On the Security Notions for Homomorphic Signatures

Abstract

Homomorphic signature schemes allow anyone to perform computation on signed data in such a way that the correctness of computation’s results is publicly certified. In this work we analyze the security notions for this powerful primitive considered in previous work, with a special focus on adaptive security. Motivated by the complications of existing security models in the adaptive setting, we consider a simpler and (at the same time) stronger security definition inspired to that proposed by Gennaro and Wichs (ASIACRYPT’13) for homomorphic MACs. In addition to strength and simplicity, this definition has the advantage to enable the adoption of homomorphic signatures in dynamic data outsourcing scenarios, such as delegation of computation on data streams. Then, since no existing homomorphic signature satisfies this stronger notion, our main technical contribution are general compilers which turn a homomorphic signature scheme secure under a weak definition into one secure under the new stronger notion. Our compilers are totally generic with respect to the underlying scheme. Moreover, they preserve three important properties of homomorphic signatures: composability, context-hiding (i.e. signatures on computation’s output do not reveal information about the input) and efficient verification (i.e. verifying a signature against a program \({\mathcal P}\) can be made faster, in an amortized, asymptotic sense, than recomputing \({\mathcal P}\) from scratch).

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Digital signatures are a fundamental cryptographic primitive for guaranteeing the authenticity of digital information. In a digital signature scheme, a user Alice can use her secret key sk to generate a signature \(\sigma _{m}\) on a message m, and a user Bob can use Alice’s public key pk to check the authenticity of \((m, \sigma _{m})\). The standard security notion of digital signatures, unforgeability against chosen message attacks, says that an attacker who has access to a collection of signatures on messages of his choice cannot produce a signature on a new message. This notion essentially means that signatures must be non-malleable in the sense that, from a signature on m one cannot derive a signature on some \(m' \ne m\).

Even if in the most popular applications one wishes such a strong notion of non-malleability, there are application scenarios where some form of malleability can become very useful, paradoxically even for signature schemes. A notable example is that of homomorphic signatures, a notion first proposed by Desmedt [19] and Johnson et al. [26], defined in the context of linear network coding by Boneh et al. [6] and later properly formalized by Boneh and Freeman [7]. This is what we study in this work.

Homomorphic Signatures. In homomorphic signatures, a user Alice can use her secret key sk to generate signatures \(\sigma _1, \ldots , \sigma _n\) on a collection of messages \((m_1, \ldots , m_n)\) – a so-called dataset. Then the interesting feature of this primitive is a (publicly computable) \(\mathsf{Eval}\) algorithm that takes the signatures \(\sigma _1, \ldots , \sigma _n\) and a program \({\mathcal P}\), and outputs a signature \(\sigma _{{\mathcal P}, m}\) on the message \(m = {\mathcal P}(m_1, \ldots , m_n)\) as the output of \({\mathcal P}\). It is crucial that \(\sigma _{{\mathcal P}, m}\) is not a signature on just m, but on m as output of the program \({\mathcal P}\). The latter observation indeed makes sure that signatures are not “too malleable”, but they rather have a controlled malleability. This means that a user Bob will use Alice’s public key pk to check the triple \(({\mathcal P}, m, \sigma _{{\mathcal P}, m})\) and get convinced of whether m is the correct output of \({\mathcal P}\) on messages previously signed by Alice.

In addition to this interesting functionality, what makes this primitive attractive is the following set of features. First, homomorphic signatures must be succinct, meaning that their size must be significantly smaller than the size of the input dataset.¹ Second, Bob can verify computation’s outputs without needing to know the original dataset, a very appealing feature when considering computations on very large datasets that could not be stored locally by verifiers. Third, homomorphic signatures are composable, in the sense that signatures obtained from \(\mathsf{Eval}\) can be fed as inputs to new computations. Using composability, one can, for example, distribute different subtasks to several untrusted workers, ask each of them to produce a proof of its local task, and use these proofs to create another unique proof for the final job (as in the MapReduce approach). All these features make homomorphic signatures an interesting candidate to be used for securely delegating computation on previously outsourced data.

If the functionality of homomorphic signatures can be explained as above, defining the security notion of this primitive is a more delicate task. The following paragraphs provide an explanation of the security notions and then give an overview of our results. We warn the reader that the explanations in the introduction intentionally hide some details of the model for ease of exposition. A detailed formalization appears in Sect. 2.

Security of Homomorphic Signatures. Properly defining security for homomorphic signatures is tricky. Clearly, an homomorphic signature cannot meet the usual unforgeability requirement [24] as the primitive does allow the adversary to come up (honestly) with new signatures. The first satisfactory security definition was proposed by Boneh and Freeman in [7]. Intuitively, a homomorphic signature is secure if an adversary who knows the public key can only come up with signatures that are either obtained from the legitimate signer Alice, or they are obtained by running \(\mathsf{Eval}\) on the signatures obtained by Alice. In other words, the adversary can only do what is in the scope of the public evaluation algorithm. Slightly more in detail, this new unforgeability game can be explained as follows. During a training phase the adversary \(\mathcal{A}\) is allowed to see the signatures of messages belonging to different datasets. The adversary then wins the game if she can produce either (1) a signature on a message m belonging to some previously unseen dataset (this is called a Type 1 forgery), or (2) for some previously seen dataset \({\varDelta }=\{m_1, \ldots , m_n\}\), she manages to produce a triplet \(({\mathcal P},\sigma ,m)\), such that \(\sigma \) verifies correctly but \(m \ne {\mathcal P}(m_1, \ldots , m_n)\) (this is called a Type 2 forgery). Again explained in words, this definition means that the adversary can cheat either by claiming an output on a dataset that she never saw/queried, or by claiming an incorrect output of a given program \({\mathcal P}\), executed on a collection of messages for which she saw signatures.

A noteworthy caveat of the Boneh and Freeman [7] definition is the requirement that the adversary submits all the messages belonging to each queried dataset. Namely, for each queried dataset \({\varDelta }\), \(\mathcal{A}\) has to ask exactly n signing queries.² In this work, because of this limitation, we call this notion semi-adaptive security.³

To overcome this limitation, Freeman [21] later proposed a stronger notion where the adversary is allowed to adaptively query messages one by one, and even to sprinkle queries from different datasets. In this work, because of its increased adaptivity, we call the notion in [21] adaptive security.

The Shortcomings of Adaptive Security. Adaptive security, while very natural, has a dark side. Loosening the query-all requirement implies that the adversary might provide a forgery \(({\mathcal P},\sigma ,m)\) that corresponds to a previously seen dataset \({\varDelta }\), but for which \(\mathcal{A}\) did not ask signing queries on all the inputs of \({\mathcal P}\). For instance, \(\mathcal{A}\) might pretend to have a signature on \(m \ne {\mathcal P}(m_1, m_2)\) without having ever made a query on \(m_2\). The issue in this case is that it is not even possible to define what is the correct output of \({\mathcal P}\) in order to say whether the adversary has cheated (i.e., if m is a correct output or not). To deal with this issue, Freeman proposed a notion of “well-defined program” which characterizes when the output of \({\mathcal P}\) can be defined in spite of missing inputs. The idea is simple and intuitively says that a program is well defined if the missing inputs do not change its outcome (e.g., \({\mathcal P}(m_1, \cdot )\) is constant). Freeman’s definition then considered a forgery also one that passes verification for a \({\mathcal P}\) not well-defined, and called such a forgery Type 3.

