An NTRU-like Message Recoverable Signature Algorithm

Abstract

An important feature of Nyberg-Rueppel type digital signature algorithms is message recovery, this signature algorithm can recover the original information from the signature directly by the verifier in the verification phase after signing the message. However, this algorithm is currently vulnerable to quantum attacks and its security cannot be guaranteed. Number Theory Research Unit (NTRU) is an efficient public-key cryptosystem and is considered to be one of the best quantum-resistant encryption schemes. This paper proposes an NTRU-like message recoverable signature algorithm to meet the key agreement requirements in the post-quantum world. This algorithm, designed for the Internet of Things (IoT), constructs a secure system using the Group-Based Message Recoverable Signature Algorithm (NR-GTRU), by integrating a Group-Based NTRU-Like Public-Key Cryptosystem (GTRU) with an efficient Nyberg-Rueppel type of NTRU digital signature algorithm (NR-NTRU). This signature algorithm, resistant to quantum algorithm attacks, offers higher security at the cost of a slight efficiency reduction compared to traditional NTRU signature algorithms, and features Nyberg-Rueppel message recovery, making it well-suited for IoT applications.

1. Introduction

In the IoT environment, secure communication between devices can be achieved through public key cryptographic security mechanisms. With the growing demand of IoT devices, when subjected to security threats (e.g., trespass attack, device scanning attack, active eavesdropping, spoofing attack, firmware attack, man-in-the-middle attack, Distributed denial of service attack (DDoS attack, etc.) in the smart device, it may still threaten the data security, disrupt the daily life and industrial operations, and affect the confidentiality, authentication, and integrity of the data. Therefore, security mechanisms based on public key cryptography face additional challenges in IoT environments [1,2]. The rapid development of quantum computing has triggered a series of studies showing the existence of quantum algorithms that can fully solve encryption algorithms such as RSA [3] in polynomial time. For example, Shor [4] proposed a quantum algorithm that solves large integer factorization and the Elliptic Curve Discrete Logarithm Problem (ECDLP) in polynomial time in a quantum computer. Among the existing encryption schemes, Stergiou [5] et al. proposed an efficient security model for IoT and cloud computing convergence, which is based on RSA. Similarly, Jose [6] et al. proposed an efficient IoT encryption method based on Elliptic Curve Cipher (ECC) [7]. However, due to the encryption and decryption complexity and security issues of these two schemes, they are no longer applicable to the IoT. While theoretical estimates suggest that quantum computers would need at least thousands of qubits to break existing codes, global tech giants are certainly working towards this goal [8]. IBM is currently leading the way in quantum computing hardware with its 127-qubit processor [9] and plans to surpass 1000 quantum bits by 2023 [10]. The likelihood of having scalable quantum computers in the next decade is predicted to be very high [11]. Therefore, there is an urgent need for quantum-resistant encryption and signature schemes.

Lattice cryptography are an important branch of post-quantum cryptography. Computing the Shortest Vector Problem (SVP) in a lattice is an important and difficult problem, which is the security cornerstone of contemporary lattice cryptography. Current practical and secure encryption/decryption lattice systems and digital signature lattice cryptosystems are basically designed based on the above problem. On the one hand, the lattice cryptography has the above difficult problem as the security foundation of the theoretical statute; on the other hand, the lattice cryptography has moderate consumption of space and time resources. Further, based on the lattice cryptography, it is possible to design attribute encryption, homomorphic encryption and other advanced cryptographic application algorithms. Therefore, lattice cryptography are widely recognised as the most promising branch of post-quantum cryptography. Among the lattice cryptography, the NTRU public key encryption system has been widely studied by scholars because of the simplicity of the algorithm, fast computation speed, and small storage space occupied.

Most lattice-based signature schemes have large signature sizes, which makes them unsuitable for resource-constrained IoT environments. Traditional digital signature schemes usually need to bind the message and the signature to make it easier for the verifier to verify the message, but this also incurs additional bandwidth costs, especially when the message and signature sizes are relatively large. The concept of message recovery was born based on the idea of reducing the consumption of bandwidth. In message recovery, the message is embedded in the signature. The sender sends the signature to the receiver and once the receiver receives the signature, he can perform signature verification and recover the original message from the signature [12]. In 1993, Nyberg and Ruppel modified the Digital Signature Algorithm (DSA) to support message recovery. It was the first signature scheme to support message recovery [13] and reduces the amount of information to be transmitted, and thus can save the transmission bandwidth dramatically.

In 1998, Hoffstein, Pipher, and Silverman [14] designed a fast public key cryptosystem based on the finite computation of constraint polynomials over a polynomial ring, the NTRU cryptosystem. The NTRU cryptosystem is 1.5 times faster than the ECC in hardware implementation [15]. Compared to the software implementation of RSA, NTRU is 200 times faster in key generation, nearly 3 times faster in encryption, and about 30 times faster in decryption [16]. The security of the NTRU cryptosystem is considered to be comparable to that of RSA and ECC when using the recommended parameters [17]. NTRU is not only a fast public-key cryptosystem, but also quantum-resistant.

In 2003, Hoffstein et al. also combined the GGH scheme and the NTRU lattice and proposed the NTRU signature scheme [18]. This scheme has shorter public and private keys and is more efficient, but it leaks trapdoor information during the Signature and does not give rigorous security proof.

