Polynomially Homomorphic Signatures Dan Boneh Stanford University Joint work with David Freeman.


1 Polynomially Homomorphic Signatures Dan Boneh Stanford University Joint work with David Freeman

2 Recall: fully homomorphic encryption
server: PK, E_pk[x] → E_pk[f(x)]
For any function f [G’09, SV’10, vDGHV’10, …]
Lots of excitement around this concept (FHE)

3 Can we do the same for signatures?
signed grades (signer holds SK): (u_1, 91.0, σ_1), (u_2, 73.0, σ_2), …, (u_k, 84.0, σ_k)
untrusted server outputs: 87.3, σ_f
σ_f = sig on ‹“grades”, 91.0, u_i›
σ = sig on ‹“grades”, 87.3, “f”›
σ_f authenticates x = f(x_1, …, x_k) and f
“grades”, f: X^k → X (e.g. mean)
Can further compute on σ_f: σ_{g∘f}, sig on (t, g(f(m)), “g∘f”)

4 More generally: Predicate Signatures [ABCHSW’10]
Homomorphic signature for relation P ⊆ 2^M × M’
S can generate Alice’s sig on P-approved msgs. and nothing else
Derived sigs should be “short”, “private”, and composable
Diagram: SK; (m_1, sign(sk, m_1)), …, (m_k, sign(sk, m_k)); S; (m, sig. on m) ⇔ P*((m_1, …, m_k), m)

5 Unifies three lines of research
- Quoting/Redaction [JMSW’02, …]: given (document, sig) anyone can derive a signature on a substring or subset of the document
- Linearly homomorphic (network coding) [KFM’04, …]: given signatures on vectors v_1, …, v_k in F^n anyone can derive a sig on a linear combination
- Transitive signatures [MR’02, …]: given sigs on nodes and edges of graph G = (V, E) anyone can derive a sig on (u, v) in V^2 if there is a path from u to v in G

6 Back to Homomorphic Sigs: Syntax
setup(1^n, k): n = (sec. param), k = (max data size) → signing key sk, public key pk
function family f: Y → X ∈ F
sign(sk, m): output (σ, random tag t)
eval(pk, t, f, sig σ on m): sig σ’ on (t, f(m), “f”)
verify(pk, (t, m, “f”), σ): 1 or 0
To verify a fresh sig use the “id” function: f(x) = x

7 Desirable properties: data m with tag t
1. Certified computation (existential unforgeability): given (σ_i, t_i) ← Sign(sk, {m_{i,1} … m_{i,k}}) for many i, can’t compute σ’ on (t_i, x, “f”) for x ≠ f(m_{i,1} … m_{i,k})
2. Private: let σ’ be a derived sig on (t, x, “f”) for x = f(m). Given x and f, sig. σ’ reveals “no other info” about m
3. Short: the length of σ’ is at most (log |m|) × λ^{O(1)}
4. Composable

8 Privacy: two definitions
Weak context hiding [BBD…’10] (a la witness indistinguishability): derived sig. does not help adv. distinguish compatible data sets
  f(m_1) = f(m_2) ⇒ derived sig on f(m_1) ≈ derived sig on f(m_2)
Strong context hiding [MR’02, ABCHSW’10] (a la zero knowledge): derived sigs look like fresh sigs (given sk and original sigs)
  ∀ m: (sk, sign(sk, m), sign(sk, f(m))) ≈ (sk, sign(sk, m), eval(pk, t, f, sig σ on m))
Key difference: original sigs remain hidden in weak context hiding
(in both defs adv. can be given the secret key)

9 Applications
- Authenticated statistics: average, variance, …
- Data mining: signed decision trees (ID3), signed SVM, …
- Least squares
[Figure: least-squares plot; axes: log (axis of orbit), log (orbit period); points: earth, mars, jupiter, venus, saturn]

10 Signed least squares (ex: y = ax + b)
Consider data set {(x_i, y_i)}, i = 1, …, k, of integers. Then:
  a = f(x, y) / h(x, y) and b = g(x, y) / h(x, y)
where f, g, h are cubic integer polynomials
Using a cubic homomorphic scheme: signed x_1, …, x_k, y_1, …, y_k ⇒ signed f(x,y), g(x,y), h(x,y)
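
Added example (not from the talk): the slide does not spell out f, g, h, so this sketch assumes the standard normal-equation closed form, in which every term has degree at most 3 in the data. It shows the split the slide implies: the server only evaluates integer polynomials, and the verifier does the division on the authenticated outputs. Function names and sample data are constructed for illustration.

```python
from fractions import Fraction

def least_squares_polys(xs, ys):
    """Integer polynomials (f, g, h) with slope a = f/h, intercept b = g/h.

    Assumed closed form (normal equations); each term has total degree
    at most 3 in the data, so a cubic homomorphic scheme can evaluate it.
    """
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need k >= 2 paired integer points")
    if not all(isinstance(v, int) for v in list(xs) + list(ys)):
        raise TypeError("data must be integers")
    k = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxx = sum(x * x for x in xs)
    sxy = sum(x * y for x, y in zip(xs, ys))
    f = k * sxy - sx * sy       # degree 2 in the data
    g = sy * sxx - sx * sxy     # degree 3 in the data
    h = k * sxx - sx * sx       # degree 2 in the data
    return f, g, h

def recover_line(f, g, h):
    """Verifier side: divide the authenticated integers, outside the scheme."""
    if h == 0:
        raise ValueError("h = 0: all x_i are equal, no unique line")
    return Fraction(f, h), Fraction(g, h)

def normal_equations_hold(xs, ys, a, b):
    """Least-squares condition: residuals are orthogonal to 1 and to x."""
    r = [y - (a * x + b) for x, y in zip(xs, ys)]
    return sum(r) == 0 and sum(x * ri for x, ri in zip(xs, r)) == 0

# Constructed sample data (not from the talk).
XS = [1, 2, 3, 4]
YS = [3, 5, 7, 10]

if __name__ == "__main__":
    f, g, h = least_squares_polys(XS, YS)
    a, b = recover_line(f, g, h)
    print(f, g, h, a, b, normal_equations_hold(XS, YS, a, b))
```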

11 Constructions

12 Homomorphic systems
                   | Encryption                                          | Signatures
Linear functions   | Large p: [P’99,…]; Small p: [GM’82,…]               | [KFM’04, CJL’06, BFKW’09] [BF’10, BF’11]
Polynomials        | quadratic: [BGN’05, GHV’10]; small degree: [G’09]   | [BF’11] (small degree)
Poly-size circuits | [G’09, vDGHV’10, SV’10]                             | ????

14 Homomorphic systems
                   | Encryption                                          | Signatures
Linear functions   | Large p: [P’99,…]; Small p: [GM’82,…]               | [KFM’04, CJL’06, BFKW’09] [BF’10, BF’11]
Polynomials        | quadratic: [BGN’05, GHV’10]; small degree: [G’09]   | [BF’11] (small degree)
Poly-size circuits | [G’09, …]                                           | ????

15 Linearly homomorphic sigs: options

16 B = b_1 … b_m

17 Cosets of a lattice

18 Lattice-based signatures [GPV’08]

19 A linear lattice signature system (the intersection method)

20 Homomorphic property

21 Unforgeability

22 Polynomially homomorphic sigs
But no privacy!

23 Summary
                   | Encryption                                          | Signatures
Linear functions   | Large p: [P’99,…]; Small p: [GM’82,…]               | [KFM’04, CJL’06, BFKW’09] [BF’10]
Polynomials        | quadratic: [BGN’05, GHV’10]; small degree: [G’09]   | [BF’11] (small degree)
Poly-size circuits | [G’09, …]                                           | ????

24 Alternate approaches
Computationally Sound (CS) Proofs [Micali’00]
Diagram: (m, t) → sign(sk, (t, m)) → (m, t, σ); with t, f: Y → X → x = f(m), proof π
π: short proof of knowledge [V’07] that
  (t, f, x) ∈ { (t, f, x; m, σ) s.t. x = f(m), and verify(PK, (t,m), σ) = 1 }
Need PCP machinery. Harder to compose [V’07]
Cannot build from falsifiable assumptions [GW’11]

25 Many open problems
- Fully homomorphic sigs (a la Gentry’s bootstrapping)
  Or more than low-degree polynomials
- Polynomially homomorphic sigs:
  with privacy
  without random oracles (can do for linear sigs)

26 THE END

27 Restricted Homomorphic Encryption
Back in 2008: best homomorphic systems -- linear or quadratic operations
Prabhakaran and Rosulek [PR’08]: built systems that provably support only linear operations.
More generally: can we build systems that support a restricted set of homomorphisms F?

28 Applications [BSW’11]
Network guards on encrypted traffic:
With restricted FHE: guard can implement policy, but nothing else
Goal: restricted FHE that keeps ciphertext size short
[Diagram labels: Guard 1, Guard 2]

29 A New Construction [BSW’11]
Properties: no ciphertext expansion under constant iteration
Tools: a recent short NIZK due to Groth [G’10]
[Diagram labels: Fully Hom. Enc.; func. family F; Hom. Enc. for F]

