A structure-preserving linearly homomorphic signature scheme with designated combiner

Linearly homomorphic signature (LHS) allows the acquisition of a new legal signature using the homomorphic operation of the original signatures. However, the public composability of LHS also prevents it from being used in some scenarios where the combiner needs to be designated. The LZZ22 scheme designates a combiner and preserves the signature structure by having the signer and the designated combiner share a secret. However, LZZ22 is not secure enough because the secret is constant. Here, we first prove that there is a polynomial time adversary that can crack the secret in LZZ22 through multiple signature queries. Then, we propose a new scheme, which realizes all the functions of LZZ22 and fixes the security problem by changing the secret with the message. The proposed scheme is shown to be secure against existential forgery on adaptively chosen subspace attacks under the random oracle model. Finally, we detail how to apply our scheme to the proxy signature and perform it on a personal computer, and the results show that our scheme is efficient.


INTRODUCTION
Linear network coding is an effective technique to improve network throughput. It allows nodes to combine multiple received data packets into one packet and forward it, so as to realize efficient data transmission. However, some malicious nodes in the network may inject forged packets into legitimate packets and synthesize a corrupted packet that can be forwarded to other nodes. Other nodes in the network combine the corrupted packet with legitimate packets to synthesize a new corrupted packet and forward it. Due to the nature of network coding, corrupted packets will pollute more legitimate packets, leaving the destination node unable to recover the original data. This type of attack is called a pollution attack. The digital signature (Diffie & Hellman, 1976) is one of the core technologies of cryptography, which can provide authenticity, integrity, and non-repudiation of information. However, a general digital signature scheme cannot be used to solve the pollution attack problem because the original signature becomes invalid once the message is changed. The homomorphic signature (HS) is a type of digital signature that allows any entity to obtain a new legal signature by a homomorphic operation on the original signatures. Among them, the linearly homomorphic signature (LHS) (Attrapadung, Libert & Peters, 2013) can resist pollution attacks in network coding well because it supports linear homomorphic operations on messages (Zhao et al., 2007; Charles, Jain & Lauter, 2006; Yu et al., 2008; Yun, Cheon & Kim, 2010). With the development of homomorphic signature technology, LHS has also been used in scenarios such as electronic health systems (Li, Zhang & Sun, 2021), blockchain (Lin et al., 2018), and the Internet of Things (IoT) (Li, Zhang & Liu, 2020).
According to the homomorphism of LHS, any entity can obtain the signature of a linear combination of the original messages by applying the homomorphic operation to the signatures from a set of message/signature pairs with the same label. This is the public composability of LHS. However, in some scenarios such as proxy signing, the user will designate a server that has the unique authority to combine messages and generate a legitimate signature. This allows the designated server to sign instead of the user in special circumstances, such as when it is not convenient for the signer, or when there is too much data. General LHS cannot implement the function of designating a combiner due to its public composability. Designating a combiner means that the signature is homomorphic for the combiner but not for other entities in the system. The linearly homomorphic signature with designated combiner (LHSDC) (Lin, Xue & Huang, 2021) realizes the function of designating a combiner by key agreement. However, the structure of the signature generated by the combiner is changed (Lin, Xue & Huang, 2021), so the combined signature cannot be used again as input to the combination algorithm. Li, Zhang & Zhang (2022) proposed the formal definition and security model of the structure-preserving linearly homomorphic signature scheme with a designated combiner (SPS-LHSDC) and constructed the first SPS-LHSDC scheme, LZZ22. LZZ22 modifies the signature algorithm of Lin, Xue & Huang (2021) to make the combined signature structure consistent with the original signature structure. However, this scheme has a security problem.

Our contributions
In this article, we first prove that there is a polynomial time adversary that can crack the secret information in LZZ22 through multiple signature queries. The adversary is then able to forge the signature corresponding to any message.
Secondly, we propose a new scheme, which has all the functions of LZZ22 and fixes the security problem by making the secret information vary with the message, at the cost of adding one hash operation and one exponentiation to the signature algorithm. Meanwhile, we detail how to apply our scheme to the proxy signature.
Finally, we run the signature forgery program of LZZ22 through experiments, and the results show that the time required to forge a signature is inversely proportional to the message dimension. We run the proposed scheme in the same experimental environment and compare it with other LHS schemes. The experimental results show that the signature algorithm and the verification algorithm of our scheme are efficient, and that the usage of system resources by our algorithm is low.
Desmedt (1993) introduced the concept of HS, and Johnson et al. (2002) introduced its formal definition and general framework in 2002. Afterward, many HS schemes appeared (Cheng et al., 2016; Li et al., 2018; SadrHaghighi & Khorsandi, 2016; Catalano, Fiore & Warinschi, 2014; Gorbunov, Vaikuntanathan & Wichs, 2015; Zhang, Jianping & Ting, 2012; Aranha & Pagnin, 2019), among which LHS supports linear homomorphic operations on messages. However, the early LHS schemes lack a strict security proof and are not practical. In 2009, Boneh et al. (2009) constructed the first provably secure LHS scheme under the random oracle model. In this scheme, each file is regarded as a linear vector subspace, and the source node signing the basis vectors of the subspace is equivalent to signing the whole file. Gennaro et al. (2010) proposed the first LHS scheme based on the RSA problem. This scheme reduces the cost compared with the scheme in Boneh et al. (2009). To resist quantum attacks, Boneh & Freeman (2011) proposed the first lattice-based LHS scheme in 2011. The security of the scheme is based on the SIS problem. The signature verification of the scheme is completed in the binary domain. Chen, Lei & Qi (2016) constructed the first LHS scheme based on the SIS problem under the standard model. This scheme can resist weak adversaries and provide weak context-hiding privacy. In 2018, Lin et al. (2018) constructed the first ID-based LHS scheme by introducing ID-based signature technology. This scheme uses the user's identity ID as the public key, which avoids the disadvantage of difficult key management. Zhang et al. (2018) proposed a more efficient ID-based LHS scheme, Zhang18. However, their scheme does not augment the original vector, so it is not suitable for network coding. Moreover, ID-based LHS schemes suffer from the key escrow problem. In 2021, Wu, Wang & Yao (2021) constructed a certificateless LHS scheme, Wu21, for network coding. Their scheme avoids both the certificate management problem and the key escrow problem.

Related works
Lin, Xue & Huang (2021) and Lin et al. (2017) proposed two LHSDC schemes, Lin21 and Lin17, to make the LHS scheme applicable in scenarios that need to designate a combiner or verifier. The latter made up for the former's lack of public verifiability. In both schemes, only the designated combiner has the right to combine the original signatures. However, the combined signature structure in Lin, Xue & Huang (2021) and Lin et al. (2017) is changed, so the combined signature can no longer be used as input to the combination algorithm. In 2022, Li, Zhang & Zhang (2022) proposed the first SPS-LHSDC scheme, LZZ22, based on Lin21. In the SPS-LHSDC scheme, the combined signature has the same structure as the original signature, so it can still be used as input to the combination algorithm. This function enables the SPS-LHSDC scheme to be used in certain scenarios. However, the scheme LZZ22 has a security problem.

Organization
The overall structure of the rest of this article is as follows. In the "Preliminaries" section, we introduce some preliminaries. In "The Security Problem of LZZ22", we analyze the security of LZZ22 and then construct a signature forgery algorithm for LZZ22. In "The Proposed Scheme" section, we propose a new SPS-LHSDC scheme and prove the correctness and security of the scheme. In the "Application and Experiment Analysis" section, we first describe how to apply the scheme in this article to proxy signatures, and then run the signature forgery experiment of LZZ22 and compare the efficiency of our scheme with four other LHS schemes. Finally, we summarize the full text and describe future research directions in the Conclusions.

PRELIMINARIES
Here, we introduce some basics, including symmetric bilinear mapping, the augmented basis vector, and the formal definition of SPS-LHSDC.

Symmetric bilinear mapping
In 1991, Menezes, Vanstone & Okamoto (1991) proposed the symmetric bilinear mapping, which is defined as follows.
The mapping is called a symmetric bilinear mapping.
Definition 1 (computational Diffie-Hellman problem (CDH)) (Boneh, 1998). Given a triple $(g, g^a, g^b)$, where $g$ is the generator of $G_1$ and $a, b \in_R \mathbb{Z}_q^*$ are two unknown elements, compute $g^{ab}$.
Definition 2 (CDH assumption) (Boneh, 1998). If for any probabilistic polynomial-time (PPT) algorithm $A$ the probability of solving the CDH problem is negligible, then the CDH problem is hard in $G_1$.

The augmented basis vector
In an LHS scheme, a file is usually divided into a set of $n$-dimensional original vectors $v_i$, $i \in \{1, 2, \ldots, m\}$, over $\mathbb{Z}_q$, where $q$ is a large prime. To ensure that receivers in the network can recover this set of vectors, the original vectors are augmented so that they are linearly independent. The augmentation operation of this set of vectors is as follows (Boneh et al., 2009): let $N = n + m$; for each $i \in \{1, 2, \ldots, m\}$, append to the basis vector $v_i$ an $m$-dimensional unit vector whose $i$-th bit is "1" and whose remaining bits are "0". Because of its linear independence, the set of vectors obtained after the augmentation operation becomes a set of basis vectors of the subspace to which the original file belongs.
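The augmentation step above, as an added example that is not part of the paper: each $n$-dimensional vector gets the unit vector $e_i$ appended (so $N = n + m$), packets are formed as linear combinations mod $q$, and a receiver holding $m$ independent packets recovers the original vectors from the appended coefficient part. The small prime $q$, the sample vectors and the coefficients are constructed here; a deployment uses a large prime.

```python
import random


def augment(vectors, q):
    """Append the m-dimensional unit vector e_i to the i-th vector (mod q)."""
    m = len(vectors)
    n = len(vectors[0])
    out = []
    for i, v in enumerate(vectors):
        assert len(v) == n, "all original vectors must be n-dimensional"
        unit = [1 if j == i else 0 for j in range(m)]
        out.append([x % q for x in v] + unit)  # N = n + m coordinates
    return out


def combine(basis, coeffs, q):
    """Network-coding style combination sum_k b_k * v_k over Z_q."""
    n_total = len(basis[0])
    w = [0] * n_total
    for b, v in zip(coeffs, basis):
        for j in range(n_total):
            w[j] = (w[j] + b * v[j]) % q
    return w


def solve_mod_q(coeff, data, q):
    """Solve coeff * X = data over Z_q by Gauss-Jordan elimination.

    coeff is m x m, data is m x n; returns X (m x n).  Raises ValueError when
    the packets are linearly dependent, i.e. the file cannot be recovered yet.
    """
    m = len(coeff)
    M = [a[:] + d[:] for a, d in zip(coeff, data)]
    for c in range(m):
        pivot = next((r for r in range(c, m) if M[r][c] % q), None)
        if pivot is None:
            raise ValueError("packets are linearly dependent")
        M[c], M[pivot] = M[pivot], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [(x * inv) % q for x in M[c]]
        for r in range(m):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[c])]
    return [row[m:] for row in M]


def recover(packets, n, q):
    """Recover the m original n-dimensional vectors from m combined packets.

    The last m coordinates of each packet are exactly the combination
    coefficients, because the augmented part of v_k is the unit vector e_k.
    """
    coeff = [p[n:] for p in packets]
    data = [p[:n] for p in packets]
    return solve_mod_q(coeff, data, q)


def demo(seed=1):
    """Augment, combine with random coefficients, and recover (constructed data)."""
    q = 7919  # constructed small prime for illustration only
    original = [[12, 34, 56, 78], [9, 8, 7, 6], [100, 200, 300, 400]]
    basis = augment(original, q)  # m = 3 vectors, N = 4 + 3 = 7
    rng = random.Random(seed)
    packets = [combine(basis, [rng.randrange(1, q) for _ in basis], q)
               for _ in basis]
    return basis, packets, recover(packets, len(original[0]), q)


if __name__ == "__main__":
    basis, packets, recovered = demo()
    print("augmented basis:", basis)
    print("recovered originals:", recovered)
```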

The formal definition of SPS-LHSDC
Definition 3: The SPS-LHSDC scheme consists of five PPT algorithms (Li, Zhang & Zhang, 2022):
$\mathrm{Setup}(1^k, N) \to pp$: The algorithm inputs the security parameter $1^k$ and the dimension $N$, and outputs the system public parameter $pp$;
$\mathrm{KeyGen}(pp) \to (sk, pk)$: The algorithm inputs $pp$ and outputs a private key $sk$ and the corresponding public key $pk$;
$\mathrm{Sign}(pp, sk_A, pk_B, id, v_k) \to (s, r_k)$: The algorithm inputs $pp$, the signer's private key $sk_A$, the combiner's public key $pk_B$, the file identifier $id$ and the vector $v_k$, and outputs the subspace label $s$ and the signature $r_k$;
$\mathrm{Combine}(pp, pk_A, sk_B, s, \ldots)$, where $b_k \in \mathbb{Z}_q^*$: the algorithm outputs a message/signature pair $(v, r)$;
$\mathrm{Verify}(pp, pk_A, s, v, r) \to \{0, 1\}$: The algorithm inputs $pp$, $pk_A$, $s$, $v$ and $r$. If $r$ is a legal signature of the vector $v$, the algorithm outputs 1; otherwise, it outputs 0.

Correctness
The SPS-LHSDC scheme is correct if it satisfies the following two conditions:

Security model
In the SPS-LHSDC scheme, the forgery of adversary $A$ is said to be successful if the forged message/signature pair passes the verification algorithm and the forgery conforms to one of the following types.
Type 1 Forgery: The adversary $A$ never queried the subspace $V$ and generates a valid signature for $w^* \in V$, where $w^* \neq 0$.
Type 2 Forgery: The adversary $A$ has queried the subspace $V$ labeled $s$, and then uses the label $s$ to generate a valid signature for $w^* \notin V$, where $w^* \neq 0$.
Type 3 Forgery: The adversary $A$ has queried the subspace $V$, and then generates a valid signature for $w^* \in V$ without knowing the private key of the combiner, where the vector $w^*$ is composed of the basis vectors of $V$ and $w^* \neq 0$.
Definition 4: If the probability of any PPT adversary $A$ winning the following game is negligible, then the SPS-LHSDC scheme is secure.

Setup:
The challenger $C$ selects the security parameter $1^k$ and a positive integer $N$ and runs $\mathrm{Setup}(1^k, N) \to pp$ and $\mathrm{KeyGen}(pp) \to (sk, pk)$ in turn. Then $C$ sends $(pp, pk_A)$ to $A$.
Combiner-key Generation Query: When $A$ initiates this query, $C$ runs $\mathrm{KeyGen}(pp) \to (sk_B, pk_B)$ and sends $pk_B$ to $A$.
Combiner Corruption Query: When $A$ initiates this query, $A$ sends a combiner's public key $pk_B$ to $C$, and $C$ returns the corresponding $sk_B$ to $A$.
Sign Query: When $A$ initiates this query, $A$ selects a subspace $V_i = \mathrm{span}\{v_{i1}, \ldots, v_{im}\}$, where $v_{i1}, \ldots, v_{im} \in \mathbb{Z}_q^n$; then $C$: 1) for each $k \in \{1, \ldots, m\}$, augments $v_{ik} \in \mathbb{Z}_q^n$ to $v_{ik} \in \mathbb{Z}_q^N$ and obtains a new subspace $V_i$; 2) randomly selects the file identifier $id_i$ and obtains the subspace label … $\to (v, r)$, and returns $(v, r)$ to $A$.
Forgery: $A$ outputs a signer's public key $pk_A^*$, a combiner's public key $pk_B^*$, a subspace label $s^*$, a non-zero vector $v^* \in \mathbb{Z}_q^N$ and a signature $r^*$.
If $\mathrm{Verify}(pp, pk_A^*, s^*, v^*, r^*) = 1$ and one of the following three conditions holds, the adversary $A$ is considered to win the above game: … and $A$ has not queried the combiner's private key.

THE SECURITY PROBLEM OF LZZ22
Here, we first analyze the security of LZZ22 and then perform signature forgery against its security problem.

Security analysis of the LZZ22
Li et al. used a method similar to Boneh et al. (2009) to prove that LZZ22 is secure against existential forgery on adaptively chosen subspace attacks under the random oracle model. However, the security model of the SPS-LHSDC scheme has one more type of forgery (Type 3 Forgery) than Boneh et al. (2009). Li, Zhang & Zhang (2022) actually only prove that the LZZ22 scheme can resist Type 1 Forgery and Type 2 Forgery. Type 3 Forgery exists in SPS-LHSDC because the scheme requires that no entity other than the designated combiner can combine original signatures to generate a new signature. A Type 3 forger, without knowing the private key of the designated combiner, can obtain the signature of a new message. Below, we analyze the feasibility of Type 3 Forgery in LZZ22. LZZ22 designates a combiner by binding the combiner's public key into the signature algorithm. The signer then shares secret information with the combiner through key negotiation. The secret information makes the signatures generated by the signer temporarily lose the homomorphic property. Therefore, other entities in the system cannot combine signatures, while the combiner who has the secret information can restore the homomorphic property of the signature, thereby obtaining the authority to combine signatures. Thus, the key to realizing the function of designating a combiner is that only the signer and the designated combiner have the secret information. An adversary that can recover the secret information in LZZ22 can pretend to be the designated combiner and make any combination of the original signatures to forge a new message/signature pair. Next, we explore a theoretical way to crack LZZ22's secret information.
In LZZ22, the document is divided into $m$ message vectors $\{v_i\}_{i=1}^m$, $i \in \{1, 2, \ldots, m\}$, and the signer signs these message vectors respectively. The signature corresponding to the $k$-th message vector is given in LZZ22 in terms of $\{g_i\}_{i=1}^n$, the generators of $G_1$, the subspace label $s$, a hash map $H_1: \{0, 1\}^* \to G_1$, the public key $u_B$ of the designated combiner and the private key $a_A$ of the signer. Since $u_B^{a_A} = u_A^{a_B} = g^{a_A a_B}$, $u_B^{a_A}$ is the secret information shared by the signer and the designated combiner. However, $u_B^{a_A}$ is a fixed value and can be obtained by division between two different signatures. If the adversary finds the value of $u_B^{a_A}$, it obtains the authority to combine signatures and can thereby forge a new message/signature pair.

Signature forgery
The specific requirements of Type 3 Forgery in the SPS-LHSDC security model (Li, Zhang & Zhang, 2022) are as follows: the adversary $A$ does not know the private key of the combiner;
$A$ has queried the subspace $V$, that is, $A$ knows a set of basis vectors $\{v_i\}_{i=1}^m$ of the subspace $V$ and the corresponding signatures $\{r_i\}_{i=1}^m$; $A$ generates a legal signature for a non-zero vector $v^*$, and $v^*$ must be obtained as a linear combination of $\{v_i\}_{i=1}^m$.
According to the requirements of Type 3 Forgery and the security vulnerability of the LZZ22 scheme, if the adversary $A$ wants to forge the signature $r^*$ of a vector $v^*$, $A$ first needs to find the secret information $u_B^{a_A}$ shared by the signer and the combiner by asking for two different signature values (Step 1). The adversary then represents the vector $v^*$ to be forged with a set of basis vectors $\{v_i\}_{i=1}^m$ of the subspace $V$ (Step 2). Finally, the adversary, holding the secret information $u_B^{a_A}$, is able to assume the identity of the combiner and run Combine of LZZ22 to obtain the legal signature of the vector $v^*$ (Step 3). The specific steps are as follows: Step 1: Queries the signature $r'$ of any message $v'$ and the signature $r'' = \ldots$ Step 2: After querying the subspace $V$ in which the message $v^*$ lies, a set of basis vector/signature pairs $\{(v_i, r_i)\}_{i=1}^m$ of the subspace $V$ is obtained, and $v^*$ can be decomposed as in Eq. (5). Step 3: …, $i = 1, 2, \ldots, m$, respectively, and obtains the signature corresponding to $v^*$. The correctness of the message/signature pair $(v^*, r^*)$ is obvious. The key to the successful forgery above is that the adversary $A$ finds the secret information $u_B^{a_A}$ shared by the signer and the designated combiner. This forgery satisfies the conditions of a Type 3 Forgery.
In this section, we find that the root cause of the insecurity of the LZZ22 scheme is that the secret information $u_B^{a_A}$ shared by the signer and the designated combiner is a fixed value, and that this fixed value can easily be separated from the signature. Our signature forgery approach can attack any digital signature scheme with the same two characteristics: (1) some important piece of information in the signature is a fixed value; (2) this fixed value can be derived by arithmetic among multiple signatures. In the next section, we propose a more secure scheme. Compared with the LZZ22 scheme, our scheme adds a hash value of the message $v_k$ to the exponent of the secret information $u_B^{a_A}$. If the adversary wants to obtain the secret information, it will need to solve the discrete logarithm problem, so our scheme ensures the security of the secret information.

THE PROPOSED SCHEME
Here, we first propose a new scheme by fixing the security problem of LZZ22, then we prove the correctness and security of our scheme.

Construction
The proposed scheme is composed of five algorithms: Setup is responsible for generating the initialization parameters; KeyGen is responsible for generating the public/private keys of the user and the designated combiner; Sign is run by the signer and is responsible for generating the original signatures; Combine is run by the designated combiner and is responsible for generating the combined signature from the original signatures; and Verify is responsible for verifying the legitimacy of all signatures. The details of each algorithm are as follows:
$\mathrm{Setup}(1^k, N) \to pp$: The algorithm inputs the security parameter $1^k$ and a positive integer $N$, then: 1) two multiplicative cyclic groups $G_1$ and $G_2$ of large prime order $q$ are randomly selected, where $q > 2^k$, together with a bilinear mapping $e: \ldots$; 2) the generators $g, g_1, \ldots, g_N$ are randomly selected in the group $G_1$.
$\mathrm{KeyGen}(pp) \to (sk, pk)$: The algorithm inputs $pp$. When the signer runs the algorithm, it randomly selects $a_A \in \mathbb{Z}_q^*$ as the signer's private key $sk_A$ and calculates $u_A = g^{a_A}$ as the signer's public key $pk_A$; when the designated combiner runs the algorithm, it randomly selects $a_B \in \mathbb{Z}_q^*$ as the designated combiner's private key $sk_B$ and calculates $u_B = g^{a_B}$ as the public key $pk_B$ of the designated combiner.
$\mathrm{Sign}(pp, sk_A, pk_B, id, v_k) \to (s, r_k)$: The algorithm inputs $pp$, $sk_A = a_A$, $pk_B = u_B$, the file identifier $id \in \{0, 1\}^k$ and the vector $v_k \in \mathbb{Z}_q^N$, then outputs the subspace label $s = (id, pk_B)$ and the signature $r_k$ (…).
$\mathrm{Combine}(pp, pk_A, sk_B, s, \ldots)$, where $b_k \in \mathbb{Z}_q^*$: The designated combiner calculates and outputs (…).
$\mathrm{Verify}(pp, pk_A, s, v, r) \to \{0, 1\}$: The algorithm inputs $pp$, $pk_A = u_A$, $s$, the vector $v$ and $r$. If the verification equation (…) holds, the algorithm outputs 1; otherwise, it outputs 0.

Correctness
The correctness of the proposed scheme consists of two parts, namely the correctness of the signature algorithm and the correctness of the combination algorithm.

Security analysis
In this section, we use a game to prove the security of the scheme. Our general idea is to assume that there exists a PPT adversary $A$ that can forge a message/signature pair of our scheme with a non-negligible probability $\epsilon$. We then show that there exists another PPT algorithm $B$ that can solve the CDH problem by interacting with $A$ with another non-negligible probability $\epsilon'$. Since the CDH assumption states that no PPT algorithm can solve the CDH problem with non-negligible probability, we conclude that no PPT adversary $A$ can achieve a forgery with non-negligible probability, which proves the security of the scheme. In our proof, we first define the types of queries that the adversary $A$ is able to make (the capabilities of $A$) and the way $B$ replies, and find the probability $\epsilon_1$ that $B$ successfully simulates the system given the way $B$ replies (the probability that $B$ does not give up the simulation).
Then, assuming that $A$ outputs a valid forgery with probability $\epsilon$, we find the probability $\epsilon_2$ that $B$ correctly outputs a solution to the CDH problem using the forgery of $A$. Finally, if all of the above events hold, we obtain the probability that $B$ solves the CDH problem as $\epsilon' = \epsilon_1 \epsilon_2 \epsilon$. Since $\epsilon_1$, $\epsilon_2$ and $\epsilon$ are non-negligible, $\epsilon'$ is non-negligible. By contradiction, we conclude that a PPT adversary $A$ cannot break our scheme with non-negligible probability $\epsilon$. The specific proof is as follows.
Theorem 1. If there is a PPT adversary $A$ that can break the proposed scheme with a non-negligible probability $\epsilon$, then there is another PPT algorithm $B$ that can solve the CDH problem with a non-negligible probability $\epsilon' \ge e^{-2}\left(1 - \frac{1}{q_s q_h}\right)\left(1 - \frac{1}{q}\right)\epsilon$, where $q_s$ and $q_h$ represent the numbers of Sign Queries and $H_1$ Queries, respectively.
Proof. Suppose there is an adversary $A$ that meets the above conditions. We construct another PPT algorithm $B$ that calls $A$ as a subroutine and obtains $g^{ab}$ from the known public parameters $pp = (q, G_1, G_2, e, g)$ and $(g^a, g^b)$, where $g \in G_1$ and $a, b \in_R \mathbb{Z}_q^*$.
Combiner-Key Generation Query: $A$ will initiate multiple queries. $B$ denotes the $t$-th query as $(pk_B^{(t)})$ and guesses that the $T$-th query corresponds to the final forgery of $A$. $B$ creates a list $L_k$ to record this query, and each record in $L_k$ is $(t, \ldots)$.
$H_1$ Query: When $A$ initiates this query, $A$ sends the subspace label $s$ to $B$; then $B$: 1) if $s$ has already been queried, $B$ looks up the list $L_H$ and returns …
Sign Query: $A$ queries for the signatures of the subspace $V \subseteq \mathbb{Z}_q^N$; then $B$: 1) selects $id \in_R \{0, 1\}^k$ and lets the label of the vector subspace $V$ be $s = (id, \ldots)$; … 3) outputs the label $s$ and the message/signature pair $(v, r)$.
Output: In the above process, if $B$ does not give up the simulation, a successful forgery by $A$ means outputting a quadruple $(pk_B^*, s^*, v^*, r^*)$, where $v^* \neq 0$ and $\mathrm{Verify}(pp, pk_A, s^*, v^*, r^*) = 1$. If … has not appeared in the Sign Query, $B$ computes … and …, where $s = (s_1, \ldots, s_N)$. Below we prove that $B$ successfully simulates the algorithms Setup, KeyGen and Sign and the hash function $H_1$ without giving up the simulation. Since the Combine algorithm simulated by $B$ runs exactly as the real algorithm, its correctness proof is omitted here.
Since $s_1, s_2, \ldots, s_N$ are randomly selected values, $g_1, g_2, \ldots, g_N$ are also random values, so $B$ successfully simulates the algorithms Setup and KeyGen; and because $f_1, f_2, \ldots, f_m$ are randomly selected values, the output of $H_1$ is also a random value, so $B$ successfully simulates the hash function $H_1$. Below, we prove that $B$ successfully simulates the Sign algorithm. For the Sign algorithm, when the input is $(pp, sk_A, pk_B^{(t)}, id, v)$, where $sk_A = a$ and $pk_B^{(t)} = u_B$, the corresponding real signature value is (…). Substituting the query values … and $u_B = g^{y_t}$ into the above formula, the result of the Sign Query is (…). According to the construction of $f$ in the Sign Query, $s \cdot v = 0$ holds, so the last equality above is established. The output of the real signature algorithm Sign is therefore consistent with the output of $B$, so $B$ successfully simulates the algorithm Sign.
Below we analyze the probability that $B$ does not give up the simulation. Let $q_k, q_r, q_h, q_s, q_c$ denote the numbers of Combiner-Key Generation Queries, Combiner Corruption Queries, $H_1$ Queries, Sign Queries and Combine Queries, respectively. If $B$ does not abandon the simulation, the following conditions need to be met during all queries: 1. The combiner public key corresponding to the final forgery of $A$ was not used in the $q_r$ Combiner Corruption Queries initiated by $A$; this probability is $\left(1 - \frac{1}{q_k}\right)^{q_r}$. 2. In the $q_s$ Sign Queries initiated by $A$, none of the vector subspace labels used by $B$ has been queried by $A$ in an $H_1$ Query; this probability is $1 - \frac{1}{q_s \cdot q_h}$. 3. In the $q_c$ Combine Queries initiated by $A$, the public key of the combiner corresponding to the final forgery of $A$ is used; the probability is … So the probability that $B$ does not abandon the simulation is … Substituting the query values …, $B$ will not output the value of $g^{ab}$ correctly when $s \cdot v^* = 0$. The event $s \cdot v^* = 0$ occurs in the following three situations: 1. When the forgery of $A$ is a Type 1 Forgery. Since all entries of $s$ are randomly selected in $\mathbb{Z}_q$ and $v^* \neq 0$, $s \cdot v^*$ is uniformly distributed in $\mathbb{Z}_q$, so $P(s \cdot v^* = 0) = \frac{1}{q}$. 2. When the forgery of $A$ is a Type 2 Forgery. Since all entries of $s$ are randomly selected in $\mathbb{Z}_q$, $P(s \cdot v^* = 0) = \frac{1}{q}$ in the same way.
3. When the forgery of $A$ is a Type 3 Forgery. All entries of $s$ are randomly selected in $\mathbb{Z}_q$, $v^* \in V \setminus \{v_1, v_2, \ldots, v_m\}$ and $v^* \neq 0$, so the value of … In summary, the probability of the event $s \cdot v^* \neq 0$ is $1 - \frac{1}{q}$. Let the probability that $A$ successfully outputs a valid signature be $\epsilon$; then $B$ correctly outputs the value of $g^{ab}$ with probability $\epsilon' \ge e^{-2}\left(1 - \frac{1}{q_s q_h}\right)\left(1 - \frac{1}{q}\right)\epsilon$. Since the CDH assumption holds, the probability $\epsilon'$ of $B$ correctly outputting $g^{ab}$ is negligible, so the probability $\epsilon$ is negligible.

APPLICATION AND EXPERIMENT ANALYSIS
Here, we illustrate how the proposed scheme works when it is applied to proxy signatures, and then theoretically analyze the efficiency of our scheme. Finally, the signature forgery experiment on LZZ22 and the experiment on our scheme are run in the same experimental environment, and the efficiency of our scheme is compared with other schemes.

Application
Digital signature technology can provide authenticity and integrity certification to users. In real life, a large number of signing activities are often required in some departments (e.g., governments and hospitals). Ordinary digital signature schemes do not allow entities other than a specific user to have signing privileges, so users have to accomplish a large number of signing tasks on their own. The linearly homomorphic signature scheme with a designated combiner can improve the efficiency of signing by transferring the user's large number of computational tasks to a server with high computational power. Consider the following specific scenario: suppose the user has partitioned the file set labeled $s$ into $m$ $n$-dimensional vectors $v_1, v_2, \ldots, v_m \in \mathbb{Z}_q^n$, and augmented $\{v_i\}_{i=1}^m$ into a set of basis vectors $\{v_i\}_{i=1}^m$ of the subspace $V$ according to the method in "Preliminaries". The user has computed the signatures $\{r_k\}_{k=1}^m$ of $\{v_i\}_{i=1}^m$ respectively. If the user now needs to generate the signature $r^*$ of a data vector $v^*$, in an ordinary digital signature scheme the user can only recompute the signature on his own. In contrast, in the LHSDC scheme, the user only needs to send the label $s$ and the combination coefficients $b_k$ to the designated server, and the designated server will complete the signature instead of the user (as shown in Fig. 1). We call this application scenario proxy signing.
The proposed scheme contains three types of participants when applied to proxy signing, namely the signer (user), the designated combiner (server) and the verifier (Fig. 2). The specific application process is as follows: Step 1: The system runs the algorithm Setup to generate the system public parameter $pp$ and publishes $pp$ to all participants. The signer and the designated combiner run the algorithm KeyGen respectively to generate the private/public key pair $(sk_A, pk_A)$ of the signer and the private/public key pair $(sk_B, pk_B)$ of the designated combiner.
Step 2: The signer first divides the message file to be signed into $m$ $n$-dimensional message vectors $v_1, v_2, \ldots, v_m \in \mathbb{Z}_q^n$, and uses the vector augmentation method in the "Preliminaries" section to augment each $n$-dimensional message vector into an $N$-dimensional subspace basis vector $v_1, v_2, \ldots, v_m \in \mathbb{Z}_q^N$. Then, the label $s$ of the vector subspace is generated according to the file identifier $id$. Finally, the signer runs the algorithm Sign on $\{v_k\}_{k=1}^m$ to obtain $\{r_k\}_{k=1}^m$ and sends $(s, \ldots$ … Boneh et al. (2009) determined that the process requires $(m + 1)$ pairing operations, $(m + 2)$ exponentiation operations, $m$ inverse operations, $2m$ multiplication operations and $(2m + 1)$ hash operations. In contrast, SPS-LHSDC maintains the signature structure on top of the function of designating a combiner. Therefore, $v^{**}$ does not need to be decomposed into a representation over multiple basis vectors, and $(v^*, r^*, n)$ can be used directly as the input of the algorithm Combine. Using our scheme, the process requires … In summary, SPS-LHSDC can reduce the computation of the signer and improve the efficiency of signing compared with ordinary digital signature schemes and LHSDC schemes. However, since the designated combiner (server) in SPS-LHSDC also has the authority to generate signatures, the server must be under the management of the most authoritative department of the organization. Meanwhile, the SPS-LHSDC scheme does not apply to some departments with high confidentiality requirements, because the signatures of these departments cannot be delegated.

Theoretical analysis
Table 1 illustrates the meanings of the notations used in this section.Table 2 compares our scheme with the other four schemes in Lin, Xue & Huang (2021), Li, Zhang & Zhang (2022), Zhang et al. (2018) and Wu, Wang & Yao (2021) in terms of efficiency and functionality.
By comparing theoretically with the other four schemes, we find that only our scheme and LZZ22 realize both functions of designating a combiner and maintaining the signature structure. In "The Security Problem of LZZ22", the LZZ22 scheme was shown to have a security vulnerability, so our scheme is the only secure SPS-LHSDC scheme.
Table 1 Notations and the corresponding operations (only the rows recoverable from the extracted text are shown).
Notation   Operation
H          Map-to-point hash operation
|G_1|      The size of elements in G_1
|G_2|      The size of elements in G_2
Our scheme has the lowest computational overhead for both the signature algorithm and the verification algorithm, so our scheme is efficient.

Experiment analysis
In this section, we run the signature forgery program of LZZ22 through experiments, so as to obtain the probability and time required for an adversary to successfully forge a signature.Then, under the same experimental environment, we run our scheme and evaluate its efficiency.
The following illustrates experimental environment and parameter selection.We build the simulator in Python and use a 2.6 GHz single-core twelve-thread processor.The parameter params we used in LZZ22's, Wu21's and our simulations are from pypbc (Maas, 2004) library's A-type curve.The parameter params we used in Lin's and Zhang18's simulations are from pypbc library's F-type curve.The security parameter length is 80 bits, and the element lengths in G 1 and G 2 are 320 and 160 bits respectively.In our experiment, in order to meet the needs of simulating multiple scenarios, the size of the test file we choose is 3.2 KB (3,279 bytes).The file will be divided into m blocks, each block contains n elements, and each element length is 160 bits, which means that the test file is represented by m n-dimensional vectors, and the values of m and n need to meet: 160 8 ðmÀ1Þn 3; 279 160 8 mn.According to the load of the network, we set the packet size as 1,460 bytes.Thus, each packet can hold 1;460 20 ¼ 73 elements.Therefore, the augmented data packet length N should satisfy: N ¼ m þ n 73.

Signature forgery experiment of LZZ22
The signature forgery of LZZ22 includes two processes, namely the signature query and the signature forgery.Since the adversary can obtain the signatures r 0 ; r 00 , and fr i g m i¼1 from the signatures generated by the signer in the past, we ignore the cost of the signature query.The cost of the signature forgery process is consistent with the formula Figure 4 shows the relationship between the cost required for the signature forgery and the message vector dimension n.From Fig. 4, it can be found that the adversary can forge the signature of LZZ22 in a very small amount of time after the Sign Query.The time required for forging the signature decreases with the increase of the dimension n.This is because an increase in n is accompanied by a decrease in m.
Efficiency analysis experiment of the proposed scheme from the cost of the signature algorithm and verification algorithm, respectively.Figure 7 shows the CPU and RAM occupancy of each scheme, and Fig. 8 shows the specific usage of RAM for each scheme.
Figure 5 illustrates that the cost of each scheme in the signature algorithm does not change greatly with the increase of the dimension value n of the base vector.This is because an increase in n is accompanied by a decrease in m, that is, although the length of each data packet increases, a file can be represented using fewer data packets.Figure 6 shows that the cost of each scheme in the verification algorithm increases with the increase of the dimension n of the base vector.This is because the verification of each vector needs to add one multiplication operation and one exponent operation due to the increase of n.By comparing our scheme with the experimental results of other schemes, we find that whether signing a 3.2 KB file or verifying a single message vector, the time overhead of the LZZ22 scheme is the smallest, and our scheme is the second smallest.However, we have proved in "The Security Problem of LZZ22" that the LZZ22 scheme has a security vulnerability.Therefore, our scheme has the highest efficiency among the remaining schemes.When the amount of valid data in the packet reaches the maximum value of 41 (n = 41), our scheme takes 1.620 s to sign a 3.2 KB file and 55.406 ms to verify a single data vector under that file.Figures 7 and 8 illustrate that there is no major difference between the schemes in terms of CPU occupancy.In terms of RAM occupancy, LZZ22 has the smallest memory usage, followed by our scheme.Since the LZZ22 scheme is insecure, our scheme has the smallest usage on RAM among the remaining schemes.When the file size is 3.2 KB, running our scheme will consume 12:7% of CPU and 1;462:8 8Ã1;024 ¼ 17:86% of system memory.Overall, our scheme has a low computational overhead and system resource usage on top of the simultaneous functionality of designating a combiner and maintaining the signature structure.

CONCLUSION
Here, we prove that there is a polynomial time adversary that can crack the secret information in LZZ22 through multiple signature queries, which will allow the adversary to forge the signature corresponding to any message.We proposed a new scheme, which has all the functions of LZZ22 and fixed the security problem by adding one hash operation and one exponential operation to the signature algorithm.Our scheme proved secure against existential forgery on adaptively chosen subspace attacks under the random oracle model.We also detailed the application of our scheme to the proxy signature.Finally, we ran the signature forgery program of LZZ22 through experiments, and the results showed that the time required to forge a signature was inversely proportional to the message dimension.The proposed scheme was run in the same experimental environment and compared with other similar schemes.The experimental results show that the signature algorithm and the verification algorithm of our scheme are efficient, and efficiently use the system resources.
It should be noted that in proxy signing because our scheme allows the designated combiner (server) to generate legal signatures, the server must be managed at the highest level in the department.Meanwhile, the SPS-LHSDC scheme does not apply to some departments with high confidentiality due to the irreplaceable nature of the signatures of these departments.In addition, in this article, we only explore the application of SPS- LHSDC scheme in proxy signatures, and some other application scenarios that need to specify servers for calculating such as federated learning, cloud auditing, and so on deserve more in-depth research.Although the proposed scheme is more efficient than the existing LHSDC scheme and is the only secure SPS-LHSDC scheme, there is still room for improving the efficiency of the signature algorithm.Two directions deserve further research to improve the efficiency of the signature algorithm.One of them is to optimize the homomorphic hash function, which can significantly improve the efficiency of the scheme.The other is to optimize the way to bind combiners, that is, to find a way to bind combiners other than key exchange, which can improve the efficiency of the scheme by a small margin.
to the designated combiner, which runs the algorithm Verify to verify the legitimacy of r k f g m k¼1 respectively.If r k f g m k¼1 are all valid, the designated combiner will store them.Step 3: When the signer wants to generate the signature r Ã of the new message v Ã under this subspace, he only needs to express v Ã as v Ã ¼ P m k¼1 b k v k , and then send the combination coefficient b k f g m k¼1 to the designated combiner.The designated combiner runs the algorithm Combine to get ðv Ã ; r Ã Þ, and sends ðv Ã ; r Ã Þ to the verifier.The verifier runs the algorithm Verify to verify the legitimacy of the combined signature r Ã .In proxy signing, let us consider another case.After the designated combiner has derived the signature r Ã of a certain message v Ã by the algorithm Combine, the signer expects the combiner to continue generating the signature r ÃÃ of the message v ÃÃ ¼ nv Ã .At this point, ðv Ã ; r Ã Þ cannot be used as an input to the algorithm Combine because the signature r Ã generated by the combiner is structurally altered compared to the original signature generated by the signer in the LHSDC.The signer must first decomposev ÃÃ into P m k¼1 b Ã k v k ; b Ã k 2 Z Ã q ,and then the combiner inputs v k ; r k ; b Ã k È É m k¼1 into the algorithm Combine to obtain the signature r ÃÃ .
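As an added worked example for the proxy-signing workflow of Steps 2 and 3 above (this is not code from the paper or from any of the compared schemes, and it does not implement the pairing-based Sign, Combine or Verify algorithms, which the page does not spell out), the following Python shows only the linear-algebra side of the scheme: splitting the 3,279-byte test file into $m$ vectors of $n$ 160-bit elements, augmenting each with its unit vector $e_k$ to get $N = n + m$ dimensional basis vectors, forming $v^* = \sum_k \beta_k v_k$, and the decomposition $v^{**} = \xi v^*$ that an LHSDC combiner would need as $\{\beta_k^*\}$ while SPS-LHSDC can pass $\xi$ directly. The prime $q$ is an assumption: the experiment uses the group order of pypbc's type-A parameters, and the largest 160-bit prime is used here only as a stand-in. The test file contents are constructed.

```python
"""Vector augmentation, combination and coefficient recovery for the
subspace-basis representation used by linearly homomorphic signatures.
Added example; it does not reproduce the paper's signature algorithms."""
import math
from typing import List

ELEMENT_BYTES = 20                               # one Z_q element = 160 bits
PACKET_BYTES = 1460                              # packet size from the experiment
PACKET_ELEMENTS = PACKET_BYTES // ELEMENT_BYTES  # 73 elements per packet
# Assumption: stand-in modulus. The real q is the 160-bit group order of the
# pypbc type-A parameters; 2^160 - 47 is simply the largest 160-bit prime.
Q = (1 << 160) - 47


def split_file(data: bytes, n: int) -> List[List[int]]:
    """Step 2: cut a file into m vectors v_1..v_m in Z_q^n (last one zero-padded)."""
    block = ELEMENT_BYTES * n
    m = math.ceil(len(data) / block)
    padded = data.ljust(m * block, b"\x00")
    return [[int.from_bytes(padded[i:i + ELEMENT_BYTES], "big")
             for i in range(k * block, (k + 1) * block, ELEMENT_BYTES)]
            for k in range(m)]


def augment(vectors: List[List[int]]) -> List[List[int]]:
    """Append the unit vector e_k to v_k: N = n + m dimensional basis vectors."""
    m = len(vectors)
    return [v + [1 if j == k else 0 for j in range(m)] for k, v in enumerate(vectors)]


def combine(basis: List[List[int]], coeffs: List[int], q: int = Q) -> List[int]:
    """v* = sum_k beta_k * v_k (mod q): the message the combiner signs via Combine."""
    if len(coeffs) != len(basis):
        raise ValueError("one coefficient per basis vector is required")
    out = [0] * len(basis[0])
    for beta, v in zip(coeffs, basis):
        for j, x in enumerate(v):
            out[j] = (out[j] + beta * x) % q
    return out


def coefficients_of(vec: List[int], m: int) -> List[int]:
    """The augmentation tail of a combined vector is exactly (beta_1..beta_m)."""
    return vec[-m:]


def scale(vec: List[int], xi: int, q: int = Q) -> List[int]:
    """v** = xi * v* (the second proxy-signing case)."""
    return [(xi * x) % q for x in vec]


def in_span(basis: List[List[int]], vec: List[int], q: int = Q) -> bool:
    """Recompute sum_k beta_k v_k from the tail coefficients and compare.
    This only checks linear consistency of a packet; an adversary can forge a
    consistent tail, which is why the homomorphic signature is still needed."""
    return combine(basis, coefficients_of(vec, len(basis)), q) == vec


def dimension_check(file_len: int, n: int):
    """m and N for a given n, plus the page's constraints
    20(m-1)n <= file_len <= 20mn and N = m + n <= 73."""
    m = math.ceil(file_len / (ELEMENT_BYTES * n))
    N = m + n
    ok = (ELEMENT_BYTES * (m - 1) * n <= file_len <= ELEMENT_BYTES * m * n
          and N <= PACKET_ELEMENTS)
    return m, N, ok


def demo(n: int = 41, coeffs=(3, 5, 7, 11), xi: int = 13) -> dict:
    data = (b"SPS-LHSDC test file " * 200)[:3279]      # constructed 3,279-byte file
    m, N, ok = dimension_check(len(data), n)
    basis = augment(split_file(data, n))
    v_star = combine(basis, list(coeffs))                # Step 3: signer's beta_k
    v_2star = scale(v_star, xi)                          # v** = xi * v*
    # LHSDC path: the signer must hand over beta*_k = xi * beta_k (mod q);
    # SPS-LHSDC path: Combine takes (v*, sigma*, xi) and needs no decomposition.
    decomposed = coefficients_of(v_2star, m)
    polluted = list(v_2star)
    polluted[0] = (polluted[0] + 1) % Q                  # a corrupted data element
    return {"m": m, "N": N, "ok": ok,
            "recovered": coefficients_of(v_star, m),
            "decomposed": decomposed,
            "consistent": in_span(basis, v_2star),
            "polluted_detected": not in_span(basis, polluted)}


if __name__ == "__main__":
    print(demo())
```

With $n = 41$ the file yields $m = 4$ vectors and $N = 45 \le 73$, matching the constraints in the experiment section. The recovered tail of $v^*$ is the coefficient vector itself, and for $v^{**} = \xi v^*$ it is $\xi\beta_k \bmod q$, which is precisely the decomposition an LHSDC combiner needs and an SPS-LHSDC combiner avoids. The `in_span` check is not a substitute for Verify: it detects a packet whose data part was altered without updating the tail, but a malicious node can recompute a consistent tail, so only the signature binds the packet to the signer's subspace.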


Figure 8 RAM usage. DOI: 10.7717/peerj-cs.1978/fig-8

If $t = T$, $\mathcal{B}$ gives up the simulation; otherwise, $\mathcal{B}$ queries the list $L_k$ and returns $sk$. Query: $\mathcal{B}$ builds a list $L_H$ to record the $H_1$ queries, and each record in $L_H$ is $(\tau, f$

Table 2 Comparison of cost and functions.