Practical Homomorphic Message Authenticators for Arithmetic Circuits

Catalano, Dario; Fiore, Dario

doi:10.1007/s00145-016-9249-1

Practical Homomorphic Message Authenticators for Arithmetic Circuits

Published: 04 January 2017

Volume 31, pages 23–59, (2018)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Practical Homomorphic Message Authenticators for Arithmetic Circuits

Download PDF

Dario Catalano¹ &
Dario Fiore²

2961 Accesses
15 Citations
Explore all metrics

Abstract

Homomorphic message authenticators allow the holder of a (public) evaluation key to perform computations over previously authenticated data, in such a way that the produced tag $\sigma $ can be used to certify the authenticity of the computation. More precisely, a user, knowing the secret key $\mathsf{sk}$ used to authenticate the original data, can verify that $\sigma $ authenticates the correct output of the computation. This primitive has been recently formalized by Gennaro and Wichs, who also showed how to realize it from fully homomorphic encryption. In this paper, we show new constructions of this primitive that, while supporting a smaller set of functionalities (i.e., polynomially bounded arithmetic circuits as opposite to boolean ones), are much more efficient and easy to implement. Moreover, our schemes can tolerate any number of (malicious) verification queries. Our first construction relies on the sole assumption that one-way functions exist, allows for arbitrary composition (i.e., outputs of previously authenticated computations can be used as inputs for new ones) but has the drawback that the size of the produced tags grows with the degree of the circuit. Our second solution, relying on the D-Diffie-Hellman Inversion assumption, offers somewhat orthogonal features as it allows for very short tags (one single group element!) but poses some restrictions on the composition side.

De Bello Homomorphico: Investigation of the extensibility of the OpenFHE library with basic mathematical functions by means of common approaches using the example of the CKKS cryptosystem

Article Open access 27 November 2023

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Article Open access 22 June 2021

Homomorphic Encryption for Arithmetic of Approximate Numbers

1 Introduction

Cloud Computing allows a user to outsource his data to remote service providers in such a way that he can later access the data from multiple platforms (e.g., his desktop at work, his laptop, his smartphone, etc.), and virtually from everywhere. Moreover, using this paradigm, even clients with very limited storage capacity (e.g., smart phones) can have access “on demand” to very large amounts of data. Having access to the outsourced data does not necessarily mean only to retrieve such data. Indeed, a user may wish to perform a computation on (a subset of) the outsourced data, and this too can be delegated to the service provider. These and other benefits are the key to the success of Cloud Computing. The paradigm, however, raises security concerns essentially because cloud providers cannot always be trusted. One problem is related to preserving the privacy of the outsourced data. This question has been successfully addressed by the recent work on fully homomorphic encryption [31]. The second question deals with enforcing the authenticity of the computations performed on the outsourced data and is the focus of this work. In a nutshell, this problem can be described as follows. Assume that a client outsources a collection of data $m_1, \ldots , m_n$ to a server and later asks the server to run a program ${\mathcal {P}}$ over $(m_1, \ldots , m_n)$. The server computes $m {\leftarrow }{\mathcal {P}}(m_1, \ldots , m_n)$ and sends m to the client. The problem here is that the client wants to be sure that m is the value obtained by running ${\mathcal {P}}$ on its own data. A trivial solution would be to have the server send $m_1, \ldots , m_n$ to the client, who can then compute/check $m = {\mathcal {P}}(m_1, \ldots , m_n)$ by itself. This however vanishes the advantages of the outsourcing and is too costly in terms of bandwidth. Therefore, the main goal here is to find solutions in which the server can authenticate the output of the computation by sending some value whose size is much shorter than $m_1, \ldots , m_n$. This property is also motivated by the fact that, in spite of the continuous progress in increasing the computational power of small devices, bandwidth (especially in mobile data connections) seems to remain the most serious and expensive bottleneck.

The research community has recently put notable effort in developing new cryptographic tools that can help in solving this and related problems. This is the case, for instance, for works on verifiable computation [3, 23, 28, 33, 36, 38] and memory delegation [24].

Another line of research has explored the idea of enabling computation on authenticated data [2] by means of homomorphic authentication primitives.

In the public key setting, Boneh and Freeman introduced the notion of (fully) homomorphic signatures [12]. Roughly speaking, a homomorphic signature allows a user to generate signatures $\sigma _1, \ldots , \sigma _n$ on messages $m_1, \ldots , m_n$ so that later anyone (without knowledge of the signing key) can compute a signature $\sigma $ that is valid for the value $m = f(m_1, \ldots , m_n)$. Boneh and Freeman also showed a realization of homomorphic signatures for bounded (constant) degree polynomials, from ideal lattices.

Recently, Gennaro and Wichs proposed, formally defined and constructed the secret-key analogue of homomorphic signatures, that is homomorphic message authenticators (homomorphic MACs, for short) [30]. Their construction makes use of fully homomorphic encryption and allows to evaluate every circuit.

In this work, we continue the study of homomorphic MACs and propose new constructions which, while less general than that given in [30], are much more efficient.

