Lattice-Based Incremental Signature Scheme for the Authenticated Data Update in Fog Computing



I. INTRODUCTION
Since cloud servers have strong computing power and professional analysis capability, users can enjoy professional services from the cloud, such as storing, managing and processing data. More and more enterprises and personal clients store their data on cloud servers. The Internet of Things (IoT) consists of millions of physical sensors. Informally, IoT pushes the internet to the edge of the world and connects everything to it, whereas cloud computing is a centralized architecture of the internet. Hence, we should combine IoT with cloud computing to exploit their respective advantages. Between IoT and cloud computing, a new mechanism is needed to collect, process and transfer data [1]. Fog computing is such a paradigm, and can be seen as a combination of IoT and cloud computing [2], [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Mansoor Ahmed.
Fog computing was first proposed by Cisco [4]. It is an extension of the cloud computing paradigm from the core to the edge of the network. Figure 1 shows the working mechanism of fog computing [5]. In fog computing, fog devices are used to collect, process and transfer data, and fog nodes are used to connect these devices and the cloud servers. Both devices and nodes have some storage and processing capabilities, but these capabilities are limited. As a result, we should try to save resources when implementing functions in fog computing [6]. On the other hand, since both the devices and the fog nodes are distributed and operate in complex working environments, they are vulnerable to attack by various types of adversaries. Hence, the potential security risks of fog computing should be resolved [7].
When the devices transfer data to a fog node, or the fog nodes transfer documents to servers, a digital signature should also be sent to protect against forgery attacks. Since the data collected by the devices or fog nodes may be incomplete, additional supplementary information is sometimes needed to update the original message. For example, in a weather forecasting system, the detection device has some new data u_add that modifies some known data u which has already been collected by the fog node. Note that the modification is partial, which means that most parts remain unchanged between the messages u + u_add and u. As a result, asking the device to sign the whole message u + u_add again is not efficient. How to efficiently authenticate the updated data is therefore an interesting topic for fog computing.
An incremental signature can be used to update the signature efficiently in fog computing. More precisely, if the document u needs to be modified by u_add, then instead of re-signing the whole message u + u_add, we just update the original signature of document u by signing the additional message u_add [8]. Clearly, the incremental signature provides an efficient authentication method that saves the bandwidth and the computing cost of fog computing.
Incremental cryptography was introduced by Bellare, Goldreich and Goldwasser, and gives an efficient solution to secure data update [9]. Since then many incremental cryptographic schemes have been proposed [8], [10]-[14]. These schemes give very elegant constructions, but are not quantum secure. [10] first considered quantum security and proposed a lattice-based incremental signature scheme in the standard model. However, the space size of the scheme in [10] is too large to be used in fog computing. In fact, both the public key size and the signature length of the scheme in [10] should be improved to save storage resources and bandwidth, especially considering its application in fog computing.

A. OUR WORK
This paper proposes an efficient lattice-based incremental signature scheme in the standard model. We prove that the proposed scheme is unforgeable, with security based on the shortest integer solution problem. Compared with the known lattice-based incremental signature scheme in [10], we add a ring operation into the message coding to conceal the coding structure of the message. This idea lets us delete a matrix from the public key and also avoids running the random sample operations in both the Sign and InSig algorithms. As a result, the proposed scheme has some advantages in signature length, public key size and running speed. Moreover, parallel computing and pre-computing can be widely used in the proposed scheme to improve its running speed. To check the computing speed of the proposed scheme, a simulated experiment written in Java on a PC is given in this paper. The result shows that updated data can be authenticated at much lower cost than re-signing the whole data. Moreover, the running speeds of all algorithms in the proposed scheme are higher than those of the scheme in [10], for example when generating a signature or updating a signature.

B. RELATED WORK
Known as post-quantum cryptography, lattice-based cryptography has gained more and more attention in recent years. There are two approaches for designing lattice-based digital signature schemes. One, proposed by Lyubashevsky, uses the Fiat-Shamir technique [15]. The other uses the hash-and-sign method in [16]. In [16], the trapdoor basis [17] of a lattice is used as a private key to sign a message. Since then the trapdoor basis has been widely used in the design of lattice-based signature schemes [18], [19]. Another important and efficient lattice-based trapdoor was proposed by D. Micciancio and C. Peikert [20]. With the novel trapdoor of [20], the efficiency of lattice-based digital signatures has been improved. In fact, the lattice-based incremental signature scheme in [10] is designed using the trapdoor in [20]. To conceal the linear structure of the message coding, an additional random matrix must be introduced into the public keys in [10]. For the same reason, the signer must choose a Gaussian vector in both the Sign and InSig algorithms, which occupies the computing resources of the signer in [10]. As described above, improving the efficiency of the lattice-based incremental signature scheme is an important requirement for authenticating updated data in fog computing. This paper uses the trapdoor in [20] to design the incremental signature scheme.

A. NOTATIONS
Matrices and vectors in column form are denoted by bold upper-case and bold lower-case letters respectively. Let $\|\cdot\|$ be the Euclidean norm. The matrix norm is defined to be the norm of the longest column. An unspecified function $f(n) = O(n^c)$ for a constant $c$ is written as poly(n). Function g(n) is negligible if g(n) = 1/poly(n). We say a function $g(n) = \omega(f(n))$ if it grows faster than $c f(n)$ for any constant $c$. $D_\alpha$ denotes the Gaussian distribution over $\mathbb{R}$ with parameter $\alpha$.

B. LATTICE
Given n linearly independent vectors $B = \{b_1, b_2, \dots, b_n\}$, a lattice is defined as We call B the basis of the lattice. B is a trapdoor basis when all the basis vectors have small Euclidean norms. Note that the trapdoor basis of the lattice can act as a trapdoor of a lattice-based cryptographic scheme [17].
Compared with the traditional trapdoor basis of a lattice, D. Micciancio and C. Peikert proposed a more efficient trapdoor for cryptographic lattices, called the G-trapdoor [20]. Informally, it has some advantages over the trapdoor basis, such as a smaller lattice dimension and a shorter trapdoor size. Moreover, the G-trapdoor also supports the Gaussian sampler and the delegation functions, which are important for the design of lattice-based schemes.
Given parameters $(n, m, q, k)$ and a primitive matrix $G \in \mathbb{Z}_q^{n \times nk}$ [20], the G-trapdoor is defined as follows.

Definition 1: Given matrices
Given parameters $(n, m, q)$ and a random vector $y \in \mathbb{Z}_q^n$, the following special integer lattices are widely used in the design of the lattice-based cryptographic scheme,
Just like the known lattice-based signature schemes, we will also design the incremental signature scheme based on the SIS problem in this paper. More precisely, the SIS problem is described as follows.
Definition 2: Given a real number $\beta$ and $A \in \mathbb{Z}_q^{n \times m}$, the SIS problem is to find a nonzero vector $e \in \mathbb{Z}_q^m$ which satisfies $Ae = 0 \pmod{q}$ and $\|e\| \le \beta$.

C. DISCRETE GAUSSIAN DISTRIBUTION
The discrete Gaussian distribution on lattice ⊥ q (A) (A ∈ Z n×m q ) plays an important role in the design of lattice-based cryptography. More precisely, the discrete Gaussian on lattice is defined as a ''conditional'' distribution .
The smoothing parameter is an important concept that proposed by [21]. Let be a lattice and > 0 be a positive real, smoothing parameter η ( ) is defined to be the smallest positive σ satisfying ρ 1/σ ( * \{0}) ≤ . About smoothing parameter, the following results hold.
(1) When σ > η ( ), every coset of has roughly equal mass. ( There are several lemmas which are important for the design in this paper.
statistically close to the uniform distribution and with its G-trapdoor R ← D Zm ×w ,s . Lemma 1 [20] shows that the G-trapdoor of the lattice can be generated by an efficient algorithm. Clearly, Lemma 1 can be used to generate the public key and private key of the lattice-based cryptography.
Lemma 2: For the same parameters as Lemma 1, inputting and an aim vector u ∈ Z n q , there is a PPT algorithm SampleD(A, R, H , u, s) that outputs a vector e whose distribution is close to the Gaussian distribution.
The Gaussian distribution of the sampled vector protects the trapdoor information, which is very important to the security of a lattice-based signature scheme. For this reason, the SampleD algorithm [20] can be used to design the signing algorithm of a lattice-based scheme.
Lemma 3: t i ∈ Z m and x i are mutually independent random variables sampled from a Gaussian distribution D t i + ,σ over t i + for i = 1, 2, · · · , k in which is a lattice and σ ∈ R is a parameter. Let c = (c 1 , · · · , c k ) ∈ Z k and g = gcd(c 1 [19] is important for our signature update and the security proof in this paper. In general, Lemma 3 ensures that the combination of the Gaussian vectors is still distributed according to the Gaussian distribution.
Lemma 4: [16] Given a random matrix A ∈ Z n×m q whose columns generate Z n q , ∈ (0, 1) and s > η ( ⊥ q (A)). If e ∼ D Z m , s, then the distribution of the syndrome u = Ae(modq) is within statistical distance 2 of the uniform distribution.
Kg: Inputting a security parameter n, it returns a key pair (sk, pk) where sk is the private key and pk the public key.
VOLUME 8, 2020
Sign: It is a PPT algorithm, inputting private key sk, a document D and its tag id, that returns the signature s, in which the document is divided into a sequence of blocks of fixed size.
InSig: It is an incremental update algorithm, which inputs sk, (D, id), a modification file D and the primitive signature s, that returns the modified signature s of the modification file (D , id).
Verify: It is a deterministic polynomial time algorithm that inputs a public key pk and a signature s of document (D, id), no matter whether it was generated by the Sign algorithm or the InSig algorithm, and returns 1 if the signature is valid, 0 otherwise.
The main security requirement of incremental signature schemes is existential unforgeability under the chosen message attack.
Definition 4: An incremental signature scheme is existentially unforgeable under a chosen message attack if any PPT adversary's advantage is negligible in the following game.
1. Setup. The challenger obtains a public and private key pair (pk,sk) by running Kg algorithm. Public key pk is sent to the adversary.
2. Signing queries. The adversary adaptively queries the signing oracle q 1 times. The challenger should simulate the Sign algorithm to answer the signing queries.
3. Incremental update queries. The adversary adaptively queries the InSig oracle q 2 times. The challenger should simulate the InSig algorithm to answer these incremental update queries.
4. Forgery. When the challenger has responded to all the queries and the adversary is satisfied with all the responses, the adversary should output a forged message and signature pair (D * , id * , s * ). D * is neither a document signed by the signing oracle nor an updated document whose signature has been obtained from the incremental update oracle. If (D * , id * , s * ) is accepted by the Verify algorithm, then the adversary wins the game.

III. INCREMENTAL SIGNATURE SCHEME IN THE STANDARD MODEL
Given security parameters $n$ and $q > 2$, the other parameters $(k, m, \omega, \bar{m} = m - \omega, \sigma)$ can be generated from $n$ and $q$. The tag of the document belongs to $\mathbb{Z}_2^l$ in which $l \le n$. Let the primitive matrix $G \in \mathbb{Z}_{2q}^{n \times m}$ and let $c \le \sqrt{l}$ be the maximum number of updates of the incremental signature. The sender is Alice and the recipient verifier is Bob.
Kg. Alice inputs the tag of the G-trapdoor I n×n and the random matrixĀ ∈ Z n×m 2q into the algorithm in Lemma 1. Then, Alice generates A ∈ Z n×m 2q and its G-trapdoor Alice randomly chooses l matrices over Z n×m 2q denoted by C 1 , · · · , C l respectively.
Then the public key of Alice is (A, C 1 , · · · , C l ) and private key R.

Sign. Message matrix D is divided into a sequence of blocks
The tag of the message is $id = (id_1, id_2, \dots, id_l)^T \in \{0, 1\}^l$. Alice generates the signature of D as follows:
1. Computes u = l j=1 q 2 (−1) id j C j d j (mod2q).
2. Generates a preimage of u by SampleD algorithm:
Hence, (e, id) is a signature of D.
InSig. For simplicity, we suppose that only one block d i of the document needs to be updated and the other blocks remain unchanged. Given the updated message d i of d i , the InSig algorithm runs as follows.
1 Generates a preimage of u :
Verify. To verify the signature (e, id) of the message D, Bob does as follows:

Accepts (e, id) if and only if:
m.

IV. SCHEME ANALYSIS

A. CORRECTNESS
For security parameters n and q > 2, we set k = log q , m = O(kn) = m − ω, ω = 2nk and σ = O( √ lnk)ω( √ log n). Then under the given parameters, the sign key of Alice in this paper is a G-trapdoor [20]. Hence, the SampleD algorithm in Lemma 2 works. Then, the correctness of the proposed scheme can be shown as follows.
Case 1: For a primitive signature (e, id), it is an output of the SampleD algorithm. According to [20], we know that $Ae = u \pmod{2q}$ and $\|e\| \le \sigma\sqrt{m}$ hold. Hence it can be accepted by the Verify algorithm.
Case 2: If (e + e , id) is an output of the InSig algorithm and only one block is updated, it also can be accepted by the Verify algorithm.
On the other hand, ||e + e || ≤ 2 So that (e + e , id) is a signature of the message vector is an output of the Insig algorithm and c (≤ c) blocks of document are updated, then this incremental signature also can be accepted by the Verify algorithm. Let the updated message be On the other hand, The correctness of the proposed scheme is proven.

Theorem 1: If there is an adversary that can win the unforgeability game of the incremental signature scheme with probability ε, there is a challenger that can solve the SIS problem with probability approaching ε/(q − 1).
Suppose there exists a PPT adversary A gaining an advantage ε in the unforgeability game. Then a PPT challenger C can be constructed to solve the SIS problem with advantage ε/(q − 1).
Suppose that the challenger C wants to solve an SIS instance (A 0 ∈ Z n×m 2q , q, n, σ, L). That is, C hopes to find a vector e satisfying e ≤ 2Lσ √ m and A 0 e = 0(mod2q). C does as follows: (1) Sets A = q 2 A 0 (mod2q); (2) Randomly chooses E i for i = 1, 2, · · · , l according to the distribution D m×m s where s = L l 2 σ and ensures row vectors of these matrices are linearly independent. According to [16], we can ensure that E i are row linearly independent by at most choosing n 2 vectors.
(4) The Gaussian parameter is defined to be Lσ .
} to A as the public key. To finish the security game, C keeps a list to store the answers to the signature oracle. The Gaussian parameter is defined to be the sufficiently large number Lσ .
Since A 0 is random and uniform, A = qA 0 (mod2q) is also random and uniform. On the other hand, since the Gaussian parameter s is larger than the smoothing parameter, the public matrices C i are close to the uniform distribution. As a result, C can perfectly simulate the attack environment.
Sign Query. When C needs to answer a sequence of sign queries, it first checks the freshness of each query against the list. If the message D has been queried before, then the same answer is returned. For a fresh message, if $D_i$ is represented by $l$ blocks $d_{ij} \in \mathbb{Z}_2^m$ for $1 \le j \le l$, C chooses a fresh identifier $id^{(i)} \in \{0, 1\}^l$ and computes $e_i = \sum_{t=1}^{l} (-1)^{id^{(i)}_t} E_t d_{it}$ as the signature of the queried message. C outputs $(id^{(i)}, e_i)$ as the answer. C stores $(id^{(i)}, D_i, *, e_i)$ in the list L.
The adversary verifies the signature by the Verify algorithm. In fact, and

Incremental Update Queries.
A can query the incremental update oracle adaptively. For a message D i and the updated message d ij to the jth block of D i , the challenger first checks the list L to make sure that the message D i has been queried and D i = (d i1 , · · · , d ij , · · · , d il ) has never been queried. Otherwise, if D i has been queried then the same answer is returned. For a fresh incremental update query, the challenger first reads (id (i) , D i , e i ) from the list L. Then the challenger computes . Hence, the incremental signature is (id (i) , e i + e i (mod2q)) and (id (i) , D i , D i , e i + e i (mod2q)) is stored in the list.
A(e + e ) = Ae + Ae On the other hand, ||e + e || ≤ Lσ √ m holds. As a result, in view of the adversary, (id (i) , e i + e i (mod2q)) is a signature of D i .
If A asks for more than one block of the document to be updated, C can answer the query by operations similar to those shown above for the case in which only one block needs to be updated.
After both the Sign and the Incremental update queries are finished, A forges a signature (e * , id * ) of the message D * with the probability ε in which D * is never queried in the Sign or Incremental Update queries.
As a result, C would solve the SIS problem with probability $\frac{1}{q-1}\left(1 - 2^{-\omega(\log n)}\right)\varepsilon$.
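The linearity used in the Sign Query and Incremental Update Queries steps above, as an added example (not the paper's code): the simulator signs with short matrices E_t instead of a trapdoor, and a one-block update costs one matrix-vector product. Toy insecure sizes, ternary E_t instead of Gaussian, the norm bound, all function names, and the public matrices T_t = A·E_t standing in for the scaled C_t are assumptions.

```python
import random

# Toy, insecure sizes picked for this example (not the paper's parameters).
N, M, L, MOD = 4, 8, 3, 2 * 17           # rows, columns, blocks, modulus 2q
BOUND_SQ = M * (L * M) ** 2              # worst-case ||e||^2 for ternary E_t

def matvec(mat, vec, mod=None):
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [x % mod for x in out] if mod else out

def setup(seed=1):
    """Simulator-style keys: short E_t kept secret, T_t = A*E_t (mod 2q) public.
    T_t stands in for the scaled public matrices C_t (assumption)."""
    rng = random.Random(seed)
    A = [[rng.randrange(MOD) for _ in range(M)] for _ in range(N)]
    E = [[[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
         for _ in range(L)]
    T = [[matvec(A, col, MOD) for col in zip(*E_t)] for E_t in E]  # columns of A*E_t
    T = [[list(r) for r in zip(*cols)] for cols in T]              # back to row-major
    return A, E, T

def sign(E, blocks, tag):
    """e = sum_t (-1)^{id_t} E_t d_t, computed over the integers."""
    e = [0] * M
    for E_t, d_t, bit in zip(E, blocks, tag):
        e = [x + (-1) ** bit * y for x, y in zip(e, matvec(E_t, d_t))]
    return e

def in_sig(E, e, tag, i, old_block, new_block):
    """Touch block i only: e' = (-1)^{id_i} E_i (d'_i - d_i); return e + e'."""
    diff = [b - a for a, b in zip(old_block, new_block)]
    return [x + (-1) ** tag[i] * y for x, y in zip(e, matvec(E[i], diff))]

def syndrome(T, blocks, tag):
    """u = sum_t (-1)^{id_t} T_t d_t (mod 2q), computable from public data."""
    u = [0] * N
    for T_t, d_t, bit in zip(T, blocks, tag):
        u = [(x + (-1) ** bit * y) % MOD for x, y in zip(u, matvec(T_t, d_t))]
    return u

def verify(A, T, blocks, tag, e):
    """Accept iff e is short and A e = u (mod 2q)."""
    short = sum(x * x for x in e) <= BOUND_SQ
    return short and matvec(A, e, MOD) == syndrome(T, blocks, tag)

def demo():
    A, E, T = setup()
    rng = random.Random(2)               # constructed sample document
    blocks = [[rng.randrange(2) for _ in range(M)] for _ in range(L)]
    tag = [1, 0, 1]
    e = sign(E, blocks, tag)
    new_block = [1 - b for b in blocks[1]]
    updated = blocks[:1] + [new_block] + blocks[2:]
    e_upd = in_sig(E, e, tag, 1, blocks[1], new_block)
    return {
        "original_ok": verify(A, T, blocks, tag, e),
        "updated_ok": verify(A, T, updated, tag, e_upd),
        "matches_resign": e_upd == sign(E, updated, tag),
        "stale_rejected": not verify(A, T, updated, tag, e),
    }
```

The old signature fails against the updated document, so a verifier must always be given the signature that matches the current blocks.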

C. EFFICIENCY
We compare the public key size and the signature length of the proposed scheme with those of the scheme in [10]. Let (n, m) be the numbers of rows and columns of the lattice matrix and l be the length of the tag. Table 1 gives the details of the space efficiency comparison. Furthermore, to make the comparison concrete, we give three groups of concrete parameters as shown in Table 2, under which the message length |ID| equals 48K, 90.75Kb and 180.5Kb respectively. Under these parameters, a more concrete comparison between this paper and [10] is given in Figure 2 and Figure 3. It can be seen that the proposed scheme has some advantages in public key size and signature length. In particular, the signature length of the proposed scheme has been reduced efficiently. As a result, the space efficiency of the proposed scheme helps to save storage resources and bandwidth when the proposed scheme is applied in fog computing.
To check the computing speed of the proposed scheme, we first analyze the overall computing costs of the schemes in [10] and in this paper in Table 3. In Table 3, let T s , T m , T a , T sampled denote the running times of random Gaussian sampling, multiplication of matrices and 0-1 vectors, addition of vectors and the SampleD algorithm respectively. We only consider updating one block in Table 3. We then simulated the proposed scheme in Java on a PC with an Intel(R) Core(TM) i7-8700K (3.7GHz) and 32G RAM. We vary the parameter l to check the running times of the Sign and InSig algorithms, and the other parameters are set to the first group of parameters in Table 2. More precisely, l = 8, 16, 24, 32, 40, 48 are considered in the simulation. All the simulations are run 10 times and the average running times are used in the following analysis. We also tested the scheme in [10] on the same PC. Figure 4 shows the comparison details of the Sign algorithm. If only one block is updated in the InSig algorithm, the running time of our scheme compared with [10] is 0.181s versus 0.446s. That is, the running time of InSig in our proposed scheme is about 40.5% of that in [10]. In order to check the efficiency of the InSig algorithm, updates of more blocks are considered in the following simulation. Figure 5 shows the running times of the InSig algorithm in the simulation.
We explain the simulation results in Figure 4 and Figure 5 as follows.
1. When we run the Sign algorithm, we use parallel computing to compute the multiplication of matrices and vectors in our simulation, and we only consider the online time of the SampleD algorithm. In fact, according to the work in [20], many off-line operations in the SampleD algorithm can be finished by pre-computing. As a result, these parallel computing and pre-computing operations have improved the running speed of our proposed scheme. Figure 6 shows the CPU status when we used parallel computing to improve the running speed of the Sign algorithm in our simulation.
2. Under the parameters given in the first entry of Table 2, the size of one block of the message is about 1.5K. Hence, we use the InSig algorithm to update 1-6 blocks of the message to check the running speed. In this process, we do not use parallel computing. Figure 5 shows the running time of the InSig algorithm. In fact, if more than one block needs to be updated, parallel computing can also be used to compute the multiplication of matrices and vectors. Clearly, the InSig algorithm can achieve the signature update with much less computation. Hence the proposed scheme helps us to update the data at less cost than re-signing the data. Figure 4 and Figure 5 show that the advantage of the incremental signature scheme becomes clearer when it is used to update a bigger document.

V. CONCLUSIONS
Data update is a common demand in fog computing. In order to authenticate updated data efficiently, we present an efficient lattice-based incremental signature scheme in the standard model. The security of the proposed incremental signature scheme is based on the standard SIS problem. By using the proposed scheme, updated data can be authenticated at much lower cost than re-signing the whole updated data. The analysis shows that the computing speed of the proposed scheme can be easily improved by parallel computing and pre-computing operations. Compared with a known incremental signature scheme over lattices, the proposed scheme has some advantages in public key size and signature length. Hence, the proposed scheme gives an efficient solution to the authentication of updated data in fog computing. There are still many topics that need to be studied, such as how to reduce the space size of the lattice-based incremental signature scheme, especially the public key size. On the other hand, how to achieve more incremental update operations with lattice tools, such as deletion and insertion in the message, needs to be studied in the future.