In 2008, Gentry et al. designed a one-way function, also known as preimage sampleable functions, based on the hard problem on the lattice (Short Integer Solution (SIS) problem) and proposed a digital signature scheme based on it, the GPV08 digital signature [19]. This scheme is provably secure under the random oracle model and is resistant to adaptive chosen-message attacks. However, the GPV08 digital signature scheme is inefficient, mainly due to the inefficiency of its Preimage Gaussian sampling algorithm.

In 2008 and 2010, the NTRU encryption algorithm was standardised by the IEEE [20] and ASC X9 [21].

In 2012, Lyubashevsky proposed a lattice-based digital signature scheme based on SIS problem without using trapdoor matrices [22].

In 2013, Tian [23] et al. first introduced the concept of message recovery to lattice-based cryptography.

In 2016, NIST initiated the Post-Quantum Cryptography Project to start a worldwide call for post-quantum cryptographic algorithms with a view to laying the groundwork for subsequent standardisation [24]. After three rounds of selection, NIST announced on 5 July 2022 the final algorithms selected for standardization as well as those that require further discussion in the fourth round. The NTRU public-key cryptosystem involves only simple polynomial modular multiplication and addition/subtraction operations in the computation process, and its encryption and decryption speeds and time efficiencies outperform existing public-key cryptosystems, such as RSA, ElGamal [25], etc. under the same security level. In NIST’s post-quantum cryptography scheme collection project, schemes based on the NTRU lattice occupy an important position. For example, the Falcon digital signature [26] is constructed based on the NTRU lattice and is one of the pre-standardization signatures in the standard collection of NIST post-quantum cryptography schemes.

In 2017, Faguo Wu [27] et al. present a new identity-based proxy signature scheme over an NTRU lattice with message recovery (IB-PSSMR), which is more efficient than the other existing identity-based proxy signature schemes in terms of the size of the signature and the cost of energy.

In 2019, Shuai Li [28] et al. proposed a group-based NTRU-like public key cryptosystem, GTRU, using non-Abelian poly-$\mathbb{Z}$ groups and NTRU encryption algorithms. This scheme constructs a high-performance GTRU for IoT. In the security analysis, it is demonstrated that the IoT GTRU proposed by this scheme is more secure against lattice-based attacks than the NTRU security and its efficiency exceeds that of traditional cryptographic algorithms.

To enhance the security of the Nyberg-Rueppel digital signature algorithm for IoT applications, this paper proposes a message recoverable signature algorithm based on NTRU-like. This scheme is based on the GTRU cryptosystem proposed by Shuai Li et al. [28] and exploits the message recovery property of the Nyberg-Rueppel digital signature algorithm. It has the advantage of resisting the attack of quantum algorithms, and it is a suitable digital signature scheme for IoT applications with higher security compared to the traditional NTRU public key cryptosystem and Nyberg-Rueppel digital signature algorithm.

The remainder of this paper is organised as follows. Section 2 provides an overview of the research in this article. Section 3 presents the mathematical background knowledge and theorems. Section 4 constructs the NR-GTRU signature algorithm. Section 5 compares the performance with the NR-NTRU algorithm, Section 6 analyses the security properties, Section 7 describes the advantages and challenges faced by NR-GTRU in IoT. Finally, the conclusions are presented in Section 8. Appendix A gives an example of this signature algorithm and Appendix B lists all the abbreviations and annotations that appear in this paper.

2. Research Content

Due to security reasons, traditional public key cryptosystems will be replaced by post-quantum cryptographic schemes, of which lattice-based cryptosystems are one of the best alternatives.

By studying and analyzing NTRU and digital signature algorithms in related literature, it is concluded that the security of NTRU mainly stems from the difficulty of finding the shortest vector in a given lattice, i.e., the Shortest Vector Problem (SVP): given a lattice L, find a non-zero vector v satisfying that for any non-zero vector $u\in L$, $\parallel v\parallel \le \parallel u\parallel$.

To ensure the security of the Internet of Things, this paper focuses on the Nyberg-Rueppel digital signature scheme and the group-based NTRU-like public key cryptosystem (GTRU) and proposes a new group-based message recoverable signature scheme. This scheme uses the GTRU cryptosystem, which has message recovery properties, is suitable for the IoT, and is resistant to lattice-based attacks, making it a secure digital signature scheme.

The research focus of this paper includes the following aspects:

• Design and improve a group-based NTRU-like signature algorithm based on the GTRU public key cryptosystem studied by Shuai Li [28] et al. It is also ensured that this signature algorithm can statute to the SVP, guaranteeing that it can withstand lattice-based attacks.
• The signature scheme proposed by Nyberg and Rueppel [13] is adapted to a group-based NTRU-like signature algorithm to make it message-recovery friendly and resistant to some well-known forgery attacks and other related lattice attacks.
• The efficiency and security of the signature scheme are verified and analyzed.

3. Mathematical Background

In this section, the NTRU public-key cryptosystem and poly-$\mathbb{Z}$ group are introduced.

3.1. NTRU

We denote by $\mathbb{Z}$ the set of all integers, $\mathbb{Z}$ being the infinite cyclic group under the ordinary addition. For a positive integer n, we use ${\mathbb{Z}}^n$ to denote the n-ary cartesian product of $\mathbb{Z}$. As the n-ary direct product of $\mathbb{Z}$, ${\mathbb{Z}}^n$ is the group under vector addition. For the positive integer m, denoted ${\mathbb{Z}}_m=\mathbb{Z}/m\mathbb{Z}$, the operation mod m defines the natural homomorphism from ${\mathbb{Z}}^n$ to ${\mathbb{Z}}_m^n$.