Type 3 forgeries are however nasty animals. Not only they are very hard to work with (as the security definition turns complicated), but they also make the outcome of the security experiment not efficiently computable. In fact, when considering general functions it may not be possible to check the well-definedness of \({\mathcal P}\) in polynomial time. This can be solved when \({\mathcal P}\) is a linear [21] or a low degree polynomial [9, 17], but the issue remains for the more general case, e.g., polynomial size circuits. In particular, this issue can generate troubles when proving the security of homomorphic signatures as well as when using them in larger protocols (as simply testing whether an adversary returned a forgery may not be doable in polynomial time).

1.1 Our Contribution

The state of the art of security notions for homomorphic signatures, as discussed above, seems quite unsatisfactory. Having expressive, yet easy to use, definitions is indeed a fundamental step towards a better understanding of cryptographic primitives.

A Stronger and Simpler Security Notion. To address the issues of adaptive security, we consider a new security notion that is both simpler and stronger than the one in [21]. This notion, that we call strong adaptive security, is the public key version of the one proposed by Gennaro and Wichs [23] for homomorphic message authenticators (the secret key equivalent of homomorphic signatures).⁴ Strong adaptive security deals with the case of programs with missing inputs in a simple way: if the triplet \(({\mathcal P}, m, \sigma )\) returned by the adversary verifies correctly and some inputs of \({\mathcal P}\) were not queried during the experiment, then it is considered a forgery (we call it a Type 3 Strong forgery).

Compared to previous notions, strong adaptive security has several advantages. First, the winning condition of the experiment is efficiently computable, thus avoiding the issues that may arise when proving and using homomorphic signatures. Second, the new forgery definition is arguably much simpler to state and work with. Finally, being a strengthening of adaptive security, homomorphic signature schemes that are strongly adaptive secure can be used in more application scenarios as discussed before.

Realizing Strong Adaptive Security, Generically. If we aim for strong adaptive security to be the “right” strong notion to use for homomorphic signatures, then we face the problem that virtually all existing schemes are not secure under this strong notion. This is the case for those schemes that support linear or low-degree polynomials and were proven secure under the adaptive notion of [21], as well as for the recently proposed leveled homomorphic scheme for circuits [25] which is only semi-adaptive secure. Notably, all these constructions break down in the new security experiment as they do not tolerate adversaries that issue Type 3 Strong forgeries. The only scheme which stands security in this stronger model is a recent proposal of Elkhiyaoui et al. [20] which supports constant-degree polynomials and relies on multilinear maps in the random oracle model. To remedy this situation, our main contribution is to show that strong adaptive security can be easily achieved without additional assumptions and in the standard model. Specifically, our main result is a generic compiler that, starting from an homomorphic signature scheme \(\varSigma \) satisfying semi-adaptive security, converts \(\varSigma \) into a strongly adaptive secure scheme that supports the same class of functions.

The compiler uses, as additional building block, a semi-adaptive secure signature scheme \(\varSigma _\mathsf{OR}\) that supports OR operations over \(\mathbb {Z}_2\). Clearly, if \(\varSigma \) supports arbitrary boolean circuits, then \(\varSigma _\mathsf{OR}\) can be instantiated using \(\varSigma \) itself. In such a case, our result is thus providing a transformation that “bootstraps” semi-adaptive security to strong adaptive security. If, on the other hand, \(\varSigma _\mathsf{OR}\) cannot be instantiated using \(\varSigma \), our result still provides a way to get strong adaptive security, under the additional assumption that semi-adaptive secure OR-homomorphic signatures exist. Nevertheless, since very few concrete examples of OR-homomorphic signatures are known (essentially, only one [25]), even if we think that this is not a limitation by itself, we asked whether a similar result could be obtained out of some more widely studied primitive. Along this direction, our second result is another compiler that combines a semi-adaptive secure scheme \(\varSigma \) together with a semi-adaptive secure linearly-homomorphic signature \(\varSigma _\mathsf{LH}\) that works for messages over a large ring, say \(\mathbb {Z}_p\). This combination yields a homomorphic signature scheme that is strongly adaptive secure and supports the same class of functions supported by \(\varSigma \). A limitation of this second transformation is that it applies only to schemes that are leveled homomorphic (i.e., for circuits of bounded depth). As an interesting feature, however, this result shows that strong adaptive security can be obtained from linearly-homomorphic schemes, a class of constructions for which many constructions are known (most of which are also way more efficient in practice than [25]).

Both our transformations hold in the standard model, and they preserve three properties of homomorphic signatures: composability, context-hiding and efficient-verification (so, security can be upgraded without penalties). Context hiding deals with privacy and informally says that signatures on computation’s outputs do not reveal information on the inputs. The latter instead fully enables the use of homomorphic signatures for verifiable delegation of computation, by requiring that verifying a signature for a program \({\mathcal P}\) is asymptotically faster (in an amortized, offline-online sense) than recomputing \({\mathcal P}\) from scratch (for the formal definitions of both context hiding and efficient verification we refer to [14]). We point out that our compilers are completely generic with respect to the semi adaptive secure scheme. This means, for instance, that when applied to the recent (leveled) fully homomorphic solution of [25] they lead to homomorphic signature schemes for general circuits achieving strong adaptive security.

On the Importance of Strong Adaptive Security. As an important application of (strong) adaptive secure homomorphic signatures, we mention certified computation on streaming data. Consider a scenario where a user Alice outsources a stream of data \(m_1, m_2, \ldots \) to an untrusted Cloud, so that the Cloud can compute a program \({\mathcal P}\) on the current snapshot \((m_1, \ldots , m_i)\) and post the result publicly (e.g., on a third party website). Using homomorphic signatures, Alice can sign each element of the data stream, while the Cloud can compute a homomorphic signature \(\sigma _{{\mathcal P}, y_i}\) on every computed result \(y_i = {\mathcal P}(m_1, \ldots , m_i)\) and post \((y_i, \sigma _{{\mathcal P}, y_i})\). This way, anyone with the only knowledge of Alice’s public key is able to check the results validity. Notably, the Cloud can produce the certified results in a completely non-interactive fashion, and no communication between Alice and the verifiers is needed (except, of course, for sending the public key). In such a scenario, where datasets grow dynamically and one performs computations on their current version, (strong) adaptive security is fundamental as it prevents the cloud from claiming to have results computed on dataset elements that it did not receive (yet). This is particularly relevant in scenarios where there is no communication between the signer and the verifiers, who may not be aware of the current status of the outsourced stream. Furthermore, strong adaptive security is important in the case of very large, potentially unbounded, datasets (as in the streaming case) as one cannot assume that the adversary queries the whole dataset. This actually shows an inherent limitation of semi-adaptive security, which cannot cope with datasets of arbitrarily large, unbounded, size. Indeed, to fit the requirements of the definition, adversaries would be required to ask signing queries on the whole dataset. However, if datasets are unbounded either the notion of whole dataset does not exist, or it can be approximated by configuring the scheme to work on a dataset of exponential size, which could not be queried in full by a polynomially bounded adversary.

As a final note, we remark that, in settings where the messages \(m_1, \ldots , m_i\) are signed sequentially, one at a time, it might be tempting to address the limitations of semi-adaptive security via (standard) signatures as follows. One simply includes a signature of the largest index i signed so far. When verifying an homomorphic signature for \({\mathcal P}(m_1, \ldots , m_k)\), where k is the largest index touched by \({\mathcal P}\), one also requires a (standard) signature on k. This solution has the drawback of requiring an ordering of indexes. More seriously, it only works in contexts where messages are signed in index-increasing order. Our solution, on the other hand, encompasses the more general case where messages are signed in completely arbitrary order (and without imposing additional constraints on the underlying indexes).

