Authenticating Computation on Groups: New Homomorphic Primitives and

Applications

Dario Catalano Università di Catania

Antonio Marcedone Cornell University

Orazio Puglisi Università di Catania

1

Outline

Delegating computation on authenticated data Motivating example Linearly Homomorphic Signature Authenticated Encryption

Linearly Homomorphic Authenticated Encryption with Public Verifiability (LAEPuV) Definition and security Generic Construction outline and Instantiation

Other results

Authenticaticating Computation on Groups: New Primitives and Applications

2

Authenticaticating Computation on Groups: New Primitives and Applications

3

Delegating Computation on Authenticated Data

(Calculus , Alice, 30)

(Algebra, Alice, 28)

(Calculus , Bob, 28)

Delegating Computation on Authenticated Data

What is the grade of Alice in Calculus?

The Grade of Alice in Calculus is 30

Authenticaticating Computation on Groups: New Primitives and Applications

4

Delegating Computation on Authenticated Data

What is the average grade in Calculus?

The average grade in Calculus is 29

Authenticaticating Computation on Groups: New Primitives and Applications

5

Linearly Homomorphic Signatures (M

1,Sign(sk,M

1))

(M2,Sign(sk,M

2))

….. (M

n,Sign(sk,M

n))

COMBINE(PK,f,...)

(f(M1,...,M

n),

Sign(sk,f(M1,...,M

n))

Verification is done w.r.t. a function f:

Ver(pk, f, M, σ) The signatures must be succinct (indipendent on the

number of messages).

Authenticaticating Computation on Groups: New Primitives and Applications

6

[Desmedt93], [JMSW02], [BFKW09]

Delegating Computation on Authenticated Data

What is the average grade in Calculus?

The average grade in Calculus is 29

Authenticaticating Computation on Groups: New Primitives and Applications

7

Authenticaticating Computation on Groups: New Primitives and Applications

8

Authenticated Encryption

(Calculus , Alice, 30)

(Algebra, Alice, 28)

(Calculus , Bob, 28)

Authenticaticating Computation on Groups: New Primitives and Applications

9

Authenticated Encryption

(Calculus , Alice, 30) (Calculus , Alice, 30)

(Algebra , Alice, 28)

(Calculus , Bob, 28)

(Calculus , Alice, ##)

(Algebra , Alice, ??)

(Calculus , Bob, !!) Simmetric Cryptography Asimmetric

Cryptography

TLS – SSH – IpSec

[BelNam00]

[An01]

Authenticated Encryption

What is the grade of Alice in Calculus?

The Grade of Alice in Calculus is ##

## 30

Authenticaticating Computation on Groups: New Primitives and Applications

10

Authenticated Encryption

What is the average grade in Calculus?

The average grade in Calculus is **

Authenticaticating Computation on Groups: New Primitives and Applications

11

Delegating Computation on Authenticated Data with privacy

What is the average grade in Calculus?

The average grade in Calculus is **

** 29

## ?? **

Authenticaticating Computation on Groups: New Primitives and Applications

12

Linearly Homomorphic Authenticated Encryption with Public Verifiability

AE-KeyGen(1λ,k )→(sk, vk)

AE-Encrypt (sk, FID, i, M) → C

AE-Verify(vk, FID, C, f)→{0,1}

AE-Decrypt (sk, FID, C, f) → M or

AE-Eval(vk, f, FID, {Ci }i=1,...,k) →C

Security: LH-IND-CCA for privacy, LH-Uf-CMA for integrity Authenticaticating Computation on Groups:

New Primitives and Applications 13

Public Verifiability

Inspired by [JY14]

Authenticaticating Computation on Groups: New Primitives and Applications

14

LAEPuV - General Construction M message space, additive group R randomness space, multiplicative group

C ciphertext space, multiplicative group

Authenticaticating Computation on Groups: New Primitives and Applications

15

LAEPuV - General Construction

T IND-CPA secure

Public Key Encryption Scheme

Encpk(M1,R1)*Encpk(M2,R2)=Encpk(M1+M2,R1*R2)

M message space, additive group R randomness space, multiplicative group

C ciphertext space, multiplicative group

Authenticaticating Computation on Groups: New Primitives and Applications

16

LAEPuV - General Construction

T IND-CPA secure

Public Key Encryption Scheme

Encpk(M1,R1)*Encpk(M2,R2)=Encpk(M1+M2,R1*R2)

M message space, additive group R randomness space, multiplicative group

C ciphertext space, multiplicative group

Σ Linearly Homomorphic signature

scheme for elements in M

Authenticaticating Computation on Groups: New Primitives and Applications

17

LAEPuV - General Construction

T IND-CPA secure

Public Key Encryption Scheme

Encpk(M1,R1)*Encpk(M2,R2)=Encpk(M1+M2,R1*R2)

M message space, additive group R randomness space, multiplicative group

C ciphertext space, multiplicative group

Σ Linearly Homomorphic signature

scheme for elements in M

H Random Oracle

HK:{0,1}*→C

Authenticaticating Computation on Groups: New Primitives and Applications

18

LAEPuV – Encryption

M

ENC

C

HOM-SIGN

σ C*Enc(b)

DEC

Authenticaticating Computation on Groups: New Primitives and Applications

19

LAEPuV – Eval

σ

C

HOM-EVAL

Authenticaticating Computation on Groups: New Primitives and Applications

20

LAEPuV – Practical Instantiation

Other results (in the paper)

A Linearly homomorphic signature scheme to sign elements in (bilinear) groups

This has nice applications in the context of On-line/Off-line signatures

Authenticaticating Computation on Groups: New Primitives and Applications

21

Related works

Efficient Delegation of Computation over encrypted data [JY14], [FGP14]

Authenticaticating Computation on Groups: New Primitives and Applications

22

Authenticaticating Computation on Groups: New Primitives and Applications

23

Very efficient

General construction

Public Verifiability

Only linear functions

Needs ROM

Conclusion and Open problems

Interesting Open questions remain :

• How to extend to more general functionalities?

• How to avoid ROM?

Authenticaticating Computation on Groups: New Primitives and Applications

24

Conclusion and Open problems

Authenticaticating Computation on Groups: New Primitives and Applications

25