NTRU [29] has three parameters N, p, q, where N is used for modulo operations with polynomial coefficients less than N, and N is generally set to a prime number for better security. On the other hand, p and q must be mutually prime, and they are used to minimise the polynomial coefficients. Note that p must be less than q. NTRU also has four subsets ${\mathcal{L}}_f$, ${\mathcal{L}}_g$, ${\mathcal{L}}_r$, and ${\mathcal{L}}_m$ of ${\mathbb{Z}}^n$, where ${\mathbb{Z}}^n$ is endowed with the structure of a ring under the addition operation

$$({\mathit{a}}_1,\dots ,{\mathit{a}}_n)+({\mathit{b}}_1,\dots ,{\mathit{b}}_n)=({\mathit{a}}_1+{\mathit{b}}_1,\dots ,{\mathit{a}}_n+{\mathit{b}}_n),$$

(1)

and the multiplication operation, i.e., the cyclic convolution product

$$({\mathit{a}}_1,\dots ,{\mathit{a}}_n)\ast ({\mathit{b}}_1,\dots ,{\mathit{b}}_n)=({\mathit{c}}_1,\dots ,{\mathit{c}}_n),$$

(2)

where

$${\mathit{c}}_k=\sum _{i+j=k+1modn}{\mathit{a}}_i{\mathit{b}}_j.$$

The key generation, encryption and decryption operations of NTRU are as follows.

3.1.1. Key Generation

• First choose two random polynomials $f\in {\mathcal{L}}_f$, $g\in {\mathcal{L}}_g$ and have $f_p,f_q$ to satisfy:

  $$f\ast f_p=e_{1}modp,$$

  $$f\ast f_q=e_{1}modq,$$
  In some cases, f has no corresponding $f_p,f_q$, in which case another polynomial $f\in {\mathcal{L}}_f$ must be re-selected to compute $f_p,f_q$.
• Compute the public key h using the chosen $f,g$:

  $$h=f_q\ast pgmodq$$
• The public key is ($n,p,q,h$) and the private key is ($f,f_p$).

3.1.2. Encrypt

• Select the plaintext to be encrypted $m\in {\mathcal{L}}_m$, after randomly selecting $r\in {\mathcal{L}}_r$.
• Calculate c:

  $$c=h\ast r+mmodq$$

3.1.3. Decrypt

• To recover the plaintext m, you need to multiply c by the private key f, and then take the modulus of q after calculating the result:

  $$a=f\ast cmodq$$
• Finally, using a and $f_p$, the plaintext m is computed:

  $$m=f_p\ast amodp$$

The NTRU can be decrypted correctly because $amodm=bmodm$ and $0\le a,b\le m$, which means that for $a,b,b\in \mathbb{Z}$, $a=b$.

3.2. ${\mathbb{Z}}^n$

Shuai Li [28] et al. construct high-performance GTRU for IoT by the use of the non-abelian poly-$\mathbb{Z}$ group ${\mathbb{Z}}^{n-3}\times \mathcal{H}$, where $\mathcal{H}$ is the discrete Heisenberg group. The signature algorithm constructed in this paper uses the GTRU encryption algorithm as the basis, and the following is a brief summary of the Propositions made in GTRU.

The circular convolution product of two vectors $\mathit{h}$ and $\mathit{r}$ in ${\mathbb{Z}}^n$ can be expressed as the image $\mathit{H}\left(\mathit{r}\right)$ under the ${\mathbb{Z}}^n$ self-homomorphism $\mathit{H}$, where $\mathit{H}$ is determined by $\mathit{h}$.

Moreover, the result of a modulo m operation on a vector in ${\mathbb{Z}}^n$ can be expressed as the image of that vector in the natural homomorphism. The following proposition shows that the result of choosing the coefficients of an n-vector on ${\mathbb{Z}}_m$ can be expressed as the image of this n-vector on ${\mathbb{Z}}_m^n$ under the function from ${\mathbb{Z}}_m^n$ to ${\mathbb{Z}}^n$ in the interval from $-m/2$ to $m/2$ [28].

Theorem 1

([28]). Let G be a group, N be a normal subgroup of G, and ${\mathfrak{ϝ}}_N$ be the natural homomorphism from G to $G/N$, i.e., ${\mathfrak{ϝ}}_N\left(x\right)=xN$, $T_N$ be a transversal to N in G, i.e., $G={\displaystyle \bigcup _{t\in T_N}}tN$. For every $x\in G$, denote the unique element in $xN\cap T_N$ by $x{T}_N$, then the function

$$\rho T_n:G/N\to G,\rho T_N\left(xN\right)=x{T}_N$$

is well-defined.

Further, for every $t\in T_N$, $\rho T_N\circ {\mathfrak{ϝ}}_N\left(t\right)=t$.

Theorem 2

([28]). Let G be a group, N be a normal subgroup of G, $E\left(G\right)$ be the endomorphism monoid of G, $E(G/N)$ be the endomorphism monoid of $G/N$. Denote $E{\left(G\right)}_N=\{f\in E\left(G\right):f\left(N\right)\subseteq N\}$, then the function

$${\overline{\mathfrak{ϝ}}}_N:E{\left(G\right)}_N\to E(G/N),{\overline{\mathfrak{ϝ}}}_N\left(f\right)=\overline{f}$$

is a monoid homomorphism, where $\overline{f}\in E(G/N)$ is defined by $\overline{f}\left(xN\right)=f\left(x\right)N$.

