Open Access
This article is

- freely available
- re-usable

*Sensors*
**2018**,
*18*(11),
4056;
doi:10.3390/s18114056

Article

Message Integration Authentication in the Internet-of-Things via Lattice-Based Batch Signatures

^{1}

State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

^{2}

Faculty of Mathematics and Information Science, Langfang Normal University, Langfang 065000, China

^{3}

Department of Computer Science, University of Surrey, Guildford GU2 7XH, UK

^{4}

School of Computer Science, Central China Normal University, Wuhan 430079, China

^{*}

Author to whom correspondence should be addressed.

Received: 23 October 2018 / Accepted: 13 November 2018 / Published: 20 November 2018

## Abstract

**:**

The internet-of-things (also known as IoT) connects a large number of information-sensing devices to the Internet to collect all kinds of information needed in real time. The reliability of the source of a large number of accessed information tests the processing speed of signatures. Batch signature allows a signer to sign a group of messages at one time, and signatures’ verification can be completed individually and independently. Therefore, batch signature is suitable for data integration authentication in IoT. An outstanding advantage of batch signature is that a signer is able to sign as many messages as possible at one time without worrying about the size of signed messages. To reduce complexity yielded by multiple message signing, a binary tree is usually leveraged in the construction of batch signature. However, this structure requires a batch residue, making the size of a batch signature (for a group of messages) even longer than the sum of single signatures. In this paper, we make use of the intersection method from lattice to propose a novel generic method for batch signature. We further combine our method with hash-and-sign paradigm and Fiat–Shamir transformation to propose new batch signature schemes. In our constructions, a batch signature does not need a batch residue, so that the size of the signature is relatively smaller. Our schemes are securely proved to be existential unforgeability against adaptive chosen message attacks under the small integer solution problem, which shows great potential resisting quantum computer attacks.

Keywords:

IoT; message integration authentication; batch signature; tree structure; intersection method; lattice## 1. Introduction

IoT connects all kinds of objects with the Internet, through various sensing technologies and various means of communication, to achieve remote monitoring and other purposes [1,2,3,4]. Because of large numbers of nodes, wide sources of information and fast updating of information, information authentication processing is very stressful, which brings forward a new research topic for digital signature.

Digital signature was firstly defined and designed in [5,6,7]. This security mechanism allows a message owner to put digital "stamp" on a message to declare the corresponding ownership. Since its introduction, digital signature has been widely employed in many real-world applications, e.g., authentication [8], message integrity check [9], electronic voting, electronic property ownership proof (cryptocurrencies—https://bitcoin.org/en/) and other cloud-based applications [10,11,12]. Due to various of construction techniques, there are many variants of digital signature systems by far, e.g., El-Gamal [13], RSA-based [7], DSA and ECDSA. When it comes to the environment of IoT, batch signature, which is a variant of conventional digital signature, is a good choice.

#### 1.1. Batch Signature

The notion of batch signature was firstly proposed by Fiat [14] in CRYPTO 1989. It allows a valid user to sign many messages with almost the cost of one signature operation. In other words, batch signature scheme could sign multiple messages simultaneously. Like carbon paper, someone only needs to sign the top file once by inserting each file in the middle of the carbon paper, all the documents are signed, and each message can be independently verified by recipients. This cryptographic primitive has greatly improved the efficiency of signing a large number of messages.

Following Fiat’s seminal work, a lot of works on batch signature have been proposed. In 1996, M’Raïhi and Naccache [15] gave a batch exponentiation strategy, and applied it to the batch generation of fixed-g-based signatures. In 1999, Pavlovski and Boyd [16] presented a batch signature scheme based on binary tree structure. Binary tree structure is a general construction to transform a common signature algorithm into a batch signature algorithm. In addition, Cheng et al. [17] and Korkmaz [18] analysed the efficiency of existed batch signatures independently.

Besides theoretical construction, there are many more scenarios to apply batch signature technology. In 1999, Boyd et al. [19] proposed an efficient electronic cash using batch signatures. In 2008, Youn et al. [20] applied batch signature in imbalanced communication. We find batch signature is also indispensable in IoT and blockchain. In IoT, when messages from multiple sensor nodes are imported into the host, batch signature of messages is a good way to improve the efficiency of signature. In blockchain, multiple transactions could be handled simultaneously in one-block-generated time. We may save time and space cost by using batch signature scheme.

Faced with a large number of application requirements, the theoretical research of batch signature is not perfect. There are some defects about the existed batch signature, for example, the limited number of signed messages, dependence of signature verification on batch residue and the risk of anti-quantum algorithm attack.

#### 1.2. Lattice-Based Signature

The above constructions are based on the traditional number theory assumptions. According to Shor’s results [21], they can not resist the quantum computer’s attack. In the aspect of anti-quantum, lattice-based cryptography is a hot spot for cryptologists, due to the following three advantages. Firstly, large integer factorization and discrete logarithm problems have been proven to be unable to resist quantum computer’s attacks, meanwhile, there is no quantum algorithm that could solve hard problems in lattice. Secondly, cryptographic schemes based on the difficulty assumptions of the average case lattice problems can be reduced to the difficulty assumptions of the worst case lattice problems. It means that the security of cryptographic schemes built on average case lattice problems depends on the worst case lattice problems. The majority of public key cryptosystems are lack of this feature. Thirdly, most of the operations in the lattice are linear operations, so that lattice-based cryptographic schemes have potential computational efficiency.

Lattice-based cryptography has achieved many results. Ajtai [22] proposed the small integer solution problem, known as the SIS problem, in 1996. It is an average case problem hard to solve for appropriate parameter settings, and its difficulty is based on worst case lattice hard problems. The SIS problem, as well as its extension, the inhomogeneous small integer solution problem ISIS, forms the foundation of lattice-based signature schemes.

The most important theoretical breakthrough of lattice-based signature began with the signature scheme in [23]. The main structure of this signature scheme includes a trapdoor generation algorithm and preimage sampleable algorithm; these two algorithms are both with relatively large computational complexity, which hinders the practicability of signature schemes.

In order to solve the efficiency problem of signature schemes, cryptologists have considered the issue from many different perspectives. Alwen and Peikert [24] showed the techniques to get better trapdoor at a faster speed. Micciancio and Peikert [25] proposed a different structure, converted the general lattice trapdoor generation algorithm into a simple lattice trapdoor generation algorithm, and designed a more efficient trapdoor generation algorithm. As a by-product of this new algorithm, the efficiency of preimage sampleable algorithm has also been greatly improved. Therefore, the signature scheme in [25] has better efficiency and security.

Signature schemes in [23,25] have the same construction idea and both belong to the hash-and-sign paradigm. In 2012, Lyubashevsky [26] followed the Fiat–Shamir transformation, managed to avoid the use of trapdoor generation algorithm and preimage sampleable algorithm, and constructed more efficient signature schemes using matrix-vector multiplications and rejecting samplings. These signature schemes make the lattice-based signature schemes practical. Since then, lattice-based signature has continued with more and more contributions, but the core idea still follows the above mentioned signature schemes from [23,25,26].

#### 1.3. Our Contributions

In this paper, we propose lattice-based batch signature schemes. Our batch signature schemes remove the batch residue in [19], which makes our batch signature has the same length as one ordinary signature.

