Adaptively Secure Fully Homomorphic Signatures Based on Lattices

In a homomorphic signature scheme, given the public key and a vector of signatures σ := (σ1, . . . , σl) over l messages μ := (μ1, . . . , μl), there exists an efficient algorithm to produce a signature σ′ for μ′ = f(μ). Given the tuple (σ′, μ′, f), anyone can then publicly verify the validity of the signature σ′. Inspired by the recent (selectively secure) key-homomorphic functional encryption for circuits, recent works propose fully homomorphic signature schemes in the selective security model. However, in order to gain adaptive security, one must rely on generic complexity leveraging, which is not only very inefficient but also leads to reductions that are “unfalsifiable”. In this paper, we construct the first adaptively secure homomorphic signature scheme that can evaluate any circuit over signed data. For poly-logarithmic depth circuits, our scheme achieves adaptive security under the standard Small Integer Solution (SIS) assumption. For polynomial depth circuits, the security of our scheme relies on sub-exponential SIS; unlike complexity leveraging, however, the security loss in our reduction depends only on circuit depth and on neither message length nor dataset size.
