Generalizing Homomorphic MACs for Arithmetic Circuits (PowerPoint presentation transcript)

Slide 1: Generalizing Homomorphic MACs for Arithmetic Circuits

PKC’14 - Buenos Aires, March 28, 2014

Dario Catalano, Università di Catania, Italy
Dario Fiore, IMDEA Software Institute, Spain
Rosario Gennaro, CUNY, USA
Luca Nizzardo*, Università di Milano-Bicocca, Italy
*work done while visiting CUNY

Slide 2: Outline

• Motivation
• Homomorphic MACs
  ◦ Definition
  ◦ Previous work
• Our results
• Summary & Open problems

Slides 3-9: Delegating Computations on Outsourced Data

[Figure: a company stores its data v1, v2, …, vn in the cloud; the client sends “Compute P” and receives y = P(v1,…,vk)]

Question:
• How can the client be sure that P is executed on the company’s data?
• Trivial solution: the cloud sends all the authenticated inputs v1, v2, …, vn. TOO INEFFICIENT.

Main Goals:
• Integrity: the untrusted cloud must not be able to send an incorrect y
• Efficiency: the client’s communication and storage must be minimized

Slides 10-12: Main Goals; an approach to solve the problem: Homomorphic Message Authenticators [GW13]

[Figure: the client and the authenticated data share a secret key sk; the cloud answers “Compute P” with y = P(v1,…,vk) and a tag that proves that “y is the output of P on authenticated data”]

• Integrity ✓: the cloud cannot forge MACs.
• Efficiency ✓: |σ| << size of the k input values.

Slides 13-18: Homomorphic MACs & Labeled Programs [GW13]

• KeyGen(λ) → (sk, ek) // private key sk, public evaluation key ek
• Auth(sk, v, τ) → σ, which authenticates value v w.r.t. label τ
  ◦ Idea of labels: uniquely “remember” the outsourced data, e.g.
    $665.41 ~ “Jan 3rd, 2012, Google stock price”
    $668.28 ~ “Jan 4th, 2012, Google stock price”
    $659.01 ~ “Jan 5th, 2012, Google stock price”
    ... ...
• Eval(ek, P, σ1, …, σn) → σ, a new tag authenticating the “output of labeled program P”
• A labeled program P is a circuit f with a label τ on each input wire
  ◦ e.g., P computes the yearly average stock price for some days, each day labeled by some τi
• Ver(sk, P, v, σ) checks whether v is the output of P = (f, τ1, …, τn)
  ◦ on the n values authenticated with labels τ1, …, τn

[Figure: Auth takes sk, v and τ and outputs σ; the labeled program P is drawn as a circuit of + and × gates whose input wires carry the labels τ1, τ2, τ3]

Slide 19: Properties of Homomorphic MACs

• Security: …in 2 slides
• Succinctness: the size of the tags (returned by Eval) does not depend on the number of inputs of the computation
• Composition: authenticated outputs can be further used as inputs to other circuits

Slides 20-26: Composition

• At gate level: for every pair of authenticated inputs, obtain an authenticated output
  ◦ a × gate with inputs (v1, σ1) on label τ1 and (v2, σ2) on label τ2 yields (v1 × v2, σ×)
  ◦ feeding that output, together with (v3, σ3) and (v4, σ4) on labels τ3, τ4, into a circuit f’ yields (f(v1, v2, v3, v4), σf) for the composed function f = × ∘ f’
• Very useful property if one wants to merge partially authenticated computations, e.g., for parallelization (MapReduce)

Slides 27-33: Security

Unforgeability against chosen-message attacks. Basic idea: nobody, without sk, can create a “valid” MAC.

[Figure: the challenger holds sk and the adversary holds ek. The adversary sends (τi, vi) and receives σi = Auth(sk, τi, vi); it sends (P, v, σ) and receives b = Ver(sk, P, v, σ). Each τi can be queried only once.]

• The adversary wins if it makes a verification query (P, v*, σ*) such that, for P = (f, τ1, …, τn): Ver(sk, P, v*, σ*) = accept and
  ◦ Type-1: ∃τj that has never been queried, and τj “does contribute” to f
  ◦ Type-2: all labels have been queried and v* ≠ f(v1, …, vn)

Slides 34-39: Realizations: Previous Work

• Homomorphic Signatures [JMSW02] (more flexible - public verification)
• Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
• Beyond linear: only one scheme [BF11] for constant-degree polynomials
• Homomorphic MACs (beyond linear):

  Scheme     | Assumption | Security          | Computations                               | Size of tags | Comp.
  [GW13]     | FHE        | no verif. queries | Arbitrary                                  | O(1)         |
  [CF13] (1) | OWF        | full              | degree-d arithmetic circuits, d = O(1)     | O(d)         |
  [CF13] (2) | d-DHI      | full              | degree-D arithmetic circuits for D = poly(k) | O(1)       |

Slides 40-43: Our Results

  Scheme                | Assumption                       | Security        | Computations                                 | Size of tags | Comp.
  [GW13]                | FHE                              | no ver. queries | Arbitrary                                    | O(1)         |
  [CF13] (1)            | OWF                              | full            | degree-d arithmetic circuits, d = O(1)       | O(d)         |
  [CF13] (2)            | d-DHI                            | full            | degree-D arithmetic circuits for D = poly(k) | O(1)         |
  This work             | Encoding w/ limited malleability | full            | degree-D arithmetic circuits for D = poly(k) | O(1)         |
  This work (This Talk) | (D,k)-MDHI on multilinear maps   | full            | degree-(D+k) arithmetic circuits             | O(k²)        | ✔ (k)

• Encoding with limited malleability. Basic idea: additively homomorphic but not multiplicatively homomorphic (similar to [BCIOP13]). Possible instantiations: Paillier, BV11.
• Multilinear maps: we use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k.

Slide 44: Graded k-Linear maps

• Gen(1^λ, k) generates k groups G1, G2, …, Gk of prime order p
• with a collection of bilinear maps e_ij: Gi × Gj → G_{i+j}, e_ij(g_i^a, g_j^b) = g_{i+j}^{ab}
• Notation: g ∈ G1, g_i = e(g, …, g) (i times)
• “Approximate” realizations via graded encodings [GGH13, CLT13]

Slides 45-49: Our Homomorphic MAC

• KeyGen(1^λ, D, k):
  ◦ Generate leveled k-linear groups of prime order p, e_ij: Gi × Gj → G_{i+j}
  ◦ Take a random generator g in G1, sample x, a ← Zp
  ◦ Compute g^{x^i}, g^{a x^i} for i = 1…D
  ◦ Sample a seed K of a PRF F_K: {0,1}* → Zp
  ◦ sk = (K, g, x, a), ek = (g^a, {g^{x^i}, g^{a x^i}}_i)
• Auth(sk, v, τ): the tag is a degree-1 polynomial y(X) ∈ Zp[X] s.t. y(0) = v and y(x) = r_τ = F_K(τ)
• Eval(ek, f): compute y(X) ← f(y1(X), …, yn(X)) over Zp[X], with |y(X)| ≤ D
• Compress(ek, y(X)): Λ ← ∏_{i=1}^{d} (g^{x^i})^{y_i} = g^{y(x) - y(0)}
  ◦ Similarly, compute Γ ← g^{a[y(x) - y(0)]} = Λ^a. Output σ = (y(0), Λ, Γ)
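The following Python is an added worked example, not code from the talk or from the authors. It implements the abstract interface of slides 13-18 (KeyGen, Auth, Eval, Ver over a labeled program, plus the "each label queried once" rule of the security game) using the polynomial tags of slides 46-49, and then the Compress step together with the addition case of CompositionEval and the Ver invariant for composition degree d = 1. Everything in it is an assumption of the example: F_K is instantiated with HMAC-SHA256; the scalar field is the toy prime p = 101 and the level-1 group G1 is the order-101 subgroup of Z_607^* (insecurely small, chosen so the group arithmetic is plain modular exponentiation); no multilinear map is modelled, so the multiplication case of CompositionEval is not implemented; circuits are nested tuples; labels and stock-price values are constructed.

```python
import hashlib
import hmac

# Constructed toy parameters (insecurely small): Z_p is the scheme's scalar field and
# q = 6p + 1 is prime, so Z_q^* has a subgroup of prime order p standing in for G1.
# No multilinear map is modelled, so only level-1 (d = 1) tags are composed here.
P, Q = 101, 607
ZP = (lambda u, w: (u + w) % P, lambda u, w: u * w % P)  # (add, mul) in Z_p

def prf(key, label):  # F_K: {0,1}* -> Z_p, instantiated with HMAC-SHA256 (assumption)
    return int.from_bytes(hmac.new(key, label.encode(), hashlib.sha256).digest(), "big") % P

# Polynomials in Z_p[X] as coefficient lists: index i holds the X^i coefficient.
def poly_add(a, b):
    n = max(len(a), len(b))
    return [(u + w) % P for u, w in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b)))]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, u in enumerate(a):
        for j, w in enumerate(b):
            out[i + j] = (out[i + j] + u * w) % P
    return out

def poly_eval(a, point):
    return sum(c * pow(point, i, P) for i, c in enumerate(a)) % P

# A circuit f is a nested tuple ("in", i), ("add", f1, f2) or ("mul", f1, f2); one walker
# runs f over input values, over tag polynomials and over the PRF outputs r_i.
def run_circuit(f, inputs, add, mul):
    if f[0] == "in":
        return inputs[f[1]]
    left, right = run_circuit(f[1], inputs, add, mul), run_circuit(f[2], inputs, add, mul)
    return add(left, right) if f[0] == "add" else mul(left, right)

def keygen(seed, D):
    """KeyGen(1^λ, D): PRF seed K, secret x and a, public g^a and g^{x^i}, g^{a x^i}, i ≤ D."""
    K = hashlib.sha256(b"K|" + seed).digest()
    x = int.from_bytes(hashlib.sha256(b"x|" + seed).digest(), "big") % (P - 1) + 1
    a = int.from_bytes(hashlib.sha256(b"a|" + seed).digest(), "big") % (P - 1) + 1
    g = pow(2, (Q - 1) // P, Q)  # = 64, a generator of the order-p subgroup of Z_q^*
    sk = {"K": K, "x": x, "a": a, "g": g, "D": D, "used": set()}
    ek = {"ga": pow(g, a, Q), "D": D, "gx": [pow(g, pow(x, i, P), Q) for i in range(D + 1)],
          "gax": [pow(g, a * pow(x, i, P) % P, Q) for i in range(D + 1)]}
    return sk, ek

def auth(sk, v, label):
    """Auth(sk, v, τ): degree-1 y(X) with y(0) = v and y(x) = r_τ = F_K(τ)."""
    if label in sk["used"]:  # the security game lets each label be queried only once
        raise ValueError("label already authenticated: " + label)
    sk["used"].add(label)
    r = prf(sk["K"], label)
    return [v % P, (r - v) * pow(sk["x"], -1, P) % P]  # X coefficient is (r - v) / x

def evaluate(ek, f, tags):
    """Eval(ek, f, σ1..σn) over Z_p[X]; the tag has deg(f) + 1 coefficients, deg(f) ≤ D."""
    y = run_circuit(f, tags, poly_add, poly_mul)
    if len(y) - 1 > ek["D"]:
        raise ValueError("circuit degree exceeds the bound D fixed at KeyGen")
    return y

def verify(sk, f, labels, v, y):
    """Ver(sk, P=(f, τ1..τn), v, y(X)): recompute r = f(r1..rn), check y(0) = v, y(x) = r."""
    r = run_circuit(f, [prf(sk["K"], t) for t in labels], *ZP)
    return len(y) - 1 <= sk["D"] and y[0] == v % P and poly_eval(y, sk["x"]) == r

def compress(ek, y):
    """Compress(ek, y(X)) -> (y(0), Λ, Γ) with Λ = g^{y(x) - y(0)} and Γ = g^{a[y(x) - y(0)]}."""
    lam, gam = 1, 1
    for i in range(1, len(y)):  # Λ = Π (g^{x^i})^{y_i}, Γ = Π (g^{a x^i})^{y_i}
        lam, gam = lam * pow(ek["gx"][i], y[i], Q) % Q, gam * pow(ek["gax"][i], y[i], Q) % Q
    return (y[0], lam, gam)

def add_compressed(s1, s2):  # CompositionEval for one addition gate, all elements in G1
    return ((s1[0] + s2[0]) % P, s1[1] * s2[1] % Q, s1[2] * s2[2] % Q)

def verify_compressed(sk, f, labels, sigma):
    """Ver on a compressed tag of composition degree d = 1: Λ = g^{r - v} and Γ = Λ^a."""
    v, lam, gam = sigma
    r = run_circuit(f, [prf(sk["K"], t) for t in labels], *ZP)
    return lam == pow(sk["g"], (r - v) % P, Q) and gam == pow(lam, sk["a"], Q)

def demo():
    sk, ek = keygen(b"constructed demo seed", D=4)
    labels = ["2012-01-03/price", "2012-01-04/price", "2012-01-05/price"]
    values = [66, 68, 59]  # constructed stand-ins for the deck's stock prices
    tags = [auth(sk, v, t) for v, t in zip(values, labels)]
    f = ("add", ("mul", ("in", 0), ("in", 1)), ("in", 2))  # f(v1, v2, v3) = v1*v2 + v3
    y, v = evaluate(ek, f, tags), run_circuit(f, values, *ZP)
    out = {"value": v, "tag_len": len(y), "verify_ok": verify(sk, f, labels, v, y)}
    # Type-2 forgery attempt: a wrong output with a matching constant term is rejected.
    out["verify_forged"] = verify(sk, f, labels, (v + 1) % P, [(y[0] + 1) % P] + y[1:])
    sigma = compress(ek, y)
    out["compressed_ok"] = verify_compressed(sk, f, labels, sigma)
    # Composition: merge with a separately authenticated tag through an addition gate.
    sigma2 = compress(ek, evaluate(ek, ("in", 0), [auth(sk, 71, "2012-01-06/price")]))
    merged = add_compressed(sigma, sigma2)
    out["composed_value"] = merged[0]
    out["composed_ok"] = verify_compressed(sk, ("add", f, ("in", 3)),
                                           labels + ["2012-01-06/price"], merged)
    return out

if __name__ == "__main__":
    print(demo())
```

The uncompressed tag returned by evaluate has deg(f) + 1 coefficients, which is the O(d) tag size the tables give for [CF13] (1); compress turns it into the constant-size triple (y(0), Λ, Γ) that Ver checks against g^{r - v} without ever seeing the polynomial. Because the circuit walker is shared, the verifier recomputes r = f(r1, …, rn) with exactly the same code path the evaluator used on the tags, which is the correctness argument y(x) = f(y1(x), …, yn(x)) = f(r1, …, rn) of slide 59 made concrete.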

Slides 50-60: Our Homomorphic MAC cont’d

• CompositionEval(ek, ϕ, σ1 = (v1, Λ1, Γ1), σ2 = (v2, Λ2, Γ2)) → σ = (v, Λ, Γ)
  (simplified description for ϕ a single gate and elements in G1)
  ◦ Addition: v = v1 + v2, Λ = Λ1 Λ2, Γ = Γ1 Γ2
  ◦ Multiplication: v = v1 v2,
    Λ = e(Λ1, Γ2) · e(Λ1, g^a)^{v2} · e(g^a, Λ2)^{v1} = g_2^{a[y(x) - v]}
    Γ = e(Γ1, Γ2) · e(Γ1, g^a)^{v2} · e(g^a, Γ2)^{v1} = g_2^{a²[y(x) - v]}
  ◦ Basic idea: use the graded maps to compute ϕ(Λ1, …, Λn) → Λ, with deg(ϕ) ≤ k
• Ver(sk, P, v, σ) → 0/1. Let P = (f, τ1, …, τn) and σ = (v, Λ, Γ)
  ◦ Derive r_i ← F_K(τ_i) for i = 1…n and compute r ← f(r1, …, rn)
  ◦ Verify the invariant Λ = g_d^{a^{d-1}[r - v]}
• Correctness
  ◦ y(x) = f(y1(x), …, yn(x)) = f(r1, …, rn) = r
  ◦ Homomorphic properties of the graded maps
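The multiplication case of CompositionEval, worked through as an added example (this derivation is not on the slides; it only expands the formulas above). Write the two level-1 inputs in the form the Ver invariant gives for d = 1, with r_i = y_i(x):

\[
\Lambda_i = g^{\,r_i - v_i}, \qquad \Gamma_i = g^{\,a(r_i - v_i)}, \qquad i = 1, 2.
\]

Using the bilinearity e(g^{u}, g^{w}) = g_2^{uw} of the level-1 map, the three factors of Λ are

\[
e(\Lambda_1, \Gamma_2) = g_2^{\,a(r_1 - v_1)(r_2 - v_2)}, \qquad
e(\Lambda_1, g^{a})^{v_2} = g_2^{\,a\,v_2 (r_1 - v_1)}, \qquad
e(g^{a}, \Lambda_2)^{v_1} = g_2^{\,a\,v_1 (r_2 - v_2)} .
\]

Multiplying them adds the exponents, and the cross terms cancel:

\[
a\big[(r_1 - v_1)(r_2 - v_2) + v_2 (r_1 - v_1) + v_1 (r_2 - v_2)\big]
= a\big[r_1 r_2 - r_1 v_2 - v_1 r_2 + v_1 v_2 + v_2 r_1 - v_1 v_2 + v_1 r_2 - v_1 v_2\big]
= a\,[\,r_1 r_2 - v_1 v_2\,] = a\,[\,y(x) - v\,],
\]

since the product tag is y(X) = y_1(X) y_2(X), so y(x) = r_1 r_2, and v = v_1 v_2. Hence Λ = g_2^{a[y(x) - v]}, which is exactly the Ver invariant Λ = g_d^{a^{d-1}[r - v]} at d = 2. Replacing Λ_1, Λ_2 by Γ_1, Γ_2 multiplies every exponent by one more factor of a and gives Γ = g_2^{a^2[y(x) - v]}; the addition gate is the d = 1 case, Λ_1 Λ_2 = g^{(r_1 + r_2) - (v_1 + v_2)}, which needs no pairing at all.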

Slide 61: Result

• Security under the (D, k)-MDHI assumption
  ◦ Given (g, g^x, …, g^{x^D}) in G1, it is hard to compute g_k^{x^{Dk+1}} in Gk
  ◦ It can be shown hard in the generic multilinear group model, by extending the Uber assumption of [BBG05]
• Theorem. If the (D,k)-MDHI assumption holds and F is a PRF, then the scheme is a secure homomorphic MAC with tags of size O(k²), and supports arithmetic circuits of degree ≤ D and composition circuits of degree ≤ k.

Slide 62: Comparison to other approaches

• Another approach to solve the problem is to leverage SNARKs
  ◦ The homomorphic signature is a SNARK proof about the existence of valid signatures on the inputs
• However, by following this approach:
  ◦ composition is achieved via recursive composition of proofs (proofs about the validity of other proofs) [BCCT13]
  ◦ function independence is achieved via universal circuits
• Overall, a less natural approach, and likely to require non-falsifiable (knowledge) assumptions [GW11]
• In contrast, our solutions can be based on falsifiable assumptions

Slides 63-64: Conclusions & Open Problems

• We proposed new homomorphic MAC schemes
  ◦ Based on encoding w/ limited malleability
  ◦ Multilinear maps - trading succinctness vs. composition
• Main open questions:
  ◦ Can we achieve Fully Homomorphic MACs with unbounded verification queries?
  ◦ How about Fully-Homomorphic Signatures?

Interesting observation: if we assume ideal compact k-linear maps with k < p exponential, our scheme is homomorphic for all circuits of bounded depth and secure against unbounded verification queries.

Slide 65: Thanks