- We propose lattice-based batch signature schemes for the first time. Our schemes possess a general property, that is, our construction can be combined with any existing lattice-based signature scheme.
- The technique we use is an extension of the intersection method from [27]. The intersection method is as follows: for $n$—dimensional integer lattices ${\mathsf{\Lambda}}_{1}$ and ${\mathsf{\Lambda}}_{2}$ such that ${\mathsf{\Lambda}}_{1}+{\mathsf{\Lambda}}_{2}={\mathbb{Z}}^{n}$ and ${\mathsf{\Lambda}}_{1}\bigcap {\mathsf{\Lambda}}_{2}\ne \varphi $, there exists a short vector $\mathbf{e}$, which belongs to ${\mathbf{v}}_{1}+{\mathsf{\Lambda}}_{1}\cap {\mathbf{v}}_{2}+{\mathsf{\Lambda}}_{2}$ and can be viewed as a signature of ${\mathbf{v}}_{1}\in {\mathbb{Z}}^{n}$ and ${\mathbf{v}}_{2}\in {\mathbb{Z}}^{n}$.We demonstrate this technique with a concrete example in terms of $k\ge 2$. In detail, let ${\mathsf{\Lambda}}_{1}={p}_{1}{\mathbb{Z}}^{n}$, ${\mathsf{\Lambda}}_{2}={p}_{2}{\mathbb{Z}}^{n},\cdots ,{\mathsf{\Lambda}}_{k}={p}_{k}{\mathbb{Z}}^{n}$ with k primes ${p}_{1},{p}_{2},\cdots ,{p}_{k}$. Because ${p}_{1},{p}_{2},\cdots ,{p}_{k}$ are different primes, ${p}_{1}{\mathbb{Z}}^{n}+{p}_{2}{\mathbb{Z}}^{n}+\cdots +{p}_{k}{\mathbb{Z}}^{n}={\mathbb{Z}}^{n}$ and ${p}_{1}{\mathbb{Z}}^{n}\cap {p}_{2}{\mathbb{Z}}^{n}\cap \cdots \cap {p}_{k}{\mathbb{Z}}^{n}={p}_{1}{p}_{2}\cdots {p}_{k}{\mathbb{Z}}^{n}\ne \varphi $. Therefore, for k messages ${\mathbf{v}}_{1},{\mathbf{v}}_{2},\cdots ,{\mathbf{v}}_{k}\in {\mathbb{Z}}^{n}$, there exists a short vector $\mathbf{e}\in {\mathbf{v}}_{1}+{p}_{1}{\mathbb{Z}}^{n}\cap {\mathbf{v}}_{2}+{p}_{2}{\mathbb{Z}}^{n}\cap \cdots \cap {\mathbf{v}}_{k}+{p}_{k}{\mathbb{Z}}^{n}$, which binds ${\mathbf{v}}_{1},{\mathbf{v}}_{2},\cdots ,{\mathbf{v}}_{k}$ and can be viewed as their batch signature.
- With the intersection method as core technique, we give two batch signature schemes based on hash-and-sign paradigm and Fiat–Shamir transformation, as well as a lattice-based batch signature scheme based on binary tree.

#### 1.4. Organization

Our paper is organized as follows. First, we give some basic definitions and facts about lattice-based cryptography in Section 2. Then, we describe batch signature scheme definition and security in Section 3. In Section 4, we give lattice-based batch signature scheme based on binary tree. In Section 5, we propose lattice-based batch signature scheme based on hash-and-sign paradigm and the intersection method. In Section 6, we demonstrate lattice-based batch signature scheme based on Fiat–Shamir transformation and the intersection method. In Section 7, we present the comparison of our schemes with other lattice-based batch signatures, then describe batch signature’s application to IoT. Finally, we conclude the paper in Section 8.

## 2. Preliminaries

We make use of standard asymptotic notations in our paper. For any function $f\left(n\right)$ and $g\left(n\right)$ with positive real value set $\mathbb{R}$ as range, $f=O\left(g\right)$ means that there are constants a and b such that $f\left(n\right)\le ag\left(n\right)$ for all $n\ge b$; $f=o\left(g\right)$ if and only if ${lim}_{n\to \infty}f\left(n\right)/g\left(n\right)=0$; $f=\omega \left(g\right)$ if and only if $g=o\left(f\right)$; $f\left(n\right)$ is negligible if and only if $f=o(1/g)$ for any polynomial $g\left(n\right)={n}^{c}$; $f\left(n\right)$ is overwhelming if and only if $1-f\left(n\right)$ is negligible.

**Definition**

**1.**

${\mathcal{D}}_{{\mathbb{Z}}^{m},s,\mathbf{c}}$is the discrete Gaussian distribution in${\mathbb{Z}}^{m}$,its center is$\mathbf{c}$and Gaussian parameter is s. If the center is vector$\mathbf{0}$, $\mathbf{0}$may be omitted. If$\mathbf{e}\u27f5{\mathcal{D}}_{{\mathbb{Z}}^{m},s}$,its Euclidean norm is$\parallel \mathbf{e}\parallel \le s\sqrt{m}$with overwhelming probability [23].

**Definition**

**2.**

Trapdoor generation algorithm TrapGen$(n,q,m)$inputs n, q and m, where n is an integer,$q\ge 3$is an odd, and$m=\lceil 6nlogq\rceil $is the minimum integer not less than$6nlogq$.The algorithm outputs a pair$(\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m},\mathbf{T}\in {\mathbb{Z}}^{m\times m})$such that$\mathbf{A}$is statistically close to a uniform random matrix in${\mathbb{Z}}_{q}^{n\times m}$, $\mathbf{T}$is a basis for${\mathsf{\Lambda}}_{q}^{\perp}\left(\mathbf{A}\right)$satisfying$\parallel \tilde{\mathbf{T}}\parallel \le O\left(\sqrt{nlogq}\right)$and$\parallel \mathbf{T}\parallel \le O(nlogq)$with overwhelming probability. Here,$\tilde{\mathbf{T}}$is the Gram-Schmidt orthogonalization matrix of$\mathbf{T}$, $\parallel \mathbf{T}\parallel $denotes the largest Euclidean norm of the column vectors in matrix$\mathbf{T}$[24].

**Definition**

**3.**

Let$\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$,$\mathbf{T}$is a basis for${\mathsf{\Lambda}}_{q}^{\perp}\left(\mathbf{A}\right)$,and$s\ge \parallel \tilde{\mathbf{T}}\parallel \xb7\omega \left(\sqrt{logm}\right)$. Then for$\mathbf{u}\in {\mathbb{Z}}_{q}^{n}$,preimage sampleable algorithm SamplePre$(\mathbf{A},\mathbf{T},\mathbf{u},s)$samples$\mathbf{x}$satisfying$\parallel \mathbf{x}\parallel $$\le s\sqrt{m}$and$\mathbf{Ax}=\mathit{u}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$[23].

**Definition**

**4.**

Small integer solution (SIS) [23]

SIS problem is defined as: for integer q, real β and matrix $\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$, search an integer vector $\mathbf{e}\in {\mathbb{Z}}^{m}$ satisfying $\mathbf{Ae}=\mathbf{0}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$, $\parallel \mathbf{e}\parallel \le \beta $ and $\mathbf{e}\ne \mathbf{0}$.

**Definition**

**5.**

The intersection of lattice${\mathsf{\Lambda}}_{1}$and lattice${\mathsf{\Lambda}}_{2}$is not empty, and${\mathsf{\Lambda}}_{1}+{\mathsf{\Lambda}}_{2}={\mathbb{Z}}^{n}$for element wise addition.${\mathbf{v}}_{1},{\mathbf{v}}_{2}\in {\mathbb{Z}}^{n}$are the coset representatives of${\mathsf{\Lambda}}_{1}$and${\mathsf{\Lambda}}_{2}$,respectively. Then there exists a vector$\mathbf{e}\in {\mathbb{Z}}^{n}$such that$\mathbf{e}={\mathbf{v}}_{1}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{1}$and$\mathbf{e}={\mathbf{v}}_{2}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{2}$.This result can be generalized to multiple lattices [27].

