Journal of Systems Architecture 160 (2025) 103362

Quantum-safe identity-based designated verifier signature for BIoMT

Chaoyang Li a,b,*, Yuling Chen a, Mianxiong Dong c, Jian Li d, Min Huang b, Xiangjun Xin b, Kaoru Ota c

a State Key Laboratory of Public Big Data, Guizhou University, Guizhou Guiyang, 550025, China
b College of Software Engineering, Zhengzhou University of Light Industry, Zhengzhou 450001, China
c Department of Sciences and Informatics, Muroran Institution of Technology, Muroran 050-8585, Japan
d School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China

* Corresponding author at: College of Software Engineering, Zhengzhou University of Light Industry, Zhengzhou 450001, China. E-mail address: lichaoyang@zzuli.edu.cn (C. Li).
https://doi.org/10.1016/j.sysarc.2025.103362
Received 9 December 2024; Received in revised form 13 January 2025; Accepted 6 February 2025; Available online 15 February 2025
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

ARTICLE INFO
MSC: 00-01; 99-00
Keywords: Blockchain; Internet of medical things; Identity; DVS; Privacy-preserving

ABSTRACT
Blockchain technology changes the centralized management form of traditional healthcare systems and constructs a distributed and secure medical data-sharing mechanism to achieve data value maximization. However, the advanced capabilities of quantum algorithms bring a serious threat to current blockchain cryptographic algorithms, which are based on classical mathematical difficulties. This paper proposes the first quantum-safe identity-based designated verifier signature (ID-DVS) scheme for blockchain-based Internet of medical things (BIoMT) systems. The scheme is constructed on the lattice assumption of the short integer solution (SIS) problem, which is believed to resist quantum attacks. The identity mechanism helps to establish a transaction traceability mechanism when data is shared among different medical institutions. The designated verifier mechanism also prevents unauthorized users from accessing data, improving the security of medical data-sharing processes. Next, this ID-DVS scheme is proved in the random oracle model to achieve the security properties of anonymity and unforgeability. It also captures post-quantum security. Then, the performance analysis of key size and time consumption is presented, and the results show that this ID-DVS is more efficient than other similar schemes. Therefore, this work supports secure medical data-sharing and protects the privacy of users and medical data.

1. Introduction

Blockchain-enabled Internet of Medical Things (BIoMT) profoundly affects people's lives and health with the gradual increase of wearable health devices [1]. Firstly, blockchain technology helps to establish a distributed medical data-sharing framework among different medical institutions, which replaces the traditional centralized management form and achieves cross-institutional medical data utilization. Then, the BIoMT solves the problems of collecting, storing, sharing, and using massive medical data. However, the security issues with medical data and user privacy in the cross-institutional data-sharing process have gained much attention as more sensitive information is inserted into these medical data. Especially for sensitive information protection, users do not want to give non-specified users access to the data. Hence, one-to-one data sharing can effectively prevent the leakage of sensitive information.

Blockchain cryptography has received more attention as it is increasingly essential in most blockchain-based applications [2]. It relates to the cryptographic algorithms of symmetric cryptography, asymmetric cryptography, hash functions, public key infrastructure, Merkle trees, digital signatures, and zero-knowledge proofs, which are utilized to better adapt to transaction privacy protection in the blockchain network. These blockchain cryptographic technologies jointly protect transaction security and user privacy. For example, the digital signature is responsible for transaction verification in the consensus process and for establishing links to different blocks [3]. The signature also provides the transaction traceability mechanism when disputes occur. In particular, the DVS is more suitable for one-to-one data-sharing among different BIoMT systems, as it can guarantee the non-delegatability of the signature. These technologies construct the trust foundation for the blockchain-based network, as these NP-hard problem-based cryptographic algorithms cannot be broken with the most advanced current classical computer. Most of these algorithms are based on RSA and ECC cryptographic theories, but the fundamental problems of large integer factorization and discrete logarithms are weak against the quantum attack [4].

The quantum threat is the main concern in current information systems with the rapid developments of quantum computers and quantum computing. The Grover quantum algorithm can speed up the efficiency of target search, which brings threats to the symmetric cryptographic algorithm, for example Elliptic Curve Cryptography (ECC), by decreasing the search complexity from $O(N)$ to $O(\sqrt{N})$ [5]. The Shor quantum algorithm can achieve exponential acceleration for large integer factorization [6], which brings threats to asymmetric cryptography, for example RSA. In recent years, post-quantum cryptographic algorithms have gained much attention in the areas of scientific research, finance, and industry [7]. Currently, code-based cryptography, hash cryptography, lattice cryptography, and multivariate-quadratic-equations cryptography are some well-known post-quantum cryptographic (PQC) algorithms. Code-based cryptography was first proposed by McEliece [8] and is constructed from error correction codes. Although this cryptosystem has a significant anti-quantum attack advantage, its key size disadvantage makes it unsuitable for IoT systems. Hash cryptography was initially introduced by Lamport [9], using the one-way function to provide quantum-proof security. The Merkle tree is another well-known hash-based cryptosystem [10]. These hash-based algorithms are not based on solving hard mathematical problems, but they obtain the properties of one-wayness, collision resistance, and preimage resistance. Lattice cryptography is one of the suggested PQC schemes in the NIST call, and was first proposed by Ajtai [11]. Multivariate-quadratic-equations cryptography is another kind of PQC that is based on the complexity of solving multivariate equations [12]. This kind of PQC algorithm suffers from efficiency hardship with large key size and ciphertext overhead.

This paper focuses on the needs of security and integrity, and proposes a lattice-based ID-DVS scheme to cover the privacy-preserving issues, such as designated verifier, signer's anonymity, and signature non-delegatability, in the BIoMT system. The contributions are summarized as follows.

• A lattice-based ID-DVS scheme has been proposed. This is the first ID-DVS scheme constructed with rejection sampling in the Gaussian distribution and the SIS lattice problem. The identity mechanism in this ID-DVS provides transaction traceability for medical data-sharing, and the designated verifier setting protects user privacy as unauthorized users cannot access the transaction.
• The security proof of the proposed ID-DVS scheme is given. In the random oracle model, this ID-DVS scheme can be proved to satisfy the security properties of anonymity and unforgeability. Meanwhile, this ID-DVS scheme can resist the quantum attack with the lattice assumption, which can prevent the quantum adversary in the future quantum computer age.
• The efficiency comparison and performance analysis are presented. The key size, time consumption, and energy consumption are calculated and compared with other similar schemes. The results show that this ID-DVS scheme is more efficient, and can well support secure medical data-sharing among different BIoMT systems.

Next, the related work is given in Section 2, some preliminaries are shown in Section 3, the ID-DVS scheme is proposed in Section 4, the security of the ID-DVS scheme is analyzed and proved in Section 5, the performance analysis is in Section 6, and the conclusion is in Section 7.

2. Related work

This paper mainly focuses on the research and applications of blockchain cryptography in BIoMT. Some reviews of blockchain cryptography for BIoMT, PQC, and lattice-based signature theory about this theme are given in the following subsections.

2.1. Blockchain cryptography for BIoMT

In the BIoMT system, identity authentication, data encryption/decryption, and transaction verification all need blockchain cryptography algorithms to protect privacy security in the medical data-sharing processes. For identity authentication, Jia et al. [13] constructed a privacy-aware authentication model with blockchain and proposed two authentication protocols based on ECC and a physically unclonable function algorithm respectively to enhance privacy security in the IoMT ecosystem. Lin et al. [14] proposed a mutual user authentication protocol with the ECC algorithm, which could achieve legal user authentication in blockchain-based IoMT networking. Chen et al. [15] designed a certificateless aggregate signcryption scheme based on ECC to protect data privacy in IoT applications, but it could not provide anti-quantum attack security. Han et al. [16] introduced a blockchain-based privacy-preserving framework and a public key searchable encryption scheme to strengthen data traceability. Zou et al. [17] introduced a credential-embedded authentication protocol to protect users' privacy and designed an authenticated key agreement protocol to support bilateral authentication for medical data-sharing through IoMT systems. For data encryption/decryption, Guo et al. [18] presented an attribute-based encryption protocol with a ciphertext policy and set an outsourced online/offline revocable mechanism to guarantee fine-grained access control. Li and Dong et al. [19] gave a keyword-searchable encryption scheme to achieve cross-institution medical data utilization and established an on-chain ledger and off-chain storage model to reduce ledger redundancy. Liu et al. [20] designed a certificateless public key encryption protocol based on high-consumption bilinear pairing, combining the keyword search function to protect medical data in IoMT. Qu et al. [21] introduced an interesting work on quantum blockchain to improve privacy security in IoMT, which utilized quantum signature and quantum identity authentication to achieve secure medical data-sharing with the quantum cloud. For transaction verification, Mao et al. [22] presented an identity-based aggregated signature scheme for IoMT, which could enable efficient local verification of medical data with a locally verifiable mechanism. Zhang et al. [23] proposed a certificateless signcryption protocol to guarantee privacy security in IoMT, which utilized bilinear pairings and zero-knowledge proof to resist super-level internal adversaries. Li et al. [24] proposed a designated verifier signature scheme and established a cross-chain medical data-sharing framework to support secure and efficient data-sharing among different BIoMT systems.

With the deepening application of blockchain in BIoMT, research on blockchain cryptographic algorithms applicable to medical data-sharing transactions is also more urgent. Most of these BIoMT systems are also based on RSA and ECC cryptographic algorithms, which are vulnerable to quantum attacks. So it is urgent to seek more secure anti-quantum cryptographic algorithms to equip current BIoMT systems.

2.2. Post-quantum cryptography

PQC utilizes classical computationally hard problems to construct quantum-safe cryptosystems for current information systems. Especially for the sensitive information protection of medical data in BIoMT systems, the practical application of PQC is important and necessary. For code-based cryptography, Thiers et al. [25] presented a decoding algorithm based on $q$-ary codes, which could achieve low complexity and anti-quantum security. Alahmadi et al. [26] introduced a signature scheme with error-correcting codes for blockchain-based networks and utilized bounded distance decoding for signature verification. For hash cryptography, Punithavathi et al. [27] established a double-layer encryption framework and proposed a crypto hash algorithm to resist malware attacks in medical data-sharing processes in the IoMT system. Kuznetsov et al. [28] gave the performance analysis of the hashing algorithm in blockchain-based systems and compared it with other related hashing algorithms to show its efficiency and practicality. For lattice cryptography, Ye et al. [29] designed a traceable ring signature scheme based on the lattice assumption for IoMT, which could obtain tag-linkability and exculpability in the random oracle model. Bagchi et al. [30] utilized the ring LWE problem to construct an aggregate signature scheme and applied this scheme to the Internet of drones for privacy preservation. For multivariate-quadratic-equations cryptography, Shim et al. [31] proposed a post-quantum signature with multivariate quadratic equations, which supported dramatic online signing for cryptographic systems. These four PQC proposals are not only generally used for creating encryption/decryption and digital signature algorithms, but also for key exchange and authentication cryptosystems in the not-too-distant future.

This paper plans to utilize lattice theory to construct a PQC signature algorithm, as the digital signature plays an essential role in transaction signing, blockchain system consistency, and data ownership confirmation in BIoMT systems.

2.3. Lattice-based signature theory

Lattice cryptography serves as one promising PQC theory that has gained much attention in recent years. Its security is also based on some NP-hard problems, such as the shortest vector problem (SVP), shortest independent vectors problem (SIVP), closest vector problem (CVP), short integer solution (SIS), learning with errors (LWE), bounded distance decoding problem (BDD), and so on [32]. The Number Theory Research Unit (NTRU) algorithm is based on SVP or SIVP and is designed with the polynomial ring. The scheme in Ref. [19] is based on this mechanism. Kim et al. [33] introduced a key encapsulation mechanism with the NTRU lattice, which could resist significant cryptanalytic attacks in current information systems. The LWE is a CVP in which the hardness is solving linear equations with noise. The scheme in Ref. [29] is based on this mechanism. Li and Jiang et al. [34] proposed a group signature scheme with the SIS lattice problem, which had been applied to the IoMT system with blockchain technology for secure medical data-sharing. Yu et al. [35] designed an NTRU-based certificateless ring signature for electronic voting, which could obtain the properties of quantum immunity, unconditional anonymity, and unforgeability. The ring-LWE is a variant of LWE that has more strengthened security properties. The schemes in Ref. [30] are based on this mechanism. Yao et al. [36] designed a public-key authenticated encryption protocol with ring-LWE in the ideal lattice, which also could achieve keyword search ability in cloud computing. Zhang et al. [37] proposed a DVS scheme with the chameleon hash and without trapdoors, which could achieve non-delegatability. Zhang and Sun et al. [38] presented an ID-DVS scheme with a function of signature evolution, which also added proxy and re-signature functions. Simple comparisons of these lattice-based schemes are shown in Table 1.

Table 1. Lattice-based schemes comparison.

| Ref. | Lattice problem | Advantage | Limitation |
| Kim et al. [33] | NTRU | Key encapsulation; Randomness-recovery; Encoding | Centralized KGC; Key escrow; Chosen ciphertext attack weak |
| Yu et al. [35] | NTRU and SIS | Certificateless; Ring signature | Private key management |
| Li and Jiang et al. [34] | ring-LWE and SIS | Non-delegatability; Bimodal Gaussians | Centralized KGC; Key escrow |
| Yao et al. [36] | ring-LWE and ring-ISIS | Ring analog; Authenticate ciphertext | Centralized KGC; Key escrow |
| Zhang et al. [37] | ring-LWE and SIS | Non-delegatability; Chameleon hash | Centralized KGC; Key escrow |
| Zhang and Sun et al. [38] | ring-LWE | Re-signature; Semi-trusted proxy; Signature evolution | Centralized KGC; Key escrow; Double time consumption |

As in BIoMT, the protection of sensitive information in medical data is essential in the medical utilization processes among different medical institutions. Meanwhile, the threats to classical cryptographic algorithms from quantum computers should be taken more seriously. Therefore, this paper addresses security and privacy issues related to system users and medical data by proposing a quantum-safe ID-DVS scheme to strengthen the security of medical data-sharing in BIoMT systems.

3. Preliminaries

The lattice theories, ID-DVS scheme model, and security model are presented in this section.

3.1. Lattice theories

Definition 1 (Lattice [39]). Let $v_1, \ldots, v_n \in \mathbb{R}^m$ be a set of linearly independent vectors. The lattice $\Lambda_L$ generated by $v_1, \ldots, v_n$ is the set formed by integer linear combinations of the vectors $v_1, \ldots, v_n$:

$$\Lambda_L = \{a_1 v_1 + a_2 v_2 + \cdots + a_n v_n : a_1, a_2, \ldots, a_n \in \mathbb{Z}\} \quad (1)$$

Here, the matrix $A = (a_1, \ldots, a_m) \subset \mathbb{R}^{n \times m}$ is the coefficient matrix of the lattice $\Lambda$, where the dimension $n$ and rank $m$ of this lattice satisfy $m = O(n \log q)$.

Definition 2 (q-ary Lattice [39]). Eq. (1) is the "q-ary" lattice, which is constructed by a matrix $A \in \mathbb{Z}_q^{n \times m}$, a prime number $q$, and a vector $\mu \in \mathbb{Z}_q^n$:

$$\Lambda^{\perp}(A) = \{x \in \mathbb{Z}^m \mid Ax = 0 \bmod q\}, \qquad \Lambda^{\perp}_{\mu}(A) = \{x \in \mathbb{Z}^m \mid Ax = \mu \bmod q\} \quad (2)$$

Definition 3 (Gaussian Distribution [40]). The Gaussian distribution is $\rho_{c,\sigma}(x) = \exp\!\left(\frac{-(x-c)^2}{2\sigma^2}\right)$, where $\sigma \in \mathbb{R}$ is the standard deviation, $c \in \mathbb{R}$ is the center, and $x \in \mathbb{R}$. More generally, it can be defined as $\rho_{c,\sigma}(x) = \exp\!\left(\frac{-\|x-c\|^2}{2\sigma^2}\right)$ with $x, c \in \mathbb{R}^n$. When the center is $c = 0$, it becomes $\rho_\sigma(x)$. Meanwhile, $D_\sigma(x) = \rho_\sigma(x)/\rho_\sigma(\mathbb{Z})$ is the discrete Gaussian distribution over $\mathbb{Z}$, and $D_\sigma(x) = \rho_\sigma(x)/\rho_\sigma(\mathbb{Z}^m)$ is the general situation over $\mathbb{Z}^m$.

Definition 4 ($\mathfrak{R}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ Problem [40]). $\mathfrak{R}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ is defined as finding a non-zero $v \in \mathfrak{R}_q^m$ which satisfies $Av = 0$, where $\mathfrak{R}$ is a ring, $\kappa$ is a distribution over $\mathfrak{R}_q^{n \times m}$, $A \in \mathfrak{R}_q^{n \times m}$, and $\|v\|_2 \le \beta$.

Definition 5 ($\mathrm{SamplePre}(A, T, \sigma, y)$ [40]). Given a matrix $A \in \mathbb{Z}_q^{n \times m}$, a trapdoor basis $T$ of the lattice $\Lambda^{\perp}(A)$, $\sigma \ge L \cdot \omega(\sqrt{\log n})$, and a random vector $y$, $\mathrm{SamplePre}(A, T, \sigma, y)$ derives a non-zero vector $e \in \mathbb{Z}_q^m$ which satisfies $Ae = y \bmod q$. Here, $\|e\| \le \sigma\sqrt{m}$.

3.2. Model descriptions

The scheme model and security model are given in this subsection, and they provide the formal definition of an ID-DVS scheme.

(1) Scheme model

An ID-DVS scheme is mainly composed of five polynomial-time algorithms.

• Setup($1^n$): Input the security parameter $n$; the key generation center (KGC) outputs the system parameters $pp$ and the system master secret key $msk$.
• KeyGen.($ID_a, ID_b, pp, msk$): Input the identities $ID_a$ and $ID_b$ of the signer and designated verifier, $pp$, and $msk$; KGC generates the key pairs $(pk_a, sk_a)$ and $(pk_b, sk_b)$ respectively.
• Sign($pp, sk_a, pk_a, pk_b, \mu$): Input the message $\mu$, $pp$, $(pk_a, sk_a)$, and the designated verifier's public key $pk_b$; the signer generates an ID-DVS signature $(e, \mu)$.
• Verify($sk_b, pk_b, pk_a, \mu, e$): Input $(e, \mu)$, $pp$, $(pk_b, sk_b)$, and the signer's public key $pk_a$; the designated verifier checks the legality of the ID-DVS signature.
• Simulation($pp, sk_b, pk_b, pk_a, \mu$): Input the message $\mu$, $pp$, $(pk_b, sk_b)$, and the signer's public key $pk_a$; the designated verifier generates another ID-DVS signature $(e', \mu)$.

Table 2. System parameters.

| Notation | Meaning |
| $q$ | One large prime with $q = q(n) \ge 3$ |
| $n, m$ | The dimensions of the key matrix, with $m \ge 5n \log q$ |
| $\kappa$ | The system security parameter |
| $\mathbb{Z}$ | The integer matrix/vector set for system keys |
| $\sigma$ | A system parameter with $\sigma = L \cdot \omega(\sqrt{\log n})$ |
| $mpk$ | The group public key |
| $msk$ | The group master secret key |
| $ID_i$ | The user identity |
| $H_1, H_2$ | The cryptographic hash functions |
| $D^m_\sigma$ | The bimodal Gaussian distribution |
| $\sigma$ | The standard deviation for $D^m_\sigma$ |
| $\mu$ | The message to be signed |
| $pk, sk$ | The public and private keys for system users |
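The lattice objects of Definitions 1 to 5 in Section 3.1, as an added Python example (this is not the paper's code and not from any project of the authors): it checks membership in $\Lambda^{\perp}(A)$ and in the coset $\Lambda^{\perp}_{\mu}(A)$, tests a candidate SIS solution against the norm bound $\beta$, evaluates $\rho_{c,\sigma}$ and the normalised discrete Gaussian $D_\sigma$ over $\mathbb{Z}$, and samples $D_\sigma$ by rejection. The SIS instance is a constructed one with a planted short kernel vector so that the checker has something to accept; a real instance gives no such vector away. The last function shows the coset fact the unforgeability proof relies on later: two vectors with the same syndrome $\mu$ differ by an element of $\Lambda^{\perp}(A)$. The parameters $n = 3$, $m = 6$, $q = 97$ and the truncation window of $12\sigma$ are assumptions of this example.

```python
"""Added example for the lattice objects of Definitions 1-5 (Section 3.1).  Not
the paper's code.  Vectors are Python lists of ints and a matrix is a list of
rows; parameters are tiny, constructed values so each step can be checked by hand."""
import math
import random


def matvec_mod(A, x, q):
    """A x mod q for an n x m matrix A and a length-m vector x."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def in_lambda_perp(A, x, q):
    """Definition 2: x lies in the q-ary lattice Λ⊥(A) iff A x = 0 (mod q)."""
    return all(v == 0 for v in matvec_mod(A, x, q))


def in_lambda_perp_mu(A, x, mu, q):
    """Definition 2: x lies in the coset Λ⊥_μ(A) iff A x = μ (mod q)."""
    return matvec_mod(A, x, q) == [v % q for v in mu]


def l2_norm(x):
    return math.sqrt(sum(v * v for v in x))


def is_sis_solution(A, v, q, beta):
    """Definition 4 over Z: non-zero v with A v = 0 (mod q) and ||v||_2 <= beta."""
    return any(v) and in_lambda_perp(A, v, q) and l2_norm(v) <= beta


def rho(x, c, sigma):
    """Definition 3: Gaussian weight exp(-||x - c||^2 / (2 sigma^2)) with centre c."""
    d2 = sum((xi - ci) ** 2 for xi, ci in zip(x, c))
    return math.exp(-d2 / (2 * sigma ** 2))


def _window(sigma, tail):
    # Truncation window [-tail, tail] for sums over Z; 12 sigma leaves negligible mass outside (assumption).
    return tail if tail is not None else int(12 * sigma) + 1


def discrete_gaussian_pmf(k, sigma, tail=None):
    """D_sigma(k) = rho_sigma(k) / rho_sigma(Z): the discrete Gaussian over Z (truncated sum)."""
    t = _window(sigma, tail)
    z = sum(rho([j], [0], sigma) for j in range(-t, t + 1))   # rho_sigma(Z), truncated
    return rho([k], [0], sigma) / z


def sample_discrete_gaussian(sigma, rng, tail=None):
    """Rejection sampling from D_sigma: propose k uniform in [-tail, tail],
    accept with probability rho_sigma(k) (which is at most 1)."""
    t = _window(sigma, tail)
    while True:
        k = rng.randint(-t, t)
        if rng.random() < rho([k], [0], sigma):
            return k


def planted_sis_instance(n, m, q, rng):
    """Constructed SIS instance with a planted short kernel vector (demo only; a real
    instance hides it).  The last column of A is minus the sum of the others, so the
    all-ones vector v satisfies A v = 0 (mod q)."""
    A = [[rng.randrange(q) for _ in range(m - 1)] for _ in range(n)]
    for row in A:
        row.append((-sum(row)) % q)
    return A, [1] * m


def coset_difference_is_in_kernel(A, x1, x2, q):
    """Two vectors with the same syndrome mu (both in Λ⊥_μ(A)) differ by an element of Λ⊥(A)."""
    mu = matvec_mod(A, x1, q)
    if not in_lambda_perp_mu(A, x2, mu, q):
        return False
    return in_lambda_perp(A, [a - b for a, b in zip(x1, x2)], q)


def demo(seed=2025):
    rng = random.Random(seed)
    n, m, q = 3, 6, 97                                   # constructed toy parameters
    A, v = planted_sis_instance(n, m, q, rng)
    x1 = [rng.randint(-3, 3) for _ in range(m)]
    x2 = [a + b for a, b in zip(x1, v)]                  # same syndrome as x1, shifted by a kernel vector
    samples = [sample_discrete_gaussian(3.0, rng) for _ in range(200)]
    return {
        "v_is_sis_solution": is_sis_solution(A, v, q, beta=math.sqrt(m)),
        "coset_difference_in_kernel": coset_difference_is_in_kernel(A, x1, x2, q),
        "pmf_mass": sum(discrete_gaussian_pmf(k, 3.0) for k in range(-37, 38)),
        "sample_mean": sum(samples) / len(samples),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the planted all-ones vector is accepted as an SIS solution for $\beta = \sqrt{m}$, that the difference of two same-syndrome vectors lies in $\Lambda^{\perp}(A)$, that the truncated $D_\sigma$ sums to one, and that 200 rejection samples for $\sigma = 3$ have a mean close to zero.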
(2) Security model

An ID-DVS scheme must satisfy correctness, anonymity, and unforgeability. Correctness can be verified according to the verification process. Anonymity and unforgeability should be proved in the random oracle model as shown in the following Definitions 6 and 7, respectively. Note that only by passing this certification can it be shown that the designed ID-DVS scheme is safe. Next, the security proof model is constructed with a query-respond game, where an adversary Eve $E$ performs the queries and a challenger Charlie $C$ performs the responses.

Definition 6 (Anonymity). If an adversary can make the right guess whether the signature is signed by the signer or the designated verifier under the adaptive selective identity attack in the random oracle model, he wins this round of the query-respond game. Detailed query-respond processes between $E$ and $C$ are shown as follows.

• Initialize: $C$ performs the Setup($1^n$) algorithm to obtain the system parameters $pp$ and the master secret key $msk$. Then, he exposes $pp$ and keeps $msk$ secret.
• Query: $E$ can perform polynomially many queries on the random oracle. Here, the hash function, secret key, and signature are all query targets. $E$ can perform queries on the non-target user's identity $ID^*$ or the non-target message $\mu^*$. $C$ responds with the answers to the queries if the answers already exist. Otherwise, $C$ executes the KeyGen. or Sign algorithms to generate new answers to $E$'s queries.
• Challenge: $E$ selects two target system users' identities $ID_{i_0}$ and $ID_{i_1}$ and queries the signature about these two identities. Next, $C$ randomly chooses the identity $ID_{i_b}$, $b \in \{0, 1\}$, as the signer and the other one as the designated verifier, derives the ID-DVS $(e, \mu^*)$ according to the KeyGen. and Sign algorithms, and sends it back to $E$.
• Guess: $E$ guesses $b^*$. If $b^* = b$, $E$ wins this game. Here the guess success rate of $E$ is defined as shown in Eq. (3).

$$Adv^{Anon}_{A} = \Pr[E \text{ succeeded}] \quad (3)$$

This anonymity increases the probability that the adversary will fail to attack the signature, because he cannot determine whether the signer or the designated verifier is the real signer. Meanwhile, the designated verifier cannot prove to third parties that this signature is valid. This mechanism protects user privacy in medical data-sharing transactions and prevents the designated verifier from authorizing other users to access the signature.

Definition 7 (Unforgeability). If an adversary can forge a valid signature under the adaptive selective message attack in the random oracle model, a challenger can derive another valid signature and solve the lattice assumption with these two signatures. Here, the success probability of this challenger is non-negligible. Detailed query-respond processes between $E$ and $C$ are shown below.

• Initialize: $C$ performs the Setup($1^n$) algorithm to obtain the system parameters $pp$ and the master secret key $msk$. Then, he exposes $pp$ and keeps $msk$ secret.
• Query: $E$ can perform polynomially many queries on the random oracle. Here, the hash function, secret key, and signature are all query targets. $E$ can perform queries on the non-target user's identity $ID^*$ or the non-target message $\mu^*$. $C$ responds with the answers to the queries if the answers already exist. Otherwise, $C$ executes the KeyGen. or Sign algorithms to generate new answers to $E$'s queries.
• Forge: $E$ utilizes these queried answers to generate a valid signature $(e, \mu^*)$ for the target user's identity $ID^*$ and message $\mu^*$, and exposes this signature.
• Challenge: $C$ can also execute the signature processes legally and derive another valid signature $(e^*, \mu^*)$ for the target user's identity $ID^*$ and message $\mu^*$. Then, $C$ utilizes these two valid signatures on the same message $\mu^*$ to solve the $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ instance.
• Analyze: This step analyses two points. One is the probability that $C$ can find a solution for the $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ instance, and the other is the probability that $E$ successfully generates a valid ID-DVS signature. Here the success rate of $E$ is defined as shown in Eq. (4).

$$Adv^{Forge}_{A} = \Pr[E \text{ succeeded}] \quad (4)$$

This unforgeability ensures that no one other than the signer can generate a legitimate signature, thus improving the security of the medical data-sharing process among different BIoMT systems.

4. The ID-DVS scheme

This ID-DVS scheme is constructed with the lattice assumption $\mathfrak{R}\text{-}SIS^{\kappa}_{q,n,m,\beta}$. To improve computational efficiency, the lattice assumption is reduced from $\mathfrak{R}$ to $\mathbb{Z}$, and the new lattice assumption $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ does not decrease the hardness. The parameter definitions are shown in Table 2. This scheme mainly contains the five algorithms $Setup$, $KeyGen.$, $Sign$, $Verify$, and $Simulation$. The simple framework of this ID-DVS scheme is shown in Fig. 1, and details of these algorithms are described as follows.

4.1. Setup

Some system parameters are preset according to the setting principle in Ref. [41], where $n$ is the security parameter, $q$ is a prime number which satisfies $q = q(n) \ge 3$, $m$ is a positive integer which satisfies $m \ge 5n \log q$, $L = O(\sqrt{n \log q})$, and $\sigma \ge L \cdot \omega(\sqrt{\log n})$.

Fig. 1. The simple framework of the ID-DVS scheme.
(1) KGC generates a matrix $mpk = A \in \mathbb{Z}_q^{n \times m}$ with the former system parameters by the trapdoor generation algorithm TrapGen.($1^n$), which is an approximately random distribution matrix. Then, a basis $T \in \mathbb{Z}_q^{m \times m}$ is derived from $\Lambda^{\perp}(A)$ by TrapGen.($1^n$) with $\|\tilde{T}\| \le L$;
(2) Chooses $H_1, H_2 : \{0, 1\}^* \to \mathbb{Z}_q^n$;
(3) Outputs $pp = \{A, H_1, H_2\}$ as the public system parameters;
(4) Serves $mpk = A$ as the master public key and $msk = T$ as the master secret key.

4.2. KeyGen

Given the system parameter $pp$ and a user's identity $ID_i$:

(1) KGC computes $a_{ID_i} = H_1(ID_i) \in \mathbb{Z}_q^n$;
(2) Computes $s_{ID_i} \leftarrow \mathrm{SamplePre}(A, T, a_{ID_i}, \sigma) \in \mathbb{Z}_q^m$, where $\sigma \ge \|\tilde{T}\| \cdot \omega(\sqrt{\log m})$, $a_{ID_i} \bmod q = A \cdot s_{ID_i}$, and $\|s_{ID_i}\| \le \sigma\sqrt{m}$;
(3) Outputs $pk = a_{ID_i}$ as the public key and $sk = s_{ID_i}$ as the secret key for the system user with $ID_i$.

For the signer and designated verifier in this ID-DVS scheme, the signer's key pair is set as $(pk_1, sk_1) = (a_{ID_1}, s_{ID_1})$ and the designated verifier's key pair is set as $(pk_2, sk_2) = (a_{ID_2}, s_{ID_2})$. Then, they work together to generate a legitimate ID-DVS with the following steps.

4.3. Sign

Given the system parameter $pp$ and message $\mu$:

(1) The signer $ID_1$ randomly chooses $x \in D^m_\sigma$;
(2) Computes $c = H_2(Ax + a_{ID_2} \bmod q, \mu)$;
(3) Utilizes his secret key $sk$ to compute $e = x + s_{ID_1}$;
(4) Outputs the signature $\langle e, c \rangle$ with probability $\min\!\left(\frac{D^m_\sigma(e)}{M \cdot D^m_{s_{ID_1} c, \sigma}(e)}, 1\right)$; otherwise, restarts.

This is a probabilistic algorithm, and $M$ is some fixed positive real that is set large enough to ensure that the preceding probability is always at most 1. If there is no output, the signer repeats these signing steps until a legal ID-DVS is generated.

4.4. Verify

When receiving the ID-DVS from the signer, the designated verifier utilizes $pp$, the signer's public key $a_{ID_1}$, and his own private key $sk_2 = s_{ID_2}$ to verify the legality of $(e, c)$ with message $\mu$.

(1) The designated verifier checks whether $\|e\| > L$, and if so rejects it;
(2) Checks whether $\|e\|_\infty > q/4$, and if so rejects it;
(3) When the former conditions hold, he verifies whether $c = H_2(A(e + s_{ID_2}) - a_{ID_1} \bmod q, \mu)$ holds or not. Iff this condition holds, he accepts this signature; otherwise, he rejects it.

4.5. Simulation

This subsection presents the simulation of a new ID-DVS performed by the designated verifier. Following the former generation processes, he can derive a legal ID-DVS for the same message $\mu$.

(1) Selects a random vector $x' \leftarrow D^m_\sigma$;
(2) Computes $c' = H_2(Ax' + a_{ID_1} \bmod q, \mu)$ with the system public key $A$ and the same message $\mu$;
(3) Computes $e' = x' + s_{ID_2}$;
(4) Outputs the ID-DVS $(e', c')$ with probability $\min\!\left(\frac{D^m_\sigma(e')}{M \cdot D^m_{s_{ID_2} c', \sigma}(e')}, 1\right)$; otherwise he restarts this algorithm.

Here, the simulated signature $(e', c')$ is indistinguishable from the formerly generated signature $(e, c)$ for the same message $\mu$. This is the inherent quality of a DVS scheme, which prevents attacks from unauthorized verifiers. It improves the security of cross-institution medical data-sharing through the BIoMT system.

5. Security analysis

The security analyses of the correctness, anonymity, and unforgeability of the proposed ID-DVS scheme are given in this section.

5.1. Correctness

According to the verification steps in the Verify algorithm, a valid ID-DVS shall satisfy three conditions. From the signature generation process, $(e, c)$ satisfies $\|e\| \le L$ and $\|e\|_\infty \le q/4$, which are easily verified. The third condition, $c \leftarrow H_2(A(e + s_{ID_2}) - a_{ID_1} \bmod q, \mu) = H_2(Ax + a_{ID_2} \bmod q, \mu)$, holds because of the equation $A(e + s_{ID_2}) - a_{ID_1} = Ax + a_{ID_2} \bmod q$. Eq. (5) shows the detailed verification:

$$\begin{aligned} A(e + s_{ID_2}) - a_{ID_1} &= A(x + s_{ID_1} + s_{ID_2}) - a_{ID_1} \\ &= Ax + A s_{ID_1} + A s_{ID_2} - a_{ID_1} \\ &= Ax + a_{ID_1} + a_{ID_2} - a_{ID_1} \\ &= Ax + a_{ID_2} \end{aligned} \quad (5)$$

Meanwhile, the signature $(e', c')$ simulated by the designated verifier can also be verified by the signer, as the conditions $\|e'\| \le L$, $\|e'\|_\infty \le q/4$, and the equation $c' \leftarrow H_2(A(e' + s_{ID_1}) - a_{ID_2} \bmod q, \mu) = H_2(Ax + a_{ID_1} \bmod q, \mu)$ hold, which is shown in Eq. (6):

$$\begin{aligned} A(e' + s_{ID_1}) - a_{ID_2} &= A(x + s_{ID_2} + s_{ID_1}) - a_{ID_2} \\ &= Ax + A s_{ID_2} + A s_{ID_1} - a_{ID_2} \\ &= Ax + a_{ID_2} + a_{ID_1} - a_{ID_2} \\ &= Ax + a_{ID_1} \end{aligned} \quad (6)$$

5.2. Anonymity

Theorem 1. The proposed ID-DVS captures anonymity under the lattice assumption $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ if no adversary can correctly distinguish the real signer with non-negligible probability.

Proof. According to Definition 6, $E$ attempts to distinguish the real signer by performing queries on the hash, secret key, and sign algorithms under the adaptively chosen identity attack. Here, $E$ can execute polynomially many queries on the three algorithms to obtain information about the non-target identity in polynomial time. Meanwhile, the probability that $E$ wins one round of the query-respond game is defined as at least $\zeta$. Then, $C$ generates a signature with the target identity $ID^*$ and lets $E$ guess the real signer. Detailed query-respond processes are shown as follows.

• Initialize: $C$ executes the Setup algorithm to generate the system parameters $(n, m, q, k, \sigma)$ and sends them to $E$.
• Query: $E$ adaptively chooses the non-target identity to query with $C$.
  – $H_1$ query: $E$ adaptively chooses the non-target identity $ID_i$ to query the $H_1$ function. $C$ owns a list $List_{H_1}$ to store $(ID_i, a_{ID_i})$. When he obtains the query, he first searches the list $List_{H_1}$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(ID_i, a_{ID_i})$ is returned to $E$. If not, $C$ computes the corresponding $a_{ID_i} = H_1(ID_i)$, returns the result $(ID_i, a_{ID_i})$ to $E$, and records this result in the list $List_{H_1}$.
  – $H_2$ query: $E$ adaptively chooses a message $\mu_i$ to query the $H_2$ function. $C$ owns a list $List_{H_2}$ to store $(\mu_i, c_i)$. When he obtains the query, he first searches the list $List_{H_2}$ for whether $\mu_i$ has been queried or not. If it exists, the result $(\mu_i, c_i)$ is returned to $E$. If not, $C$ randomly selects $x \in D^m_\sigma$, computes the corresponding $c_i = H_2(Ax \bmod q, \mu_i)$, returns the result $(\mu_i, c_i)$ to $E$, and records this result in the list $List_{H_2}$.
  – Secret key query: $E$ adaptively chooses the non-target identity $ID_i$ to query the secret key. $C$ owns a list $L_K$ to store $(s_{ID_i}, ID_i)$. When he obtains the query, he first searches the list $L_K$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(s_{ID_i}, ID_i)$ is returned to $E$. If not, $C$ obtains $(ID_i, a_{ID_i})$ from the list $List_{H_1}$ or regenerates it first. Next, $C$ computes the corresponding $s_{ID_i} \leftarrow \mathrm{SamplePre}(A, T, a_{ID_i}, \sigma)$, returns the result $(s_{ID_i}, ID_i)$ to $E$, and records this result in the list $L_K$.
  – Signature query: $E$ adaptively chooses a message $\mu_i$ to query the signature. $C$ owns a list $L_S$ to store $(e, c_i)$. When he obtains the query, he first searches the list $L_S$ for whether the message $\mu_i$ has been queried or not. If it exists, the result $(e, c_i, \mu)$ is returned to $E$. If not, $C$ obtains $(\mu_i, c_i)$ from the list $List_{H_2}$ or regenerates it first. Next, $C$ computes the corresponding $e_1 = x + s_{ID_1}$, where $ID_1$ is set as the signer and $ID_2$ is set as the designated verifier. Then, he returns the result $(e, c_i)$ to $E$, and records this result in the list $L_S$.
• Challenge: $E$ randomly selects two system users' identities $ID_{i_0}$ and $ID_{i_1}$ which have not been queried before. Next, he sends these two target identities to $C$. $C$ randomly selects the identity $ID_{i_b}$, $b \in \{0, 1\}$, as the signer and the other one as the designated verifier, derives the ID-DVS $(e, c_{i_0})$ and $(e', c_{i_1})$ according to the ID-DVS processes, and sends them back to $E$.
• Guess: $E$ utilizes the formerly obtained messages and guesses the signer $b^*$. $C$ confirms whether $ID_{i_{b^*}}$ is the real signer or not. If correct, $E$ wins this game.
• Analyze: Because the parameter $x$ is randomly selected from the same Gaussian distribution $D^m_\sigma$, the statistical distance of $c_{i_0}$ and $c_{i_1}$ is indistinguishable. Therefore, the statistical distance of the two signatures $(e, c_{i_0})$ and $(e', c_{i_1})$ generated by $e = x + s_{ID_{i_0}}$ and $e' = x + s_{ID_{i_1}}$ is also indistinguishable. That is to say, $E$ cannot distinguish the correct signer of these two signatures, and the proposed ID-DVS guarantees the signer's anonymity.

5.3. Unforgeability

Theorem 2. The proposed ID-DVS captures unforgeability under the lattice assumption $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$ if no adversary can generate a valid signature with non-negligible probability.

Proof. According to Definition 7, $E$ attempts to derive a valid signature by performing queries on the hash, secret key, and sign algorithms under the adaptively chosen message attack. Here, $E$ can execute polynomially many queries on the three algorithms to obtain information about the non-target message in polynomial time. Meanwhile, the probability that $E$ wins one round of the query-respond game is defined as at least $\xi$. Then, $C$ attempts to utilize this forged signature to solve the lattice instance $\mathbb{Z}\text{-}SIS^{\kappa}_{q,n,m,\beta}$. Detailed query-respond processes are shown as follows.

• Initialize: $C$ executes the Setup algorithm to generate the system parameters $(n, m, q, k, \sigma)$ and sends them to $E$.
• Query: $E$ adaptively chooses the non-target messages to query with $C$.
  – $H_1$ query: $E$ adaptively chooses the identity $ID_i$ to query the $H_1$ function. $C$ owns a list $List_{H_1}$ to store $(ID_i, a_{ID_i})$. When he obtains the query, he first searches the list $List_{H_1}$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(ID_i, a_{ID_i})$ is returned to $E$. If not, $C$ computes the corresponding $a_{ID_i} = H_1(ID_i)$, returns the result $(ID_i, a_{ID_i})$ to $E$, and records this result in the list $List_{H_1}$.
  – $H_2$ query: $E$ adaptively chooses the non-target message $\mu_i$ to query the $H_2$ function. $C$ owns a list $List_{H_2}$ to store $(\mu_i, c_i)$. When he obtains the query, he first searches the list $List_{H_2}$ for whether $\mu_i$ has been queried or not. If it exists, the result $(\mu_i, c_i)$ is returned to $E$. If not, $C$ randomly selects $x \in D^m_\sigma$, computes the corresponding $c_i = H_2(Ax \bmod q, \mu_i)$, returns the result $(\mu_i, c_i)$ to $E$, and records this result in the list $List_{H_2}$.
  – Secret key query: $E$ adaptively chooses the identity $ID_i$ to query the secret key. $C$ owns a list $L_K$ to store $(s_{ID_i}, ID_i)$. When he obtains the query, he first searches the list $L_K$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(s_{ID_i}, ID_i)$ is returned to $E$. If not, $C$ obtains $(ID_i, a_{ID_i})$ from the list $List_{H_1}$ or regenerates it first.

It also has:

$$A(e^* - e^{**}) = A(x^* - x^{**}) \bmod q \quad (10)$$

Due to $x^* - x^{**} \ne 0$, it can derive

$$A(e_1^* - e_1^{**}) = 0 \bmod q \quad (11)$$

Here, $C$ quits this game if $e_1^* - e_1^{**} = 0$. Otherwise, $e_1^* - e_1^{**}$ is a solution of the SIS instance $Ae = 0 \bmod q$.

• Analyze: There are two situations in which $C$ quits the query-respond game. Therefore, the success rate is $\frac{\xi}{q_{H_1} + q_{H_2} + q_K + q_S}$. This probability is negligible with the increase in query times. In addition, the lattice assumption is a non-deterministic polynomial problem that cannot be broken with current classical or quantum computational conditions.

From the former theoretical security proof, the proposed ID-DVS scheme obtains correctness, anonymity, and unforgeability. Meanwhile, this ID-DVS scheme also satisfies post-quantum security as it is constructed with a lattice assumption. Compared with other classical cryptography algorithm-based BIoMT systems, this scheme can well guarantee anti-quantum security for medical data-sharing among different medical institutions.

6. Performance analysis
Next, 𝐶 computes the corresponding 𝑠𝐼 𝐷𝑖 ← 𝑆 𝑎𝑚𝑝𝑙𝑒𝑝𝑟𝑒(𝐴, 𝑇 , 𝑎𝐼 𝐷𝑖 , The performance analyses of this ID-DVS scheme from the theory 𝜎), returns the result (𝑠𝐼 𝐷𝑖 , 𝐼 𝐷𝑖 ) back to 𝐸, and records this and simulation aspects have been given in this section. result into the list 𝐿𝐾 . – Signature query: 𝐸 adaptively chooses the non-target mes- 6.1. Theoretical analysis sage 𝜇𝑖 to query on signature. 𝐶 owns a list 𝐿𝑆 to store (𝑒, 𝑐𝑖 ). When he obtains the query, he first searches the list 𝐿𝑆 whether the message 𝜇𝑖 is queried or not. If exists, the result In this phase, six items are selected for comparison, where the (𝑒, 𝑐𝑖 , 𝜇) is returned back to 𝐸. If not, 𝐶 obtains (𝜇𝑖 , 𝑐𝑖 ) from assumption is the lattice assumption, 𝑚𝑝𝑘 is the system master key, the list 𝐿𝑖𝑠𝑡𝐻2 or regenerates it firstly. Next, 𝐶 computes the 𝑚𝑠𝑘 is the system private key, 𝑝𝑘 is the system user’s public key, 𝑠𝑘 is corresponding 𝑒 = 𝑥 + 𝑠𝐼 𝐷1 , where 𝐼 𝐷1 is set as the signer the system user’s private key, and signature is the size of the proposed and 𝐼 𝐷2 is set as the designated verifier. Then, he returns signature. The comparison results are shown in Table 3. Firstly, the the result (𝑒, 𝑐𝑖 ) back to 𝐸, and records this result into the schemes in Ref. [24,34] and this proposed scheme are based on the list 𝐿𝑆 . problem of Z − 𝑆 𝐼 𝑆, the schemes in Ref. [29,30] are based on Ring- LWE, and the scheme in Ref. [35] is based on NTRU lattice. Secondly, • Forge: 𝐸 can respectively perform 𝑞𝐻1 , 𝑞𝐻2 , 𝑞𝐾 , and 𝑞𝑆 queries on the size of 𝑚𝑝𝑘, 𝑚𝑠𝑘, 𝑝𝑘, and 𝑠𝑘 is in relation to the parameters of the algorithms of 𝐻1 Hash, 𝐻2 Hash, secret key, and sign until 𝑚, 𝑛, and 𝑞. Then, the size of the signatures in these schemes is also obtaining enough information. With these query results, 𝐸 can with the effort scalar factor 𝜎 and ring number 𝑁. In Ref. [29] and forge a valid signature (𝑒∗ , 𝑐𝑖∗ ) about the target message 𝜇∗ . Then, Ref. 
[30], the signature size increases with the ring number increasing 𝐸 returns it to 𝐶. • Challenge: 𝐶 first confirms that the signature secret key about which will affect the efficiency of the signature algorithm. Here, there identity 𝐼 𝐷𝑖∗ is not queried, the signature about message 𝜇 ∗ is not are no results about 𝑚𝑝𝑘 and 𝑚𝑠𝑘 in Ref. [24] and Ref. [24,34] as the queried, and the public keys of (𝑎𝐼 𝐷1 , 𝑎𝐼 𝐷2 ) is derived by 𝐶. Then, algorithms of Setup and KeyGen. in these two references are not divided. 𝐶 utilizes this forged signature (𝑒∗ , 𝑐𝑖∗ ) to solve the Z − 𝑆 𝐼 𝑆𝑞𝜅,𝑛,𝑚,𝛽 These theoretical comparisons and analyses show that the proposed instance 𝐴𝑒∗ = 0 𝑚𝑜𝑑 𝑞. He checks the list 𝐿𝑖𝑠𝑡𝐻2 and quits this ID-DVS has certain advantages over those in the other five related game if that (𝜇𝑖∗ , 𝑐𝑖∗ ) does not exist. Otherwise, he utilizes the same schemes. random vector 𝑥 ∈ 𝐷𝜎𝑚 and derives a new valid signature (𝑒∗∗ , 𝑐𝑖∗∗ ) Meanwhile, the theoretical analyses of the times costs of Setup, according to the sign algorithm with the following two equations. KeyGen, Sign, and Verify algorithms are presented in Table 4, where ⎧ 𝑐𝑖∗ ←𝐻2 (𝐴(𝑒∗ + 𝑠𝐼 𝐷2 ) − 𝑎𝐼 𝐷1 𝑚𝑜𝑑 𝑞 , 𝜇) 𝑇𝑇 𝑟𝑎𝑝 represents the time costs of trapdoor algorithm, 𝑇𝑆 𝑎𝑚 represents ⎪ the Gaussian Samplepre algorithm, 𝑇𝑀 𝑢𝑙 represents the scalar mul- ⎪ = 𝐻2 (𝐴𝑥∗ + 𝑎𝐼 𝐷2 𝑚𝑜𝑑 𝑞 , 𝜇 ∗ ) ⎨ ∗∗ ∗∗ (7) tiplication algorithm, and 𝑇𝐻 represents the hash algorithm. Here, ⎪𝑐𝑖 ←𝐻2 (𝐴(𝑒 + 𝑠𝐼 𝐷2 ) − 𝑎𝐼 𝐷1 𝑚𝑜𝑑 𝑞 , 𝜇) some high-time-consuming algorithms and steps have been selected for ⎪ ⎩ = 𝐻2 (𝐴𝑥∗∗ + 𝑎𝐼 𝐷2 𝑚𝑜𝑑 𝑞 , 𝜇∗ ) comparison, and some other addition or modular operations that are According to the verification algorithm, it has: low-time-consuming are not considered. The Setup and KeyGen algo- { ∗ rithms can be prepared in advance, which can save time and costs. So 𝐴(𝑒 + 𝑠𝐼 𝐷2 ) − 𝑎𝐼 𝐷1 = 𝐴𝑥∗ + 𝑎𝐼 𝐷2 𝑚𝑜𝑑 𝑞 (8) the time-consuming in other algorithms will affect the efficiency more. 
𝐴(𝑒∗∗ + 𝑠𝐼 𝐷2 ) − 𝑎𝐼 𝐷1 = 𝐴𝑥∗∗ + 𝑎𝐼 𝐷2 𝑚𝑜𝑑 𝑞 In the proposed ID-DVS scheme, the time costs of KeyGen and Sign Then, it has: algorithms are lower than the other schemes. From these comparison { ∗ 𝐴𝑒 − 𝑎𝐼 𝐷1 = 𝐴𝑥∗ 𝑚𝑜𝑑 𝑞 results, it can derived that the proposed ID-DVS has certain advantages (9) 𝐴𝑒∗∗ − 𝑎𝐼 𝐷1 = 𝐴𝑥∗∗ 𝑚𝑜𝑑 𝑞 over those in the other five related schemes. 7 C. Li et al. Journal of Systems Architecture 160 (2025) 103362 Table 3 Keys size comparison. Ref. Assumption mpk msk pk sk signature Li et al. [24] Z − 𝑆𝐼𝑆 – – mnlog2q mnlog2q 2mlog(12𝜎) Ye et al. [29] Ring-LWE mnlogq n(m-n)logq nlogq mlogq 2mlog(12𝜎)+Nlog3 Bagchi et al. [30] Z − 𝑆𝐼𝑆 2mlogq mlogq 2mlogq mlogq 2Nmlog(12𝜎) Li and Jiang et al. [34] Ring-LWE – – mnlog2q mnlog2q 2mlog(12𝜎) Yu et al. [35] NTRU mlogq 4𝑛2 𝑙𝑜𝑔 𝑞 mlogq 2nlogq 2mlog(2𝜎) This scheme Z − 𝑆𝐼𝑆 mnlogq mmlogq nlogq mlogq 2mlog(12𝜎) Table 4 Time costs comparison. Items Setup KeyGen. Sign Verify Li et al. [24] – 2𝑇𝑇 𝑟𝑎𝑝 2𝑇𝑀 𝑢𝑙 + 𝑇𝐻 3𝑇𝑀 𝑢𝑙 + 𝑇𝐻 Ye et al. [29] 𝑇𝑇 𝑟𝑎𝑝 𝑇𝑆 𝑎𝑚 + 𝑇𝑀 𝑢𝑙 𝑇𝑆 𝑎𝑚 + 7𝑇𝑀 𝑢𝑙 + 3𝑇𝐻 5𝑇𝑀 𝑢𝑙 + 2𝑇𝐻 Bagchi et al. [30] 2𝑇𝑇 𝑟𝑎𝑝 3𝑁 𝑇𝑀 𝑢𝑙 + 𝑁 𝑇𝐻 3𝑁 𝑇𝑀 𝑢𝑙 + 𝑁 𝑇𝐻 2𝑇𝑀 𝑢𝑙 + 𝑇𝐻 Li and Jiang et al. [34] – 2𝑁 𝑇𝑇 𝑟𝑎𝑝 5𝑇𝑀 𝑢𝑙 + 2𝑇𝐻 3𝑇𝑀 𝑢𝑙 + 𝑇𝐻 Yu et al. [35] 𝑇𝑇 𝑟𝑎𝑝 𝑁 𝑇𝑆 𝑎𝑚 + 2𝑁 𝑇𝑀 𝑢𝑙 + 2𝑁 𝑇𝐻 3𝑇𝑀 𝑢𝑙 + 𝑇𝐻 6𝑇𝑀 𝑢𝑙 + 4𝑇𝐻 This scheme 𝑇𝑇 𝑟𝑎𝑝 𝑇𝑆 𝑎𝑚 + 𝑇𝐻 2𝑇𝑀 𝑢𝑙 + 𝑇𝐻 4𝑇𝑀 𝑢𝑙 + 𝑇𝐻 Fig. 2. Keys size comparison (80-bit security level with parameter setting of 𝑛 = 512 𝑚 = 3549, 𝑞 = 223 , and 𝜎 = 230 ; 192-bit security level with parameter setting of 𝑛 = 1024 𝑚 = 8323, 𝑞 = 227 , and 𝜎 = 230 ). 6.2. Simulation evaluation Ref. [40]. Then, the time-consuming results in Table 4 are calculated, and the results show that this ID-DVS scheme has obvious advantages To more clearly compare the advantages and disadvantages of dif- that other similar schemes. Meanwhile, the simulated devices are with ferent schemes, the ID-DVS scheme has been executed with the Matlab 3.2 V and 7.6 mA. 
With the former calculated time-consuming data, 2016b on a Windows 11 desktop with Intel(R) Core(TM) i5-1240P the energy-consuming results are calculated and shown in Fig. 4. 1.90 GHz and 16G RAM. Here, the system parameters are selected according to those in Ref. [39], which are presented in the tile of 7. Conclusion Fig. 2. Meanwhile, the signature size in Ref. [29] and Ref. [30] is in relation to the ring number 𝑁 which is preset as 𝑁 = 3. With the This paper contributes to privacy protection in the cross-chain ring number increasing, the signature size in these two references will health data-sharing process in the BIoMT systems and introduces an increase. From the comparison results, the key size of 𝑝𝑘 and 𝑠𝑘 in this MCF model with a DVS scheme. The MCF model is constructed with ID-DVS has a certain advantage over other schemes. Although 𝑚𝑝𝑘 and blockchain and relay chain technologies, which can support cross-chain 𝑚𝑠𝑘 are equal to or bigger than that in other schemes, this ID-DVS is health data-sharing and guarantee that data is not tampered with. constructed with the lattice assumption Z − 𝑆 𝐼 𝑆 which can provide a The DVS is designed with lattice cryptography which can resist anti- strong security guarantee. As the signing process is the main part of a quantum attack. Meanwhile, the combination of the MCF model and signature scheme, the signature size is the smallest compared with these DVS scheme can effectively improve the privacy security of system similar schemes, which can improve the algorithm execution efficiency. transactions and users. Then, it has proved that the DVS scheme can Then, the simulation of the time-consuming and energy-consuming satisfy the security requirements of unforgeability, anonymity, and are shown in Fig. 3 and Fig. 4, respectively. Here, the time-consuming non-traceability. 
The key size comparison shows that the proposed of 𝑇𝑇 𝑟𝑎𝑝 , 𝑇𝑆 𝑎𝑚 , 𝑇𝑀 𝑢𝑙 , 𝑇𝐻 algorithms are set according to the principal in DVS scheme is efficient and ledger space-saving, the consumption 8 C. Li et al. Journal of Systems Architecture 160 (2025) 103362 Fig. 3. Time-consuming comparison. Fig. 4. Energy-consuming comparison. comparison of time and energy shows that this DVS is more practical Declaration of competing interest for cross-chain transactions and the performance evaluations of cross- chain transactions show that the proposed MCF model is efficient and The authors declare that they have no known competing finan- practical for BIoMT systems. These works provide a new solution for cial interests or personal relationships that could have appeared to the ‘‘data island’’ and privacy protection issues in current IoMT systems influence the work reported in this paper. and promote the cross-chain technology application in BIoMT systems. Acknowledgments Moreover, there are still some worth exploring research directions, such as cross-chain identity authentication, secure secret sharing, data This work was supported by the National Natural Science Founda- access control, and efficient data retrieval in cross-chain health data- tion of China under Grant Numbers 62272090, 72293583, 72293580, sharing processes which will become the possible research orientations the Foundation of State Key Laboratory of Public Big Data under Grant in future work. PBD2023-25, the Foundation and Cutting-Edge Technologies Research Program of Henan Province (CN) under Grant Numbers 242102211073, CRediT authorship contribution statement the Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Numbers JP22K11989, JP24K14910, Leading Initiative for Excellent Chaoyang Li: Writing – review & editing, Writing – original draft, Young Researchers (LEADER), MEXT, Japan, and Japan Science and Formal analysis, Conceptualization. 
Yuling Chen: Writing – review Technology Agency (JST), PRESTO Grant Number JPMJPR21P3, JST & editing, Supervision. Mianxiong Dong: Project administration, In- ASPIRE Grant Number JPMJAP2344, and the Soroptimist Japan Foun- vestigation. Jian Li: Validation, Supervision. Min Huang: Validation, dation. Mianxiong Dong is the corresponding author, and the Doctor Supervision. Xiangjun Xin: Supervision, Funding acquisition. Kaoru Scientific Research Fund of Zhengzhou University of Light Industry Ota: Supervision, Formal analysis. under Grant 2021BSJJ033. 9 C. Li et al. Journal of Systems Architecture 160 (2025) 103362 Data availability [21] Z. Qu, Y. Meng, B. Liu, G. Muhammad, P. Tiwari, QB-IMD: A secure medical data processing system with privacy protection based on quantum blockchain for IoMT, IEEE Internet Things J. 11 (1) (2023) 40–49. No data was used for the research described in the article. [22] W. Mao, P. Jiang, L. Zhu, Locally verifiable batch authentication in IoMT, IEEE Trans. Inf. Forensics Secur. 19 (2023) 1001–1014. [23] J. Zhang, C. Dong, Y. Liu, Efficient pairing-free certificateless signcryption References scheme for secure data transmission in IoMT, IEEE Internet Things J. (2023). [24] C. Li, B. Jiang, M. Dong, Y. Chen, Z. Zhang, X. Xin, K. Ota, Efficient designated [1] X. Xiang, J. Cao, W. Fan, S. Xiang, G. Wang, Blockchain enabled dynamic trust verifier signature for secure cross-chain health data sharing in BIoMT, IEEE management method for the internet of medical things, Decis. Support Syst. 180 Internet Things J. 11 (11) (2024) 19838–19851. (2024) 114184. [25] J.-P. Thiers, J. Freudenberger, Code-based cryptography with generalized con- [2] A. Kosba, A. Miller, E. Shi, Z. Wen, C. Papamanthou, Hawk: The blockchain catenated codes for restricted error values, IEEE Open J. Commun. Soc. 3 (2022) model of cryptography and privacy-preserving smart contracts, in: 2016 IEEE 1528–1539. Symposium on Security and Privacy, SP, IEEE, 2016, pp. 839–858. [26] A. 
Alahmadi, S. Çalkavur, P. Solé, A.N. Khan, M.A. Raza, V. Aggarwal, A new [3] W. Wang, H. Xu, M. Alazab, T.R. Gadekallu, Z. Han, C. Su, Blockchain-based code based signature scheme for blockchain technology, Mathematics 11 (5) reliable and efficient certificateless signature for iIoT devices, IEEE Trans. Ind. (2023) 1177. Inform. 18 (10) (2021) 7059–7067. [27] R. Punithavathi, K. Venkatachalam, M. Masud, M.A. AlZain, M. Abouhawwash, [4] Z. Wang, S. Wei, G.-L. Long, L. Hanzo, Variational quantum attacks threaten Crypto hash based malware detection in IoMT framework, Intell. Autom. Soft advanced encryption standard based symmetric cryptography, Sci. China Inf. Sci. Comput. 34 (1) (2022). 65 (10) (2022) 200503. [28] A. Kuznetsov, I. Oleshko, V. Tymchenko, K. Lisitsky, M. Rodinko, A. Kol- [5] L.K. Grover, Quantum mechanics helps in searching for a needle in a haystack, hatin, Performance analysis of cryptographic hash functions suitable for use in Phys. Rev. Lett. 79 (2) (1997) 325. blockchain, Int. J. Comput. Netw. Inf. Secur. 13 (2) (2021) 1–15. [6] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete [29] Q. Ye, Y. Lang, H. Guo, Y. Tang, Efficient lattice-based traceable ring signature logarithms on a quantum computer, SIAM Rev. 41 (2) (1999) 303–332. scheme with its application in blockchain, Inform. Sci. 648 (2023) 119536. [7] D.J. Bernstein, T. Lange, Post-quantum cryptography, Nature 549 (7671) (2017) [30] P. Bagchi, R. Maheshwari, B. Bera, A.K. Das, Y. Park, P. Lorenz, D.K. Yau, 188–194. Public blockchain-envisioned security scheme using post quantum lattice-based [8] R.J. McEliece, A public-key cryptosystem based on algebraic, Coding Thv 4244 aggregate signature for internet of drones applications, IEEE Trans. Veh. Technol. (1978) 114–116. 72 (8) (2023) 10393–10408. [9] L. Lamport, Constructing digital signatures from a one way function, 1979. [31] K.-A. Shim, J. Kim, Y. An, Mq-sign: A new post-quantum signature scheme based [10] R.C. 
Merkle, A certified digital signature, in: Conference on the Theory and on multivariate quadratic equations: Shorter and faster, KpqC Round 1 (2022). Application of Cryptology, Springer, 1989, pp. 218–238. [32] H. Nejatollahi, N. Dutt, S. Ray, F. Regazzoni, I. Banerjee, R. Cammarota, Post- [11] M. Ajtai, Generating hard instances of lattice problems, in: Proceedings of the quantum lattice-based cryptography implementations: A survey, ACM Comput. Twenty-Eighth Annual ACM Symposium on Theory of Computing, 1996, pp. Surv. 51 (6) (2019) 1–41. 99–108. [33] J. Kim, J.H. Park, Ntru+: Compact construction of NTRU using simple encoding [12] J. Dey, R. Dutta, Progress in multivariate cryptography: Systematic review, method, IEEE Trans. Inf. Forensics Secur. 18 (2023) 4760–4774. challenges, and research directions, ACM Comput. Surv. 55 (12) (2023) 1–34. [34] C. Li, B. Jiang, M. Dong, X. Xin, K. Ota, Privacy preserving for electronic medical [13] X. Jia, M. Luo, H. Wang, J. Shen, D. He, A blockchain-assisted privacy-aware record sharing in healthchain with group signature, IEEE Syst. J. 17 (4) (2023) authentication scheme for internet of medical things, IEEE Internet Things J. 9 6114–6125. (21) (2022) 21838–21850. [35] H. Yu, W. Hui, Certificateless ring signature from NTRU lattice for electronic [14] Q. Lin, X. Li, K. Cai, M. Prakash, D. Paulraj, Secure Internet of medical Things voting, J. Inf. Secur. Appl. 75 (2023) 103496. (IoMT) based on ECMQV-MAC authentication protocol and EKMC-SCP blockchain [36] L. Yao, J. Weng, A. Yang, X. Liang, Z. Wu, Z. Jiang, L. Hou, Scalable CCA-secure networking, Inform. Sci. 654 (2024) 119783. public-key authenticated encryption with keyword search from ideal lattices in [15] D. Chen, F. Zhou, Y. Liu, L. Li, Y. Liang, Secure pairing-free certificateless cloud computing, Inform. Sci. 624 (2023) 777–795. aggregate signcryption scheme for IoT, J. Syst. Archit. 156 (2024) 103268. [37] Y. Zhang, W. Susilo, F. 
Guo, Lattice-based strong designated verifier signature [16] Y. Han, J. Han, W. Meng, J. Lai, G. Wu, Blockchain-based privacy-preserving with non-delegatability, Comput. Stand. Interfaces 92 (2025) 103904. public key searchable encryption with strong traceability, J. Syst. Archit. 155 [38] Q. Zhang, Y. Sun, Y. Lu, W. Huang, Revocable identity-based designated verifier (2024) 103264. proxy re-signature with signature evolution, Comput. Stand. Interfaces 92 (2025) [17] S. Zou, Q. Cao, C. Huangqi, A. Huang, Y. Li, C. Wang, G. Xu, A physician’s 103894. privacy-preserving authentication and key agreement protocol based on decen- [39] D. Micciancio, O. Regev, Lattice-based cryptography, in: Post-Quantum tralized identity for medical data sharing in IoMT, IEEE Internet Things J. 11 Cryptography, Springer, 2009, pp. 147–191. (17) (2024) 29174–29189. [40] L. Ducas, A. Durmus, T. Lepoint, V. Lyubashevsky, Lattice signatures and bimodal [18] R. Guo, G. Yang, H. Shi, Y. Zhang, D. Zheng, O 3-R-CP-ABE: An efficient and Gaussians, in: Annual Cryptology Conference, Springer, 2013, pp. 40–56. revocable attribute-based encryption scheme in the cloud-assisted IoMT system, [41] M. Ajtai, Generating hard instances of the short basis problem, in: Automata, IEEE Internet Things J. 8 (11) (2021) 8949–8963. Languages and Programming: 26th International Colloquium, ICALP’99 Prague, [19] C. Li, M. Dong, J. Li, G. Xu, X.-B. Chen, W. Liu, K. Ota, Efficient medical big Czech Republic, July 11–15, 1999 Proceedings 26, Springer, 1999, pp. 1–9. data management with keyword-searchable encryption in healthchain, IEEE Syst. J. 16 (4) (2022) 5521–5532. [20] X. Liu, Y. Sun, H. Dong, A pairing-free certificateless searchable public key encryption scheme for IoMT, J. Syst. Archit. 139 (2023) 102885. 10
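Worked example for the correctness identities of Eqs. (5) and (6) in Section 5.1, added by the editor; this is not code from the paper or its authors. It instantiates the sign, verify, and designated-verifier simulation algebra of the ID-DVS over a toy lattice so the two identities can be checked mechanically: the designated verifier $ID_2$ accepts $(e, c)$ with its own secret $s_{ID_2}$, and the signer $ID_1$ accepts the simulated $(e', c')$ with $s_{ID_1}$, which is exactly why a third party cannot tell who produced a transcript. Everything not in the paper is an assumption: the dimensions $n = 8$, $m = 32$ and modulus $q = 12289$ are toy values far below the parameters of Fig. 2; SHA-256 stands in for $H_2$; a bounded uniform $x$ stands in for $D_\sigma^m$; and key generation is reversed (a short $s_{ID}$ is chosen first and $a_{ID} = A s_{ID} \bmod q$ is derived) as a stand-in for $H_1$ and SamplePre, which keeps the verification algebra identical but is not a secure key-generation method. The identities and message are constructed.

```python
"""Toy instantiation of the ID-DVS sign / verify / simulate algebra of Eqs. (5)-(6).

Editor-added example, not the paper's code. Everything below is an assumption
chosen so that the block runs offline: tiny dimensions, a toy modulus, SHA-256
as H2, a bounded uniform x in place of the Gaussian D_sigma^m, and a reversed key
generation (a short s_ID is chosen first and a_ID = A s_ID mod q is derived)
standing in for H1 + SamplePre. The reversal keeps the verification algebra
identical to the paper's but is not a secure key-generation method.
"""
import hashlib
import random

Q = 12289                         # toy modulus q (assumption)
N, M = 8, 32                      # toy dimensions n x m (assumption)
X_BOUND = 64                      # |x_i| <= X_BOUND stands in for x <- D_sigma^m
L_SQ = M * (X_BOUND + 1) ** 2     # L^2: every honest e = x + s_ID satisfies ||e||_2 <= L


def setup(seed=2025):
    """Master public matrix A in Z_q^{n x m} (seeded so the example is repeatable)."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]


def mat_vec(A, v):
    """A v mod q."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]


def vec_add(u, v):
    return [a + b for a, b in zip(u, v)]


def keygen(A, identity):
    """Identity key pair (s_ID, a_ID) with A s_ID = a_ID mod q.

    Toy stand-in for a_ID = H1(ID) and s_ID <- SamplePre(A, T, a_ID, sigma):
    the short vector is derived from the identity string with a seeded PRNG.
    """
    seed = int.from_bytes(hashlib.sha256(identity.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    s_id = [rng.choice((-1, 0, 1)) for _ in range(M)]
    return s_id, mat_vec(A, s_id)


def h2(vec, msg):
    """H2(vector over Z_q, message): SHA-256 over a canonical encoding."""
    h = hashlib.sha256()
    for t in vec:
        h.update((t % Q).to_bytes(2, "big"))   # q < 2^16, so 2 bytes per coordinate
    h.update(b"|" + msg)
    return h.hexdigest()


def sample_x(seed):
    """Random short vector x (stand-in for x <- D_sigma^m)."""
    rng = random.Random(seed)
    return [rng.randint(-X_BOUND, X_BOUND) for _ in range(M)]


def sign(A, s_signer, a_verifier, msg, x):
    """Signer ID1 (secret s_ID1) produces (e, c) for designated verifier ID2 (public a_ID2)."""
    c = h2(vec_add(mat_vec(A, x), a_verifier), msg)   # c = H2(A x + a_ID2 mod q, mu)
    e = vec_add(x, s_signer)                           # e = x + s_ID1
    return e, c


def verify(A, e, c, s_verifier, a_signer, msg):
    """Designated verifier ID2 checks (e, c) with its own secret s_ID2 (Eq. (5))."""
    if sum(t * t for t in e) > L_SQ:                   # ||e||_2 <= L
        return False
    if max(abs(t) for t in e) > Q // 4:                # ||e||_inf <= q/4
        return False
    # A(e + s_ID2) - a_ID1 = A x + a_ID1 + a_ID2 - a_ID1 = A x + a_ID2 mod q
    lhs = [(t - a) % Q for t, a in zip(mat_vec(A, vec_add(e, s_verifier)), a_signer)]
    return c == h2(lhs, msg)


def simulate(A, s_verifier, a_signer, msg, x):
    """Designated verifier ID2 simulates (e', c') with the roles swapped (Eq. (6))."""
    return sign(A, s_verifier, a_signer, msg, x)       # e' = x + s_ID2, c' = H2(A x + a_ID1, mu)


def demo():
    """Returns (real accepted, tampered rejected, simulated accepted, outsider rejected)."""
    A = setup()
    s1, a1 = keygen(A, "doctor@hospital-A")    # constructed signer identity ID1
    s2, a2 = keygen(A, "lab@hospital-B")       # constructed designated verifier ID2
    s3, _ = keygen(A, "outsider")              # constructed third identity
    msg = b"constructed sample: digest of a shared medical record"
    e, c = sign(A, s1, a2, msg, sample_x(7))
    real_ok = verify(A, e, c, s2, a1, msg)             # verifier's check passes
    tampered_ok = verify(A, e, c, s2, a1, msg + b"x")  # c is bound to the message
    e_sim, c_sim = simulate(A, s2, a1, msg, sample_x(8))
    sim_ok = verify(A, e_sim, c_sim, s1, a2, msg)      # signer's check passes too
    outsider_ok = verify(A, e, c, s3, a1, msg)         # wrong secret: A x + a_ID3 != A x + a_ID2
    return real_ok, tampered_ok, sim_ok, outsider_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Running `demo()` returns `(True, False, True, False)`: the designated verifier accepts the genuine signature, a modified message is rejected, the verifier's own simulated transcript passes the signer's check, and an identity holding neither secret fails. The last two results are the practical content of Theorem 1: because both parties can produce transcripts that verify under the other's key, a transcript proves nothing to anyone outside the pair, which is the property that stops a designated verifier from transferring a shared record to an unauthorized institution.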