Other Related Work. The notion of homomorphic signature was (informally) suggested by Desmedt [19] and later more formally introduced by Johnson et al. [26]. The special case of linearly homomorphic signatures was first considered by Boneh et al. [6] as a key tool to prevent pollution attacks in network coding routing mechanisms. Following this work, several papers further studied this primitive both in the random oracle [7, 8, 11, 22], and in the standard model [3,4,5, 13, 15, 16, 21]. In the symmetric setting realizations of linearly homomorphic MACs have been proposed by Agrawal and Boneh in [1].

Several recent works also considered the question of constructing homomorphic authenticators (i.e., signatures and/or MACs) supporting more expressive functionalities. Boneh and Freeman in [7] proposed an homomorphic signature scheme for constant degree polynomials, in the random oracle model. Gennaro and Wichs [23] presented a construction of fully homomorphic MACs based on fully homomorphic encryption in a restricted adversarial model where no verification queries are allowed. Catalano and Fiore [9] proposed a much more efficient homomorphic MAC solution that, while capturing a less expressive class of functionalities (i.e. arithmetic circuits of polynomially bounded degree), allows for verification queries. This latter result was further generalized in [10]. All these constructions of homomorphic MACs achieve adaptive security.

In the asymmetric setting, Catalano, Fiore and Warinschi [17] proposed a homomorphic signature that achieves adaptive security in the standard model, works for constant degree polynomials and is based on multilinear maps. Moreover, Gorbunov, Vaikuntanathan and Wichs [25] recently proposed the first homomorphic signature construction that can handle boolean circuits of bounded polynomial depth; their scheme is secure in the semi-adaptive model, and is based on standard lattices.

Finally, we notice that Ahn et al. [2] and Chase et al. [18] worked on malleable signatures. In particular, [18] considered a problem similar to the one addressed in this work, i.e., elaborating a definition that allows one to establish, in an efficient way, when the signature produced by the adversary is a valid forgery. They deal with this problem by formalizing the idea that the adversary “must know” the function and the input that were used to obtain the forgery. To formalize this idea, their definition asks for the existence of a black-box extractor that must extract this information from what is in the view of the game and the output of the adversary. Unfortunately, this type of definition is impossible to achieve when one considers the case of succinct homomorphic signatures for n-ary functions, as we do in our paper. The reason is simply that the extractor should extract an amount of information (such as the function input) that is much larger than what is in its input.

1.2 An Overview of Our Compiler

To obtain strongly-adaptive secure homomorphic signatures from semi-adaptive secure ones, we propose a compiler that takes a semi-adaptive secure scheme \(\varSigma \) and upgrades its security with the help of an additional building block: an homomorphic signature scheme \(\varSigma _\mathsf{OR}\) that supports OR operations over \(\mathbb {Z}_2\). The basic idea of our compiler is to use \(\varSigma _\mathsf{OR}\) to additionally sign a bit ‘0’ for every dataset input. The homomorphic properties of this scheme then guarantee that the resulting bit remains 0 if and only if one properly operates on ‘0’ bits. This can be achieved either directly, by employing an or-homomorphic scheme, or indirectly, via an homomorphic signature for additions (over a sufficiently large ring \(\mathbb {Z}_p\)). This latter construction is more efficient, but it comes with restrictions. Indeed, to avoid false positives (i.e., invalid signatures that are interpreted as correct ones), p should be large, i.e., larger than \(c^d\), where c is the (constant) fan-in and d the maximum depth of the supported circuits.

More in detail, the compiler works as follows. For every dataset input m, in addition to signing m using the scheme \(\varSigma \), we also sign the bit ‘0’ using \(\varSigma _\mathsf{OR}\). So, every signature now consists of a pair \((\sigma _m, \sigma _b)\), where \(\sigma _{m}\) is a signature with the scheme \(\varSigma \) on some message m, and \(\sigma _{b}\) is a signature of a bit b with the scheme \(\varSigma _\mathsf{OR}\). Next, at every gate g we compute g homomorphically on the \(\sigma _m\)’s components, and we compute OR homomorphically on the \(\sigma _{b}\)’s. Finally, signature verification consists into the usual verification of \(\sigma _m\) (for a program \({\mathcal P}\)), plus checking that \(\sigma _b\) verifies for 0 for a computation that is simply an OR of all the dataset input bits. The reason why this makes the scheme resistant to strong Type-3 forgeries is that when the adversary does not ask all the dataset inputs (and thus misses a signature of ‘0’ on the missing inputs) it is forced to create a forgery for the \(\sigma _b\) component. The latter must verify for ‘0’ by construction. However, one of the missing bits could be set to be ‘1’ (notice indeed that the adversary does not see it), thus making the correct output of the OR computation ‘1’. Hence the signature returned by the adversary must verify for an incorrect output, i.e., it is a forgery for \(\varSigma _\mathsf{OR}\).

Notation. We denote with \(\lambda \in \mathbb N\) a security parameter. A probabilistic polynomial time (PPT) algorithm \(\mathcal{A}\) is a randomized algorithm for which there exists a polynomial \(p(\cdot )\) such that for every input x the running time of \(\mathcal{A}(x)\) is bounded by p(|x|). We say that a function \(\epsilon : \mathbb N\rightarrow \mathbb R^+\) is negligible if for every positive polynomial \(p(\lambda )\) there exists \({\lambda }_0 \in \mathbb N\) such that for all \(\lambda > {\lambda }_0\): \(\epsilon (\lambda ) < 1/p(\lambda )\). If S is a set, \(x {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}S\) denotes the process of selecting x uniformly at random in S. If \(\mathcal{A}\) is a probabilistic algorithm, \(y {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal{A}(\cdot )\) denotes the process of running \(\mathcal{A}\) on some appropriate input and assigning its output to y. For a positive integer n, we denote by [n] the set \(\{1,\ldots , n\}\).

2 Homomorphic Signatures

In this section we recall the definition of homomorphic signatures. This definition extends the one by Freeman in [21] in order to work with the general notion of labeled programs [23].

Labeled Programs [23]. A labeled program \({\mathcal P}\) is a tuple \((f, {\tau }_1,\ldots ,{\tau }_n)\) such that \(f : \mathcal{M}^n \rightarrow \mathcal{M}\) is a function of n variables (e.g., a circuit) and \({\tau }_i \in \{0,1\}^*\) is a label of the i-th input of f. Labeled programs can be composed as follows: given \({\mathcal P}_1, \dots , {\mathcal P}_t\) and a function \(g: \mathcal{M}^t \rightarrow \mathcal{M}\), the composed program \({\mathcal P}^*\) is the one obtained by evaluating g on the outputs of \({\mathcal P}_1,\dots , {\mathcal P}_t\), and it is denoted as \({\mathcal P}^* = g({\mathcal P}_1, \dots , {\mathcal P}_t )\). The labeled inputs of \({\mathcal P}^*\) are all the distinct labeled inputs of \({\mathcal P}_1, \dots , {\mathcal P}_t\) (all the inputs with the same label are grouped together and considered as a unique input of \({\mathcal P}^*\)).

Let \(f_{id} : \mathcal{M}\rightarrow \mathcal{M}\) be the identity function and \({\tau }\in \{0,1\}^*\) be any label. We refer to \(\mathcal{I}_{{\tau }}= (f_{id}, {\tau })\) as the identity program with label \({\tau }\). Note that a program \({\mathcal P}= (f, {\tau }_1, \cdots , {\tau }_n) \) can be expressed as the composition of n identity programs \({\mathcal P}= f(\mathcal{I}_{\tau _1}, \cdots , \mathcal{I}_{\tau _n})\).