Furthermore, let ${\mathfrak{ϝ}}_N$ be the natural homomorphism from G to $G/N$, i.e., ${\mathfrak{ϝ}}_N\left(x\right)=xN$, then for every $f\in E{\left(G\right)}_N$, ${\mathfrak{ϝ}}_N\circ f={\overline{\mathfrak{ϝ}}}_N\left(f\right)\circ {\mathfrak{ϝ}}_N$.

3.3. Poly-$\mathbb{Z}$ Group

Let X and Y betwo groups with group operations · and ∗ respectively, and $\varphi :Y\to Aut\left(X\right)$ be a group homomorphism. The semi-direct product $X{⋊}_{\varphi }Y$ of X and Y with respect to $\varphi$. As a set, $X{⋊}_{\varphi }Y$ is equal to $X\times Y$, but the group operation of $X{⋊}_{\varphi }Y$ is:

$$(x_1,y_1)★(x_2,y_2)=(x_1·\varphi \left(y_1\right)\left(x_2\right),y_1\ast y_2)$$

A group G is called polycyclic if it has a subnormal series with cyclic quotients [30,31]. The Hirsch length of a polycyclic group G is the number of factors in the subnormal series of G. Specially, a polycyclic group G is called poly-$\mathbb{Z}$ if G has a subnormal series with infinite cyclic quotients.

The Hirsch dimension of a polycyclic group G corresponds to the number of factors within its subnormal series. Specifically, a polycyclic group G is called poly-$\mathbb{Z}$ when it features a subnormal series composed of quotients that are infinitely cyclic [28]. A poly-$\mathbb{Z}$ group can be created by successive infinite cyclic extensions [32]. Namely, up to isomorphism, a poly-$\mathbb{Z}$ group with group operation ★ is equal to

$${\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}=\left(\left(\mathbb{Z}{⋊}_{{\varphi }_1}\mathbb{Z}\right){⋊}_{{\varphi }_2}\right){⋊}_{{\varphi }_n-1}\mathbb{Z}.$$

As a set, ${\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$ is equal to ${\mathbb{Z}}^n$. In other words, any element in ${\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$ can be written as an n-ary integer vector. Specifically, the identity element of ${\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$ is denoted by 0 = (0, …, 0). We use ${\mathit{e}}_{\mathit{i}}$ to denote the element in ${\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$ with a 1 in the i-th entry and 0’s elsewhere for $1\le i\le n$. For $\mathit{a}\in {\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$, let ${\mathit{a}}^{-1}$ denote the inverse of $\mathit{a}$. For $k\in \mathbb{Z}$ and $\mathit{a}\in {\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}$, the k-th power of $\mathit{a}$ is given by

$${\mathit{a}}^k=\left\{\begin{array}{cc}\underset{ktimes}{\underbrace{\mathit{a}★ ★\mathit{a}}}\hfill & \mathrm{k}>0\hfill \\ \mathbf{0}\hfill & \mathrm{k}=0\hfill \\ {\left({\mathit{a}}^{-1}\right)}^{-k}\hfill & \mathrm{k}<0\hfill \end{array}\right.$$

For $\mathit{x}\in {\mathbb{Z}}^{\{ph{i}_i:1\le i<n\}}$, $f\in E\left({\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}\right)$, we have

$$f\left(\mathit{x}\right)=f({\mathit{e}}_1^{x_1}★ ★{\mathit{e}}_n^{x_n})=f{\left({\mathit{e}}_1\right)}^{x_1}★ ★f{\left({\mathit{e}}_n\right)}^{x_n},$$

thus f is entirely determined by $f\left({\mathit{e}}_i\right)$, $1\le i\le n$. In other words, $f\in E\left({\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}\right)$ can be written as an $n\times n$ integer matrix [28].

Let n be a positive integer at least 3, and $G_n={\mathbb{Z}}^{n-1}{⋊}_{\varphi }\mathbb{Z}$, where $\varphi :\mathbb{Z}\to Aut\left({\mathbb{Z}}^{n-1}\right)$ is delineated by

$$\varphi \left(a\right)=\left(\begin{array}{cccc}1& 0& \dots & a\\ 0& 1& \dots & 0\\ ⋮& ⋮& \ddots & ⋮\\ 0& 0& \dots & 1\end{array}\right),a\in \mathbb{Z}.$$

$G_n$ is a special poly-$\mathbb{Z}$ group. The group operation of $G_n$ is given by

$$x★y=(x_1+y_1+x_n{y}_{n-1},x_2+y_2,\dots ,x_n+y_n),$$

(3)

and $G_n\simeq {\mathbb{Z}}^{n-3}\times$, where $\mathcal{H}$ is the discrete Heisenberg group [28,33].

