Homomorphic Signatures with Efficient Verification for Polynomial Functions

Catalano, Dario; Fiore, Dario; Warinschi, Bogdan

doi:10.1007/978-3-662-44371-2_21

Cited by 90 publications

(63 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In compliance with previous work [7,10] on homomorphic signatures, we formalize aggregate unforgeability via a game in which Aggregator A accesses oracles O Setup and O EncTag . Furthermore, given the property that anyone holding the public verification key VK can execute the algorithm Verify, we assume that Aggregator A during the unforgeability game runs the algorithm Verify by itself.…”

Section: Security Modelmentioning

confidence: 98%

PUDA – Privacy and Unforgeability for Data Aggregation

Leontiadis

Elkhiyaoui

Önen

et al. 2015

Cryptology and Network Security

View full text Add to dashboard Cite

Abstract. Existing work on data collection and analysis for aggregation is mainly focused on confidentiality issues. That is, the untrusted Aggregator learns only the aggregation result without divulging individual data inputs. In this paper we extend the existing models with stronger security requirements. Apart from the privacy requirements with respect to the individual inputs, we ask for unforgeability for the aggregate result. We first define the new security requirements of the model. We also instantiate a protocol for private and unforgeable aggregation for multiple independent users. I.e, multiple unsynchronized users owing to personal sensitive information without interacting with each other, contribute their values in a secure way: The Aggregator learns the result of a function without learning individual values, and moreover, it constructs a proof that is forwarded to a verifier that will convince the latter for the correctness of the computation. Our protocol is provably secure in the random oracle model.

show abstract

Section: Security Modelmentioning

confidence: 98%

PUDA – Privacy and Unforgeability for Data Aggregation

Leontiadis

Elkhiyaoui

Önen

et al. 2015

Cryptology and Network Security

View full text Add to dashboard Cite

show abstract

“…The construction is based on the hardness of the Small Integer Solution (SIS) problem in ideal lattices and has a proof of security in the random-oracle model. The recent work of Catalano et al [CFW14] gives an alternate solution using multi-linear maps which removes the need for random oracles at the cost of having large public parameters. The main open question left by these works is to construct signatures with greater levels of homomorphism, and ideally a fully homomorphic scheme that can evaluate arbitrary circuits.…”

Section: Related Workmentioning

confidence: 99%

“…However, there is a way to generate A along with a trapdoor td that makes this easy and, more generally, for any matrix V ∈ Z n×m q , 2 Although Catalano et al [CFW14] provide a similar transformation, it works only for bounded degree polynomial functions, and does not generalize to leveled FHS. the trapdoor can be used to sample a "short" matrix U ∈ Z m×m q such that AU = V. There is also a public matrix G ∈ Z n×m q with some special structure (not random) for which everyone can efficiently compute a "short" matrix G −1 (V) such that GG −1 (V) = V. 3 Our HTDF consists of choosing pk = A together with trapdoor sk = td as above.…”

Section: Homomorphic Trapdoor Functions (Htdf)mentioning

confidence: 99%

Leveled Fully Homomorphic Signatures from Standard Lattices

Gorbunov

Vaikuntanathan

Wichs

2015

Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing

184

148

View full text Add to dashboard Cite

In a homomorphic signature scheme, a user Alice signs some large dataset x using her secret signing key and uploads the signed data to an untrusted remote server. The server can then run some computation y = f (x) over the signed data and homomorphically derive a short signature σ f,y certifying that y is the correct output of the computation f . Anybody can verify the tuple (f, y, σ f,y ) using Alice's public verification key and become convinced of this fact without having to retrieve the entire underlying data.In this work, we construct the first (leveled) fully homomorphic signature schemes that can evaluate arbitrary circuits over signed data. Only the maximal depth d of the circuits needs to be fixed a-priori at setup, and the size of the evaluated signature grows polynomially in d, but is otherwise independent of the circuit size or the data size. Our solution is based on the hardness of the small integer solution (SIS) problem in standard lattices and satisfies full (adaptive) security. In the standard model, we get a scheme with large public parameters whose size exceeds the total size of a dataset. In the random-oracle model, we get a scheme with short public parameters. In both cases, the schemes can be used to sign many different datasets. The complexity of verifying a signature for a computation f is at least as large as that of computing f , but can be amortized when verifying the same computation over many different datasets. Furthermore, the signatures can be made context-hiding so as not to reveal anything about the data beyond the outcome of the computation.These results offer a significant improvement in capabilities and assumptions over the best prior homomorphic signature schemes, which were limited to evaluating polynomials of constant degree.As a building block of independent interest, we introduce a new notion called homomorphic trapdoor functions (HTDF) which conceptually unites homomorphic encryption and signatures. We construct HTDFs by relying on the techniques developed by Gentry et al. (CRYPTO '13) and Boneh et al. (EUROCRYPT '14) in the contexts of fully homomorphic and attribute-based encryptions. *

show abstract

“…Their solution is based on multi-linear maps and bypasses the need for random oracles. More interestingly, the work by Catalano et al [16] contains the first mechanism to verify signatures faster than the running time of the verified function. Recently, Gorbunov et al [29] have proposed the first (leveled) fully homomorphic signature scheme that can evaluate arbitrary circuits of bounded 5 Note that s can be bounded by poly(n) for constant d, or by poly(d) for constant n.…”

Section: Related Workmentioning

confidence: 99%

“…The intuition behind this transformation is similar to the one employed in [29] and implicitly used in [16,13], except that here we have to use additional techniques to deal with the multi-key setting. We combine a standard signature scheme NH.Sig (non-homomorphic) with a single dataset multi-key homomorphic signature scheme MKHSig .…”

Section: From a Single Dataset To Multiple Datasetsmentioning

confidence: 99%

Multi-key Homomorphic Authenticators

Fiore

Mitrokotsa

Nizzardo

et al. 2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Homomorphic authenticators (HAs) enable a client to authenticate a large collection of data elements m1, . . . , mt and outsource them, along with the corresponding authenticators, to an untrusted server. At any later point, the server can generate a short authenticator σ f,y vouching for the correctness of the output y of a function f computed on the outsourced data, i.e., y = f (m1, . . . , mt). Recently researchers have focused on HAs as a solution, with minimal communication and interaction, to the problem of delegating computation on outsourced data. The notion of HAs studied so far, however, only supports executions (and proofs of correctness) of computations over data authenticated by a single user. Motivated by realistic scenarios (ubiquitous computing, sensor networks, etc.) in which large datasets include data provided by multiple users, we study the concept of multi-key homomorphic authenticators. In a nutshell, multi-key HAs are like HAs with the extra feature of allowing the holder of public evaluation keys to compute on data authenticated under different secret keys. In this paper, we introduce and formally define multi-key HAs. Secondly, we propose a construction of a multi-key homomorphic signature based on standard lattices and supporting the evaluation of circuits of bounded polynomial depth. Thirdly, we provide a construction of multi-key homomorphic MACs based only on pseudorandom functions and supporting the evaluation of low-degree arithmetic circuits. Albeit being less expressive and only secretly verifiable, the latter construction presents interesting efficiency properties.

show abstract

Homomorphic Signatures with Efficient Verification for Polynomial Functions

Cited by 90 publications

References 28 publications

PUDA – Privacy and Unforgeability for Data Aggregation

PUDA – Privacy and Unforgeability for Data Aggregation

Leveled Fully Homomorphic Signatures from Standard Lattices

Multi-key Homomorphic Authenticators

Contact Info

Product

Resources

About