Homomorphic Message Authenticators. Informally, a homomorphic MAC scheme enables a user to use his secret key for generating a tag $\sigma $ which authenticates a message m so that later, given a set of tags $\sigma _1, \ldots , \sigma _n$ authenticating messages $m_1, \ldots , m_n$, respectively, anyone can homomorphically execute a program ${\mathcal {P}}$ over $(\sigma _1, \ldots , \sigma _n)$ to generate a short tag $\sigma $ that authenticates m as the output of ${\mathcal {P}}(m_1, \ldots , m_n)$.

Given such a primitive, it is not hard to imagine how it can be employed to solve the problem of verifying computations on outsourced data. However, the above description needs some refinements, in particular to explain what does it mean to authenticate a message as the output of a program. To do this, Gennaro and Wichs introduce the notion of labeled data and programs. The label ${\tau }$ of a data m is some binary string ${\tau }$ chosen by the user to authenticate m, i.e., $\sigma {\leftarrow }\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$. One can think of labels as some indexing of the data. For example, assume that a company outsources a database with informations on its customers, in which each column contains a different attribute (e.g., age, expended amount, etc.). Then, to authenticate the “age” column of the database the user can define a label “(age, i)” for the age value in record i. On the other hand, a labeled program ${\mathcal {P}}$ is defined by a circuit f and a set of labels ${\tau }_1, \ldots , {\tau }_n$, one for each input wire of f. This can be seen as a way to specify on which inputs the circuit should be evaluated upon, without knowing the input values themselves. So, given a labeled program ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_n)$ and a set of tags $\sigma _1, \ldots , \sigma _n$ that authenticate messages $m_i$ under label ${\tau }_i$, anyone can run the homomorphic evaluation algorithm $\sigma {\leftarrow }\mathsf{Eval}({\mathcal {P}}, \sigma _1, \ldots , \sigma _n)$ whose output $\sigma $ will authenticate $m = {\mathcal {P}}(m_1, \ldots , m_n)$. Specifically, the secret-key verification algorithm takes as input a triple $(m, {\mathcal {P}}, \sigma )$ and verifies that m is the output of the program ${\mathcal {P}}$ run on some previously authenticated and labeled messages, without knowing such messages themselves.

Informally, homomorphic MACs are secure if any adversary who can adaptively query tags for messages of its choice cannot produce a valid tag $\sigma $ that authenticates m as the output of ${\mathcal {P}}$ unless $\sigma $ can be honestly computed by applying $\mathsf{Eval}$ on the queried tags.

Homomorphic MACs are also required to be succinct. Informally, succinctness requires that the output of ${\mathcal {P}}$ run over (previously) authenticated data can be certified with significantly less communication than that of sending the original inputs.

Another property one might want from homomorphic MACs is composability, which allows to combine tags authenticating previous computations to create a tag that authenticates a composition of such computations. More precisely, given tags $\sigma _1, \ldots , \sigma _t$ that authenticate $m_1, \ldots , m_t$ as the outputs of ${\mathcal {P}}_1, \ldots , {\mathcal {P}}_t$, respectively, composability allows to further compute $\sigma {\leftarrow }\mathsf{Eval}({\mathcal {P}}, \sigma _1, \ldots , \sigma _t)$ which authenticates $m = {\mathcal {P}}(m_1, \ldots , m_t)$ as the output of ${\mathcal {P}}^*$, the composed program obtained by running ${\mathcal {P}}$ on the outputs of ${\mathcal {P}}_1, \ldots , {\mathcal {P}}_t$.

1.1 Our Contribution

In this paper, we propose the first practically efficient constructions of homomorphic MACs. The most attractive feature of our schemes is that they are efficient, simple to implement and rely on well studied assumptions. Moreover, they are secure against PPT adversaries that can make an unbounded number of verification queries, as opposite to the construction in [30] that supports only an a-priori bounded number of verification queries (see next section for more details about this). On the negative side, our solution works only for functionalities that can be expressed as arithmetic circuits with certain additional restrictions that we describe below.

Our first construction is surprisingly simple and relies only on the existence of pseudorandom functions. While it offers arbitrary composition, it does not achieve full succinctness. More precisely, the size of the authentication tags grows with the degree d of the circuit,^{Footnote 1} and thus, we are able to guarantee succinct authenticators only when d is smaller than the input size n.

Our second construction enjoys succinct, constant-size tags (just one group element!) but only supports a limited form of composition. More precisely, for a fixed bound D (polynomial in the security parameter), the scheme allows to evaluate any arithmetic circuit of degree $d \le D$. In general, the evaluation has to be done in a “single shot”, that is, the authentication tags obtained from the $\mathsf{Eval}$ algorithm cannot be used again to be composed with other tags. Interestingly, we show that the scheme achieves what we call local composition. The idea is that one can keep locally a non-succinct version of the tag that allows for arbitrary composition. Next, when it comes to sending an authentication tag to the verifier, one can securely compress such large tag in a very compact one of constant size. We prove the security of our second construction under the D-Diffie-Hellman Inversion assumption [14, 39] (where D is the bound on the maximal circuit’s degree supported by the scheme).

