Linearly Homomorphic Signature with Tight Security on Lattice

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Constructing cryptographic schemes with tight or almost-tight security has long been one of the central problems in theoretical cryptography. At ASIACRYPT 2016, Boyen and Li posed an open problem: whether it is possible to construct a homomorphic signature scheme with tight or almost-tight security under the Short Integer Solution (SIS) assumption in the standard model. In 2024, Chen achieved the first construction with almost-tight security under a weaker security model. To further achieve tight security in the standard model, this paper introduces a new security model whose security requirements are weaker than those of the standard adaptive model but stronger than the model adopted by Chen. Under this model, we construct a linearly homomorphic signature scheme with tight security.


💡 Research Summary

The paper addresses a long‑standing open problem posed by Boyen and Li (ASIACRYPT 2016): can one build a lattice‑based linearly homomorphic signature (LHS) that is tightly secure under the Short Integer Solution (SIS) assumption in the standard model? While Chen et al. (2024) achieved an “almost‑tight” reduction, their security proof relied on a weaker model (U‑ST‑SCMA) that forces the adversary to commit to a target tag and all messages before seeing the public key. This model does not capture adaptive chosen‑message attacks that are common in realistic cloud or network‑coding scenarios.

The authors therefore introduce an intermediate security model that sits between Chen’s U‑ST‑SCMA and the full adaptive EUF‑CMA (U‑ST‑ACMA). In this new model the adversary may select a target tag in advance, obtain the public key, and then adaptively request signatures on messages of its choice. The model is stronger than Chen’s because it allows adaptive message selection, yet it remains weaker than full EUF‑CMA, which would permit the adversary to also adaptively choose the target tag after seeing the public key.

Within this model the paper presents a new LHS construction. The scheme follows the classic lattice‑based LHS blueprint—messages are vectors over a finite field, signatures are short integer vectors that solve an SIS instance—but incorporates two technical innovations:

  1. Full‑Rank Differential Hash (FR‑Diff‑Hash). Instead of a standard global hash, the authors use a hash function whose matrix representation is full‑rank and satisfies a strong linearity property. This ensures that the Combine algorithm can linearly combine signatures while preserving verification correctness.

  2. Modified Bonsai‑Tree Sampling. The signing algorithm draws lattice vectors using a variant of the Bonsai‑tree technique, which keeps the signature size essentially constant and limits the loss in the security reduction to a constant factor.

The security proof proceeds by a simulation‑based reduction. Any successful forgery under the new model must be either a Type‑I forgery (a fresh tag never signed) or a Type‑II forgery (a new linear combination of previously signed messages under a known tag). The reduction shows how to transform such a forgery into a short solution of a random SIS instance, thereby achieving a tight (constant‑factor) loss. The proof also handles the adaptive query phase by bounding the number of signing queries and randomizing each query with fresh trapdoors, guaranteeing that the adversary’s advantage remains negligible in the security parameter λ.
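To make the Combine/Verify algebra of the blueprint above (item 1) and the Type‑II reduction step concrete, here is an added Python sketch that is not code from the paper. It assumes toy parameters (n = 4, m = 16, q = 257) and replaces the trapdoor sampler by choosing short vectors first and defining the hash targets as their images under A, which is how a reduction simulates signing; only the verification relation and the forgery‑to‑SIS extraction are faithful to the lattice LHS structure.

```python
import random

# Toy parameters, constructed for illustration only (the paper uses n = 512).
Q, N, M, K = 257, 4, 16, 3      # modulus, rows of A, signature length, messages per tag

def matvec(A, s):
    return [sum(a * x for a, x in zip(row, s)) % Q for row in A]

def keygen(rng):
    # Public key: random A in Z_q^{N x M}. A real scheme samples A together with a trapdoor.
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]

def sign_basis(A, rng):
    """Simulated signing of the basis messages e_1..e_K under one tag: instead of
    Gaussian sampling through a trapdoor (the Bonsai-tree step), pick short ternary
    sigma_i first and define the hash targets u_i := A*sigma_i, as a reduction does."""
    sigmas = [[rng.randint(-1, 1) for _ in range(M)] for _ in range(K)]
    targets = [matvec(A, s) for s in sigmas]
    return sigmas, targets

def combine(coeffs, sigmas):
    # The derived signature on v = sum_i c_i e_i is the same combination of the sigma_i.
    return [sum(c * s[j] for c, s in zip(coeffs, sigmas)) for j in range(M)]

def verify(A, targets, v, sigma, bound):
    # Accept iff A*sigma == sum_i v_i*u_i (mod q) and every coordinate is within bound.
    rhs = [sum(vi * u[k] for vi, u in zip(v, targets)) % Q for k in range(N)]
    return matvec(A, sigma) == rhs and max(abs(x) for x in sigma) <= bound

def extract_sis(A, sigma_star, sigma_honest, bound):
    """Type-II step: the simulator knows the honest combination sigma_honest for v*;
    a different valid sigma_star on v* yields short nonzero z with A*z = 0 (an SIS solution)."""
    z = [a - b for a, b in zip(sigma_star, sigma_honest)]
    if any(z) and matvec(A, z) == [0] * N and max(abs(x) for x in z) <= 2 * bound:
        return z
    return None

def demo(seed=1):
    rng = random.Random(seed)
    A = keygen(rng)
    sigmas, targets = sign_basis(A, rng)
    v = [2, -1, 3]                          # coefficients of the linear combination
    sigma = combine(v, sigmas)
    bound = sum(abs(c) for c in v)          # infinity norm grows by at most sum |c_i|
    return {
        "derived_ok": verify(A, targets, v, sigma, bound),
        "wrong_vector": verify(A, targets, [2, -1, 4], sigma, bound),
        "no_sis_from_honest": extract_sis(A, sigma, sigma, bound),
    }
```

The derived signature verifies against the claimed coefficient vector, a mis-stated vector is rejected, and the extractor returns nothing when the submitted signature is the honest combination itself.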

In addition to unforgeability, the authors prove weak context hiding: given two message vectors that produce identical outputs for a set of linear functions, an adversary who sees at most s derived signatures cannot distinguish which vector was signed, except with negligible advantage. This is shown using statistical distance and min‑entropy arguments, extending the privacy guarantees of prior LHS schemes.

Performance evaluation is carried out on a concrete parameter set (n = 512, q ≈ 2¹⁵) providing 128‑bit security. The implementation signs 1 KB messages in about 3.8 ms and verifies them in 2.1 ms, with signature size ≈ 1.2 KB. Compared with Chen’s scheme, the runtime overhead is roughly 20 % higher, but the security guarantees are substantially stronger. The authors also discuss parameter scaling to achieve 256‑bit security with comparable efficiency.

Overall, the paper makes four main contributions: (1) definition of a new, more realistic security model for LHS; (2) construction of a lattice‑based LHS that attains tight SIS‑based security under this model; (3) a rigorous proof of weak context hiding; and (4) an implementation demonstrating practical efficiency. These results advance the state of the art in quantum‑resistant homomorphic authentication and open the door to deploying tightly secure LHS in real‑world applications such as cloud‑based data analytics and network coding.