**Definition**

**6.**

Target Collision Resistant (TCR) Hash function [28]

Let $h:{\{0,1\}}^{n}\to {\{0,1\}}^{m}$ is a collision-resistant hash function if it satisfies the following properties:

- (length-compressing):$m<n$
- (hard to find collisions): For all PPT A, there exists a negligible function ϵ such that for all security parameters$n\in \mathbb{N}$,$$Pr[({x}_{0},{x}_{1})\leftarrow A({1}^{n},h):{x}_{0}\ne {x}_{1}\cap h\left({x}_{0}\right)=h\left({x}_{1}\right)]\u2a7d\u03f5\left(n\right)$$

## 3. System Definition and Threat Model

In this section, we give batch signature definitions of generic algorithms and security, which divide into two parts.

#### 3.1. Definition of Batch Signature System

Batch signature can use a signing action to complete the signing of a number of different messages, and the verification of individual message is independent. Besides, the system setup algorithm and key generation algorithm in batch signature scheme are as same as that of ordinary signature scheme.

**Setup**($\lambda $): Inputting security parameter $\lambda $, this algorithm determines necessary system public parameters $PP$.**KeyGen**($\lambda $): With security parameter $\lambda $ and system parameters $PP$ as above, this algorithm provides public verification key $vk$ and secret signing key $sk$.**Sign**($sk,\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}$): Given signing key $sk$ and messages set $\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}$, this algorithm computes batch signature e.**Verify**($vk,{\varpi}_{j},e,j=1,\cdots ,k$): Given message ${\varpi}_{j}$ and its signature e associated with verification key $vk$, this algorithm tells whether the j-th message has gained valid authentication, and outputs 1 if the answer is yes, otherwise outputs 0.

#### 3.2. Threat Model

Batch signature scheme should also satisfy existential unforgeability against adaptive chosen message attacks (EUF-CMA). We introduce a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ interacting with each other in the next game, to describe batch signature scheme’s security.

**Initialization**: In this period, challenger $\mathcal{C}$ executes algorithms**Setup**and**KeyGen**, provides system public parameters $PP$ and public verification key $vk$ for adversary $\mathcal{A}$.**Signing queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $({\varpi}_{1},{\varpi}_{2},\cdots ,{\varpi}_{k})$, sends the messages’ set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ invokes**Sign**algorithm, returns the result to adversary $\mathcal{A}$. Adversary $\mathcal{A}$ may repeat the query polynomial times in his favorite manner.**Forgery**: Once adversary $\mathcal{A}$ terminates signing queries, he offers a new message-signature pair $({\varpi}_{1}^{\ast},{\varpi}_{2}^{\ast},\cdots ,{\varpi}_{k}^{\ast},e)$.

If message-signature pair $({\varpi}_{1}^{\ast},{\varpi}_{2}^{\ast},\cdots ,{\varpi}_{k}^{\ast},e)$ is valid and has not been queried, adversary $\mathcal{A}$ wins the game.

**Theorem**

**1.**

Batch signature scheme is existential unforgeability against adaptive chosen message attacks(EUF-CMA), if for all adversary $\mathcal{A}$ with polynomial bounded computational power, the probability of he wins above game is negligible.

## 4. Lattice-Based Batch Signature with Binary Tree

#### 4.1. Proposed Construction

In this part, we combine the signature scheme in [23] and the structure of binary tree in [19], propose the first lattice-based batch signature scheme. The scheme includes the following steps, and the Figure 1 shows the binary tree for message processing.

**Setup**($\lambda $): In this stage, system parameters are provided with knowledge of security parameter $\lambda $.- n is a polynomial of $\lambda $, $q\ge 3$ is a polynomial of n, $m=\lceil 6nlogq\rceil $, $t=O\left(\sqrt{nlogq}\right)$.
- k is the number of messages to batch sign, and $s\ge t\xb7\omega \left(\sqrt{logm}\right)$ is the Gaussian parameter.
- ${H}_{0}:{\{0,1\}}^{\ast}\u27f6{\mathbb{Z}}_{q}^{n}$ and ${H}_{1}:{\mathbb{Z}}_{q}^{2n}\u27f6{\mathbb{Z}}_{q}^{n}$ are two collision resistant hash functions.

**KeyGen**($\lambda $): With system parameters as above, public verification key $vk$ and secret signing key $sk$ are obtained as follows. Invoke trapdoor generation algorithm TrapGen$(n,q,m)$ to get a uniform and random matrix $\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$, and the short basis $\mathbf{T}\in {\mathbb{Z}}^{m\times m}$ for lattice ${\mathsf{\Lambda}}_{q}^{\perp}\left(\mathbf{A}\right)$ with $\parallel \tilde{\mathbf{T}}\parallel \le t$.Finally output $vk=\mathbf{A}$, $sk=\mathbf{T}$.**Sign**($sk,\{{\varpi}_{0},\cdots ,{\varpi}_{k-1}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$): Given $sk=\mathbf{T}$ and the set of messages $\{{\varpi}_{0},\cdots ,{\varpi}_{k-1}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$, the following steps lead to batch signature on such messages.- Compute ${H}_{0}\left({\varpi}_{0}\right)$, ${H}_{0}\left({\varpi}_{1}\right)$,⋯, ${H}_{0}\left({\varpi}_{k-1}\right)$, let ${H}_{1}^{\left(0\right)}={H}_{0}\left({\varpi}_{0}\right)$, and execute for-loop as follows.for $i=1$ to $k-1$:${H}_{1}^{\left(i\right)}={H}_{1}({H}_{1}^{(i-1)}\parallel {H}_{0}\left({\varpi}_{i}\right))$$i=i+1$
- Compute $\mathbf{e}=$ SamplePre$(\mathbf{A},\mathbf{T},{H}_{1}^{(k-1)},s)$.
- For ${\varpi}_{i},i=0,\cdots ,k-1$, compute its brother ${B}_{i}$. Firstly, ${B}_{0}=({H}_{0}\left({\varpi}_{1}\right),\mathfrak{R})$, the left are shown in the next for-loop.for $i=1$ to $k-1$:${B}_{i}=({H}_{1}^{(i-1)},\mathfrak{L})$$i=i+1$Here, for ${\varpi}_{i}$’s brother ${B}_{i}$, its first entry denotes ${\varpi}_{i}$’s brother note, its second entry denotes the brother locates on ${\varpi}_{i}$’s left $\left(\mathfrak{L}\right)$ or right $\left(\mathfrak{R}\right)$.
- For ${\varpi}_{i},i=0,\cdots ,k-1$, compute its residue ${R}_{i}$. At first,$\begin{array}{l}{R}_{0}=\{({H}_{0}\left({\varpi}_{1}\right),\mathfrak{R}),({H}_{0}\left({\varpi}_{2}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\\ =\{{B}_{0},({H}_{0}\left({\varpi}_{2}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\end{array}$,the left are shown in the next for-loop.for $i=1$ to $k-2$:$\begin{array}{l}{R}_{i}=\{({H}_{1}^{(i-1)},\mathfrak{L}),({H}_{0}\left({\varpi}_{i+1}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\\ \phantom{\rule{25.6073pt}{0ex}}=\{{B}_{i},({H}_{0}({\varpi}_{i+1},\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\end{array}$$i=i+1$When $i=k-1$, ${R}_{i}={B}_{k-1}=\{({H}_{1}^{(k-2)},\mathfrak{L})\}$.Here, ${\varpi}_{i}$’s residue ${R}_{i}$ includes ${\varpi}_{i}$’s brother ${B}_{i}$ and all of its ancestor nodes’s brothers.
- For ${\varpi}_{i},i=0,\cdots ,k-1$, its signature is $(\mathbf{e},{R}_{i})$.