Succinct Tags and Composition. Even though our solutions do not achieve succinctness and composition at the same time, we argue that these limitations might not be too relevant in many real life scenarios. First, we notice that several interesting functions and statistics (e.g., the standard deviation function) can be represented by constant-degree polynomials. In such a case, our first construction perfectly fits the bill as it is efficient, simple to implement and produces constant-size tags (and, of course, it only requires the existence of a PRF to be proved secure).

For the case of polynomials of large degree d (i.e., d polynomial in the security parameter), our scheme fits well in those applications where composition is not needed. Think for example of the application described at the beginning of this section. There, if the server just runs $m {\leftarrow }{\mathcal {P}}(m_1, \ldots , m_n)$ on the client’s data, using our second construction it can produce a succinct tag that authenticates m as ${\mathcal {P}}$’s output, and this tag is only one group element.

Finally, in applications where composition is needed but does not involve different parties, the notion of local composition achieved by our second scheme still allows to save in bandwidth and to (locally) compose tags of partial computations.

Overview of Our Techniques. The main idea behind our construction is a “re-interpretation” of some classical techniques for information-theoretic MACs. Let the secret key be a random value $x \in \mathbb {Z}_p$ and a seed K of a PRF. The authentication tag of a message $m \in \mathbb {Z}_p$ with label ${\tau }$ is a degree-1 polynomial $y(z) \in \mathbb {Z}_p[z]$ that evaluates to m on the point 0, and to $r_{{\tau }}$ on the secret point x (i.e., $y(0)=m$ and $y(x)=r_{{\tau }}$). Here $r_{{\tau }} ={F}_{K}({\tau })$ is a pseudorandom value, unique per each label, defined by the PRF. If we do not care about the homomorphic property and we assume that each $r_{{\tau }}$ is truly random, then this is a secure information-theoretic MAC. Now, the basic observation that allows to show the homomorphic property is the following. Let f be an arithmetic circuit and assume we evaluate the circuit over the tags (i.e., over these polynomials y(z)) as follows: for every additive gate we compute the addition of the two input polynomials, and for every multiplicative gate we compute their multiplication (i.e., the convolution of their coefficients). Now, we observe that these operations are naturally homomorphic with respect to the evaluation of the polynomial in every point. In particular, if we have two tags $y^{(1)}$ and $y^{(2)}$ (i.e., we are given only the coefficients of these polynomials) such that $y^{(1)}(0)=m_1$ and $y^{(2)}(0) = m_2$, then for $y = y^{(1)} + y^{(2)}$ (resp. $y = y^{(1)} *y^{(2)}$) we clearly obtain $y(0) = m_1 + m_2$ (resp. $y(0) = m_1 \cdot m_2$). The same holds for its evaluation at the random point x, i.e., $y(x) = r_{{\tau }_1} + r_{{\tau }_2}$ (resp. $y(x) = r_{{\tau }_1} \cdot r_{{\tau }_2}$). By extending this argument to the evaluation of the entire circuit f, this allows to verify a tag y for a labeled program ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_n)$ and a message m, by simply checking that $m = y(0)$ and $f(r_{{\tau }_1}, \ldots , r_{{\tau }_n}) = y(x)$, where $r_{{\tau }_i} = {F}_{K}({\tau }_i)$.

A drawback of this construction is that the tag’s size grows linearly with the degree of the evaluated circuit f. The reason is that the above homomorphic evaluation increases the degree of the “tag polynomial” y at every multiplication gate. This is why this MAC fails in achieving the succinctness property when the degree d becomes greater than the input size n of the circuit.

Our second construction overcomes this drawback as follows. First, the evaluation algorithm computes a tag $y = (y_0, \ldots , y_d)$ as before, and then it “accumulates” these coefficients in a single group element $\varLambda = \prod _{i=1}^{d} (g^{x^i})^{y_i}$. Verification will check that $g^{f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})} = g^{m} \cdot \varLambda $. If $\varLambda $ is computed correctly, then $\varLambda = g^{y(x) - y(0)}$, and thus one can easily see why correctness holds. The need to resort to the $(D-1)$-Diffie-Hellman Inversion assumption^{Footnote 2} comes from the fact that, in order to perform the evaluation procedure correctly, the values $g^{x}, g^{x^2}, \ldots , g^{x^{D}}$ need to be published as part of the evaluation key $\mathsf{ek}$. Once a tag of the $\varLambda $ form is created, it can be composed with other tags of the same form only for additions but not for multiplications. To satisfy partial composition, the idea is that one can keep locally the large version of the tag consisting of the coefficients $y_0, \ldots , y_d$, and always send to the verifier its compact version $\varLambda = \prod _{i=1}^{d} (g^{x^i})^{y_i}$. In Sect. 5, we also show an extension of this scheme which, by using bilinear pairings, allows to further compute an additional level of multiplications and unbounded additions on tags of the $\varLambda $ form.

1.2 Related Work

Homomorphic Message Authenticators and Signatures. Recently, many papers considered the problem of realizing homomorphic (mostly linear) authenticators either in the symmetric setting (MAC) or in the asymmetric one (signatures). This line of research has been initiated by the work of Johnson et al. [35] and became very popular in recent years because of the important application to linear network coding. Efficient solutions for linearly homomorphic schemes have been proposed both in the random oracle [11, 13, 17, 18, 29] and in the standard model [1, 4,5,6, 19,20,21, 27, 37]. Linearly homomorphic message authenticators have been considered also for proofs of retrievability for outsourced storage [42]. Only two works, however, consider the problem of realizing solutions for more complex functionalities (i.e., beyond linear).

