Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09,...
Transcript of Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09,...
![Page 1: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/1.jpg)
PKC’14 - Buenos Aires, March 28, 2014
Generalizing Homomorphic MACs for Arithmetic Circuits
Dario Catalano
Università di Catania Italy
Dario Fiore
IMDEA Software Institute Spain
Rosario Gennaro
CUNY USA !
LucaUniversità di Milano-Bicocca
Italy *work done while visiting CUNY
Nizzardo*
![Page 2: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/2.jpg)
Outline¨Motivation ¨Homomorphic MACs
¤ Definition ¤ Previous work
¨Our results ¨Summary & Open problems
!2
![Page 3: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/3.jpg)
Delegating Computations on Outsourced Data
v1, v2, …, vn v1v2
vn
…
!3
![Page 4: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/4.jpg)
Delegating Computations on Outsourced Data
“Compute P”v1, v2, …, vn v1v2
vn
…
!3
![Page 5: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/5.jpg)
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
![Page 6: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/6.jpg)
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?
![Page 7: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/7.jpg)
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
v1, v2, …, vn
![Page 8: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/8.jpg)
Question:
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
TOO INEFFICIENT
v1, v2, …, vn
![Page 9: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/9.jpg)
Question:
Main Goals
Delegating Computations on Outsourced Data
“Compute P”
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!3
¨ How can the client be sure that P is executed on the company’s data?¨ Trivial solution: the cloud sends all the authenticated inputs.
TOO INEFFICIENT
![Page 10: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/10.jpg)
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
sksk
![Page 11: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/11.jpg)
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
proves that “y is the output of P on authenticated data”
sksk
![Page 12: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/12.jpg)
Main Goals
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
“Compute P“
y
y = P(v1,…,vk)v1, v2, …, vn v1v2
vn
…¨ Integrity Untrusted cloud must notbe able to send incorrect y
¨ EfficiencyClient’s communication and storage must be minimized
!4
✓ ✓Cloud cannot forge MACs. | | << size of k input values.
proves that “y is the output of P on authenticated data”
sksk
![Page 13: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/13.jpg)
Homomorphic MACs & Labeled Programs!5
[GW13]
![Page 14: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/14.jpg)
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek
[GW13]
![Page 15: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/15.jpg)
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
Auth
τv
σ
sk
[GW13]
![Page 16: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/16.jpg)
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
![Page 17: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/17.jpg)
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
![Page 18: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/18.jpg)
Homomorphic MACs & Labeled Programs!5
¨KeyGen(λ)→(sk,ek) // private key sk, public evaluation key ek¨Auth(sk,v,τ)→σ which authenticates value v w.r.t. label τ
• Idea of labels: uniquely “remember” the outsourced data $ 665.41 ~ “Jan, 3
rd, 2012, Google stock price”
$ 668.28 ~ “Jan, 4th, 2012, Google stock price”
$ 659.01 ~ “Jan, 5th, 2012, Google stock price”
... ...
¨Eval(ek,P,σ1,…,σn)→σ new tag authenticating “output of labeled program P” ¨A labeled program P is a circuit f with a label τ on each input wire • e.g., P computes the yearly average stock price for some days — each day labeled by some τi
¨Ver(sk, P, v, σ) checks whether v is output of P=(f,τ1, …, τn) on values authenticated with labels τ1,…,τn
+ x x
++
τ1 τ2 τ3
x
Auth
τv
σ
sk
P
[GW13]
![Page 19: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/19.jpg)
Properties of Homomorphic MACs
¨Security: …in 2 slides ¨Succinctness: size of tags (returned by Eval) does not depend on the number of inputs of the computation
¨Composition: authenticated outputs can be further used as inputs to other circuits
!6
![Page 20: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/20.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
![Page 21: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/21.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
![Page 22: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/22.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx)
![Page 23: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/23.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx)
+ x x
++
xf’
τ3 τ4
