Results 1-10 of 16
Fully Homomorphic Message Authenticators
IACR Cryptology ePrint Archive
Cited by 15 (4 self)
Abstract
We define and construct a new primitive called a fully homomorphic message authenticator. With such a scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation (without knowing the secret key). This tag can be verified using the secret key to ensure that the claimed result is indeed the correct output of the specified computation over previously authenticated data (without knowing the underlying data). For example, Alice can upload authenticated data to “the cloud”, which then performs some specified computations over this data and sends the output to Bob, along with a short tag that convinces Bob of correctness. Alice and Bob only share a secret key, and Bob never needs to know Alice’s underlying data. Our construction relies on fully homomorphic encryption to build fully homomorphic message authenticators.
Verifiable Delegation of Computation on Outsourced Data
2013
Cited by 14 (5 self)
Abstract
We address the problem in which a client stores a large amount of data with an untrusted server in such a way that, at any moment, the client can ask the server to compute a function on some portion of its outsourced data. In this scenario, the client must be able to efficiently verify the correctness of the result despite no longer knowing the inputs of the delegated computation, it must be able to keep adding elements to its remote storage, and it does not have to fix in advance (i.e., at data outsourcing time) the functions that it will delegate. Even more ambitiously, clients should be able to verify in time independent of the input size, a very appealing property for computations over huge amounts of data. In this work we propose novel cryptographic techniques that solve the above problem for the class of computations of quadratic polynomials over a large number of variables. This class covers a wide range of significant arithmetic computations, notably many important statistics. To confirm the efficiency of our solution, we show encouraging performance results, e.g., correctness proofs have size below 1 kB
Practical Homomorphic MACs for Arithmetic Circuits
In EUROCRYPT, 2013
Cited by 11 (4 self)
Abstract
Homomorphic message authenticators allow the holder of a (public) evaluation key to perform computations over previously authenticated data, in such a way that the produced tag σ can be used to certify the authenticity of the computation. More precisely, a user knowing the secret key sk used to authenticate the original data can verify that σ authenticates the correct output of the computation. This primitive has been recently formalized by Gennaro and Wichs, who also showed how to realize it from fully homomorphic encryption. In this paper, we show new constructions of this primitive that, while supporting a smaller set of functionalities (i.e., polynomially-bounded arithmetic circuits as opposed to boolean ones), are much more efficient and easy to implement. Moreover, our schemes can tolerate any number of (malicious) verification queries. Our first construction relies on the sole assumption that one-way functions exist, allows for arbitrary composition (i.e., outputs of previously authenticated computations can be used as inputs for new ones) but has the drawback that the size of the produced tags grows with the degree of the circuit. Our second solution, relying on the Diffie-Hellman Inversion assumption, offers somewhat orthogonal features as it allows for very short tags (one single group element!) but poses some restrictions on the composition side.
Algebraic (Trapdoor) One-Way Functions and their Applications
Cited by 6 (3 self)
Abstract
In this paper we introduce the notion of Algebraic (Trapdoor) One-Way Functions, which, roughly speaking, captures and formalizes many of the properties of number-theoretic one-way functions. Informally, a (trapdoor) one-way function F: X → Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic, i.e. F(x) · F(y) = F(x · y), and is field-homomorphic, meaning that it is possible to compute linear operations “in the exponent” over some field (which may be different from Z_p where p is the order of the underlying group X) without knowing the bases. Moreover, algebraic OWFs must be strongly one-way in the sense that given y = F(x), it must be infeasible to compute (x′, d) such that F(x′) = y^d (for d ≠ 0). Interestingly, algebraic one-way functions can be constructed from a variety of standard number-theoretic assumptions, such as RSA, Factoring and CDH over bilinear groups. As a second contribution of this paper, we show several applications where algebraic (trapdoor) OWFs turn out to be useful. In particular:
– Publicly Verifiable Secure Outsourcing of Polynomials: We present efficient solutions which work for fields of arbitrary size and characteristic. When instantiating our protocol with the RSA/Factoring based algebraic OWFs we obtain the first solution which supports small field size, is efficient and
Homomorphic Signatures with Efficient Verification for Polynomial Functions
Cited by 6 (1 self)
Abstract
A homomorphic signature scheme for a class of functions C allows a client to sign and upload elements of some data set D on a server. At any later point, the server can derive a (publicly verifiable) signature that certifies that some y is the result of computing some f ∈ C on the basic data set D. This primitive has been formalized by Boneh and Freeman (Eurocrypt 2011) who also proposed the only known construction for the class of multivariate polynomials of fixed degree d ≥ 1. In this paper we construct new homomorphic signature schemes for such functions. Our schemes provide the first alternatives to the one of Boneh-Freeman, and improve over their solution in three main aspects. First, our schemes do not rely on random oracles. Second, we obtain security in a stronger fully-adaptive model: while the solution of Boneh-Freeman requires the adversary to query messages in a given data set all at once, our schemes can tolerate adversaries that query one message at a time, in a fully-adaptive way. Third, signature verification is more efficient (in an amortized sense) than computing the function from scratch. The latter property opens the way to using homomorphic signatures for publicly-verifiable computation on outsourced data. Our schemes rely on a new assumption on leveled graded encodings which we show to hold in a generic model.