Boneh and Freeman defined the notion of (fully) homomorphic signatures and showed a realization for bounded (constant) degree polynomials, from ideal lattices [12]. With respect to our work, this solution has the obvious advantage of allowing for public verifiability. On the negative side, it is not truly practical and the bound on the degree of the supported polynomials is more stringent than in our case (as they can support only polynomials of constant degree).

Closer to our setting is the recent work of Gennaro and Wichs [30] where fully homomorphic MACs are introduced, formally defined and constructed. The solution given there supports a wider class of functionalities than ours, and it allows to achieve succinct tags and composability at the same time. Their tags have size $\mu (\lambda ) = \mathsf{poly}(\lambda )$ where $\lambda $ is the security parameter, and thus they are asymptotically succinct as long as the circuit’s input size n is greater than $\mu (\lambda )$. Despite its nice properties, the proposed construction seems unfortunately far from being truly practical as it relies on fully homomorphic encryption. Moreover, it is proven secure only for a bounded and a-priori fixed number of verification queries,^{Footnote 3} meaning that the scheme becomes insecure if the verifier leaks information on whether it accepts/rejects tags.

Succinct Non-interactive Arguments of Knowledge. The problem of realizing homomorphic signatures can be solved in theory using Succinct Non-interactive Arguments of Knowledge (SNARKs) [9]. In a nutshell, given any NP statement, a SNARK allows to construct a succinct argument that can be used to prove knowledge of the corresponding witness. The nice feature of SNARKs is that the size of the argument is independent of the size of both the statement and the witness. The bad thing about SNARKs is that they are not very efficient (or at least not nearly as practical as we require) and require either the random oracle model [38] or non standard, non-falsifiable assumptions [32]. Moreover, SNARK-based solutions seem to allow for only very limited composability [10, 44].

Other Related Work. The notion of homomorphic authenticators is also (somewhat) related to the notion of verifiable computation [3, 8, 23, 26, 28, 33, 36, 38, 40]. There, one wants to delegate a computationally heavy task to a remote server while keeping the ability to verify the result in a very efficient way. While the two primitives might seem quite different at first, one can reinterpret some of the results on verifiable computation in our setting. The resulting solutions however present several limitations that make them of limited practical interest compared to homomorphic authenticators. We refer the reader to [30] for a nice discussion about this.

Homomorphic authenticators are also related to memory delegation [24]. This primitive allows a client to outsource large amounts of data to a server so that he can later verify computations on the data. The advantage of this approach over ours is that it offers an efficient verification procedure, and it supports a dynamic memory in which the client can update the outsourced data. However, current (non-interactive) realizations of memory delegation, in the standard model, are rather inefficient and require the user to keep a state. Moreover, in known constructions, efficient verification comes at the price of an offline phase where the runtime of both the delegator and the server depends polynomially on the size of the memory.

Follow up work. After the publication of the original version of this paper at Eurocrypt 2013, many other works addressed the problem of constructing homomorphic message authenticator schemes, both in the private and in the public verifiable settings. Here we discuss some of these results. In [16], Catalano et al. generalized the results of the present work and in particular proposed a new homomorphic MAC that uses multilinear maps to achieve both succinctness and composability. The resulting construction is still not fully homomorphic, but it supports arithmetic circuits slightly more expressive than those considered in this paper. On the negative side, given its reliance on multilinear maps and the performance of the current candidate multilinear maps, the scheme in [16] can be hardly considered efficient (or even remotely practical). Backes, Fiore and Reischuk [7] considered the question of constructing a homomorphic MAC in which the cost of verifying a MAC for a function f can be more efficient than running f, a property which immediately gives a nice application to verifiable computation on outsourced data. Specifically, they achieve such efficiency by considering an amortized model in which one is allowed to do one single expensive pre-processing (whose cost is about the same as running f) that is later amortized by re-using it across several verifications (involving the same function). The scheme proposed in [7] uses pairings, and as such, it only supports degree-two polynomials. Catalano, Fiore and Warinschi [22] recently proposed the first homomorphic signature scheme that enjoys (amortized) efficient verification. Their scheme can support the evaluation of bounded-degree polynomials, is based on multilinear maps, and is the first homomorphic signature that is secure in the standard model and can support more than linear functions. Finally, in a recent work [34], Gorbunov et al. show how to construct the first fully fledged (leveled) homomorphic signatures that supports arbitrary circuits and are based only on standard lattices.

1.3 Organization

The paper is organized as follows. In Sect. 2, we provide a background and relevant definitions of arithmetic circuits and homomorphic authenticators. Section 3 describes our first construction from PRFs, while our second compact construction is given in Sect. 4. Finally, in Sect. 5, we show an extension of the second construction that allows to further compute one level of multiplication and unbounded additions on tags previously obtained from the homomorphic evaluation.

2 Background and Definitions

In this section, we review the notation and some basic definitions that we use in our work.