![Page 24: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/24.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
+ x x
++
xf’
τ3 τ4
![Page 25: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/25.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
(f(v1,v2,v3,v4), σf )
+ x x
++
xf’ f = x o f’
τ3 τ4
![Page 26: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/26.jpg)
Composition
¨At gate level: for every pair of authenticated inputs, obtain an authenticated output
!7
xτ2τ1
(v1,σ1) (v2,σ2)
(v1 x v2, σx) (v3,σ3) (v4,σ4)
(f(v1,v2,v3,v4), σf )
Very useful property if one wants to merge partially authenticated computations, e.g., for parallelization (MapReduce)
+ x x
++
xf’ f = x o f’
τ3 τ4
![Page 27: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/27.jpg)
Security!8
sk
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
![Page 28: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/28.jpg)
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
![Page 29: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/29.jpg)
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
![Page 30: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/30.jpg)
Security!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
![Page 31: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/31.jpg)
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
![Page 32: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/32.jpg)
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
![Page 33: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/33.jpg)
Security
¨Adversary wins if it makes a verification query (P,v*,σ*) such that, for P=(f,τ1, …, τn): Ver(sk,P,v*,σ*)=accept and ¤Type-1: ∃τj that has never been queried, and τj “does contribute” to f
¤Type-2: all labels have been queried and v*≠f(v1,…,vn)
!8
sk
σi=Auth(sk,τi,vi)
τi ,vi
b=Ver(sk,P,v,σ)
P,v,σ
Unforgeability against chosen-message attacks Basic idea: nobody, without sk, can create a “valid” MAC
ek
Each τi can be queried only once
![Page 34: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/34.jpg)
Realizations: Previous Work!9
![Page 35: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/35.jpg)
Realizations: Previous Work!9
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials
![Page 36: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/36.jpg)
Realizations: Previous Work!9
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
![Page 37: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/37.jpg)
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
![Page 38: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/38.jpg)
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
![Page 39: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/39.jpg)
Realizations: Previous Work!9
Assumption Security Computations Size of tags Comp.
[GW13] FHE no verif. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
¨Homomorphic Signatures [JMSW02] (more flexible - public verification) ¨Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]
¨Beyond linear: only one scheme [BF11] for constant-degree polynomials¨Homomorphic MACs (beyond linear):
![Page 40: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/40.jpg)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)O(k2)
![Page 41: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/41.jpg)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
Basic idea: additively homomorphic but not multiplicative homomorphic (similar to [BCIOP13]). Possible instantiations: Paillier, BV11.
O(k2)
![Page 42: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/42.jpg)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k.
O(k2)
![Page 43: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/43.jpg)
Our Results!10
Assumption Security Computations Size of tags Comp.
[GW13] FHE no ver. queries Arbitrary O(1) ✔
[CF13] (1) OWF full degree-d arithmetic circuits, d=O(1) O(d) ✔
[CF13] (2) d-DHI fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This workEncoding w/
limited malleability
fulldegree-D arithmetic
circuits for D=poly(k)
O(1) ✘
This work!
(D,k)-MDHI on multilinear
mapsfull degree-(D+k)
arithmetic circuits ✔ (k)
We use graded k-linear maps [GGH13, CLT13] and support composition circuits of bounded degree k. This Talk
O(k2)
![Page 44: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/44.jpg)
Graded k-Linear maps
¨Gen(1λ, k) generates k groups of prime order p
G1, G2, …, Gk
¨with a collection of bilinear maps
eij: Gi × Gj→Gi+j : eij(gia, gjb)=gi+jab
¨Notation: g∈G1 , gi=e(g,…, g) i times ¨“Approximate” realizations via graded encodings [GGH13, CLT13]
!11
![Page 45: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/45.jpg)
Our Homomorphic MAC!12
![Page 46: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/46.jpg)
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
!12
![Page 47: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/47.jpg)
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
!12
![Page 48: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/48.jpg)