Definition 1

(Homomorphic Signature). A homomorphic signature scheme \(\mathsf{HSig}\) consists of a tuple of PPT algorithms \((\mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Ver}, \mathsf{Eval})\) with the following syntax:  

\(\mathsf{KeyGen}(1^\lambda , \mathcal{L})\) :

the key generation algorithm takes as input a security parameter \(\lambda \), a description of the label space \(\mathcal{L}\) (which fixes the maximum data set size N), and outputs a public key \(\mathsf{vk}\) and a secret key \(\mathsf{sk}\). The public key \(\mathsf{vk}\) contains a description of the message space \(\mathcal{M}\) and the set \(\mathcal{F}\) of admissible functions.

\(\mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\) :

the signing algorithm takes as input a secret key \(\mathsf{sk}\), a data set identifier \({\varDelta }\in \{0,1\}^*\), a label \({\tau }\in \mathcal{L}\), a message \(m \in \mathcal{M}\), and it outputs a signature \(\sigma \).

\(\mathsf{Eval}(\mathsf{vk}, f, \sigma _1, \ldots , \sigma _n)\) :

the evaluation algorithm takes as input a public key \(\mathsf{vk}\), a function \(f \in \mathcal{F}\) and a tuple of signatures \(\{\sigma _i\}_{i=1}^{n}\) (assuming that f takes n inputs). It outputs a new signature \(\sigma \).

\(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}, {\varDelta }, m, \sigma )\) :

the verification algorithm takes as input a public key \(\mathsf{vk}\), a labeled program \({\mathcal P}= (f, {\tau }_1, \dots , {\tau }_n)\) with \(f \in \mathcal{F}\), a dataset identifier \({\varDelta }\), a message \(m \in \mathcal{M}\), and a signature \(\sigma \). It outputs either 0 (reject) or 1 (accept).

 

A homomorphic signature scheme is required to satisfy the properties of authentication correctness, evaluation correctness and succinctness that we describe below. The security property is discussed slightly later in Sect. 2.1.

Authentication Correctness. Intuitively, a homomorphic signature scheme has authentication correctness if the signature generated by \(\mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\) verifies correctly for m as the output of the identity program \(\mathcal{I}_{{\tau }}\) on a dataset with identifier \({\varDelta }\). More formally, a scheme \(\mathsf{HSig}\) satisfies the authentication correctness property if for a given label space \(\mathcal{L}\), all key pairs \((\mathsf{sk}, \mathsf{vk}) \leftarrow \mathsf{KeyGen}(1^\lambda , \mathcal{L})\), any label \({\tau }\in \mathcal{L}\), dataset identifier \({\varDelta }\in \{0,1\}^*\), and any signature \(\sigma \leftarrow \mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\), \(\mathsf{Ver}(\mathsf{vk}, \mathcal{I}_{{\tau }}, {\varDelta }, m, \sigma )\) outputs 1 with all but negligible probability.

Evaluation Correctness. Intuitively, this property says that running the evaluation algorithm on signatures \((\sigma _1, \dots , \sigma _t)\) such that each \(\sigma _i\) verifies for \(m_i\) as the output of a labeled program \({\mathcal P}_i\) and a dataset with identifier \({\varDelta }\), produces a signature \(\sigma \) which verifies for \(g(m_1, \dots , m_t)\) as the output of the composed program \(g({\mathcal P}_1, \dots , {\mathcal P}_t)\) and same dataset \({\varDelta }\). More formally, fix a key pair \((\mathsf{vk}, \mathsf{sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{KeyGen}(1^\lambda , \mathcal{L})\), a function \(g: \mathcal{M}^t \rightarrow \mathcal{M}\), and any set of program/message/signature triples \(\{({\mathcal P}_i, m_i, \sigma _i)\}_{i=1}^t\) such that \(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}_i, {\varDelta }, m_i, \sigma _i)=1\). If \(m^* = g(m_1, \dots , m_t)\), \({\mathcal P}^* = g({\mathcal P}_1, \dots , {\mathcal P}_t)\), and \(\sigma ^* = \mathsf{Eval}(\mathsf{vk}, g, \sigma _1, \dots , \sigma _t)\), then \(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}^* , {\varDelta }, m^*, \sigma ^*)= 1\) holds with all but negligible probability.

Succinctness. A homomorphic signature scheme is said to be succinct if, for a fixed security parameter \(\lambda \), the size of signatures depends at most logarithmically on the size of the input dataset. More formally, \(\mathsf{HSig}\) satisfies succinctness if there exists a polynomial \(p(\lambda )\) such that for all \((\mathsf{vk}, \mathsf{sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{KeyGen}(1^\lambda , \mathcal{L})\), all \((m_1, \ldots , m_t) \in \mathcal{M}^t\), all \(({\tau }_1, \ldots , {\tau }_t) \in \mathcal{L}^{t}\), any \({\varDelta }\in \{0,1\}^{*}\), and all functions \(f \in \mathcal{F}\), if \(\sigma _i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }_i, m_i)\) and \(\sigma {\leftarrow }\mathsf{Eval}(\mathsf{vk}, f, \sigma _1, \ldots , \sigma _t)\), then \(|\sigma | \le p(\lambda ) \cdot \log t\).

2.1 Security

At an intuitive level, a homomorphic signature is secure if an adversary, without knowledge of the secret key, can only come up with signatures that it obtained from the signer, or signatures that are obtained by running the \(\mathsf{Eval}\) algorithm on signatures obtained from the legitimate signer. Formalizing this intuition turns out to be tricky and leaves space to different possibilities.

In what follows we present three different security notions for homomorphic signatures that we call semi-adaptive, adaptive, and strong adaptive, respectively. These notions share the same security experiment between an adversary \(\mathcal{A}\) and a challenger, and the only difference lies in what is considered a forgery. The security experiment, denoted \(\mathbf {Exp}^{\mathsf{UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\), proceeds as described below:  

Key Generation. :

The challenger runs \((\mathsf{vk}, \mathsf{sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{KeyGen}(1^\lambda , \mathcal{L})\) and gives \(\mathsf{vk}\) to \(\mathcal{A}\).

Signing Queries. :

\(\mathcal{A}\) can adaptively submit queries of the form \(({\varDelta }, {\tau }, m)\), where \({\varDelta }\) is a data set identifier, \({\tau }\in \mathcal{L}\), and \(m \in \mathcal{M}\). The challenger proceeds as follows:

– if \(({\varDelta }, {\tau }, m)\) is the first query with the data set identifier \({\varDelta }\), the challenger initializes an empty list \(T_{\varDelta }= \emptyset \) for \({\varDelta }\).

– If \(T_{\varDelta }\) does not already contain a tuple \(({\tau }, \cdot )\) (i.e., \(\mathcal{A}\) never asked for a query \(({\varDelta }, {\tau }, \cdot )\)), the challenger computes \(\sigma {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\), returns \(\sigma \) to \(\mathcal{A}\) and updates the list \(T_{\varDelta }\leftarrow T_{\varDelta }\cup ({\tau }, m)\).

– If \(({\tau }, m) \in T_{\varDelta }\) (i.e., the adversary had already queried the tuple \(({\varDelta }, {\tau }, m)\)), the challenger replies with the same signature generated before.

– If \(T_{\varDelta }\) contains a tuple \(({\tau }, m^\prime )\) for some message \(m^\prime \ne m\), then the challenger ignores the query. Note that this means that a tuple \(({\varDelta }, {\tau }, \cdot )\) can be queried only once.

Forgery. :

The previous stage is executed until the adversary \(\mathcal{A}\) outputs a tuple \(({\mathcal P}^*, {\varDelta }^*, m^*, \sigma ^*)\). The experiments outputs 1 if the tuple returned by \(\mathcal{A}\) is a forgery, and 0 otherwise.

 

To complete the description of the experiment, it remains to define when a tuple \(({\mathcal P}^*, {\varDelta }^*, m^*, \sigma ^*)\) is considered a forgery. We give below three different forgery definitions; each of them yields a corresponding security notion for the homomorphic signature scheme.