Notation. We denote with $\lambda \in \mathbb {N}$ a security parameter. A probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ is a randomized algorithm for which there exists a polynomial $p(\cdot )$ such that for every input x the running time of $\mathcal{A}(x)$ is bounded by p(|x|). We say that a function $\epsilon : \mathbb {N}\rightarrow \mathbb {R}^+$ is negligible if for every positive polynomial $p(\lambda )$ there exists ${\lambda }_0 \in \mathbb {N}$ such that for all $\lambda > {\lambda }_0$: $\epsilon (\lambda ) < 1/p(\lambda )$. If S is a set, $x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S$ denotes the process of selecting x uniformly at random in S. If $\mathcal{A}$ is a probabilistic algorithm, $y \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{A}(\cdot )$ denotes the process of running $\mathcal{A}$ on some appropriate input and assigning its output to y.

2.1 Pseudorandom Functions

Let $\lambda $ be the security parameter and $\kappa $ be polynomial in $\lambda $. Let $F: \mathcal{K}\times \mathcal{D}\rightarrow \mathcal{R}$ be a keyed function where $\mathcal{K}= \{0,1\}^{\kappa }$ is the key space, $\mathcal{D}$ is the domain and $\mathcal{R}$ is the output space. We define the advantage of an adversary $\mathcal{A}$ against the pseudorandomness of F as follows:

$$\begin{aligned} {\mathbf {Adv}}^{PRF}_{\mathcal{A}, F}(\lambda ) = \left| \Pr [\mathcal{A}^{F_{K}(\cdot )}(1^{\lambda })=1: K\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}] - \Pr [\mathcal{A}^{\Phi (\cdot )}(y)=1] \right| \end{aligned}$$

Above, K is chosen uniformly at random in the key space, while $\Phi : \mathcal{D}\rightarrow \mathcal{R}$ is chosen uniformly at random among the set of all functions from $\mathcal{D}$ to $\mathcal{R}$.

Then, we say that F is a pseudorandom function (PRF) if for any PPT adversary $\mathcal{A}$, the advantage ${\mathbf {Adv}}^{PRF}_{\mathcal{A}, F}(\lambda )$ is a negligible function.

2.2 Arithmetic Circuits

Here, we provide a very brief overview of arithmetic circuits. The interested reader is referred to [43] for a more detailed treatment of the subject.

An arithmetic circuit over a field $\mathbb {F}$ and a set of variables $X=\{{\tau }_1 \ldots {\tau }_n\}$, is a directed acyclic graph with the following properties. Each node in the graph is called gate. Gates with in-degree 0 are called input gates (or input nodes), while gates with out-degree 0 are called output gates. Each input gate is labeled by either a variable or a constant. Variable input nodes are labeled with binary strings ${\tau }_1, \ldots , {\tau }_n$ and can take arbitrary values in $\mathbb {F}$. A constant input node instead is labeled with some constant c, and it can take only some fixed value $c \in \mathbb {F}$.

Gates with in-degree and out-degree greater than 0 are called internal gates. Each internal gate is labeled with an arithmetic operation symbol. Gates labeled with $\times $ are called product gates, while gates labeled with $+$ are called sum gates. In this paper, we consider circuits with a single output node and where the in-degree of each internal gate is 2. The size of the circuit is the number of its gates. The depth of the circuit is the length of the longest path from input to output.

Arithmetic circuits evaluate polynomials in the following way. Input gates compute the polynomial defined by their labels. Sum gates compute the polynomial obtained by the sum of the (two) polynomials on their incoming wires. Product gates compute the product of the two polynomials on their incoming wires. The output of the circuit is the value contained on the outgoing wire of the output gate. The degree of a gate is defined as the total degree of the polynomial computed by that gate. The degree of a circuit is defined as the maximal degree of the gates in the circuit.

We stress that arithmetic circuits should be seen as computing specific polynomials in $\mathbb {F}[X]$ rather than functions from $\mathbb {F}^{|X|}$ to $\mathbb {F}$. In other words, when studying arithmetic circuits one is interested in the formal computation of polynomials rather than the functions that these polynomials define.^{Footnote 4}

In this paper, we restrict our interest to families of polynomials $\{f_n\}$ over $\mathbb {F}$ which have polynomially bounded degree, meaning that both the number of variables and the degree of $f_n$ are bounded by some polynomial p(n). The class VP (also known as $\mathbf{AlgP_{/poly}}$) contains all such polynomials. More precisely, it contains all polynomially bounded-degree families of polynomials that are computable by arithmetic circuits of polynomial size and degree.

