A Provably Secure Lattice-Based Fuzzy Signature Scheme Using Linear Sketch

Fuzzy signatures (FS) are a kind of signature scheme that employs a noisy string (e.g., biometric data) as the secret key without requiring user-specific auxiliary data. As the quantum computing era approaches, some research has been devoted to quantum-resistant FS schemes, which can be classified into the fuzzy extractor (FE) approach and the linear sketch (LS) approach. However, the existing schemes that use FEs to obtain (variants of) fuzzy signatures must produce user-specific auxiliary information, known as helper data, to retrieve the secret key, which adds computational cost. In light of this, we construct a fuzzy signature scheme from a linear sketch, since this approach derives the secret key without user-specific auxiliary data. We modify the linear sketch that is the essential ingredient of the most practical fuzzy signature to date, proposed by Katsumata et al. (CCS '21), and combine it with Lyubashevsky's lattice-based signature scheme (EUROCRYPT '12) to obtain our lattice-based fuzzy signature scheme. To further substantiate the security of the proposed scheme, we give a rigorous security proof in the random oracle model. Finally, a comparison indicates that our FS scheme not only avoids the use of an FE but also compares favourably in efficiency with the existing quantum-resistant FS schemes.


I. INTRODUCTION
Digital signatures are an indispensable component of modern cryptography, which is itself a cornerstone of information security. They are widely used in communication, electronic commerce and national defense because they provide non-repudiation, data integrity and unforgeability. Many kinds of signatures have been proposed to meet society's need for security services in different scenarios. One special kind of digital signature, the fuzzy signature [1], offers better usability and better protection of the secret key by using noisy data (e.g., biometric data) instead of a traditional number-based password.
The associate editor coordinating the review of this manuscript and approving it for publication was Barbara Masucci .
As is well known, the security of modern cryptographic applications usually rests on the secret keys. Users therefore need to guard their secret keys carefully; typically they store the key on a USB token or a smart card and remember a password to activate it, so carrying an additional device is unavoidable. This limitation causes inconvenience and reduces usability. One promising solution is to use biometric data such as fingerprints, irises and faces as secret keys, since they are part of the body and unique to each person. Biometrics has a wide range of applications, especially in cybersecurity and personal privacy. However, biometric data cannot be used directly in a cryptographic scheme (as the signing key), since it is not uniformly distributed and fluctuates each time it is captured. Several methods have therefore been proposed to address this issue, such as fuzzy extractors (FEs) [2], [3], [4], [5], [6] and fuzzy signatures [1], [5], [7], [8]. FEs rely on user-specific auxiliary information, called helper data, to retrieve the secret key. In contrast, fuzzy signatures allow users to sign with their biometric data directly, without user-specific auxiliary data, which offers a more straightforward solution to the above problem. We therefore focus on fuzzy signatures in this paper.
Fuzzy signatures [1] are a kind of digital signature that uses a noisy string (e.g., biometric data) as the secret key to generate a signature, without depending on user-specific auxiliary data. In a fuzzy signature scheme, key generation takes a noisy string x and a public parameter pp_FS produced by the setup algorithm as inputs, and outputs a public key pk. The signing algorithm takes a message m and another noisy string x′ as inputs, and outputs a signature σ. The verification algorithm takes a message-signature pair (m, σ) and pk as inputs, and outputs 1 if σ is a valid signature on m and 0 otherwise. That is, a message m signed with the fuzzy data x′ can be verified under the public key pk generated from another fuzzy data x that is close to x′.
To our knowledge, using a linear sketch [1], [7], [9] is the more promising approach to constructing a fuzzy signature. The linear sketch is the building block that copes with fuzzy data inside a fuzzy signature scheme. A linear sketch scheme, formally defined in [1], consists of three algorithms (LS.Setup, LS.Sketch, LS.DiffRec). LS.Sketch takes a public parameter pp_LS produced by LS.Setup and a fuzzy data x as inputs, and outputs a sketch c and a proxy key S (which plays the role of a secret key). The difference reconstruction algorithm LS.DiffRec takes pp_LS, c and c′ as inputs, and outputs the difference ΔS = S′ − S. Hence the secret key S is obtained directly from the fuzzy data x by LS.Sketch, with no helper data. Quantum-resistant fuzzy signatures built from a linear sketch have received little attention so far [8], and constructing one is non-trivial.

A. OUR CONTRIBUTION
The main contributions of our work are summarized as follows:
• We propose a lattice-based fuzzy signature scheme built from a modified linear sketch. More specifically, we replace the universal hash function UH in the linear sketch of Katsumata et al. [7] by a mapping h, so that the sketch becomes applicable to the lattice-based scheme of [10]. Since this modification keeps the original functionality and structure, our modified linear sketch inherits the conceptually clean construction of Katsumata et al. [7], who proposed the first fuzzy signature that was implemented efficiently and securely. Our scheme is thus not only a theoretical result but also a candidate for implementation.
• We modify Lyubashevsky's lattice-based signature scheme [10] and combine it with the above modified linear sketch to obtain a fuzzy signature scheme whose security relies on a lattice-based hardness assumption.
To further illustrate the security of our scheme, we give a rigorous security proof in the random oracle model. In addition, Table 1 indicates that our scheme achieves promising efficiency among the existing lattice-based fuzzy signature schemes.

B. OUR APPROACH
This work proposes a lattice-based fuzzy signature scheme built from a linear sketch. Since most existing fuzzy signatures constructed from a linear sketch [1], [7], [9], [13] rely on traditional number-theoretic assumptions, their linear sketch schemes cannot be used directly in the lattice-based setting. We modify the linear sketch of [7], the first fuzzy signature scheme that can be implemented securely and efficiently, so that the modified linear sketch both retains the prospect of an implementation and is applicable to lattice-based schemes. Concretely, we replace the universal hash function in the algorithm LS.Sketch of [7] by a mapping h. This modification makes the modified linear sketch usable in a lattice-based signature scheme while keeping its original functionality and structure unchanged. In the security proof there are two ways of answering the forger's signing queries: either using the (simulated) secret key, or generating signatures directly from a distribution without any secret key. Although our scheme is based on [10], we do not prove its security in the same way as [10]: we choose the former method, since we cannot easily produce signatures without the proxy key S′, and this is what lets the simulator produce signatures in the signing queries that are indistinguishable from real ones.

C. RELATED WORK
The concept of fuzzy signatures was first introduced by Takahashi et al. [1], who gave the formal definition of fuzzy signatures together with its two building blocks, the fuzzy key setting and the linear sketch, and proposed a generic construction of a fuzzy signature from an ordinary signature scheme with a homomorphic property on keys. Matsuda et al. [9] then gave a relaxed version of fuzzy signatures by weakening some requirements on the building blocks, for example allowing ordinary signatures with a weaker form of key homomorphism, so that in their instantiations Waters signatures [14] could be replaced with Schnorr signatures [15]. In 2017, Yasuda et al. [16] showed that the linear sketch of [1] and [9] is vulnerable to their ''recovering attacks'' because of the treatment of real numbers in the linear sketch. Takahashi et al. [13] subsequently addressed the problem by rounding down (truncating) the decimal part of the real numbers, at the cost of a loss of correctness in their schemes.
In 2021, Katsumata et al. [7] proposed a simpler, more efficient and more direct construction of fuzzy signatures from Schnorr signatures [15] with a simpler linear sketch based on lattices. They showed that this fuzzy signature scheme can be implemented efficiently and securely with the help of some novel statistical techniques, and they gave experimental results on a real-world finger-vein database showing that the finger veins of one hand suffice to build secure and efficient fuzzy signatures. The work of [7] was a breakthrough in moving fuzzy signatures from theory-oriented research towards practice.
Little attention has been paid to (variants of) quantum-resistant fuzzy signatures [5], [6], [8]. Concretely, the reusable fuzzy signature instantiated in [5] is built on a reusable FE [17] based on learning with errors (LWE). The work in [6] proposed a variant of fuzzy signatures from the lattice-based signature scheme of [10] and the FE of [2]; specifically, [6] redefined the notion of fuzzy signatures from [1] and relaxed the security model of [1] by relaxing the requirement on the error distribution of the fuzzy data.
To the best of our knowledge, [8] is the only quantum-resistant fuzzy signature scheme constructed from a linear sketch. The work of [8] gave a generic construction of fuzzy signatures from a linear sketch and an ordinary signature scheme SS, and instantiated it with a concrete LWE-based signature scheme and a concrete linear sketch. We highlight that our scheme is not an instantiation of [8]: the signing algorithm, the verification algorithm and the linear sketch of the generic construction in [8] all differ from ours. In particular, the signing algorithm of [8] re-runs the key generation algorithm of SS to produce another public/secret key pair, whose secret key is then fed to the signing algorithm of SS and to the linear sketch. Our scheme does not run key generation again in the signing phase; it uses an output of our linear sketch directly as the secret key. Moreover, unlike [8], we give a rigorous security proof in the random oracle model.
In addition, although our scheme does not reach the best figures in Table 1, it shows promising efficiency among the existing lattice-based fuzzy signature schemes.

D. ROADMAP
The remainder of this paper is arranged as follows. Section II introduces some preliminaries used in this paper. Linear sketch, an essential building block of fuzzy signatures, is recalled in Section III. In Section IV, we propose our lattice-based fuzzy signature scheme and give its security analysis. Furthermore, Section V concludes this paper.

II. PRELIMINARIES
In this section, we recall some basic notations, results and definitions that will be used in the paper.

A. NOTATION
Throughout the paper, R, N and Z denote the sets of real numbers, natural numbers and integers, respectively. log denotes the logarithm to base 2. κ ∈ N denotes the security parameter, and q is a polynomial-size prime. Vectors are denoted by bold lower-case letters (e.g., x) and matrices by bold capital letters (e.g., X). All vectors are column vectors, and x^⊤ is the transpose of x. ∥x∥_2 denotes the ℓ_2 norm of a vector x. The notation ← denotes random selection of an element from a set or distribution. DPT (resp. PPT) abbreviates deterministic (resp. probabilistic) polynomial time. A function f(n) is negligible in n if for every positive c and all large enough n, f(n) < n^{−c}. We use the standard asymptotic notation (big-O and its relatives) to classify the growth of functions f(x) and g(x) mapping positive integers to non-negative real numbers. We say that
Note that all operations on elements of Z_q end with a reduction modulo q; we usually omit writing the modulus in such equations. For example, the product of a matrix A ∈ Z_q^{n×n} and a vector y ∈ Z^n is a vector in Z_q^n.

B. DIGITAL SIGNATURES
We recall the definition of digital signature schemes.
A signature scheme is said to be secure if any forger, after seeing signatures on messages of his choosing, has only negligible probability of signing a message whose signature he has not already seen [18]. The standard security notion for digital signature schemes is existential unforgeability under adaptive chosen-message attacks (EUF-CMA) [11], [12], usually formulated as a game: a forger F must not be able to produce a valid signature on a new message after adaptively querying signatures on messages of its choice. Formally, consider the following EUF-CMA game between a challenger C and a forger F.
• KGen: The challenger C runs (pk, sk) ← KGen(1^κ), sends the public key pk to the forger F, and keeps the secret key sk to itself.
• Signing: The forger F may query messages adaptively. When F asks for a signature on a fresh message M, the challenger C computes σ_M ← Sign(sk, M) and sends it to F. F may repeat such queries polynomially many times.
• Forge: Finally, F outputs a message-signature pair (M*, σ_{M*}). Let Q be the set of all messages queried by F. The challenger C outputs 1 if M* ∉ Q and Vrfy(pk, M*, σ_{M*}) = 1, and 0 otherwise.
A signature scheme (KGen, Sign, Vrfy) is EUF-CMA secure if no PPT forger wins the above game with non-negligible probability.
Definition 2 (EUF-CMA Security): Let κ be the security parameter. A signature scheme is existentially unforgeable under chosen-message attacks if the advantage Adv^{euf-cma}_F(1^κ) = Pr[C outputs 1] is negligible in κ for every PPT forger F.

C. LATTICE AND GAUSSIAN DISTRIBUTION
A special family of lattices, the q-ary lattices, contains qZ^m as a sublattice for some small integer q. Let A ∈ Z_q^{n×m} for positive integers n, m, q, and consider the m-dimensional q-ary lattice Λ_q^⊥(A) = {v ∈ Z^m : Av = 0 mod q}. Given a uniformly random matrix A ∈ Z_q^{n×m}, the small integer solution problem (SIS_{q,m,n,β}) asks for a non-zero vector v ∈ Λ_q^⊥(A), i.e. Av = 0 mod q, with ∥v∥_2 ≤ β. Formally [19]:
Definition 3 (SIS_{q,m,n,β} problem): Given a random matrix A ← Z_q^{n×m}, find a non-zero vector v ∈ Z^m such that Av = 0 mod q and ∥v∥_2 ≤ β.
Definition 4: The continuous normal distribution over R^m centered at v with standard deviation σ is defined by the
and more specifically, for any v ∈ Z^m, if σ = α∥v∥ for any positive α, then
Lemma 3: For any positive integer m, any vector y ∈ Z^m and large enough σ ≥ ω(√(log m)), we have that
Lemma 4: Let d be a small positive integer. For any A ∈ Z_q^{n×m} with q prime, n a positive integer and m > 64 + n·log q / log(2d + 1), if s ← {−d, …, 0, …, d}^m is chosen uniformly at random, then with probability 1 − 2^{−100} there exists another s′ ∈ {−d, …, 0, …, d}^m such that As = As′.
Rejection sampling is a well-known technique introduced by John von Neumann [22] for sampling from a target distribution f: given access to samples from a different distribution g, a sample x drawn from g is accepted with probability f(x)/(M·g(x)), where M ∈ R^+ is chosen so that f(x) ≤ M·g(x). We use the following rejection sampling theorem from [10].
Theorem 1: Let V be a subset of Z^m in which all elements have norm at most T, let σ ∈ R satisfy σ = ω(T√(log m)), and let h: V → R be a probability distribution. Then there exists a constant M = O(1) such that the distribution of the following algorithm A:
of the distribution of the following algorithm B:
More concretely, if σ = αT for any positive α, then M = e^{12/α + 1/(2α²)}, the output of algorithm A is within statistical distance 2^{−100}/M of the output of B, and the probability that A outputs something is at least (1 − 2^{−100})/M.
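As an added illustration (our code, not the paper's), the following Python block implements algorithm A of Theorem 1 as it is stated in [10]: draw y ← D^m_σ, set z = v + y for a secret-dependent centre v with ∥v∥ ≤ T (in the signing algorithm of Section IV-B this centre is S′h), and output z with probability min(1, D^m_σ(z) / (M·D^m_{v,σ}(z))). The accepted z is then distributed like the secret-independent algorithm B (z ← D^m_σ, output with probability 1/M), which is what allows a simulator to answer signing queries without the key. Assumptions: the discrete Gaussian over Z is sampled from a table truncated at 12σ, and the names accept_prob, rejection_sample and estimate_acceptance_rate are ours.

```python
"""Rejection sampling of Theorem 1 (Lyubashevsky [10]); added example, not the paper's code.
Algorithm A: y <- D^m_sigma, z = v + y, output z with probability
min(1, D^m_sigma(z) / (M * D^m_{v,sigma}(z))).  Up to the statistical distance of
Theorem 1 the accepted z is distributed like algorithm B: z <- D^m_sigma, output with
probability 1/M, i.e. independently of the centre v.
Assumption: D_{Z,sigma} is sampled from a table truncated at |t| <= 12 sigma."""
import math
import random


def discrete_gaussian_table(sigma, tail=12):
    """Support and (unnormalised) weights of D_{Z,sigma}, truncated to |t| <= tail*sigma."""
    bound = int(math.ceil(tail * sigma))
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-(t * t) / (2.0 * sigma * sigma)) for t in support]
    return support, weights


def sample_dgauss_vec(m, table, rng):
    """One sample from D^m_sigma: m independent coordinates drawn from the table."""
    support, weights = table
    return rng.choices(support, weights=weights, k=m)


def inner(a, b):
    return sum(x * y for x, y in zip(a, b))


def lyubashevsky_M(alpha):
    """M = exp(12/alpha + 1/(2 alpha^2)) from Theorem 1, for sigma = alpha * T."""
    return math.exp(12.0 / alpha + 1.0 / (2.0 * alpha * alpha))


def accept_prob(z, v, sigma, M):
    """min(1, D_sigma(z) / (M * D_{v,sigma}(z))).  The Gaussian normalisers cancel, so
    D_sigma(z)/D_{v,sigma}(z) = exp((||z - v||^2 - ||z||^2) / (2 sigma^2))
                              = exp((||v||^2 - 2<z, v>) / (2 sigma^2))."""
    expo = (inner(v, v) - 2.0 * inner(z, v)) / (2.0 * sigma * sigma)
    return min(1.0, math.exp(expo) / M)


def rejection_sample(v, sigma, M, rng=None, table=None, max_tries=10000):
    """Algorithm A of Theorem 1 with a secret-dependent centre v (S'h in Sec. IV-B).
    Returns (z, tries); z is None if all max_tries attempts were rejected."""
    rng = rng if rng is not None else random.Random()
    table = table if table is not None else discrete_gaussian_table(sigma)
    for tries in range(1, max_tries + 1):
        y = sample_dgauss_vec(len(v), table, rng)
        z = [vi + yi for vi, yi in zip(v, y)]
        if rng.random() < accept_prob(z, v, sigma, M):
            return z, tries
    return None, max_tries


def estimate_acceptance_rate(v, sigma, M, trials, seed):
    """Fraction of single attempts of algorithm A that are accepted; Theorem 1 predicts ~1/M."""
    rng = random.Random(seed)
    table = discrete_gaussian_table(sigma)
    accepted = 0
    for _ in range(trials):
        y = sample_dgauss_vec(len(v), table, rng)
        z = [vi + yi for vi, yi in zip(v, y)]
        if rng.random() < accept_prob(z, v, sigma, M):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    v = [1, -1, 0, 1]                              # constructed centre with ||v|| <= T = 2
    alpha, T = 12, 2
    sigma, M = alpha * T, lyubashevsky_M(alpha)    # sigma = 24, M = e^(1 + 1/288)
    print("M =", M, "expected acceptance 1/M =", 1 / M)
    print("observed acceptance:", estimate_acceptance_rate(v, sigma, M, 3000, 42))
    print("one accepted sample:", rejection_sample(v, sigma, M, random.Random(1)))
```

The ratio D_σ(z)/(M·D_{v,σ}(z)) exceeds 1 only when ⟨z, v⟩ lies far in the Gaussian tail, so for α = 12 the observed acceptance matches 1/M ≈ 0.37; a smaller α gives a smaller σ (and hence shorter signatures) but a larger M and more rejected attempts, which is the trade-off the parameter choice in [10] balances.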

III. FUZZY SIGNATURES
Before recalling the definition of fuzzy signatures [7], [13], we first introduce its two important ingredients, fuzzy key setting and linear sketch. They are used to formalize how to deal with fuzzy data in a cryptographic scheme.

A. FUZZY KEY SETTING
The fuzzy key setting [1], [7] is an important building block of fuzzy signatures. It consists of five components (𝒳, X, ξ, Φ, ϵ) and is used to treat fuzzy data formally in cryptographic schemes.
• Fuzzy data space 𝒳: the space to which a possible fuzzy data x belongs. We assume that 𝒳 forms an Abelian group.
• Distribution X: the distribution of fuzzy data over 𝒳, i.e. X: 𝒳 → R.
• Acceptance region function ξ: 𝒳 → 2^𝒳: maps a fuzzy data x ∈ 𝒳 to a subset ξ(x) ⊂ 𝒳; if x′ ∈ ξ(x), then x′ is considered close to x. Two quantities, the false matching rate (FMR)³ and the false non-matching rate (FNMR)⁴ [23], are determined by ξ. The FMR is defined as:
• Error distribution Φ: the distribution that models the measurement error of fuzzy data. We assume the ''universal error model'', in which the measurement error is independent of the user.
³ FMR is the rate at which a biometric process mismatches biometric signals from two distinct individuals as coming from the same individual.
⁴ FNMR is the rate at which a biometric matcher misclassifies two captures from the same individual as being from different individuals.

B. LINEAR SKETCH
Linear sketch was first formally defined in [1]; later the work of [7] proposed a simpler one and gave a specific construction. Linear sketch is an essential ingredient in the constructions of fuzzy signatures [1], [7], [9], [13]; its purpose is to ''bridge'' fuzzy data and cryptographic operations. It is defined relative to a fuzzy key setting and consists of three algorithms. We recall the formal definition from [7].
Definition 6 (Linear Sketch): Let K = (𝒳, X, ξ, Φ, ϵ) be a fuzzy key setting with respect to a (finite) Abelian group (ψ, +). A linear sketch scheme LS for K and (ψ, +) consists of the following three polynomial-time algorithms.
• LS.Setup(K, (ψ, +)) → pp_LS: The setup algorithm takes the fuzzy key setting K and the description of the group as inputs, and outputs a public parameter pp_LS.
• LS.Sketch(pp_LS, x) → (c, S): The deterministic sketch algorithm takes pp_LS and a fuzzy data x ∈ 𝒳 as inputs, and outputs a sketch c and a proxy key S ∈ ψ.
• LS.DiffRec(pp_LS, c, c′) → ΔS: The deterministic difference reconstruction algorithm takes pp_LS and two sketches c and c′ (both produced by LS.Sketch) as inputs, and outputs the difference ΔS ∈ ψ.
Correctness. A linear sketch scheme LS for a fuzzy key setting K and (ψ, +) is correct if, for all x, x′ ∈ 𝒳 such that

C. FUZZY SIGNATURES
We now give the formal definition of fuzzy signatures [1], [7], [13]. Messages are signed with a fuzzy data x′, and the resulting signatures are verified under a public key pk generated from another fuzzy data x with x′ ∈ ξ(x). No secret key is defined explicitly in the scheme, since the fuzzy data x plays the role of the secret key.
Definition 7 (Fuzzy Signatures): A fuzzy signature scheme FS for a fuzzy key setting K = (𝒳, X, ξ, Φ, ϵ) with message space ℳ consists of the following four algorithms.
• FS.Setup(1^κ, K) → pp_FS: The setup algorithm takes the security parameter 1^κ and the fuzzy key setting K as inputs, and outputs a public parameter pp_FS.
• FS.KGen(pp_FS, x) → pk_FS: The key generation algorithm takes pp_FS and a fuzzy data x ∈ 𝒳 as inputs, and outputs a public key pk_FS.
• FS.Sign(pp_FS, x′, M) → σ_FS: The signing algorithm takes pp_FS, a fuzzy data x′ ∈ 𝒳 and a message M ∈ ℳ as inputs, and outputs a signature σ_FS.
• FS.Vrfy(pp_FS, pk_FS, M, σ_FS) → 0/1: The verification algorithm takes pp_FS, pk_FS and the message-signature pair (M, σ_FS) as inputs; output 1 (resp. 0) indicates that σ_FS is a valid (resp. invalid) signature on M under the public key pk_FS.
We recall the correctness and EUF-CMA security of fuzzy signatures [7]. Briefly, correctness requires that a signature produced with a fuzzy data x′ ∈ ξ(x) verifies under a public key pk_FS generated from x, and the parameter ϵ is connected to the probability
Formally, [7] defined ϵ-correctness and EUF-CMA security of fuzzy signatures. A fuzzy signature scheme FS for a fuzzy key setting K is ϵ-correct if, for all M ∈ ℳ, x ← X and e ← Φ, the following holds
where the probability is taken over the randomness of pp_FS ← FS.Setup(1^κ, K), pk_FS ← FS.KGen(pp_FS, x) and σ_FS ← FS.Sign(pp_FS, x + e, M).
EUF-CMA security of fuzzy signatures is defined as for standard signatures, except that the challenger answers signing queries with some x′ ∈ ξ(x) rather than with the original x used to generate pk_FS. The security of a fuzzy signature scheme FS for a fuzzy key setting K is defined by the following game between a challenger C and a forger F:
• Setup: The challenger C runs pp_FS ← FS.Setup(1^κ, K), x ← X and pk_FS ← FS.KGen(pp_FS, x), and sends the public parameter pp_FS and the public key pk_FS to the forger F.
Otherwise, it outputs 0. If the challenger C outputs 1, we say that the forger F wins the game. The advantage of F in the game is defined as

IV. A FUZZY SIGNATURE SCHEME FROM LATTICE
In this section, we first provide an instantiation of linear sketch, which is modified from an existing linear sketch in [7]. Then we introduce our concrete fuzzy signature from lattice, and finally give a rigorous proof of our scheme.

A. THE MODIFIED LINEAR SKETCH
Katsumata et al. [7] used lattices [24] to construct their linear sketch. A lattice is both discrete and linear, which lets it represent fuzzy data properly and connect fuzzy data with cryptographic operations.
In the following, we first recall the basic definition of a lattice and several lattice-related notions. We then give the mapping h that replaces the universal hash function in the linear sketch of [7], explain in detail why this modification does not compromise the functionality or structure of the original linear sketch, and finally present the modified linear sketch scheme. Note that by the symmetry of lattices, VR_L(y) = VR_L(0) + y.
Let g_L: 𝒳 → L be the function g_L(x) = B⌊B^{−1}x⌋, where B is a basis of the lattice L and ⌊·⌋ is applied componentwise.

Hence we have that
The above shows that h is linear modulo (2d + 1), so the modified linear sketch is likewise linear modulo (2d + 1).
We use the mapping h to replace the universal hash function in the linear sketch of [7] because, as argued below, h offers pre-image resistance and collision resistance comparable to the universal hash function of [7], while making the modified linear sketch usable in the lattice-based setting. The modified linear sketch thus keeps the benefits of the original construction of [7] while being applicable to lattices. The analysis of h with respect to pre-image resistance and collision resistance follows.
For the function h_{(B,v)}(y) = (B^{−1}y) v^⊤ mod (2d + 1), write B^{−1}y = (x_1, …, x_m)^⊤ and v^⊤ = (v_1, …, v_k), and let h_{(B,v)}(y) = Z = (z_{ij})_{m×k} with i ∈ {1, …, m} and j ∈ {1, …, k}. Then z_{ij} = x_i v_j mod (2d + 1). Since the hash value Z and v^⊤ are public, there is a chance of ⌊q/(2d+1)⌉/q of obtaining the value of x_i (i.e., B^{−1}y); y itself is then obtained by left-multiplying B^{−1}y by B. Hence, with probability at most 1/(2d+1)^m, one can reveal the vector y from the hash value Z such that
The parameters of our scheme are inherited from [10], so 1/(2d+1)^m is small enough. Note, however, that because v is public, whenever some v_j is invertible modulo 2d + 1 (for d = 1 this is every v_j ≢ 0 mod 3) the residues x_i mod (2d + 1), i.e. B^{−1}y mod (2d + 1), can be computed from the j-th column of Z as z_{ij} v_j^{−1} rather than guessed; what Z leaves undetermined is y itself, which is fixed only up to (2d + 1)L, and the bound above should be read in that light.
We now analyze the probability of finding a collision for h. Suppose two different vectors y, y′ satisfy h_{(B,v)}(y) = h_{(B,v)}(y′). Rearranging, B^{−1}(y − y′) v^⊤ ≡ 0 mod (2d + 1). Since det B^{−1} ≠ 0 (and some v_j is a unit modulo 2d + 1), we obtain B^{−1}y ≡ B^{−1}y′ mod (2d + 1). Thus y and y′ collide exactly when y′ = y + (2d + 1)Bk for some k ∈ Z^m, i.e. y′ − y ∈ (2d + 1)L. However, the application scenario must be taken into account: h is used inside LS.Sketch(pp_LS, x) to produce the proxy key S, and its input y is kept private. Hence, for a fixed vector y unknown to the adversary, the chance of guessing a vector y′ with h_{(B,v)}(y′) = h_{(B,v)}(y) is at most 1/(2d+1)^m, so finding a collision is hard in this setting.

2) THE MODIFIED LINEAR SKETCH
Let K = (𝒳, X, ξ, Φ, ϵ) be a concrete fuzzy key setting with respect to a lattice L, where 𝒳 = R^m, X is a distribution over 𝒳 with the property that if x ← X then
and Φ is any efficiently samplable distribution over 𝒳 such that FNMR ≤ ϵ.
Combining the above building blocks, the modified linear sketch LS is described in Fig. 1. The auxiliary algorithm M_c in Fig. 1 is used to prove the linearity of LS.
Since the proofs of correctness and linearity of LS in Fig. 1 are similar to those in [7], we only sketch them. The linearity of our mapping h holds modulo (2d + 1), hence the correctness and linearity of LS hold modulo (2d + 1) as well.
Proof of correctness. Let (c, S) ← LS.Sketch(pp_LS, x) and (c′, S′) ← LS.Sketch(pp_LS, x′) for x, x′ ∈ 𝒳 with x′ ∈ ξ(x), where pp_LS ← LS.Setup(K, (ψ, +)). In the algorithm LS.DiffRec of LS, y ← CV_L(c − c′) can be written as

Proof of linearity.
We prove linearity using the auxiliary algorithm M_c. Let
Following [7], we obtain the equation
where the first term of (1) is the output of M_c(pp_LS, c, e); showing this equality suffices for the linearity of LS. Substituting the components of LS into the first term of (1), the equality follows, which completes the proof.
We now explain why the sketch c of LS leaks no information about the fuzzy data x or the proxy key S. For the privacy of x we require, as in [7], the conditional false matching rate (ConFMR), defined as follows:
We require ConFMR ≈ 2^{−κ}, i.e. only with probability about 2^{−κ} can one obtain a ''collision'' pair (x, c), (x′, c′) with c = c′ and x′ ∈ ξ(x). As for the proxy key S, by the randomness of the vector v the value S ← h_{(B,v)}(y) is statistically close to a uniformly random element even given c. See [7] for details.

B. OUR SCHEME
In this section we present our concrete lattice-based fuzzy signature scheme, starting with the parameter setting. Most parameters are inherited from the scheme in [10]. Let κ ∈ N be the security parameter and q a prime. Let m, n, k, d ∈ Z^+ and let η > 1 be small. Let M = O(1) and σ ∈ R^+. Let H: {0, 1}* → {−1, 0, 1}^k be a hash function, and let E ∈ Z^{m×k} be a matrix with small integer entries. The modified linear sketch LS used in our lattice-based fuzzy signature scheme FS is the one of Section IV-A. The concrete scheme FS is given in Fig. 2.
ϵ-Correctness. From the definition of the fuzzy key setting K, we have
Hence, to show correctness of our scheme, it suffices to show that if x′ ∈ ξ(x), then a signature generated with x′ is accepted under a public key pk_FS generated with x.
Consider the execution of the verification algorithm. In the scheme, the actual distribution of z is D^m_{S′h,σ}. By Theorem 1, this distribution is statistically close to the one in which z is drawn from D^m_σ, so we may treat z as distributed according to D^m_σ. By Lemma 1, ∥z∥ ≤ ησ√m with probability at least 1 − 2^{−m}. Moreover, by Lemma 3, a sample y′ ← D^m_σ equals a given y with probability at most 2^{1−m}, so publishing Y = Ay does not compromise the security of our scheme.
By the correctness of the linear sketch, LS.DiffRec(pp_LS, c, c′) = ΔS = (S′ − S) mod (2d + 1), so there exists a matrix E ∈ Z^{m×k} with
S′ = S + ΔS + (2d + 1)E. (2)
Hence the ephemeral public key T′ = AS′ can be written as
T′ = T + AΔS + (2d + 1)AE, (3)
where T = AS is the public key as in [10]. Furthermore, since z = S′h + y,
Az = AS′h + Ay = T′h + Y,
where h = H(Y, m). Thus a matrix E satisfying (2) also satisfies (3), and the signature σ_FS = (z, Y, c′) is accepted by the verification algorithm; σ_FS is a valid signature on the message m.
We now explain how to compute the matrix E ∈ Z^{m×k}. The parameters are inherited from [10], which gave two instantiations, d = 1 and d = 31. Although the concrete values of S and S′ are unknown, both lie in {−d, …, 0, …, d}^{m×k}, and ΔS is public (it is recomputed from the public sketches). Hence, by (2), the entries of E lie in {−1, 0, 1}.
More concretely, for d = 1: if an entry of ΔS is −1, the corresponding entry of E is 1 with probability 1/3 and 0 with probability 2/3; if an entry of ΔS is 0, the corresponding entry of E is 0; if an entry of ΔS is 1, the corresponding entry of E is −1 with probability 1/3 and 0 with probability 2/3. These probabilities are over the random choice of S and S′. To compute E, first set all entries of E to 0. Then evaluate (4) and compare it with Az. Since ΔS is public, the positions of its entries −1, 0 and 1 are known. For the positions at which (4) and Az disagree, if the corresponding entry of ΔS is −1 (resp. 1), change the entry of E from 0 to 1 (resp. −1). Therefore (4) needs to be evaluated only once to obtain E. The case d = 31 follows a similar pattern.
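To make the modified linear sketch of Section IV-A and relation (2) above concrete, the following Python block is an added toy model (our code, not the authors' implementation; Fig. 1 is not reproduced here). Assumptions, all labelled in the code: the lattice is L = B·Z^m with B = scale·I_m, so that B⌊B^{−1}·⌉ is the exact closest-vector map CV_L and the Voronoi cell VR_L(0) is the box (−scale/2, scale/2)^m; LS.Sketch(pp_LS, x) outputs c = x − g_L(x) and S = h_{(B,v)}(g_L(x)); LS.DiffRec(pp_LS, c, c′) outputs h_{(B,v)}(CV_L(c − c′)); h_{(B,v)}(y) = (B^{−1}y)v^⊤ mod (2d + 1) with entries reduced to {−d, …, d}; and v has entries that are units modulo 2d + 1. The functions sketch, diff_rec, carry_matrix, residue_from_key and check_linearity are our names. The block checks that LS.DiffRec returns (S′ − S) mod (2d + 1) when the measurement error e lies in VR_L(0), that the carry matrix E = (S′ − S − ΔS)/(2d + 1) of (2) has entries in {−1, 0, 1} with the sign pattern described above for d = 1, that the sketch fails as soon as e leaves VR_L(0), and that with v public the residue B^{−1}y mod (2d + 1) can be read off from S, as noted in Section IV-A.

```python
"""Toy model of the modified linear sketch (Sec. IV-A) and of relation (2) (Sec. IV-B).
Added example, not the authors' code.  Assumptions (see lead-in): L = B Z^m with
B = scale * I_m; LS.Sketch = (x - g_L(x), h(g_L(x))); LS.DiffRec = h(CV_L(c - c'));
h_(B,v)(y) = (B^{-1} y) v^T mod (2d+1) with centred entries; v has unit entries."""
import math
import random


def cmod(a, q):
    """Reduce a mod q into the centred range {-(q-1)/2, ..., (q-1)/2} (q odd)."""
    r = a % q
    return r - q if r > (q - 1) // 2 else r


def make_pp(m, k, d, scale, seed):
    """pp_LS = (B, v, d).  B = scale*I_m is implicit; v is drawn from {1, ..., 2d}^k
    (constructed so that, for d = 1, every v_j is a unit modulo 2d+1)."""
    rng = random.Random(seed)
    v = [rng.randrange(1, 2 * d + 1) for _ in range(k)]
    return {"m": m, "k": k, "d": d, "scale": float(scale), "v": v}


def g_L(pp, x):
    """g_L(x) = B floor(B^{-1} x): the lattice point at the corner of x's cell."""
    s = pp["scale"]
    return [s * math.floor(xi / s) for xi in x]


def cv_L(pp, t):
    """CV_L(t) = B round(B^{-1} t); exact because B is diagonal (assumption)."""
    s = pp["scale"]
    return [s * math.floor(ti / s + 0.5) for ti in t]


def h_map(pp, y):
    """h_(B,v)(y) = (B^{-1} y) v^T mod (2d+1), an m x k matrix with centred entries."""
    s, v, q = pp["scale"], pp["v"], 2 * pp["d"] + 1
    coords = [int(round(yi / s)) for yi in y]   # B^{-1} y is integral since y is in L
    return [[cmod(ci * vj, q) for vj in v] for ci in coords]


def sketch(pp, x):
    """LS.Sketch: c = x - g_L(x) lies in the fundamental cell; S = h(g_L(x)) is the proxy key."""
    y = g_L(pp, x)
    return [xi - yi for xi, yi in zip(x, y)], h_map(pp, y)


def diff_rec(pp, c, c_prime):
    """LS.DiffRec: CV_L(c - c') equals y' - y when x' - x lies in VR_L(0); map it through h."""
    return h_map(pp, cv_L(pp, [ci - cpi for ci, cpi in zip(c, c_prime)]))


def mat_sub_mod(S_prime, S, q):
    """(S' - S) mod (2d+1), entrywise and centred."""
    return [[cmod(a - b, q) for a, b in zip(ra, rb)] for ra, rb in zip(S_prime, S)]


def carry_matrix(S, S_prime, dS, d):
    """E of relation (2): S' = S + dS + (2d+1) E.  Raises if (2) cannot be satisfied."""
    q = 2 * d + 1
    E = []
    for rs, rsp, rd in zip(S, S_prime, dS):
        row = []
        for a, b, c in zip(rs, rsp, rd):
            num = b - a - c
            if num % q:
                raise ValueError("dS is not congruent to S' - S modulo 2d+1")
            row.append(num // q)
        E.append(row)
    return E


def residue_from_key(pp, S):
    """B^{-1} y mod (2d+1), read off from S = h(y) via a unit entry v_j of the public v.
    Shows that S determines the residue of y modulo (2d+1)L (Sec. IV-A)."""
    q = 2 * pp["d"] + 1
    for j, vj in enumerate(pp["v"]):
        if math.gcd(vj, q) == 1:
            inv = pow(vj, -1, q)
            return [(row[j] * inv) % q for row in S]
    return None


def check_linearity(pp, x, e):
    """Run LS.Sketch on x and x' = x + e, then LS.DiffRec on the two sketches.
    Returns (ok, dS, E): ok says whether dS == (S' - S) mod (2d+1); E is the carry
    matrix of (2) when ok, else None."""
    q = 2 * pp["d"] + 1
    c, S = sketch(pp, x)
    c_p, S_p = sketch(pp, [xi + ei for xi, ei in zip(x, e)])
    dS = diff_rec(pp, c, c_p)
    ok = dS == mat_sub_mod(S_p, S, q)
    return ok, dS, (carry_matrix(S, S_p, dS, pp["d"]) if ok else None)


if __name__ == "__main__":
    pp = make_pp(m=4, k=3, d=1, scale=10, seed=7)
    x = [3.7, -12.2, 48.9, 0.4]              # constructed fuzzy data in R^4
    e = [1.3, -4.5, 2.2, -0.9]               # constructed measurement error inside VR_L(0)
    print(check_linearity(pp, x, e))         # ok == True; E entries in {-1, 0, 1}
    print(check_linearity(pp, x, [6.0, 0.0, 0.0, 0.0])[0])   # e outside VR_L(0): False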

C. SECURITY PROOF
Before giving the full security proof, we explain why, compared to [10], our scheme can skip one signing hybrid (Hybrid 2 in [10]) in the proof, since we use a different approach to prove the security of our scheme. Statement. Our fuzzy signature scheme FS is based on the scheme of [10], but we do not use the same method as [10] to prove its security. For the scheme in [10], there are two possible ways to answer the forger's signing queries: either using the simulated secret key to generate signatures (method A), or programming the random oracle accordingly and generating $z$ directly from the distribution $D^m_\sigma$ without using the secret key (method B). More precisely, method A needs only Hybrid 1 of [10] (which replaces the actual hash value with a randomly chosen element), whereas method B employs both hybrids shown in [10]. Both hybrids of [10] have the property that the distribution of the signatures they generate is independent of the secret key. Hybrid 1 uses rejection sampling so that its output matches the actual signing algorithm, while the signatures generated by Hybrid 2 are chosen at random without using the secret key. Moreover, by appropriately choosing the parameters $\sigma$ and $M$ in the scheme of [10], the statistical distance between the distributions of signatures from Hybrid 1 and from Hybrid 2 in [10] is small, which means the difference between signatures generated by the two hybrids is slight.
Moreover, the proof of the scheme in [10] could actually use either of the above two methods. The author of [10] chose method B so that the same security lemma could be reused in another section, which proposes other schemes for which only method B applies.
As for our scheme, we prefer method A, since the "ephemeral" public key $T'$ used in our verification algorithm cannot be obtained directly in the way the public key $T$ is in the proof of [10]. More specifically, the linearity of our mapping $h$ holds only modulo $2d + 1$, so the "ephemeral" public key $T'$ cannot be derived from the public key and the signature alone. In the signing queries, we simulate the secret key to generate signatures that are indistinguishable from the actual ones. That is why we skip Hybrid 2 of [10]: we manage to simulate the signing key to generate signatures in the signing query phase using method A, which needs only Hybrid 1 of [10].
In addition, we use the auxiliary algorithm $M_c$ in Hybrid 1 to obtain the sketch $c'$ without knowledge of the fuzzy data $x'$. Then we construct an algorithm that solves the $\mathrm{SIS}_{q,m,n,\beta}$ problem by simulating the EUF-CMA security game for the adversary, using algorithm $M_c$. We now prove the security of our signature scheme as follows.
Theorem 2: If there is a polynomial-time forger who makes at most $s$ queries to the signing oracle and $g$ queries to the random oracle $H$, and breaks the EUF-CMA security with probability $\delta$, then there exists a polynomial-time algorithm solving the $\mathrm{SIS}_{q,m,n,\beta}$ problem for $\beta = (2\eta\sigma + 2dk)\sqrt{m}$ with probability $\approx \frac{\delta^2}{2(g+s)}$.

This theorem is proved through a sequence of two lemmas. In Lemma 5, we show that the actual signing algorithm can be replaced with Hybrid 2, and that the statistical distance between the two outputs is at most $\epsilon' = s(s+g)2^{-n+1}$. In Lemma 6, we assume that a forger produces a forgery with probability $\delta$ when the signing algorithm is replaced with Hybrid 2. We then use it to recover $v$ such that $\|v\| \le (2\eta\sigma + 2dk)\sqrt{m}$ and $Av = 0$ with probability at least $\frac{\delta^2}{2(g+s)}$. The two signing hybrids are shown in Fig. 3.

Lemma 5: Let $D$ be a distinguisher that can query the random oracle $H$ and either the actual signing algorithm or Hybrid 2. If it makes $g$ queries to the random oracle $H$ and $s$ queries to the signing algorithm it has access to, then for all but a e − (n) fraction of all possible matrices $A$, the advantage of $D$ in distinguishing the actual signing algorithm from the one in Hybrid 2 is at most $s(s+g)2^{-n+1}$.
Proof: First, we show that the outputs of the actual signing algorithm and of Hybrid 1 follow exactly the same distribution. Instead of running the Sketch algorithm of LS again on the fuzzy data $x'$ to generate the sketch $c'$, as the actual signing algorithm does, we use the auxiliary algorithm $M_c$ of LS with inputs $c$ and $e$. By the linearity of LS, the distribution of $c'$ generated in the actual signing algorithm and in Hybrid 1 is identical.
We then claim that the distinguisher $D$ has advantage at most $s(s+g)2^{-n+1}$ in distinguishing an output of Hybrid 1 from an output of Hybrid 2. The only difference between these two hybrids is the output of the random oracle $H$. In Hybrid 2, the outputs of $H$ are chosen uniformly from $\{-1, 0, 1\}^k$ and then programmed as the response $H(Y, m) = H(Az - T'h, m) = h$, without checking whether $(Y, m)$ has already been set. Each time Hybrid 2 is called, the probability of obtaining a vector $y$ such that $Ay$ equals one queried before is at most $2^{-n+1}$. By [10], this holds where $y = [y_0 \,\|\, y_1]^{\top}$. Since $D$ can call the random oracle $H$ $g$ times and the signing algorithm $s$ times, at most $s + g$ values of $(Y, m)$ are set. Thus, each time Hybrid 2 is accessed, the probability of a collision is at most $(s+g)2^{-n+1}$. Therefore, the probability that a collision occurs over $s$ queries to Hybrid 2 is at most $s(s+g)2^{-n+1}$. Hence, the statistical distance between the output of the actual signing algorithm and that of Hybrid 2 is at most $s(s+g)2^{-n+1}$. □

Lemma 6: Suppose that there exists a polynomial-time forger $F$ who makes at most $s$ queries to the signer in Hybrid 2 and $g$ queries to the random oracle $H$, and succeeds in forging with probability $\delta$. Then there exists a polynomial-time algorithm $B$ that, for a given $A \leftarrow \mathbb{Z}_q^{n \times m}$, finds a non-zero vector $v \in \mathbb{Z}^m$ such that $\|v\| \le (2\eta\sigma + 2dk)\sqrt{m}$ and $Av = 0$ with probability at least $\frac{\delta^2}{2(g+s)}$.

Proof: We now construct the algorithm $B$, which simulates the attack environment for $F$ and solves the $\mathrm{SIS}_{q,m,n,\beta}$ problem with probability at least $\frac{\delta^2}{2(g+s)}$. The algorithm $B$ receives a challenge instance $A \leftarrow \mathbb{Z}_q^{n \times m}$ and computes $pp_{LS} \leftarrow \mathrm{LS.Setup}(K, )$. $B$ randomly chooses $x \in X$, computes $c = x - g_L(x)$ and $S = h_{(B,v)}(g_L(x))$, where the functions $g_L$ and $h_{(B,v)}$ are defined in Section IV-A. Then $B$ computes $T = AS$. Let $(pp_{LS}, A, T, c)$ be public and keep $S$ private.
When $F$ asks for a signature on some message, $B$ runs the signing algorithm of Hybrid 2 to produce it. Let $D_H = \{-1, 0, 1\}^k$ denote the range of the random oracle $H$, and let $t = g + s$ be the bound on the number of times the random oracle $H$ is called or programmed during the attack by $F$. The algorithm $B$ proceeds as follows. $B$ first picks values $r_1, \dots, r_t \leftarrow D_H$ that will serve as the responses of the random oracle $H$. Note that a random oracle query can be made by the forger $F$ directly, or it can be programmed by the signing algorithm when $F$ makes a signing query on some message. Thus, both during signing and when $F$ queries the random oracle, $H$ is programmed by $B$, and each response of $H$ is the first unused $r_i$ in the list $(r_1, \dots, r_t)$. At the same time, $B$ keeps a table of all queries to the random oracle $H$, so that when the same query is made twice, the previously answered $r_i$ is returned. After making at most $s + g$ random oracle queries, $F$ outputs a forged signature $(\hat z, \hat Y, \hat c')$ on a message $\hat m$.
The above (5) shows the existence of the secret key $\hat S'$, since the secret key $S$, $\hat{\bar S}' \leftarrow \mathrm{LS.DiffRec}(pp_{LS}, c, \hat c')$, and the matrix $E_1 \in \mathbb{Z}^{m \times k}$, which can be computed, are all known to the algorithm $B$. If the random oracle $H$ was not queried or programmed on the input $w = \hat Y = A\hat z - T'\hat h$, then $F$ has probability only $\frac{1}{|D_H|}$ of producing a vector $\hat h$ such that $\hat h = H(w, \hat m)$, so $\hat h$ is one of the $r_i$'s with probability $1 - \frac{1}{|D_H|}$. Thus the probability that $F$ succeeds in forging and $\hat h$ is one of the $r_i$'s is at least $\delta - \frac{1}{|D_H|}$. Let $j$ be such that $\hat h = H(\hat Y, \hat m) = r_j$.
In this case, $B$ records the forged message-signature pair $((\hat z, \hat Y, \hat c'), \hat m)$ and then generates fresh random elements $r^*_j, \dots, r^*_t \leftarrow D_H$. $B$ then runs the forger $F$ again with the same randomness tape and the same answers to the random oracle $H$ as in the previous run up to the $j$-th query. By the General Forking Lemma