Semi-adaptive Secure Homomorphic Signatures. Informally speaking, in the semi-adaptive security game a forgery is one where either (1) the dataset \({\varDelta }^{*}\) is “new” (i.e., no signing query \(({\varDelta }^{*}, \cdot , \cdot )\) was ever made during the game), or (2) the claimed output \(m^{*}\) of \({\mathcal P}^{*}\) is not the correct one. The crucial aspect of this definition is that to identify what is a correct output, one assumes that the adversary has fully specified the inputs of \({\mathcal P}^{*}\), namely \(\mathcal{A}\) has asked for signatures on \(({\varDelta }^{*}, {\tau }^{*}_{i}, m_i)\), for all \(i=1\) to n. More formally,

Definition 2

(Semi-adaptive Security). We define \(\mathbf {Exp}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) as the security experiment which proceeds as \(\mathbf {Exp}^{\mathsf{UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) with the addition that the tuple \(({\mathcal P}^*:=(f^*, {\tau }_1^*, \ldots , {\tau }_n^*), {\varDelta }^*, m^*, \sigma ^*)\) returned by the adversary \(\mathcal{A}\) is considered a forgery if \(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}^*, {\varDelta }^*, m^*, \sigma ^*) =1\) and either one of the following conditions hold:  

Type 1::

The list \(T_{{\varDelta }^*}\) has not been initialised during the game.

Type 2::

For all \(i \in [n], \; \exists \,({\tau }_i, m_i) \in T_{{\varDelta }^*}\) and \(m^* \ne f^*(m_1, \ldots , m_n)\).

  Let \(\mathbf {Adv}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) = \Pr [\mathbf {Exp}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )=1]\) be the advantage of \(\mathcal{A}\) against the semi-adaptive security of scheme \(\mathsf{HSig}\). We say that a homomorphic signature scheme \(\mathsf{HSig}\) is semi-adaptive secure (or simply secure) if for every PPT adversary \(\mathcal{A}\) there exists a negligible function \(\epsilon (\lambda )\) such that \(\mathbf {Adv}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) \le \epsilon (\lambda )\).

We stress that in the above security experiment the adversary \(\mathcal{A}\) is restricted to produce Type 2 forgeries where all the inputs of the labeled program have been queried during the experiment. This notion works well for applications where the dataset is signed in one shot (as in the earlier proposals of homomorphic signatures [7]), or where one computes on the signed data only after the whole dataset has been filled up. In contrast, in those applications where the dataset is signed incrementally and one performs computations in between (e.g., in streaming applications), semi-adaptive security falls short of providing good guarantees. The issue is that in such a dynamic setting the adversary may claim a forgery with a labeled program containing a label \({\tau }^{*}\) that was not queried during the game. In this case, the input of \({\mathcal P}^{*}\) is no longer specified and defining whether the adversary’s output is a forgery is not captured by Definition 2. From the literature, we note that the schemes in [6, 7, 22, 25] are proven under a weaker version of semi-adaptive security where the messages of every dataset have to be queried all at once.⁵

Adaptive Secure Homomorphic Signatures. The issue of adversaries who claim programs in which some of the inputs are missing in the forgery stage was recognized earlier on by Freeman [21]. To deal with this issue, he proposed a notion of “well-defined programs” which characterizes when the output of a program can be defined in spite of missing inputs. Intuitively, the idea is that a program is well-defined if the missing inputs do not change its outcome.

Definition 3

(Well-Defined Labeled Program [21]). A labeled program \({\mathcal P}^*= (f^*, {\tau }_1^*, \dots , {\tau }_n^*)\) is well-defined with respect to a list \(T = \{({\tau }_i, m_i)\}_{i \in I}\) if one of the two following cases holds:

• \(\forall i=1, \dots , n: ({\tau }_i^*, m_i) \in T\).

• \(\exists \; j \in [n]\) s.t. \(({\tau }_j, \cdot ) \notin T\), and for all possible choices of \(\tilde{m}_j \in \mathcal{M}\) such that \(({\tau }_j, \cdot ) \notin T\) \(f^*(m'_1, \ldots , m'_n)\) is the same, where \(m'_i = m_i\) for all i s.t. \(({\tau }_i, m_i) \in T\) and \(m'_i = \tilde{m}_i\) otherwise.

With the notion of well-defined programs, adaptive security can be defined as follows.

Definition 4

(Adaptive Security [21]). We define \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) as the security experiment which proceeds as \(\mathbf {Exp}^{\mathsf{UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) with the addition that the tuple \(({\mathcal P}^* :=(f^*, {\tau }_1^*, \ldots , {\tau }_n^*), {\varDelta }^*, m^*, \sigma ^*)\) returned by the adversary \(\mathcal{A}\) is considered a forgery if \(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}^*, {\varDelta }^*, m^*, \sigma ^*) =1\) and either one of the following conditions hold:  

Type 1::

The list \(T_{{\varDelta }^*}\) has not been initialized during the game.

Type 2::

\({\mathcal P}^*\) is well-defined with respect to \(T_{{\varDelta }^*}\), and \(m^* \ne f^*(m'_1, \ldots , m'_n)\) where \(m'_i = m_i\) for all i s.t. \(({\tau }_i, m_i) \in T_{{\varDelta }^*}\) and \(m'_i = \tilde{m}\) (for some arbitrary \(\tilde{m} \in \mathcal{M}\)), otherwise.

Type 3::

\({\mathcal P}^*\) is not well-defined with respect to \(T_{{\varDelta }^*}\).

  Let \(\mathbf {Adv}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) = \Pr [\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )=1]\) be the advantage of \(\mathcal{A}\) against the adaptive security of scheme \(\mathsf{HSig}\). We say that a homomorphic signature scheme \(\mathsf{HSig}\) is adaptive secure if for every PPT adversary \(\mathcal{A}\) there exists a negligible function \(\epsilon (\lambda )\) such that \(\mathbf {Adv}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) \le \epsilon (\lambda )\).

Comparing the above definition of adaptive security with the semi-adaptive definition presented earlier, we note the following: Type 1 forgeries are identical in both definitions. Type 2 forgeries are similar: intuitively, they both capture the case when the adversary cheats on the result of \({\mathcal P}^{*}\), except that Definition 4 addresses the case of missing inputs by defining what is, in this case, a correct output (using the notion of well-defined program). Finally, Type 3 forgeries are introduced in Definition 4 to address the remaining case in which \({\mathcal P}^{*}\) may have different outputs, yet the forgery verifies correctly.

From the literature, the schemes in [3, 11, 13, 15,16,17, 21] are proven under the adaptive security notion presented above.

Strongly Adaptive Secure Homomorphic Signatures. The good of the adaptive definition given above is that it addresses the issue of labeled programs with unspecified inputs by modeling when an adversary is cheating. The modeling of Definition 4 however comes at the price of a rather cumbersome security definition. Well-defined programs are certainly not the most intuitive notion to work with. In addition, besides simplicity, the main issue with the above notion is that deciding whether the tuple returned by the adversary is a forgery may not be doable in polynomial time. Indeed, making this test would require to execute \(f^{*}\) on all possible values of the missing inputs (that may be exponentially many). In the case when admissible functions are low-degree arithmetic circuits over a large field, it has been shown that well-defined programs can be tested probabilistically, and that Type 3 forgeries can be reduced to Type 2 ones [10]. However, for general circuits the inefficient test issue remains and can generate troubles when proving the security of homomorphic signature schemes as well as when using them in larger protocols (as simply testing whether an adversary returned a forgery – wins – may not be doable in polynomial time).