2.3 Homomorphic Message Authenticators

Labeled Programs. First, we recall the notion of labeled programs introduced by Gennaro and Wichs in [30]. A labeled program ${\mathcal {P}}$ consists of a tuple $(f, {\tau }_1, \ldots , {\tau }_{n})$ where $f : \mathbb {F}^{n} \rightarrow \mathbb {F}$ is a circuit, and the binary strings ${\tau }_{1}, \ldots , {\tau }_n \in \{0,1\}^{*}$ are the labels of the input nodes of f. Given some labeled programs ${\mathcal {P}}_1, \ldots , {\mathcal {P}}_t$ and a function $g: \mathbb {F}^{t} \rightarrow \mathbb {F}$ it is possible to define the composed program ${\mathcal {P}}^{*} = g({\mathcal {P}}_1, \ldots , {\mathcal {P}}_t)$ which consists in evaluating a circuit g on the outputs of ${\mathcal {P}}_1, \ldots , {\mathcal {P}}_t$, respectively. The labeled inputs of ${\mathcal {P}}^{*}$ are all distinct labeled inputs of ${\mathcal {P}}_1, \ldots , {\mathcal {P}}_t$, i.e., all inputs with the same label are put together in a single input of the new program. We denote with $\mathcal{I}_{{\tau }} = (g_{id}, {\tau })$ the identity program with label ${\tau }$ where $g_{id}$ is the canonical identity function and ${\tau }\in \{0,1\}^{*}$ is some input label. Finally, we notice that any program ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_{n})$ can be expressed as the composition of n identity programs ${\mathcal {P}}=f(\mathcal{I}_{{\tau }_1}, \ldots , \mathcal{I}_{{\tau }_{n}})$.

While Gennaro and Wichs [30] defined labeled programs for Boolean circuits (i.e., $f: \{0,1\}^{n} \rightarrow \{0,1\}$), here we consider its extension to the case of arithmetic circuits $f: \mathbb {F}^{n} \rightarrow \mathbb {F}$ where $\mathbb {F}$ is some finite field, e.g., $\mathbb {Z}_{p}$ for a prime p.

Homomorphic Authenticator Scheme. A homomorphic message authenticator scheme $\mathsf{HomMAC}$ is a 4-tuple of algorithms working as follows:

$\mathsf{KeyGen}(1^{\lambda })$::: on input the security parameter $\lambda $, the key generation algorithm outputs a secret key $\mathsf{sk}$ and a public evaluation key $\mathsf{ek}$.
$\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$::: given the secret key $\mathsf{sk}$, an input label ${\tau }$ and a message $m \in \mathcal{M}$, it outputs a tag $\sigma $.
$\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$::: given the secret key $\mathsf{sk}$, a message $m \in \mathcal{M}$, a program ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_n)$ and a tag $\sigma $, the verification algorithm outputs 0 (reject) or 1 (accept).
$\mathsf{Eval}(\mathsf{ek}, f, {\varvec{\sigma }})$::: on input the evaluation key $\mathsf{ek}$, a circuit $f: \mathcal{M}^{n} \rightarrow \mathcal{M}$ and a vector of tags ${\varvec{\sigma }}=(\sigma _1, \ldots , \sigma _{n})$, the evaluation algorithm outputs a new tag $\sigma $.

Authentication Correctness. Intuitively, a homomorphic MAC satisfies this property if any tag $\sigma $ generated by the algorithm $\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$ authenticates with respect to the identity program $\mathcal{I}_{{\tau }}$. Formally, we require that for any message $m \in \mathcal{M}$, all keys $(\mathsf{sk}, \mathsf{ek}) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{KeyGen}(1^{\lambda })$, any label ${\tau }\in \{0,1\}^{*}$, and any tag $\sigma \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$, it holds: $\Pr [\mathsf{Ver}(\mathsf{sk}, m, \mathcal{I}_{{\tau }}, \sigma ) = 1]=1$.

Evaluation Correctness. Informally, this property states that if the evaluation algorithm is given a vector of tags ${\varvec{\sigma }} = (\sigma _1, \ldots , \sigma _n)$ such that each $\sigma _i$ authenticates some message $m_i$ as the output of a labeled program ${\mathcal {P}}_i$, then the tag $\sigma $ produced by $\mathsf{Eval}$ must authenticate $g(m_1, \ldots , m_n)$ as the output of the composed program $g({\mathcal {P}}_1, \ldots , {\mathcal {P}}_n)$.

More formally, let us fix a pair of keys $(\mathsf{sk}, \mathsf{ek}) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{KeyGen}(1^{\lambda })$, a function $g: \mathcal{M}^{t} \rightarrow \mathcal{M}$ and any set of message/program/tag triples $\{(m_i, {\mathcal {P}}_i, \sigma _i)\}_{i=1}^{t}$ such that $\mathsf{Ver}(\mathsf{sk}, m_i, {\mathcal {P}}_i, \sigma _i)=1$. If $m^{*} = g(m_1, \ldots , m_t)$, ${\mathcal {P}}^{*} = g({\mathcal {P}}_1, \ldots , {\mathcal {P}}_t)$, and $\sigma ^{*} = \mathsf{Eval}(\mathsf{ek}, g, (\sigma _1, \ldots , \sigma _{t}))$, then it must hold: $\mathsf{Ver}(\mathsf{sk}, m^{*}, {\mathcal {P}}^{*}, \sigma ^{*})=1$.

Succinctness. The size of a tag is bounded by some fixed polynomial in the security parameter, that is independent of the number of inputs taken by the evaluated circuit.

