# Message Integration Authentication in the Internet-of-Things via Lattice-Based Batch Signatures


## Abstract


## 1. Introduction

#### 1.1. Batch Signature

#### 1.2. Lattice-Based Signature

#### 1.3. Our Contributions

- We propose lattice-based batch signature schemes for the first time. Our schemes possess a general property, that is, our construction can be combined with any existing lattice-based signature scheme.
- The technique we use is an extension of the intersection method from [27]. The intersection method is as follows: for $n$-dimensional integer lattices $\Lambda_1$ and $\Lambda_2$ such that $\Lambda_1+\Lambda_2=\mathbb{Z}^n$ and $\Lambda_1\cap\Lambda_2\ne\emptyset$, there exists a short vector $\mathbf{e}$ which belongs to $(\mathbf{v}_1+\Lambda_1)\cap(\mathbf{v}_2+\Lambda_2)$ and can be viewed as a signature of both $\mathbf{v}_1\in\mathbb{Z}^n$ and $\mathbf{v}_2\in\mathbb{Z}^n$. We demonstrate this technique with a concrete example for $k\ge 2$. In detail, let $\Lambda_1=p_1\mathbb{Z}^n$, $\Lambda_2=p_2\mathbb{Z}^n,\cdots,\Lambda_k=p_k\mathbb{Z}^n$ with $k$ primes $p_1,p_2,\cdots,p_k$. Because $p_1,p_2,\cdots,p_k$ are distinct primes, $p_1\mathbb{Z}^n+p_2\mathbb{Z}^n+\cdots+p_k\mathbb{Z}^n=\mathbb{Z}^n$ and $p_1\mathbb{Z}^n\cap p_2\mathbb{Z}^n\cap\cdots\cap p_k\mathbb{Z}^n=p_1p_2\cdots p_k\mathbb{Z}^n\ne\emptyset$. Therefore, for $k$ messages $\mathbf{v}_1,\mathbf{v}_2,\cdots,\mathbf{v}_k\in\mathbb{Z}^n$, there exists a short vector $\mathbf{e}\in(\mathbf{v}_1+p_1\mathbb{Z}^n)\cap(\mathbf{v}_2+p_2\mathbb{Z}^n)\cap\cdots\cap(\mathbf{v}_k+p_k\mathbb{Z}^n)$, which binds $\mathbf{v}_1,\mathbf{v}_2,\cdots,\mathbf{v}_k$ together and can be viewed as their batch signature.
- With the intersection method as the core technique, we give two batch signature schemes based on the hash-and-sign paradigm and on the Fiat–Shamir transformation, respectively, as well as a lattice-based batch signature scheme based on a binary tree.

#### 1.4. Organization

## 2. Preliminaries

**Definition 1.**

**Definition 2.**

**Definition 3.**

**Definition 4.**

**Definition 5.**

**Definition 6.**

- (length-compressing): $m<n$.
- (hard to find collisions): For all PPT $\mathcal{A}$, there exists a negligible function $\epsilon$ such that for all security parameters $n\in\mathbb{N}$,
  $$\Pr\left[(x_0,x_1)\leftarrow\mathcal{A}(1^n,h):\ x_0\ne x_1\wedge h(x_0)=h(x_1)\right]\le\epsilon(n).$$

## 3. System Definition and Threat Model

#### 3.1. Definition of Batch Signature System

**Setup**($\lambda$): On input the security parameter $\lambda$, this algorithm determines the necessary system public parameters $PP$.

**KeyGen**($\lambda$): With security parameter $\lambda$ and system parameters $PP$ as above, this algorithm provides the public verification key $vk$ and the secret signing key $sk$.

**Sign**($sk,\{\varpi_1,\cdots,\varpi_k\}$): Given the signing key $sk$ and the message set $\{\varpi_1,\cdots,\varpi_k\}$, this algorithm computes the batch signature $e$.

**Verify**($vk,\varpi_j,e$), $j=1,\cdots,k$: Given message $\varpi_j$ and its signature $e$ associated with verification key $vk$, this algorithm tells whether the $j$-th message has gained valid authentication, and outputs 1 if the answer is yes, otherwise outputs 0.

#### 3.2. Threat Model

**Initialization**: In this period, challenger $\mathcal{C}$ executes the algorithms **Setup** and **KeyGen**, and provides the system public parameters $PP$ and the public verification key $vk$ to adversary $\mathcal{A}$.

**Signing queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $(\varpi_1,\varpi_2,\cdots,\varpi_k)$ and sends the message set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ invokes the **Sign** algorithm and returns the result to adversary $\mathcal{A}$. Adversary $\mathcal{A}$ may repeat the query polynomially many times in any manner he chooses.

**Forgery**: Once adversary $\mathcal{A}$ terminates the signing queries, he offers a new message-signature pair $(\varpi_1^{\ast},\varpi_2^{\ast},\cdots,\varpi_k^{\ast},e)$.

**Theorem 1.**

## 4. Lattice-Based Batch Signature with Binary Tree

#### 4.1. Proposed Construction

**Setup**($\lambda$): In this stage, system parameters are provided with knowledge of the security parameter $\lambda$.

- $n$ is a polynomial in $\lambda$, $q\ge 3$ is a polynomial in $n$, $m=\lceil 6n\log q\rceil$, $t=O\left(\sqrt{n\log q}\right)$.
- $k$ is the number of messages to batch sign, and $s\ge t\cdot\omega\left(\sqrt{\log m}\right)$ is the Gaussian parameter.
- $H_0:\{0,1\}^{\ast}\to\mathbb{Z}_q^n$ and $H_1:\mathbb{Z}_q^{2n}\to\mathbb{Z}_q^n$ are two collision resistant hash functions.

**KeyGen**($\lambda$): With system parameters as above, the public verification key $vk$ and the secret signing key $sk$ are obtained as follows. Invoke the trapdoor generation algorithm TrapGen$(n,q,m)$ to get a uniformly random matrix $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ together with a short basis $\mathbf{T}\in\mathbb{Z}^{m\times m}$ for the lattice $\Lambda_q^{\perp}(\mathbf{A})$ with $\|\tilde{\mathbf{T}}\|\le t$. Finally output $vk=\mathbf{A}$, $sk=\mathbf{T}$.

**Sign**($sk,\{\varpi_0,\cdots,\varpi_{k-1}\}\in\left\{\{0,1\}^{\ast}\right\}^k$): Given $sk=\mathbf{T}$ and the set of messages $\{\varpi_0,\cdots,\varpi_{k-1}\}\in\left\{\{0,1\}^{\ast}\right\}^k$, the following steps lead to the batch signature on these messages.

- Compute $H_0(\varpi_0),H_0(\varpi_1),\cdots,H_0(\varpi_{k-1})$, let $H_1^{(0)}=H_0(\varpi_0)$, and execute the following for-loop:
  for $i=1$ to $k-1$: $H_1^{(i)}=H_1(H_1^{(i-1)}\parallel H_0(\varpi_i))$.
- Compute $\mathbf{e}=$ SamplePre$(\mathbf{A},\mathbf{T},H_1^{(k-1)},s)$.
- For $\varpi_i$, $i=0,\cdots,k-1$, compute its brother $B_i$. Firstly, $B_0=(H_0(\varpi_1),\mathfrak{R})$; the rest are given by the next for-loop:
  for $i=1$ to $k-1$: $B_i=(H_1^{(i-1)},\mathfrak{L})$.
  Here, for $\varpi_i$'s brother $B_i$, the first entry denotes $\varpi_i$'s brother node, and the second entry denotes whether the brother is located on $\varpi_i$'s left ($\mathfrak{L}$) or right ($\mathfrak{R}$).
- For $\varpi_i$, $i=0,\cdots,k-1$, compute its residue $R_i$. At first,
  $$R_0=\{(H_0(\varpi_1),\mathfrak{R}),(H_0(\varpi_2),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}=\{B_0,(H_0(\varpi_2),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\},$$
  and the rest are given by the next for-loop:
  for $i=1$ to $k-2$:
  $$R_i=\{(H_1^{(i-1)},\mathfrak{L}),(H_0(\varpi_{i+1}),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}=\{B_i,(H_0(\varpi_{i+1}),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}.$$
  When $i=k-1$, $R_{k-1}=B_{k-1}=\{(H_1^{(k-2)},\mathfrak{L})\}$. Here, $\varpi_i$'s residue $R_i$ includes $\varpi_i$'s brother $B_i$ and the brothers of all of its ancestor nodes.
- For $\varpi_i$, $i=0,\cdots,k-1$, its signature is $(\mathbf{e},R_i)$.

**Verify**($vk,\varpi_j,(\mathbf{e},R_j)$), $j=0,\cdots,k-1$: Given message $\varpi_j$ and its signature $(\mathbf{e},R_j)$ associated with verification key $vk=\mathbf{A}$:

- $H_1^{(k-1)}$ should be recovered first.
  (1) If $j=0$, then $R_0=\{(H_0(\varpi_1),\mathfrak{R}),(H_0(\varpi_2),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}=\{B_0,(H_0(\varpi_2),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}$, and the verifier runs
  for $i=1$ to $k-1$: $H_1^{(i)}=H_1(H_1^{(i-1)}\parallel H_0(\varpi_i))$.
  When the for-loop terminates, $H_1^{(k-1)}$ is obtained.
  (2) If $j\ne 0$, then $R_j=\{(H_1^{(j-1)},\mathfrak{L}),(H_0(\varpi_{j+1}),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}=\{B_j,(H_0(\varpi_{j+1}),\mathfrak{R}),\cdots,(H_0(\varpi_{k-1}),\mathfrak{R})\}$, and the verifier runs
  for $i=j$ to $k-1$: $H_1^{(i)}=H_1(H_1^{(i-1)}\parallel H_0(\varpi_i))$.
  When the for-loop terminates, $H_1^{(k-1)}$ is obtained.
- Check whether $\|\mathbf{e}\|\le s\sqrt{m}$ and $\mathbf{A}\mathbf{e}=H_1^{(k-1)}\bmod q$. If both relations hold, return 1 and accept the message-signature pair $(\varpi_j,(\mathbf{e},R_j))$; otherwise, return 0 and reject the message-signature pair.
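The hash-chain part of Sign and Verify from Section 4.1 (the values $H_1^{(i)}$, the brothers $B_i$, the residues $R_i$, and the verifier's recovery of $H_1^{(k-1)}$ from $\varpi_j$ and $R_j$), as an added example that is not the paper's code. SHA-256 stands in for $H_0$ and $H_1$, the messages are constructed, and the lattice step $\mathbf{e}=\text{SamplePre}(\mathbf{A},\mathbf{T},H_1^{(k-1)},s)$ with its check $\mathbf{Ae}=H_1^{(k-1)}\bmod q$ is replaced by a direct comparison against the root the signer produced.

```python
import hashlib
import hmac
from typing import List, Tuple

# SHA-256 stands in for the paper's H0 and H1 (only collision resistance is
# needed here); domain separation keeps leaf hashes and inner hashes distinct.
def H0(msg: bytes) -> bytes:
    return hashlib.sha256(b"H0|" + msg).digest()

def H1(left: bytes, right: bytes) -> bytes:
    # H1^(i) = H1(H1^(i-1) || H0(w_i)): the running chain value is the left input
    return hashlib.sha256(b"H1|" + left + right).digest()

LEFT, RIGHT = "L", "R"          # the paper's position markers L and R
Node = Tuple[bytes, str]        # (brother node, side it sits on)

# Constructed sample batch (stand-ins for k = 4 IoT readings)
SAMPLE_MESSAGES = [b"node-0:temp=21.5", b"node-1:temp=22.0",
                   b"node-2:valve=OFF", b"node-3:valve=ON"]


def sign_tree(messages: List[bytes]) -> Tuple[bytes, List[List[Node]]]:
    """Signer side of Section 4.1: returns (H1^(k-1), [R_0, ..., R_{k-1}]).

    The lattice step e = SamplePre(A, T, H1^(k-1), s) is not reproduced; the
    root is returned so that it can stand in for the value e is bound to."""
    k = len(messages)
    if k < 2:
        raise ValueError("batch signing needs k >= 2 messages")
    leaves = [H0(m) for m in messages]
    chain = [leaves[0]]                     # chain[i] == H1^(i)
    for i in range(1, k):
        chain.append(H1(chain[i - 1], leaves[i]))
    residues: List[List[Node]] = []
    for i in range(k):
        if i == 0:
            # B_0 = (H0(w_1), R); every later leaf is absorbed on the right
            r = [(leaves[t], RIGHT) for t in range(1, k)]
        else:
            # B_i = (H1^(i-1), L), then the leaves H0(w_{i+1}) ... H0(w_{k-1})
            r = [(chain[i - 1], LEFT)] + [(leaves[t], RIGHT) for t in range(i + 1, k)]
        residues.append(r)
    return chain[k - 1], residues


def recover_root(message: bytes, residue: List[Node]) -> bytes:
    """Verifier side: rebuild H1^(k-1) from message w_j and its residue R_j.

    Walking the residue in order reproduces the paper's two cases (j = 0 and
    j != 0) with a single rule: a left brother is hashed as the left input."""
    acc = H0(message)
    for brother, side in residue:
        if side == LEFT:
            acc = H1(brother, acc)
        elif side == RIGHT:
            acc = H1(acc, brother)
        else:
            raise ValueError("residue entry must be marked L or R")
    return acc


def verify_tree(root: bytes, message: bytes, residue: List[Node]) -> bool:
    """Accept iff the recovered H1^(k-1) equals the root bound by the batch
    signature (in the real scheme this is the check A e = H1^(k-1) mod q)."""
    return hmac.compare_digest(recover_root(message, residue), root)


def residue_sizes(residues: List[List[Node]]) -> List[int]:
    """Per-message overhead: R_0 carries k - 1 brothers and R_j carries k - j
    for j >= 1, which is where the O(kn) signature size of Section 7 comes from."""
    return [len(r) for r in residues]


if __name__ == "__main__":
    root, residues = sign_tree(SAMPLE_MESSAGES)
    for j, (m, r) in enumerate(zip(SAMPLE_MESSAGES, residues)):
        print(j, verify_tree(root, m, r), len(r))
```

A residue that belongs to another position in the batch, or a message altered after signing, rebuilds a different root and is rejected.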

#### 4.2. Security Analysis

**Theorem 2.**

**Proof.**

**Initialization**: In this period, challenger $\mathcal{C}$ executes the setup algorithm to set the system parameters, sets the public verification key $vk=\mathbf{A}$, and sends all of them to adversary $\mathcal{A}$.

**Hash queries**: Challenger $\mathcal{C}$ creates a list to save the binary tree for $k$ messages, and sets $\mathcal{H}=\{((\varpi_0,\cdots,\varpi_{k-1}),(H_0(\varpi_0),\cdots,H_0(\varpi_{k-1})),(H_1^{(1)},\cdots,H_1^{(k-1)}),\mathbf{e})\}$. When adversary $\mathcal{A}$ sends a set of messages $(\varpi_0,\cdots,\varpi_{k-1})$ to challenger $\mathcal{C}$ for hash values, $\mathcal{C}$ searches list $\mathcal{H}$:

- If $(\varpi_0,\cdots,\varpi_{k-1})$ does not exist in list $\mathcal{H}$, $\mathcal{C}$ chooses $\mathbf{e}\leftarrow\mathcal{D}_{\mathbb{Z}^m,s}$ and sets $H_1^{(k-1)}=\mathbf{Ae}\bmod q$. Then $\mathcal{C}$ randomly picks $H_0(\varpi_i)$, $i=0,\cdots,k-1$, and sets $H_1^{(i)}=H_1(H_1^{(i-1)}\parallel H_0(\varpi_i))$ for $i=1$ to $k-1$, where $H_1^{(0)}=H_0(\varpi_0)$. $\mathcal{C}$ saves $((\varpi_0,\cdots,\varpi_{k-1}),(H_0(\varpi_0),\cdots,H_0(\varpi_{k-1})),(H_1^{(1)},\cdots,H_1^{(k-1)}),\mathbf{e})$ in the list $\mathcal{H}$.
- If $(\varpi_0,\cdots,\varpi_{k-1})$ exists in list $\mathcal{H}$, $\mathcal{C}$ does nothing.

At last, $\mathcal{C}$ returns $((H_0(\varpi_0),\cdots,H_0(\varpi_{k-1})),(H_1^{(1)},\cdots,H_1^{(k-1)}))$ to adversary $\mathcal{A}$.

**Signature queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $(\varpi_0,\cdots,\varpi_{k-1})$ and sends the message set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ first searches list $\mathcal{H}$ for the message set. If it exists, $\mathcal{C}$ returns $((H_0(\varpi_0),\cdots,H_0(\varpi_{k-1})),(H_1^{(1)},\cdots,H_1^{(k-1)}),\mathbf{e})$ to adversary $\mathcal{A}$. If the message set does not exist, $\mathcal{C}$ executes the hash query first. Adversary $\mathcal{A}$ may repeat the query polynomially many times in any manner he chooses.

**Forgery**: Once adversary $\mathcal{A}$ terminates the signing queries, he forges a valid message-signature pair $((\varpi_0^{\ast},\cdots,\varpi_{k-1}^{\ast}),(H_0(\varpi_0^{\ast}),\cdots,H_0(\varpi_{k-1}^{\ast})),(H_{1\ast}^{(1)},\cdots,H_{1\ast}^{(k-1)}),\mathbf{e}^{\ast})$.

## 5. Lattice-Based Batch Signature Based on Hash-and-Sign Paradigm

#### 5.1. Design

**Setup**($\lambda$): In this stage, system parameters are provided with knowledge of the security parameter $\lambda$.

- $n$ is a polynomial in $\lambda$, $q\ge 3$ is a polynomial in $n$, $m=\lceil 6n\log q\rceil$, $l=O\left(\sqrt{n\log q}\right)$.
- $k$ is the number of messages to batch sign, and $s\ge l\cdot\omega\left(\sqrt{\log m}\right)$ is the Gaussian parameter.
- $H:\{0,1\}^{\ast}\to\mathbb{Z}^n$ is a collision resistant hash function.

**KeyGen**($\lambda$): With system parameters as above, the public verification key $vk$ and the secret signing key $sk$ are obtained in the following manner.

- Invoke the trapdoor generation algorithm TrapGen$(n,q,m)$ to get a uniformly random matrix $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ together with a short basis $\mathbf{T}\in\mathbb{Z}^{m\times m}$ for the lattice $\Lambda_q^{\perp}(\mathbf{A})$ with $\|\tilde{\mathbf{T}}\|\le l$.
- Compute $k$ different lattices $\Lambda_i$, $i=1,\cdots,k$, such that $\Lambda_1+\Lambda_2+\cdots+\Lambda_k=\mathbb{Z}^n$ and $\Lambda_1\cap\Lambda_2\cap\cdots\cap\Lambda_k=\Lambda$, with $q$ as modulus.

Then $vk=(\mathbf{A},\Lambda,\Lambda_i,\ i=1,\cdots,k)$ and $sk=\mathbf{T}$.

**Sign**($sk,\{\varpi_1,\cdots,\varpi_k\}\in\left\{\{0,1\}^{\ast}\right\}^k$): Given $sk=\mathbf{T}$ and the set of messages $\{\varpi_1,\cdots,\varpi_k\}\in\left\{\{0,1\}^{\ast}\right\}^k$, the following steps lead to the batch signature on these messages.

- Construct the system of equations
  $$\left\{\begin{array}{l}\mathbf{v}=H(\varpi_1)\bmod\Lambda_1\\ \mathbf{v}=H(\varpi_2)\bmod\Lambda_2\\ \cdots\\ \mathbf{v}=H(\varpi_k)\bmod\Lambda_k\end{array}\right.$$
  and solve it for $\mathbf{v}$.
- Invoke the preimage sampleable algorithm SamplePre$(\mathbf{A},\mathbf{T},\mathbf{v},s)$ to get the signature $\mathbf{e}$.

**Verify**($vk,\varpi_j,\mathbf{e}$): For the $j$-th message $\varpi_j$ and the signature $\mathbf{e}$, validation involves the following two relations:

- $\|\mathbf{e}\|\le s\sqrt{m}$.
- $\mathbf{A}\mathbf{e}=H(\varpi_j)\bmod\Lambda_j$.

If both are true, accept message $\varpi_j$; otherwise, reject it.

#### 5.2. Security Analysis

**Theorem 3.**

**Proof.**

**Initialization**: In this period, challenger $\mathcal{C}$ sets appropriate system parameters, lets the public verification key be $vk=\mathbf{A}$, and sends all of them to adversary $\mathcal{A}$.

**Hash queries**: Challenger $\mathcal{C}$ creates a list to save the hash values for $k$ messages, and sets $\mathcal{H}=\left\{((\varpi_1,\cdots,\varpi_k),(H(\varpi_1),\cdots,H(\varpi_k)),\mathbf{e})\right\}$. When adversary $\mathcal{A}$ sends a set of messages $(\varpi_1,\cdots,\varpi_k)$ to challenger $\mathcal{C}$ for hash values, $\mathcal{C}$ searches list $\mathcal{H}$:

- If $(\varpi_1,\cdots,\varpi_k)$ exists in list $\mathcal{H}$, $\mathcal{C}$ returns $(H(\varpi_1),\cdots,H(\varpi_k))$ directly.
- If $(\varpi_1,\cdots,\varpi_k)$ does not exist in list $\mathcal{H}$, $\mathcal{C}$ samples $\mathbf{e}\leftarrow\mathcal{D}_{\mathbb{Z}^m,s}$, sets $\mathbf{v}=\mathbf{Ae}\bmod q$, and lets $\mathbf{v}\bmod\Lambda_i=H(\varpi_i)$, $i=1,\cdots,k$. Then $\mathcal{C}$ saves $((\varpi_1,\cdots,\varpi_k),(H(\varpi_1),\cdots,H(\varpi_k)),\mathbf{e})$ in list $\mathcal{H}$, and returns $(H(\varpi_1),\cdots,H(\varpi_k))$ to adversary $\mathcal{A}$.

**Signing queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $(\varpi_1,\varpi_2,\cdots,\varpi_k)$ and sends the message set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ searches list $\mathcal{H}$ for the messages $(\varpi_1,\varpi_2,\cdots,\varpi_k)$. If the messages exist in list $\mathcal{H}$, challenger $\mathcal{C}$ returns $\mathbf{e}$ directly. If the messages do not exist in list $\mathcal{H}$, challenger $\mathcal{C}$ first executes the hash query, then returns $\mathbf{e}$ to adversary $\mathcal{A}$.

**Forgery**: Once adversary $\mathcal{A}$ terminates the signing queries, he offers a new message-signature pair $(\varpi_1^{\ast},\varpi_2^{\ast},\cdots,\varpi_k^{\ast},\mathbf{e}^{\ast})$. Challenger $\mathcal{C}$ searches for $((\varpi_1^{\ast},\varpi_2^{\ast},\cdots,\varpi_k^{\ast}),(H(\varpi_1^{\ast}),\cdots,H(\varpi_k^{\ast})),\mathbf{e}^{\prime})$ in list $\mathcal{H}$, then computes $\mathbf{e}^{\ast}-\mathbf{e}^{\prime}$ as the solution to the SIS instance $\mathbf{A}$. Because the message-signature pair $(\varpi_1^{\ast},\varpi_2^{\ast},\cdots,\varpi_k^{\ast},\mathbf{e}^{\ast})$ is valid, adversary $\mathcal{A}$ has not made a signing query on $(\varpi_1^{\ast},\cdots,\varpi_k^{\ast})$, while the hash query on $(\varpi_1^{\ast},\cdots,\varpi_k^{\ast})$ has been made. Given $\mathbf{A}\mathbf{e}^{\prime}=\mathbf{v}\bmod q$, according to the preimage min-entropy property of the hash function [23], the min-entropy of $\mathbf{e}^{\ast}$ is $\omega(\log n)$, so that $\mathbf{e}^{\prime}-\mathbf{e}^{\ast}\ne\mathbf{0}$ with overwhelming probability. Because $\mathbf{e}^{\prime}\leftarrow\mathcal{D}_{\mathbb{Z}^m,s}$, $\|\mathbf{e}^{\prime}\|\le s\sqrt{m}$, and $\|\mathbf{e}^{\ast}\|\le s\sqrt{m}$ follows from the validity of the forged signature. Therefore, $\|\mathbf{e}^{\prime}-\mathbf{e}^{\ast}\|\le 2s\sqrt{m}$.

## 6. Lattice-Based Batch Signature Based on FS Transformation

#### 6.1. Design

**Setup**($n$): In this stage, system parameters are provided with knowledge of the security parameter $n$.

- $q$ may be $2^{25}$, $d$ may be 1, $r$ may be 512.
- $m>64+n\cdot\log q/\log(2d+1)$, and $\kappa$ satisfies $2^{\kappa}\cdot\binom{n}{\kappa}\ge 2^{100}$.
- $s$ may be $12d\kappa\sqrt{m}$, and $M$ may be $e^{12d\kappa\sqrt{m}/s+\left(d\kappa\sqrt{m}/(2s)\right)^2}$.
- $H_1:\{0,1\}^{\ast}\to\mathbb{Z}^n$ and $H_2:\{0,1\}^{\ast}\to\{\mathbf{g}\in\{-1,0,1\}^r:\|\mathbf{g}\|_1\le\kappa\}$ are collision resistant hash functions, where $\|\mathbf{g}\|_1$ is the 1-norm of the vector $\mathbf{g}$, namely the sum of the absolute values of its elements.

**KeyGen**($n$): With system parameters as above, the public verification key $vk$ and the secret signing key $sk$ are obtained in the following manner.

- Select $\mathbf{S}\leftarrow\{-d,\cdots,0,\cdots,d\}^{m\times r}$ uniformly at random as the secret signing key.
- Select $\mathbf{A}\leftarrow\mathbb{Z}_q^{n\times m}$ and compute $\mathbf{T}=\mathbf{AS}$ as the public verification key.
- Compute $k$ different lattices $\Lambda_i$, $i=1,\cdots,k$, such that $\Lambda_1+\Lambda_2+\cdots+\Lambda_k=\mathbb{Z}^n$ and $\Lambda_1\cap\Lambda_2\cap\cdots\cap\Lambda_k=\Lambda$, with $q$ as modulus.

Then $vk=(\mathbf{A},\mathbf{T},\Lambda,\Lambda_i,\ i=1,\cdots,k)$ and $sk=\mathbf{S}$.

**Sign**($sk,\{\varpi_1,\cdots,\varpi_k\}\in\left\{\{0,1\}^{\ast}\right\}^k$): Given $sk=\mathbf{S}$ and the set of messages $\{\varpi_1,\cdots,\varpi_k\}\in\left\{\{0,1\}^{\ast}\right\}^k$, the following steps lead to the batch signature on these messages.

- Construct the system of equations
  $$\left\{\begin{array}{l}\mathbf{v}=H_1(\varpi_1)\bmod\Lambda_1\\ \mathbf{v}=H_1(\varpi_2)\bmod\Lambda_2\\ \cdots\\ \mathbf{v}=H_1(\varpi_k)\bmod\Lambda_k\end{array}\right.$$
  and solve it for $\mathbf{v}$.
- Sample $\mathbf{y}\leftarrow\mathcal{D}_{\mathbb{Z}^m,s}$ and compute $\mathbf{c}=H_2(\mathbf{Ay},\mathbf{v})$.
- Let $\mathbf{z}=\mathbf{Sc}+\mathbf{y}$, and output $(\mathbf{v},\mathbf{z},\mathbf{c})$ as the signature with probability $\min\left(\frac{\mathcal{D}_{\mathbb{Z}^m,s}(\mathbf{z})}{M\,\mathcal{D}_{\mathbb{Z}^m,s,\mathbf{Sc}}(\mathbf{z})},1\right)$.

**Verify**($vk,\varpi_j,(\mathbf{v},\mathbf{z},\mathbf{c})$): For the $j$-th message $\varpi_j$ and the signature $(\mathbf{v},\mathbf{z},\mathbf{c})$, validation involves the following three relations:

- $\|\mathbf{z}\|\le 2s\sqrt{m}$.
- $\mathbf{c}=H_2(\mathbf{Az}-\mathbf{Tc},\mathbf{v})$.
- $\mathbf{v}\bmod\Lambda_j=H_1(\varpi_j)$.

If all three are true, accept message $\varpi_j$; otherwise, reject it.
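The system of congruences $\mathbf{v}=H(\varpi_i)\bmod\Lambda_i$ that Sections 5.1 and 6.1 both construct, worked through with the concrete lattices $\Lambda_i=p_i\mathbb{Z}^n$ of Section 1.3, together with the per-message check $\mathbf{v}\bmod\Lambda_j=H(\varpi_j)$ that verifier $j$ performs. This is an added example, not code from the paper: the dimension $n$, the three primes, the messages and the SHA-256-based stand-in for $H$ are all constructed here, and the lattice part of the signature ($\mathbf{e}$ from SamplePre, or $(\mathbf{z},\mathbf{c})$ from the FS transform) is not reproduced.

```python
import hashlib
from functools import reduce
from math import gcd
from typing import List, Sequence

N = 8            # toy lattice dimension n (assumption; the paper's n grows with lambda)
COORD_BYTES = 4  # each coordinate of H(w) is a 32-bit integer (assumption)

# Constructed sample batch and moduli. With distinct primes p_i the lattices
# Λ_i = p_i Z^n satisfy Λ_1 + Λ_2 + Λ_3 = Z^n and Λ_1 ∩ Λ_2 ∩ Λ_3 = (p_1 p_2 p_3) Z^n.
SAMPLE_MESSAGES = [b"meter-A:reading=17", b"meter-B:reading=42", b"meter-C:reading=9"]
SAMPLE_PRIMES = [12289, 40961, 65537]


def H(msg: bytes, n: int = N) -> List[int]:
    """Stand-in for H: {0,1}* -> Z^n, built from SHA-256 with a block counter."""
    out: List[int] = []
    ctr = 0
    while len(out) < n:
        d = hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        out.extend(int.from_bytes(d[i:i + COORD_BYTES], "big")
                   for i in range(0, len(d), COORD_BYTES))
        ctr += 1
    return out[:n]


def lattices_cover_zn(moduli: Sequence[int]) -> bool:
    """p_1 Z^n + ... + p_k Z^n = Z^n exactly when the moduli are pairwise coprime;
    without this the system v = H(w_i) mod Λ_i need not have a solution."""
    return all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])


def intersection_modulus(moduli: Sequence[int]) -> int:
    """Λ = Λ_1 ∩ ... ∩ Λ_k = P Z^n with P the product of the pairwise-coprime moduli."""
    return reduce(lambda a, b: a * b, moduli, 1)


def reduce_mod_lattice(v: Sequence[int], p: int) -> List[int]:
    """v mod (p Z^n): coordinate-wise reduction into [0, p)."""
    return [x % p for x in v]


def crt_coordinate(residues: Sequence[int], moduli: Sequence[int]) -> int:
    """Garner's algorithm: the unique x in [0, P) with x = r_i (mod p_i) for every i."""
    x, big_m = 0, 1
    for r, p in zip(residues, moduli):
        t = ((r - x) * pow(big_m, -1, p)) % p   # lift x so that it also matches r mod p
        x += big_m * t
        big_m *= p
    return x


def batch_target(messages: Sequence[bytes], moduli: Sequence[int]) -> List[int]:
    """Solve the Section 5.1 / 6.1 system  v = H(w_i) mod Λ_i  for i = 1..k.

    The result is one vector v (a representative of a single coset of Λ) that
    binds all k digests; it is the value SamplePre (Section 5) or the Fiat-Shamir
    step (Section 6) then signs."""
    if len(messages) != len(moduli):
        raise ValueError("one lattice Λ_i per message is required")
    if not lattices_cover_zn(moduli):
        raise ValueError("moduli must be pairwise coprime so that the Λ_i sum to Z^n")
    digests = [H(m) for m in messages]
    return [crt_coordinate([d[c] for d in digests], moduli) for c in range(N)]


def verify_message(v: Sequence[int], message: bytes, p_j: int) -> bool:
    """Verifier j's check  v mod Λ_j == H(w_j) mod Λ_j  (the third relation of
    Section 6.1; in Section 5.1 it is applied to A e once A e = v is established)."""
    return reduce_mod_lattice(v, p_j) == reduce_mod_lattice(H(message), p_j)


if __name__ == "__main__":
    v = batch_target(SAMPLE_MESSAGES, SAMPLE_PRIMES)
    for m, p in zip(SAMPLE_MESSAGES, SAMPLE_PRIMES):
        print(p, verify_message(v, m, p))
```

Each verifier only needs its own modulus $p_j$ and its own message; a message paired with a modulus it was not signed under, or a message altered after signing, fails the congruence.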

#### 6.2. Security Analysis

## 7. Efficiency Comparison and the Application to IoT

**Sign**($sk,\{\varpi_1,\cdots,\varpi_k\}$), obtain $(\mathbf{v},\mathbf{z},\mathbf{c})$, and store it with the message $\varpi_i$, $i=1,\cdots,k$. When the $j$-th central control unit's data $\varpi_j$ is called, $(\varpi_j,(\mathbf{v},\mathbf{z},\mathbf{c}))$ is provided, and the algorithm **Verify**($\varpi_j,(\mathbf{v},\mathbf{z},\mathbf{c})$) can be invoked to verify the validity of the data $\varpi_j$. If the answer is yes, the data is authoritative and credible. Otherwise, the data is unusable. The data flow diagram is shown in Figure 3.

## 8. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. **2013**, 29, 1645–1660.
2. Bennett, T.R.; Savaglio, C.; Lu, D.; Massey, H.; Wang, X.; Wu, J.; Jafari, R. MotionSynthesis Toolset (MoST): A Toolset for Human Motion Data Synthesis and Validation. In Proceedings of the 4th ACM MobiHoc Workshop on Pervasive Wireless Healthcare (MobileHealth ’14), Philadelphia, PA, USA, 11 August 2014; pp. 25–30.
3. Li, S.; Xu, L.D.; Zhao, S. The internet of things: A survey. Inf. Syst. Front. **2015**, 17, 243–259.
4. Fortino, G.; Russo, W.; Savaglio, C.; Viroli, M.; Zhou, M. Modeling Opportunistic IoT Services in Open IoT Ecosystems. In Proceedings of the 18th Workshop “From Objects to Agents” (WOA 2017), Scilla (RC), Italy, 15–16 June 2017; pp. 90–95.
5. Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory **1976**, 22, 644–654.
6. Goldwasser, S.; Micali, S.; Yao, A.C. On Signatures and Authentication. In Advances in Cryptology: Proceedings of CRYPTO ’82, Santa Barbara, CA, USA, 23–25 August 1982; Chaum, D., Rivest, R.L., Sherman, A.T., Eds.; Plenum Press: New York, NY, USA, 1982; pp. 211–215.
7. Rivest, R.L.; Shamir, A.; Adleman, L.M. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (Reprint). Commun. ACM **1983**, 26, 96–99.
8. Huang, X.; Liu, J.K.; Tang, S.; Xiang, Y.; Liang, K.; Xu, L.; Zhou, J. Cost-Effective Authentic and Anonymous Data Sharing with Forward Security. IEEE Trans. Comput. **2015**, 64, 971–983.
9. Liang, K.; Chu, C.; Tan, X.; Wong, D.S.; Tang, C.; Zhou, J. Chosen-ciphertext secure multi-hop identity-based conditional proxy re-encryption with constant-size ciphertexts. Theor. Comput. Sci. **2014**, 539, 87–105.
10. Ning, J.; Cao, Z.; Dong, X.; Liang, K.; Ma, H.; Wei, L. Auditable σ-Time Outsourced Attribute-Based Encryption for Access Control in Cloud Computing. IEEE Trans. Inf. Forensics Secur. **2018**, 13, 94–105.
11. Zhou, J.; Duan, H.; Liang, K.; Yan, Q.; Chen, F.; Yu, F.R.; Wu, J.; Chen, J. Securing Outsourced Data in the Multi-Authority Cloud with Fine-Grained Access Control and Efficient Attribute Revocation. Comput. J. **2017**, 60, 1210–1222.
12. Shao, J.; Lu, R.; Lin, X.; Liang, K. Secure bidirectional proxy re-encryption for cryptographic cloud storage. Pervasive Mob. Comput. **2016**, 28, 113–121.
13. Gamal, T.E. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory **1985**, 31, 469–472.
14. Fiat, A. Batch RSA. In Proceedings of the Advances in Cryptology—CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 1989; pp. 175–185.
15. M’Raïhi, D.; Naccache, D. Batch Exponentiation: A Fast DLP-Based Signature Generation Strategy. In Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS ’96), New Delhi, India, 14–16 March 1996; pp. 58–61.
16. Pavlovski, C.; Boyd, C. Efficient batch signature generation using tree structures. In Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC), Hong Kong, China, 5–8 July 1999; Volume 99, pp. 70–77.
17. Cheng, W.C.; Chou, C.; Golubchik, L. Performance of Batch-Based Digital Signatures. In Proceedings of the 10th International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS 2002), Fort Worth, TX, USA, 11–16 October 2002; p. 291.
18. Korkmaz, T.; Tek, S. Analyzing Response Time of Batch Signing. J. Internet Serv. Inf. Secur. **2011**, 1, 70–85.
19. Boyd, C.; Foo, E.; Pavlovski, C. Efficient Electronic Cash Using Batch Signatures. In Proceedings of the Information Security and Privacy, 4th Australasian Conference, ACISP’99, Wollongong, NSW, Australia, 7–9 April 1999; pp. 244–257.
20. Youn, T.; Park, Y.; Kwon, T.; Kwon, S.; Lim, J. Efficient Flexible Batch Signing Techniques for Imbalanced Communication Applications. IEICE Trans. **2008**, 91-D, 1481–1484.
21. Shor, P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. **1997**, 26, 1484–1509.
22. Ajtai, M. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 99–108.
23. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206.
24. Alwen, J.; Peikert, C. Generating Shorter Bases for Hard Random Lattices. Theory Comput. Syst. **2011**, 48, 535–553.
25. Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Pointcheval, D., Johansson, T., Eds.; Springer: Cambridge, UK, 2012; Volume 7237, pp. 700–718.
26. Lyubashevsky, V. Lattice Signatures without Trapdoors. In Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Pointcheval, D., Johansson, T., Eds.; Springer: Cambridge, UK, 2012; Volume 7237, pp. 738–755.
27. Boneh, D.; Freeman, D.M. Homomorphic Signatures for Polynomial Functions. In Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Paterson, K.G., Ed.; Springer: Tallinn, Estonia, 2011; Volume 6632, pp. 149–168.
28. Bellare, M.; Rogaway, P. Collision-Resistant Hashing: Towards Making UOWHFs Practical. In Proceedings of the Advances in Cryptology—CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; pp. 470–484.
29. Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) Fully Homomorphic Encryption without Bootstrapping. TOCT **2014**, 6, 13.
30. Howe, J.; Pöppelmann, T.; O’Neill, M.; O’Sullivan, E.; Güneysu, T. Practical Lattice-Based Digital Signature Schemes. ACM Trans. Embed. Comput. Syst. **2015**, 14, 41.
31. Alkadri, N.A.; Buchmann, J.; Bansarkhani, R.; Krämer, J. A Framework to Select Parameters for Lattice-Based Cryptography. Cryptology ePrint Archive, Report 2017/615. Available online: https://eprint.iacr.org/2017/615 (accessed on 26 June 2017).
32. Yuan, Y.; Cheng, C.M.; Kiyomoto, S.; Miyake, Y.; Takagi, T. Portable implementation of lattice-based cryptography using JavaScript. Int. J. Netw. Comput. **2016**, 6, 309–327.
33. Longa, P.; Naehrig, M. Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In Proceedings of the International Conference on Cryptology and Network Security, Milan, Italy, 14–16 November 2016; pp. 124–139.
34. Yuce, M.R.; Ng, S.W.P.; Myo, N.L.; Khan, J.Y.; Liu, W. Wireless Body Sensor Network Using Medical Implant Band. J. Med. Syst. **2007**, 31, 467–474.

| Scheme (Size/Computation) | Our 1st Scheme (with Binary Tree) | Our 2nd Scheme (with Intersection Method) | Our 3rd Scheme (with FS Transformation) |
|---|---|---|---|
| $sk$ | $\mathcal{O}\left(n^2\log^3 n\right)$ | $\mathcal{O}\left(n^2\log^3 n\right)$ | $\mathcal{O}\left(n^2\log^3 n\right)$ |
| $vk$ | $\mathcal{O}\left(n^2\log^2 n\right)$ | $\mathcal{O}\left(kn^2\right)$ | $\mathcal{O}\left(kn^2\right)$ |
| signature | $\mathcal{O}\left(kn\right)$ | $\mathcal{O}\left(n\right)$ | $\mathcal{O}\left(n\right)$ |
| $Sign$ | $(2k-1)\mathcal{H}+\mathcal{S}+\mathcal{O}\left(n^2\right)$ | $\mathcal{O}\left(n^3\right)+\mathcal{S}$ | $\mathcal{O}\left(n^3\right)$ |
| $Verify$ | $2\mathcal{V}+k\mathcal{H}$ | $2\mathcal{V}+\mathcal{H}$ | $3\mathcal{V}+\mathcal{H}$ |
| Anti-quantum | √ | √ | √ |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Lu, X.; Yin, W.; Wen, Q.; Liang, K.; Chen, L.; Chen, J.
Message Integration Authentication in the Internet-of-Things via Lattice-Based Batch Signatures. *Sensors* **2018**, *18*, 4056.
https://doi.org/10.3390/s18114056