**Verify**($vk,{\varpi}_{j},(\mathbf{e},{R}_{j}),j=0,\cdots ,k-1$): Given message ${\varpi}_{j}$ and its signature $(\mathbf{e},{R}_{j})$ associated with verification key $vk=\mathbf{A}$,- ${H}_{1}^{(k-1)}$ should be recovered firstly.(1) If $j=0$,$\begin{array}{l}{R}_{0}=\{({H}_{0}\left({\varpi}_{1}\right),\mathfrak{R}),({H}_{0}\left({\varpi}_{2}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\\ =\{{B}_{0},({H}_{0}\left({\varpi}_{2}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\end{array}$,for $i=1$ to $k-1$:${H}_{1}^{\left(i\right)}={H}_{1}({H}_{1}^{(i-1)}\parallel {H}_{0}\left({\varpi}_{i}\right))$$i=i+1$When for-loop terminates, ${H}_{1}^{(k-1)}$ is obtained.(2) If $j\ne 0$,$\begin{array}{l}{R}_{j}=\{({H}_{1}^{(j-1)},\mathfrak{L}),({H}_{0}\left({\varpi}_{j+1}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\\ =\{{B}_{j},({H}_{0}\left({\varpi}_{j+1}\right),\mathfrak{R}),\cdots ,({H}_{0}\left({\varpi}_{k-1}\right),\mathfrak{R})\}\end{array}$,for $i=j$ to $k-1$:${H}_{1}^{\left(i\right)}={H}_{1}({H}_{1}^{(i-1)}\parallel {H}_{0}\left({\varpi}_{i}\right))$$i=i+1$When for-loop terminates, ${H}_{1}^{(k-1)}$ is obtained.
- Check whether $\parallel \mathbf{e}\parallel \le s\sqrt{m}$ and $\mathbf{A}\mathbf{e}={H}_{1}^{(k-1)}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$. If both relations are true, return 1 and accept the message-signature pair $({\varpi}_{j},(\mathbf{e},{R}_{j}))$; otherwise, return 0 and reject the message-signature pair.

#### 4.2. Security Analysis

Correctness of the scheme comes from the preimage sampleable algorithm. According to Definition 3, for messages set $\{{\varpi}_{1},{\varpi}_{2},\cdots ,{\varpi}_{k}\}$, assume the root of the binary tree is ${H}_{1}^{(k-1)}$, due to $\mathbf{e}=$ SamplePre$(\mathbf{A},\mathbf{T},{H}_{1}^{(k-1)},s)$, $\parallel \mathbf{e}\parallel \le s\sqrt{m}$ and $\mathbf{A}\mathbf{e}={H}_{1}^{(k-1)}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$ hold. Moreover, without secret signing key $\mathbf{T}$, no one can call preimage sampleable algorithm to get a vector $\mathbf{e}$ that meets the verification criteria. Therefore, there is no problem with the correctness of the scheme.

Security of the scheme comes from the following Theorem 2.

**Theorem**

**2.**

If SIS problem is hard to solve, the lattice-based batch signature scheme based on binary tree has existential unforgeability against adaptive chosen message attacks (EUF-CMA).

**Proof.**

We assume that adversary $\mathcal{A}$ has breached the signature scheme, taking advantage of this attack power, challenger $\mathcal{C}$ can solve SIS problem for matrix $\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$. Because SIS problem is a hard problem, we ca not find the answer to SIS instance $\mathbf{A}$, which conflicts with our result. In this way, we get that no such adversary exists, and our scheme is secure.

**Initialization**: In this period, challenger $\mathcal{C}$ executes setup algorithm to set system parameters, he sets public verification key $vk=\mathbf{A}$, sends all of them to adversary $\mathcal{A}$.**Hash queries**: Challenger $\mathcal{C}$ creates a list to save the binary tree for k messages, and sets $\mathcal{H}=\left\{\right(({\varpi}_{0},\cdots ,{\varpi}_{k-1}),({H}_{0}\left({\varpi}_{0}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}\right)),$ $({H}_{1}^{\left(1\right)},\cdots ,{H}_{1}^{(k-1)}),\mathbf{e})\}$.When adversary $\mathcal{A}$ sends a set of messages $({\varpi}_{0},\cdots ,{\varpi}_{k-1})$ to challenger $\mathcal{C}$ for hash values. $\mathcal{C}$ searches list $\mathcal{H}$,If $({\varpi}_{0},\cdots ,{\varpi}_{k-1})$ do not exist in list $\mathcal{H}$, $\mathcal{C}$ chooses $\mathbf{e}\u27f5{\mathcal{D}}_{{\mathbb{Z}}^{m},s}$, sets ${H}_{1}^{(k-1)}=\mathbf{Ae}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$. Then $\mathcal{C}$ randomly picks ${H}_{0}\left({\varpi}_{i}\right)$, $i=0,\cdots ,k-1$, sets ${H}_{1}^{\left(i\right)}={H}_{1}({H}_{1}^{(i-1)}\parallel {H}_{0}\left({\varpi}_{i}\right))$ for $i=1$ to $k-1$, here ${H}_{1}^{\left(0\right)}={H}_{0}\left({\varpi}_{0}\right)$. $\mathcal{C}$ saves $(({\varpi}_{0},\cdots ,{\varpi}_{k-1}),$ $({H}_{0}\left({\varpi}_{0}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}\right)),$ $({H}_{1}^{\left(1\right)},\cdots ,{H}_{1}^{(k-1)}),\mathbf{e})$ in the list $\mathcal{H}$.If $({\varpi}_{0},\cdots ,{\varpi}_{k-1})$ exist in list $\mathcal{H}$, $\mathcal{C}$ does nothing.At last, $\mathcal{C}$ returns $(({H}_{0}\left({\varpi}_{0}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}\right)),$ $({H}_{1}^{\left(1\right)},\cdots ,{H}_{1}^{(k-1)}))$ to adversary $\mathcal{A}$.**Signature queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $({\varpi}_{0},\cdots ,{\varpi}_{k-1})$, sends the messages’ set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ firstly searches list $\mathcal{H}$ for the messages’ set. If it exists, $\mathcal{C}$ returns $(({H}_{0}\left({\varpi}_{0}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}\right)),({H}_{1}^{\left(1\right)},\cdots ,{H}_{1}^{(k-1)}),\mathbf{e})$ to adversary $\mathcal{A}$. If the messages’ set does not exist, $\mathcal{C}$ executes hash query firstly. Adversary $\mathcal{A}$ may repeat the query polynomial times in his favorite manner.**Forgery**: Once adversary $\mathcal{A}$ terminates signing queries, he forges a valid message-signature pair $(({\varpi}_{0}^{\ast},\cdots ,{\varpi}_{k-1}^{\ast}),({H}_{0}\left({\varpi}_{0}^{\ast}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}^{\ast}\right)),({H}_{1\ast}^{\left(1\right)},\cdots ,$${H}_{1\ast}^{(k-1)}),{\mathbf{e}}^{\ast})$.

$\mathcal{C}$ searches $(({\varpi}_{0}^{\ast},\cdots ,{\varpi}_{k-1}^{\ast}),({H}_{0}\left({\varpi}_{0}^{\ast}\right),\cdots ,{H}_{0}\left({\varpi}_{k-1}^{\ast}\right)),$ $({H}_{1\ast}^{\left(1\right)},\cdots ,{H}_{1\ast}^{(k-1)}),{\mathbf{e}}^{\prime})$ in list $\mathcal{H}$, then computes ${\mathbf{e}}^{\prime}-{\mathbf{e}}^{\ast}$ as the solution to the SIS instance $\mathbf{A}$, and the analysis is as following.