Leveled Fully Homomorphic Signatures from Standard Lattices
2014
Cited by 1 (0 self)
Abstract
In a homomorphic signature scheme, a user Alice signs some large data x using her secret signing key and stores the signed data on a server. The server can then run some computation y = g(x) on the signed data and homomorphically produce a short signature σ_{g,y}. Anybody can verify the signature using Alice’s public verification key and become convinced that y is the correct output of the computation g over Alice’s data, without needing to have the underlying data itself. In this work, we construct the first leveled fully homomorphic signature schemes that can evaluate arbitrary circuits over signed data, where only the maximal depth d of the circuit needs to be fixed a priori. The size of the evaluated signature grows polynomially in d, but is otherwise independent of the circuit size or the data size. Our solutions are based on the hardness of the small integer solution (SIS) problem, which is in turn implied by the worst-case hardness of problems in standard lattices. We get a scheme in the standard model, albeit with large public parameters whose size must exceed the total size of all signed data. In the random-oracle model, we get a scheme with short public parameters. These results offer a significant improvement in capabilities and assumptions over the best prior homomorphic signature scheme due to Boneh and Freeman (Eurocrypt ’11). As a building block of independent interest, we introduce a new notion called homomorphic trapdoor functions (HTDF). We show how to construct homomorphic signatures using HTDFs as a black box. We construct HTDFs based on the SIS problem by relying on a recent technique developed by Boneh et al. (Eurocrypt ’14) in the context of attribute-based encryption.
Efficient Secure and Verifiable Outsourcing of Matrix Multiplications
Cited by 1 (0 self)
Abstract
With the emergence of cloud computing services, a resource-constrained client can outsource its computationally-heavy tasks to cloud providers. Because such service providers might not be fully trusted by the client, the need to verify integrity of the returned computation result arises. The ability to do so is called verifiable delegation or verifiable outsourcing. Furthermore, the data used in the computation may be sensitive and it is often desired to protect it from the cloud throughout the computation. In this work, we put forward solutions for verifiable outsourcing of matrix multiplications that favorably compare with the state of the art. The cost of verifying the result of computation consists of a single modulo exponentiation and can be further reduced if the cloud is rational. A rational cloud is neither honest nor arbitrarily malicious, but rather economically motivated with the sole purpose of maximizing a monetary reward. Our solutions achieve several desired features such as data protection, public verifiability, and computation chaining.
Communication Overhead of Network Coding Schemes Secure against Pollution Attacks
Technische Berichte / Technical Reports
Abstract
Network coding is a promising approach for increasing performance of multicast data transmission and reducing energy costs. Of course, it is essential to consider security aspects to ensure a reliable data transmission. Particularly, pollution attacks may have serious impacts in network coding since a single attacker can jam large parts of the network. Therefore, various approaches have been introduced to secure network coding against this type of attack. However, introducing security increases costs. Even though there are some performance analyses of secure schemes, to our knowledge there are no details whether these schemes are worthwhile to replace routing under the facet of efficiency. Thus, we discuss in this report parameters to assess the efficiency of secure network coding schemes. Using three network graphs, we evaluate parameters focusing on communication overhead for selected schemes. Our results show that there are still benefits in comparison to routing depending on the network topology.
Improved Security for Linearly Homomorphic Signatures: A Generic Framework (full version)
2012
Abstract
We propose a general framework that converts (ordinary) signature schemes having certain properties into linearly homomorphic signature schemes, i.e., schemes that allow authentication of linear functions on signed data. The security of the homomorphic scheme follows from the same computational assumption as is used to prove security of the underlying signature scheme. We show that the following signature schemes have the required properties and thus give rise to secure homomorphic signatures in the standard model:
• The scheme of Waters (Eurocrypt 2005), secure under the computational Diffie-Hellman assumption in bilinear groups.
• The scheme of Boneh and Boyen (Eurocrypt 2004, J. Cryptology 2008), secure under the q-strong Diffie-Hellman assumption in bilinear groups.
• The scheme of Gennaro, Halevi, and Rabin (Eurocrypt 1999), secure under the strong RSA assumption.
• The scheme of Hohenberger and Waters (Crypto 2009), secure under the RSA assumption.
Our systems not only allow weaker security assumptions than were previously available for homomorphic signatures in the standard model, but also are secure in a model that allows a stronger adversary than in other proposed schemes. Our framework also leads to efficient linearly homomorphic signatures that are secure against our stronger adversary under weak assumptions (CDH or RSA) in the random oracle model; all previous proofs of security in the random oracle model break down completely when faced with our stronger adversary.
Keywords: homomorphic signatures, standard model, bilinear groups, CDH, RSA.
An Efficient Edge-Based Authentication for Network Coding Against Entropy Attacks
Abstract
This paper proposes a new edge-based authentication scheme for network coding. Many authentication schemes for random linear network coding have been proposed against pollution attacks. However, random linear network coding is vulnerable to entropy attacks. An adversary can generate messages that are verified as correct messages by the authentication mechanism but obstruct the network coding. Random linear network coding is shown to be efficient in a random failure model, but not in an adversary model. This paper shows a simple solution to tolerate entropy attacks by changing random linear coding to a deterministic message combining rule. For example, this paper shows a modification of RIPPLE, an authentication scheme for random linear network coding. Lastly, we show that the total delay of modified RIPPLE can be reduced by an edge-based authentication. RIPPLE and many other authentication schemes are node-based, that is, verification keys and operations are defined for each node. We show that we can construct an edge-based scheme, that is, verification keys and operations are defined for each edge. We show that the edge-based authentication scheme is more efficient than the node-based schemes.
Keywords: network coding; random linear network coding; message authentication code.