To address this issue, in what follows we consider a stronger and much simpler security definition. This notion is obtained by extending the notion of semi-adaptive security (Definition 2) with a very simple notion of Type 3 forgeries. The latter are just forgeries where the labeled program contains a “new” label. The formal definition follows.

Definition 5

(Strong Adaptive Security). We define \(\mathbf {Exp}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) as the security experiment which proceeds as \(\mathbf {Exp}^{\mathsf{UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) except that the tuple \(({\mathcal P}^* :=(f^*, {\tau }_1^*, \ldots , {\tau }_n^*), {\varDelta }^*, m^*, \sigma ^*)\) returned by the adversary \(\mathcal{A}\) is considered a forgery if \(\mathsf{Ver}(\mathsf{vk}, {\mathcal P}_{{\varDelta }^*}^*, m^*, \sigma ^*) =1\) and either one of the following conditions hold:  

Type 1::

The list \(T_{{\varDelta }^*}\) has not been initialized during the game.

Type 2::

For all \(i \in [n], \; \exists \,({\tau }_i, m_i) \in T_{{\varDelta }^*}\) and \(m^* \ne f^*(m_1, \ldots , m_n)\).

Type 3 Strong::

there exists \(j \in [n]\) such that \(({\tau }^*_j, \cdot ) \notin T_{{\varDelta }^*}\).

  Let \(\mathbf {Adv}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) = \Pr [\mathbf {Exp}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )=1]\) be the advantage of \(\mathcal{A}\) against the strong adaptive security of scheme \(\mathsf{HSig}\). We say that a homomorphic signature scheme \(\mathsf{HSig}\) is strongly adaptive secure if for every PPT adversary \(\mathcal{A}\) there exists a negligible function \(\epsilon (\lambda )\) such that \(\mathbf {Adv}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda ) \le \epsilon (\lambda )\).

The security notion of Definition 5 now allows to detect forgeries in polynomial time, and is without doubt much simpler than Definition 4. Basically, this notion is the public-key equivalent of the security notion proposed by Gennaro and Wichs [23] for fully-homomorphic MACs (with some cosmetic changes due to the handling of multiple datasets).

Relation Between Security Notions. We note that the three security definitions presented in this Section are increasingly strong. Definition 4 is strictly stronger than Definition 2: while all forgeries in \(\mathbf {Exp}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) are also forgeries in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\), the converse is not true as any forgery in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) where the labeled program \({\mathcal P}^*\) contains an unqueried label is not considered a forgery in \(\mathbf {Exp}^{\mathsf{semi\text {-}Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\).

Definition 5 is strictly stronger than Definition 4. In one direction, any Type 1 and Type 3 forgery in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) yields, respectively, a Type 1 and a Type 3 Strong forgery in \(\mathbf {Exp}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\), and a Type 2 forgery in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) becomes either a Type 2 forgery or a Type 3 Strong forgery in \(\mathbf {Exp}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\). In the other direction, there exist forgeries in experiment \(\mathbf {Exp}^{\mathsf{strong\text {-} Ad\text {-}UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\) that are not considered so in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\). We show this by considering the following adversary \(\mathcal{A}\). \(\mathcal{A}\) asks signing queries \(({\varDelta }, {\tau }_1, m_1), ({\varDelta }, {\tau }_2, m_2)\) and obtains signatures \(\sigma _1, \sigma _2\); it computes \(\sigma ^* {\leftarrow }\mathsf{Eval}(\mathsf{vk}, \times , \sigma _1, \sigma _2)\), and outputs \(({\mathcal P}^{*} :=(f, {\tau }_1, {\tau }_2, {\tau }_3), {\varDelta }, m_1 \cdot m_2)\), where f is the function \(f(x,y,z)=x(y+z) - xz\).⁶ As one can see, the output of \(\mathcal{A}\) is a Type 3 Strong forgery, since \({\tau }_3\) is a label which has never been queried, while it is not a forgery in \(\mathbf {Exp}^{\mathsf{Ad\text {-} UF}}_{\mathcal{A}, \mathsf{HSig}}(\lambda )\), since \({\mathcal P}^* :=(f, \tau _1, \tau _2, \tau _3)\) is well-defined with respect to the set of queries \(T_{{\varDelta }}= \{({\tau }_1, m_1), ({\tau }_2, m_2)\}\), and \(m_1\cdot m_2\) is the correct output.

In addition to the fact that the security notions are strictly separated, we also note that by using a counterexample such as the one above it is possible to show that previously proposed homomorphic signatures (e.g., [7, 17, 25] are not strong adaptive secure.

3 A Generic Transformation from Semi-adaptive to Strong Adaptive Security

In this Section we show a technique that allows one to turn a semi-adaptive unforgeable homomorphic signature into one that satisfies strong adaptive security. Specifically, our main result is stated in the following theorem:

Theorem 1

If \(\varSigma \) is a semi-adaptive unforgeable fully (resp. leveled) homomorphic signature scheme for boolean circuits, then there exists a strong adaptive unforgeable homomorphic signature scheme \(\widehat{\varSigma }\) that supports the same class of functions. Furthermore, if \(\varSigma \) satisfies context-hiding (resp. efficient verification, composability) so does \(\widehat{\varSigma }\).

The core of our result is a general transformation which shows how to combine a semi-adaptive secure scheme \(\varSigma \) together with a semi-adaptive secure scheme \(\varSigma _\mathsf{OR}\) that supports only OR operations over \(\mathbb {Z}_2\). This combination yields a homomorphic signature scheme that is strong adaptive secure and supports the same class of functions supported by \(\varSigma \).

Clearly, if \(\varSigma \) supports the evaluation of boolean circuits, then \(\varSigma _\mathsf{OR}\) can be instantiated using \(\varSigma \). In this case, our result provides a way to bootstrap the security of \(\varSigma \) from semi-adaptive to strong adaptive. This yields our main result above.

In the case where \(\varSigma _\mathsf{OR}\) cannot be instantiated using \(\varSigma \) (e.g., \(\varSigma \) is not expressive enough), our transformation still provides a recipe to obtain strong adaptive security using a separate OR-homomorphic scheme. However, motivated by the lack of many candidates of OR-homomorphic signature schemes (concretely, [25] is the only available one), we investigated how to obtain a similar transformation by using schemes that have been studied more widely. Our second result is a transformation which can combine a semi-adaptive secure scheme \(\varSigma \) together with a semi-adaptive secure linearly-homomophic signature \(\varSigma _\mathsf{LH}\) that works for scalar messages⁷ over a large ring, say \(\mathbb {Z}_p\). This combination yields a homomorphic signature scheme that is strong adaptive secure and supports the same class of functions supported by \(\varSigma \). A limitation of this second transformation is that it applies only to schemes that are leveled homomorphic (i.e., for circuits of bounded depth) as it requires to set \(p > 2^d\) where \(d = poly(\lambda )\) is the bound on circuits depth. On the other hand, the advantage is that strong adaptive security can be obtained by using linearly-homomorphic schemes, a class of constructions that has received significant attention, of which we know many constructions from several assumptions [3,4,5, 11, 13, 15, 16, 21], most of which are way more efficient in practice than [25]. As for the efficiency of the scheme resulting from our transformations, it basically depends on the efficiency of the scheme one starts from. In the worst case, however, the efficiency loss is comparable to executing the original algorithms twice.