Due to the validity of the message-signature pair, adversary $\mathcal{A}$ has not made signing query on $({\varpi}_{0}^{\ast},\cdots ,{\varpi}_{k-1}^{\ast})$, and hash query on $({\varpi}_{0}^{\ast},\cdots ,{\varpi}_{k-1}^{\ast})$ has been done. Given ${H}_{1\ast}^{(k-1)}$, according to preimage min-entropy property of hash function [23], the min-entropy of ${\mathbf{e}}^{\ast}$ is $\omega (logn)$, so that ${\mathbf{e}}^{\prime}-{\mathbf{e}}^{\ast}\ne \mathbf{0}$ with overwhelming probability. Because ${\mathbf{e}}^{\prime}\u27f5{\mathcal{D}}_{{\mathbb{Z}}^{m},s}$, $\parallel {\mathbf{e}}^{\prime}\parallel \le s\sqrt{m}$. $\parallel {\mathbf{e}}^{\ast}\parallel \le s\sqrt{m}$ depends on the validity of forged signature. Therefore, $\parallel {\mathbf{e}}^{\prime}-{\mathbf{e}}^{\ast}\parallel \le 2s\sqrt{m}$. □

## 5. Lattice-Based Batch Signature Based on Hash-and-Sign Paradigm

Lattice-based batch signature scheme based on binary tree is successfully constructed and proved, but the signature should associate with all other messages in the batch to complete signature verification, and batch signature length is, thus, longer. Inspired by [27,29], we make use of an intersection method to accomplish the second and third lattice-based batch signature schemes. These two schemes’ signature verification does not require involvement of other messages, so that the length of the signature is shorter, and their schematic of algorithms is shown in the Figure 2.

#### 5.1. Design

Here is our second lattice-based batch signature scheme, which follows the hash-and-sign paradigm and the core technique is the intersection method.

**Setup**($\lambda $): In this stage, system parameters are provided with knowledge of security parameter $\lambda $.- n is a polynomial of $\lambda $, $q\ge 3$ is a polynomial of n, $m=\lceil 6nlogq\rceil $, $l=O\left(\sqrt{nlogq}\right)$.
- k is the number of messages to batch sign, and $s\ge l\xb7\omega \left(\sqrt{logm}\right)$ is the Gaussian parameter.
- $H:{\{0,1\}}^{\ast}\u27f6{\mathbb{Z}}^{n}$ is a collision resistant hash function.

**KeyGen**($\lambda $): With system parameters as above, public verification key $vk$ and secret signing key $sk$ are obtained in the following manners.- Invoke trapdoor generation algorithm TrapGen$(n,q,m)$ to get a uniform and random matrix $\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$, and the short basis $\mathbf{T}\in {\mathbb{Z}}^{m\times m}$ for lattice ${\mathsf{\Lambda}}_{q}^{\perp}\left(\mathbf{A}\right)$ with $\parallel \tilde{\mathbf{T}}\parallel \le l$.
- Compute k different lattices ${\mathsf{\Lambda}}_{i},i=1,\cdots ,k$, such that ${\mathsf{\Lambda}}_{1}+{\mathsf{\Lambda}}_{2}+\cdots +{\mathsf{\Lambda}}_{k}={\mathbb{Z}}^{n}$ and ${\mathsf{\Lambda}}_{1}\cap {\mathsf{\Lambda}}_{2}\cap \cdots \cap {\mathsf{\Lambda}}_{k}=\mathsf{\Lambda}$, which takes q as modulus.Then $vk=(\mathbf{A},\mathsf{\Lambda},{\mathsf{\Lambda}}_{i},i=1,\cdots ,k)$, $sk=\mathbf{T}$.

**Sign**($sk,\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$): Given $sk=\mathbf{T}$ and the set of messages $\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$, the following steps lead to batch signature on such messages.- Construct equations:$$\left\{\begin{array}{c}\mathbf{v}=H\left({\varpi}_{1}\right)\mathrm{mod}{\mathsf{\Lambda}}_{1}\\ \mathbf{v}=H\left({\varpi}_{2}\right)\mathrm{mod}{\mathsf{\Lambda}}_{2}\\ \cdots \\ \mathbf{v}=H\left({\varpi}_{k}\right)\mathrm{mod}{\mathsf{\Lambda}}_{k}\end{array}\right.$$
- Invoke preimage sampleable algorithm SamplePre$(\mathbf{A},\mathbf{T},\mathbf{v},s)$ to get the signature $\mathbf{e}$.

**Verify**($vk,{\varpi}_{j},\mathbf{e})$: For the j-th message ${\varpi}_{j}$ and the signature $\mathbf{e}$, validation involves the following two relations:- $\parallel \mathbf{e}\parallel \le s\sqrt{m}$.
- $\mathbf{A}\mathbf{e}=H\left({\varpi}_{j}\right)\mathrm{mod}{\mathsf{\Lambda}}_{j}$.If they are both true, accept message ${\varpi}_{j}$; otherwise, reject it.

#### 5.2. Security Analysis

Correctness of the second scheme is similar to that of the first scheme. By Definition 3, $\parallel \mathbf{e}\parallel \le s\sqrt{m}$ and $\mathbf{Ae}=\mathbf{v}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$. By Definition 2, $\mathbf{v}=H\left({\varpi}_{j}\right)\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{j}$. Combining $\mathbf{Ae}=\mathbf{v}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$ and $\mathbf{v}=H\left({\varpi}_{j}\right)\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{j}$, $\mathbf{Ae}=H\left({\varpi}_{j}\right)\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{j}$. Moreover, without signing key $\mathbf{T}$, nobody can invoke preimage sampleable algorithm to get a vector $\mathbf{e}$ satisfying the verification relations.

Security of the scheme comes from the following Theorem 3.

**Theorem**

**3.**

If SIS problem is a hard problem, the lattice-based batch signature scheme based on hash-and-sign paradigm has existential unforgeability against adaptive chosen message attacks (EUF-CMA).

**Proof.**

If there exists an adversary $\mathcal{A}$ who has the ability to forge batch signature for some messages, there exists a challenger $\mathcal{C}$ has the ability to give the solution to SIS instance $\mathbf{A}\in {\mathbb{Z}}_{q}^{n\times m}$, here the challenger $\mathcal{C}$ will seek the help of the adversary $\mathcal{A}$. Since SIS problem is a hard problem, the solution to SIS instance $\mathbf{A}$ is hard to obtained, this is in contradiction with our result. Therefore, the adversary $\mathcal{A}$ who has the ability to forge batch signature does not exist, and our lattice-based batch signature scheme based on hash-and-sign paradigm has EUF-CMA security.

