$, $m=6n\log q$), we evaluate the suitability of our scheme for the smart grid scenario.

Signature size: The signature size of our scheme is approximately 480 MB, which is d times larger than that of [19,32]. In the smart grid environment, each aggregation node processes up to l signatures per time period. After combination, the aggregated signature size remains the same as a single signature (480 MB), rather than being l times larger. Therefore, the transmission overhead from the aggregation node to the data center is a constant factor per batch, which is feasible in wired or high-bandwidth industrial networks.

Signing time: According to Table 2, when $d=10$, the signing time complexity of our scheme is approximately $2{(d+1)}^2{T}_{sp}=242T_{sp}$. In typical lattice-based implementations, $T_{sp}\approx 0.1$–1 s (depending on the specific implementation and hardware), so the signing time per smart meter ranges from 24.2 to 242 s. This is suitable for low-frequency reporting scenarios, such as smart meters transmitting data every 15–30 min. For high-frequency or real-time applications, this overhead would be prohibitive.

Key update: The key update operation is performed locally on each meter and does not involve communication, thus it does not affect network scalability.

Based on the above analysis, our scheme is suitable for smart grid deployment scenarios that satisfy the following conditions:

• Low-frequency reporting: The time interval between consecutive signatures should be at least several minutes to accommodate the signing time of 24.2–242 s.
• Need for forward security in the standard model: Our scheme is intended for applications where key leakage is a major security concern and security under the random oracle model is insufficient.
• Sufficient bandwidth: The 480 MB aggregated signature requires adequate network capacity between the aggregation nodes and the data center. This is typically available in industrial-grade smart grid backhaul networks.

In summary, our scheme enables regional aggregation nodes to compute valid linear combinations of signatures without knowing any private key, while ensuring that the data center can verify the integrity and authenticity of the aggregated data. Even if the private keys of some smart meters are compromised, previously signed data remain unforgeable due to forward security. The security of our scheme reduces to the hardness of the SIS problem on lattices, thus resisting quantum attacks. The quantitative analysis in this section shows that for low-frequency reporting scenarios, the signing time and signature size are practically feasible, making our scheme a viable option for secure and verifiable data aggregation in smart grids.

Other Potential Application Scenarios

Beyond smart grid data acquisition, the proposed scheme can also be applied to scenarios such as industrial IoT data aggregation, distributed healthcare monitoring, vehicular network security communication, and blockchain cross-chain verification. These application scenarios share the common characteristic of requiring data aggregation and verification at the edge side, while also demanding forward security to cope with the risk of key leakage.

Industrial IoT data aggregation: In Industry 4.0 environments, multiple sensors periodically transmit production data to edge gateways. Our scheme enables edge gateways to perform linear combinations of multiple sensor signatures without accessing private keys, generating aggregated signatures for transmission to central monitoring systems. Even if certain sensor nodes’ private keys are compromised in the future, the integrity of historical data remains protected due to forward security.

Distributed healthcare monitoring systems: In remote healthcare scenarios, multiple wearable devices periodically upload patients’ physiological data to hospital data centers. Our scheme supports hospital edge servers in securely aggregating data from multiple devices for the same patient, while ensuring that even if device private keys are leaked, patients’ historical health records cannot be tampered with.

Vehicular networks security communication: In intelligent transportation systems, multiple vehicles periodically send location and status information to Roadside Units (RSUs). Our scheme can be used for RSUs to aggregate and verify data from multiple vehicles, ensuring the authenticity and integrity of traffic data while providing forward security against potential vehicle device compromises.

Blockchain cross-chain data verification: In multi-chain architectures, different blockchain networks need to verify each other’s data. Our scheme can be employed to build cross-chain data verification mechanisms, allowing verification nodes to perform linear combination verification of transaction data from multiple source chains, while ensuring that even if certain verification nodes’ private keys are compromised, historical verification records remain unforgeable.

Applicability conditions: It should be emphasized that due to the signature size of approximately 480 MB (at 128-bit security level), this scheme is primarily suitable for resource-rich edge gateway devices rather than ultra-low-power micro-sensors. These application scenarios typically share the following characteristics:

• Low-frequency data reporting
• Stable power supply
• Sufficient storage capacity (GB-level)
• High-bandwidth network connections

7. Conclusions

This paper investigates the FSLHS scheme to address the security challenges posed by key leakage. Its main contribution lies in constructing the first provably secure lattice-based FSLHS scheme in the SM, filling the gap in existing research that lacks security proofs in the SM. Through a comparative analysis with existing schemes in terms of security model, underlying assumptions, and efficiency, we demonstrate the security advantages of our scheme while also pointing out its efficiency limitations. To verify the practicality of the proposed scheme, we apply it to a smart grid data acquisition system, analyze its feasibility under specific performance metrics, and present several potential application scenarios. It should be noted that this scheme is not suitable for high-frequency metering or ultra-low-power devices; therefore, it is primarily designed for edge-gateway-level devices with sufficient computational resources and storage capacity. In future work, we plan to: conduct performance evaluation and energy consumption measurement on real high-end edge computing hardware platforms; further optimize the signature size to make it applicable to a wider range of IoT devices; and extend forward security to certificateless and identity-based LHS frameworks, thereby enriching the cryptographic primitives for building network data authentication infrastructure that resists key leakage risks.