Theorem 3

([1]). For $f\in E\left(G_n\right)$ with $f\left({\mathit{e}}_1\right)\ne 0$, there must have

$$\left\{\begin{array}{c}{f}_{11}=f_{(n-1)(n-1)}{f}_{nn}-f_{(n-1)(n-1)}{f}_{n(n-1)},\hfill \\ f_{1k}=0\hfill & 2\le k\le n,\hfill \\ f_{k(n-1)}=f_{kn}=0\hfill & 2\le k\le n-2\hfill \end{array}\right.$$

Subsequently, the endomorphism f of $G_n$ with $f\left({\mathit{e}}_1\right)\ne 0$ can be written as the matrix with the form in Equation (4).

$$\left(\begin{array}{c}{f}_{11}\\ ine{f}_{21}\\ f_{31}\\ ⋮\\ f_{(n-2)1}\\ ine{f}_{(n-1)1}\\ f_{n1}\end{array}\left|\begin{array}{c}0\\ f_{22}\\ f_{32}\\ ⋮\\ f_{(n-2)2}\\ f_{(n-1)2}\\ f_{n2}\end{array}\begin{array}{c}0\\ f_{23}\\ f_{33}\\ ⋮\\ f_{(n-2)3}\\ f_{(n-1)3}\\ f_{n3}\end{array}\begin{array}{c}\dots \\ \dots \\ \dots \\ \ddots \\ \dots \\ \dots \\ \dots \end{array}\begin{array}{c}0\\ f_{2(n-2)}\\ f_{3(n-2)}\\ ⋮\\ f_{(n-2)(n-2)}\\ f_{(n-1)(n-2)}\\ f_{n(n-2)}\end{array}\right|\begin{array}{c}0\\ 0\\ 0\\ ⋮\\ 0\\ f_{(n-1)(n-1)}\\ f_{n(n-1)}\end{array}\begin{array}{c}0\\ 0\\ 0\\ ⋮\\ 0\\ f_{(n-1)n}\\ f_{nn}\end{array}\right)$$

(4)

Denote $E_1\left(G_n\right)=\{f\in G_n:f\left({\mathit{e}}_1\right)\ne 0\}$. Give the image of an element in $G_n$ under an element in $E_1\left(G_n\right)$, and the operation of two elements in $E_1\left(G_n\right)$ in the following.

For $\mathit{x}\in G_n$ and $f\in E\left(G_n\right)$ with $f\left({\mathit{e}}_1\right)\ne \mathbf{0}$, if $\mathit{y}=f\left(\mathit{x}\right)$, then

$$y_i={\delta }_i+\sum _{k=1}^n{x}_k{f}_{ki},$$

(5)

where ${\delta }_i=0$ for $2\le i\le n$ and

$$\begin{array}{cc}\hfill {\delta }_1& =\frac{x_{n-1}(x_{n-1}-1)}{2}{f}_{(n-1)(n-1)}{f}_{(n-1)n}\hfill \\ \hfill & +\frac{x_n(x_n-1)}{2}{f}_{n(n-1)}{f}_{nn}\hfill \\ \hfill & +x_{n-1}{x}_n{f}_{(n-1)n}{f}_{n(n-1)}\hfill \end{array}$$

For $f\in E\left(G_n\right)$ with $f\left({\mathit{e}}_1\right)\ne \mathbf{0}$, $g\in E\left(G_n\right)$ with $g\left({\mathit{e}}_1\right)\ne \mathbf{0}$, if $h=f\circ g$, then

$$h_{ij}={\delta }_{ij}+\sum _{k=1}^n{g}_{ik}{f}_{kj},$$

(6)

where ${\delta }_{ij}=0$ for $i\ne n-1,n.$ $j\ne 1$, and

$$\begin{array}{cc}\hfill {\delta }_{i1}& =\frac{g_{i(n-1)}(g_{i(n-1)}-1)}{2}{f}_{(n-1)(n-1)}f(n-1)n\hfill \\ \hfill & +\frac{g_{in}(g_{in}-1)}{2}{f}_{n(n-1)}{f}_{nn}\hfill \\ \hfill & +g_i(n-1)g_{in}{f}_{(n-1)n}{f}_{n(n-1)}\hfill \end{array}$$

For $i=n-1,n$; particularly, if $h=id$, i.e., g is the inverse of f, we have Equation (7), and $g_{11}=f_{11}^{-1}$ and $g_{i1}=f_{11}^{-1}({\delta }_{i}1+{\sum }_{i=2}^n{g}_{ik}{f}_{k1})$ for $2\le i\le n$ [28].

$$\left(\begin{array}{ccc}{g}_{22}& \dots & g_{2n}\\ ⋮& \ddots & ⋮\\ g_{n2}& \dots & g_{nn}\end{array}\right)={\left(\begin{array}{ccc}{f}_{22}& \dots & f2n\\ ⋮& \ddots & ⋮\\ f_{n2}& \dots & f_{nn}\end{array}\right)}^{-1}$$

(7)

Theorem 4

([28]). Let the function ${\mathfrak{ϝ}}_m$ from the poly-$\mathbb{Z}$ group $G_n$ to the set ${\mathbb{Z}}_m^n$ is defined by

$${\mathfrak{ϝ}}_m\left((x_1,\dots ,x_n)\right)\to (x_{1}modm,\dots ,x_{n}modm),$$

(8)

then ${\mathfrak{ϝ}}_m$ is a group homomorphism.

Theorem 5

([28]). For $f\in E_1\left(G_n\right)$, if m is odd, then $f\left(ker{\mathfrak{ϝ}}_m\right)\subseteq ker{\mathfrak{ϝ}}_m$.