3.1 Strong Adaptive Security from OR-Homomorphic Signatures

Here we present our first transformation. The tools we start from are a homomorphic signature scheme \(\varSigma :=(\varSigma .\mathsf{KeyGen}, \varSigma .\mathsf{Sign}, \varSigma .\mathsf{Ver}, \varSigma .\mathsf{Eval})\) for a class \(\mathcal{C}\) of (boolean or arithmetic) circuits, and a homomorphic signature \(\varSigma _\mathsf{OR}:=(\varSigma _\mathsf{OR}.\mathsf{KeyGen}, \varSigma _\mathsf{OR}.\mathsf{Sign}, \varSigma _\mathsf{OR}.\mathsf{Ver}, \varSigma _\mathsf{OR}.\mathsf{Eval})\) that works over message space \(\mathbb {Z}_2\) and supports homomorphic OR operations. More precisely, \(\varSigma _\mathsf{OR}\) must support circuits that are composed only of OR gates and have the same depth as those in \(\mathcal{C}\).

Using \(\varSigma \) and \(\varSigma _\mathsf{OR}\) in a black box way, we build a scheme \(\widehat{\varSigma }\) which supports evaluation of circuits in \(\mathcal{C}\). Moreover, assuming only semi-adaptive security of both \(\varSigma \) and \(\varSigma _\mathsf{OR}\), we show that \(\widehat{\varSigma }\) is strong adaptive secure.

 

\(\widehat{\varSigma }.\mathsf{KeyGen}(1^\lambda , \mathcal{L})\).:

Run the key generation algorithms \((\mathsf{vk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(1^\lambda , \mathcal{L})\) and \((\mathsf{vk}_\mathsf{OR}, \mathsf{sk}_\mathsf{OR}) \leftarrow \varSigma _\mathsf{OR}.\mathsf{KeyGen}(1^\lambda , \mathcal{L})\), and output \((\hat{\mathsf{vk}}, \hat{\mathsf{sk}}) :=((\mathsf{vk}, \mathsf{vk}_\mathsf{OR}), (\mathsf{sk}, \mathsf{sk}_\mathsf{OR}))\).

\(\widehat{\varSigma }.\mathsf{Sign}(\hat{\mathsf{sk}}, {\varDelta }, {\tau }, m)\).:

The signing algorithm uses the secret key to compute \(\sigma \leftarrow \mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\) and \(\sigma _\mathsf{OR}\leftarrow \varSigma _\mathsf{OR}.\mathsf{Sign}(\mathsf{sk}_\mathsf{OR}, {\varDelta }, {\tau }, 0)\), and outputs \(\hat{\sigma }:=(\sigma , \sigma _\mathsf{OR})\).

Note that the OR-homomorphic component \(\sigma _\mathsf{OR}\) of the signature signs the bit 0. Although the usefulness of this component will become more clear in the security proof, the intuition is that this component keeps track of those labels that are used throughout the computation.

\(\widehat{\varSigma }.\mathsf{Eval}(\hat{\mathsf{vk}}, f, \hat{\sigma }_1, \ldots , \hat{\sigma }_n)\).:

We describe the homomorphic evaluation of f in a gate-by-gate fashion, distinguishing the cases of unary and binary gates. One can easily see that the construction generalizes to n-ary gates. Describing the evaluation gate-by-gate is also useful to clearly see that our transformation allows for arbitrary composition of signatures (i.e., running \(\widehat{\varSigma }.\mathsf{Eval}\) on outputs of \(\widehat{\varSigma }.\mathsf{Eval}\)). At every gate g, one proceeds as follows.  

Unary Gates.:

Let g be an unary gate and let \(\hat{\sigma }_1:=(\sigma _1, \sigma _{\mathsf{OR}, 1})\) be the input. We compute the output signature \(\hat{\sigma }_\mathsf{out} :=(\sigma _\mathsf{out}, \sigma _\mathsf{OR, out})\) by computing \(\sigma _\mathsf{out} \leftarrow \varSigma .\mathsf{Eval}(\mathsf{vk}, g, \sigma _1)\) and \(\sigma _\mathsf{OR, out} {\leftarrow }\sigma _{\mathsf{OR}, 1}\). Basically, we evaluate g over the \(\varSigma \) component, while for the OR-homomorphic component we simply evaluate an identity function.

Binary Gates.:

Let g be a binary gate and let \(\hat{\sigma }_1:=(\sigma _1, \sigma _{\mathsf{OR}, 1})\) and \( \hat{\sigma }_2:=(\sigma _2, \sigma _{\mathsf{OR}, 2})\) be its two inputs. We compute the output signature \(\hat{\sigma }_\mathsf{out} :=(\sigma _\mathsf{out}, \sigma _\mathsf{OR, out})\) by first evaluating \(\sigma _\mathsf{out} \leftarrow \varSigma .\mathsf{Eval}(\mathsf{vk}, g, \sigma _1, \sigma _2)\) and then evaluating \(\sigma _\mathsf{OR, out} \leftarrow \varSigma _\mathsf{OR}.\mathsf{Eval}(\mathsf{vk}_\mathsf{OR}, \mathsf{OR}, \sigma _{\mathsf{OR}, 1}, \sigma _{\mathsf{OR}, 2})\). Basically, we evaluate the binary g over the \(\varSigma \) components, while for the OR-homomorphic components we perform their homomorphic OR.

  By proceeding over f in a gate-by-gate fashion, eventually we obtain a signature \(\hat{\sigma }:=(\sigma , \sigma _\mathsf{OR})\), and \(\widehat{\varSigma }.\mathsf{Eval}\) returns \(\hat{\sigma }\). At this point, it is worth mentioning that the evaluation algorithm of our transformation generates \((\sigma , \sigma _\mathsf{OR})\) such that \(\sigma = \varSigma .\mathsf{Eval}(\mathsf{vk}, f, \sigma _1, \ldots , \sigma _n)\) and \(\sigma _\mathsf{OR}= \varSigma _\mathsf{OR}.\mathsf{Eval}(\mathsf{vk}_\mathsf{OR}, f_\mathsf{OR}, \sigma _{\mathsf{OR}, 1}, \ldots , \sigma _{\mathsf{OR}, n})\), where \(f_\mathsf{OR}\) is an “OR version” of the circuit f obtained by changing any unary gate with an identity gate and any binary gate with an OR gate.

\(\widehat{\varSigma }.\mathsf{Ver}(\mathsf{vk}, {\mathcal P}, {\varDelta }, m, \hat{\sigma })\).:

Parse \({\mathcal P}= (f, {\tau }_1, \ldots , {\tau }_n)\) and \(\hat{\sigma }:=(\sigma , \sigma _\mathsf{OR})\). Next, define \({\mathcal P}_\mathsf{OR} :=(f_\mathsf{OR}, {\tau }_1, \ldots , {\tau }_n)\), where \(f_\mathsf{OR}\) is the circuit composed only of OR (and identity) gates, obtained from f as described above. Then check if \(\varSigma .\mathsf{Ver}(\mathsf{vk}, {\mathcal P}, {\varDelta }, m, \sigma )=1\) and \(\varSigma _\mathsf{OR}.\mathsf{Ver}(\mathsf{vk}_\mathsf{OR}, {\mathcal P}_\mathsf{OR}, {\varDelta }, 0, \sigma _\mathsf{OR})=1\). If both the verification runs output 1, then output 1, otherwise output 0.

 

In the following theorem we show that our generic scheme \(\widehat{\varSigma }\) satisfies strong adaptive security, as long as the schemes \(\varSigma \) and \(\varSigma _\mathsf{OR}\) are only semi-adaptive secure (proof is given in the full version of the paper [12].

Theorem 2

Assume that \(\varSigma \) is a semi-adaptive secure homomorphic signature scheme for a class of circuits \(\mathcal{C}\), and that \(\varSigma _\mathsf{OR}\) is a semi-adaptive secure homomorphic signature with message space \(\mathbb {Z}_2\) and supporting OR circuits. Then the scheme \(\widehat{\varSigma }\) described above is a strong-adaptive secure homomorphic signature for \(\mathcal{C}\). Furthermore, if both \(\varSigma \) and \(\varSigma _\mathsf{OR}\) satisfy context-hiding (resp. efficient verification, composability), then so does \(\widehat{\varSigma }\).