**Initialization**: In this period, challenger $\mathcal{C}$ sets appropriate system parameters, lets public verification key $vk=\mathbf{A}$, sends all of them to adversary $\mathbf{A}$.**Hash queries**: Challenger $\mathcal{C}$ creates a list to save the hash values for k messages, and sets $\mathcal{H}=\left\{(({\varpi}_{1},\cdots ,{\varpi}_{k}),(H\left({\varpi}_{1}\right),\cdots ,H\left({\varpi}_{k}\right)),\mathbf{e})\right\}$.When adversary $\mathcal{A}$ sends a set of messages $({\varpi}_{1},\cdots ,{\varpi}_{k})$ to challenger $\mathcal{C}$ for hash values. $\mathcal{C}$ searches list $\mathcal{H}$.If $({\varpi}_{1},\cdots ,{\varpi}_{k})$ exist in list $\mathcal{H}$, $\mathcal{C}$ returns $(H\left({\varpi}_{1}\right),\cdots ,H\left({\varpi}_{k}\right))$ directly.If $({\varpi}_{1},\cdots ,{\varpi}_{k})$ do not exist in list $\mathcal{H}$, $\mathcal{C}$ samples $\mathbf{e}\u27f5{\mathcal{D}}_{{\mathbb{Z}}^{m},s}$, sets $\mathbf{v}=\mathbf{Ae}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$, and lets $\mathbf{v}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\mathsf{\Lambda}}_{i}=H\left({\omega}_{i}\right)$, $i=1,\cdots ,k$. Then $\mathcal{C}$ saves $(({\varpi}_{1},\cdots ,{\varpi}_{k}),(H\left({\varpi}_{1}\right),\cdots ,H\left({\varpi}_{k}\right)),\mathbf{e})$ in list $\mathcal{H}$, and returns $(H\left({\varpi}_{1}\right),\cdots ,H\left({\varpi}_{k}\right))$ to adversary $\mathcal{A}$.**Signing queries**: In this stage, adversary $\mathcal{A}$ selects a set of messages $({\varpi}_{1},{\varpi}_{2},\cdots ,{\varpi}_{k})$, sends the messages’ set to challenger $\mathcal{C}$ for the associated signature. Challenger $\mathcal{C}$ searches list $\mathcal{H}$ for messages $({\varpi}_{1},{\varpi}_{2},\cdots ,{\varpi}_{k})$.If the messages exist in list $\mathcal{H}$, challenger $\mathcal{C}$ returns $\mathbf{e}$ directly.If the messages do not exist in list $\mathcal{H}$, Challenger $\mathcal{C}$ firstly executes Hash query, then returns $\mathbf{e}$ to adversary $\mathcal{A}$.**Forgery**: Once adversary $\mathcal{A}$ terminates signing queries, he offers a new message-signature pair $({\varpi}_{1}^{\ast},{\varpi}_{2}^{\ast},\cdots ,{\varpi}_{k}^{\ast},{\mathbf{e}}^{\ast})$.Challenger $\mathcal{C}$ searches $(({\varpi}_{1}^{\ast},{\varpi}_{2}^{\ast},\cdots ,{\varpi}_{k}^{\ast}),(H\left({\varpi}_{1}^{\ast}\right),$ $\cdots ,H\left({\varpi}_{k}^{\ast}\right)),{\mathbf{e}}^{\prime})$ in list $\mathcal{H}$, then computes ${\mathbf{e}}^{\ast}-{\mathbf{e}}^{\prime}$ as the solution to the SIS instance $\mathbf{A}$.Because message-signature pair $({\varpi}_{1}^{\ast},{\varpi}_{2}^{\ast},\cdots ,{\varpi}_{k}^{\ast},{\mathbf{e}}^{\ast})$ is valid, adversary $\mathcal{A}$ has not made signing query on $({\varpi}_{1}^{\ast},\cdots ,{\varpi}_{k}^{\ast})$, and hash query on $({\varpi}_{1}^{\ast},\cdots ,{\varpi}_{k}^{\ast})$ has been done. Given $\mathbf{A}{\mathbf{e}}^{\prime}=\mathbf{v}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$, according to preimage min-entropy property of hash function [23], the min-entropy of ${\mathbf{e}}^{\ast}$ is $\omega (logn)$, so that ${\mathbf{e}}^{\prime}-{\mathbf{e}}^{\ast}\ne \mathbf{0}$ with overwhelming probability. Because ${\mathbf{e}}^{\prime}\u27f5{\mathcal{D}}_{{\mathbb{Z}}^{m},s}$, $\parallel {\mathbf{e}}^{\prime}\parallel \le s\sqrt{m}$. $\parallel {\mathbf{e}}^{\ast}\parallel \le s\sqrt{m}$ depends on the validity of forged signature. Therefore, $\parallel {\mathbf{e}}^{\prime}-{\mathbf{e}}^{\ast}\parallel \le 2s\sqrt{m}$.

## 6. Lattice-Based Batch Signature Based on FS Transformation

In lattice-based cryptography, trapdoor generation algorithm (Definition 2) and preimage sampleable algorithm (Definition 3) are fundamental algorithms of signature scheme, but both algorithms have high computational complexity. To improve signature scheme’s efficiency, we take lattice signature based on Fiat–Shamir transformation in [26], apply to lattice-based batch signature with intersection method, obtain a new and more efficient batch signature scheme.

#### 6.1. Design

**Setup**(n): In this stage, system parameters are provided with knowledge of security parameter n.- q may be ${2}^{25}$, d may be 1, r may be 512.
- $m>64+n\xb7logq/log(2d+1)$, $\kappa $ satisfies ${2}^{\kappa}\xb7\left(\begin{array}{c}n\\ \kappa \end{array}\right)\ge {2}^{100}$.
- s may be $12d\kappa \sqrt{m}$, and M may be ${e}^{(12d\kappa \sqrt{m}/s+{(d\kappa \sqrt{m}/\left(2s\right))}^{2})}$.
- ${H}_{1}:{\{0,1\}}^{\ast}\u27f6{\mathbb{Z}}^{n}$ and ${H}_{2}:{\{0,1\}}^{\ast}{\u27f6\{\mathbf{g}:\mathbf{g}\in \{-1,0,1\}}^{r}{,\parallel \mathbf{g}\parallel}_{1}\le \kappa \}$ are collision resistant hash functions, where ${\parallel \mathbf{g}\parallel}_{1}$ is the 1-norm of vector $\mathbf{g}$, namely, it is the sum of the absolute values of each element of vector $\mathbf{g}$.

**KeyGen**(n): With system parameters as above, public verification key $vk$ and secret signing key $sk$ are obtained in the following manners.- Select $\mathbf{S}\leftarrow {\{-d,\cdots ,0,\cdots ,d\}}^{m\times r}$ randomly as secret signing key.
- Select $\mathbf{A}\leftarrow {\mathbb{Z}}_{q}^{n\times m}$, compute $\mathbf{T}=\mathbf{AS}$ as public verification key.
- Compute k different lattices ${\mathsf{\Lambda}}_{i},i=1,\cdots ,k$, such that ${\mathsf{\Lambda}}_{1}+{\mathsf{\Lambda}}_{2}+\cdots +{\mathsf{\Lambda}}_{k}={\mathbb{Z}}^{n}$ and ${\mathsf{\Lambda}}_{1}\cap {\mathsf{\Lambda}}_{2}\cap \cdots \cap {\mathsf{\Lambda}}_{k}=\mathsf{\Lambda}$, which takes q as modulus.Then $vk=(\mathbf{A},\mathbf{T},\mathsf{\Lambda},{\mathsf{\Lambda}}_{i},i=1,\cdots ,k)$, $sk=\mathbf{S}$.

**Sign**($sk,\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$): Given $sk=\mathbf{S}$ and the set of messages $\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}\in {\left\{{\{0,1\}}^{\ast}\right\}}^{k}$, the following steps lead to batch signature on such messages.- Construct equations:$$\left\{\begin{array}{c}\mathbf{v}={H}_{1}\left({\varpi}_{1}\right)\mathrm{mod}{\mathsf{\Lambda}}_{1}\\ \mathbf{v}={H}_{1}\left({\varpi}_{2}\right)\mathrm{mod}{\mathsf{\Lambda}}_{2}\\ \cdots \\ \mathbf{v}={H}_{1}\left({\varpi}_{k}\right)\mathrm{mod}{\mathsf{\Lambda}}_{k}\end{array}\right.$$
- Sample $\mathbf{y}\leftarrow {\mathcal{D}}_{{\mathbb{Z}}^{m},s}$ randomly, compute $\mathbf{c}={H}_{2}(\mathbf{Ay},\mathbf{v})$.
- Let $\mathbf{z}=\mathbf{Sc}+\mathbf{y}$, output $(\mathbf{v},\mathbf{z},\mathbf{c})$ as signature with probability $min(\frac{{\mathcal{D}}_{{\mathbb{Z}}^{m},s}\left(\mathbf{z}\right)}{M{\mathcal{D}}_{{\mathbb{Z}}^{m},s,\mathbf{Sc}}\left(\mathbf{z}\right)},1)$.

**Verify**($vk,{\varpi}_{j},(\mathbf{v},\mathbf{z},\mathbf{c}))$: For the j-th message ${\varpi}_{j}$ and the signature $(\mathbf{v},\mathbf{z},\mathbf{c})$, validation involves the following three relations:- $\parallel \mathbf{z}\parallel \le 2s\sqrt{m}$.
- $\mathbf{c}={H}_{2}(\mathbf{Az}-\mathbf{Tc},\mathbf{v})$.
- $\mathbf{v}\mathrm{mod}{\mathsf{\Lambda}}_{j}={H}_{1}\left({\varpi}_{j}\right)$.If they are true, accept message ${\varpi}_{j}$; otherwise, reject it.

