Results 1-5 of 5
Homomorphic Signatures with Efficient Verification for Polynomial Functions
Cited by 6 (1 self)
Abstract. A homomorphic signature scheme for a class of functions C allows a client to sign and upload elements of some data set D on a server. At any later point, the server can derive a (publicly verifiable) signature that certifies that some y is the result of computing some f ∈ C on the basic data set D. This primitive has been formalized by Boneh and Freeman (Eurocrypt 2011), who also proposed the only known construction for the class of multivariate polynomials of fixed degree d ≥ 1. In this paper we construct new homomorphic signature schemes for such functions. Our schemes provide the first alternatives to the one of Boneh-Freeman, and improve over their solution in three main aspects. First, our schemes do not rely on random oracles. Second, we obtain security in a stronger fully-adaptive model: while the solution of Boneh-Freeman requires the adversary to query messages in a given data set all at once, our schemes can tolerate adversaries that query one message at a time, in a fully-adaptive way. Third, signature verification is more efficient (in an amortized sense) than computing the function from scratch. The latter property opens the way to using homomorphic signatures for publicly-verifiable computation on outsourced data. Our schemes rely on a new assumption on leveled graded encodings which we show to hold in a generic model.
Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Cited by 3 (1 self)
Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Automating Fast and Secure Translations from Type-I to Type-III Pairing Schemes
 In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Cited by 1 (0 self)
Pairing-based cryptography has exploded over the last decade, as this algebraic setting offers good functionality and efficiency. However, there is a huge security gap between how schemes are usually analyzed in the academic literature and how they are typically implemented. The issue at play is that there exist multiple types of pairings: Type-I, called “symmetric”, is typically how schemes are presented and proven secure in the literature, because it is simpler and the complexity assumptions can be weaker; however, Type-III, called “asymmetric”, is typically the most efficient choice for an implementation in terms of bandwidth and computation time. There are two main complexities when moving from one pairing type to another. First, the change in algebraic setting invalidates the original security proof. Second, there are usually multiple (possibly thousands of) ways to translate from a Type-I to a Type-III scheme, and the “best” translation may depend on the application. Our contribution is the design, development and evaluation of a new software tool, AutoGroup+, that automatically translates from Type-I to Type-III pairings. The output of AutoGroup+ is: (1) “secure” provided the input is “secure” and (2) optimal based on the user’s
Programmable Hash Functions go Private: Constructions and Applications to (Homomorphic) Signatures with Shorter Public Keys
Abstract. We introduce the notion of asymmetric programmable hash functions (APHFs, for short), which adapts Programmable Hash Functions, introduced by Hofheinz and Kiltz at Crypto 2008, with two main differences. First, an APHF works over bilinear groups, and it is asymmetric in the sense that, while only secretly computable, it admits an isomorphic copy which is publicly computable. Second, in addition to the usual programmability, APHFs may have an alternative property that we call programmable pseudorandomness. In a nutshell, this property states that it is possible to embed a pseudorandom value as part of the function’s output, akin to a random oracle. In spite of the apparent limitation of being only secretly computable, APHFs turn out to be surprisingly powerful objects. We show that they can be used to generically implement both regular and linearly-homomorphic signature schemes in a simple and elegant way. More importantly, when instantiating these generic constructions with our concrete realizations of APHFs, we obtain: (1) the first linearly-homomorphic signature (in the standard model) whose public key is sublinear in both the dataset size and the dimension of the signed vectors; (2) short signatures (in the standard model) whose public key is shorter than those by Hofheinz-Jager-Kiltz from Asiacrypt 2011, and essentially the same as those by Yamada, Hanaoka, Kunihiro (CT-RSA 2012).
Multi-user Schnorr security, revisited
Abstract. Three recent proposals for standardization of next-generation ECC signatures have included “key prefixing” modifications to Schnorr’s signature system. Bernstein, Duif, Lange, Schwabe, and Yang stated in 2011 that key prefixing is “an inexpensive way to alleviate concerns that several public keys could be attacked simultaneously”. However, a 2002 theorem by Galbraith, Malone-Lee, and Smart states that, for the classic Schnorr signature system, single-key security tightly implies multi-key security. Struik and then Hamburg, citing this theorem, argued that key prefixing was unnecessary for multi-user security and should not be standardized. This paper identifies an error in the 2002 proof, and an apparently insurmountable obstacle to the claimed theorem. The proof idea does, however, lead to a different theorem, stating that single-key security of the classic Schnorr signature system tightly implies multi-key security of the key-prefixed variant of the system. This produces exactly the opposite conclusion regarding standardization.