Security. Let $\mathsf{HomMAC}$ be a homomorphic MAC scheme as defined above. Consider the following experiment $\mathsf{HomUF-CMA}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )$ between a challenger and an adversary $\mathcal{A}$ against $\mathsf{HomMAC}$:

Setup :: The challenger generates $(\mathsf{sk}, \mathsf{ek}) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{KeyGen}(1^{\lambda })$ and gives $\mathsf{ek}$ to $\mathcal{A}$. It also initializes a list $T = \emptyset $.
Authentication queries :: The adversary can adaptively ask for tags on label-message pairs of its choice. Given a query $({\tau }, m)$, if there is some $({\tau }, \cdot ) \in T$ (i.e., the label was already queried), then the challenger ignores the query. Otherwise, it computes $\sigma \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$, returns $\sigma $ to $\mathcal{A}$ and updates the list $T = T \cup ({\tau },m)$. If $({\tau }, m) \in T$ (i.e., the query was previously made), then the challenger replies with the same tag generated before.
Verification queries :: The adversary is also given access to a verification oracle. Namely, $\mathcal{A}$ can submit a query $(m, {\mathcal {P}}, \sigma )$ and the challenger replies with the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.
Forgery :: The challenger checks if one of the verification queries (e.g., $(m^{*}, {\mathcal {P}}^{*}, \sigma ^{*})$) is a forgery (as defined below). If this is the case the experiment outputs 1.

In order to define what is a forgery, we first give the notion of well-defined program with respect to a list T. Informally, there are two ways for a program ${\mathcal {P}}^{*}=(f^{*}, {\tau }^{*}_1, \ldots , {\tau }^{*}_{n})$ to be well-defined. Either all the ${\tau }_i^*$s are in T or, if there are labels $\tau ^*_i$ not in T, then the inputs associated with such labels are somewhat “ignored” by $f^*$ when computing the output. In other words input corresponding to labels not in T do not affect the behavior of $f^*$ in any way.

More formally, we say that a labeled program ${\mathcal {P}}^{*}=(f^{*}, {\tau }^{*}_1, \ldots , {\tau }^{*}_{n})$ is well-defined on T if either one of the following two cases occurs:

1.
there exists $i \in \{1, \ldots ,n\}$ such that $({\tau }^{*}_{i}, \cdot ) \notin T$ (i.e., $\mathcal{A}$ never asked an authentication query with label ${\tau }^{*}_i$), and $f^*(\{m_{j}\}_{({\tau }_j, m_j) \in T} \cup \{\tilde{m}_{j}\}_{({\tau }_{j}, \cdot ) \notin T})$ outputs the same value for all possible choices of $\tilde{m}_j \in \mathcal{M}$. Here, the notation $f(\{m_j\}_{({\tau }_j, m_j)})$ is a shorthand for referring to an execution of f where the input wire labeled by ${\tau }_j$ is assigned value $m_j$.
2.
T contains tuples $({\tau }^{*}_1, m_1), \ldots , ({\tau }^{*}_n, m_n)$, for some messages $m_1, \ldots , m_n$.

Then we say that a verification query $(m^{*}, {\mathcal {P}}^{*}=(f^{*}, {\tau }^{*}_1, \ldots , {\tau }^{*}_{n}), \sigma ^{*})$ is a forgery if and only if $\mathsf{Ver}(\mathsf{sk}, m^*, {\mathcal {P}}^*, \sigma ^*)=1$ and one of the following conditions holds:

Type 1 Forgery: ${\mathcal {P}}^{*}$ is not well-defined on T.
Type 2 Forgery: ${\mathcal {P}}^{*}$ is well-defined on T and $m^* \ne f^*(\{m_{j}\}_{({\tau }_j, m_j) \in T})$, i.e., $m^{*}$ is not the correct output of the labeled program ${\mathcal {P}}^{*}$ when executed on previously authenticated messages.

We say that a homomorphic MAC scheme $\mathsf{HomMAC}$ is secure if for every PPT adversary $\mathcal{A}$ we have that $\Pr [\mathsf{HomUF-CMA}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )=1]$ is negligible.

Remark 1

(Comments on our definition) First, we observe that our definition explicitly disallow the possibility of re-using a label to authenticate more than one value. Essentially, this is a way to uniquely keep track of the authenticated inputs, and it is rather natural in the outsourcing setting. Indeed, notice that storing two elements under the same label in a remote server would cause ambiguity when computing over them.^{Footnote 5} This restriction is also present in the Gennaro-Wichs construction as well as in all previous works on homomorphic signatures.

Second, the notion of well-defined programs aims at capturing, in a formal way, which tuples generated by the adversary should be considered as forgeries. The catch here is that, since we are dealing with a homomorphic primitive, we should be able to differentiate MACs produced by $\mathsf{Eval}$ from MACs generated in some other, possibly malicious, way. Notice, however, that even maliciously generated MACs should not necessarily be considered as forgeries. This is because, in our setting, the adversary can trivially modify a circuit C she is allowed to evaluate by adding dummy gates and inputs that are simply ignored in the evaluation of the modified circuit (i.e., the new circuit is semantically equivalent to C). This last case does not constitute an infringement of our security requirements. Our notion of well-defined program ${\mathcal {P}}$ captures exactly this: either ${\mathcal {P}}$ is run on legal (i.e., in T) inputs only, or, if this is not the case, those inputs not in T do not affect the computation in any way.