4. An NTRU-like Message Recoverable Signature Algorithm

In this section, this paper uses GTRU [28] to extend the NTRU encryption algorithm to general groups and constructs the poly-$\mathbb{Z}$ group [14] by an infinite cyclic of successive extensions.

The signature of NR-GRTU is shown in Figure 1, where the signer uses the private key to sign the message M and sends the signature information to the verifier, who uses the public key to verify the correctness of the signature and recover the original message.

Given a group G, a normal subgroup N of G, and a transversal $T_N$ to N in G, let ${\mathfrak{ϝ}}_N$, $\rho T_N$ and ${\overline{\mathfrak{ϝ}}}_N$ be as depicted in Theorems 1 and 2, i.e.,

$$\begin{array}{cc}\hfill & {\mathfrak{ϝ}}_N:G\to G/N,{\mathfrak{ϝ}}_P\left(g\right)=gP,\hfill \\ \hfill & \rho T_N:G/N\to G,\rho T_N\left(gN\right)=g{T}_N\in gN\cap T_N,\hfill \\ \hfill & {\overline{\mathfrak{ϝ}}}_N:E{\left(G\right)}_N\to E(G/N),{\overline{\mathfrak{ϝ}}}_N\left(f\right)\left(gN\right)=f\left(g\right)N.\hfill \end{array}$$

An NTRU-Like Message Recoverable Signature Algorithm proposed in this paper is shown below.

4.1. Parameters

N: Number, coefficients of the polynomial

p: Small modulus to reduce the coefficient

q: Large modulus to reduce the coefficient

G: Group

P: A normal subgroup of the group G.

Q: A normal subgroup of the group G.

$E\left(G\right)$: The endomorphism group of G

${\mathcal{L}}_f,{\mathcal{L}}_g,{\mathcal{L}}_u,{\mathcal{L}}_v$: Subgroups of $E\left(G\right)$

${\mathcal{L}}_m,{\mathcal{L}}_r,{\mathcal{L}}_k$: Subgroups of G

4.2. Key Generation

• Choose $f\in {\mathcal{L}}_f$ and $g\in {\mathcal{L}}_g$ and there exist $f_P$, $f_Q$, and $g_Q$ satisfying the

  $${\overline{\mathfrak{ϝ}}}_P(f\circ f_P)\circ {\mathfrak{ϝ}}_P={\mathfrak{ϝ}}_P,$$

  $${\overline{\mathfrak{ϝ}}}_Q(f\circ f_Q)\circ {\mathfrak{ϝ}}_Q={\mathfrak{ϝ}}_Q,$$

  $${\overline{\mathfrak{ϝ}}}_Q(g\circ g_Q)\circ {\mathfrak{ϝ}}_Q={\mathfrak{ϝ}}_Q.$$
  In some cases, $f,g$ has no corresponding $f_P,f_Q,g_Q$, in which case the other polynomials $f\in {\mathcal{L}}_f$ and $g\in {\mathcal{L}}_g$ must be re-selected.
• Choose $U\in {\mathcal{L}}_u$ and $v\in {\mathcal{L}}_v$, let $u=E★pU$ (where E is the identity matrix), and satisfy

  $${\overline{\mathfrak{ϝ}}}_Q(u\circ u_Q)\circ {\mathfrak{ϝ}}_Q={\mathfrak{ϝ}}_Q$$
• Calculates h and l

  $$h={\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q),$$

  $$l={\overline{\mathfrak{ϝ}}}_Q(u_Q\circ v).$$
• The private key of A is $(f,g)$ and the public key of A is h; The private key of B is u and the public key of B is l.

4.3. Signature

• A randomly selected $m\in {\mathcal{L}}_m,r\in {\mathcal{L}}_r$.
• Based on Equation (3), A uses the public key l of B to calculate c

  $$c={\mathfrak{ϝ}}_Q\left(m\right)★pl\circ {\mathfrak{ϝ}}_Q\left(r\right).$$
• A calculates

  $$H(h,c)=(s_p,t_p).$$
• A randomly selected $k\in {\mathcal{L}}_k$.
• A calculates $s_0$ and $t_0$

  $$s_0=s_p★k,$$

  $$t_0=h\circ {\mathfrak{ϝ}}_Q\left(s_0\right).$$
• A calculates

  $$a=g_P\circ {\mathfrak{ϝ}}_P\left(t_p\right)\circ {\mathfrak{ϝ}}_P(-t_0).$$
• A calculates s and t

  $$s=s_0★f\circ a,$$

  $$t=t_0★g\circ a.$$
• A sends $(c,(s,t\left)\right)$ to B.

4.4. Verification

• B calculates $t=h\circ {\mathfrak{ϝ}}_Q\left(s\right)$, verifies equality, and rejects otherwise.
• B calculates

  $$H(h,c)=(s_p,t_p).$$
• B verifies that $(s,t)=(s_p,t_p)modp$, otherwise reject.
• B restores message m

  $$z=u\circ {\mathfrak{ϝ}}_Q\left(c\right),$$

  $$z=m\left(modp\right).$$

Theorem 6.

H (h, c) is based on polynomial groups for a special kind of computation, and in the aforementioned mathematics, this paper explains how to construct this signature scheme using a non-abelian poly-$\mathbb{Z}$ group, whose $f\in E\left({\mathbb{Z}}^{\{{\varphi }_i:1\le i<n\}}\right)$ can be represented as a matrix of $n\times n$. Through this property, this paper is designed as $H(h,c)=(s_p,t_p)$, where $s_p,t_p$ represent the symbolic and numerical matrices of the $h★c$ result, respectively.