3.2 Strong Adaptive Security from Linearly-Homomorphic Signatures

Here we present our second transformation. This transformation is similar to the one of Sect. 3.1: it incorporates signatures from a second homomorphic signature scheme in order to handle Type 3 forgeries. However, instead of a OR-homomorphic scheme, here we use a linearly-homomorphic one. More in detail, our constructions takes in a homomorphic signature scheme \(\varSigma :=(\varSigma .\mathsf{KeyGen}, \varSigma .\mathsf{Sign}, \varSigma .\mathsf{Ver}, \varSigma .\mathsf{Eval})\) that supports circuits of polynomial depth at most d and fan-in 2,⁸ and an additive-homomorphic signature \(\varSigma _\mathsf{LH}:=(\varSigma _\mathsf{LH}.\mathsf{KeyGen}, \varSigma _\mathsf{LH}.\mathsf{Sign}, \varSigma _\mathsf{LH}.\mathsf{Ver}, \varSigma _\mathsf{LH}.\mathsf{Eval})\) that works over message space \(\mathbb {Z}_p\), where \(p>2^d\). Using \(\varSigma \) and \(\varSigma _\mathsf{LH}\) in a black box way, we build a scheme \(\varSigma '\) which supports the same circuits as \(\varSigma \), and assuming only semi-adaptive security of \(\varSigma \) and \(\varSigma _\mathsf{LH}\), we show that \(\varSigma '\) is strong adaptive secure. The scheme \(\varSigma '\) is defined as follows:  

\(\varSigma '.\mathsf{KeyGen}(1^\lambda , \mathcal{L})\).:

Run both \((\mathsf{vk}, \mathsf{sk}) \leftarrow \varSigma .\mathsf{KeyGen}(1^\lambda , \mathcal{L})\) and \((\mathsf{vk}_\mathsf{LH}, \mathsf{sk}_\mathsf{LH}) \leftarrow \varSigma _\mathsf{LH}.\mathsf{KeyGen}(1^\lambda , \mathcal{L})\), and output \((\mathsf{vk}^\prime , \mathsf{sk}^\prime ) :=((\mathsf{vk}, \mathsf{vk}_\mathsf{LH}), (\mathsf{sk}, \mathsf{sk}_\mathsf{LH}))\).

\(\varSigma '.\mathsf{Sign}(\mathsf{sk}^\prime , {\varDelta }, {\tau }, m)\).:

The signing algorithm uses \(\mathsf{sk}'\) to compute \(\sigma \leftarrow \mathsf{Sign}(\mathsf{sk}, {\varDelta }, {\tau }, m)\) and \(\sigma _\mathsf{LH}\leftarrow \varSigma _\mathsf{LH}.\mathsf{Sign}(\mathsf{sk}_\mathsf{LH}, {\varDelta }, {\tau }, 0)\), and outputs \(\sigma ^\prime :=(\sigma , \sigma _\mathsf{LH})\).

\(\varSigma '.\mathsf{Eval}(\mathsf{vk}^\prime , f, \sigma ^\prime _1, \ldots , \sigma ^\prime _n)\).:

As in the previous section, we describe the homomorphic evaluation of f in a gate-by-gate fashion, distinguishing the cases of unary and binary gates. At every gate g, one proceeds as follows.  

Unary Gates.:

Let g be an unary gate and let \(\sigma _1' :=(\sigma _1, \sigma _{\mathsf{LH}, 1})\) be the input. We compute the output signature \(\sigma ^\prime _\mathsf{out} :=(\sigma _\mathsf{out}, \sigma _\mathsf{LH, out})\) by computing \(\sigma _\mathsf{out} \leftarrow \varSigma .\mathsf{Eval}(\mathsf{vk}, g, \sigma _1)\) and \(\sigma _\mathsf{LH, out} {\leftarrow }\sigma _{\mathsf{LH}, 1}\).

Binary Gates.:

Let g be a binary gate and let \(\sigma _1' :=(\sigma _1, \sigma _{\mathsf{LH}, 1})\) and \( \sigma _2' :=(\sigma _2, \sigma _{\mathsf{LH}, 2})\) be its two inputs. We compute the output signature \(\sigma ^\prime _\mathsf{out} :=(\sigma _\mathsf{out}, \sigma _\mathsf{LH, out})\) by first evaluating \(\sigma _\mathsf{out} \leftarrow \varSigma .\mathsf{Eval}(\mathsf{vk}, g, \sigma _1, \sigma _2)\) and then evaluating \(\sigma _\mathsf{LH, out} \leftarrow \varSigma _\mathsf{LH}.\mathsf{Eval}(\mathsf{vk}_\mathsf{LH}, +, \sigma _{\mathsf{LH}, 1}, \sigma _{\mathsf{LH}, 2})\).

  By proceeding over f in a gate-by-gate fashion, eventually we obtain a signature \(\sigma ^\prime :=(\sigma , \sigma _\mathsf{LH})\), and \(\varSigma '.\mathsf{Eval}\) returns \(\sigma '\). We note that the evaluation algorithm of our transformation generates \((\sigma , \sigma _\mathsf{LH})\) such that \(\sigma = \varSigma .\mathsf{Eval}(\mathsf{vk}, f, \sigma _1, \ldots , \sigma _n)\) and \(\sigma _\mathsf{LH}= \varSigma _\mathsf{LH}.\mathsf{Eval}(\mathsf{vk}_\mathsf{LH}, f_+, \sigma _{\mathsf{LH}, 1}, \ldots , \sigma _{\mathsf{LH}, n})\), where \(f_+\) is an “additive version” of the circuit f obtained by changing any unary gate with an identity gate and any binary gate with an additive gate.

\(\varSigma '.\mathsf{Ver}(\mathsf{vk}, {\mathcal P}, {\varDelta }, m, \sigma ^\prime )\).:

Parse \({\mathcal P}= (f, {\tau }_1, \ldots , {\tau }_n)\) and \(\sigma ^\prime :=(\sigma , \sigma _\mathsf{LH})\). Next, define \({\mathcal P}_+ :=(f_+, {\tau }_1, \ldots , {\tau }_n)\), where \(f_+\) is the additive circuit obtained from f as described above. Then check if \(\varSigma .\mathsf{Ver}(\mathsf{vk}, {\mathcal P}, {\varDelta }, m, \sigma )=1\) and \(\varSigma _\mathsf{LH}.\mathsf{Ver}(\mathsf{vk}_\mathsf{LH}, {\mathcal P}_+, {\varDelta }, 0, \sigma _\mathsf{LH})=1\). If both the verification runs output 1, then output 1, otherwise output 0.

 

In the following theorem we show that our generic scheme \(\varSigma '\) satisfies strong adaptive security, as long as the schemes \(\varSigma \) and \(\varSigma _\mathsf{LH}\) are only semi-adaptive secure (proof is given in the full version of the paper [12]).

Theorem 3

Assume that \(\varSigma \) is a semi-adaptive secure homomorphic signature scheme for circuits of polynomial depth at least d and fan-in 2, and that \(\varSigma _\mathsf{LH}\) is a semi-adaptive secure linearly-homomorphic signature scheme whose message space is \(\mathbb {Z}_p\), with \(p>2^d\). Then the scheme \(\varSigma '\) described above is a strong-adaptive secure homomorphic signature. Furthermore, if both \(\varSigma \) and \(\varSigma _\mathsf{LH}\) satisfy context-hiding (resp. efficient verification), then so does \(\varSigma '\).