1 Introduction

Cloud computing has become increasingly popular since it offers clients access to powerful servers that remotely store and compute on their data, which is especially needed by those who lack computing and storage resources. Consider the following scenario: Alice owns a large amount of sensitive data \(M=M_1,M_2,M_3,\dots \), but she does not have enough memory to store all of it, so she resorts to a remote server via a cloud service. In this scenario, Alice needs to consider several crucial issues. Firstly, she must be able to (1) incrementally add data to the server, i.e. the server needs to provide unbounded storage for her without an a-priori fixed size; she must also be able to (2) choose functions dynamically, which means that Alice can ask the server to evaluate functions on the outsourced data at any point in time; moreover, since the data contain sensitive information and the server may be malicious, the outsourcing process needs to guarantee (3) data privacy, ensuring that the server obtains no sensitive information; finally, a very appealing requirement is (4) efficient verification, i.e. the server should provide a succinct proof that lets Alice verify the correctness of the computation efficiently, say, in constant time. To satisfy the above requirements, we may consider two candidate approaches, i.e. non-interactive verifiable computation [1,2,3] and homomorphic authenticator-encryption [4].

Most works on non-interactive verifiable computation focus on requirements (3) or (4) and hardly achieve requirements (1) and (2). In particular, many of the existing works require the client to send M all at once and do not allow additional data to be added later (e.g. [5]), or the client must determine the computation functions in advance (e.g. [1, 6]). The only approach that satisfies most of the above requirements is the work by Backes et al. [7]: it proposes a homomorphic MAC scheme with efficient verification and thus naturally satisfies requirements (1), (2) and (4). But their construction inevitably fails to achieve requirement (3), i.e. data privacy.

For homomorphic authenticator-encryption, a promising approach is to combine homomorphic encryption with a homomorphic MAC/signature following the generic composition methods, i.e., Encrypt-and-MAC, Encrypt-then-MAC and MAC-then-Encrypt. Although homomorphic encryption can guarantee the privacy of the data outsourced to the server, this is not the case for most existing homomorphic MAC/signature schemes. Thus, most homomorphic authenticator-encryption schemes also cannot meet requirement (3). We note that although the notion of homomorphic encrypted authenticator proposed by Lai et al. [8] provides authenticated data privacy, it does not achieve efficient verification.

Hence, in order to address the problem in the above scenario, in this paper we define a new primitive called privacy-preserving homomorphic MAC with efficient verification (PHMAC), in which the authenticator does not reveal any information about the underlying message and can be efficiently verified in constant time. Informally, PHMAC is an augmented homomorphic MAC which integrates two rather strong properties, i.e. privacy and efficiency. Besides, we also give formal security notions for unforgeability and for privacy, respectively. Inspired by the homomorphic signature scheme with efficient verification proposed by Catalano et al. [9], we construct an efficiently verifiable PHMAC scheme for homogeneous polynomials which additionally guarantees that the authenticators reveal no information about the data.

Our result thus subsumes all the prior works mentioned above. Roughly, we integrate both privacy and efficiency into one primitive, PHMAC, which can be viewed as an augmented homomorphic MAC. PHMAC therefore meets all the requirements of the scenario described above.

1.1 Our Contributions

In this paper, we define the syntax of privacy-preserving homomorphic MAC and formalize the security notions in terms of both authenticity (i.e. unforgeability against chosen message attacks (UF-CMA)) and a rather strong notion of privacy (i.e. indistinguishability against chosen plaintext attacks (IND-CPA)). Moreover, we provide a scheme called PHMAC for a rather large class of functions, i.e. homogeneous polynomials, satisfying the aforementioned privacy requirement while enabling efficient verification of the authenticators. We stress that privacy and efficiency are two rather strong requirements that have not been simultaneously achieved in the literature before. In particular, there exist a few homomorphic MAC schemes [8, 10] that satisfy our privacy requirement; however, their cost of verifying each computation result is as expensive as executing the evaluation function locally, i.e. they are incapable of verifying efficiently. For the efficiency property, the recent work of Backes et al. [7] proposed a homomorphic MAC scheme for quadratic polynomials with efficient verification, but their construction cannot guarantee the privacy of the authenticated data.

We also discuss the relation between our PHMAC and two cryptographic primitives, i.e. homomorphic authenticator-encryption (HAE) and verifiable computation (VC). In particular, applying the Encrypt-and-MAC composition method to combine our PHMAC with any homomorphic encryption, we naturally obtain a HAE scheme. Compared to the previous works [4, 8], this specific HAE scheme has a favorable property, efficiency, i.e. it can efficiently verify computations over the outsourced encrypted data, which it directly inherits from our PHMAC. Moreover, since research on HAE has also been considered under the notion of VC, our PHMAC also contributes to the research on VC. Our PHMAC for homogeneous polynomials is suitable for a wide range of scenarios involving the computation of profitability, loss, interest rates, and many other significant arithmetic computations.

Our contributions are summarized as follows:

  • We introduce a new primitive called privacy-preserving homomorphic MACs with efficient verification (PHMAC).

  • We formalize the security notions of PHMAC, i.e. authenticity (unforgeability against chosen message attacks) and privacy (indistinguishability against chosen plaintext attacks).

  • We provide a PHMAC construction which supports homogeneous polynomials, and prove it satisfies security requirements.

  • We evaluate our PHMAC to demonstrate its efficiency.

  • We discuss the applications of PHMAC for homomorphic authenticator-encryption and verifiable computation.

2 Related Work

Homomorphic Signatures and MACs. Homomorphic signatures (publicly verifiable) and homomorphic message authentication codes (MACs) (privately verifiable) have been considered in many previous works. Homomorphic signatures were initially introduced by Johnson et al. [11]. Since then, many constructions for linear functions have been proposed [12,13,14,15] with important applications in network coding [16]. Three more recent works on homomorphic signatures consider classes larger than linear functions [9, 17, 18]. In the private setting, Gennaro and Wichs [19] initially introduced homomorphic MACs and gave a construction for arbitrary computations, though it holds only in a weaker security model where the adversary cannot issue verification queries. Although the schemes later proposed by Catalano and Fiore [20, 21] are secure in the presence of verification queries, they do not achieve the efficiency property, which is very important for computations over huge datasets. Backes et al. [7] were the first to consider the efficiency issue; unfortunately, they did not guarantee data confidentiality. Recently, Lai et al. [8] were the first to consider the privacy of homomorphic MACs: they introduced the notion of homomorphic encrypted authentication, which requires that the authenticator does not leak any information about the message it authenticates, and proposed a construction for linear evaluation functions, yet their scheme lacks efficient verification.

Compared to the previous works, our notion of PHMAC achieves both data confidentiality and efficient verification; in addition, our construction remains secure in the presence of verification queries.

Homomorphic Authenticator-Encryption. A homomorphic authenticator-encryption (HAE) scheme, also called homomorphic authenticated encryption in [4], is a homomorphic authenticator scheme with an additional \(\mathsf {decrypt}\) algorithm, and it guarantees both privacy and authenticity of computations on outsourced data. In the literature, the mainstream approach to constructing a HAE scheme is to combine homomorphic encryption and a homomorphic MAC via composition methods such as MAC-then-Encrypt, Encrypt-and-MAC [8] and Encrypt-then-MAC [22]. Unlike [22], in the construction of [8] the homomorphic encryption and the homomorphic MAC are independent, thus the scheme is more flexible. However, [8] is not outsourceable, because its verification is as expensive as executing the evaluation function locally. Adopting the Encrypt-and-MAC composition method, we can combine our efficiently verifiable PHMAC construction with any fully homomorphic encryption to obtain a HAE scheme, which enables verifiable computation on outsourced encrypted data.

Non-interactive Verifiable Computation. The notion of non-interactive verifiable computation, introduced by Gennaro et al. [1], enables a computationally weak client to outsource the computation of a function to a server, which returns the result of the function evaluation as well as a non-interactive proof showing that the computation was carried out correctly, with the crucial requirement that verifying the proof needs substantially less computational effort than computing the function from scratch on the client. The existing non-interactive verifiable computation schemes support either arbitrary computations (e.g. [1, 2]) or some specific computations (e.g. [3, 23]). Unfortunately, the previous non-interactive verifiable computation schemes either do not protect the privacy of outsourced data from a malicious server, or the functions to be evaluated must be known at system setup, or the outsourced data must be fixed a-priori, or the verification is as expensive as running the evaluation algorithm locally. The HAE scheme obtained by combining our PHMAC scheme with a homomorphic encryption suffers from none of the above limitations, i.e. the client can guarantee input privacy and efficiently verify the results; in addition, she can incrementally add her data, and the functions to be applied can be selected at any point by the server.

3 Preliminaries

Let \(\lambda \) denote the security parameter throughout this paper. If \(\mathcal {S}\) is a set, \(s\xleftarrow {\$}\mathcal {S}\) denotes the process of selecting s uniformly at random in \(\mathcal {S}\). A non-negative function \(\epsilon (\lambda )\) is negligible if for every polynomial \(p(\lambda )\) it holds that \(\epsilon (\lambda )\le 1/p(\lambda )\) for all sufficiently large \(\lambda \in \mathbb {N}\).

3.1 Leveled Multilinear Maps

Assume there exists a group generator \(\mathcal {G}\) that takes the security parameter \(1^\lambda \) and the pairing bound k and outputs the description \(\mathsf {pp}\) of groups \(\mathbb {G}_1,\dots ,\mathbb {G}_k\) each of large prime order \(p> 2^\lambda \). Let \(g_i\) be the generator of group \(\mathbb {G}_i\). In addition, the algorithm outputs a description of a set of bilinear maps:

$$\begin{aligned} \{e_{i,j}:\mathbb {G}_i\times \mathbb {G}_j\rightarrow \mathbb {G}_{i+j}\}_{i,j\ge 1,i+j\le k} \end{aligned}$$

satisfying \(e_{i,j}(g_i^a,g_j^b)=g_{i+j}^{ab}\) for all \(a,b\in \mathbb {Z}_p\). When obvious from the context we drop the indices i, j from \(e_{i,j}\).

Below we present the computational assumption that underlies the security of our scheme, which was initially defined and justified by Catalano et al. [9].

Definition 1

(k-Augmented-Power Multilinear Diffie-Hellman). Let \(\mathsf {pp}\) be the description of a set of multilinear groups and \(g_1\in \mathbb {G}_1\) be a random generator. Let \(a,b,x\xleftarrow {\$}\mathbb {Z}_p\) be chosen at random. We define the advantage of an adversary \(\mathcal {A}\) in solving the k-APMDH problem as

$$\begin{aligned} \mathrm {Adv}_\mathcal {A}^{APMDH}(\lambda )=\Pr [\mathcal {A}(g_1,g_1^a,g_1^b,g_1^{ab},g_1^x,g_1^{ax},g_1^{abx})=g_k^{a^{k-1}(bx)^k}], \end{aligned}$$

and we say that the k-APMDH assumption holds for \(\mathbb {G}\) if for every PPT \(\mathcal {A}\), the advantage \(\mathrm {Adv}_\mathcal {A}^{APMDH}(\lambda )\) is negligible in \(\lambda \).

3.2 Multi-labeled Programs

The notion of multi-labeled programs was introduced in [7] which is an extension to labeled programs [19, 20].

A multi-labeled program \(\mathcal {P}_\varDelta \) is a pair \((\mathcal {P},\varDelta )\) in which \(\mathcal {P}=(f,\tau _1,\dots ,\tau _n)\) such that \(f:\mathcal {M}^n\rightarrow \mathcal {M}\) is a function on n variables (e.g., a circuit), and \(\tau _i\in \{0,1\}^*\) is the label of the i-th variable input of f, and \(\varDelta \in \{0,1\}^*\) is a binary string called the data set identifier. Multi-labeled programs allow for composition within the same data set in the most natural way, i.e., given multi-labeled programs \((\mathcal {P}_1,\varDelta ),\dots ,(\mathcal {P}_t,\varDelta )\) sharing the same data set identifier \(\varDelta \), and given a function \(g:\mathcal {M}^t\rightarrow \mathcal {M}\), the composed multi-labeled program \(\mathcal {P}_\varDelta ^*\) is the pair \((\mathcal {P}^*,\varDelta )\) where \(\mathcal {P}^*\) is the composed program \(g(\mathcal {P}_1,\dots ,\mathcal {P}_t)\), and \(\varDelta \) is the data set identifier shared by all the \(\mathcal {P}_i\). Let \(f_{id}:\mathcal {M}\rightarrow \mathcal {M}\) be the canonical identity function and \(\tau \in \{0,1\}^*\) be a label, then \(\mathcal {I}_{(\varDelta ,\tau )}=((f_{id},\tau ),\varDelta )\) is the multi-labeled identity program for input label \(\tau \) and data set identifier \(\varDelta \). Using this notation, observe that any program \(\mathcal {P}_\varDelta =((f,\tau _1,\dots ,\tau _n),\varDelta )\) can be expressed as the composition of n identity programs \(\mathcal {P}_\varDelta =f(\mathcal {I}_{(\varDelta ,\tau _1)},\dots ,\mathcal {I}_{(\varDelta ,\tau _n)})\).

4 Privacy-Preserving Homomorphic MACs for Multi-labeled Programs

We now give a formal definition of a privacy-preserving homomorphic message authenticator scheme, and explain in more detail the correctness, efficiency, unforgeability and privacy properties a privacy-preserving homomorphic message authenticator scheme should satisfy.

4.1 Formal Definition

Definition 2

(Privacy-Preserving Homomorphic MACs). A privacy-preserving homomorphic message authenticator scheme (PHMAC) for multi-label programs is a tuple of algorithms \(\mathsf {(KeyGen, Auth, Eval, Ver)}\):

  • \(\mathsf {KeyGen}(1^\lambda ,\mathcal {L}):\) given the security parameter \(\lambda \), the description of the label space \(\mathcal {L}\), the key generation algorithm outputs a public key \(\mathsf {pk}\) and a secret key \(\mathsf {sk}\). The public key \(\mathsf {pk}\) defines implicitly a message space \(\mathcal {M}\) and a set \(\mathcal {F}\) of admissible functions.

  • \(\mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m):\) given the secret key \(\mathsf {sk}\), a data set identifier \(\varDelta \), a label \(\tau \) and a message \(m\in \mathcal {M}\), it outputs a tag \(\sigma \).

  • \(\mathsf {Eval}(\mathsf {pk},f,(\sigma _1,\dots ,\sigma _n)):\) on input the evaluation key \(\mathsf {pk}\), a circuit \(f:\mathcal {M}^n\rightarrow \mathcal {M}\) and a vector of tags \((\sigma _1,\dots ,\sigma _n)\), the evaluation algorithm outputs a new tag \(\sigma \).

  • \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_\varDelta ,m,\sigma ):\) given the secret key \(\mathsf {sk}\), a multi-labeled program \(\mathcal {P}_\varDelta =((f,\tau _1,\dots ,\tau _n),\varDelta )\), a message \(m\in \mathcal {M}\), and a tag \(\sigma \), the verification algorithm outputs 0 (reject) or 1 (accept).

Authentication Correctness. For any message \(m\in \mathcal {M}\), all keys \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), any multi-label \((\varDelta ,\tau )\in (\{0,1\}^*)^2\), and any tag \(\sigma \leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m)\), it holds that \(\mathsf {Ver}(\mathsf {sk},\mathcal {I}_{(\varDelta ,\tau )},m,\sigma )=1\).

Evaluation Correctness. For a pair of keys \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), a circuit \(f:\mathcal {M}^n\rightarrow \mathcal {M}\) and any set of message/program/tag triples \(\{(m_i,\mathcal {P}_{\varDelta ,i},\sigma _i)\}_{i=1}^t\) such that all multi-labeled programs \(\mathcal {P}_{\varDelta ,i}=(\mathcal {P}_i,\varDelta )\) share the same data set identifier \(\varDelta \) and \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_{\varDelta ,i},m_i,\sigma _i)=1\), if \(m^*=f(m_1,\dots ,m_t)\), \(\mathcal {P}^*=f(\mathcal {P}_1,\dots ,\mathcal {P}_t)\), and \(\sigma ^*=\mathsf {Eval}(\mathsf {pk},f,(\sigma _1,\dots ,\sigma _t))\), then \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_\varDelta ^*,m^*,\sigma ^*)=1\) holds with probability 1.

Efficiency. Let \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KeyGen}(1^\lambda ,\mathcal {L})\) be honestly generated keys, let \(\mathcal {P}_\varDelta =(\mathcal {P},\varDelta )\) be a program, let \((m_1,\dots ,m_n)\in \mathcal {M}^n\) be any vector of inputs, and let t(n) be the time required to compute \(\mathcal {P}(m_1,\dots ,m_n)\). Then the time \(t'\) required for \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_\varDelta ,m,\sigma )\) must be much less than t(n), i.e. \(t'=o(t(n))\).

4.2 Definition of Unforgeability

A \(\mathsf {PHMAC}\) scheme is unforgeable if the advantage of any PPT adversary \(\mathcal {A}\) in the following game \(\mathsf {PHomUF}\)-\(\mathsf {CMA}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) is negligible:

  • Setup. The challenger generates \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), then gives \(\mathsf {pk}\) to \(\mathcal {A}\) and keeps \(\mathsf {sk}\) to itself.

  • Authentication queries. Adversary \(\mathcal {A}\) can adaptively issue authentication queries. For each authentication query \((\varDelta ,\tau ,m)\), if it is the first query with data set identifier \(\varDelta \), then the challenger initializes an empty list \(L_\varDelta =\emptyset \) for \(\varDelta \). If \((\tau ,\cdot )\notin L_\varDelta \) (i.e., the multi-label \((\varDelta ,\tau )\) was never queried), the challenger returns \(\sigma \leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m)\) to \(\mathcal {A}\) and updates the list \(L_\varDelta \leftarrow L_\varDelta \cup \{(\tau ,m)\}\). If \((\tau ,m)\in L_\varDelta \), then the challenger replies with the same tag generated before. If \(L_\varDelta \) contains a tuple \((\tau ,m')\) for some message \(m'\ne m\), then the challenger ignores the query.

  • Verification queries. Adversary \(\mathcal {A}\) can adaptively issue verification queries. For each verification query \((\mathcal {P}_\varDelta ,m,\sigma )\), the challenger replies with the output of \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_\varDelta ,m,\sigma )\).

  • Forgery. The previous stage is repeated a polynomial number of times until the adversary outputs a tuple \((\mathcal {P}_{\varDelta ^*}^*,m^*,\sigma ^*)\). The experiment outputs 1 if the tuple is a forgery, and 0 otherwise.

In order to characterize forgeries in this model, we firstly review the notion of well-defined programs with respect to a list \(L_\varDelta \) [20]. A labeled program \(\mathcal {P}^*=(f^*,\tau _1^*,\dots ,\tau _n^*)\) is well-defined with respect to \(L_{\varDelta ^*}\) if either one of the following two cases holds:

  • there exist messages \(m_1,\dots ,m_n\) such that the list \(L_{\varDelta ^*}\) contains all tuples \((\tau _1^*,m_1)\), \(\dots ,(\tau _n^*,m_n)\). Intuitively, this means that the entire input space of f for data set \(\varDelta ^*\) has been authenticated.

  • there exists an index \(i\in \{1,\dots ,n\}\) such that \((\tau _i^*,\cdot )\notin L_{\varDelta ^*}\) (i.e., \(\mathcal {A}\) never asked authentication queries with multi-label \((\varDelta ^*,\tau _i^*)\)), and the function \(f^*(\{m_j\}_{(\tau _j,m_j)\in L_{\varDelta ^*}}\cup \{\tilde{m}_j\}_{(\tau _j,\cdot )\notin L_{\varDelta ^*}})\) outputs the same value for all possible choices of \(\tilde{m}_j\in \mathcal {M}\). Intuitively, this case means that the unauthenticated inputs never contribute to the computation of f.

The experiment \(\mathsf {PHomUF}\)-\(\mathsf {CMA}\) outputs 1 if and only if \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_{\varDelta ^*}^*,m^*,\sigma ^*)=1\) and one of the following conditions holds:

  • Type 1 Forgery: no list \(L_{\varDelta ^*}\) was created during the game, i.e., during the experiment no message m has ever been signed with respect to a data set identifier \(\varDelta ^*\).

  • Type 2 Forgery: \(\mathcal {P}^*\) is well-defined w.r.t. \(L_{\varDelta ^*}\) and \(m^*\ne f^*(\{m_j\}_{(\tau _j,m_j)\in L_{\varDelta ^*}})\), i.e., \(m^*\) is not the correct output of the labeled program \(\mathcal {P}^*\) when executed on previously signed messages \((m_1,\dots ,m_n)\).

  • Type 3 Forgery: \(\mathcal {P}^*\) is not well-defined w.r.t. \(L_{\varDelta ^*}\).

Backes et al. [7] proved that for arithmetic circuits which are defined over the finite field \(\mathbb {Z}_p\) where p is a prime of roughly \(\lambda \) bits and whose degree d is bounded by a polynomial, any adversary who wins by producing a Type 3 forgery can be converted into one who outputs a Type 2 forgery.

Proposition 1

Let \(\lambda \in \mathbb {N}\) be the security parameter, let \(p>2^\lambda \) be a prime number, and let \(\{f_\lambda \}\) be a family of arithmetic circuits over \(\mathbb {Z}_p\) whose degree is bounded by some polynomial \(d=poly(\lambda )\). If for any adversary \(\mathcal {B}\) producing a Type 2 forgery we have that \(\Pr [\mathsf {PHomUF-CMA}_{\mathcal {B},\mathsf {PHMAC}}(\lambda )=1]\le \epsilon \), then for any adversary \(\mathcal {A}\) producing a Type 3 forgery it holds that \(\Pr [\mathsf {PHomUF-CMA}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )=1]\le \epsilon +d/p\).

4.3 Definition of Privacy

A \(\mathsf {PHMAC}\) scheme must satisfy the requirement of privacy. Roughly speaking, privacy requires that the tag \(\sigma \) of a tuple \((\varDelta ,\tau ,m)\) reveals no information about the underlying message m. Formally, this property is captured by the following definition.

Definition 3

(Privacy). A \(\mathsf {PHMAC}\)-\(\mathsf {ML}\) scheme is private if the advantage of any PPT adversary \(\mathcal {A}\) in the following game \(\mathsf {PHomUF}\)-\(\mathsf {Pri}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) is negligible:

  • Setup. The challenger generates \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), then gives \(\mathsf {pk}\) to \(\mathcal {A}\) and keeps \(\mathsf {sk}\) to itself.

  • Authentication queries 1. Adversary \(\mathcal {A}\) can adaptively issue authentication queries. For each authentication query \((\varDelta ,\tau ,m)\), if it is the first query with data set identifier \(\varDelta \), then the challenger initializes an empty list \(L_\varDelta =\emptyset \) for \(\varDelta \). If \((\tau ,\cdot )\notin L_\varDelta \) (i.e., the multi-label \((\varDelta ,\tau )\) was never queried), the challenger returns \(\sigma \leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m)\) to \(\mathcal {A}\) and updates the list \(L_\varDelta \leftarrow L_\varDelta \cup \{(\tau ,m)\}\). If \((\tau ,m)\in L_\varDelta \), then the challenger replies with the same tag generated before. If \(L_\varDelta \) contains a tuple \((\tau ,m')\) for some message \(m'\ne m\), then the challenger ignores the query.

  • Challenge. Adversary \(\mathcal {A}\) outputs a tuple \((\varDelta ^*,\tau ^*,m_0^*,m_1^*)\). If the list \(L_{\varDelta ^*}\) for data set identifier \(\varDelta ^*\) exists and \((\tau ^*,\cdot )\in L_{\varDelta ^*}\), the challenger ignores the query. Otherwise, the challenger randomly chooses a bit \(\gamma \leftarrow \{0,1\}\), returns \(\sigma ^*\leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta ^*,\tau ^*,m_\gamma ^*)\) and updates \(L_{\varDelta ^*}\leftarrow L_{\varDelta ^*}\cup \{(\tau ^*,m_\gamma ^*)\}\) (if no query with data set identifier \(\varDelta ^*\) was made before, the challenger first initializes an empty list \(L_{\varDelta ^*}=\emptyset \) for \(\varDelta ^*\)).

  • Authentication queries 2. Adversary \(\mathcal {A}\) can again adaptively issue authentication queries, as in the Authentication queries 1 step.

  • Guess. Adversary \(\mathcal {A}\) outputs a bit \(\gamma '\), and wins the game if \(\gamma '=\gamma \).

5 Construction

In this section we describe our construction of privacy preserving homomorphic MAC with efficient verification from leveled multilinear maps. Our construction relies on a regular signature scheme \(\mathsf {S=(S.KeyGen, S.Sign, S.Ver)}\), a pseudorandom function \(F:\mathcal {K}\times \{0,1\}^*\rightarrow \mathbb {Z}_p^2\) with key space \(\mathcal {K}\), and an implementation of multilinear groups whose description is generated by \(\mathcal {G}\). The construction of \(\mathsf {PHMAC}=(\mathsf {KeyGen},\mathsf {Auth}\), \(\mathsf {Eval},\mathsf {Ver})\) proceeds as follows.

  • \(\mathsf {KeyGen}(1^\lambda ,k,\mathcal {L}):\) Let \(\lambda \) be the security parameter, \(k\in \mathbb {N}^+\) be a constant denoting the bound on the degree of the supported homogeneous polynomials, and \(\mathcal {L}\subset \{0,1\}^*\) be a set of admissible labels \(\mathcal {L}=\{\tau _1,\dots ,\tau _n\}\), for some \(n=\mathsf {poly}(\lambda )\). The key generation algorithm proceeds as follows.

    1. Generate a signature key pair \((\mathsf {sik},\mathsf {vk})\leftarrow \mathsf {S.KeyGen}(1^\lambda )\).

    2. Choose a random seed \(K\xleftarrow {\$}\mathcal {K}\) for the PRF \(F_K:\{0,1\}^*\rightarrow \mathbb {Z}_p^2\).

    3. Run \(\mathcal {G}(1^\lambda ,2k)\) to generate the description of (2k)-linear groups \(\mathbb {G}_1,\dots ,\mathbb {G}_{2k}\) of order p, where p is a prime number of roughly \(\lambda \) bits.

    4. Choose random elements \(g_1\xleftarrow {\$}\mathbb {G}_1, x\xleftarrow {\$}\mathbb {Z}_p\) as well as \(N+1\) random values \(R_\tau \xleftarrow {\$}\mathbb {G}_1\), \(\forall \tau \in \mathcal {L}\), and compute \(h_1=g_1^x\).

    Finally output \(\mathsf {sk}=(\mathsf {sik},K,x)\), \(\mathsf {pk}=(\mathsf {vk},g_1,h_1,\{R_\tau \}_{\tau \in \mathcal {L}})\), and let the message space \(\mathcal {M}\) be \(\mathbb {Z}_p\).

  • \(\mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m):\) given the secret key \(\mathsf {sk}\), a data set identifier \(\varDelta \in \{0,1\}^*\), a label \(\tau \in \mathcal {L}\) and a message \(m\in \mathcal {M}\), the authentication algorithm proceeds as follows.

    1. Compute two integers \((a,b)\leftarrow F_K(\varDelta )\), and set \(A_1=g_1^a, B_1=g_1^b, C_1=g_1^{ab}\).

    2. Compute \(\sigma _\varDelta \leftarrow \mathsf {S.Sign}(\mathsf {sik},\mathsf {pp}_\varDelta )\), where \(\mathsf {pp}_\varDelta =(\varDelta ,A_1,B_1,C_1)\) are the public parameters of data set identifier \(\varDelta \).

    3. Compute \(\varLambda _1=(R_\tau h_1^{-m})^b,\varGamma _1=\varLambda _1^a\) and \(\varPhi _1=h_1^{abm}\), and let \(\rho =(\varLambda _1,\varGamma _1,\varPhi _1)\).

    Finally, output the tag \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho )\).

  • \(\mathsf {Eval}(\mathsf {pk},f,(\sigma _1,\dots ,\sigma _n)):\) takes as input the public key \(\mathsf {vk}\), a homogeneous polynomial \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\), and a vector \(\sigma \) of n tags \(\sigma ^{(1)},\dots ,\sigma ^{(n)}\) such that \(\sigma ^{(i)}=(\mathsf {pp}_\varDelta ^{(i)},\sigma _\varDelta ^{(i)},\rho _i)\) for \(i=1,\dots ,n\); the evaluation algorithm computes a tag \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho )\) as follows.

    1. Set \(\mathsf {pp}_\varDelta =\mathsf {pp}_\varDelta ^{(1)}\) and \(\sigma _\varDelta =\sigma _\varDelta ^{(1)}\).

    2. Compute \(\rho \) by homomorphically evaluating the circuit f over the values \(\{\rho _i\}_{i=1}^n\). Specifically, at every gate \(f_g\), given two values \(\rho _1=(\varLambda _i^{(1)},\varGamma _i^{(1)},\varPhi _i^{(1)})\in \mathbb {Z}_p\times \mathbb {G}_i^2\), \(\rho _2=(\varLambda _j^{(2)},\varGamma _j^{(2)},\varPhi _j^{(2)})\in \mathbb {Z}_p\times \mathbb {G}_j^2\), \(\mathsf {Eval}\) runs \(\mathsf {GateEval}(\mathsf {vk},\mathsf {pp}_\varDelta ,f_g,\rho _1,\rho _2)\) as follows:

      • Addition: \(\varLambda _i=\varLambda _i^{(1)}\cdot \varLambda _i^{(2)},\,\varGamma _i=\varGamma _i^{(1)}\cdot \varGamma _i^{(2)},\,\varPhi _i=\varPhi _i^{(1)}\cdot \varPhi _i^{(2)}\)

      • Multiplication by constant: \(\varLambda _i=(\varLambda _i^{(1)})^c,\,\varGamma _i=(\varGamma _i^{(1)})^c,\,\varPhi _i=(\varPhi _i^{(1)})^c\)

      • Multiplication: \(\varLambda _d=e(\varLambda _i^{(1)},\varGamma _j^{(2)})\cdot e(\varLambda _i^{(1)},\varPhi _j^{(2)})\cdot e(\varPhi _i^{(1)},\varLambda _j^{(2)}),\,\varGamma _d=e(\varGamma _i^{(1)}, \varGamma _j^{(2)})\cdot e(\varGamma _i^{(1)},\varPhi _j^{(2)})\cdot e(\varPhi _i^{(1)},\varGamma _j^{(2)}),\,\varPhi _d=e(\varPhi _i^{(1)},\varPhi _j^{(2)})\)

  • \(\mathsf {Ver}(\mathsf {sk},\mathcal {P}_\varDelta ,m,\sigma ):\) Let \(\mathcal {P}_\varDelta =((f,\tau _1,\dots ,\tau _n),\varDelta )\) be a multi-labeled program such that \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\) is a homogeneous polynomial of degree \(d\le k\). Let \(m\in \mathbb {Z}_p\) and \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho )\) be a tag with \(\rho =(\varLambda _d,\varGamma _d,\varPhi _d)\in \mathbb {Z}_p\times \mathbb {G}_d^2\). \(\mathsf {Ver}\) proceeds as follows.

    1. Run \(\mathsf {S.Ver}(\mathsf {vk},\mathsf {pp}_\varDelta ,\sigma _\varDelta )\) to check whether \(\sigma _\varDelta \) is a valid signature on \(\mathsf {pp}_\varDelta \). If \(\sigma _\varDelta \) is valid, continue with the next step. Otherwise, stop and return 0 (reject).

    2. Evaluate the circuit f on the values \((R_{\tau _1},\dots ,R_{\tau _n})\) to obtain \(R=f(R_{\tau _1},\dots ,R_{\tau _n})\in \mathbb {G}_d\).

    3. Check the following three equations:

      $$\begin{aligned} e(R\cdot h_d^{-m},g_d^{a^{d-1}b^d})=e(\varLambda _d,g_d) \end{aligned}$$
      (1)
      $$\begin{aligned} e(\varLambda _d,A_1)=e(\varGamma _d,g_1) \end{aligned}$$
      (2)
      $$\begin{aligned} C_d^{x^d}=\varPhi _d \end{aligned}$$
      (3)

    Output 1 only if the above three equations are satisfied.
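The following is an added exponent-space model of the construction above (not the paper's code): a group element \(g_i^e\) is stored as the pair (i, e), so the multilinear map becomes multiplication of exponents, and the degree-2 polynomial 3·m1·m2 + m2·m3 is pushed through Auth, Eval and Ver while exercising the gate invariants used in the correctness proof of Section 6.1. The prime p, the PRF, the signature and \(C_d=g_d^{(ab)^d}\) are assumed stand-ins, the third check uses the exponent \(x^d m\) because \(\varPhi _1=h_1^{abm}\) carries m, and since the model exposes exponents it is a correctness check, not a secure implementation.

```python
# Added example, not the paper's code: an exponent-space model of PHMAC. A group
# element g_i^e of G_i is the pair (i, e), e in Z_p, so the multilinear map
# e(g_i^u, g_j^v) = g_{i+j}^{uv} is (i, u), (j, v) -> (i+j, u*v mod p). This checks
# the algebra of Auth/Eval/Ver (evaluation correctness); it is NOT secure, since a
# real verifier cannot see exponents. p, the PRF and the signature are stand-ins.
import hmac
import secrets

P = 2**61 - 1          # constructed prime standing in for p > 2^lambda
G1 = (1, 1)            # the generator g_1 of G_1

def pair(u, v):        # e_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab}
    (i, a), (j, b) = u, v
    return (i + j, a * b % P)

def gmul(u, v):        # g_i^a * g_i^b = g_i^{a+b}, same level only
    assert u[0] == v[0]
    return (u[0], (u[1] + v[1]) % P)

def gpow(u, c):        # (g_i^a)^c = g_i^{ac}; c may be negative
    return (u[0], u[1] * c % P)

def prf(K, delta):     # stand-in for F_K(Delta) -> (a, b) in Z_p^2 (HMAC-SHA512 assumed)
    h = hmac.new(K, delta, "sha512").digest()
    a = int.from_bytes(h[:16], "big") % (P - 1) + 1
    b = int.from_bytes(h[16:32], "big") % (P - 1) + 1
    return a, b

def sign(sik, pp):     # stand-in for S.Sign(sik, pp_Delta) (HMAC-SHA256 assumed)
    return hmac.new(sik, repr(pp).encode(), "sha256").digest()

# A circuit f is a function f(ops, inputs); the same f is run over Z_p (the result),
# over the public R_tau (Ver step 2) and over tags rho (GateEval in Eval step 2).
class FieldOps:
    add = staticmethod(lambda s, t: (s + t) % P)
    cmul = staticmethod(lambda s, c: s * c % P)
    mul = staticmethod(lambda s, t: s * t % P)

class GroupOps:
    add, cmul, mul = staticmethod(gmul), staticmethod(gpow), staticmethod(pair)

class TagOps:
    @staticmethod
    def add(r1, r2):   # addition gate: componentwise product
        return tuple(gmul(u, v) for u, v in zip(r1, r2))
    @staticmethod
    def cmul(r1, c):   # multiplication by a constant c
        return tuple(gpow(u, c) for u in r1)
    @staticmethod
    def mul(r1, r2):   # multiplication gate, exactly the formulas of Eval step 2
        (L1, Ga1, F1), (L2, Ga2, F2) = r1, r2
        Ld = gmul(gmul(pair(L1, Ga2), pair(L1, F2)), pair(F1, L2))
        Gd = gmul(gmul(pair(Ga1, Ga2), pair(Ga1, F2)), pair(F1, Ga2))
        return (Ld, Gd, pair(F1, F2))

def keygen(labels):
    x = secrets.randbelow(P - 1) + 1
    sk = {"sik": secrets.token_bytes(32), "K": secrets.token_bytes(32), "x": x}
    pk = {"h1": gpow(G1, x), "R": {t: (1, secrets.randbelow(P - 1) + 1) for t in labels}}
    return sk, pk

def auth(sk, pk, delta, tau, m):
    a, b = prf(sk["K"], delta)
    pp = (delta, gpow(G1, a), gpow(G1, b), gpow(G1, a * b % P))   # (Delta, A_1, B_1, C_1)
    L1 = gpow(gmul(pk["R"][tau], gpow(pk["h1"], -m)), b)          # Lambda_1 = (R_tau h_1^{-m})^b
    Ga1 = gpow(L1, a)                                             # Gamma_1 = Lambda_1^a
    F1 = gpow(pk["h1"], a * b % P * m % P)                        # Phi_1 = h_1^{abm}
    return (pp, sign(sk["sik"], pp), (L1, Ga1, F1))

def evaluate(pk, f, tags):
    pp, sig, _ = tags[0]                      # Eval step 1: keep pp_Delta and sigma_Delta
    return (pp, sig, f(TagOps, [t[2] for t in tags]))

def verify(sk, pk, f, labels, delta, m, tag):
    pp, sig, (Ld, Gd, Fd) = tag
    if pp[0] != delta or not hmac.compare_digest(sig, sign(sk["sik"], pp)):
        return 0                                                  # Ver step 1
    a, b = prf(sk["K"], delta)
    x = sk["x"]
    R = f(GroupOps, [pk["R"][t] for t in labels])                 # Ver step 2: R = f(R_tau1, ...)
    d = R[0]                                                      # degree of f
    if (Ld[0], Gd[0], Fd[0]) != (d, d, d):
        return 0
    hd, gd = (d, pow(x, d, P)), (d, 1)                            # h_d = g_d^{x^d}, g_d
    Cd = (d, pow(a * b % P, d, P))                                # C_d = g_d^{(ab)^d} (assumed)
    w = (d, pow(a, d - 1, P) * pow(b, d, P) % P)                  # g_d^{a^{d-1} b^d}
    eq1 = pair(gmul(R, gpow(hd, -m)), w) == pair(Ld, gd)          # Eq. (1)
    eq2 = pair(Ld, pp[1]) == pair(Gd, G1)                         # Eq. (2), A_1 from pp_Delta
    # Eq. (3): Phi_d = g_d^{x^d a^d b^d m} carries m, so the exponent used is x^d * m.
    eq3 = gpow(Cd, pow(x, d, P) * m % P) == Fd
    return int(eq1 and eq2 and eq3)

def f_demo(ops, v):    # homogeneous degree-2 polynomial 3*m1*m2 + m2*m3 (constructed)
    return ops.add(ops.cmul(ops.mul(v[0], v[1]), 3), ops.mul(v[1], v[2]))

def demo():
    labels, delta, msgs = ["t1", "t2", "t3"], b"dataset-1", [5, 7, 11]
    sk, pk = keygen(labels)
    tags = [auth(sk, pk, delta, t, m) for t, m in zip(labels, msgs)]
    result = f_demo(FieldOps, msgs)           # the server's claimed output, 182
    sigma = evaluate(pk, f_demo, tags)
    return (result, verify(sk, pk, f_demo, labels, delta, result, sigma),
            verify(sk, pk, f_demo, labels, delta, result + 1, sigma))
```

Running `demo()` returns `(182, 1, 0)`: the honest output verifies and a result off by one is rejected; a tag issued under a different data set identifier is rejected at step 1.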

6 Security Analysis

6.1 Correctness

In this section we prove that our \(\mathsf {PHMAC}\) scheme satisfies the authentication correctness and evaluation correctness.

Theorem 1

The scheme \(\mathsf {PHMAC}\) satisfies the authentication correctness property.

Proof

For a freshly generated tag \(\sigma \leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta ,\tau ,m)\) where \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho =(\varLambda ,\varGamma ,\varPhi ))\), we can see that \(\mathsf {Ver}(\mathsf {sk},\mathcal {I}_{(\varDelta ,\tau )},m,\sigma )\) outputs 1 by observing that the regular signature \(\sigma _\varDelta \) verifies correctly for \(\mathsf {pp}_\varDelta \) and \(\varDelta \), and that \(\varLambda _1=(R_\tau h_1^{-m})^b,\varGamma _1=\varLambda _1^a\).    \(\square \)

Theorem 2

The scheme \(\mathsf {PHMAC}\) satisfies the evaluation correctness property.

Proof

Let \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho )\) be the tag output by the \(\mathsf {Eval}\) algorithm on input \(\mathsf {vk}\), a circuit f and tags \(\sigma _1,\dots ,\sigma _n\) on \((\mathcal {P}_1,\varDelta ,\tau _1,m_1),\dots ,(\mathcal {P}_n,\varDelta ,\tau _n,m_n)\). By construction \((\mathsf {pp}_\varDelta ,\sigma _\varDelta )\) is passed through unchanged by \(\mathsf {Eval}\) and therefore still verifies. We thus focus on proving that the value \(\rho \) satisfies the three verification Eqs. (1), (2) and (3).

Let \(\rho _i=(\varLambda _{d_i}^{(i)},\varGamma _{d_i}^{(i)},\varPhi _{d_i}^{(i)})\) for \(i=1,\dots ,n\), where \(d_i\) is the degree of \(\mathcal {P}_i\), and let \((a,b)\leftarrow F_K(\varDelta )\). Since every \(\rho _i\) satisfies the three equations, we have \(\varLambda _{d_i}^{(i)}=(g_{d_i}^{r_i-x^{d_i}m_i})^{a^{d_i-1}b^{d_i}}\), \(\varGamma _{d_i}^{(i)}=(g_{d_i}^{r_i-x^{d_i}m_i})^{a^{d_i}b^{d_i}}\) and \(\varPhi _{d_i}^{(i)}=g_{d_i}^{x^{d_i}a^{d_i}b^{d_i}m_i}\), where \(r_i\) is the discrete logarithm in base \(g_{d_i}\) of the value \(R_i\in \mathbb {G}_{d_i}\) obtained by applying the circuit of \(\mathcal {P}_i\) to the values \(\{R_\tau \}_{\tau \in \mathcal {P}_i}\).

We now show that the above conditions are preserved by every gate \(f_g\) of the circuit f. Let \(\rho _1=(\varLambda _i^{(1)},\varGamma _i^{(1)},\varPhi _i^{(1)})\in \mathbb {G}_i^3\) and \(\rho _2=(\varLambda _j^{(2)},\varGamma _j^{(2)},\varPhi _j^{(2)})\in \mathbb {G}_j^3\) be valid tags as defined above, namely \(\varLambda _i^{(1)}=(g_i^{r_1-x^i m_1})^{a^{i-1}b^i},\,\varGamma _i^{(1)}=(\varLambda _i^{(1)})^a,\,\varPhi _i^{(1)}=g_i^{x^i a^i b^i m_1}\) and \(\varLambda _j^{(2)}=(g_j^{r_2-x^j m_2})^{a^{j-1}b^j},\,\varGamma _j^{(2)}=(\varLambda _j^{(2)})^a,\,\varPhi _j^{(2)}=g_j^{x^j a^j b^j m_2}\). The conditions hold for both addition and multiplication gates. For addition gates, whose two inputs lie at the same level (\(j=i\)), we have:

  • \(\varLambda _i=\varLambda _i^{(1)}\times \varLambda _i^{(2)}=[g_i^{r_1+r_2-x^i(m_1+m_2)}]^{a^{i-1}b^i}\),

  • \(\varGamma _i=\varGamma _i^{(1)}\times \varGamma _i^{(2)}=[g_i^{r_1+r_2-x^i(m_1+m_2)}]^{a^{i}b^i},\, \varPhi _i=\varPhi _i^{(1)}\times \varPhi _i^{(2)}=g_i^{x^i a^i b^i (m_1+m_2)}\).

For multiplication gates, let \(d=i+j\), then we have:

$$\begin{aligned} \varLambda _d&= e(\varLambda _i^{(1)},\varGamma _j^{(2)})\cdot e(\varLambda _i^{(1)},\varPhi _j^{(2)})\cdot e(\varPhi _i^{(1)},\varLambda _j^{(2)})\\&= e((g_i^{r_1-x^i m_1})^{a^{i-1}b^i},(g_j^{r_2-x^j m_2})^{a^j b^j})\cdot e((g_i^{r_1-x^i m_1})^{a^{i-1}b^i},g_j^{a^j b^j x^j m_2})\cdot \\&e(g_i^{a^i b^i x^i m_1},(g_j^{r_2-x^j m_2})^{a^{j-1}b^j})\\&= [g_d^{(r_1-x^i m_1)(r_2-x^j m_2)}\cdot g_d^{(r_1-x^i m_1)x^j m_2}\cdot g_d^{x^i m_1(r_2-x^j m_2)}]^{a^{d-1}b^d}\\&= [g_d^{(r_1 r_2-x^d m_1 m_2)}]^{a^{d-1}b^d} \end{aligned}$$

\(\varGamma _d=e(\varGamma _i^{(1)},\varGamma _j^{(2)})\cdot e(\varGamma _i^{(1)},\varPhi _j^{(2)})\cdot e(\varPhi _i^{(1)},\varGamma _j^{(2)})=[g_d^{(r_1 r_2-x^d m_1 m_2)}]^{a^d b^d}\)

\(\varPhi _d=e(\varPhi _i^{(1)},\varPhi _j^{(2)})=e(g_i^{x^i a^i b^i m_1},g_j^{x^j a^j b^j m_2})=g_d^{x^d a^d b^d m_1 m_2}\)    \(\square \)

6.2 Unforgeability

In this section we prove that our \(\mathsf {PHMAC}\) scheme satisfies unforgeability.

Theorem 3

If \(\mathsf {S}\) is an unforgeable signature scheme, F is a pseudorandom function, and \(\mathcal {G}\) is the generator of 2k-linear groups such that the 2k-APMDH assumption holds for \(\mathcal {G}\), then the scheme \(\mathsf {PHMAC}\) is unforgeable for homogeneous polynomials of degree k.

Proof

To prove the theorem we show that the probability that any PPT adversary \(\mathcal {A}\) wins the experiment \(\mathsf {PHomUF}\)-\(\mathsf {CMA}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) is negligible. By \(W_i(\mathcal {A})\) we denote the event that \(\mathcal {A}\) wins in the experiment defined by Hybrid i, i.e. the challenger outputs 1, and by \(\varepsilon _i\) the event that in that experiment the adversary returns a Type-2 forgery.

  • Hybrid 0 is the experiment \(\mathsf {PHomUF}\)-\(\mathsf {CMA}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\).

  • Hybrid 1 is like Hybrid 0 except that the PRF F is replaced by a truly random function \(\mathcal {R}:\{0,1\}^*\rightarrow \mathbb {Z}_p^2\). By the pseudorandomness of F, Hybrid 0 and Hybrid 1 are computationally indistinguishable: there exists a PPT distinguisher \(\mathcal {S}\) such that \(|\Pr [W_0(\mathcal {A})]-\Pr [W_1(\mathcal {A})]|\le \mathrm {Adv}_{F,\mathcal {S}}^{PRF}(\lambda )\).

  • Hybrid 2 is like Hybrid 1 except that if the adversary returns a valid forgery \(\sigma ^*=(\mathsf {pp}_{\varDelta ^*}^*,\sigma _{\varDelta ^*}^*,\rho ^*)\) such that \(\mathsf {pp}_{\varDelta ^*}^*\) was not generated by the challenger during the query phase, then Hybrid 2 outputs 0 (reject). We call this event \(\mathsf {Bad_1}\). The two games differ only if \(\mathsf {Bad_1}\) occurs, so \(|\Pr [W_1(\mathcal {A})]-\Pr [W_2(\mathcal {A})]|\le \Pr [\mathsf {Bad_1}]\). If \(\mathsf {Bad_1}\) occurs, the adversary has produced a valid signature \(\sigma _{\varDelta ^*}^*\) on a message \(\mathsf {pp}_{\varDelta ^*}^*\) that was never signed by the challenger, i.e. it has broken the unforgeability of the signature scheme \(\mathsf {S}\). Thus for any PPT adversary \(\mathcal {A}\) there exists a forger \(\mathcal {D}\) such that \(\Pr [\mathsf {Bad_1}]\le \mathrm {Adv}_{\mathsf {S},\mathcal {D}}^{\mathsf {UF-CMA}}(\lambda )\).

Now, if we prove Claim 1 below, namely that the adversary wins in Hybrid 2 only with negligible probability under the 2k-APMDH assumption, then we have

$$\begin{aligned} \mathrm {Adv}_{\mathcal {A},\mathsf {PHMAC}}^{\mathsf {PHomUF-CMA}}(\lambda )\le Q\cdot \mathrm {Adv}_\mathcal {B}^{APMDH}(\lambda )+\mathrm {Adv}_{F,\mathcal {S}}^{PRF}(\lambda )+\mathrm {Adv}_{\mathsf {S},\mathcal {D}}^{\mathsf {UF-CMA}}(\lambda ), \end{aligned}$$

thus we complete the proof of Theorem 3.

Claim 1

\(\Pr [W_2(\mathcal {A})]\le Q\cdot \mathrm {Adv}_\mathcal {B}^{APMDH}(\lambda )\).

Proof

Suppose \(\Pr [W_2(\mathcal {A})]\ge \epsilon \) for some non-negligible \(\epsilon \). We use \(\mathcal {A}\) to construct a PPT algorithm \(\mathcal {B}\) whose advantage \(\mathrm {Adv}_\mathcal {B}^{APMDH}(\lambda )\) is at least \(\epsilon /Q\), where \(Q=\mathsf {poly}(\lambda )\) is an upper bound on the number of authentication queries asked by \(\mathcal {A}\).

\(\mathcal {B}_{APMDH}(g_1,g_1^a,g_1^b,g_1^{ab},g_1^x,g_1^{xa},g_1^{xab})\):

  • Setup. \(\mathcal {A}\) first outputs the tuples \(\{m_{\tau ,i}\}_{\tau \in \mathcal {L}}\) for \(i=1,\dots ,Q\), with \(m_{\tau ,i}\in \mathbb {Z}_p\). \(\mathcal {B}\) then chooses \(\nu \xleftarrow {\$}[Q]\) uniformly at random, as a guess of the query index of the dataset \(\varDelta ^*\) that \(\mathcal {A}\) will use in its Type-2 forgery. Next, \(\mathcal {B}\) generates \((\mathsf {sik},\mathsf {vk})\leftarrow \mathsf {S.KeyGen}(1^\lambda )\) and sets \(h_1=g_1^x\) from its challenge input. For every \(\tau \in \mathcal {L}\), it chooses \(r_\tau \xleftarrow {\$}\mathbb {Z}_p\) and computes \(R_\tau =g_1^{r_\tau }h_1^{m_{\tau ,\nu }}\). Finally, it gives the public key \(\mathsf {pk}=(\mathsf {vk},g_1,h_1,\{R_\tau \}_{\tau \in \mathcal {L}})\) to \(\mathcal {A}\).

  • Authentication queries. For every new queried dataset \(\varDelta \), \(\mathcal {B}\) creates a list \(L_\varDelta \) of tuples \((\tau ,m,\sigma )\). On the i-th query \(\varDelta _i\), \(\mathcal {B}\) proceeds as follows:

    • If \(i\ne \nu \), \(\mathcal {B}\) runs the real authentication algorithm with fresh random \((a_i,b_i)\) (as in Hybrid 1, where F is a random function): \(\sigma _{\tau ,i}\leftarrow \mathsf {Auth}(\mathsf {sk},\varDelta _i,\tau ,m_{\tau ,i})\) for every \(\tau \in \mathcal {L}\). It then updates \(L_{\varDelta _i}\leftarrow L_{\varDelta _i}\cup \{(\tau ,m_{\tau ,i},\sigma _{\tau ,i})\}\) and returns \(\{\sigma _{\tau ,i}\}_{\tau \in \mathcal {L}}\) to \(\mathcal {A}\).

    • If \(i=\nu \), \(\mathcal {B}\) generates \(\mathsf {pp}_{\varDelta _\nu }=(\varDelta _\nu ,A_1,B_1,C_1)\) by setting \(A_1=g_1^a,\,B_1=g_1^b,\,C_1=g_1^{ab}\) from its challenge input, and computes \(\sigma _{\varDelta _\nu }\leftarrow \mathsf {S.Sign}(\mathsf {sik},\mathsf {pp}_{\varDelta _\nu })\). To simulate \(\rho _{\tau ,\nu }\) for every \(\tau \in \mathcal {L}\), \(\mathcal {B}\) computes \(\varLambda _1=(R_\tau h_1^{-m_{\tau ,\nu }})^b=(g_1^b)^{r_\tau }\), \(\varGamma _1=\varLambda _1^a=(g_1^{ab})^{r_\tau }\) and \(\varPhi _1=(g_1^{xab})^{m_{\tau ,\nu }}\), all from its challenge input, and sets \(\sigma _{\tau ,\nu }=(\mathsf {pp}_{\varDelta _\nu },\sigma _{\varDelta _\nu },\rho _{\tau ,\nu })\). It then updates \(L_{\varDelta _\nu }\leftarrow L_{\varDelta _\nu }\cup \{(\tau ,m_{\tau ,\nu },\sigma _{\tau ,\nu })\}\) and returns \(\{\sigma _{\tau ,\nu }\}_{\tau \in \mathcal {L}}\) to \(\mathcal {A}\).

  • Verification queries. For each query \((\mathcal {P}_\varDelta ,m,\sigma )\) from \(\mathcal {A}\), where \(\sigma =(\mathsf {pp}_\varDelta ,\sigma _\varDelta ,\rho )\) and \(\rho =(\varLambda _d,\varGamma _d,\varPhi _d)\), \(\mathcal {B}\) first verifies that \(\sigma _\varDelta \) is a valid signature on \(\mathsf {pp}_\varDelta \) under \(\mathsf {vk}\). If so, \(\mathcal {B}\) uses \(A_1,B_1,C_1\) and \(g_1^{xab}\) to check whether the three verification Eqs. (1), (2), (3) hold. If all conditions are satisfied, \(\mathcal {B}\) returns 1 to \(\mathcal {A}\); otherwise it returns 0.

  • Forgery. Let \((\mathcal {P}_{\varDelta ^*}^*,m^*,\sigma ^*)\) be the forgery returned by \(\mathcal {A}\), where \(\sigma ^*=(\mathsf {pp}_{\varDelta ^*}^*,\sigma _{\varDelta ^*}^*,\rho ^*)\) and \(\rho ^*=(\varLambda _d^*,\varGamma _d^*,\varPhi _d^*)\). Note that \(\mathsf {pp}_{\varDelta ^*}^*\) was generated by \(\mathcal {B}\) earlier, since \(\mathsf {Bad_1}\) does not occur in Hybrid 2.

    If \(\varDelta ^*\ne \varDelta _\nu \), \(\mathcal {B}\) aborts the simulation. Otherwise, it proceeds as follows:

    1. \(\mathcal {B}\) computes \(\bar{\sigma }\leftarrow \mathsf {Eval}(\mathsf {pk},f^*,\{\sigma _{\tau ,\nu }\}_{\tau \in \mathcal {L}})\) on the previously generated tags, where \(\bar{\sigma }=(\mathsf {pp}_{\varDelta ^*},\sigma _{\varDelta ^*},\bar{\rho })\), \(\bar{\rho }=(\bar{\varLambda }_d,\bar{\varGamma }_d,\bar{\varPhi }_d)\), and \(\bar{m}=f^*(m_{\tau _1,\nu },\dots ,m_{\tau _n,\nu })\) is the honestly computed result. By evaluation correctness, we have

      $$\begin{aligned} \begin{array}{c} e(R\cdot h_d^{-\bar{m}},g_d^{a^{d-1}b^d})=e(\bar{\varLambda }_d,g_d)\,\text {where}\, R=f(R_{\tau _1},\dots ,R_{\tau _n}) \\ e(\bar{\varLambda }_d,A_1)=e(\bar{\varGamma }_d,g_1) \end{array} \end{aligned}$$
      (4)

      For \(\sigma ^*\), we also have

      $$\begin{aligned} \begin{array}{c} e(R\cdot h_d^{-m^*},g_d^{a^{d-1}b^d})=e(\varLambda _d^*,g_d)\,\text {where}\, R=f(R_{\tau _1},\dots ,R_{\tau _n}) \\ e(\varLambda _d^*,A_1)=e(\varGamma _d^*,g_1) \end{array} \end{aligned}$$
      (5)
    2. Dividing Eq. (4) by Eq. (5) gives \(e(h_d^{\,m^*-\bar{m}},g_d^{a^{d-1}b^d})=e(\bar{\varLambda }_d/\varLambda _d^*,g_d)\), so \(\mathcal {B}\) can compute \(h_d^{a^{d-1}b^d}=(\bar{\varLambda }_d/\varLambda _d^*)^\eta \) with \(\eta =(m^*-\bar{m})^{-1}\bmod p\); note that \(m^*\ne \bar{m}\) by the definition of a Type-2 forgery. Finally, \(\mathcal {B}\) computes and outputs \(h_{2k}^{a^{2k-1}b^{2k}}=e(h_d^{a^{d-1}b^d},D_{2k-d})\), where \(D_{2k-d}=g_{2k-d}^{x^{2k-d}a^{2k-d}b^{2k-d}}\) is obtained from the challenge element \(g_1^{xab}\) by repeated pairing (\(2k-d\) factors).

To complete the proof, observe that \(\mathcal {B}\) succeeds only if it does not abort in the forgery phase. Since the index \(\nu \) is perfectly hidden from \(\mathcal {A}\), \(\mathcal {B}\) does not abort with probability at least 1/Q. Therefore, if \(\mathcal {A}\) wins in Hybrid 2 with probability at least \(\epsilon \), then \(\mathcal {B}\) has advantage \(\mathrm {Adv}_\mathcal {B}^{APMDH}(\lambda )\ge \epsilon /Q\).    \(\square \)
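The gate-by-gate identities of the evaluation correctness proof, the three checks of \(\mathsf {Ver}\), and step 2 of the reduction above can all be checked mechanically by modelling the graded group at the level of exponents. The following Python program is an added example and is not code from the paper: it represents \(g_d^u\) as the pair \((d,u\bmod p)\) so that the map e simply multiplies exponents, implements \(\mathsf {Auth}\), the addition and multiplication gates of \(\mathsf {Eval}\), and \(\mathsf {Ver}\) with Eqs. (1)-(3), and then recovers \(h_d^{a^{d-1}b^d}\) from an honest tag and a second valid tag on a different message for the same program, exactly as \(\mathcal {B}\) does. Everything not fixed by the text is an assumption of the example: the names (Elem, auth, verify, extract, forge_tag, demo), the choice \(R_\tau =g_1^{r_\tau }\) for random \(r_\tau \), fresh random \((a,b)\) per dataset in place of \(F_K(\varDelta )\), the omitted ordinary signature on \(\mathsf {pp}_\varDelta \), and the toy prime. Because every exponent is visible, the model has no security at all; it only confirms the algebra.

```python
"""Exponent-level toy model of the PHMAC algebra (added example, not the paper's code).
g_d^u is stored as (d, u mod p) and e((i,u),(j,v)) = (i+j, u*v): the exponent arithmetic
of the correctness proof, NOT a secure instantiation. Assumptions not fixed by the text:
R_tau = g_1^{r_tau} with random r_tau, (a,b) drawn fresh per dataset in place of
F_K(Delta), the ordinary signature on pp_Delta omitted, and a toy prime p."""
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1                               # toy prime group order

def rb():                                        # random nonzero scalar
    return secrets.randbelow(P - 1) + 1

@dataclass(frozen=True)
class Elem:                                      # g_level^u stored as its log u mod P
    level: int
    u: int
    def __mul__(self, o):                        # group law in G_level
        assert self.level == o.level, "addition gates need equal levels"
        return Elem(self.level, (self.u + o.u) % P)
    def __pow__(self, k):                        # scalar exponentiation (k may be negative)
        return Elem(self.level, (self.u * k) % P)

def e(x, y):                                     # graded map G_i x G_j -> G_{i+j}
    return Elem(x.level + y.level, (x.u * y.u) % P)

def keygen(labels):                              # x: h_1 = g_1^x; r: R_tau = g_1^{r_tau}; ab: per-dataset (a, b)
    return {"x": rb(), "r": {t: rb() for t in labels}, "ab": {}}

def ab_of(keys, delta):                          # stands in for (a, b) <- F_K(Delta)
    return keys["ab"].setdefault(delta, (rb(), rb()))

def h(keys, d):                                  # h_d = g_d^{x^d}
    return Elem(d, pow(keys["x"], d, P))

def pp(keys, delta):                             # pp_Delta = (A_1, B_1, C_1)
    a, b = ab_of(keys, delta)
    return Elem(1, a), Elem(1, b), Elem(1, a * b % P)

def C(keys, delta, d):                           # C_d = g_d^{a^d b^d}: d-1 pairings of C_1
    c1 = out = pp(keys, delta)[2]
    for _ in range(d - 1):
        out = e(out, c1)
    return out

def run(f, leaf, add, mul):                      # circuit: ("in",tau) | ("add",f,f) | ("mul",f,f)
    if f[0] == "in":
        return leaf(f[1])
    l, r = run(f[1], leaf, add, mul), run(f[2], leaf, add, mul)
    return add(l, r) if f[0] == "add" else mul(l, r)

def R_of(keys, f):                               # R = f(R_tau1, ..., R_taun) in G_d
    return run(f, lambda t: Elem(1, keys["r"][t]), lambda u, v: u * v, e)

def auth(keys, delta, tau, m):
    a, b = ab_of(keys, delta)
    lam = (Elem(1, keys["r"][tau]) * h(keys, 1) ** (-m)) ** b   # Lambda_1 = (R_tau h_1^{-m})^b
    return lam, lam ** a, h(keys, 1) ** (a * b * m)            # Gamma_1 = Lambda_1^a, Phi_1 = h_1^{abm}

def add_gate(t1, t2):                            # componentwise product at equal level
    return tuple(u * v for u, v in zip(t1, t2))

def mul_gate(t1, t2):                            # the three-pairing formulas of the proof
    (l1, g1, p1), (l2, g2, p2) = t1, t2
    return (e(l1, g2) * e(l1, p2) * e(p1, l2),
            e(g1, g2) * e(g1, p2) * e(p1, g2), e(p1, p2))

def verify(keys, delta, f, m, tag):              # Ver: Eqs. (1)-(3); note the exponent m in Eq. (3)
    (lam, gam, phi), (A1, B1, _) = tag, pp(keys, delta)
    d, Rf = lam.level, R_of(keys, f)
    if Rf.level != d:
        return False
    G = e(C(keys, delta, d - 1), B1) if d > 1 else B1       # g_d^{a^{d-1} b^d} = e(C_{d-1}, B_1)
    eq1 = e(Rf * h(keys, d) ** (-m), G) == e(lam, Elem(d, 1))
    eq2 = e(lam, A1) == e(gam, Elem(1, 1))
    eq3 = (C(keys, delta, d) ** pow(keys["x"], d, P)) ** m == phi
    return eq1 and eq2 and eq3

def extract(tag_bar, m_bar, tag_star, m_star):   # reduction step 2: (Lambda_bar / Lambda*)^eta
    eta = pow((m_star - m_bar) % P, -1, P)
    return (tag_bar[0] * tag_star[0] ** (-1)) ** eta

def forge_tag(keys, delta, f, m_star):           # Type-2 forgery built with the secrets, to exercise extract()
    (a, b), Rf = ab_of(keys, delta), R_of(keys, f)
    d = Rf.level
    lam = (Rf * h(keys, d) ** (-m_star)) ** (pow(a, d - 1, P) * pow(b, d, P))
    return lam, lam ** a, h(keys, d) ** (pow(a, d, P) * pow(b, d, P) * m_star)

def demo():
    keys, delta = keygen(["t1", "t2", "t3"]), "dataset-1"
    msgs = {"t1": 7, "t2": 11, "t3": 13}                     # constructed inputs
    tags = {t: auth(keys, delta, t, m) for t, m in msgs.items()}
    f = ("add", ("mul", ("in", "t1"), ("in", "t2")),         # m1*m2 + m1*m3: homogeneous, degree 2
               ("mul", ("in", "t1"), ("in", "t3")))
    m = run(f, msgs.__getitem__, lambda u, v: (u + v) % P, lambda u, v: (u * v) % P)
    tag = run(f, tags.__getitem__, add_gate, mul_gate)       # Eval over the tags
    forged, (a, b) = forge_tag(keys, delta, f, m + 5), ab_of(keys, delta)
    target = h(keys, 2) ** (a * b * b)                       # h_2^{a b^2}, the value step 2 recovers
    return (m, verify(keys, delta, f, m, tag), verify(keys, delta, f, m + 1, tag),
            verify(keys, delta, f, m + 5, forged), extract(tag, m, forged, m + 5) == target)
```

`demo()` returns the evaluated result 168, then True for the honest tag, False for the same tag against a tampered result, True for the forged tag (which is valid, since it was built with the secrets), and True for the extraction matching \(h_2^{ab^2}\). Dropping the exponent m from the third check in `verify` makes the honest tag fail for every m other than 1, which is why Eq. (3) has to be read as \((C_d^{x^d})^m=\varPhi _d\).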

6.3 Privacy

In this section we prove that our \(\mathsf {PHMAC}\) scheme satisfies privacy.

Theorem 4

If F is a pseudorandom function and the discrete logarithm problem is hard in the group \(\mathbb {G}_1\), then the scheme \(\mathsf {PHMAC}\) satisfies privacy for homogeneous polynomials of degree k.

Proof

To prove the above theorem, we show that the advantage for any PPT adversary \(\mathcal {A}\) of winning the experiment \(\mathsf {PHomUF}\)-\(\mathsf {Pri}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) is negligible. By \(W_i(\mathcal {A})\) we denote the event that adversary \(\mathcal {A}\) wins in the experiment defined by Hybrid i.

  • Hybrid 0 is the experiment \(\mathsf {PHomUF}\)-\(\mathsf {Pri}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\).

  • Hybrid 1 is like Hybrid 0 except that the PRF F is replaced by a truly random function \(\mathcal {R}:\{0,1\}^*\rightarrow \mathbb {Z}_p^2\). By the pseudorandomness of F, Hybrid 0 and Hybrid 1 are computationally indistinguishable, namely \(|\Pr [W_0(\mathcal {A})]-\Pr [W_1(\mathcal {A})]|\le \mathrm {Adv}_{F,\mathcal {S}}^{PRF}(\lambda )\) for some PPT distinguisher \(\mathcal {S}\).

In Hybrid 1, the challenge authenticator is \(\sigma ^*=(\mathsf {pp}_{\varDelta ^*},\sigma _{\varDelta ^*},(\varLambda ^*,\varGamma ^*,\varPhi ^*))\) with \(\varLambda ^*=(R_{\tau ^*}h_1^{-m_\gamma ^*})^{b^*}\), \(\varGamma ^*=(R_{\tau ^*}h_1^{-m_\gamma ^*})^{a^*b^*}\) and \(\varPhi ^*=h_1^{a^*b^*m_\gamma ^*}\). Since \((a^*,b^*)\leftarrow \mathcal {R}(\varDelta ^*)\) are uniformly random, \(\varLambda ^*\), \(\varGamma ^*\) and \(\varPhi ^*\) are random elements of \(\mathbb {G}_1\) in \(\mathcal {A}\)'s view. Thus \(\mathcal {A}\) can win in Hybrid 1 only by solving the discrete logarithm problem in \(\mathbb {G}_1\) or by guessing, i.e. \(\Pr [W_1(\mathcal {A})]\le 1/2+\mathrm {Adv}_{\mathsf {dlog},\mathcal {D}}(\lambda )\). Putting the above together, for any PPT adversary \(\mathcal {A}\) in experiment \(\mathsf {PHomUF}\)-\(\mathsf {Pri}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) there exist PPT adversaries \(\mathcal {S}\) and \(\mathcal {D}\) such that:

$$\begin{aligned} \mathrm {Adv}_{\mathcal {A},\mathsf {PHMAC}}^{\mathsf {PHomUF-Pri}}(\lambda )=\left| \Pr [W_0(\mathcal {A})]-1/2\right| \le \mathrm {Adv}_{F,\mathcal {S}}^{PRF}(\lambda )+\mathrm {Adv}_{\mathsf {dlog},\mathcal {D}}(\lambda ) \end{aligned}$$

By our assumptions, the advantage of adversary \(\mathcal {A}\) in experiment \(\mathsf {PHomUF}\)-\(\mathsf {Pri}_{\mathcal {A},\mathsf {PHMAC}}(\lambda )\) is negligible, thus we complete the proof of Theorem 4.    \(\square \)

6.4 Efficiency Analysis

To evaluate the efficiency of our PHMAC scheme, we first observe that for any labeled program \(\mathcal {P}=(f,\mathbf {\tau })\), where \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\) has degree d and labels \(\mathbf {\tau }=(\tau _1,\dots ,\tau _n)\), the verifier can precompute the value \(\mathsf {vk}_\mathcal {P}\) as follows:

$$\begin{aligned} \mathsf {vk}_\mathcal {P}=(R,\, h_d,\, g_d^{a^{d-1}b^d},\, C_d^{x^d}), \end{aligned}$$

where \(R=f(R_{\tau _1},\dots ,R_{\tau _n})\in \mathbb {G}_d\) and \(g_d^{a^{d-1}b^d}=e(C_{d-1},B_1)\). Then, the computational complexity of the online verification for the same labeled program \(\mathcal {P}\) and any dataset \(\varDelta \) depends only on the complexity of computing the group operations and the bilinear maps in verification Eqs. (1), (2), (3), i.e. one exponentiation in \(\mathbb {G}_d\) and four pairings.

The cost of computing \(\mathsf {vk}_\mathcal {P}\) is thus paid once and amortized over many verifications of the same evaluation function on different datasets, while each online verification performs a constant number of exponentiations and pairings. Using current graded encoding schemes, this cost is essentially \(\mathsf {poly}(k,\log {n})\), which is much less than the cost of evaluating an n-variate homogeneous polynomial of degree k. Therefore, our PHMAC scheme achieves the efficiency property.

7 Discussion

Below, we discuss the applications of our PHMAC for homomorphic authenticator-encryption and verifiable computation.

Applying the Encrypt-and-MAC composition method, we obtain a general compiler that turns our PHMAC scheme and any homomorphic encryption scheme into a homomorphic authenticator-encryption scheme. Recall that homomorphic authenticator-encryption for a class F can be used to certify computations on authenticated data for any \(f\in F\) while guaranteeing data privacy. Consider a client who holds a data set \((m_1,\dots ,m_n)\) and wants an untrusted cloud server to evaluate a function f on \((m_1,\dots ,m_n)\) for her. She first runs PHMAC and the homomorphic encryption scheme to obtain message/authenticator/ciphertext triples \(\{m_i,\sigma _i,c_i\}_{i=1}^n\) and sends the authenticators and ciphertexts to the server. By running the evaluation algorithms of PHMAC and of the homomorphic encryption scheme respectively, the server obtains an encryption of the result \(f(m_1,\dots ,m_n)\) as well as its authenticator \(\sigma _{f(m_1,\dots ,m_n)}\). The client, who holds the secret keys of both PHMAC and the homomorphic encryption scheme, can decrypt the result \(f(m_1,\dots ,m_n)\) and then efficiently verify whether the server computed it honestly.

The process above is in fact an implementation of a homomorphic authenticator-encryption scheme: it simultaneously achieves privacy and authenticity for computations on outsourced data, and adds the favorable property of efficient verification. Since the problem of achieving homomorphic authenticator-encryption has also been studied under the notion of verifiable computation, our PHMAC likewise contributes to the field of verifiable computation.