Proof of Verification 1.

$$\begin{array}{cc}\hfill t& =h\circ {\mathfrak{ϝ}}_Q\left(s\right)\hfill \\ \hfill & =h\circ {\mathfrak{ϝ}}_Q(s_0★f\circ a)\hfill \\ \hfill & =h\circ {\mathfrak{ϝ}}_Q\left(s_0\right)★h\circ {\mathfrak{ϝ}}_Q(f\circ a)\hfill \\ \hfill & =t_0★h\circ {\mathfrak{ϝ}}_Q(f\circ a)\hfill \\ \hfill & =t_0★{\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q)\circ {\mathfrak{ϝ}}_Q(f\circ a),\hfill \end{array}$$

among them

$$\begin{array}{cc}\hfill {\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q)\circ {\mathfrak{ϝ}}_Q(f\circ a)& ={\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q)\circ {\overline{\mathfrak{ϝ}}}_Q(f\circ a)\circ {\mathfrak{ϝ}}_Q\hfill \\ \hfill & ={\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q\circ f\circ a)\circ {\mathfrak{ϝ}}_Q\hfill \\ \hfill & ={\overline{\mathfrak{ϝ}}}_Q(g\circ a)\circ {\mathfrak{ϝ}}_Q\hfill \\ \hfill & =g\circ a,\hfill \end{array}$$

so it can be inferred

$$\begin{array}{cc}\hfill t& =t_0★{\overline{\mathfrak{ϝ}}}_Q(g\circ f_Q)\circ {\mathfrak{ϝ}}_Q(f\circ a)\hfill \\ \hfill & =t_0★g\circ a\hfill \end{array}$$

□

Proof of Verification 4.

$$\begin{array}{cc}\hfill z& =u\circ {\mathfrak{ϝ}}_Q\left(c\right)\hfill \\ \hfill & =u\circ {\mathfrak{ϝ}}_Q({\mathfrak{ϝ}}_Q\left(m\right)★pl\circ {\mathfrak{ϝ}}_Q\left(r\right))\hfill \\ \hfill & =\underset{E★pU}{\underbrace{u}}\circ {\mathfrak{ϝ}}_Q\left(m\right)★u\circ {\mathfrak{ϝ}}_Q(pl\circ {\mathfrak{ϝ}}_Q\left(r\right)),\hfill \end{array}$$

thus taking the model p for z gives:

$$z=m\left(modp\right).$$

□

An example of NR-GTRU signature verification is given in Appendix A.

5. Performance Analysis

In this section, this paper discusses the efficiency analysis of the NR-GTRU signature algorithm and the NR-NTRU [34] signature algorithm.

5.1. Parameter

In NR-NTRU and NR-GTRU, it is mostly recommended that $p=3$ and a prime number q is chosen to ensure security, and the value of q is guaranteed to be sufficiently large, and here in this paper, $q=1009$ is chosen.

Since the operation of NR-GTRU is based on polynomial groups while NR-NTRU is based on normal polynomials, if the same N is chosen, the computational complexity of NR-GTRU will be N times higher than that of NR-NTRU. Therefore, for performance analysis, this paper sets NR-GTRU to take $N=17$ and NR-NTRU to take $N=293$ as a way to ensure that their arithmetic storage is at the same level.

5.2. Key Generation

Compared to NR-NTRU, NR-GTRU requires more computation in key generation because it uses polynomial groups instead of a single polynomial. In addition, NR-GTRU imposes strict requirements on the format of the polynomial group. Therefore, the NR-GTRU proposed in this paper is slower in generating the key compared to NR-NTRU. However, considering that the key needs to be generated only once, a slightly slower key generation speed is acceptable.

5.3. Signature and Verification

Compared to NR-NTRU, the NR-GTRU signature algorithm does not make use of norm constraints to restrict its corresponding polynomial group. Due to the unique arithmetic algorithm and polynomial group of NR-GTRU, it necessarily requires more computations to obtain the corresponding results.

5.4. Analysis

According to the proposed parameters, we implement the comparison of NR-GTRU and NR-NTRU in the following environment: Intel (R) Core (TM) i7-7700 CPU @3.60 GHz, 8GB RAM, Windows 10 operating system. For NR-GTRU and NR-NTRU, we performed Key Generation, Signature, and Verification 1000 times, respectively, and listed the average time for one signature verification in

Table 1. This is a comparison between NR-GTRU and NR-NTRU.

	NR-GTRU	NR-NTRU
Parameter N	17	293
Parameter p	3	3
Parameter q	1009	1009
key (bit)	$2^{12}$	$2^{12}$
Key Generation (ms)	58.3568	37.9395
Signature (ms)	10.3836	9.4576
Verification (ms)	7.5134	6.4936

.

Table 1 demonstrates the efficiency comparison between NR-GTRU and NR-NTRU. From the table, it can be seen that in the key generation phase, NR-GTRU is much slower compared to NR-NTRU. And in the signature verification phase, the time taken by NR-NTRU is almost 1.1 times the time taken by NR-NTRU. In the verification signature phase, NR-NTRU is also slightly slower than NR-NTRU than NR-NTRU.