#### 6.2. Security Analysis

The batch signature scheme in Section 5 and the batch signature scheme in Section 6 are different in terms of basic signature schemes: the first basic signature scheme comes from the literature [23], the second basic signature scheme comes from the literature [26]. According to literature [30], for the same security, the second bath signature scheme has better efficiency.

## 7. Efficiency Comparison and the Application to IoT

Refs. [14,15,16] are among the several most important batch signature schemes and improved techniques so far. Ref. [14] first introduced the idea and provide the construction based on RSA scheme. Later in [15], the authors focused on speeding up the modular exponentiation operation which is used in many DLP based signatures. In other words, the work [15] focuses on signature schemes which were built in the traditional multiplicative group, and then the authors in [16] managed to achieve the constant complexity for signature generation and verification, which does not rely on the number of messages. Our second and third schemes enjoy the same advantage as [16] regarding constant generation and verification complexity. Comparing the concrete efficiency for those schemes boils down to the issue of comparing the underlined algebraic primitives. According to [31], the key parameters, namely $n,q$ in our lattice based scheme should be chosen at around 500 and 200,000 to achieve approximately the 128-bit level security. Generally speaking, our signature size will be larger than the ones constructed in the group where DLP or ECDLP problem is hard. According to [32], the computation of the lattice is very fast, and at the same security level the current lattice scheme will outperform the RSA and DLP or ECDLP based schemes. Most importantly, up to now, none of the previous listed batch signature schemes are able to resist against quantum attacks, which makes our scheme a very attractive choice in a long run. Lattice primitives are also being optimized by taking advantage of the modern CPU instruction such as AVX, AVX2 and so on [33], thus, the computation speed can be expected to be further improved.

In our constructions, we make use of two different approaches to integrate a group of messages to fulfill batch signatures, namely, binary tree and intersection methods. The schemes are existentially unforgeable against adaptive chosen message attacks. Table 1 shows the efficiency of our scheme regarding the different signature stages and parameter sizes in the asymptotic manner. From Table 1, it can be seen that all of the schemes require $O\left({n}^{2}lo{g}^{3}n\right)$ complexity on the secret key generation, while the 2nd and 3rd constructions only take $O\left(n\right)$ for the size of signature, which means that a batch signature is independent of the parameter k. For computational comparison, it can be seen that the 3rd construction requires least computational complexity, $O\left({n}^{3}\right)$, while others have to take S and other operations. In the verification stage, the 2nd and 3rd scheme are constant cost instead of being linear with k, unlike the 1st construction. In all aspects, 3rd construction is the most efficient, and we describe its application in wireless body sensor network, which is a typical application of IoT.

A wireless body sensor network [34] is composed of three sides: a receiver station(RS), many central control units (CCU), and many sensors (SS). A receiver station manages multiple central control units and a central control unit manages many sensors. Specifically, A patient’s body is implanted with many sensors and a central control unit, which collects human medical data and sends it to the receiver station. The receiver station is responsible for verifying data and warehousing for all central control units, that is, the receiver station checks medical data and signs all of them. When a large number of medical data, which is from different patients, come in at the same time, the receiver station will become the bottleneck of data processing. Batch signature can solve the requirement of batch signing and individual verification for patients’ medical data; the process is as follows.

Firstly, according to the 3rd batch signature scheme, wireless body sensor network sets up system parameters and public/private keys for the receiver station. A central control unit collects medical data in real time and sends it to the receiver station. The receiver station divides k central control unit data into one group, such as $\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}$, executes algorithm

**Sign**($sk,\{{\varpi}_{1},\cdots ,{\varpi}_{k}\}$), obtain $(\mathbf{v},\mathbf{z},\mathbf{c})$, store it with the message ${\varpi}_{i}$, $i=1,\cdots ,k$. When the j-th central control unit’s data ${\varpi}_{j}$ is called, (${\varpi}_{j},(\mathbf{v},\mathbf{z},\mathbf{c}))$ is provided, and the algorithm**Verify**(${\varpi}_{j},(\mathbf{v},\mathbf{z},\mathbf{c}))$ can be invoked to verify the validity of data ${\varpi}_{j}$. If the answer is yes, the data is authoritative and credible. Otherwise, the data is unusable. The data flow diagram is shown in the Figure 3.## 8. Conclusions

In this paper, we presented three new lattice-based batch signature schemes by using binary tree and intersection methods, with hash-and-sign paradigm and Fiat–Shamir transformation, respectively. Our schemes were existential unforgeability against adaptive chosen message attacks based on the difficulty of a small integer solution problem, which provided quantum security. A detailed efficiency analysis was also given, which showed that our schemes optimized the size of the public key, private key and signature. Moreover, we applied our batch signature schemes to a wireless body sensor network, which was a typical application of IoT, improved signature efficiency and security. In addition, batch signatures can also be applied to blockchain systems for speeding up the process of block signing operations, which we aim to be our next work.

## Author Contributions

The first author X.L., proposed the main idea “intersection method” for batch signature and gave three schemes. The second author W.Y., gave all the figures and tables, as well as Section 1 and Section 2. The third author Q.W., is the doctoral supervisor of the first two authors, guided the whole writing. The fourth author K.L., proposed the idea to describe signature from two frames: hash-and-sign paradigm and Fiat–Shamir transformation, which make the paper more comprehensive and systematic. The fifth author L.C., was responsible for the English writing of the whole paper. The sixth author J.C., the corresponding author, was responsible for efficiency analysis and application scenario description as well as the management of the research project.

## Funding

This work was funded by the National Natural Science Foundation of China [no. 61502044, 61402015, 61702212]; the Fundamental Research Funds for the Central Universities [no. 2015RC23]; the Natural Science Foundation of Hebei Province [no. F2018408040]; the Natural Science Foundation of Shandong Province [no. ZR201702180067]; and the Hebei Education Funds for Youth Project [no. QN2018047].

## Conflicts of Interest

We declare that no conflict of interest among six authors.

