Presentation is loading. Please wait.

Presentation is loading. Please wait.

Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.

Published bySydney Stafford Modified over 8 years ago

Similar presentations

Presentation on theme: "Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University."— Presentation transcript:

1 based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University

2 Recall the GSW FHE

3 GSW as a Commitment

4 Homomorphic Computation on Commitments and Openings Might reveal extra info about x 1,…,x n. (can remove this)

5 Homomorphic Computation on Commitments and Openings Commitments: C 1 = AR 1 + x 1 G, C 2 = AR 2 + x 2 G Openings: (x 1, R 1 ) (x 2, R 2 ) Addition: Eval com C + = C 1 + C 2 Eval open ( x 1 + x 2, R 1 + R 2 ) C + = ( AR 1 + x 1 G ) + ( AR 2 + x 2 G ) = A(R 1 +R 2 ) + (x 1 +x 2 )G

6 Homomorphic Computation on Commitments and Openings Commitments: C 1 = AR 1 + x 1 G, C 2 = AR 2 + x 2 G Openings: (x 1, R 1 ) (x 2, R 2 ) Multiplication: Eval com C x = C 1 G -1 (C 2 ) Eval open (x 1 x 2, R 1 G -1 (C 2 ) + x 1 R 2 ) C x = (AR 1 + x 1 G) G -1 (C 2 ) = (AR 1 G -1 (C 2 ) + x 1 (AR 2 + x 2 G) = A(R 1 G -1 (C 2 ) + x 1 R 2 ) + x 1 x 2 G

7 Two Flavors of Commitments A is chosen as in GSW: – computationally hiding (LWE). – statistically binding. – extractable using trapdoor. A is chosen uniformly random: – scheme is statistically hiding, commitments are uniformly random. – computationally binding (SIS or LWE) – equivocal using a trapdoor (next) B b = sB+e A = Commit pk (x) : C = AR + xG

8 SIS Trapdoor [Ajtai99,…,MP12] Goal: choose a random A with a trapdoor such that for any V can find short R : AR = V. A = To open commitment C to a bit x, set V = C – xG. B BR* + G AT = G n m/2 R = TG -1 (V) Trapdoor: T = -R* I

9 SIS Trapdoor with Correct Distribution [GPV08, MP12, LW15]

10 Summary: Homomorphic Commitments

11 Homomorphic Commitments extractable equivocal Homomorphic Encryption Homomorphic Signatures

12 x x = (x 1, …, x n ) y=f(x) Alice Bob Cloud Server y large databaseprogram Homomorphic Signatures: Motivation

13 communicationcomputation privacy verifiability ENCRYPTION HOMOMORPHIC ENCRYPTION SIGNATURES HOMOMORPHIC

14 Verify(pkf, y, σ f,y )=1 Homomorphic Signatures (HS) y=f(x) σ f,y =Eval pk (f,x,σ ) Alice (sk) Bob (pk) Cloud Server y, Is y=f(x) ??? σ ← Sign sk (x) x, σx, σ σ f,y Shortness: ind. of size of x or runtime of f Process pk (f)=pk f Efficiency: ind. of runtime of f and size of x correctness Security : If y=f(x), the cloud cannot convince Bob that result is y’ ≠ y Additional features: Multi-Data: Alice can sign many different (labeled) datasets. Context Hiding: σ f,y reveals no additional info about x.

15 [CJL’09, BFKW’09, GKKR’10, BF’11] [BF’11][CFW’14][GVW’15] This Talk Program ClassLinear functions Bounded degree polynomials all circuits (leveled) AssumptionBilinear, RSA, SIS Ideal SIS + Random Oracle Multilinear Maps SIS/LWE -- Bad-- Good Constructions of Homomorphic Signatures

16 Other Solutions x, σ x = (x 1, …, x n ) Alice Bob Cloud Server y, Π CS proofs/SNARKs? [Mic’00, BCCT12] short proofclassic signatureVerify(y, Π)=1 y=f(x) use non-standard assumptions [Mic’00, BCCT’12] x x = (x 1, …, x n ) y=f(x) Alice Bob Cloud Server challenge Memory Delegation? [CKLR’11] response interactive verification Other solutions also fall short: [GRK’08, AIK’10, BGV’11, PRV’12, GW’13, KRR’14] (private verification or preprocessing) which are essential [GW’11]

17 Theorem [Gorbunov, Vaikuntanathan, Wichs’15] : There exists a Homomorphic Signature (HS) scheme for arbitrary programs represented by circuits where: Our Results Shortness: Size of certificate σ f,y is poly(λ, d) where λ is the security parameter and d is the circuit depth for f. Security: assuming hardness SIS /LWE standard lattices Caveat: Need large public random string (public params) or random oracle model.

18 Warm-Up: 1-Time, 1-Bit Signature from Equivocal Commitment Public parameters: random commitment C Verification key: commitment key pk Signing key: equivocation trapdoor td To sign a message x, use trapdoor to sample an opening R such that C = Commit(x;R). Selective security: if adversary picks signing query x ahead of time, can set C = Commit(x;R) and not know td. Forgery breaks binding.

19 Warm-Up: 1-Time, Multi-Bit Signature from Equivocal Commitment Public parameters: random commitment C 1,…,C n Verification key: commitment key pk Signing key: equivocation trapdoor td To sign a message (x 1,…,x n ) use trapdoor to sample openings R i such that C i = Commit(x;R i ). Selective security: if adversary picks signing query x ahead of time, can set C = Commit(x;R) and not know td. Forgery breaks binding.

20 Homomorphic Signature Public params: C 1 … C n Sign sk (x 1, …, x n ) → σ:sample R 1,…,R n s.t. Commit(x i ;R i )=C i random commitments Output pk f = C f = Eval com (f, C 1, …, C n ) Verify pk (pk f, y, σ f,y ) =1 iff C f = Comm pk (y;R f ) σ f,y := R f = Eval open (f, (x 1, R 1 ), …, (x n, R n )) Eval pk (f, (x 1,R 1 )…,(x n, R n ) )→σ f,y Process pk (f) →pk f Verification key: pkSigning key: td

21 Extensions Full security (beyond selective): – Homomorphic chameleon hash [KR00] = Homomorphic equivocal commitments. Multiple data sets: – Use standard signature to sign a fresh verification key of homomorphic signature scheme for each data set. Context Hiding (certificate only reveals output of comp.) – Can be done generically with NIZKs. – Nice way to do this for our scheme using equivocation trapdoors.

22 Open Problems Remove large public parameters? Remove dependence on depth. Bootstrapping?

23

Download ppt "Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University."

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,

Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors Ronald Cramer, Yevgeniy Dodis, Serge Fehr, Carles Padro,
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Lattice-Based Cryptography

Lattice-Based Cryptography
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Identity Based Encryption

Identity Based Encryption
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

Similar presentations

Ads by Google