The performance analysis of NR-GTRU, NR-NTRU and NTRU is given in

Table 2. Comparison among signature algorithms.NR-NTRU [34], NTRUsign [18] and our scheme.

	Message Recovery	Key Size	Operation Speed	Algorithms
NTRUsign [18]	No	Medium	Fast	NTRU
NR-NTRU [34]	No	Medium	Slower than NTRU	NTRU
NR-GTRU	Yes	Large	Slower than NR-NTRU	GTRU

.

6. Security Analysis

In this section, the paper continues with a discussion of NR-GTRU security.

In contrast to traditional signature verification methods, NR-GTRU sends an encrypted form of the message rather than a summary of the message. When an attacker intercepts the output of $(c,(s,t\left)\right)$, they get the ciphertext (i.e., the output of c). In this case, the attacker may attack the proposed signature algorithm as an encryption algorithm only [34].

6.1. Brute Force Attacks

An attacker can try to perform a brute force attack on the NR-GTRU digital signature algorithm, which involves testing all possible private key values until the correct one is found. However, in the case of NR-GTRU, since it uses a large key space, it is usually impractical to find the right key through multiple attempts.

6.2. Lattice-Based Attacks

The security of the message is related to the difficulty of finding the shortest vector, while the security of the key is related to the difficulty of the shortest vector problem. Lattice basis reduction algorithms, especially the LLL (Lenstra-Lenstra-Lovász) algorithm [35], are the main means of attacking NTRU cryptosystems.

To explore the security of GTRUs constructed from poly-$\mathbb{Z}$ groups against lattice-based attacks, Shuai Li et al. [28] generalised the shortest vector problem on NTRU lattices. In their work, the shortest vector problem was generalised to poly-$\mathbb{Z}$ groups. In the poly-$\mathbb{Z}$ group G, the shortest vector problem is defined as follows: given a matrix f of $n\times n$ and a norm N, where f equates to a one-to-one endomorphism of the group G, a non-zero vector v must be found in the lattice $L=\left\{f\right(x):x\in G\}$ such that $N\left(v\right)=\underset{x\in L/\left\{0\right\}}{min}N\left(x\right)$.

It can be shown that the shortest vector problem for the ordinary additive group ${\mathbb{Z}}^n$ is actually the original shortest vector problem. Therefore, the shortest vector problem for the poly-$\mathbb{Z}$ group serves as a generalisation of the original shortest vector problem and is at least as hard as the original problem.

6.3. Forgery and Key Recovery Attacks

Forgery attacks are the most conventional attacks on signature algorithms. For lattice-based signature algorithms, if an attacker attempts a forgery attack, they have to solve the problem of finding the approximate closest vector in the corresponding lattice [36,37], which is a known hard problem. Furthermore, the study by Hoffstein et al. [37] analyses this type of attack based on lattice bases and explores its security. Therefore, considering these factors, the signature algorithm proposed in this topic is also able to defend against this type of attack.

7. Advantages and Challenges

NR-GTRU has multiple advantages in terms of its applicability in IoT environments and can effectively ensure its security.

• Against quantum attacks: The traditional signature algorithm is primarily implemented by using algorithms such as RSA, DSA and finite field cryptography. However, all these schemes are practically inadequate against quantum attacks [38]. The NR-GTRU signature algorithm is implemented on top of the GTRU encryption algorithm, and the security of GTRU is associated with the difficult problem of SVP for lattice cryptography, so it is reasonable to believe that the NR-GTRU signature algorithm can be well protected against quantum attacks.
• Faster execution time: Although NR-GTRU loses some of its efficiency when compared to the traditional NTRU signature algorithm, it is still more efficient than the traditional RSA signature algorithm and the Elliptic Curve Digital Signature Algorithm (ECDSA).

However, there are still some issues that need to be effectively addressed in practical applications:

• Computation cost: Due to the large number of matrix operations used in NR-GTRU and the resource constrained IoT devices, which usually have low processing power, limited memory and low computational power, this definitely increases the computational cost in IoT devices.
• Appropriate parameters selection: NR-GTRU has certain parameter requirements and it is a difficult task to select the appropriate parameters and mathematical functions for a particular application.
• Communication cost: NR-GTRU is a lattice-based signature algorithm that is more efficient and secure than traditional encryption and signature algorithms, but this also results in more communication bits to be processed.
• Side channel attacks: Digital signature algorithms based on lattice cryptography theory can operate securely in a quantum environment, but in practice, they still face the threat of side-channel attacks such as energy analysis attacks and timing attacks.

8. Conclusions

With the widespread adoption of IoT in smart infrastructures, security and privacy have become major challenges in the last few years. Traditional signature algorithms cannot effectively address the security challenges in IoT environments as they are not resistant to quantum attacks.The paper presents an algorithm that constructs a lightweight high-performance Group-Based Message Recoverable Signature Algorithm (NR-GTRU) signature algorithm for IoT applications. It uses a combination of Group-Based NTRU-Like Public-Key Cryptosystem (GTRU) and efficient Nyberg-Rueppel type of NTRU digital signature algorithm (NR-GTRU). The developed algorithm is a quantum attack-resistant algorithm and performs well as compared to traditional algorithms, except the efficiency. However, the practical application of NR-GTRU in IoT still has certain drawbacks that need to be addressed, such as computation cost, communication cost, and side channel attacks are all issues that need to be considered, and in the future, we will continue to improve the usability of the scheme and investigate the specific application scenarios of the scheme.