Journal of Systems Architecture 160 (2025) 103362
Contents lists available at ScienceDirect
Journal of Systems Architecture
journal homepage: www.elsevier.com/locate/sysarc
Quantum-safe identity-based designated verifier signature for BIoMT
Chaoyang Li a,b ,, Yuling Chen a , Mianxiong Dong c , Jian Li d , Min Huang b , Xiangjun Xin b ,
Kaoru Ota c
a State Key Laboratory of Public Big Data, Guizhou University, Guizhou Guiyang, 550025, China
b
College of Software Engineering, Zhengzhou University of Light Industry, Zhengzhou 450001, China
c
Department of Sciences and Informatics, Muroran Institution of Technology, Muroran 050-8585, Japan
d
School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
ARTICLE INFO

MSC: 00-01; 99-00

Keywords: Blockchain; Internet of medical things; Identity; DVS; Privacy-preserving

ABSTRACT

Blockchain technology changes the centralized management form in traditional healthcare systems and constructs a distributed and secure medical data-sharing mechanism to achieve data value maximization. However, the advanced capabilities of quantum algorithms bring a serious threat to current blockchain cryptographic algorithms, which are based on classical mathematical difficulties. This paper proposes the first quantum-safe identity-based designated verifier signature (ID-DVS) scheme for blockchain-based Internet of medical things (BIoMT) systems. This scheme is constructed based on the lattice assumption of the short integer solution (SIS) problem, which is believed to resist the quantum attack. The identity mechanism helps to establish a transaction traceability mechanism when this data is shared among different medical institutions. The designated verifier mechanism also prevents unauthorized users from accessing data, which improves the security of medical data-sharing processes. Next, this ID-DVS scheme is proved in the random oracle model, where it achieves the security properties of anonymity and unforgeability. It also captures post-quantum security. Then, the performance analysis of the key size and time consumption is presented, and the results show that this ID-DVS is more efficient than other similar schemes. Therefore, this work supports secure medical data-sharing and protects the privacy of users and medical data.
Corresponding author at: College of Software Engineering, Zhengzhou University of Light Industry, Zhengzhou 450001, China. E-mail address: lichaoyang@zzuli.edu.cn (C. Li).
https://doi.org/10.1016/j.sysarc.2025.103362
Received 9 December 2024; Received in revised form 13 January 2025; Accepted 6 February 2025; Available online 15 February 2025
1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

1. Introduction

Blockchain-enabled Internet of Medical Things (BIoMT) profoundly affects people's lives and health with the gradual increase of wearable health devices [1]. Firstly, blockchain technology helps to establish a distributed medical data-sharing framework among different medical institutions, which replaces the traditional centralized management form and achieves cross-institutional medical data utilization. Then, the BIoMT solves the problems of collecting, storing, sharing, and using massive medical data. However, the security issues with medical data and user privacy in the cross-institutional data-sharing process have gained much attention as more sensitive information is inserted into these medical data. Especially for sensitive information protection, users do not want to give non-specified users access to the data. Hence, one-to-one data sharing can effectively prevent the leakage of sensitive information.

Blockchain cryptography has received more attention as it is increasingly essential in most blockchain-based applications [2]. It relates to the cryptographic algorithms of symmetric cryptography, asymmetric cryptography, hash functions, public key infrastructure, Merkle trees, digital signatures, and zero-knowledge proofs, which are utilized to better adapt to transaction privacy protection in the blockchain network. These blockchain cryptographic technologies jointly protect transaction security and user privacy. For example, the digital signature is responsible for transaction verification in the consensus process and for establishing links between different blocks [3]. The signature also provides the transaction traceability mechanism when some disputes occur. Especially, the DVS is more suitable for one-to-one data-sharing among different BIoMT systems, as it can guarantee the non-delegatability of the signature. These technologies construct the trust foundation for the blockchain-based network, as these NP-hard problem-based cryptographic algorithms cannot be broken with the current most advanced classical computer. Most of these algorithms are based on RSA and ECC cryptographic theories, but the fundamental problems of large integer factorization and discrete logarithms are weak against the quantum attack [4].

The quantum threat is the main concern in current information systems with the rapid developments of quantum computers and quantum computing. The Grover quantum algorithm can speed up the efficiency
of target search, which brings threats to the symmetric cryptographic algorithm, for example Elliptic Curve Cryptography (ECC), by decreasing the search complexity from $O(N)$ to $O(\sqrt{N})$ [5]. The Shor quantum algorithm can achieve exponential acceleration for large integer factorization [6], which brings threats to asymmetric cryptography, for example RSA. In recent years, post-quantum cryptographic algorithms have gained much attention in the areas of scientific research, finance, and industry [7]. Currently, code-based cryptography, hash cryptography, lattice cryptography, and multivariate-quadratic-equations cryptography are some famous post-quantum cryptographic (PQC) algorithms. Code-based cryptography was first proposed by McEliece [8] and is constructed from error correction codes. Although this cryptosystem has a significant anti-quantum attack advantage, its key size disadvantage makes it unsuitable for IoT systems. Hash cryptography was initially introduced by Lamport [9] and relies on the one-way function to provide quantum-proof security. The Merkle tree is another well-known hash-based cryptosystem [10]. These hash-based algorithms are not based on solving hard mathematical problems, but they can obtain the properties of one-wayness, collision resistance, and preimage resistance. Lattice cryptography is one of the suggested PQC schemes in the NIST call, and was first proposed by Ajtai [11]. Multivariate-quadratic-equations cryptography is another kind of PQC that is based on the complexity of solving multivariate equations [12]. This kind of PQC algorithm suffers from efficiency hardship with its large key size and ciphertext overhead.

This paper focuses on the needs of security and integrity, and proposes a lattice-based ID-DVS scheme to cover the privacy-preserving issues, such as designated verifier, signer's anonymity, and signature non-delegatability in the BIoMT system. The contributions are summarized as follows.

• A lattice-based ID-DVS scheme has been proposed. This is the first ID-DVS scheme which is constructed with rejection sampling in the Gaussian distribution and the SIS lattice problem. The identity mechanism in this ID-DVS provides transaction traceability for medical data-sharing, and the designated verifier setting protects user privacy as unauthorized users cannot access the transaction.
• The security proof of the proposed ID-DVS scheme is given. In the random oracle model, this ID-DVS scheme can be proved to satisfy the security properties of anonymity and unforgeability. Meanwhile, this ID-DVS scheme can resist the quantum attack with the lattice assumption, which can prevent the quantum adversary in the future quantum computer age.
• The efficiency comparison and performance analysis are presented. The key size, time consumption, and energy consumption are calculated and compared with other similar schemes. The results show that this ID-DVS scheme is more efficient, which can well support secure medical data-sharing among different BIoMT systems.

Next, the related work is given in Section 2, some preliminaries are shown in Section 3, the ID-DVS scheme is proposed in Section 4, the security of the ID-DVS scheme is analyzed and proved in Section 5, the performance analysis is in Section 6, and the conclusion is in Section 7.

2. Related work

This paper mainly focuses on the research and applications of blockchain cryptography in BIoMT. Some reviews of blockchain cryptography for BIoMT, PQC, and lattice-based signature theory about this theme are given in the following subsections.

2.1. Blockchain cryptography for BIoMT

In the BIoMT system, identity authentication, data encryption/decryption, and transaction verification all need blockchain cryptography algorithms to protect privacy security in the medical data-sharing processes. For identity authentication, Jia et al. [13] constructed a privacy-aware authentication model with blockchain and proposed two authentication protocols, based on ECC and on a physically unclonable function algorithm respectively, to enhance privacy security in the IoMT ecosystem. Lin et al. [14] proposed a mutual user authentication protocol with the ECC algorithm, which could achieve legal user authentication in blockchain-based IoMT networking. Chen et al. [15] designed a certificateless aggregate signcryption scheme based on ECC to protect data privacy in IoT applications, but it could not provide anti-quantum attack security. Han et al. [16] introduced a blockchain-based privacy-preserving framework and a public key searchable encryption scheme to strengthen data traceability. Zou et al. [17] introduced a credential-embedded authentication protocol to protect users' privacy and designed an authenticated key agreement protocol to support bilateral authentication for medical data-sharing through IoMT systems. For data encryption/decryption, Guo et al. [18] presented an attribute-based encryption protocol with a ciphertext policy and set an outsourced online/offline revocable mechanism to guarantee fine-grained access control. Li and Dong et al. [19] gave a keyword-searchable encryption scheme to achieve cross-institution medical data utilization and established an on-chain ledger and off-chain storage model to reduce ledger redundancy. Liu et al. [20] designed a certificateless public key encryption protocol based on high-consumption bilinear pairing, combining the keyword search function to protect medical data in IoMT. Qu et al. [21] introduced an interesting work of quantum blockchain to improve privacy security in IoMT, which utilized the quantum signature and quantum identity authentication to achieve secure medical data-sharing with the quantum cloud. For transaction verification, Mao et al. [22] presented an identity-based aggregated signature scheme for IoMT, which could enable efficient local verification of medical data with a locally verifiable mechanism. Zhang et al. [23] proposed a certificateless signcryption protocol to guarantee privacy security in IoMT, which utilized bilinear pairings and zero-knowledge proof to resist super-level internal adversaries. Li et al. [24] proposed a designated verifier signature scheme and established a cross-chain medical data-sharing framework to support secure and efficient data-sharing among different BIoMT systems.

With the deepening application of blockchain in BIoMT, the research on blockchain cryptographic algorithms applicable to medical data-sharing transactions is also more urgent. Most of these BIoMT systems are also based on RSA and ECC cryptographic algorithms, which are vulnerable to quantum attacks. So it is urgent to seek more secure anti-quantum cryptographic algorithms to equip current BIoMT systems.

2.2. Post-quantum cryptography

PQC utilizes classical computationally hard problems to construct quantum-safe cryptosystems for current information systems. Especially for the sensitive information protection of medical data in BIoMT systems, the practical application of PQC is important and necessary. For code-based cryptography, Thiers et al. [25] presented a decoding algorithm based on $q$-ary codes, which could achieve low complexity and anti-quantum security. Alahmadi et al. [26] introduced a signature scheme with error-correcting codes for blockchain-based networks and utilized bounded distance decoding for signature verification. For hash cryptography, Punithavathi et al. [27] established a double-layer encryption framework and proposed a crypto hash algorithm to resist the malware attack in medical data-sharing processes in the IoMT system. Kuznetsov et al. [28] gave the performance analysis of the hashing algorithm in blockchain-based systems and compared it with other related hashing algorithms to show its efficiency and practice. For lattice cryptography, Ye et al. [29] designed a traceable ring signature scheme based on the lattice assumption for IoMT, which could obtain tag-linkability and exculpability in a random oracle model. Bagchi et al. [30] utilized the ring LWE problem to construct an
aggregate signature scheme and applied this scheme to the Internet of drones for privacy preservation. For multivariate-quadratic-equations cryptography, Shim et al. [31] proposed a post-quantum signature with multivariate quadratic equations, which supported the dramatic online signing for cryptographic systems. These four PQC proposals are not only generally used for creating encryption/decryption and digital signature algorithms, but also for key exchange and authentication cryptosystems in the not-too-distant future.

This paper plans to utilize lattice theory to construct a PQC signature algorithm, as the digital signature plays an essential role in transaction signature, blockchain system consistency, and data ownership confirmation in BIoMT systems.

2.3. Lattice-based signature theory

Lattice cryptography serves as one promising PQC theory that has gained much attention in recent years. Its security is also based on some NP-hard problems, such as the shortest vector problem (SVP), shortest independent vectors problem (SIVP), closest vector problem (CVP), short integer solution (SIS), learning with errors (LWE), bounded distance decoding problem (BDD), and so on [32]. The Number Theory Research Unit (NTRU) algorithm is based on SVP or SIVP, and is designed with the polynomial ring. The scheme in Ref. [19] is based on this mechanism. Kim et al. [33] introduced a key encapsulation mechanism with the NTRU lattice, which could resist significant cryptanalytic attacks in current information systems. The LWE is a CVP in which the hardness is solving linear equations with noise. The scheme in Ref. [29] is based on this mechanism. Li and Jiang et al. [34] proposed a group signature scheme with the SIS lattice problem, which had been applied to the IoMT system with blockchain technology for secure medical data-sharing. Yu et al. [35] designed an NTRU-based certificateless ring signature for electronic voting, which could obtain the properties of quantum immunity, unconditional anonymity, and unforgeability. The ring-LWE is a variant of LWE that has more strengthened security properties. The scheme in Ref. [30] is based on this mechanism. Yao et al. [36] designed a public-key authenticated encryption protocol with ring-LWE in the ideal lattice, which also could achieve keyword search ability in cloud computing. Zhang et al. [37] proposed a DVS scheme with the chameleon hash and without trapdoors, which could achieve non-delegatability. Zhang and Sun et al. [38] presented an ID-DVS scheme with a function of signature evolution, which also added the proxy and re-signature functions. The simple comparisons of these lattice-based schemes are shown in Table 1.

Table 1. Lattice-based schemes comparison.

Ref.                      | Lattice problem        | Advantage                                              | Limitation
Kim et al. [33]           | NTRU                   | Key encapsulation; Randomness-recovery; Encoding       | Centralized KGC; Key escrow; Chosen ciphertext attack weak
Yu et al. [35]            | NTRU and SIS           | Certificateless; Ring signature                        | Private key management
Li and Jiang et al. [34]  | ring-LWE and SIS       | Non-delegatability; Bimodal Gaussians                  | Centralized KGC; Key escrow
Yao et al. [36]           | ring-LWE and ring-ISIS | Ring analog; Authenticate ciphertext                   | Centralized KGC; Key escrow
Zhang et al. [37]         | ring-LWE and SIS       | Non-delegatability; Chameleon hash                     | Centralized KGC; Key escrow
Zhang and Sun et al. [38] | ring-LWE               | Re-signature; Semi-trusted proxy; Signature evolution  | Centralized KGC; Key escrow; Double time consumption

As in BIoMT, the protection of sensitive information in medical data is essential in the medical utilization processes among different medical institutions. Meanwhile, the threats to classical cryptographic algorithms from quantum computers should be taken more seriously. Therefore, this paper addresses security and privacy issues related to system users and medical data by proposing a quantum-safe ID-DVS scheme to strengthen the security of medical data-sharing in BIoMT systems.

3. Preliminaries

The lattice theories, ID-DVS scheme model, and security model are presented in this section.

3.1. Lattice theories

Definition 1 (Lattice [39]). Let $v_1, \dots, v_n \in \mathbb{R}^m$ be a set of linearly independent vectors. The lattice $\Lambda_L$ generated by $v_1, \dots, v_n$ is the set formed by the integer linear combinations of the vectors $v_1, \dots, v_n$:

$\Lambda_L = \{a_1 v_1 + a_2 v_2 + \cdots + a_n v_n \mid a_1, a_2, \dots, a_n \in \mathbb{Z}\}$ (1)

Here, the matrix $A = (a_1, \dots, a_m) \subset \mathbb{R}^{n \times m}$ is the coefficient matrix of the lattice $\Lambda$, where the dimension $n$ and rank $m$ of this lattice satisfy $m = O(n \log q)$.

Definition 2 (q-ary Lattice [39]). Eq. (1) is the q-ary lattice when it is constructed by a matrix $A \in \mathbb{Z}_q^{n \times m}$, a prime number $q$, and a vector $\mu \in \mathbb{Z}_q^n$:

$\Lambda^{\perp}(A) = \{x \in \mathbb{Z}^m \mid Ax = 0 \bmod q\}$
$\Lambda^{\perp}_{\mu}(A) = \{x \in \mathbb{Z}^m \mid Ax = \mu \bmod q\}$ (2)

Definition 3 (Gaussian Distribution [40]). The Gaussian distribution is $\rho_{c,\sigma}(x) = \exp\left(-\frac{(x-c)^2}{2\sigma^2}\right)$, where $\sigma \in \mathbb{R}$ is the standard deviation, $c \in \mathbb{R}$ is the center, and $x \in \mathbb{R}$ is the variable. More generally, it can be defined as $\rho_{c,\sigma}(x) = \exp\left(-\frac{\|x-c\|^2}{2\sigma^2}\right)$ with $x, c \in \mathbb{R}^n$. When the center $c = 0$, it becomes $\rho_\sigma(x)$. Meanwhile, $D_\sigma(x) = \rho_\sigma(x)/\rho_\sigma(\mathbb{Z})$ is the discrete Gaussian distribution over $\mathbb{Z}$, and $D_\sigma^m(x) = \rho_\sigma(x)/\rho_\sigma(\mathbb{Z}^m)$ is the general case over $\mathbb{Z}^m$.

Definition 4 ($\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ Problem [40]). $\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ is defined as finding a non-zero $v \in \Re_q^m$ which satisfies $Av = 0$, where $\Re$ is a ring, $\kappa$ is a distribution over $\Re_q^{n \times m}$, $A \in \Re_q^{n \times m}$, and $\|v\|_2 \le \beta$.

Definition 5 ($\mathrm{SamplePre}(A, T, \sigma, y)$ [40]). Given a matrix $A \in \mathbb{Z}_q^{n \times m}$, a trapdoor basis $T$ of the lattice $\Lambda^{\perp}(A)$, $\sigma \ge L \cdot \omega(\sqrt{\log n})$, and a random vector $y$, $\mathrm{SamplePre}(A, T, \sigma, y)$ can derive a non-zero vector $e \in \mathbb{Z}_q^m$ which satisfies $Ae = y \bmod q$. Here, $\|e\| \le \sigma\sqrt{m}$.

3.2. Model descriptions

The scheme model and security model are given in this subsection, and they provide the formal definition of an ID-DVS scheme.

(1) Scheme model

An ID-DVS scheme is mainly composed of five polynomial time algorithms.
• Setup($1^n$): Input the security parameter $n$; the key generation center (KGC) outputs the system parameters $pp$ and the system master secret key $msk$.
• KeyGen.($ID_a, ID_b, pp, msk$): Input the identities $ID_a$ and $ID_b$ of the signer and designated verifier, $pp$, and $msk$; KGC generates the key pairs $(pk_a, sk_a)$ and $(pk_b, sk_b)$ respectively.
• Sign($pp, sk_a, pk_a, pk_b, \mu$): Input the message $\mu$, $pp$, $(pk_a, sk_a)$, and the designated verifier's public key $pk_b$; the signer generates an ID-DVS signature $(e, \mu)$.
• Verify($sk_b, pk_b, pk_a, \mu, e$): Input $(e, \mu)$, $pp$, $(pk_b, sk_b)$, and the signer's public key $pk_a$; the designated verifier checks the legality of the ID-DVS signature.
• Simulation($pp, sk_b, pk_b, pk_a, \mu$): Input the message $\mu$, $pp$, $(pk_b, sk_b)$, and the signer's public key $pk_a$; the designated verifier generates another ID-DVS signature $(e', \mu)$.

(2) Security model

An ID-DVS scheme must satisfy correctness, anonymity, and unforgeability. The correctness can be verified according to the verification process. The anonymity and unforgeability should be proved in the random oracle model as shown in the following Definitions 6 and 7, respectively. Note that only by passing this certification can it be shown that the designed ID-DVS scheme is safe. Next, the security proof model is constructed with a query-respond game, where an adversary Eve $E$ performs the query and a challenger Charlie $C$ performs the response.

Definition 6 (Anonymity). If an adversary can make the right guess whether the signature is signed by the signer or the designated verifier with the adaptive selective identity attack in the random oracle model, he wins this round of the query-respond game. The detailed query-respond processes between $E$ and $C$ are shown as follows.

• Initialize: $C$ performs the Setup($1^n$) algorithm to obtain the system parameters $pp$ and the master secret key $msk$. Then, he exposes $pp$ and keeps $msk$ secret.
• Query: $E$ can perform polynomially many queries on the random oracle. Here, the hash function, secret key, and signature are all query targets. $E$ can perform queries on the non-target user's identity $ID$ or the non-target message $\mu$. $C$ responds with the answers to the queries if the answers already exist. Otherwise, $C$ executes the signature algorithms KeyGen. or Sign to generate new answers to $E$'s queries.
• Challenge: $E$ selects two target system users' identities $ID_{i_0}$ and $ID_{i_1}$ and queries on the signature about these two identities. Next, $C$ randomly chooses the identity $ID_{i_b}$, $b \in \{0, 1\}$, as the signer and the other one as the designated verifier, derives the ID-DVS $(e, \mu)$ according to the processes of the KeyGen. and Sign algorithms, and sends it back to $E$.
• Guess: $E$ outputs a guess $b'$. If $b' = b$, $E$ wins this game. Here the guess success rate of $E$ can be defined as shown in Eq. (3).

$Adv^{Anon}_{A} = \Pr[E \text{ succeeded}]$ (3)

This anonymity increases the probability that the adversary will fail to attack the signature because he cannot determine whether the signer or the designated verifier is the real signer. Meanwhile, the designated verifier cannot prove to third parties that this signature is valid. This mechanism can protect user privacy in medical data-sharing transactions and prevent the designated verifier from authorizing other users to access the signature.

Definition 7 (Unforgeability). If an adversary can forge a valid signature with the adaptive selective message attack in the random oracle model, a challenger can derive another valid signature and solve the lattice assumption with these two signatures. Here, the success probability of this challenger is non-negligible. The detailed query-respond processes between $E$ and $C$ are shown below.

• Initialize: $C$ performs the Setup($1^n$) algorithm to obtain the system parameters $pp$ and the master secret key $msk$. Then, he exposes $pp$ and keeps $msk$ secret.
• Query: $E$ can perform polynomially many queries on the random oracle. Here, the hash function, secret key, and signature are all query targets. $E$ can perform queries on the non-target user's identity $ID$ or the non-target message $\mu$. $C$ responds with the answers to the queries if the answers already exist. Otherwise, $C$ executes the signature algorithms KeyGen. or Sign to generate new answers to $E$'s queries.
• Forge: $E$ utilizes these queried answers to generate a valid signature $(e, \mu^*)$ for the target user's identity $ID^*$ and message $\mu^*$, and exposes this signature.
• Challenge: $C$ also can execute the signature processes legally and derive another valid signature $(e', \mu^*)$ for the target user's identity $ID^*$ and message $\mu^*$. Then, $C$ utilizes these two valid signatures on the same message $\mu^*$ to solve the $\mathbb{Z}\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ instance.
• Analyze: This step analyses two points. One is the probability that $C$ can find a solution for the $\mathbb{Z}\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ instance, and the other is the probability that $E$ successfully generates a valid ID-DVS signature. Here the success rate of $E$ can be defined as shown in Eq. (4).

$Adv^{Forge}_{A} = \Pr[E \text{ succeeded}]$ (4)

This unforgeability ensures that no one other than the signer can generate a legitimate signature, thus improving the security of the medical data-sharing process among different BIoMT systems.

4. The ID-DVS scheme

This ID-DVS scheme is constructed with the lattice assumption of $\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$. To improve the computational efficiency, the lattice assumption is reduced from $\mathbb{R}$ to $\mathbb{Z}$, and the new lattice assumption $\mathbb{Z}\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ does not decrease the hardness. The parameter definitions are shown in Table 2. This scheme mainly contains five algorithms: Setup, KeyGen., Sign, Verify, and Simulation. The simple framework of this ID-DVS scheme is shown in Fig. 1, and details of these algorithms are described as follows.

Table 2. System parameters.

Notation     | Meaning
$q$          | One large prime with $q = q(n) \ge 3$
$n, m$       | The dimensions of the key matrix, with $m \ge 5n \log q$
$\kappa$     | The system security parameter
$\mathbb{Z}$ | The integer matrix/vector set for system keys
$\sigma$     | A system parameter with $\sigma = L \cdot \omega(\sqrt{\log n})$
$mpk$        | The group public key
$msk$        | The group master secret key
$ID_i$       | The user identity
$H_1, H_2$   | The cryptographic hash functions
$D_\sigma^m$ | The bimodal Gaussian distribution
$\sigma$     | The standard deviation for $D_\sigma^m$
$\mu$        | The message to be signed
$pk, sk$     | The public and private keys for system users

4.1. Setup

Some system parameters are preset according to the setting principle in Ref. [41], where $n$ is the security parameter, $q$ is a prime number which satisfies $q = q(n) \ge 3$, $m$ is a positive integer which satisfies $m \ge 5n \log q$, $L = O(\sqrt{n \log q})$, and $\sigma \ge L \cdot \omega(\sqrt{\log n})$.
Fig. 1. The simple framework of ID-DVS scheme.
(1) KGC generates a matrix $mpk = A \in \mathbb{Z}_q^{n \times m}$ with the former system parameters by the trapdoor generation algorithm TrapGen.($1^n$), which is an approximately random distribution matrix. Then, a basis $T \in \mathbb{Z}_q^{m \times m}$ of $\Lambda^{\perp}(A)$ is derived by TrapGen.($1^n$) with $\|\tilde{T}\| \le L$;
(2) Chooses $H_1, H_2 : \{0, 1\}^* \to \mathbb{Z}_q^n$;
(3) Outputs $pp = \{A, H_1, H_2\}$ as the public system parameters;
(4) Serves $mpk = A$ as the master public key and $msk = T$ as the master secret key.

4.2. KeyGen

Given the system parameter $pp$ and the user's identity $ID_i$.
(1) KGC computes $a_{ID_i} = H_1(ID_i) \in \mathbb{Z}_q^n$;
(2) Computes $s_{ID_i} \leftarrow \mathrm{SamplePre}(A, T, a_{ID_i}, \sigma) \in \mathbb{Z}_q^m$, where $\sigma \ge \|\tilde{T}\| \, \omega(\sqrt{\log m})$, $a_{ID_i} \bmod q = A s_{ID_i}$, and $\|s_{ID_i}\| \le \sigma\sqrt{m}$;
(3) Outputs $pk = a_{ID_i}$ as the public key and $sk = s_{ID_i}$ as the secret key for the system user with $ID_i$.

For the signer and designated verifier in this ID-DVS scheme, the signer's key pair is set as $(pk_1, sk_1) = (a_{ID_1}, s_{ID_1})$ and the designated verifier's key pair is set as $(pk_2, sk_2) = (a_{ID_2}, s_{ID_2})$. Then, they will work together to generate a legitimate ID-DVS with the following steps.

4.3. Sign

Given the system parameter $pp$ and message $\mu$.
(1) The signer $ID_1$ randomly chooses $x \in D_\sigma^m$;
(2) Computes $c = H_2(Ax + a_{ID_2} \bmod q, \mu)$;
(3) Utilizes his secret key $sk_1$ to compute $e = x + s_{ID_1}$;
(4) Outputs the signature $\langle e, c \rangle$ with probability $\min\left(\frac{D_\sigma^m(e)}{M \cdot D^m_{s_{ID_1} c, \sigma}(e)}, 1\right)$; otherwise, restarts.

This is a probabilistic algorithm, and $M$ is some fixed positive real that is set large enough to ensure that the preceding probability is always at most 1. If there is no output, the signer repeats these signing steps until a legal ID-DVS is generated.

4.4. Verify

When receiving the ID-DVS from the signer, the designated verifier utilizes $pp$, the signer's public key $pk_1 = a_{ID_1}$, and his own private key $sk_2 = s_{ID_2}$ to verify the legality of $(e, c)$ with message $\mu$.
(1) The designated verifier checks whether $\|e\| > L$ and, if so, rejects it;
(2) Checks whether $\|e\|_\infty > q/4$ and, if so, rejects it;
(3) When the former conditions hold, he verifies whether $c = H_2(A(e + s_{ID_2}) - a_{ID_1} \bmod q, \mu)$ holds or not. Iff this condition holds, he accepts this signature; otherwise, he rejects it.

4.5. Simulation

This subsection presents the simulated generation of a new ID-DVS performed by the designated verifier. According to the former generation processes, he can derive a legal ID-DVS with the same message $\mu$.
(1) Selects a random vector $x \leftarrow D_\sigma^m$;
(2) Computes $c' = H_2(Ax + a_{ID_1} \bmod q, \mu)$ with the system public key $A$ and the same message $\mu$;
(3) Computes $e' = x + s_{ID_2}$;
(4) Outputs the ID-DVS $(e', c')$ with probability $\min\left(\frac{D_\sigma^m(e')}{M \cdot D^m_{s_{ID_2} c, \sigma}(e')}, 1\right)$; otherwise he restarts this algorithm.

Here, the simulated signature $(e', c')$ is indistinguishable from the formerly generated signature $(e, c)$ with the same message $\mu$. This is the inherent quality of the DVS scheme which can prevent attacks from unauthorized verifiers. It can improve the security of cross-institution medical data-sharing through the BIoMT system.

5. Security analysis

The security analyses of the correctness, anonymity, and unforgeability of the proposed ID-DVS scheme are given in this section.

5.1. Correctness

According to the verification steps of the Verify algorithm, a valid ID-DVS shall satisfy three conditions. From the signature generation process, $(e, c)$ satisfies $\|e\| \le L$ and $\|e\|_\infty \le q/4$, which are easily verified. The third condition, $c = H_2(A(e + s_{ID_2}) - a_{ID_1} \bmod q, \mu) = H_2(Ax + a_{ID_2} \bmod q, \mu)$, holds, which can be verified by the equation $A(e + s_{ID_2}) - a_{ID_1} = Ax + a_{ID_2} \bmod q$. Eq. (5) shows the detailed verification process.

$A(e + s_{ID_2}) - a_{ID_1} = A(x + s_{ID_1} + s_{ID_2}) - a_{ID_1}$
$= Ax + A s_{ID_1} + A s_{ID_2} - a_{ID_1}$
$= Ax + a_{ID_1} + a_{ID_2} - a_{ID_1}$
$= Ax + a_{ID_2}$ (5)

Meanwhile, the signature $(e', c')$ simulated by the designated verifier also can be verified by the signer, as the conditions $\|e'\| \le L$, $\|e'\|_\infty \le q/4$, and the equation $c' = H_2(A(e' + s_{ID_1}) - a_{ID_2} \bmod q, \mu) = H_2(Ax + a_{ID_1} \bmod q, \mu)$ hold, which is shown in Eq. (6).

$A(e' + s_{ID_1}) - a_{ID_2} = A(x + s_{ID_2} + s_{ID_1}) - a_{ID_2}$
$= Ax + A s_{ID_2} + A s_{ID_1} - a_{ID_2}$
$= Ax + a_{ID_2} + a_{ID_1} - a_{ID_2}$
$= Ax + a_{ID_1}$ (6)

5.2. Anonymity

Theorem 1. The proposed ID-DVS can capture anonymity with the lattice assumption $\mathbb{Z}\mathrm{SIS}^{\kappa}_{q,n,m,\beta}$ if no adversary can correctly distinguish the real signer with non-negligible probability.

Proof. According to Definition 6, $E$ attempts to distinguish the real

exists, the result $(ID_i, a_{ID_i})$ is returned to $E$. If not, $C$ computes the corresponding $a_{ID_i} = H_1(ID_i)$, returns the result $(ID_i, a_{ID_i})$ to $E$, and records this result in the list $List_{H_1}$.
$H_2$ query: $E$ adaptively chooses a message $\mu_i$ to query the $H_2$ function. $C$ owns a list $List_{H_2}$ to store $(\mu_i, c_i)$. When he obtains the query, he first searches the list $List_{H_2}$ for whether the message $\mu_i$ has been queried or not. If it exists, the result $(\mu_i, c_i)$ is returned to $E$. If not, $C$ randomly selects $x \in D_\sigma^m$, computes the corresponding $c_i = H_2(Ax \bmod q, \mu_i)$, returns the result $(\mu_i, c_i)$ to $E$, and records this result in the list $List_{H_2}$.
Secret key query: $E$ adaptively chooses the non-target identity $ID_i$ to query the secret key. $C$ owns a list $L_K$ to store $(s_{ID_i}, ID_i)$. When he obtains the query, he first searches the list $L_K$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(s_{ID_i}, ID_i)$ is returned to $E$. If not, $C$ obtains $(ID_i, a_{ID_i})$ from the list $List_{H_1}$ or regenerates it first. Next, $C$ computes the corresponding $s_{ID_i} \leftarrow \mathrm{SamplePre}(A, T, a_{ID_i}, \sigma)$, returns the result $(s_{ID_i}, ID_i)$ to $E$, and records this result in the list $L_K$.
Signature query: $E$ adaptively chooses a message $\mu_i$ to query the signature. $C$ owns a list $L_S$ to store $(e, c_i)$. When he obtains the query, he first searches the list $L_S$ for whether the message $\mu_i$ has been queried or not. If it exists, the result $(e, c_i, \mu)$ is returned to $E$. If not, $C$ obtains $(\mu_i, c_i)$ from the list $List_{H_2}$ or regenerates it first. Next, $C$ computes the corresponding $e_1 = x + s_{ID_1}$, where $ID_1$ is set as the signer and $ID_2$ is set as the designated verifier. Then, he returns the result $(e, c_i)$ to $E$, and records this result in the list $L_S$.
• Challenge: $E$ randomly selects two system users' identities $ID_{i_0}$ and $ID_{i_1}$ which have not been queried before. Next, he sends these two target identities to $C$. $C$ randomly selects the identity $ID_{i_b}$, $b \in \{0, 1\}$, as the signer and the other one as the designated verifier, derives the ID-DVS $(e, c_{i_0})$ and $(e', c_{i_1})$ according to the ID-DVS processes, and sends them back to $E$.
• Guess: $E$ utilizes the formerly obtained messages and outputs a guess $b'$ of the signer. $C$ confirms whether $ID_{i_{b'}}$ is the real signer or not. If correct, $E$ wins this game.
• Analyze: Because the parameter $x$ is randomly selected from the same Gaussian distribution $D_\sigma^m$, the distributions of $c_{i_0}$ and $c_{i_1}$ are statistically indistinguishable. Therefore, the two signatures $(e, c_{i_0})$ and $(e', c_{i_1})$ generated by $e = x + s_{ID_{i_0}}$ and $e' = x + s_{ID_{i_1}}$ are also statistically indistinguishable. That is to say, $E$ cannot distinguish the correct signer of these two signatures, and the proposed ID-DVS can guarantee the signer's anonymity.
signer by performing the queries on Hash, secret key, and sign algo-
rithms under the adaptively chosen identity attack. Here, 𝐸 can execute 5.3. Unforgeability
enough times queries on three algorithms to obtain information about
the non-target identity in polynomial time. Meanwhile, the probability Theorem 2. The proposed ID-DVS can capture unforgeability with lattice
that 𝐸 wins one round query-respond game is defined as at least 𝜁. assumption Z 𝑆 𝐼 𝑆𝑞𝜅,𝑛,𝑚,𝛽 if no adversary can generate a valid signature
Then, 𝐶 generates a signature with the target identity 𝐼 𝐷 and lets 𝐸 with the non-negligible probability.
guess the real signer. Detailed query-respond processes are shown as
follows.
Proof. According to Definition 7, 𝐸 attempts to derive a valid signature
• Initialize: 𝐶 executes the Setup algorithm to generate the system
by performing the queries on Hash, secret key, and sign algorithms
parameters (𝑛, 𝑚, 𝑞 , 𝑘, 𝜎) and sends them to 𝐸.
under the adaptively chosen message attack. Here, 𝐸 can execute
• Query: 𝐸 adaptively chooses the non-target identity to query with
enough time queries on three algorithms to obtain information about
𝐶.
the non-target message in polynomial time. Meanwhile, the probability
𝐻1 query: 𝐸 adaptively chooses the non-target identity 𝐼 𝐷𝑖 that 𝐸 wins one round query-respond game is defined as at least 𝜉.
to query on 𝐻1 function. 𝐶 owns a list 𝐿𝑖𝑠𝑡𝐻1 to store Then, 𝐶 attempts to utilize this forged signature to solve the lattice
(𝐼 𝐷𝑖 , 𝑎𝐼 𝐷𝑖 ). When he obtains the query, he first searches the instance Z 𝑆 𝐼 𝑆𝑞𝜅,𝑛,𝑚,𝛽 . Detailed query-respond processes are shown as
list 𝐿𝑖𝑠𝑡𝐻1 whether the identity 𝐼 𝐷𝑖 is queried or not. If follows.
• Initialize: $C$ executes the Setup algorithm to generate the system parameters $(n, m, q, k, \sigma)$ and sends them to $E$.
• Query: $E$ adaptively chooses non-target messages to query $C$.
  – $H_1$ query: $E$ adaptively chooses an identity $ID_i$ to query the $H_1$ function. $C$ owns a list $List_{H_1}$ to store $(ID_i, a_{ID_i})$. When he obtains the query, he first searches the list $List_{H_1}$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(ID_i, a_{ID_i})$ is returned to $E$. If not, $C$ computes the corresponding $a_{ID_i} = H_1(ID_i)$, returns the result $(ID_i, a_{ID_i})$ to $E$, and records this result in the list $List_{H_1}$.
  – $H_2$ query: $E$ adaptively chooses a non-target message $\mu_i$ to query the $H_2$ function. $C$ owns a list $List_{H_2}$ to store $(\mu_i, c_i)$. When he obtains the query, he first searches the list $List_{H_2}$ for whether the message $\mu_i$ has been queried or not. If it exists, the result $(\mu_i, c_i)$ is returned to $E$. If not, $C$ randomly selects $x \in D_\sigma^m$, computes the corresponding $c_i = H_2(Ax \bmod q,\ \mu_i)$, returns the result $(\mu_i, c_i)$ to $E$, and records this result in the list $List_{H_2}$.
  – Secret key query: $E$ adaptively chooses an identity $ID_i$ to query the secret key. $C$ owns a list $L_K$ to store $(s_{ID_i}, ID_i)$. When he obtains the query, he first searches the list $L_K$ for whether the identity $ID_i$ has been queried or not. If it exists, the result $(s_{ID_i}, ID_i)$ is returned to $E$. If not, $C$ obtains $(ID_i, a_{ID_i})$ from the list $List_{H_1}$ or regenerates it first. Next, $C$ computes the corresponding $s_{ID_i} \leftarrow Samplepre(A, T, a_{ID_i}, \sigma)$, returns the result $(s_{ID_i}, ID_i)$ to $E$, and records this result in the list $L_K$.
  – Signature query: $E$ adaptively chooses a non-target message $\mu_i$ to query for a signature. $C$ owns a list $L_S$ to store $(e, c_i)$. When he obtains the query, he first searches the list $L_S$ for whether the message $\mu_i$ has been queried or not. If it exists, the result $(e, c_i, \mu)$ is returned to $E$. If not, $C$ obtains $(\mu_i, c_i)$ from the list $List_{H_2}$ or regenerates it first. Next, $C$ computes the corresponding $e = x + s_{ID_1}$, where $ID_1$ is set as the signer and $ID_2$ as the designated verifier. Then, he returns the result $(e, c_i)$ to $E$ and records this result in the list $L_S$.
• Forge: $E$ can respectively perform $q_{H_1}$, $q_{H_2}$, $q_K$, and $q_S$ queries on the $H_1$ hash, $H_2$ hash, secret key, and sign algorithms until obtaining enough information. With these query results, $E$ can forge a valid signature $(e', c_i)$ on the target message $\mu^*$. Then, $E$ returns it to $C$.
• Challenge: $C$ first confirms that the secret key of the signing identity $ID_i$ has not been queried, that the signature on the message $\mu^*$ has not been queried, and that the public keys $(a_{ID_1}, a_{ID_2})$ were derived by $C$. Then, $C$ utilizes this forged signature $(e', c_i)$ to solve the $\mathrm{ZSIS}_{q,\kappa,n,m,\beta}$ instance $Ae = 0 \bmod q$. He checks the list $List_{H_2}$ and quits this game if $(\mu^*, c_i)$ does not exist. Otherwise, he utilizes the same random vector $x \in D_\sigma^m$ and derives a new valid signature $(e_1, c_i)$ according to the sign algorithm, with the following two equations.

$$
\begin{cases}
c_i \leftarrow H_2(A(e' + s_{ID_2}) - a_{ID_1} \bmod q,\ \mu^*) = H_2(Ax + a_{ID_2} \bmod q,\ \mu^*) \\
c_i \leftarrow H_2(A(e_1 + s_{ID_2}) - a_{ID_1} \bmod q,\ \mu^*) = H_2(Ax + a_{ID_2} \bmod q,\ \mu^*)
\end{cases} \tag{7}
$$

According to the verification algorithm, it has:

$$
\begin{cases}
A(e' + s_{ID_2}) - a_{ID_1} = Ax + a_{ID_2} \bmod q \\
A(e_1 + s_{ID_2}) - a_{ID_1} = Ax + a_{ID_2} \bmod q
\end{cases} \tag{8}
$$

Then, it has:

$$
\begin{cases}
Ae' - a_{ID_1} = Ax \bmod q \\
Ae_1 - a_{ID_1} = Ax \bmod q
\end{cases} \tag{9}
$$

It also has:

$$
A(e_1 - e') = A(x - x_1) \bmod q \tag{10}
$$

Due to $x_1 - x \neq 0$, it can derive

$$
A(e_1 - e') = 0 \bmod q \tag{11}
$$

Here, $C$ quits this game if $e_1 - e' = 0$. Otherwise, $e_1 - e'$ is a nonzero solution of the SIS instance $Ae = 0 \bmod q$.
• Analyze: There are two situations in which $C$ quits the query-respond game. Therefore, the success rate is $\dfrac{\xi}{q_{H_1} + q_{H_2} + q_K + q_S}$. This probability is negligible with the increase in query times. In addition, the lattice assumption is a non-deterministic polynomial problem that cannot be broken under current classical or quantum computational conditions.

From the former theoretical security proof, the proposed ID-DVS scheme obtains correctness, anonymity, and unforgeability. Meanwhile, this ID-DVS scheme also satisfies post-quantum security, as it is constructed with a lattice assumption. Compared with other classical cryptography algorithm-based BIoMT systems, this scheme can well guarantee anti-quantum security for medical data-sharing among different medical institutions.

6. Performance analysis

The performance analyses of this ID-DVS scheme from the theoretical and simulation aspects are given in this section.

6.1. Theoretical analysis

In this phase, six items are selected for comparison, where the assumption is the lattice assumption, $mpk$ is the system master key, $msk$ is the system private key, $pk$ is the system user's public key, $sk$ is the system user's private key, and signature is the size of the proposed signature. The comparison results are shown in Table 3. Firstly, the schemes in Ref. [24,34] and this proposed scheme are based on the ZSIS problem, the schemes in Ref. [29,30] are based on Ring-LWE, and the scheme in Ref. [35] is based on the NTRU lattice. Secondly, the sizes of $mpk$, $msk$, $pk$, and $sk$ are determined by the parameters $m$, $n$, and $q$. Then, the signature sizes in these schemes also depend on the scalar factor $\sigma$ and the ring number $N$. In Ref. [29] and Ref. [30], the signature size increases with the ring number, which affects the efficiency of the signature algorithm. Here, there are no results for $mpk$ and $msk$ in Ref. [24] and Ref. [34], as the Setup and KeyGen algorithms in these two references are not divided. These theoretical comparisons and analyses show that the proposed ID-DVS has certain advantages over the other five related schemes.

Meanwhile, the theoretical analyses of the time costs of the Setup, KeyGen, Sign, and Verify algorithms are presented in Table 4, where $T_{Trap}$ represents the time cost of the trapdoor algorithm, $T_{Sam}$ that of the Gaussian Samplepre algorithm, $T_{Mul}$ that of the scalar multiplication algorithm, and $T_H$ that of the hash algorithm. Here, some high-time-consuming algorithms and steps have been selected for comparison, and other addition or modular operations that are low-time-consuming are not considered. The Setup and KeyGen algorithms can be prepared in advance, which saves time and cost, so the time consumed by the other algorithms affects the efficiency more. In the proposed ID-DVS scheme, the time costs of the KeyGen and Sign algorithms are lower than those of the other schemes. From these comparison results, it can be derived that the proposed ID-DVS has certain advantages over the other five related schemes.
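The Sign and Verify equations of Section 5.1 (Eqs. (5) and (6)), whose operation counts Table 4 compares, as an added toy example in Python that is not the paper's code. It assumes a toy KeyGen that picks a short $s_{ID}$ and sets $a_{ID} = A s_{ID} \bmod q$ in place of $a_{ID} = H_1(ID)$ with trapdoor Samplepre, a uniformly sampled masking vector $x$ instead of $D_\sigma^m$, SHA-256 as $H_2$, and toy-sized dimensions; it also shows that the designated verifier's simulation is the signing procedure with the two roles swapped.

```python
"""Toy model of the ID-DVS Sign/Verify equations from Section 5.1.

Added example, not the paper's code. Assumptions that differ from the paper:
a key pair is made by choosing a short s_ID first and setting a_ID = A*s_ID mod q
(the paper sets a_ID = H1(ID) and extracts s_ID with the trapdoor via Samplepre);
the masking vector x is uniform on a small range instead of Gaussian D_sigma^m;
H2 is SHA-256; the dimensions and modulus are toy-sized and give no security.
"""
import hashlib
import math
import random

N, M, Q = 4, 8, 257   # toy n, m and modulus q (constructed values)
BOUND = 3             # short vectors have entries in [-BOUND, BOUND]
L_NORM = 50.0         # Euclidean bound L checked by Verify (constructed)

def mat_vec(A, v):
    """A*v mod q for an n x m integer matrix A and a length-m vector v."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def vec_add(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]

def vec_sub(u, v):
    return [(a - b) % Q for a, b in zip(u, v)]

def h2(point, msg):
    """H2(point, mu): SHA-256 of the reduced lattice point and the message."""
    return hashlib.sha256(",".join(map(str, point)).encode() + b"|" + msg).hexdigest()

def setup(seed=1):
    """Setup: random public matrix A over Z_q plus a seeded RNG for the demo."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)], rng

def keygen(A, rng):
    """Toy KeyGen (see module note): short s_ID and a_ID = A*s_ID mod q."""
    s = [rng.randint(-BOUND, BOUND) for _ in range(M)]
    return s, mat_vec(A, s)

def sign(A, s_own, a_other, msg, rng):
    """Sign by ID1 for verifier ID2: e = x + s_ID1, c = H2(A*x + a_ID2 mod q, mu).

    Run by the verifier with (s_ID2, a_ID1) it is the simulation (e', c') of Eq. (6).
    """
    x = [rng.randint(-BOUND, BOUND) for _ in range(M)]
    e = [xi + si for xi, si in zip(x, s_own)]          # over the integers, not reduced
    return e, h2(vec_add(mat_vec(A, x), a_other), msg)

def short_enough(e):
    """First two Verify conditions: ||e|| <= L and ||e||_inf <= q/4."""
    return math.sqrt(sum(t * t for t in e)) <= L_NORM and max(map(abs, e)) <= Q / 4

def verify(A, s_own, a_other, msg, sig):
    """Verify by ID2: c == H2(A(e + s_ID2) - a_ID1 mod q, mu); by Eq. (5) the
    point equals A*x + a_ID2. Run by the signer with (s_ID1, a_ID2) it checks a
    simulated signature via Eq. (6). Needs the verifier's own secret key."""
    e, c = sig
    if not short_enough(e):
        return False
    shifted = [ei + si for ei, si in zip(e, s_own)]
    return c == h2(vec_sub(mat_vec(A, shifted), a_other), msg)

if __name__ == "__main__":
    A, rng = setup(7)
    s1, a1 = keygen(A, rng)   # signer ID1
    s2, a2 = keygen(A, rng)   # designated verifier ID2
    msg = b"lab result for patient P-001"   # constructed sample message
    sig = sign(A, s1, a2, msg, rng)
    print("designated verifier accepts:", verify(A, s2, a1, msg, sig))
    sim = sign(A, s2, a1, msg, rng)
    print("signer accepts verifier's simulation:", verify(A, s1, a2, msg, sim))
```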
Table 3
Keys size comparison.

Ref.                     | Assumption | mpk     | msk        | pk      | sk      | signature
Li et al. [24]           | ZSIS       | -       | -          | mnlog2q | mnlog2q | 2mlog(12σ)
Ye et al. [29]           | Ring-LWE   | mnlogq  | n(m-n)logq | nlogq   | mlogq   | 2mlog(12σ)+Nlog3
Bagchi et al. [30]       | ZSIS       | 2mlogq  | mlogq      | 2mlogq  | mlogq   | 2Nmlog(12σ)
Li and Jiang et al. [34] | Ring-LWE   | -       | -          | mnlog2q | mnlog2q | 2mlog(12σ)
Yu et al. [35]           | NTRU       | mlogq   | 4n^2 logq  | mlogq   | 2nlogq  | 2mlog(2σ)
This scheme              | ZSIS       | mnlogq  | mmlogq     | nlogq   | mlogq   | 2mlog(12σ)

Table 4
Time costs comparison.

Items                    | Setup     | KeyGen                      | Sign                   | Verify
Li et al. [24]           | 2T_Trap   | -                           | 2T_Mul + T_H           | 3T_Mul + T_H
Ye et al. [29]           | T_Trap    | T_Sam + T_Mul               | T_Sam + 7T_Mul + 3T_H  | 5T_Mul + 2T_H
Bagchi et al. [30]       | 2T_Trap   | 3N T_Mul + N T_H            | 3N T_Mul + N T_H       | 2T_Mul + T_H
Li and Jiang et al. [34] | 2N T_Trap | -                           | 5T_Mul + 2T_H          | 3T_Mul + T_H
Yu et al. [35]           | T_Trap    | N T_Sam + 2N T_Mul + 2N T_H | 3T_Mul + T_H           | 6T_Mul + 4T_H
This scheme              | T_Trap    | T_Sam + T_H                 | 2T_Mul + T_H           | 4T_Mul + T_H
Fig. 2. Keys size comparison (80-bit security level with parameter setting of n = 512, m = 3549, q = 2^23, and σ = 230; 192-bit security level with parameter setting of n = 1024, m = 8323, q = 2^27, and σ = 230).
6.2. Simulation evaluation

To more clearly compare the advantages and disadvantages of the different schemes, the ID-DVS scheme has been executed with Matlab 2016b on a Windows 11 desktop with an Intel(R) Core(TM) i5-1240P 1.90 GHz CPU and 16 GB RAM. Here, the system parameters are selected according to those in Ref. [39], which are presented in the title of Fig. 2. Meanwhile, the signature size in Ref. [29] and Ref. [30] depends on the ring number $N$, which is preset as $N = 3$. With the ring number increasing, the signature size in these two references will increase. From the comparison results, the key sizes of $pk$ and $sk$ in this ID-DVS have a certain advantage over the other schemes. Although $mpk$ and $msk$ are equal to or bigger than those in the other schemes, this ID-DVS is constructed with the lattice assumption ZSIS, which provides a strong security guarantee. As the signing process is the main part of a signature scheme, the signature size, which is the smallest compared with these similar schemes, can improve the algorithm execution efficiency.

Then, the simulations of time consumption and energy consumption are shown in Fig. 3 and Fig. 4, respectively. Here, the time consumption of the $T_{Trap}$, $T_{Sam}$, $T_{Mul}$, and $T_H$ algorithms is set according to the principle in Ref. [40]. Then, the time-consumption results in Table 4 are calculated, and the results show that this ID-DVS scheme has obvious advantages over other similar schemes. Meanwhile, the simulated devices operate at 3.2 V and 7.6 mA. With the formerly calculated time-consumption data, the energy-consumption results are calculated and shown in Fig. 4.

Fig. 3. Time-consuming comparison.

Fig. 4. Energy-consuming comparison.

7. Conclusion

This paper contributes to privacy protection in the cross-chain health data-sharing process in BIoMT systems and introduces an MCF model with a DVS scheme. The MCF model is constructed with blockchain and relay chain technologies, which can support cross-chain health data-sharing and guarantee that data is not tampered with. The DVS is designed with lattice cryptography, which can resist quantum attacks. Meanwhile, the combination of the MCF model and the DVS scheme can effectively improve the privacy security of system transactions and users. Then, it has been proved that the DVS scheme satisfies the security requirements of unforgeability, anonymity, and non-traceability. The key size comparison shows that the proposed DVS scheme is efficient and ledger space-saving, the consumption comparison of time and energy shows that this DVS is more practical for cross-chain transactions, and the performance evaluations of cross-chain transactions show that the proposed MCF model is efficient and practical for BIoMT systems. These works provide a new solution for the data island and privacy protection issues in current IoMT systems and promote the application of cross-chain technology in BIoMT systems.

Moreover, there are still some research directions worth exploring, such as cross-chain identity authentication, secure secret sharing, data access control, and efficient data retrieval in cross-chain health data-sharing processes, which will be possible research orientations in future work.

CRediT authorship contribution statement

Chaoyang Li: Writing – review & editing, Writing – original draft, Formal analysis, Conceptualization. Yuling Chen: Writing – review & editing, Supervision. Mianxiong Dong: Project administration, Investigation. Jian Li: Validation, Supervision. Min Huang: Validation, Supervision. Xiangjun Xin: Supervision, Funding acquisition. Kaoru Ota: Supervision, Formal analysis.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China under Grant Numbers 62272090, 72293583, 72293580, the Foundation of State Key Laboratory of Public Big Data under Grant PBD2023-25, the Foundation and Cutting-Edge Technologies Research Program of Henan Province (CN) under Grant Number 242102211073, the Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Numbers JP22K11989, JP24K14910, Leading Initiative for Excellent Young Researchers (LEADER), MEXT, Japan, Japan Science and Technology Agency (JST) PRESTO Grant Number JPMJPR21P3, JST ASPIRE Grant Number JPMJAP2344, the Soroptimist Japan Foundation, and the Doctor Scientific Research Fund of Zhengzhou University of Light Industry under Grant 2021BSJJ033. Mianxiong Dong is the corresponding author.
Data availability

No data was used for the research described in the article.

References

[1] X. Xiang, J. Cao, W. Fan, S. Xiang, G. Wang, Blockchain enabled dynamic trust management method for the internet of medical things, Decis. Support Syst. 180 (2024) 114184.
[2] A. Kosba, A. Miller, E. Shi, Z. Wen, C. Papamanthou, Hawk: The blockchain model of cryptography and privacy-preserving smart contracts, in: 2016 IEEE Symposium on Security and Privacy, SP, IEEE, 2016, pp. 839–858.
[3] W. Wang, H. Xu, M. Alazab, T.R. Gadekallu, Z. Han, C. Su, Blockchain-based reliable and efficient certificateless signature for IIoT devices, IEEE Trans. Ind. Inform. 18 (10) (2021) 7059–7067.
[4] Z. Wang, S. Wei, G.-L. Long, L. Hanzo, Variational quantum attacks threaten advanced encryption standard based symmetric cryptography, Sci. China Inf. Sci. 65 (10) (2022) 200503.
[5] L.K. Grover, Quantum mechanics helps in searching for a needle in a haystack, Phys. Rev. Lett. 79 (2) (1997) 325.
[6] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Rev. 41 (2) (1999) 303–332.
[7] D.J. Bernstein, T. Lange, Post-quantum cryptography, Nature 549 (7671) (2017) 188–194.
[8] R.J. McEliece, A public-key cryptosystem based on algebraic, Coding Thv 4244 (1978) 114–116.
[9] L. Lamport, Constructing digital signatures from a one way function, 1979.
[10] R.C. Merkle, A certified digital signature, in: Conference on the Theory and Application of Cryptology, Springer, 1989, pp. 218–238.
[11] M. Ajtai, Generating hard instances of lattice problems, in: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, 1996, pp. 99–108.
[12] J. Dey, R. Dutta, Progress in multivariate cryptography: Systematic review, challenges, and research directions, ACM Comput. Surv. 55 (12) (2023) 1–34.
[13] X. Jia, M. Luo, H. Wang, J. Shen, D. He, A blockchain-assisted privacy-aware authentication scheme for internet of medical things, IEEE Internet Things J. 9 (21) (2022) 21838–21850.
[14] Q. Lin, X. Li, K. Cai, M. Prakash, D. Paulraj, Secure Internet of medical Things (IoMT) based on ECMQV-MAC authentication protocol and EKMC-SCP blockchain networking, Inform. Sci. 654 (2024) 119783.
[15] D. Chen, F. Zhou, Y. Liu, L. Li, Y. Liang, Secure pairing-free certificateless aggregate signcryption scheme for IoT, J. Syst. Archit. 156 (2024) 103268.
[16] Y. Han, J. Han, W. Meng, J. Lai, G. Wu, Blockchain-based privacy-preserving public key searchable encryption with strong traceability, J. Syst. Archit. 155 (2024) 103264.
[17] S. Zou, Q. Cao, C. Huangqi, A. Huang, Y. Li, C. Wang, G. Xu, A physician's privacy-preserving authentication and key agreement protocol based on decentralized identity for medical data sharing in IoMT, IEEE Internet Things J. 11 (17) (2024) 29174–29189.
[18] R. Guo, G. Yang, H. Shi, Y. Zhang, D. Zheng, O3-R-CP-ABE: An efficient and revocable attribute-based encryption scheme in the cloud-assisted IoMT system, IEEE Internet Things J. 8 (11) (2021) 8949–8963.
[19] C. Li, M. Dong, J. Li, G. Xu, X.-B. Chen, W. Liu, K. Ota, Efficient medical big data management with keyword-searchable encryption in healthchain, IEEE Syst. J. 16 (4) (2022) 5521–5532.
[20] X. Liu, Y. Sun, H. Dong, A pairing-free certificateless searchable public key encryption scheme for IoMT, J. Syst. Archit. 139 (2023) 102885.
[21] Z. Qu, Y. Meng, B. Liu, G. Muhammad, P. Tiwari, QB-IMD: A secure medical data processing system with privacy protection based on quantum blockchain for IoMT, IEEE Internet Things J. 11 (1) (2023) 40–49.
[22] W. Mao, P. Jiang, L. Zhu, Locally verifiable batch authentication in IoMT, IEEE Trans. Inf. Forensics Secur. 19 (2023) 1001–1014.
[23] J. Zhang, C. Dong, Y. Liu, Efficient pairing-free certificateless signcryption scheme for secure data transmission in IoMT, IEEE Internet Things J. (2023).
[24] C. Li, B. Jiang, M. Dong, Y. Chen, Z. Zhang, X. Xin, K. Ota, Efficient designated verifier signature for secure cross-chain health data sharing in BIoMT, IEEE Internet Things J. 11 (11) (2024) 19838–19851.
[25] J.-P. Thiers, J. Freudenberger, Code-based cryptography with generalized concatenated codes for restricted error values, IEEE Open J. Commun. Soc. 3 (2022) 1528–1539.
[26] A. Alahmadi, S. Çalkavur, P. Solé, A.N. Khan, M.A. Raza, V. Aggarwal, A new code based signature scheme for blockchain technology, Mathematics 11 (5) (2023) 1177.
[27] R. Punithavathi, K. Venkatachalam, M. Masud, M.A. AlZain, M. Abouhawwash, Crypto hash based malware detection in IoMT framework, Intell. Autom. Soft Comput. 34 (1) (2022).
[28] A. Kuznetsov, I. Oleshko, V. Tymchenko, K. Lisitsky, M. Rodinko, A. Kolhatin, Performance analysis of cryptographic hash functions suitable for use in blockchain, Int. J. Comput. Netw. Inf. Secur. 13 (2) (2021) 1–15.
[29] Q. Ye, Y. Lang, H. Guo, Y. Tang, Efficient lattice-based traceable ring signature scheme with its application in blockchain, Inform. Sci. 648 (2023) 119536.
[30] P. Bagchi, R. Maheshwari, B. Bera, A.K. Das, Y. Park, P. Lorenz, D.K. Yau, Public blockchain-envisioned security scheme using post quantum lattice-based aggregate signature for internet of drones applications, IEEE Trans. Veh. Technol. 72 (8) (2023) 10393–10408.
[31] K.-A. Shim, J. Kim, Y. An, Mq-sign: A new post-quantum signature scheme based on multivariate quadratic equations: Shorter and faster, KpqC Round 1 (2022).
[32] H. Nejatollahi, N. Dutt, S. Ray, F. Regazzoni, I. Banerjee, R. Cammarota, Post-quantum lattice-based cryptography implementations: A survey, ACM Comput. Surv. 51 (6) (2019) 1–41.
[33] J. Kim, J.H. Park, Ntru+: Compact construction of NTRU using simple encoding method, IEEE Trans. Inf. Forensics Secur. 18 (2023) 4760–4774.
[34] C. Li, B. Jiang, M. Dong, X. Xin, K. Ota, Privacy preserving for electronic medical record sharing in healthchain with group signature, IEEE Syst. J. 17 (4) (2023) 6114–6125.
[35] H. Yu, W. Hui, Certificateless ring signature from NTRU lattice for electronic voting, J. Inf. Secur. Appl. 75 (2023) 103496.
[36] L. Yao, J. Weng, A. Yang, X. Liang, Z. Wu, Z. Jiang, L. Hou, Scalable CCA-secure public-key authenticated encryption with keyword search from ideal lattices in cloud computing, Inform. Sci. 624 (2023) 777–795.
[37] Y. Zhang, W. Susilo, F. Guo, Lattice-based strong designated verifier signature with non-delegatability, Comput. Stand. Interfaces 92 (2025) 103904.
[38] Q. Zhang, Y. Sun, Y. Lu, W. Huang, Revocable identity-based designated verifier proxy re-signature with signature evolution, Comput. Stand. Interfaces 92 (2025) 103894.
[39] D. Micciancio, O. Regev, Lattice-based cryptography, in: Post-Quantum Cryptography, Springer, 2009, pp. 147–191.
[40] L. Ducas, A. Durmus, T. Lepoint, V. Lyubashevsky, Lattice signatures and bimodal Gaussians, in: Annual Cryptology Conference, Springer, 2013, pp. 40–56.
[41] M. Ajtai, Generating hard instances of the short basis problem, in: Automata, Languages and Programming: 26th International Colloquium, ICALP'99 Prague, Czech Republic, July 11–15, 1999 Proceedings 26, Springer, 1999, pp. 1–9.