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D
!12
![Page 49: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/49.jpg)
Our Homomorphic MAC¨KeyGen(1λ, D, k):
¤Generate leveled k-linear groups of prime order p, eij: Gi × Gj→Gi+j ¤Take random generator g in G1, sample x,a ← Zp, ¤Compute g
x^i, g
ax^i, for i=1…D
¤Sample a seed K of a PRF FK: {0,1}*→Zp
¤sk=(K, g, x, a), ek=(ga, {gx^i,g
ax^i}i )
¨Auth(sk,v,τ): the tag is a degree-1 polynomial y(X)∈Zp[X] s.t.y(0)=v and y(x)=rτ=FK(τ)
¨Eval(ek,f): compute y(X)← f(y1(X), …,yn(X)) over Zp[X], |y(X)|≤D
¨Compress(ek, y(X)): Λ← ∏di=1 (gx^i)yi = gy(x)-y(0)
¤ Similarly, compute Γ←ga[y(x)-y(0)]=Λa. Output σ=(y(0), Λ, Γ )
!12
![Page 50: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/50.jpg)
Our Homomorphic MAC cont’d!13
![Page 51: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/51.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
!13
![Page 52: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/52.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2
!13
![Page 53: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/53.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
!13
![Page 54: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/54.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
!13
![Page 55: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/55.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )
!13
![Page 56: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/56.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)
!13
![Page 57: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/57.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
!13
![Page 58: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/58.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness
!13
![Page 59: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/59.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r
!13
![Page 60: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/60.jpg)
Our Homomorphic MAC cont’d
¨CompositionEval(ek, ϕ, σ1=(v1,Λ1, Γ1), σ2=(v2, Λ2, Γ2) )→σ=(v, Λ, Γ)(simplified description for ϕ single gate and elements in G1)
¤Addition: v=v1+v2, Λ=Λ1 Λ2, Γ=Γ1 Γ2 ¤Multiplication: v=v1v2,
Λ1 = e(Λ1,Γ2) e(Λ1, ga)v2
e(ga,Λ2)
v1 = g2a[y(x) - v]
Γ2 = e(Γ1,Γ2) e(Γ1, ga)v2
e(ga,Γ2)
v1 = g2a2[y(x) - v]
¤Basic idea: use the graded maps to compute ϕ(Λ1, …,Λn)→Λ , with deg(ϕ)≤k
¨Ver(sk, P, v, σ)→0/1 Let P=(f,τ1, …, τn) and σ=(v, Λ, Γ )¤ Derive ri←FK(τi) i=1…n and compute r ←f(r1, …, rn)¤ Verify the invariant Λ= gda^(d-1)[r - v]
¨Correctness ¤y(x)= f(y1(x), …,yn(x)) = f(r1, …,rn)=r
¤ Homomorphic properties of the graded maps
!13
![Page 61: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/61.jpg)
Result¨Security under the (D, k)-MDHI assumption
¤Given (g, gx, …, gx^D) in G1, hard to compute gkx^(Dk+1)
in Gk ¤It can be shown hard in the generic multilinear group model, by extending the Uber assumption of [BBG05]
¨Theorem. If the (D,k)-MDHI assumption holds and F is a PRF, then the scheme is a secure homomorphic MAC with tags of size O(k2) and supports arithmetic circuits of degree ≤D and composition circuits of degree ≤k.
!14
![Page 62: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/62.jpg)
Comparison to other approaches
¨Another approach to solve the problem is to leverage SNARKs ¤The homomorphic signature is a SNARK proof about the existence of valid signatures on the inputs
¨However, by following this approach: ¤composition is achieved via recursive composition of proofs (proofs about validity of other proofs) [BCCT13]
¤function independence achieved via universal circuits ¨Overall, less natural approach and likely to require non-falsifiable (knowledge) assumptions [GW11]
¨ In contrast, our solutions can be based on falsifiable assumptions
!15
![Page 63: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/63.jpg)
Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes
¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition
¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?
¤ How about Fully-Homomorphic Signatures?
!16
![Page 64: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/64.jpg)
Conclusions & Open Problems¨ We proposed new homomorphic MAC schemes
¤ Based on encoding w/limited malleability ¤ Multilinear maps - trading succinctness vs. composition
¨ Main open questions: ¤ Can we achieve Fully Homomorphic MACs with unbounded verification queries ?
¤ How about Fully-Homomorphic Signatures?
!16
Interesting observation: if we assume ideal compact k-linear maps with k<p exponential, our scheme is homomorphic for all circuits of bounded depth and secure against unbounded verification queries.
![Page 65: Generalizing MACs for Arithmetic Circuits · Many realizations for linear functions [BFKW09, GKKR10, CFW11, AL11, CFW12, Freeman12, ALP13, …]!Beyond linear: only one scheme [BF11]](https://reader033.fdocuments.us/reader033/viewer/2022053122/60aa5558a929f7161f5afec9/html5/thumbnails/65.jpg)
Thanks