Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09,...
Transcript of Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09,...
PKC’14 - Buenos Aires, March 28, 2014
Generalizing Homomorphic MACs for Arithmetic Circuits
Dario Catalano
Università di Catania Italy
Dario Fiore
IMDEA Software Institute Spain
Rosario Gennaro
CUNY USA !
LucaUniversità di Milano-Bicocca
Italy *work done while visiting CUNY
Nizzardo*
Outline¨Motivation ¨Homomorphic MACs
¤ Definition ¤ Previous work
¨Our results ¨Summary & Open problems
!2
Delegating Computations on Outsourced Data
v1, v2, …, vn v1v2
vn
…
!3
Delegating Computations on Outsourced Data
“Compute P”v1, v2, …, vn v1v2
vn
…
!3
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
v1, v2, …, vn
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
TOO INEFFICIENT
v1, v2, …, vn
Question:
Main Goals
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
TOO INEFFICIENT
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
sksk
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
proves that “y is the output of P on authenticated data”
sksk
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
✓ ✓Cloud cannot forge MACs. | | << size of k input values.
proves that “y is the output of P on authenticated data”
sksk
Homomorphic MACs & Labeled Programs!5
[GW13]
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek
[GW13]
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
Auth
τv
σ
sk
[GW13]
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
Properties of Homomorphic MACs
¨Security: …in 2 slides ¨Succinctness: size of tags (returned by Eval) does not depend on the number of inputs of the computation
¨Composition: authenticated outputs can be further used as inputs to other circuits
!6
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx)
+ x x
++
xf’
τ3 τ4
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
+ x x
++
xf’
τ3 τ4
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
(f(v1,v2,v3,v4), σf )
+ x x
++
xf’ f = x o f’
τ3 τ4
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
(f(v1,v2,v3,v4), σf )
Very useful property if one wants to merge partially authenticated computations, e.g., for parallelization (MapReduce)
+ x x
++
xf’ f = x o f’
τ3 τ4
Security!8
sk
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f
¤Type-2: all labels have been queried and v*≠f(v1,…,vn)
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
Realizations: Previous Work!9
Realizations: Previous Work!9
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials
Realizations: Previous Work!9
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)O(k2)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
Basic idea: additively homomorphic but not multiplicative homomorphic (similar to [BCIOP13]). Possible instantiations: Paillier, BV11.
O(k2)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k.
O(k2)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k. This Talk
O(k2)
Graded k-Linear maps
¨Gen(1λ, k) generates k groups of prime order p
G1, G2, …, Gk
¨with a collection of bilinear maps
eij: Gi × Gj→Gi+j : eij(gia, gjb)=gi+jab
¨Notation: g∈G1 , gi=e(g,…, g) i times ¨“Approximate” realizations via graded encodings [GGH13, CLT13]
!11
Our Homomorphic MAC!12
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
!12
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
!12
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D
!12
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D
¨Compress(ek, y(X)): Λ← ∏di=1 (gx^i)yi = gy(x)-y(0)
¤ Similarly, compute Γ←ga[y(x)-y(0)]=Λa. Output σ=(y(0), Λ, Γ )
!12
Our Homomorphic MAC cont’d!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r
!13
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r
¤ Homomorphic properties of the graded maps
!13
Result¨Security under the (D, k)-MDHI assumption
¤Given (g, gx, …, gx^D) in G1, hard to compute gkx^(Dk+1)
in Gk ¤It can be shown hard in the generic multilinear group model, by extending the Uber assumption of [BBG05]
¨Theorem. If the (D,k)-MDHI assumption holds and F is a PRF, then the scheme is a secure homomorphic MAC with tags of size O(k2) and supports arithmetic circuits of degree ≤D and composition circuits of degree ≤k.
!14
Comparison to other approaches
¨Another approach to solve the problem is to leverage SNARKs ¤The homomorphic signature is a SNARK proof about the existence of valid signatures on the inputs
¨However, by following this approach: ¤composition is achieved via recursive composition of proofs (proofs about validity of other proofs) [BCCT13]
¤function independence achieved via universal circuits ¨Overall, less natural approach and likely to require non-falsifiable (knowledge) assumptions [GW11]
¨ In contrast, our solutions can be based on falsifiable assumptions
!15
Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes
¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition
¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?
¤ How about Fully-Homomorphic Signatures?
!16
Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes
¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition
¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?
¤ How about Fully-Homomorphic Signatures?
!16
Interesting observation: if we assume ideal compact k-linear maps with k<p exponential, our scheme is homomorphic for all circuits of bounded depth and secure against unbounded verification queries.
Thanks