PKC’14 - Buenos Aires, March 28, 2014

Generalizing Homomorphic MACs for Arithmetic Circuits

Dario Catalano

Università di Catania Italy

Dario Fiore

IMDEA Software Institute Spain

Rosario Gennaro

CUNY USA !

LucaUniversità di Milano-Bicocca

Italy *work done while visiting CUNY

Nizzardo*

Outline¨Motivation ¨Homomorphic MACs

¤ Definition ¤ Previous work

¨Our results ¨Summary & Open problems

!2

Delegating Computations on Outsourced Data

v1, v2, …, vn v1v2

vn

…

!3

Delegating Computations on Outsourced Data

“Compute P”v1, v2, …, vn v1v2

vn

…

!3

Delegating Computations on Outsourced Data

“Compute P”

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…

!3

Question:

Delegating Computations on Outsourced Data

“Compute P”

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…

!3

¨ How can the client be sure that P is executed on the company’s data?

Question:

Delegating Computations on Outsourced Data

“Compute P”

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…

!3

¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.

v1, v2, …, vn

Question:

Delegating Computations on Outsourced Data

“Compute P”

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…

!3

¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.

TOO INEFFICIENT

v1, v2, …, vn

Question:

Main Goals

Delegating Computations on Outsourced Data

“Compute P”

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…¨ Integrity Untrusted cloud must notbe able to send incorrect y

¨ EfficiencyClient’s communication and storage must be minimized

!3

¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.

TOO INEFFICIENT

Main Goals

An approach to solve the problem: Homomorphic Message Authenticators [GW13]

“Compute P“

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…¨ Integrity Untrusted cloud must notbe able to send incorrect y

¨ EfficiencyClient’s communication and storage must be minimized

!4

sksk

Main Goals

An approach to solve the problem: Homomorphic Message Authenticators [GW13]

“Compute P“

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…¨ Integrity Untrusted cloud must notbe able to send incorrect y

¨ EfficiencyClient’s communication and storage must be minimized

!4

proves that “y is the output of P on authenticated data”

sksk

Main Goals

An approach to solve the problem: Homomorphic Message Authenticators [GW13]

“Compute P“

y

y = P(v1,…,vk)v1, v2, …, vn v1v2

vn

…¨ Integrity Untrusted cloud must notbe able to send incorrect y

¨ EfficiencyClient’s communication and storage must be minimized

!4

✓ ✓Cloud cannot forge MACs. | | << size of k input values.

proves that “y is the output of P on authenticated data”

sksk

Homomorphic MACs & Labeled Programs!5

[GW13]

Homomorphic MACs & Labeled Programs!5

¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek

[GW13]

Homomorphic MACs & Labeled Programs!5

¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ

• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3

rd, 2012, Google stock price”

$ 668.28 ~ “Jan, 4th, 2012, Google stock price”

$ 659.01 ~ “Jan, 5th, 2012, Google stock price”

... ...

Auth

τv

σ

sk

[GW13]

Homomorphic MACs & Labeled Programs!5

¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ

• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3

rd, 2012, Google stock price”

$ 668.28 ~ “Jan, 4th, 2012, Google stock price”

$ 659.01 ~ “Jan, 5th, 2012, Google stock price”

... ...

¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi

+ x x

++

τ1 τ2 τ3

x

Auth

τv

σ

sk

P

[GW13]

Homomorphic MACs & Labeled Programs!5

¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ

• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3

rd, 2012, Google stock price”

$ 668.28 ~ “Jan, 4th, 2012, Google stock price”

$ 659.01 ~ “Jan, 5th, 2012, Google stock price”

... ...

¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi

¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn

+ x x

++

τ1 τ2 τ3

x

Auth

τv

σ

sk

P

[GW13]

Homomorphic MACs & Labeled Programs!5

¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ

• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3

rd, 2012, Google stock price”

$ 668.28 ~ “Jan, 4th, 2012, Google stock price”

$ 659.01 ~ “Jan, 5th, 2012, Google stock price”

... ...

¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi

¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn

+ x x

++

τ1 τ2 τ3

x

Auth

τv

σ

sk

P

[GW13]

Properties of Homomorphic MACs

¨Security: …in 2 slides ¨Succinctness: size of tags (returned by Eval) does not depend on the number of inputs of the computation

¨Composition: authenticated outputs can be further used as inputs to other circuits

!6

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

(v1,σ1) (v2,σ2)

(v1 x v2, σx)

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

(v1,σ1) (v2,σ2)

(v1 x v2, σx)

+ x x

++

xf’

τ3 τ4

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

(v1,σ1) (v2,σ2)

(v1 x v2, σx) (v3,σ3) (v4,σ4)

+ x x

++

xf’

τ3 τ4

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

(v1,σ1) (v2,σ2)

(v1 x v2, σx) (v3,σ3) (v4,σ4)

(f(v1,v2,v3,v4), σf )

+ x x

++

xf’ f = x o f’

τ3 τ4

Composition

¨At gate level: for every pair of authenticated inputs, obtain an authenticated output

!7

xτ2τ1

(v1,σ1) (v2,σ2)

(v1 x v2, σx) (v3,σ3) (v4,σ4)

(f(v1,v2,v3,v4), σf )

Very useful property if one wants to merge partially authenticated computations, e.g., for parallelization (MapReduce)

+ x x

++

xf’ f = x o f’

τ3 τ4

Security!8

sk

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Security!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Security!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

b=Ver(sk,P,v,σ)

P,v,σ

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Security!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

b=Ver(sk,P,v,σ)

P,v,σ

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Each τi can be queried only once

Security

¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and

!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

b=Ver(sk,P,v,σ)

P,v,σ

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Each τi can be queried only once

Security

¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f

!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

b=Ver(sk,P,v,σ)

P,v,σ

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Each τi can be queried only once

Security

¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f

¤Type-2: all labels have been queried and v*≠f(v1,…,vn)

!8

sk

σi=Auth(sk,τi,vi)

τi ,vi

b=Ver(sk,P,v,σ)

P,v,σ

Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC

ek

Each τi can be queried only once

Realizations: Previous Work!9

Realizations: Previous Work!9

¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]

¨Beyond linear: only one scheme [BF11] for constant-degree polynomials

Realizations: Previous Work!9

¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]

¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):

Realizations: Previous Work!9

Assumption Security Computations Size of tags Comp.

[GW13] FHE no verif. queries Arbitrary O(1) ✔

¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]

¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):

Realizations: Previous Work!9

Assumption Security Computations Size of tags Comp.

[GW13] FHE no verif. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]

¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):

Realizations: Previous Work!9

Assumption Security Computations Size of tags Comp.

[GW13] FHE no verif. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

[CF13] (2) d-DHI fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]

¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):

Our Results!10

Assumption Security Computations Size of tags Comp.

[GW13] FHE no ver. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

[CF13] (2) d-DHI fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This workEncoding w/

limited malleability

fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This work!

(D,k)-MDHI on multilinear

mapsfull degree-(D+k)

arithmetic circuits ✔ (k)O(k2)

Our Results!10

Assumption Security Computations Size of tags Comp.

[GW13] FHE no ver. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

[CF13] (2) d-DHI fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This workEncoding w/

limited malleability

fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This work!

(D,k)-MDHI on multilinear

mapsfull degree-(D+k)

arithmetic circuits ✔ (k)

Basic idea: additively homomorphic but not multiplicative homomorphic (similar to [BCIOP13]). Possible instantiations: Paillier, BV11.

O(k2)

Our Results!10

Assumption Security Computations Size of tags Comp.

[GW13] FHE no ver. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

[CF13] (2) d-DHI fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This workEncoding w/

limited malleability

fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This work!

(D,k)-MDHI on multilinear

mapsfull degree-(D+k)

arithmetic circuits ✔ (k)

We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k.

O(k2)

Our Results!10

Assumption Security Computations Size of tags Comp.

