Homomorphic Signature from Chameleon Hash ...


ITC 2/46 Journal of Information Technology and Control Vol. 46 / No. 2 / 2017 pp. 274-286 DOI 10.5755/j01.itc.46.2.14320 © Kaunas University of Technology


Homomorphic Signature from Chameleon Hash Functions

Received 2016/08/31

Accepted after revision 2017/04/12

http://dx.doi.org/10.5755/j01.itc.46.2.14320

Dong Xie, Haipeng Peng, Lixiang Li
Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China

Yixian Yang
Guizhou Provincial Key Laboratory of Public Big Data, Guizhou University, Guiyang, 550025, China
e-mail: [email protected]
Information Security Center, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China

Corresponding author: [email protected]

Homomorphic signature schemes provide a feasible solution to the authenticity of computations on an untrusted server (e.g. cloud). In a homomorphic signature scheme, given a $k$-length message set $\mu = \{\mu_1, \mu_2, \ldots, \mu_k\}$ and its corresponding signed dataset $\delta = \{\delta_1, \delta_2, \ldots, \delta_k\}$, anyone can publicly perform homomorphic computations and produce a new signature $\delta'$ for the message $\mu' = f(\mu_1, \mu_2, \ldots, \mu_k)$, where $f$ is a function or a circuit. If the generated homomorphic signature $\delta'$ is valid, then the owner of the dataset (e.g. cloud users) is convinced that $\mu'$ is indeed the correct output of the function $f$ over the original messages, even if he/she has forgotten them. In this work, the main contribution is to build a bridge between the leveled Fully Homomorphic Signature Scheme (FHSS) and the Homomorphic Chameleon Hash Function (HCHF), which is a new cryptographic primitive introduced by us based on prior works. We first present the definition and specific construction of HCHF and then use this powerful technique to construct leveled fully homomorphic signature schemes for any polynomial-depth circuit. In our standard model scheme, the size of the evaluated homomorphic signature grows polynomially in the depth of the circuit. The security of our scheme is based on the collision resistance of HCHF, which can be reduced to the Small Integer Solution (SIS) problem in hard random lattices.

KEYWORDS: homomorphic signature schemes, chameleon hash functions, small integer solution, lattice.


Introduction

Compared to some traditional number-theoretic primitives (e.g., factoring problem, discrete logarithm problem), lattice-based cryptography has the following advantages: i) it is conceptually simple and can be implemented efficiently; ii) it has so far resisted quantum cryptanalysis; iii) lattice-based schemes enjoy worst-case hardness, i.e., any random instance is indeed asymptotically hard [4, 22]. Due to these attractive and distinguishing features, lattices have been widely used to construct a large number of cryptographic schemes. Lattice-based cryptography can be used for constructing versatile theoretical applications ranging from functional encryption [2-3, 6, 9], to fully homomorphic encryption [11, 17-18, 25], and much more [7, 8, 19, 21].

Cloud computing enables users to store sensitive data on an untrusted server, and sometimes the untrusted cloud is required to perform computations on them. The privacy of data and the authentication of computation are two key security challenges in this field. Homomorphic encryption schemes [11, 17-18, 25] can maintain the privacy of users' data by encrypting them, and the server can still homomorphically perform computations over the ciphertexts. In this paper, we only focus on the authenticity of homomorphic computation through the notion of homomorphic signatures. In a homomorphic signature scheme, given a signed dataset vector $\delta$ and its corresponding message vector $\mu$, anyone can homomorphically compute and produce a new signature $\delta'$ for a message $\mu'$ and a circuit $C$. Given the public parameters and the tuple $(C, \mu', \delta')$, anyone can verify that $\delta'$ is indeed the signature of the message $\mu'$. Note that the verification procedure can be performed without knowing the original dataset $\mu$.

In recent years, some homomorphic signature schemes have been proposed [7, 8, 10, 16, 26]. However, many prior works have drawbacks. In particular, some of them are only homomorphic for linear functions [7, 16, 26] and the security proofs of several schemes are in the random oracle model [7, 16]. In 2011, Boneh and Freeman [7] introduced a linearly homomorphic signature scheme that authenticates vector subspaces of a given ambient space. In the same year, they presented a general definition of homomorphic signatures, and constructed the first homomorphic signature scheme which can compute arbitrary polynomial functions over signed data [8]. In fact, if we translate these functions to circuits, then the size of the evaluated signatures can grow exponentially in the depth of the circuits. Furthermore, the construction is based on the SIS problem in ideal lattices. Recently, Boyen et al. presented the first adaptively secure fully homomorphic signature scheme that can evaluate any circuit over signed data [10].

The chameleon hash function, related to the notion of non-interactive chameleon commitment schemes, was originally introduced by Brassard et al. [12]. Roughly speaking, a chameleon trapdoor hash function is a collision-resistant function with the chameleon property, i.e., the holder of the trapdoor can easily find collisions for every input. In addition, anyone can compute the hash function using public parameters and the resulting probability distribution is statistically close to uniform over the range. Chameleon hash functions have been proven to be an extremely useful tool in many scenarios, especially in signature schemes. Mohassel showed a general construction for transforming any chameleon hash function to a strongly unforgeable one-time signature scheme [23]. Recently, Micciancio and Peikert [21] proposed a signature scheme with short parameters and proved its security with strong unforgeability under static chosen-message attack (su-scma). Krawczyk and Rabin [20] showed that there is a generic transformation from su-scma to su-acma (strong unforgeability under adaptive chosen-message attack) security using a family of chameleon hash functions.

The main contribution of this work is to build a bridge between FHSS and the Homomorphic Chameleon Hash Function (HCHF). In [13], Cash et al. straightforwardly presented a simple chameleon hash function using the preimage sampleable function under a standard lattice assumption. Along this line of work, we give the definition of HCHF and present a family of HCHFs, which is based on the SIS problem in hard random lattices. After that, we construct a leveled fully homomorphic signature scheme using the HCHF tool. Similar to [1], we use the SampleLeft algorithm to extract signatures in the real scheme and use the SampleRight algorithm to respond to the adversary's signature queries in the simulation game. The construction is straightforward and the security of our scheme is based on the collision resistance of HCHF. In fact, our scheme is homomorphic for any function, and not like those in [7, 16, 26] just for linear functions. Unlike several recent homomorphic signature schemes [7-8, 16], our scheme is secure in the standard model. These results show that our homomorphic scheme is attractive.

The remainder of this paper is organized in the following manner. We mainly introduce some basic knowledge about lattices and homomorphic signature schemes in section 2. In section 3 we focus on the definition of HCHF and the specific construction from the standard SIS problem. We describe our homomorphic signature scheme, and provide the parameter settings and security analysis in section 4. Section 5 presents the comparison between our scheme and some classical homomorphic signature schemes. Finally, we draw our conclusions in section 6.

Preliminaries

Notation

For any positive integer $q$, we denote the set $\{1, 2, \ldots, q\}$ by $[q]$ and let $\mathbb{Z}_q$ denote the integer ring whose elements are represented as integers in $(-q/2, q/2)$. Vectors are assumed to be in column form and are written using bold lower-case letters (e.g. $\mathbf{x}$). Similarly, we use bold capital letters (e.g. $\mathbf{A}$) to represent matrices.

Given two matrices $A_1 \in \mathbb{Z}_q^{n \times m_1}$ and $A_2 \in \mathbb{Z}_q^{n \times m_2}$, we use $[A_1 \mid A_2]$ to denote the $n \times (m_1 + m_2)$ matrix formed by concatenating $A_1$ and $A_2$. For a matrix $A \in \mathbb{Z}_q^{n \times m}$, let $s_A$ denote the maximal singular value of $A$ and use $\|A\|$ to denote the maximum norm of the column vectors of the matrix $A$, i.e., $\|A\| = \max_{i \in [m]} \{\|a_i\|\}$, where $a_i$ is the column vector of $A$.

We denote a negligible function $f(n)$ by $negl(n)$ if it is $o(n^{-c})$ for any fixed constant $c$. We say $f(n)$ is polynomial if it is $O(n^{c})$ for any fixed constant $c$, and we use $poly(n)$ to denote it. Given two distributions $X$ and $Y$ over a countable domain $Z$, the statistical distance between them is defined as

$$\Delta = \frac{1}{2} \sum_{z \in Z} |X(z) - Y(z)|. \tag{1}$$

The min-entropy of a random variable $X$ is denoted by $H_\infty(X) = -\log(\max_{x \in X} \Pr[X = x])$. Given two random variables $X$ and $Y$, the average min-entropy of $X$ conditioned on the (correlated) variable $Y$ is defined as

$$\tilde{H}_\infty(X \mid Y) = -\log\left(E_{y \leftarrow Y}\left(\max_{x \in X} \Pr[X = x \mid Y = y]\right)\right). \tag{2}$$

Lemma 1 ([14]). Given two random variables $X$ and $Y$, let $\mathcal{Y}$ be the support of $Y$. Then

$$\tilde{H}_\infty(X \mid Y) \ge H_\infty(X) - \log(|\mathcal{Y}|). \tag{3}$$

Lattices and SIS problem

Generally speaking, a lattice is a discrete additive subgroup of $\mathbb{R}^n$. A (full rank) lattice $\Lambda$ can be viewed as the set of all integer linear combinations of $n$ linearly independent basis vectors $B = \{b_1, b_2, \ldots, b_n\}$. Using the matrix notation,

$$\Lambda = L(B) = \Big\{Bc = \sum_{i \in [n]} c_i b_i : c \in \mathbb{Z}^n\Big\}. \tag{4}$$

A family of lattices, called $q$-ary lattices, is of particular interest to many cryptographic applications.

Definition 1 ($q$-ary lattices). For any positive integers $n, m, q$ ($m \ge n$), let $A \in \mathbb{Z}_q^{n \times m}$ be a matrix. Define the following $m$-dimensional $q$-ary lattices:

$$\Lambda(A^t) = \{z \in \mathbb{Z}^m \mid \exists\, c \ \text{s.t.}\ z = A^t c \bmod q\}; \tag{5}$$

$$\Lambda^{\perp}(A) = \{z \in \mathbb{Z}^m \mid Az = 0 \bmod q\}. \tag{6}$$

For any $v \in \mathbb{Z}_q^n$ admitting an integral solution $x \in \mathbb{Z}^m$ to $Ax = v \bmod q$, define the shifted lattice as

$$\Lambda_v^{\perp}(A) = \{z \in \mathbb{Z}^m \mid Az = v \bmod q\}. \tag{7}$$

Definition 2 (Gaussian function). For any real $s > 0$ and any $c \in \mathbb{R}^n$, the $n$-dimensional Gaussian function $\rho_{s,c}(x)$ is defined as

$$\rho_{s,c}(x) = \exp(-\pi \|x - c\|^2 / s^2), \tag{8}$$

where $x$ is an $n$-dimensional vector in $\mathbb{R}^n$.

Definition 3 (Discrete Gaussian distribution). For any real $s > 0$, any $c \in \mathbb{R}^n$, and an $n$-dimensional lattice $\Lambda$, the discrete Gaussian distribution $D_{\Lambda,s,c}$ over $\Lambda$ is defined as

$$D_{\Lambda,s,c}(x) = \rho_{s,c}(x) / \rho_{s,c}(\Lambda), \tag{9}$$

where $x$ is a vector in $\Lambda$. We omit $s$ and $c$ when they are taken to be 1 and 0, respectively.

Definition 4 (Small integer solution (SIS)). Given positive integers $n, m, q$, a real constant $\beta$ and a matrix $A \in \mathbb{Z}_q^{n \times m}$ ($m \ge n$), find a nonzero vector $u \in \mathbb{Z}^m$, so that $Au = 0 \bmod q$ and $\|u\| \le \beta$.

In fact, the SIS($n, m, q, \beta$) problem is equivalent to finding a short nonzero vector $u$ with $\|u\| \le \beta$ in the lattice $\Lambda^{\perp}(A)$. Micciancio and Regev showed that the worst case of various promise problems (e.g. GapSVP, GapCVP) can be reduced to the average case of the SIS problem [22].
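The relation between collisions and Definition 4 can be checked on a toy instance. The following is an added example, not code from the paper: it uses the plain function x -> Ax mod q on binary inputs as a stand-in assumption (not the paper's HCHF), with a constructed matrix and toy sizes n = 2, m = 5, q = 5, and shows that any collision yields a short nonzero vector of the lattice in equation (6).

```python
"""Toy check: a collision of f_A(x) = A x mod q on binary inputs gives an
SIS solution (Definition 4). Constructed parameters, far below real sizes."""
import itertools
import math

Q = 5
# Constructed 2 x 5 matrix over Z_5 (n = 2, m = 5). Since 2^5 = 32 > 5^2 = 25,
# the pigeonhole principle guarantees two binary inputs with the same image.
A = [
    [1, 2, 3, 4, 1],
    [2, 0, 1, 3, 4],
]
# Norm bound for the SIS instance: a difference of two binary vectors has
# entries in {-1, 0, 1}, so its Euclidean norm is at most sqrt(m).
BETA = math.sqrt(len(A[0]))


def mat_vec_mod(a, z, q):
    """Return A z mod q as a tuple."""
    return tuple(sum(r * c for r, c in zip(row, z)) % q for row in a)


def in_kernel_lattice(a, z, q):
    """Membership in the q-ary lattice {z in Z^m : A z = 0 mod q} (eq. 6)."""
    return all(c == 0 for c in mat_vec_mod(a, z, q))


def in_shifted_lattice(a, z, v, q):
    """Membership in the shifted lattice {z in Z^m : A z = v mod q} (eq. 7)."""
    return mat_vec_mod(a, z, q) == tuple(c % q for c in v)


def find_binary_collision(a, q):
    """Enumerate {0,1}^m and return (x1, x2, v) with A x1 = A x2 = v mod q."""
    seen = {}
    for x in itertools.product((0, 1), repeat=len(a[0])):
        v = mat_vec_mod(a, x, q)
        if v in seen:
            return seen[v], x, v
        seen[v] = x
    return None


def collision_to_sis(a, q):
    """Turn a collision into u = x1 - x2, which satisfies A u = 0 mod q."""
    found = find_binary_collision(a, q)
    if found is None:
        raise ValueError("no collision among binary inputs")
    x1, x2, v = found
    u = tuple(b - c for b, c in zip(x1, x2))
    return x1, x2, v, u


def is_sis_solution(a, u, q, beta):
    """Definition 4: u is nonzero, A u = 0 mod q, and ||u|| <= beta."""
    norm = math.sqrt(sum(c * c for c in u))
    return any(u) and norm <= beta and in_kernel_lattice(a, u, q)


if __name__ == "__main__":
    x1, x2, v, u = collision_to_sis(A, Q)
    print("collision:", x1, x2, "common image:", v)
    print("SIS solution u:", u, is_sis_solution(A, u, Q, BETA))
    # q * e_1 lies in the lattice but is not short: the norm bound is what
    # rules out such trivial vectors.
    trivial = (Q, 0, 0, 0, 0)
    print("q*e_1 in lattice:", in_kernel_lattice(A, trivial, Q),
          "valid SIS solution:", is_sis_solution(A, trivial, Q, BETA))
```

Both colliding inputs lie in the same shifted lattice of equation (7), and their difference lies in the lattice of equation (6), which is why a collision finder for this function solves SIS for the bound sqrt(m).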

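Trapdoors for lattices and sampling algorithms

Lemma 2 ([4, 19]). Given any integers $n \ge 1$, $q \ge 2$, and sufficiently large $m = O(n \log q)$, there are three efficient algorithms TrapGen, SampleDom and SamplePre having the following description:

1. The TrapGen randomly outputs a parity check matrix $A \in \mathbb{Z}_q^{n \times m}$ and a trapdoor short basis $T_A$ for $\Lambda^{\perp}(A)$ so that the output distribution of $A$ is statistically close to uniform over $\mathbb{Z}_q^{n \times m}$.

2. The SampleDom produces a matrix $U$ with $\|U\| \le s\sqrt{m}$ whose column vector is sampled from $D_{\mathbb{Z}^m, s}$, where $s \ge \omega(\sqrt{\log m})$. The output distribution $V = AU$ is statistically close to uniform over $\mathbb{Z}_q^{n \times m}$.

3. Given a matrix $A \in \mathbb{Z}_q^{n \times m}$ together with its trapdoor $T_A \in \mathbb{Z}^{m \times m}$, and a matrix $V \in \mathbb{Z}_q^{n \times m}$, the SamplePre outputs a matrix $U \in \mathbb{Z}_q^{m \times m}$ with the conditional distribution of $U \leftarrow$ SampleDom so that $AU = V$ and $\|U\| \le s\sqrt{m}$, where $s \ge \|\tilde{T}_A\|\, \omega(\sqrt{\log m})$.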
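The SampleDom property in Lemma 2 can be checked exactly on a toy instance using the definitions in equations (1), (8) and (9). The following is an added example, not code from the paper: the matrix, the sizes n = 2, m = 8, q = 7 and the two values of s are constructed assumptions, and it computes the distribution of one column Au mod q (the columns of U are independent) instead of sampling.

```python
"""Exact toy check of Lemma 2, item 2: for u with i.i.d. entries from D_{Z,s},
A u mod q is close to uniform when s is wide enough and far from it when s
is too narrow. Constructed parameters, far below real sizes."""
import math
from itertools import product

Q = 7
# Constructed 2 x 8 matrix over Z_7 whose columns lie on distinct lines.
A = [
    [1, 1, 1, 1, 1, 1, 1, 0],
    [0, 1, 2, 3, 4, 5, 6, 1],
]


def rho(x, s, c=0.0):
    """One-dimensional Gaussian function exp(-pi (x - c)^2 / s^2) (eq. 8)."""
    return math.exp(-math.pi * (x - c) ** 2 / s ** 2)


def dgauss_mod_q(s, q, tail=12):
    """Exact pmf of x mod q for x ~ D_{Z,s} (eq. 9 with Lambda = Z, c = 0).

    The support is cut at |x| <= tail * s, where the dropped mass is far
    below floating-point precision.
    """
    bound = math.ceil(tail * s)
    weights = [0.0] * q
    for x in range(-bound, bound + 1):
        weights[x % q] += rho(x, s)
    total = sum(weights)
    return [w / total for w in weights]


def distribution_of_Au(a, s, q):
    """Exact pmf of A u mod q over Z_q^n, adding one column of A at a time."""
    n, m = len(a), len(a[0])
    residue_pmf = dgauss_mod_q(s, q)
    dist = {(0,) * n: 1.0}
    for j in range(m):
        col = [a[i][j] for i in range(n)]
        nxt = {}
        for v, p in dist.items():
            for r, pr in enumerate(residue_pmf):
                w = tuple((v[i] + r * col[i]) % q for i in range(n))
                nxt[w] = nxt.get(w, 0.0) + p * pr
        dist = nxt
    return dist


def statistical_distance(p, r, domain):
    """Delta = 1/2 * sum over the domain of |p(z) - r(z)| (eq. 1)."""
    return 0.5 * sum(abs(p.get(z, 0.0) - r.get(z, 0.0)) for z in domain)


def distance_from_uniform(a, s, q):
    """Statistical distance between A u mod q and uniform over Z_q^n."""
    domain = list(product(range(q), repeat=len(a)))
    uniform = {z: 1.0 / len(domain) for z in domain}
    return statistical_distance(distribution_of_Au(a, s, q), uniform, domain)


if __name__ == "__main__":
    for s in (4.0, 0.5):
        print("s =", s, "distance from uniform:", distance_from_uniform(A, s, Q))
```

With s = 0.5 almost all the mass of u sits on the zero vector, so Au mod q is nearly constant; this is the failure that the lower bound on s in Lemma 2 excludes.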

We also need two classic sampling algorithms [1, 13] (see Algorithm 1 and Algorithm 2). Essentially, the algorithm SampleLeft will be used in the real signature system, and the algorithm SampleRight will be used to extract signatures for the adversary's queried messages in the simulation game.

Algorithm 1 SampleLeft($A, B, T_A, v, s$)

Require:
1. A random matrix $A \in \mathbb{Z}_q^{n \times m_1}$ with rank $n$ and a matrix $B \in \mathbb{Z}_q^{n \times m_2}$;
2. A relatively "short" trapdoor basis $T_A$ of $\Lambda_q^{\perp}(A)$ and a vector $u \in \mathbb{Z}_q^n$;
3. A Gaussian parameter $s \ge \|\tilde{T}_A\|\, \omega(\sqrt{\log(m_1 + m_2)})$;

Ensure: A vector $u \in \mathbb{Z}^{m_1 + m_2}$ sampled from a distribution statistically close to $D_{\Lambda_q^{v}(A \mid B),\, s}$.

Algorithm 2 SampleRight($A, B, C, T_B, v, s$)

Require:
1. A random matrix $A \in \mathbb{Z}_q^{n \times l}$ and a matrix $C \in \mathbb{Z}^{l \times m}$;
2. A matrix $B \in \mathbb{Z}_q^{n \times m}$ and the "short" basis $T_B$ of $\Lambda_q^{\perp}(B)$;
3. A Gaussian parameter $s \ge \|\tilde{T}_B\|\, s_C\, \omega(\sqrt{\log m})$, where $s_C$ is the maximal singular value of $C$.

Ensure: A vector $u \in \mathbb{Z}^{m + l}$ sampled from a distribution statistically close to $D_{\Lambda_q^{v}(A \mid AC + B),\, s}$.

Homomorphic signature scheme: definition and security

Throughout this paper, let $\lambda$ be the security parameter. We denote the message space by $\mathcal{M}$ and let $\mathcal{C}$ be a collection of circuits which take $k$ inputs over the message space and generate an output in $\mathcal{M}$. Boneh and Freeman [8] first introduced the formal definition of a homomorphic signature scheme for a type of circuit $\mathcal{C}$. A $\mathcal{C}$-homomorphic signature scheme is a tuple of polynomial time algorithms $\Pi$ = (KeyGen, Sign, Eval, Verify) with the following syntax.

KeyGen($1^{\lambda}, 1^{k}$). The key generation algorithm takes as input the security parameter $\lambda$ and the maximum size of the dataset $k$. It outputs a signing secret key $sk$ and a public verification key $pk$.

Sign. The signing algorithm takes as input the secret key $sk$, a tag $\tau \in \{0,1\}^{\lambda}$, an index $i \in [k]$ and a message $\mu \in \mathcal{M}$. It outputs a signature $\delta$.

Eval. The evaluation algorithm takes as input the public key $pk$, a tag $\tau$, a collection of message-signature pairs, and a circuit $C \in \mathcal{C}$. It outputs a signature $\delta'$ for a message $\mu'$.

Verify. The verification algorithm
It space µby∈ M and doors for lattices and Sampling algolet C algorithms be a collection of circuits which take k inputWe also need two classic sampling [1, 13] _ _ .The evaluation algoms s over the message space and generate an output in (see Algorithm 1 and Algorithm 2). Essentially, the rithm takes as input the public key pk, a tag τ , a case of the SIS problem. ([1, 11]). Givenalgorithm any integers n  1, q will beM. Boneh andsignature Freeman [14] first introduced the forSampleLeft used in real collection of message-signature , rameter. We denotepairs the message space by M and 2.3.are Trapdoors for lattices Sampling ficiently large msystem, = O(nand log q), mal definition aused homomorphic scheme the there algorithm SampleRight willofbeand and algoasignature circuit C It outputs a signature a take k inputδ ' for ∈C let C.. be a collection of circuits which ' rithms ient algorithms TrapGen, and for a queried type ofmessages circuit C. A C-homomorphic to exact SampleDom signatures for adversary’s message µ . ssignaover the message space and generate an output in e having the following ture scheme is aany tuple of polynomial time algorithms in thedescription. simulation game. Lemma 2 ([1, 11]). Given integers M. Boneh Freeman [14] first introduced the for_n_  1, q  .The and verification algorithm 2, and sufficiently large m = O(n log q), there are mal definition of a homomorphic signature scheme three efficient algorithms TrapGen, SampleDom and for a type of circuit C. A C-homomorphic signaSamplePre having the following description. ture scheme is a tuple of polynomial time algorithms 1


For correctness, we require that both the original signatures (generated by Sign) and the evaluated signatures (generated by Eval) are accepted. Specifically, we require that the following conditions hold.

1. For all tags $\tau \in \{0,1\}^{\lambda}$, all $\mu \in \mathcal{M}$, and all $i \in [k]$, if $\delta \leftarrow$ Sign$(sk, \tau, i, \mu)$ then we get Verify$(pk, \tau, \mu, \delta, I_i) = 1$. In order to maintain the consistency of the verification algorithm, we use the circuit $I_i$ to denote the identity mapping, namely, $I_i(\mu_1, \mu_2, \dots, \mu_k) = \mu_i$.

2. For all tags $\tau \in \{0,1\}^{\lambda}$, all messages $(\mu_1, \mu_2, \dots, \mu_k) \in \mathcal{M}^k$ and all circuits $C \in \mathcal{C}$, if $\delta_i \leftarrow$ Sign$(sk, \tau, i, \mu_i)$ and $\delta' \leftarrow$ Eval$(pk, \tau, \{(\mu_i, \delta_i)\}_{i \in [k]}, C)$, we have Verify$(pk, \tau, C(\mu_1, \mu_2, \dots, \mu_k), \delta', C) = 1$.

A signature scheme is fully homomorphic if it is homomorphic for all polynomial-size circuits. In this work, we construct leveled fully homomorphic signature schemes, i.e., they are homomorphic for all polynomial-depth circuits. Next, we define the selectively unforgeable security for homomorphic signature schemes via the following game between a probabilistic polynomial time adversary $\mathcal{A}$ and a challenger $\mathcal{S}$.

• The adversary chooses $(\tau^*, \mu^*, C^*)$ as the challenged information and gives all information to the challenger.

• The adversary chooses a fresh tag $\tau_i \in \{0,1\}^{\lambda}$ and a $k$-length message set $(\mu_{i1}, \mu_{i2}, \dots, \mu_{ik}) \in \mathcal{M}^k$. The challenger generates the collection of signatures $(\delta_{i1}, \delta_{i2}, \dots, \delta_{ik})$ for the $i$-th query and sends it to the adversary.

• The adversary outputs a signature $\delta^*$ for the chosen tag $\tau^*$, a message $\mu^*$ and the circuit $C^*$.

If Verify$(pk, \tau^*, \mu^*, \delta^*, C^*) = 1$, then the adversary $\mathcal{A}$ wins the game. Due to the definition of selective unforgeability, the adversary can query the signatures of the challenged message vector $\mu^*$. In order to make the challenger response for the challenger message vector, we set the adversary's challenged plaintext as a set of messages, rather than a single message. In fact, there are two types of forgers: one is $\tau^* \neq \tau_i$ for all queried $i$, and the other is $\tau^* = \tau_i$ for some index $i$ but $\mu^* \neq C^*(\mu_i)$.

Definition 5 (Selective Unforgeability). A leveled homomorphic signature scheme $\Pi$ = (KeyGen, Sign, Eval, Verify) is selectively unforgeable if for any probabilistic polynomial time adversary, the probability of winning the above game is negligible.

3. Homomorphic Chameleon Hash Functions: Definition and Construction

In [15], Freeman embedded a homomorphic chameleon hash function to show the unforgeability of his homomorphic signature scheme. Based on this and the definition of chameleon hash function [12], a generic definition of HCHF is given in this section. Note that compared to chameleon hash function, HCHF has an additional property, i.e., homomorphism. Then we construct a class of HCHFs using the distinguished trapdoor function with preimage sampling technique [19, 21].

Definition 6 (Homomorphic Chameleon Hash Function). For a message space $\mathcal{M}$ and a randomness space $\mathcal{U}$, a family of homomorphic chameleon hash functions is a collection $\mathcal{H} = \{h_i : \mathcal{M} \times \mathcal{U} \to \mathcal{V}\}$, where $i$ is the index and $\mathcal{V}$ is the range. There is an algorithm which can generate a public index $i$ and the corresponding trapdoor secret key $T_i$. Homomorphic chameleon hash functions consist of the following four properties:

• Uniformity property
where i is the index and V is the range. The nature schemes via the game between a the following game between acollection Verify(pk, µ, δ,nature Isecurity = schemes 1. In order to maintain the is via a for collection Hhash =sig{h M U → V}, of given this section. N i unforgeable 1 lectively 2τ,sigki functions i for definition of chameleon hash function [18], aingeneric [24], embed ai iHCHF homomorphic unforgeable security forlectively homomorphic over the message and generate an functions a Freeman collection H output :in Uare→ V}, i : space functions is H =:{h {h :M M × UV}, →chameleon V}, functions is ais unforgeable security sighomomorphic s functions is a=×In collection H,Udefinition =→ {h M × U× → unforgeable security for homomorphic sigi= δpolynomial ← Sign(sk, µ )homomorphic ← Eval(pk, τ, {(µ ,(pk, )} δFor ← Sign(sk, τ, µtime )τ, and δfunctions ← τ,chal{(µ δCi )} kEval(pk, _ _ lectively The challenger generates sk) and gives pk to i(pk, iλ iC, isUniformity aall collection H {h M × V}, i∈[k] an additional property, i.e., homomorphism. ifor iµ i ,property i∈[k] additional property, i.e., Then weT unforgeable security homomorphic sigindex i, afunction, µho∈ iδ,i:an •M The generates sk) and gives pk •δAchallenger For ato randomized toGiven the challenger. algorithm which can generate ahomomorphism. public index i M, and and (µ ,following µ · the ·∈ ,polynomial )i, ∈ and circuits ∈ if 2.any all tags τ, ·1,i, {0, 1} ,and all messages algorithm which can generate public inde probabilistic adversary and a probabilistic time adversary A and a chalconsistency of the verification algorithm, we use the where i is the index and V is the range. There is an 1n 2via k where i is the index and V is the range. There is an compared to chameleon hash HC nature schemes following game between a definition of HCHF are given in this section. Note that chemes Lemma via lectively the information following game between a hash function show the unforgeability of his 2 nature ([1, 11]). 
integers q  M. Boneh and Freeman [14] first introduced the forwhere i is the index and V is the range. There is an where is the index and is the range. There is an i  nature schemes via the game between a  i, is index andThere Vconstruct is the There is an using schemes viaC), thewefollowing between aiC(µ C), we have Verify(pk, τ, ,awhere µ ,i,), ·if·µδ·and µ ),{(µ , ,C) = have Verify(pk, τ, C(µ , µ , · · · , µ C) = where is the index Vthe isδand the range. isclass anrange. and kgame nature schemes via the following game between a 1∈ 2k k the adversary. a class of HCHFs the distin 1 2 construct a of HCHFs using the distinguished distance ((h , h (µ, to the adversary. index ∈ M, u ∈ U , the statistical • The challenger generates (pk, sk) and gives pk algorithm which can generate a public index i and probabilistic polynomial time adversary A chalthe corresponding trapdoor secret key T . Homomorδ ← Sign(sk, τ, i, µ ) and δ ← Eval(pk, τ, δ )} , i i (µ , µ , · · · , µ ) ∈ M and all circuits C C, lenger S. the corresponding trapdoor secret key T . Ho lenger S.identity circuit I= denote the mapping, namely, ihomomorphism. i q), ican i igenerate 1 2i ato k i∈[k] algorithm which canadefinition generate aofalgorithm public index and an additional property, i.e., T compared tocan chameleon function, stic polynomial time adversary A and chalsignature Based on this and thehas i 2, and sufficiently large m O(n log there are mal a momorphic homomorphic signature scheme which generate ahash public iHCHF probabilistic time Aaichaland chalalgorithm which a scheme. public index and the i index algorithm which can generate aand public index i and probabilistic polynomial time which can generate public index probabilistic polynomial timepolynomial adversary Aadversary andhave aadversary chal1.i, 1.  (µ, A and algorithm the trapdoor key Tpreimage Homomortrapdoor function preimage sampling te lenger S.τ, trapdoor with sampling technique negligible, where U i . 
with •fortrapdoor The adversary can make polynomial distance ((h ,icorresponding hδphic u)), (U ,function Uihash ))secret isfunctions to__the adversary. chameleon consist ofgeneric the followC), we τ, C(µ , secret µ ·the ·key ,∗µcorresponding ,aarbitrary C) = chameleon H δS. Sign(sk, µ δVerify(pk, ← Eval(pk, τ,type {(µ , , i), iA H Vchameleon phic hash functions consist of the The adversary can make arbitrary polynomial I (µ , µ , · · · , µ ) = µ 1corresponding 2δ,i·∗)} kT i 1← i )i .and i the corresponding . Homomorconstruct a class of HCHFs using the distin i∈[k] an additional property, i.e., homomorphism. Then we . i 2 k definition of hash function [18], a ∗ ∗ ∗ threelenger efficient algorithms TrapGen, SampleDom and a of circuit C. C-homomorphic signa∗ trapdoor secret key T . Homomorlenger trapdoor secret key . Homomorphic T i followtrapdoor secret keyconsist lenger S. trapdoor key . Homomor• The adversary chooses (τ ,chooses µcorresponding ,is C )(τasof S. •polynomial adversary ,the µcorresponding , Cwhere )phic as the iTi . Homomorihash chameleon functions of the A The signature scheme homomorphic iffour it Tproperties: AThe signature scheme isthe fully homomorphic if itsecret the [11-12]. ∗ fully [11-12]. signing queries. In i-th query, uniform distributions negligible, UH and U denote the • The adversary can make arbitrary 1. adversary ing we have C(µ µ ,∗query, ·all ·∗number µmessages , C) = V ing properties: •Verify(pk, chooses (τλ ,·hash µ ,,Cscheme asδchameleon the 2. For all tags τInτ, ∈chameleon {0,i1 ,1} number ofC), signing queries. the -th 2phic k)), phic functions the followtrapdoor function with sampling te construct aHCHF class offour HCHFs using the distinguished definition ofthe are given in this section. Note that SamplePre having description. 
ture is aconsist tuple of polynomial time algorithms phic chameleon hash functions consist of thepreimage follow∗ the ∗ following ∗ chameleon hash functions consist of the followhash functions consist of the following four phic chameleon hash functions consist of the following four properties: challenged information and gives all ∗ ∗ ∗ challenged information and gives all ∗ ∗ ∗ is homomorphic for all polynomial-size circuits. In ∗ ∗ ∗ is homomorphic for all polynomial-size circuits. In he adversary chooses (τ , µ , C ) as the λ k • The adversary chooses (τ , µ , C ) as the •number The adversary chooses (τ , µ , C ) as the challenged information and gives all of signing queries. In the i-th query, uniform distributions on H and V. • The adversary chooses (τ , µ , C ) as the A signature scheme is fully homomorphic if it 1. (µ , µ , · · · , µ ) ∈ M and all circuits C ∈ C, if the adversary tag τ ∈ { 0 , 1 } and a ing four properties: [11-12]. trapdoor function with preimage sampling technique 1 2choosesk a fresh compared to chameleon hash function, HCHF has ing four properties: ing four properties: i ing fourhomomorphic properties: properties: •Definition Uniformity property For aChameleon randomized information toconstruct the Definition Chameleon Has Uniformity property For Hash a randomiz information to the polynomial-size challenger. 6• (Homomorphic Functhishomomorphic work, wechallenger. construct leveled fully this work, we leveled hallenged information andchallenged gives allSign(sk, • Uniformity property For6a (Homomorphic randomized information to the challenger. k all challenged and gives all challenged gives all gives all circuits. In property, A information signature fully if)}it δinformation ← τ, )and δand τ,fully {(µi_,homomorphic δiUniformity We denote the message M -length setinformation (i,isµµischeme µand ,space  ,is µ← )Eval(pk, ∈ for Mhomomorphic .and The krameter. [11-12]. i message i∈[k] ,an additional i.e., homomorphism. 
Then we 1i, • i 2The ik by roblem. _ property. For a randomized index index i, µ ∈ M, and u ∈ U , the statistical • The challenger generates (pk, sk) and gives pk tion). For a message space M and a random index i, µ ∈ M, and u ∈ U , the statist index i, µ ∈ M, and u ∈ U , the statistical challenger generates (pk, sk) and gives pk • The challenger generates (pk, sk) and gives pk tion). For a message space M and a randomness sampling signature schemes, i.e., they are homomorphic for al• Uniformity property For a randomized • Uniformity property For a randomized signature schemes, i.e., they are homomorphic for alinformation to the challenger. formationalgoto the challenger. • Uniformity property a(Homomorphic randomized Chameleon Has information to the challenger. Definition 6using Uniformity property For a For randomized information to the challenger. this work, we construct homomorphic for allC(µ polynomial-size let C be a is collection of the circuits which take C), we have Verify(pk, τ, ,µ · · , µkleveled ),circuits. δ  , C)fully =In• homomorphic challenger generates collection signatures 1of 2k, ·inputconstruct athe class of HCHFs the distinguished distance ((h h((h u)), (U ,((h U )) is tosk) the adversary. distance , h (µ, u)), (U , U )) is , , and , statistical distance i µ ∈ M ia,the i (µ, H Vof to the adversary. rameter. We denote the message space by M and u ∈ Υ pace U , a family homomorphic chamele distance , h (µ, u)), (U , U )) index i, µ ∈ M, and u ∈ U , statistical to the adversary. • The challenger generates (pk, and gives pk pace U , family of homomorphic chameleon hash l polynomial-depth circuits. Next, we define the sei i H V index i, µ ∈ M, and u ∈ U , the statistical l polynomial-depth circuits. Next, we define the sei i H V he challenger generates (pk, sk) and gives pk index i,M, µ 6∈and M, u, the ∈ Ustatistical , Chameleon the statistical Thework, challenger generates (pk, sk) anditin gives pk homomorphic tion). 
For message space M Funcand a random Definition (Homomorphic Hash index i, for µnegligible, ∈alu and ∈U •δ The generates (pk, schemes, sk) and gives pk signature i.e., they are this we construct leveled fully homomorphic sδover the message space and generate an output for lattices and Sampling algo1.•challenger the -th and sends to iadversary function with preimage sampling andisaUU denote the •letThe adversary can make arbitrary polynomial H i1 ,adversary. i 2 , , δ ik ) for distance ((h u)), (U , UVwhere ))functions isis to (the where and Uahomomorphic the •adversary. The can make C unforgeable bequery collection ofarbitrary circuits take ktrapdoor aVM collection Htechnique {h M Ut negligible, where U and U denote • aThe adversary can arbitrary polynomial i, h i (µ, Hnegligible, functions isiU(µ, anegligible, collection H = M × →×V} lectively unforgeable security for homomorphic sigH V{h lectively security formake sigdistance ((h , hpolynomial (µ, u)), (U , inputUdistance ))((h is thenadversary. i V:U iH:= i homomorphic iwhich H Vthe ((h u)), (U ,where U isdenote to the pace U , a family of tion). For a message space and randomness s-chamele ers  1, q  i, h H V )) distance , h (µ, u)), (U , U )) is to the adversary. M. Boneh and Freeman [14] first introduced the forl polynomial-depth circuits. Next, we define sesignature schemes, i.e., they are homomorphic for ali i H V A signature scheme is fully homomorphic if it number of signing queries. In the i-th query, uniform distributions on H and V. theadversary adversary. [11-12]. negligible, where Ubetween and UVwhere denote the • make The can make arbitrary polynomial Haquery, number of signing queries. In the i-th query, uniform distributions on H and V. s over the message space and generate an output in where i is the index and V is the range. The number of signing queries. In the i-th uniform distributions on H and V. and denote the uniform distributions on and . i is the index and V is the range. 
There is an nature schemes via the following game a nature schemes via the following game between negligible, where U and U denote the he adversary can arbitrary polynomial ofmal the SIS H In V negligible, where UHU and U denote the The adversary canall make arbitrary polynomial og q), there arecasenumber of a homomorphic signature scheme functions a Vcollection H = {hhash pace Uwhere , a V. family of homomorphic UH and denote the chameleon • definition The adversary canInmake arbitrary polynomial lectively unforgeable for homomorphic lhomomorphic polynomial-depth circuits. Next, wesecurity define the se- negligible, i : M×U is•problem. for polynomial-size circuits. V is of queries. the i-th query, uniform distributions on Hsigand 1]). Given any integers signing 1,number q  _queries. _ The outputs aBoneh signature for the δ ∗the M. anduniform Freeman [14] first introduced the foralgorithm which can: and generate a index public algorithm which can generate a× public and probabilistic polynomial time adversary A and aproperty. chalprobabilistic polynomial time adversary Aon and auniform chalumber of signing In the i-th query, distributions H and V. of signing queries. In i-th query, uniform distributions on H and V. _ _ Chameleon For any and , µ ∈ M ampleDom and for anadversary type of circuit C. A C-homomorphic signarameter. We denote the message space by M v ∈ ς where i is the index V is the range.i inde The functions is a collection H = {h M U → V}, number of signing queries. In the i-th query, distributions on H and V. nature schemes via the following game between a Definition 6 (Homomorphic Chameleon Hash Funclectively unforgeable security for homomorphic sigi this work, we construct leveled fully homomorphic ∗ * * 2.3. Trapdoors for lattices and Sampling algoy large m = O(n log q), there are mal definition of a homomorphic signature scheme chosen tag , a message μ and the circuit . τ C the corresponding trapdoor secret key T . 
Ho the corresponding trapdoor secret key T . Homomorlenger S. lenger S. i i ription. ture scheme is a tuple of polynomial algorithms let C albe aa collection ofi circuits take k and inputgiven trapdoor ,which anyone can algorithm which can generate public where is theTiindex and V is theefficiently Therea issan inde probabilistic polynomial time adversary Athe and a chaltion). For a message space M arange. randomness nature schemes via following game between signature schemes, i.e., the theytime are homomorphic for gorithms TrapGen, rithms SampleDom and for a type of circuit C. A ∗C-homomorphic signaphic chameleon hash functions consist of the phic chameleon hash functions consist of the follow∗ message ∗pace s the over the space and in ∗ ∗compute soa that hgenerate (of µcan , corresponding uhomomorphic ) =generate van. output secret algorithm which a trapdoor public index i key and Ti . Ho ∈the Υ lenger U, family chameleon hash probabilistic•polynomial time adversary chalIf , then the adversary l polynomial-depth circuits. Next, we chooses define ithe • S. The adversary ,time , the C )uas The adversary chooses (τA, and µ ,(τaC∗se)µas ng the following description. ture scheme is a tuple of polynomial algorithms ing four properties: ing four properties: Lemma 2 ([1, 11]). Given anychallenged integers nof for 1, homomorphic q information  and and Freeman first introduced theihash forphic chameleon the corresponding trapdoor T lenger S. is[14] a collection H =secret {h : key M ×i .UHomomor→ consist V}, of the lectively unforgeable sigwins the game. Due to the definition selective un-M. challenged and gives information gives _Boneh _∗all Collision Given a public index , there i functions ∗ ∗functions •security The chooses (τ ,µ , C all )ofasresistance. 
the 2, and sufficiently m = information O(n log q), adversary there are mal definition a homomorphic signature scheme ing four properties: phic chameleon hash functions consist of the followwhere i is the index and V is the range. There is an nature schemes via the following game between a • Uniformity property For a randomiz forgeability, thelarge adversary can query the signatures information to the challenger. • Uniformity property For aa randomized to the challenger. are no all polynomial time adversary which can find challenged information gives • The adversary chooses (τ ∗and , µ∗ , C ∗ )for as and the three efficient algorithms TrapGen, SampleDom a type of circuit signa* *C.which * A C-homomorphic *M, * index ing four properties: algorithm can generate a public i and probabilistic polynomial time adversary A and a chalindex i, µ ∈ and u ∈ U statist • The challenger generates (pk, sk) and gives pk of the challenged message vector μ . In order to make indexh•i, statistical • Theinformation challenger generates sk) and pairgives ( µ , upk ) ≠ ( µ , u ) so that µµ, u∈) M, = hi (and µ property ,u ∈ ) . U , theFor i (Uniformity a, the randomiz information the(pk, challenger. challenged and to gives all SamplePre having the following description. ture scheme is a tuple of polynomial time algorithms the corresponding trapdoor secret key T . Homomorlenger S. distance ((h , h (µ, u)), (U , U to the adversary. i distance ((hi,i ,For , UUV,))the to the theto the challenger response for challenger message iu)), i (Uu His statist V )) H∈ index µhai∈(µ, and • pk Uniformity property aM, randomized •adversary. Thechallenger. challenger generates__(pk, sk) and gives information the Homomorphic property. 
Given dataset phic chameleon hash functions consist of the follownegligible, where U and U denote t • The adversary can make arbitrary polynomial where U and (µ, UHV u)), denote • The adversary can make polynomial vector, we set •the adversary's challenged plaintext V the ∗ (pk, ∗ sk) (U to the (τ adversary. µ ∈ M,distance and u ∈((h UH , the •The The challenger generates gives thati,hnegligible, ( µpkj , u j , v j ) j∈[ k ] soindex adversary chooses ,µ , C ∗arbitrary )and as the i , hstatistical i H , UV )) i ( µ j , u j ) = v j and a circuit ing four properties: number of signing queries. In the i-th query, uniform distributions on H and V. number of signing queries. In thearbitrary i-th query, distributions H as a set of messages, than single message. U and • aThe adversary can make polynomial distanceuniform ((h ,negligible, h (µ, u)), where (Uon, U ))and isV.U denote t torather the adversary. challenged information and gives allIn i

i

H

VH

V

number signing polynomial queries. In the i-th query, uniform distributions negligible,property where UHFor and theH and V. •information The adversary makeofarbitrary • Uniformity aU randomized to thecan challenger. V denote on number of signing queries. In the i-th query, uniform distributions on H and V. index i, µ ∈ M, and u ∈ U , the statistical • The challenger generates (pk, sk) and gives pk distance ((hi , hi (µ, u)), (UH , UV )) is to the adversary. negligible, where UH and UV denote the • The adversary can make arbitrary polynomial number of signing queries. In the i-th query, uniform distributions on H and V.

 h A (Uk.2 ,Itoutputs (11) key sk 2) inition and Construction dataset a signing secret τ, i, µ) then we get  AU 2  2G mod q. • The and a public verification key pk. order to maintain the In [24], Freeman embed a homomorphic chameleon chos • Sign(sk, τ, i, µ) The signing algorithm takes lgorithm, we use the4 µi . hash function to show the unforgeability of his [18], ho- and D.Xie, H.Peng,L.Li, Y.Yang C ∗. definition of chameleon hash function a generic λ as input the secret key sk, a tag τ ∈ {0, 1} , λ yτ mapping, namely, ∈ {0, 1} , all messages momorphic signature Based oninthis the definition ofscheme. HCHF are given thisand section. Note AUh1that (U (U1and , 1 )a message µ ∈ M. It 11G Information Technology and Control 279 If Veri AU , 1i)h∈2017/2/46 A [k] 1  1G  an A index Mk and all circuits C ∈ definition C, if of chameleon functionhash [18],function, a genericHCHF 2 )h A (U 2 , 2 ) (11) compared to hash chameleon has U  h ( ,  (11) 2 A a,signature δ. sary A win U1 AU h A ( 1Goutputs AU 0,) and 1}λ ,δ  all messagesτ, {(µidefinition ← Eval(pk, , δi )}i∈[k]of ,anHCHF 1 )mod are given in this section. NoteAU that1  Then . 2G mod q. 2 q additional property, i.e., homomorphism. we 2 2G λ • Eval(pk, τ, {(µ , δ )} , C) The the adversary chooses a fresh tag τ ∈ {0, 1} = (KeyGen, Sign, Eval, Verify) with the followtive unforge i i U  h ( ,  ) (11)  i∈[k] i 2 2 A llk, circuits τ, C(µ1 ,Cµ2∈ , · ·C, · ,ifµk ), δ ,compared C) = to chameleon hash function,using HCHF construct a class of HCHFs thehas distinguished AU G    mod q . evaluation algorithm takes as input the public ing syntax. and a k-length message set tures of the 2 2 Eval(pk, {(µ )} i , δiby an property, i.e., homomorphism. Then we technique trapdoor function with preimage sampling can homomorphically he enote message the τ, message space space and M C i∈[k] :M M k,by →additional M , andanyone k ofq . 
That is, A ( U − U ) = ( µ − µ ) G mod key pk, a tag τ , a collection (µ , µ , · · · , µ ) ∈ M . The challenger make the ch  1 2 2 1 i1 i1 ik λ k ' ' · ·offully , µcircuits δ , C) =k inputeme if kaitinput2 , ·is k ),homomorphic a[11-12]. class HCHFs using the distinguished • construct KeyGen(1 ,µ1 j ,)uof The key generation compute u from ection fµcircuits which take which take j and a v from v j so that message-signature pairs {(µ , δ )} , and a generates the collection of signatures sage vector i i i∈[k] µ = µ If , then we have a nonzero matrix ' U = U1 − U 2 2 all polynomial-size function sampling technique 1 algorithm takes the security sage ace and space generate and generate anhcircuits. output output in µtrapdoor µIn , u ' ) =aswith vinput . preimage i (C (an 1 ,in 2 , , µ k) circuit C ∈ C. It outputs a signature δ for a (δ , δ , · · · , δ ) for the i-th query and sends text as a set i1 i2 ik so that . Note that U ≤ B , so we have 6 (Homomorphic Chameleon Hash Funcyuct homomorphic ifhomomorphic it the forleveled fully i [11-12]. parameter λ and the maximum size of the  nFreeman [14] first[14] introduced first introduced the for-Definition message µ . it to the adversary. In fact, ther Next, we construct a class of specific HCHFs using U ≤ 2 B . Foraasigning message space Mskand a randomness smial-size Insignature e., they arecircuits. homomorphic fordataset alk. tion). It outputs secret key of momorphic a homomorphic signature scheme scheme ∗ • Verify(pk, τ, µ, δ, C) The verification • The adversary outputs a signature δ for the for all quer m the trapdoor technique from standard lattices [19, 21] Definition 6 (Homomorphic Chameleon Hash Funcpace U , a family hash homomorphic ircuits. Next, we define signatheand se-signaa public verification key of pk.homomorphic chameleon If µ1 ≠ µalgorithm choose a vector r ∈ {0,pk, 1} aat rancircuit C.fully A C-homomorphic C. 
A C-homomorphic 2 , we firsttakes ∗ as input ∗public the tag τ , chosen tag τ , a message µ and the circuit index i but and prove that it satisfies the above four properties. tion). For a message space M and a randomness sa collection H = takes {hi : Mdom, × Uand → V}, for alsecurity homomorphic sig• algorithms Sign(sk, τ,functions i, µ)m×mTheis signing algorithm ' ' is a public primitive malet of ahomomorphic tuple polynomial of for polynomial time algorithms time n ×A m((U1  U 2 ) r aC rmessage-signature )∗. (( 2 . Since )G ) rG pair Ar (µ, δ),(12)  and a circuit 1 λ M = Z Y = { U ∈ Z : U ≤ B } Let , and . pace U, a family of homomorphic chameleon hash ς = Z e message space by M and xt, define the se- between where is the index There an the we following game a q i key q , range. asqinput the secret sk, a tag and τ ∈V {0,is1}the 2 trix and is naturally a trapdoor can TG , we or z Itz outputs has 0 mod q. 1 (accept) Definition Cand ∈ C. either 0m invoke functions collection H = Msize × → V}, f circuits which take k inputWe remark isa [k] the upper bound or homomorphic sigcan{h generate public index i∈:the mial time adversary A and a chalanthat indexBiisalgorithm ∈ and awhich message µof M. It aUof Ifi(reject). Verify(pk, τ ∗ , µ∗ , δa∗ ,vector C ∗ ) = r1,' ∈then adverthe SamplePre to compute {0,1}the so that homomorph i is theincorresponding index and V istrapdoor the range. There ace an aoutputwhere in evaluated signatures our δ.homomorphic schemes. ng and gamegenerate between secret keyisTan Homomori . sary outputs a signature A wins the game. Duehave to the definition of selec. 
We Eval, Verif nversary [14] first introduced algorithm can i∈[k] generate public A and a chalEverythecolumn of the matrix is,sampled fromindex the i and phic chameleon hash functions consist of tive the followFor correctness,theweadversary require that both the origi•forEval(pk, τ,which {(µ C) aThe unforgeability, can query the signai , δi )}U probability chooses (τ ∗signature , µ∗ , C ∗ ) scheme as the momorphic ∗ evaluated the corresponding trapdoor secret key T . Homomoring fours properties: DZ , s, where distribution istakes the Gaussian paramei nal signatures by Sign) the ' (generated ' andµ evaluation algorithm as input the public tures of the challenged message vector . In order to ' ' A (( U  U ) r  r )  (( ) G ) r  Ar   ty of wining ormation and gives all A (( U  U ) r  r )  ((  ) G ) r  Ar   1 2 2 1 (12) 1 2 signatures 2 1 (12) C. phic chameleon consist of the (12) ter. Allsignarelated parameters arefunctions defined in section 4.2.follow(generated by Eval) are accepted. Specifikey pk, a tag τ ,•hash a Uniformity collection ofproperty ∗ A∗ C-homomorphic make the challenger response for the challenger mes z  z  0 mod q .  z  z  0 mod q . , µchallenger. , C ∗ ) as the For a randomized the ' ' of polynomial time algorithms ingTrapGen four properties: A((U  Ucally, r ) require  ((we )G rfollowing  Ar 2 set 1the we that the)adversary’s conditions hold. We use the algorithm to{(µ generate the, index pairsi, δi )}and sage vector, challenged plain2 )r  i∈[k] (12) nd gives all (pk, sk) index µ ∈i , M, u and ∈ Ua, the1 statistical r generates and givesmessage-signature pk 3. Homom λ   z  z  0 mod q . ' ∈ M, and 1. For all tags τ ∈ {0, 1} , all µ and the corresponding trapdoor for our HCHF. circuit C ∈ C. It outputs a signature δ for a text as a set of messages, rather than a single message. Hence, we get a vector u = (U1 − U 2 ) r − r so that • Uniformity property For a randomized nger. distance ((h , h (µ, u)), (U , U )) is y. 
We use the public primitive matrix $G$ introduced in [21], where the short basis $T_G$ is a trapdoor for $\Lambda^{\perp}(G)$. Here we construct a new matrix $G' = [G \mid R] \in \mathbb{Z}_q^{n \times m}$, where $R \in \mathbb{Z}_q^{n \times (m - n\log q)}$ is a random matrix. Using the ExtBasis algorithm [13], we can obtain a short basis $T_{G'}$ for $\Lambda^{\perp}(G')$ so that $\|\widetilde{T}_{G}\| = \|\widetilde{T}_{G'}\|$ [10]. Hence, anyone can efficiently perform the SamplePre algorithm using the trapdoor $T_{G'}$. We define the homomorphic chameleon hash function $h_A$ with index $A$ as follows:

$$h_A(U, \mu) = AU + \mu G \bmod q. \tag{10}$$

It is not difficult to verify the uniformity and chameleon properties of $h_A$. Specifically, if $\mu$ is randomly sampled from $\mathbb{Z}_q$, we naturally get the result that the statistical distance is negligible [19]. Given the trapdoor matrix $T_A$, we can use the algorithm SamplePre to compute $U$, which has the same distribution as $D_{\mathbb{Z},s}$ [19]. Next, we prove that the constructed functions satisfy the other two properties, i.e., collision resistance and homomorphism.

Theorem 1. Given an integer $n = \mathrm{poly}(\lambda)$, let $q = \mathrm{poly}(\lambda)$ be a prime, $m = n\log q + \omega(\log n)$ and $B$ be the upper bound of the size of signatures defined in section 4.2. If the SIS problem is hard, then the function $h_A$ constructed above is collision resistant with probability $1 - \mathrm{negl}(n)$.

Proof. Suppose that there is an adversary that finds a collision $(U_1, \mu_1)$ and $(U_2, \mu_2)$ for a random function $f_A$. Obviously, we have

$$AU_1 + \mu_1 G = h_A(U_1, \mu_1) = h_A(U_2, \mu_2) = AU_2 + \mu_2 G \bmod q. \tag{11}$$

Using the Cauchy-Schwarz inequality, we easily have . Next, we only need to prove that the probability of $u = 0$ is negligible.

$$\cdots \ge H_\infty(r) - \log(q^n) \ge m - n\log q \ge \omega(\log n). \tag{13}$$

The second inequality follows from Lemma 1. Therefore, from the definition of average min-entropy,

$$\Pr[u = 0] = \Pr[r = (U_1 - U_2)r'] \le 2^{-\omega(\log n)} = \mathrm{negl}(n). \tag{14}$$

In summary, if there is an adversary that finds a collision for a random function $f_A$, then we can construct an algorithm to solve the SIS problem with probability $1 - \mathrm{negl}(n)$. This concludes the proof.

For the homomorphic property, we consider general circuit $C$. Specifically, we consider four types of arithmetic gates: addition, multiplication, addition with constant, multiplication with constant. These four special gates are completely used to compute an arbitrary arithmetic circuit [24].
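The addition rule ($U^* = U_1 + U_2$, $V^* = V_1 + V_2$) and the multiplication rule ($U^* = \mu_2 U_1 + U_2 R$, $V^* = V_2 R$) that the proof of Theorem 2 gives for $h_A$ can be checked on a toy instance. The Python sketch below is an added illustration, not code from the paper. Its assumptions: q = 97 and n = 2, the power-of-two form of G with m = n⌈log2 q⌉ so that G needs no padding, the relation GR = V1 mod q for the binary matrix R, and triples produced by hashing forward instead of trapdoor sampling.

```python
import random

Q = 97                   # toy prime modulus q (assumption; far too small for security)
N = 2                    # toy dimension n (assumption)
ELL = Q.bit_length()     # bits needed per Z_q entry (7 for q = 97)
M = N * ELL              # m = n * ceil(log2 q), so G needs no padding

def matmul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]

def matadd(X, Y):
    return [[x + y for x, y in zip(r, s)] for r, s in zip(X, Y)]

def scale(c, X):
    return [[c * x for x in row] for row in X]

def mod_q(X):
    return [[x % Q for x in row] for row in X]

def inf_norm(U):
    return max(abs(x) for row in U for x in row)

def gadget():
    """G = I_n (x) (1, 2, 4, ..., 2^(ELL-1)), an n x m matrix over Z_q."""
    return [[(1 << (j % ELL)) if j // ELL == i else 0 for j in range(M)]
            for i in range(N)]

def g_inverse(V):
    """Binary R in {0,1}^(m x m) with G*R = V mod q: bit-decompose each entry of V."""
    R = [[0] * len(V[0]) for _ in range(M)]
    for i in range(N):
        for c, v in enumerate(V[i]):
            for b in range(ELL):
                R[i * ELL + b][c] = ((v % Q) >> b) & 1
    return R

def h(A, G, U, mu):
    """Equation (10): h_A(U, mu) = A*U + mu*G mod q."""
    return mod_q(matadd(matmul(A, U), scale(mu, G)))

def fresh(A, G, mu, rng):
    """Consistent triple (U, mu, V) obtained by hashing a small random U forward.
    A real signer fixes V first and samples U with a trapdoor (not modelled here)."""
    U = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
    return U, mu, h(A, G, U, mu)

def add_gate(x1, x2):
    (U1, mu1, V1), (U2, mu2, V2) = x1, x2
    return matadd(U1, U2), (mu1 + mu2) % Q, mod_q(matadd(V1, V2))

def mul_gate(x1, x2):
    (U1, mu1, V1), (U2, mu2, V2) = x1, x2
    R = g_inverse(V1)                           # assumed relation: G*R = V1 mod q
    U = matadd(scale(mu2, U1), matmul(U2, R))   # U* = mu2*U1 + U2*R
    return U, (mu1 * mu2) % Q, mod_q(matmul(V2, R))

def public_eval(V1, V2, V3):
    """Hash value of C = (x1 + x2) * x3, recomputed from V1, V2, V3 alone."""
    return mod_q(matmul(V3, g_inverse(mod_q(matadd(V1, V2)))))

def demo(seed=1):
    rng = random.Random(seed)
    G = gadget()
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    x1, x2, x3 = (fresh(A, G, mu, rng) for mu in (3, 5, 11))
    U, mu, V = mul_gate(add_gate(x1, x2), x3)   # C = (x1 + x2) * x3
    return {
        "mu": mu,
        "hash_matches": h(A, G, U, mu) == V,
        "public_matches": public_eval(x1[2], x2[2], x3[2]) == V,
        "wrong_mu_rejected": h(A, G, U, (mu + 1) % Q) != V,
        "norms": (inf_norm(x1[0]), inf_norm(U)),  # growth of the evaluated U
    }

if __name__ == "__main__":
    print(demo())
```

The `norms` pair shows the entries of the evaluated $U$ growing after a single multiplication gate, which is why the scheme needs a bound $B$ on the size of evaluated signatures.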

Theorem 2. Given an integer $n = \mathrm{poly}(\lambda)$, let $q = \mathrm{poly}(\lambda)$ be a prime and $m = O(n\log q)$. The function $h_A$ constructed above is homomorphic for any arithmetic circuit.

Proof. In order to prove this theorem, we consider the four types of gates in turn.


1. For an addition gate $f$, $f(\mu_1, \mu_2) = \mu_1 + \mu_2$. Suppose that there are two datasets $(U_i, \mu_i, V_i)_{i=1,2}$ so that $h_A(U_i, \mu_i) = V_i$. Then we have

$$V_1 = AU_1 + \mu_1 G \bmod q, \tag{15}$$

$$V_2 = AU_2 + \mu_2 G \bmod q. \tag{16}$$

Define $U^* = U_1 + U_2$ and $V^* = V_1 + V_2$. We can easily verify that $h_A(U^*, \mu_1 + \mu_2) = V^* \bmod q$.

2. Similarly, for a multiplication gate, let $f(\mu_1, \mu_2) = \mu_1\mu_2$. This time we firstly compute the matrix $R \in \{0,1\}^{m \times m}$ so that [12]. Then we define $U^* = \mu_2 U_1 + U_2 R$ and $V^* = V_2 R \bmod q$. Hence,

$$\begin{aligned} AU^* + (\mu_1\mu_2)G &= A(\mu_2 U_1 + U_2 R) + (\mu_1\mu_2)G \\ &= \mu_2 V_1 + AU_2 R \\ &= \mu_2 V_1 + V^* - \mu_2 V_1 \\ &= V^* \bmod q. \end{aligned} \tag{17}$$

3. For an addition with constant gate, $f(\mu, a) = \mu + a$. For the message $\mu$, suppose that there are two matrices $U$ and $V$ so that $h_A(U, \mu) = V$. We define $U^* = U$ and $V^* = V - aG \bmod q$. Obviously, $h_A(U^*, \mu + a) = V^* \bmod q$ holds.

4. For a multiplication by constant gate, $f(\mu, a) = a\mu$. We define and , where . It is also easy to check that the case of equation $h_A(U^*, a\mu) = V^* \bmod q$ holds.

Note that an arbitrary arithmetic circuit can be expressed as the above four gate operations. For a circuit $C$, we compute $U^*$ and $V^*$ gate by gate recursively according to the above rules. Therefore, the function $h_A$ constructed by us is homomorphic for any arithmetic circuit.

Our leveled homomorphic signature scheme

In this section, we firstly describe our proposed homomorphic signature scheme and then set related parameters for some types of circuits. After that, we give the correctness analysis and security proof for our scheme.

Our construction

In our construction, we employ the public primitive matrix $G$ introduced by Micciancio and Peikert [21], which naturally has a short basis $T_G$ for $\Lambda^{\perp}(G)$. Our homomorphic signature scheme $\Pi$ = (KeyGen, Sign, Eval, Verify) specifically works as follows.

KeyGen($1^\lambda, 1^k$). The algorithm takes the security parameter $\lambda$ and the maximum size of the dataset $k$ as input.

1. Choose the parameters $n, q, m, s$ and $B$ as in section 4.2.

2. Sample a matrix $A \in \mathbb{Z}_q^{n \times m}$ and its corresponding trapdoor matrix $T_A \in \mathbb{Z}^{m \times m}$.

3. Choose $k + 1$ random matrices $B$ and $\{V_i\}_{i \in [k]} \in \mathbb{Z}_q^{n \times m}$.

4. Output the secret key and the public key.

Sign(sk, $\tau$, $i$, $\mu$). The algorithm takes the secret key, a tag $\tau \in \{0,1\}^\lambda$, an index $i \in [k]$ and a message $\mu \in \mathcal{M}$ as input.

1. Choose a specific homomorphic chameleon hash function $h_{A_\tau}$ for the tag $\tau$, where $A_\tau = [A \mid B + \tau G] \in \mathbb{Z}_q^{n \times 2m}$.

2. Use the secret key $T_A$ to compute $U$ so that $h_{A_\tau}(U, \mu) = V_i$. Namely, $U \leftarrow \mathrm{SampleLeft}(A, B + \tau G, T_A, V_i - \mu G, s)$.

3. Output the signature $\delta = U$.

Eval(pk, $\tau$, $\{(\mu_i, \delta_i)\}_{i \in [k]}$, $C$). The evaluation algorithm takes the public key pk, the tag $\tau$, a collection of message-signature pairs $\{(\mu_i, \delta_i)\}_{i \in [k]}$, and a circuit $C \in \mathcal{C}$ as input. It recursively computes a homomorphic signature gate by gate.

1. Compute the homomorphic chameleon hash function $h_{A_\tau}$ for the tag $\tau$.

2. Let $f(\mu_1, \mu_2)$ be a gate in $C$, where $\mu_1$ and $\mu_2$ are the input messages. By induction, we have two signatures $U_1$ and $U_2$ so that $A_\tau U_1 + \mu_1 G = V_1$ and $A_\tau U_2 + \mu_2 G = V_2$. According to Theorem 2, we can homomorphically output the signature $U^*$. Taking the multiplication gate as an example, $U^* = \mu_2 U_1 + U_2 R$, where $R \in \{0,1\}^{m \times m}$ so that .

3. Output the evaluated signature $\delta' = U_C$.

Verify(pk, $\tau$, $\mu$, $\delta$, $C$). The verification algorithm takes the public key pk, the tag $\tau$, a message-signature pair $(\mu, \delta)$, and a circuit $C \in \mathcal{C}$ as input. It outputs 1 if the following conditions hold, otherwise it outputs 0:

1. Let $\delta = U_C$ and verify $\|U_C\| \le B$;

2. Let $A_\tau = [A \mid B + \tau G]$ and check whether $h_{A_\tau}(U, \mu) = C(V_i)$ holds or not.

Parameters

Let $\lambda$ be the security parameter in our scheme. Suppose that the maximum depth of the circuits in our scheme is $d = d(\lambda)$. We use $B$ to denote the upper bound of the size of evaluated signatures, and use $B_{int}$ to denote the size of the original signatures generated by the Sign algorithm. We assume that $n = \mathrm{poly}(\lambda)$, $q = n^{O(d)}$ is a large prime, and . Due to TrapGen and Theorem 1, we set the parameter . In order to use SampleLeft, we need $s \ge \|\widetilde{T}_A\|\,\omega(\sqrt{\log m})$, where $\|\widetilde{T}_A\| \le O(\sqrt{n\log q})$. Similarly, SampleRight requires that $s \ge \|\widetilde{T}_G\|\, s_W\, \omega(\sqrt{\log m})$, where $W \in \{-1,1\}^{m \times m}$ and $s_W = O(\sqrt{m})$ [23]. Hence, we use sufficiently large $s = O(n\log q)\,\omega(\sqrt{\log m})$ so that the outputs of SampleLeft and SampleRight are indistinguishable.

If $C$ is a boolean circuit of maximum depth $d$, whatever the gate is, we also have $\|U^*\| \le B_{int}(m^{1.5} + 1)$. Hence, the size of evaluated signatures $\|U\| \le B_{int} \cdots$.

Next we consider that $C$ is an arithmetic circuit of maximum depth $d$ consisting of fan-in-$t$ addition gates and fan-in-2 multiplication gates, where $t = \mathrm{poly}(\lambda)$. Moreover, it is guaranteed that at least one input $\mu$ about this fan-in-2 multiplication gate is of size polynomial in $\lambda$. From Theorem 2, $\|U^*\| \le B_{int} \max\{t, m^{1.5} + \mu\}$. Hence,

$$\|U^*\| \le B_{int} \max\{t, m^{1.5} + \mu\}^d \le m\,\omega(\sqrt{\log m}) \max\{t, m^{1.5} + \mu\}^d \le 2^{(\log \lambda)} = B.$$

Correctness and security proof

From the parameters setting defined in section 4.2, it is easy to see that the signatures produced by Sign are correct. The correctness of signatures generated by Eval follows from the homomorphic property of HCHF. In this subsection, we mainly discuss the security of our scheme.

Theorem 3. For any adversary $A$ mounting a selective unforgeability attack with at most $Q$ queries on our homomorphic signature scheme $\Pi$, there is a probabilistic polynomial time algorithm $S$ that can find a collision for the randomized HCHF with the following advantage,

$$\mathrm{Adv}_{HCHF}(S) \ge \mathrm{Adv}_{\Pi}(A)/Q - \mathrm{negl}(n). \tag{18}$$

Proof. Let $A$ be an adversary that wins the selective unforgeability security game defined in section 2.4 with advantage $\mathrm{Adv}_{\Pi}(A)$. Our aim is to construct an algorithm which can find a collision for the homomorphic chameleon hash function $h_A$ over the random matrix $A \in \mathbb{Z}_q^{n \times m}$, where $n, q, m$ are defined in section 4.2. The algorithm takes matrix $A$, whose columns are independent and uniformly random samples from $\mathbb{Z}_q^n$, as input. Let $(\tau^*, \mu^*, C^*)$ be the challenge information about tag, messages, and circuit. Suppose that the adversary makes $Q$ queries and every time the tag is $\tau_i$, where $i \in [Q]$. We distinguish between two types of forgers. One is that the adversary will never query signatures of messages for the tag $\tau^*$, i.e., $\tau^* \ne \tau_i$ for all $i \in [Q]$. The other one is $\tau^* = \tau_i$ for some tag $\tau_i$, but $C^*(\mu^*) \ne \mu^*$, where $\mu^*$ is the adversary's forged message.

1. We first consider the situation, where $\tau^* \ne \tau_i$ for all $i \in [Q]$. The simulation step is as follows:

- The challenger generates a public key for the adversary. Choose public parameters $n, q, m$. Let $s$ be the related Gaussian parameter and denote the upper bound on the size of evaluated signature by $B$. See section 4.2 for more details. Sample $W \in \{-1,1\}^{m \times m}$ randomly and let $B = AW - \tau^* G \bmod q$. For all $i \in [k]$, choose matrix $W_i \in \{-1,1\}^{m \times m}$ at random and compute . Output the public key $(A, B, G, \{V_i\}_{i \in [k]})$.

- The challenger generates signatures for the queried messages and the tag $\tau_i$. Since $A_{\tau_i} = [A \mid B + \tau_i G] = [A \mid AW + (\tau_i - \tau^*)G]$, we can use the trapdoor $T_G$ to compute the signature $U_{ij}$ so that $h_{A_{\tau_i}}(U_{ij}, \mu_j) = V_j$. Namely, $U_{ij} \leftarrow \mathrm{SampleRight}(A, (\tau_i - \tau^*)G, W, T_G, V_j - \mu_j G, s)$.

- The challenger outputs the signed data $\{U_{ij}\}_{j \in [k]}$ and sends them to the adversary.

We show that the public keys and signatures in the real scheme and in the simulation game are statisti-


We show that the public keys and signatures in the real scheme and in the simulation are statistically indistinguishable. For the matrix $A$, it is produced by the TrapGen algorithm in the real system and is chosen uniformly at random in the simulation game. For the matrix $B$, it is chosen uniformly at random in the real system and $B = AW - \tau^* G$ in the simulation game, where $W$ is chosen uniformly at random. For each $i$, $V_i$ is chosen uniformly at random in the real system and is computed using a uniformly random $W_i$ in the simulation game. From Lemma 2, the public keys in the real system and in the simulation game are statistically indistinguishable. For a sufficiently large Gaussian parameter $s$, the outputs of SampleLeft used in the real system and SampleRight used in the simulation are statistically indistinguishable.

If the adversary outputs a forgery $(U^*, \mu^*)$ for the tag $\tau^*$ and the circuit $C^*$, we naturally have $[A \mid AW]U^* + \mu^* G = C^*(V_1, \dots, V_k)$. Let $U^* = [U_1^*, U_2^*]^T$; we have

$$A(U_1^* + WU_2^*) + \mu^* G = C^*(V_1, \dots, V_k). \tag{19}$$

Equivalently,

$$h_A(U_1^* + WU_2^*, \mu^*) = C^*(V_1, \dots, V_k). \tag{20}$$

From Theorem 2, we can see that the challenger can compute a matrix $U^C \in \mathbb{Z}_q^{m \times m}$ and an integer $x \in \mathbb{Z}_q$ so that $C^*(V_1, \dots, V_k) = AU^C + xG$. In other words, $h_A(U^C, x) = C^*(V_1, \dots, V_k)$. Therefore, we have $h_A(U^C, x) = h_A(U_1^* + WU_2^*, \mu^*)$. In the simulation game, all signatures are produced independently through the SampleRight algorithm. The adversary does not query signatures of the messages with the tag $\tau^*$. Thus, the adversary gets no information about $W$. The probability that $U_1^* + WU_2^* - U^C = 0$ can be negligible. From the above analysis, the challenger finds a collision for the homomorphic chameleon hash function with advantage

$$\mathrm{Adv}_{\mathrm{HCHF}} \ge \mathrm{Adv}^{\mathrm{selective}} - \mathrm{negl}(n). \tag{21}$$

The challenger chooses $W \in \{-1, 1\}^{m \times m}$. Last, it computes $B = AW - \tau^* G \bmod q$. Moreover, let $V_i = [A \mid AW]U_i + \mu_i G \bmod q$. After that, the challenger outputs the public key $(A, B, G, \{V_i\}_{i \in [k]})$.

The challenger generates signatures for the queried messages and the tag $\tau_i$. If $\tau_i \ne \tau^*$, the challenger aborts the game. Otherwise, the challenger straightforwardly outputs the signatures $\{U_i\}_{i \in [k]}$ for the challenged tag. Obviously, the challenger does not abort the game with probability $1/Q$. Similarly to the above analysis, we can also find that the public keys and signatures in the real scheme and in the simulation game are statistically indistinguishable.

If the adversary outputs a forgery $(U^*, \mu^*)$ for the tag $\tau^*$ and the circuit $C^*$, we naturally have

$$[A \mid AW]U^* + \mu^* G = C^*(V_1, \dots, V_k). \tag{22}$$

Letting $U^* = [U_1^*, U_2^*]^T$, we can obtain

$$h_A(U_1^* + WU_2^*, \mu^*) = C^*(V_1, \dots, V_k). \tag{23}$$

On the other hand, the adversary has the collection of signatures $\{U_i\}_{i \in [k]}$ for the challenged message vector $\mu$. Therefore, the challenger can compute the evaluated signature $U^C$ using the Eval algorithm. Namely,

$$[A \mid AW]U^C + C^*(\mu) G = C^*(V_1, \dots, V_k), \tag{24}$$

$$h_A(U_1^C + WU_2^C, C^*(\mu)) = C^*(V_1, \dots, V_k). \tag{25}$$

Hence, $h_A(U_1^* + WU_2^*, \mu^*) = h_A(U_1^C + WU_2^C, C^*(\mu))$. Since $C^*(\mu) \ne \mu^*$, the adversary finds a collision with the advantage

$$\mathrm{Adv}_{\mathrm{HCHF}} \ge \mathrm{Adv}^{\mathrm{selective}} / Q - \mathrm{negl}(n). \tag{26}$$

A leveled homomorphic signature scheme (KeyGen, Sign, Eval, Verify) has the following syntax.

• KeyGen($1^\lambda$, $1^k$) The key generation algorithm takes as input the security parameter $\lambda$ and the maximum size of the dataset $k$. It outputs a signing secret key sk and a public verification key pk.
• Sign(sk, $\tau$, $i$, $\mu$) The signing algorithm takes as input the secret key sk, a tag $\tau \in \{0, 1\}^\lambda$, an index $i \in [k]$ and a message $\mu \in \mathcal{M}$. It outputs a signature $\delta$.
• Eval(pk, $\tau$, $\{(\mu_i, \delta_i)\}_{i \in [k]}$, $C$) The evaluation algorithm takes as input the public key pk, a tag $\tau$, a collection of message-signature pairs $\{(\mu_i, \delta_i)\}_{i \in [k]}$, and a circuit $C \in \mathcal{C}$. It outputs a signature $\delta$ for a message $\mu$.
• Verify(pk, $\tau$, $\mu$, $\delta$, $C$) The verification algorithm takes as input the public key pk, a tag $\tau$, a message-signature pair $(\mu, \delta)$, and a circuit $C \in \mathcal{C}$. It outputs either 1 (accept) or 0 (reject).

For correctness, we require that both the original signatures (generated by Sign) and the evaluated signatures (generated by Eval) are accepted. Specifically, we require that the following conditions hold.

1. For all tags $\tau \in \{0, 1\}^\lambda$, all $\mu \in \mathcal{M}$, and all $i \in [k]$, if $\delta \leftarrow$ Sign(sk, $\tau$, $i$, $\mu$) then we get Verify(pk, $\tau$, $\mu$, $\delta$, $I_i$) = 1. In order to maintain the consistency of the verification algorithm, we use the circuit $I_i$ to denote the identity mapping, namely, $I_i(\mu_1, \mu_2, \dots, \mu_k) = \mu_i$.
2. For all tags $\tau \in \{0, 1\}^\lambda$, all messages $(\mu_1, \mu_2, \dots, \mu_k) \in \mathcal{M}^k$ and all circuits $C \in \mathcal{C}$, if $\delta_i \leftarrow$ Sign(sk, $\tau$, $i$, $\mu_i$) and $\delta \leftarrow$ Eval(pk, $\tau$, $\{(\mu_i, \delta_i)\}_{i \in [k]}$, $C$), we have Verify(pk, $\tau$, $C(\mu_1, \mu_2, \dots, \mu_k)$, $\delta$, $C$) = 1.

A signature scheme is fully homomorphic if it is homomorphic for all polynomial-size circuits. In this work, we construct leveled fully homomorphic signature schemes, i.e., they are homomorphic for all polynomial-depth circuits. Next, we define the selectively unforgeable security for homomorphic signature schemes via the following game between a probabilistic polynomial time adversary $A$ and a challenger $S$.

• The adversary chooses $(\tau^*, \mu^*, C^*)$ as the challenged information and gives all information to the challenger.
• The challenger generates (pk, sk) and gives pk to the adversary.
• The adversary can make an arbitrary polynomial number of signing queries. In the $i$-th query, the adversary chooses a fresh tag $\tau_i \in \{0, 1\}^\lambda$ and a $k$-length message set $(\mu_{i1}, \dots, \mu_{ik}) \in \mathcal{M}^k$. The challenger generates the collection of signatures $(\delta_{i1}, \delta_{i2}, \dots, \delta_{ik})$ for the $i$-th query and sends it to the adversary.
• The adversary outputs a signature $\delta^*$ for the chosen tag $\tau^*$, a message $\mu^*$ and the circuit $C^*$.

If Verify(pk, $\tau^*$, $\mu^*$, $\delta^*$, $C^*$) = 1, then the adversary $A$ wins the game. Due to the definition of selective unforgeability, the adversary can query the signatures of the challenged message vector $\mu^*$. In order to make the challenger respond for the challenged message vector, we set the adversary's challenged plaintext as a set of messages, rather than a single message. In fact, there are two types of forgers: one is $\tau^* \ne \tau_i$ for all queried $i$, and the other is $\tau^* = \tau_i$ for some index $i$ but $\mu^* \ne C^*(\mu)$.

Definition 5 (Selective Unforgeability). A leveled homomorphic signature scheme (KeyGen, Sign, Eval, Verify) is selectively unforgeable if for any probabilistic polynomial time adversary, the probability of winning the above game is negligible.

3. Homomorphic Chameleon Hash Functions: Definition and Construction

In [24], Freeman embedded a homomorphic chameleon hash function to show the unforgeability of his homomorphic signature scheme. Based on this and the definition of chameleon hash function [18], a generic definition of HCHF is given in this section. Note that, compared to a chameleon hash function, HCHF has an additional property, i.e., homomorphism. Then we construct a class of HCHFs using the distinguished trapdoor function with preimage sampling technique [11-12].

Definition 6 (Homomorphic Chameleon Hash Function). For a message space $\mathcal{M}$ and a randomness space $\mathcal{U}$, a family of homomorphic chameleon hash functions is a collection $\mathcal{H} = \{h_i : \mathcal{M} \times \mathcal{U} \to \mathcal{V}\}$, where $i$ is the index and $\mathcal{V}$ is the range. There is an algorithm which can generate a public index $i$ and the corresponding trapdoor secret key $T_i$. Homomorphic chameleon hash functions consist of the following four properties:

• Uniformity property For a randomized index $i$, $\mu \in \mathcal{M}$, and $u \in \mathcal{U}$, the statistical distance between $(h_i, h_i(\mu, u))$ and $(U_{\mathcal{H}}, U_{\mathcal{V}})$ is negligible, where $U_{\mathcal{H}}$ and $U_{\mathcal{V}}$ denote the uniform distributions on $\mathcal{H}$ and $\mathcal{V}$.
For aHCHF a message M s-range. i is the and index and is(nithe is an lectively security for homomorphic signature schemes via the U, following between signature schemes, i.e., unforgeable they are homomorphic al- game Adv (  where )  space Adv (  ) a/ Qrandomness ).: M (26) umber of signing Innature the i-th query, uniform distributions and V. functions is agame collection HaU = {h Malgorithm × 2 queries. Next, we consider the other type oftime forgers: is→theV}, index can and V is the hash range. There is an unforgeable security for homomorphic sigaH family of iUhomomorphic chameleon schemes via the following between a,on which generate a public index i and i : where probabilistic polynomial adversary Apace and chall polynomial-depth circuits. Next, we define the se selective where iadversary is the index and VInHCHF istable the There ( range. ) the the Adv (an  )can /Q negl×(nU).signatures (26) algorithm generate a→public i and hemes via the following game between afor homomorphic _ _ The challenger atime public key for the functions is a 1, collection His = {h :trapdoor M V}, probabilistic polynomial A and aAdv chalcorresponding secret key index Treplenger S. generates lectively unforgeable security sigievaluated i . Homomor which original and algorithm which can generate a public index i and the selective stic polynomial timeadversary adversary A .and afollowing chalcorresponding trapdoor secret key T . Homomorchoosesgame the public parameters lenger S. where i is the index and V is the range. There is an phic chameleon hash functions consist of the nature schemes via thefirst between a i resent the signatures generated by the and Eval follow(  ) / Q  negl (n ). Sign (26) HCHF (  )  Adv  • The adversary (τ ∗ , µ∗ ,trapdoor C ∗ ) Adv as the thechooses corresponding secret key T . Homomorphic chameleon hash functions consist of the algorithm which can generate a public index i and ing four properties: areadversary the same as aabove. 
Then n, q, mpolynomial , s, B which i probabilistic time A and ∗ chal∗ ∗ respectively. “RO” is an abbreviation forfollow• Thechallenged adversary tinformation chooses (τ ,and µ ,gives the algorithm, all 2C m ) as phic chameleon hash functions consist of the following four properties: the corresponding trapdoor secret key T . Homomorsamples U ← ( D ) and lenger S. i ∗randomly ∗ ∗ i “Random Oracle”, and similarly “ST” isFor an aabbrevi,w ( loggives Zchallenger. m) e adversary chooses (τ , µ , C ) challenged as the information and all • Uniformity property randomized information to ingthe four properties: phic chameleon hash functions consist of the follow∗ challenger. ∗ allenged information andadversary gives allinformation • Uniformity index i, µproperty ∈ M, andFor u ∈a randomized U , the statistical • The challenger • The chooses (τ ∗to , µthe , Cgenerates ) as the (pk, sk) and gives pk ing four properties: • Uniformity property ormation to the challenger. index i, µ ∈((h M, and ∈ u)), U , the • Thetochallenger generates (pk, sk) and gives pkFor a randomized distance (Ustatistical the adversary. challenged information and gives all i , hiu(µ, H , UV )) is indexarbitrary i, µ ∈ M, and• uUniformity ∈ U , the statistical e challenger generates (pk, sk) and gives pk distance ((h , hi (µ,Uu)), (U , U the adversary. property For a iwhere randomized negligible, and U The adversary can make polynomial information toto•the challenger. H V denote V )) is the H distance (µ, u)), ))negligible, isand the adversary. • The challenger and U denote • The adversary can arbitrary polynomial index(Ui,Hµ, U ∈VM, u ∈ where U , the Ustatistical number of signing In((h the i-th uniform distributions on H and V.the generates (pk, sk)make andqueries. gives pk i , hiquery, H V negligible, where UH and UV denote the e adversary can make arbitrary polynomial number of signing queries. In the i-th query, distributions on H and V. distance ((huniform , h (µ, u)), (U , U )) is to the adversary. 
i i H V mber of signing queries. In the i-thcan query, uniform distributions on H and V.where UH and UV denote the negligible, • The adversary make arbitrary polynomial number of signing queries. In the i-th query, uniform distributions on H and V. τ*

*

*

*

*

*

*

*

*

*

*

*

* *

*

*

*

* ** *

*

*

*

*

*

*

*

*

*

*

*

*

**

*

*

*

**

*

*

*

* *

*

*

*

*

*

*

*

*

*

*

m

*

*

*

*

*

*

* *

**

*

*

*

*

Information Technology and Control

283

2017/2/46

Table 1 Comparison between our scheme and some classical homomorphic signature schemes Scheme

[7]

Bit length of the 8 public key

Bit length of the private key

Bit length of original Bit length of D.Xie, H.Peng,L.Li, Y.Yang signatures evaluatedand signatures

Model

Permissible functions

RO Linear m 2 log( log 2q) log 2q 2m log(σ 1 2m ) 2m log(kσ 1 2m ) ∗ and SampleRight used in the simulation are statistiS c message vector µ . Therefore, the challenger C∗ [8] RO Linear log( p + k + σ 2 cally ) + indistinguishable. log q σ m log( 0 . 5 m ) m 2 log( log q) using the compute the evaluated signature U m log(σ 2 m ) 2 ∗ If the adversary outputs a forgery (U∗ , µ∗ ) for val algorithm. Namely, [AAW]UC + C ∗ (µ∗ )G ∗ 2 ∗ ∗ [10] Any UC = [UC ∗ UC ∗ naturally tagq τ andm the log( circuit log q) C , 2we ( 2k + 3 + λ )the log (VB11, V2 , · · · ST , Vk ). Letting 2mC2 ∗log m 2 log( σ 3 2m )have 2 1 ∗ ∗ ∗ ∗ C∗ C∗ ∗ ∗ hAτ ∗ (U , µ ) = C (V1 , V2 , · · · , Vk ), i.e., [AAW]U we can also obtain h (U + WU , C (µ )) A 1 2 ∗ ∗ ∗ t ∗ ∗ Ours Any h (U∗ + WU∗ , µ∗ ) 2 V2 , · ·log · , qV)k ). Let m12,log( ( k + 3) +µ log qG = C (V (VB12, V2 , · · · ST , Vk ). Hence, 2mC2 ∗log 2m U log(= σ 4[U21mU ) 2] , A 1 2 ∗ ∗ ∗ ∗ ∗ ∗ C we haveA(U1 +WU2 )+µ G = C (V1 , V2 , · · · , Vk ). ∗ ∗ ∗ ∗ hA (UC 1 + WU2 , C (µ )). Since C (µ ) = ∗ ∗ ∗ ∗ Equivalently, hA (U1 +WU2 , µ ) = C (V1 , V2 , · · · , Vk ). the adversary finds a collision for the randomized f Figure 1 From Theorem 2, we can see that the challenger ly homomorphic chameleon function hA with adv C ∗ original Comparison of the bit lengths public/private keyUand signatures ∈ Zm×m and an integer S canofcompute a matrix q tage ∗ x ∈ Zq so that C ∗ (V1 , V2 , · · · , Vk ) = AUC + xG. ∗  In other words, hA (UC , x) = C ∗ (V1 , V2 , · · · , Vk ). (A)/Q − negl(n AdvHCHF (S A )  Advselective C∗ ∗ ∗ ∗ Therefore, we have hA (U , x) = hA (U1 +WU2 , µ ). (1 In the simulation game, all queried signatures are produced independently through SampleRight algo5. Efficiency rithm. The adversary A does not query signatures In this section, we consider the efficiency of o of all the messages with the∗ tag τ ∗ . Thus, A getscheme by comparing it with some existing classi s no information ∗about UC . 
The probability that homomorphic signature schemes in terms of the U∗1 + WU∗2 − UC = 0 can be negligible. From the length of the public/private key size, the bit length above analysis, the challenger finds a collision for the signatures, the security model and permissible fu fully homomorphic chameleon function hA with the tions homomorphic  50, c  30 (b) q  100000007, n  40, c  30 (c) qfor  100000007 , c  30computation. Table 1 sho (a) q  100000007, kadvantage the specific comparison results. In [13], Boneh a  Freeman presented a linearly homomorphic signat (A) − negl(n). AdvHCHF (S A )  Advselective scheme that can authenticate vectors defined over (16) ation for “Standard”. The last column “permissible ture scheme that can authenticate vectors defined nary fields. In order to generate the private key, th 2. Next, we consider the other type of forgers: functions” means that the signature scheme can over binary fields. In order to generate the private key, adopted the method introduced in [26], which c support the corresponding• type functions for ho- a they The of challenger S generates public key forthe method adopted introduced in [5], can lattices. Suppo generate short bases ofwhich hard random momorphic computation over data.A.Note that thesigned adversary S first chooses the public generate short bases ofthat hard random lattices. Suppose the generated trapdoor short basis (private k n, q,we m,should s, B which arethe the generated same if some entries in Table 1 areparameters non-integer, that trapdoor short key) has basis been (private shown that TA   O(n log is TA . It above. S randomly samples transform them into integersas using theThen ceil function. is . It has been shown that [5,7]. T T ≤ O ( n log q ) [13, 26]. Thus in our table, c is a constant so t A A t chooses Ui ← (DZm ,w(√log m) )2m and TA ≤ log to q. their constructi Thus in our table, c isT a constant solog that   cn q. According A W ∈ {−1, 1}m×m . 
Last, S computes According to their construction, themparameter m and parameter σ1 the parameter and the Gaussian √ √ Moreover, Vi = [AAW]Ui + µ∗i G mod theq.Gaussian parameter are set equal to σ 6 n set equal to 6n log q and  clognqlog  2qw( log n), 1 ∗ Efficiency Aftercthat, the2q w( logspectively. let B = AW − τ G mod q. and n log n ), respectively. In the same In the same year, they proposed ano challenger S outputs the public key linearly homomorphic er linearly homomorphic signature scheme in s In this section, we consider the efficiency of our year, they proposed another (A, B, G, {Vi }i∈[k] ). [8],which whichcan can authenticate aution 4 of4 of [14], any lin scheme by comparing it with some existing classical signature scheme in section • The challenger S generates signatures for the linear function function of signed vectors deof signed vectors defined over small fie homomorphic signature schemes in terms of the bit thenticate any ∗ , queried messages and the tag fined τi . If τover i = τsmall their scheme, fieldss Fp . In their scheme, pp and and qq are two primes length of the public/private key size, the bit length of the challenger aborts the game. Otherwise, S 2 . For convenience, we denote σ2 thatqq≥  two primes so that (nkp ) 2. For convenience, signatures, the security model and permissible func- the are √ (nkp) straightforwardly outputs signatures p log m m log q in Table In 2014, Boyen et we denote σ = p log m m log q in Table 1. In 1. 2014, tions for homomorphic computation. Table shows tag. 2 the 1challenged {Ui }i∈[k] for proposed an adaptively secure homomorphic sig the specific comparison results. In [7], Boneh and Boyen et al. proposed an adaptively secure homomorture scheme that can evaluate any Obviously, the challenger does not abort the Freeman presented a linearly homomorphic signa- phic signature scheme that can evaluate any circuit circuit over sign data [17]. In their game with probability 1/Q. 
Similarly to the above √ scheme, the Gaussian parame σ3 = w(m log q log m) and the upper bound of analysis, we can also find that the public keys and sigsize of evaluated signatures B1 = w(2d ), where natures in the real scheme and in the simulation game is the maximum depth of the circuits. According are statistically indistinguishable. section 4.2, the √ Gaussian parameter σ4 in our sche If the adversary outputs a forgery (U∗ , µ∗ ) for √ is equal to O( n log q)w( log m), and the up the tag τ ∗ and the circuit C ∗ , we naturally have ∗ ∗ ∗ bound B = 2dw(log λ) . In order to achieve the sa

284

Information Technology and Control

over signed data [10]. In their scheme, the Gaussian parameter σ3 = w(m log q log m) and the upper bound of the size of evaluated signatures B1 = w(2^d), where d is the maximum depth of the circuits. According to section 4.2, the Gaussian parameter σ4 in our scheme is equal to O(n log q) w(log m), and the upper bound B2 = (log λ). In order to achieve the same security level, all the above-mentioned homomorphic signature schemes adopt the same parameters when performing the TrapGen algorithm [5]. That is to say, the comparison is fair. Note that in Table 1, the first two signature schemes [7-8] are linearly homomorphic in the random oracle model and the latter two ([10] and ours) are fully homomorphic in the standard model. Nevertheless, the comparison result shows that the bit lengths of the private keys are almost exactly the same. Unfortunately, the bit lengths of evaluated signatures in fully homomorphic schemes are larger than those in linearly homomorphic schemes. However, the bit length of evaluated signatures in [10] is almost the same as that in our scheme.

Next, we compare the public key size and the size of the original signatures from an experimental point of view. In [8], the scheme requires two primes p and q. Thus in our experiments, we choose two specific primes p = 2 and q = 100000007 which can meet their requirements. The dimension of random lattices m and the specific constant c are set equal to ⌈6n log q⌉ and 30, respectively [7-8]. We set σ1 = c n log 2q log n, σ3 = m log q log m, and σ4 = n log q log m. In Fig. 1(a) and 1(b), we investigate the bit length of the public key in terms of the parameter n and the maximum size of the dataset k, respectively. Note that we set the security parameter λ in [10] to n. In Fig. 1(c), we investigate the bit length of original signatures in terms of n.

Evidently, the experimental results imply that the public key size and the size of original signatures in our scheme are smaller than those in [10]. Simultaneously, the public key size and the size of original signatures in our fully homomorphic signature scheme are larger than those in the two linearly homomorphic signature schemes [7-8]. It is acceptable because fully homomorphic signatures can support any homomorphic computation over signed data, rather than linear homomorphic computation. This may be a compromise between functionality and efficiency.
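The collision argument in the unforgeability proof, which rests on the form h_A(U, x) = AU + xG, can be replayed with toy numbers. The Python sketch below is an added example, not code from the paper: the modulus and dimensions are constructed, a gadget-style trapdoor A·T = G stands in for the TrapGen and SampleRight algorithms, and the gate rules are the standard gadget-matrix ones, assumed here because Theorem 2 is not reproduced in this section.

```python
import random

Q = 12289              # toy modulus (constructed; far too small for real security)
N = 3                  # rows of A
K = Q.bit_length()     # bits needed to write any element of Z_Q
W = N * K              # columns of the gadget matrix G
M = 2 * N + W          # rows of every randomness matrix U

# Gadget matrix G = I_N (x) (1, 2, 4, ..., 2^(K-1)), size N x W.
G = [[1 << (j - i * K) if i * K <= j < (i + 1) * K else 0 for j in range(W)]
     for i in range(N)]

def matmul(X, Y):
    cols = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in cols] for row in X]

def lin(a, X, b, Y):
    """Entrywise a*X + b*Y mod Q."""
    return [[(a * x + b * y) % Q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def norm(U):
    """Largest absolute entry of U, using centred representatives mod Q."""
    return max(min(u % Q, -u % Q) for row in U for u in row)

def g_inv(V):
    """Bit-decompose V into a 0/1 matrix D (W x W) with G*D = V mod Q."""
    D = [[0] * W for _ in range(W)]
    for i in range(N):
        for j in range(W):
            for b in range(K):
                D[i * K + b][j] = (V[i][j] >> b) & 1
    return D

def keygen(rng):
    """A = [A_bar | G - A_bar*R], so A*T = G for the short trapdoor T = [R; I]."""
    A_bar = [[rng.randrange(Q) for _ in range(2 * N)] for _ in range(N)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in range(2 * N)]
    right = lin(1, G, -1, matmul(A_bar, R))
    A = [a + r for a, r in zip(A_bar, right)]
    T = R + [[int(i == j) for j in range(W)] for i in range(W)]
    return A, T

def h(A, U, x):
    """h_A(U, x) = A*U + x*G mod Q, the form used in the proof."""
    return lin(1, matmul(A, U), x, G)

def sign(A, x, rng):
    """Toy signing: draw a short U and publish V = h_A(U, x). The paper instead
    fixes V in the public key and samples U with the trapdoor."""
    U = [[rng.choice((-1, 0, 1)) for _ in range(W)] for _ in range(M)]
    return U, x, h(A, U, x)

def eval_add(s1, s2):
    (U1, x1, V1), (U2, x2, V2) = s1, s2
    return lin(1, U1, 1, U2), (x1 + x2) % Q, lin(1, V1, 1, V2)

def eval_mul(s1, s2):
    """V1*D = A*(U1*D + x1*U2) + x1*x2*G with D = g_inv(V2)."""
    (U1, x1, V1), (U2, x2, V2) = s1, s2
    D = g_inv(V2)
    return lin(1, matmul(U1, D), x1, U2), (x1 * x2) % Q, matmul(V1, D)

def trapdoor_open(T, U, x, x_new):
    """Chameleon property: U' with h_A(U', x_new) = h_A(U, x), because A*T = G."""
    return lin(1, U, x - x_new, T)

def demo(seed=2017):
    rng = random.Random(seed)
    A, T = keygen(rng)
    s1, s2, s3 = (sign(A, x, rng) for x in (1, 0, 1))   # constructed messages
    U_c, x_c, V_c = eval_add(eval_mul(s1, s3), s2)      # C(x1, x2, x3) = x1*x3 + x2
    x_f = 0                                             # wrong output, x_f != C(x)
    U_f = trapdoor_open(T, U_c, x_c, x_f)               # second opening of V_c
    Z = lin(1, U_f, -1, U_c)                            # difference of the openings
    return {
        "output": x_c,
        "evaluated_ok": h(A, U_c, x_c) == V_c,
        "collision": x_f != x_c and h(A, U_f, x_f) == V_c,
        "relation": matmul(A, Z) == lin(x_c - x_f, G, 0, G),
        "norms": (norm(s1[0]), norm(U_c), norm(Z)),
    }

if __name__ == "__main__":
    print(demo())
```

The "relation" entry checks that two openings of the same evaluated hash to different outputs give a short Z with A·Z = (x_c − x_f)·G mod q, and the middle "norms" entry shows the evaluated randomness growing past the fresh value 1 after a single multiplication gate.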

Conclusions

In this paper, we first construct a type of HCHFs based on the SIS problem in hard random lattices. Then we use this type of HCHFs to construct fully homomorphic signature schemes for poly-depth circuits. Our construction has many advantages compared to previous work on this topic. It is secure in the standard model and the public parameters grow linearly in the size of the input circuit. The public key size and the bit length of original signatures of our scheme are smaller than those of the classical fully homomorphic signature scheme [10]. Our future work mainly focuses on designing fully homomorphic signature schemes with constant-size public keys. From a security perspective, the security parameter of the SIS problem in our scheme is β = m ( 2 + 1) = O ( m1.5 2 (log λ ) ). In fact, the size of the evaluated signatures B affects the security of our scheme. Another open problem is to construct fully homomorphic signature schemes in which the size of evaluated signatures is smaller than that in ours.

Acknowledgments

The authors gratefully thank the reviewers for their valuable comments. This paper is supported by the National Key Research and Development Program of China (Grant no. 2016YFB0800602), the National Natural Science Foundation of China (Grant nos. 61573067, 61472045), and the Beijing City Board of Education Science and technology key project (Grant no. KZ201510015015), the Beijing City Board of Education Science and technology project (Grant no. KM 201510015009).

References

1. Agrawal, S., Boneh, D., Boyen, X. Efficient lattice (H)IBE in the standard model. Advances in Cryptology-EUROCRYPT, 2010, 553-572. https://doi.org/10.1007/978-3-642-13190-5_28
2. Agrawal, S., Boyen, X., Vaikuntanathan, V., Voulgaris, P., Wee, H. Functional encryption for threshold functions (or fuzzy ibe) from lattices. Public Key Cryptography. Springer, Berlin-Heidelberg, 2012, 280-297.
3. Agrawal, S., Freeman, D. M., Vaikuntanathan, V. Functional encryption for inner product predicates from learning with errors. Advances in Cryptology-ASIACRYPT. Springer, Berlin-Heidelberg, 2011, 21-40.
4. Ajtai, M. Generating hard instances of lattice problems. Extended abstracts of the Proceedings of the 28 annual ACM symposium on Theory of computing, 1988.
5. Alwen, J., Peikert, C. Generating shorter bases for hard random lattices. Theory of Computing Systems, 2011, 48, 535-553. https://doi.org/10.1007/s00224-010-9278-3
6. Barbosa, M., Farshim, P. On the semantic security of functional encryption schemes. Public Key Cryptography. Springer, Berlin-Heidelberg, 2013, 143-161.
7. Boneh, D., Freeman, D. M. Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. Public Key Cryptography, volume 6571 of Lecture Notes in Computer Science. Springer, 2011, 1-16.
8. Boneh, D., Freeman, D. M. Homomorphic signatures for polynomial functions. Advances in Cryptology-EUROCRYPT, 2011, 149-168. https://doi.org/10.1007/978-3-642-20465-4_10
9. Boyen, X. Attribute-based functional encryption on lattices. Theory of Cryptography. Springer, Berlin-Heidelberg, 2013, 122-142.
10. Boyen, X., Fan, X., Shi, E. Adaptively Secure Fully Homomorphic Signatures Based on Lattices. IACR Cryptology ePrint Archive, 2014, 916.
11. Brakerski, Z., Gentry, C., Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ACM, 2012, 309-325. https://doi.org/10.1145/2090236.2090262
12. Brassard, G., Chaum, D., Crépeau, C. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 1988, 37, 156-189. https://doi.org/10.1016/0022-0000(88)90005-0
13. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C. Bonsai trees, or how to delegate a lattice basis. Journal of Cryptology, 2012, 25, 601-639. https://doi.org/10.1007/s00145-011-9105-2
14. Dodis, Y., Reyzin, L., Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. Advances in Cryptology-Eurocrypt. Springer, Berlin-Heidelberg, 2004, 523-540.
15. Freeman, D. M. Improved security for linearly homomorphic signatures: A generic framework. In: International Workshop on Public Key Cryptography. Springer, Berlin-Heidelberg, 2012, 697-714. https://doi.org/10.1007/978-3-642-30057-8_41
16. Gennaro, R., Katz, J., Krawczyk, H., Rabin, T. Secure network coding over the integers. Public Key Cryptography. Springer, 2010, 142-160.
17. Gentry, C. Fully homomorphic encryption using ideal lattices. Proceedings of the 41 Annual ACM Symposium on Theory of Computing, ACM, 2009, 169-178. https://doi.org/10.1145/1536414.1536440
18. Gentry, C., Halevi, S., Vaikuntanathan, V. i-hop homomorphic encryption and rerandomizable Yao circuits. Advances in Cryptology-CRYPTO. Springer, Berlin-Heidelberg, 2010, 155-172.
19. Gentry, C., Peikert, C., Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth Annual ACM Symposium on Theory of Computing, ACM, 2008, 197-206. https://doi.org/10.1145/1374376.1374407
20. Krawczyk, H., Rabin, T. Chameleon hashing and signatures. IACR Cryptology ePrint Archive, 1998, 10.
21. Micciancio, D., Peikert, C. Trapdoors for lattices: Simpler, tighter, faster, smaller. Advances in Cryptology-EUROCRYPT. Springer, Berlin-Heidelberg, 2012, 700-718.
22. Micciancio, D., Regev, O. Worst-case to average-case reductions based on Gaussian measures. SIAM Journal on Computing, 2007, 37(1), 267-302. http://epubs.siam.org/doi/abs/10.1137/S0097539705447360
23. Mohassel, P. One-time signatures and chameleon hash functions. Selected Areas in Cryptography. Springer, Berlin-Heidelberg, 2011, 302-319. https://doi.org/10.1007/978-3-642-19574-7_21
24. Shpilka, A., Yehudayoff, A. Arithmetic circuits: A survey of recent results and open questions. Foundations and Trends in Theoretical Computer Science, 2010, 5, 207-388. https://doi.org/10.1561/0400000039
25. Van, D. M., Gentry, C., Halevi, S., Vaikuntanathan, V. Fully homomorphic encryption over the integers. Advances in Cryptology-EUROCRYPT. Springer, Berlin-Heidelberg, 2010, 24-43.
26. Xie, D., Peng, H., Li, L., Yang, Y. Efficient Post-Quantum Secure Network Coding Signatures in the Standard Model. KSII Transactions on Internet and Information Systems, 2016, 10, 2427-2445.


Summary

Homomorphic signature schemes provide a feasible solution to the authenticity of computations on an untrusted server (e.g. cloud). In a homomorphic signature scheme, given a k-length message set µ = {µ1, µ2, …, µk} and its corresponding signed dataset δ = {δ1, δ2, …, δk}, anyone can publicly perform homomorphic computations and produce a new signature δ' for the messages µ' = f(µ1, µ2, …, µk), where f is a function or a circuit. If the generated homomorphic signature δ' is valid, then the owner of the dataset (e.g. cloud users) is convinced that µ' is indeed the correct output of the function f over the original messages even if he/she forgets them. In this work, the main contribution is to build a bridge between the leveled Fully Homomorphic Signature Scheme (FHSS) and Homomorphic Chameleon Hash Function (HCHF), which is a new cryptographic primitive introduced by us based on prior works. We first present the definition and specific construction of HCHF and then use this forceful technique to construct leveled fully homomorphic signature schemes for any polynomial-depth circuit. In our standard model scheme, the size of evaluated homomorphic signature grows polynomially in the depth of the circuit. The security of our scheme is based on the property of collision resistance of HCHF, which can be reduced to the Small Integer Solution (SIS) in hard random lattices.

Homomorphic signature schemes offer a feasible solution for establishing the authenticity of computations on an untrusted server (e.g., the cloud). In a homomorphic signature scheme, given a k-length message set μ = {μ1, ..., μk} and the corresponding signed dataset δ = {δ1, ..., δk}, anyone can publicly perform homomorphic computations and produce a new signature δ' for the messages μ' = f{μ1, μ2, μ3, ..., μk}, where f is a circuit function. If the resulting homomorphic signature δ' is valid, the owner of the dataset (e.g., a cloud user) is convinced that μ' is indeed the correct output of the function f with respect to the original messages (even if they have been forgotten). The main contribution of this paper is to build a bridge between the leveled Fully Homomorphic Signature Scheme (FHSS) and the Homomorphic Chameleon Hash Function (HCHF), a new cryptographic primitive introduced by the authors on the basis of their earlier work. The paper first defines HCHF and presents its specific construction, and then applies this powerful technique to construct leveled fully homomorphic signature schemes for any polynomial-depth circuit. In the authors' standard-model scheme, the size of evaluated homomorphic signatures grows polynomially in the depth of the circuit. The security of the scheme rests on the collision resistance of HCHF, which can be reduced to the Small Integer Solution (SIS) problem in hard random lattices.