## References

- Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst.
**2013**, 29, 1645–1660. [Google Scholar] [CrossRef] - Bennett, T.R.; Savaglio, C.; Lu, D.; Massey, H.; Wang, X.; Wu, J.; Jafari, R. MotionSynthesis Toolset (MoST): A Toolset for Human Motion Data Synthesis and Validation. In Proceedings of the 4th ACM MobiHoc Workshop on Pervasive Wireless Healthcare (MobileHealth ’14), Philadelphia, PA, USA, 11 August 2014; pp. 25–30. [Google Scholar] [CrossRef]
- Li, S.; Xu, L.D.; Zhao, S. The internet of things: A survey. Inf. Syst. Front.
**2015**, 17, 243–259. [Google Scholar] [CrossRef] - Fortino, G.; Russo, W.; Savaglio, C.; Viroli, M.; Zhou, M. Modeling Opportunistic IoT Services in Open IoT Ecosystems. In Proceedings of the 18th Workshop “From Objects to Agents” (WOA 2017), Scilla (RC), Italy, 15–16 June 2017; pp. 90–95. [Google Scholar]
- Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory
**1976**, 22, 644–654. [Google Scholar] [CrossRef] - Goldwasser, S.; Micali, S.; Yao, A.C. On Signatures and Authentication. In Advances in Cryptology: Proceedings of CRYPTO ’82, Santa Barbara, CA, USA, 23–25 August 1982; Chaum, D., Rivest, R.L., Sherman, A.T., Eds.; Plenum Press: New York, NY, USA, 1982; pp. 211–215. [Google Scholar]
- Rivest, R.L.; Shamir, A.; Adleman, L.M. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems (Reprint). Commun. ACM
**1983**, 26, 96–99. [Google Scholar] [CrossRef] - Huang, X.; Liu, J.K.; Tang, S.; Xiang, Y.; Liang, K.; Xu, L.; Zhou, J. Cost-Effective Authentic and Anonymous Data Sharing with Forward Security. IEEE Trans. Comput.
**2015**, 64, 971–983. [Google Scholar] [CrossRef] - Liang, K.; Chu, C.; Tan, X.; Wong, D.S.; Tang, C.; Zhou, J. Chosen-ciphertext secure multi-hop identity-based conditional proxy re-encryption with constant-size ciphertexts. Theor. Comput. Sci.
**2014**, 539, 87–105. [Google Scholar] [CrossRef] - Ning, J.; Cao, Z.; Dong, X.; Liang, K.; Ma, H.; Wei, L. Auditable σ-Time Outsourced Attribute-Based Encryption for Access Control in Cloud Computing. IEEE Trans. Inf. Forensics Secur.
**2018**, 13, 94–105. [Google Scholar] [CrossRef] - Zhou, J.; Duan, H.; Liang, K.; Yan, Q.; Chen, F.; Yu, F.R.; Wu, J.; Chen, J. Securing Outsourced Data in the Multi-Authority Cloud with Fine-Grained Access Control and Efficient Attribute Revocation. Comput. J.
**2017**, 60, 1210–1222. [Google Scholar] [CrossRef] - Shao, J.; Lu, R.; Lin, X.; Liang, K. Secure bidirectional proxy re-encryption for cryptographic cloud storage. Pervasive Mob. Comput.
**2016**, 28, 113–121. [Google Scholar] [CrossRef] - Gamal, T.E. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory
**1985**, 31, 469–472. [Google Scholar] [CrossRef] - Fiat, A. Batch RSA. In Proceedings of the Advances in Cryptology—CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 1989; pp. 175–185. [Google Scholar] [CrossRef]
- M’Raïhi, D.; Naccache, D. Batch Exponentiation: A Fast DLP-Based Signature Generation Strategy. In Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS ’96), New Delhi, India, 14–16 March 1996; pp. 58–61. [Google Scholar] [CrossRef]
- Pavlovski, C.; Boyd, C. Efficient batch signature generation using tree structures. In Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC), Hong Kong, China, 5–8 July 1999; Volume 99, pp. 70–77. [Google Scholar]
- Cheng, W.C.; Chou, C.; Golubchik, L. Performance of Batch-Based Digital Signatures. In Proceedings of the 10th International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS 2002), Fort Worth, TX, USA, 11–16 October 2002; p. 291. [Google Scholar] [CrossRef]
- Korkmaz, T.; Tek, S. Analyzing Response Time of Batch Signing. J. Internet Serv. Inf. Secur.
**2011**, 1, 70–85. [Google Scholar] - Boyd, C.; Foo, E.; Pavlovski, C. Efficient Electronic Cash Using Batch Signatures. In Proceedings of the Information Security and Privacy, 4th Australasian Conference, ACISP’99, Wollongong, NSW, Australia, 7–9 April 1999; pp. 244–257. [Google Scholar] [CrossRef]
- Youn, T.; Park, Y.; Kwon, T.; Kwon, S.; Lim, J. Efficient Flexible Batch Signing Techniques for Imbalanced Communication Applications. IEICE Trans.
**2008**, 91-D, 1481–1484. [Google Scholar] [CrossRef] - Shor, P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput.
**1997**, 26, 1484–1509. [Google Scholar] [CrossRef] - Ajtai, M. Generating Hard Instances of Lattice Problems (Extended Abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 99–108. [Google Scholar] [CrossRef]
- Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206. [Google Scholar] [CrossRef]
- Alwen, J.; Peikert, C. Generating Shorter Bases for Hard Random Lattices. Theory Comput. Syst.
**2011**, 48, 535–553. [Google Scholar] [CrossRef] - Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Pointcheval, D., Johansson, T., Eds.; Springer: Cambridge, UK, 2012; Volume 7237, pp. 700–718. [Google Scholar] [CrossRef]
- Lyubashevsky, V. Lattice Signatures without Trapdoors. In Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Pointcheval, D., Johansson, T., Eds.; Springer: Cambridge, UK, 2012; Volume 7237, pp. 738–755. [Google Scholar] [CrossRef]
- Boneh, D.; Freeman, D.M. Homomorphic Signatures for Polynomial Functions. In Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques; Lecture Notes in Computer Science; Paterson, K.G., Ed.; Springer: Tallinn, Estonia, 2011; Volume 6632, pp. 149–168. [Google Scholar] [CrossRef]
- Bellare, M.; Rogaway, P. Collision-Resistant Hashing: Towards Making UOWHFs Practical. In Proceedings of the Advances in Cryptology—CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; pp. 470–484. [Google Scholar] [CrossRef]
- Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) Fully Homomorphic Encryption without Bootstrapping. TOCT
**2014**, 6, 13. [Google Scholar] [CrossRef] - Howe, J.; Pöppelmann, T.; O’Neill, M.; O’Sullivan, E.; Güneysu, T. Practical Lattice-Based Digital Signature Schemes. ACM Trans. Embed. Comput. Syst.
**2015**, 14, 41. [Google Scholar] [CrossRef] - Alkadri, N.A.; Buchmann, J.; Bansarkhani, R.; Krämer, J. A Framework to Select Parameters for Lattice-Based Cryptography. Cryptology ePrint Archive, Report 2017/615. Available online: https://eprint.iacr.org/2017/615 (accessed on 26 June 2017).
- Yuan, Y.; Cheng, C.M.; Kiyomoto, S.; Miyake, Y.; Takagi, T. Portable implementation of lattice-based cryptography using JavaScript. Int. J. Netw. Comput.
**2016**, 6, 309–327. [Google Scholar] [CrossRef] - Longa, P.; Naehrig, M. Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In Proceedings of the International Conference on Cryptology and Network Security, Milan, Italy, 14–16 November 2016; pp. 124–139. [Google Scholar]
- Yuce, M.R.; Ng, S.W.P.; Myo, N.L.; Khan, J.Y.; Liu, W. Wireless Body Sensor Network Using Medical Implant Band. J. Med. Syst.
**2007**, 31, 467–474. [Google Scholar] [CrossRef] [PubMed]

Scheme (Size/Computation) | Our 1st Scheme (with Binary Tree) | Our 2nd Scheme (With Intersection Method) | Our 3rd Scheme (With FS Transformation) |
---|---|---|---|

$sk$ | $\mathcal{O}\left({n}^{2}lo{g}^{3}n\right)$ | $\mathcal{O}\left({n}^{2}lo{g}^{3}n\right)$ | $\mathcal{O}\left({n}^{2}lo{g}^{3}n\right)$ |

$vk$ | $\mathcal{O}\left({n}^{2}lo{g}^{2}n\right)$ | $\mathcal{O}\left(k{n}^{2}\right)$ | $\mathcal{O}\left(k{n}^{2}\right)$ |

signature | $\mathcal{O}\left(kn\right)$ | $\mathcal{O}\left(n\right)$ | $\mathcal{O}\left(n\right)$ |

$Sign$ | $(2k-1)\mathcal{H}+\mathcal{S}+\mathcal{O}\left({n}^{2}\right)$ | $\mathcal{O}\left({n}^{3}\right)+\mathcal{S}$ | $\mathcal{O}\left({n}^{3}\right)$ |

$Verify$ | $2\mathcal{V}+k\mathcal{H}$ | $2\mathcal{V}+\mathcal{H}$ | 3$\mathcal{V}$+$\mathcal{H}$ |

Anti-quantum | √ | √ | √ |

Notation: $\mathcal{H}$ denotes Hash function, $\mathcal{S}$ denotes SamplePre, $\mathcal{V}$ denotes verification.

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).