[GW13] FHE no ver. queries Arbitrary O(1) ✔

[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔

[CF13] (2) d-DHI fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This workEncoding w/

limited malleability

fulldegree-D arithmetic

circuits for D=poly(k)

O(1) ✘

This work!

(D,k)-MDHI on multilinear

mapsfull degree-(D+k)

arithmetic circuits ✔ (k)

We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k. This Talk

O(k2)

Graded k-Linear maps

¨Gen(1λ, k) generates k groups of prime order p

G1, G2, …, Gk

¨with a collection of bilinear maps

eij: Gi × Gj→Gi+j : eij(gia, gjb)=gi+jab

¨Notation: g∈G1 , gi=e(g,…, g) i times ¨“Approximate” realizations via graded encodings [GGH13, CLT13]

!11

Our Homomorphic MAC!12

Our Homomorphic MAC¨KeyGen(1λ, D, k):

¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g

x^i, g

ax^i, for i=1…D

¤Sample a seed K of a PRF FK: {0,1}*→Zp

¤sk=(K, g, x, a), ek=(ga, {gx^i,g

ax^i}i )

!12

Our Homomorphic MAC¨KeyGen(1λ, D, k):

¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g

x^i, g

ax^i, for i=1…D

¤Sample a seed K of a PRF FK: {0,1}*→Zp

¤sk=(K, g, x, a), ek=(ga, {gx^i,g

ax^i}i )

¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)

!12

Our Homomorphic MAC¨KeyGen(1λ, D, k):

¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g

x^i, g

ax^i, for i=1…D

¤Sample a seed K of a PRF FK: {0,1}*→Zp

¤sk=(K, g, x, a), ek=(ga, {gx^i,g

ax^i}i )

¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)

¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D

!12

Our Homomorphic MAC¨KeyGen(1λ, D, k):

¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g

x^i, g

ax^i, for i=1…D

¤Sample a seed K of a PRF FK: {0,1}*→Zp

¤sk=(K, g, x, a), ek=(ga, {gx^i,g

ax^i}i )

¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)

¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D

¨Compress(ek, y(X)): Λ← ∏di=1 (gx^i)yi = gy(x)-y(0)

¤ Similarly, compute Γ←ga[y(x)-y(0)]=Λa. Output σ=(y(0), Λ, Γ )

!12

Our Homomorphic MAC cont’d!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]

¨Correctness

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]

¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r

!13

Our Homomorphic MAC cont’d

¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)

¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,

Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2

e(ga,Λ2)

v1 = g2a[y(x) - v]

Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2

e(ga,Γ2)

v1 = g2a2[y(x) - v]

¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k

¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]

¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r

¤ Homomorphic properties of the graded maps

!13

Result¨Security under the (D, k)-MDHI assumption

¤Given (g, gx, …, gx^D) in G1, hard to compute gkx^(Dk+1)

in Gk ¤It can be shown hard in the generic multilinear group model, by extending the Uber assumption of [BBG05]

¨Theorem. If the (D,k)-MDHI assumption holds and F is a PRF, then the scheme is a secure homomorphic MAC with tags of size O(k2) and supports arithmetic circuits of degree ≤D and composition circuits of degree ≤k.

!14

Comparison to other approaches

¨Another approach to solve the problem is to leverage SNARKs ¤The homomorphic signature is a SNARK proof about the existence of valid signatures on the inputs

¨However, by following this approach: ¤composition is achieved via recursive composition of proofs (proofs about validity of other proofs) [BCCT13]

¤function independence achieved via universal circuits ¨Overall, less natural approach and likely to require non-falsifiable (knowledge) assumptions [GW11]

¨ In contrast, our solutions can be based on falsifiable assumptions

!15

Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes

¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition

¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?

¤ How about Fully-Homomorphic Signatures?

!16

Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes

¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition

¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?

¤ How about Fully-Homomorphic Signatures?

!16

Interesting observation: if we assume ideal compact k-linear maps with k<p exponential, our scheme is homomorphic for all circuits of bounded depth and secure against unbounded verification queries.

Thanks