Finally, we observe that for arbitrary computations checking whether a program is well-defined may not be efficiently computable. In particular, the difficult task is to check the first condition, i.e., whether a program always outputs the same value for all possible choices of the inputs that are not in T. However, for the case of arithmetic circuits in (exponentially) large fields and of polynomial degree, this check can be efficiently performed by using probabilistic polynomial identity testing [25, 41, 45]. Below, we state a simple proposition that shows how to do the testing for arithmetic circuits of degree d, over a finite field of order p such that $d/p<1/2$.^{Footnote 6}

Proposition 1

Let $\lambda , n \in \mathbb {N}$ and let $\mathcal{F}$ be the class of arithmetic circuits $f: \mathbb {F}^{n} \rightarrow \mathbb {F}$ over a finite field $\mathbb {F}$ of order p and such that the degree of f is at most d, with $\frac{d}{p}< \frac{1}{2}$. Then, there exists a probabilistic algorithm that for any given $f\in \mathcal{F}$, decides if there exists $y \in \mathbb {F}$ such that $f({\varvec{u}})=y, \forall {\varvec{u}} \in \mathbb {F}^{n}$ (i.e., if f is constant) and is correct with probability at least $1 - 2^{-\lambda }$.

Proof

The algorithm first samples $\lambda +1$ tuples $\{ {\varvec{u}}_i\}_{i=0}^{\lambda }$ uniformly at random in $\mathbb {F}^{n}$. Next, if $f({\varvec{u}}_0) = \cdots = f({\varvec{u}}_\lambda )$ the algorithm says “constant”, otherwise it says “non-constant”. If f is really constant, then it is easy to see that this algorithm is correct with probability 1. In the case when f is not constant, then the probability that the algorithm is wrong is essentially $\Pr [f({\varvec{u}}_0) = \cdots = f({\varvec{u}}_\lambda )]$ over the random choices of all the ${\varvec{u}}_i$’s. Since the samples are independent, this probability can be upper bounded by $(\Pr _{{\varvec{u}}_i \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {F}^{n}}[f({\varvec{u}}_i)=y_0 | y_0 = f({\varvec{u}}_0)])^{\lambda } \le (\frac{d}{p})^{\lambda } \le 2^{-\lambda }$, where the upper bound by d / p follows from the Schwartz-Zippel Lemma [25, 41, 45]. $\square $

Remark 2

(Relations with previous definitions) Our definition is very similar to that proposed by Gennaro and Wichs in [30] except for two modifications. First, we explicitly allow the adversary to query the verification oracle. Second, we adopt a definition of forgery slightly weaker than that in [30]. More precisely, Gennaro and Wichs define Type 1 forgeries as ones where at least one new label is present. Type 2 forgeries, on the other hand, contain only labels that have been already queried, but $m^*$ is not the correct output of the program when executed on the previously queried inputs.

Notice that our notion becomes equivalent to that given in [30] by simply changing the definition of “well-defined program” so that ${\mathcal {P}}^{*}=(f^{*}, {\tau }^{*}_1, \ldots , {\tau }^{*}_{n})$ is said well-defined on T if $({\tau }_i, m_i) \in T$ $\forall i=1, \ldots n$. The difference between the two definitions is that, as we explained above, we do not consider forgeries all those tuples where ”fresh” labels (i.e., labels not in T) do not contribute to the output of the program.

Even though our security definition is weaker than the one in [30], we stress that it is perfectly meaningful for the notion of homomorphic MAC. Indeed, we are still excluding from forgeries all those MACs that can be trivially computed by the adversary from what it queried during the game.

On a technical level, our definition of forgery is inspired by the security definition recently proposed by Freeman for homomorphic signatures [27], except that in our case we do not consider the notion of data set.

3 Our Homomorphic MAC from OWFs

In this section, we propose our first construction of homomorphic MACs whose security relies only on a pseudo-random function (and thus on one-way functions). The scheme is simple and efficient and allows to homomorphically evaluate arithmetic circuits $f: \mathbb {Z}_p^{n} \rightarrow \mathbb {Z}_p$ for a prime p of roughly $\lambda $ bits, where $\lambda $ is the security parameter.

Our Scheme. In our construction, we restrict to circuits whose additive gates do not get inputs labeled by constants. This can be done without loss of generality as, when needed, one can use an equivalent circuit in which there is a special variable/label for the value 1, and can publish the MAC of 1.

The description of our scheme follows.

$\mathsf{KeyGen}(1^{\lambda })$. Let p be a prime of roughly $\lambda $ bits. Choose a seed $K \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}$ of a pseudorandom function ${F}_{K}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$ (cf. Sect. 2.1) and a random value $x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$. Output $\mathsf{sk}= (K, x), \mathsf{ek}=p$ and let the message space $\mathcal{M}$ be $ \mathbb {Z}_{p}$.
$\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$. To authenticate a message $m \in \mathbb {Z}_p$ with label ${\tau }\in \{0,1\}^{\lambda }$, compute $r_{{\tau }} = {F}_{K}({\tau })$, set $y_0 = m$, $y_1 = (r_{{\tau }}- m)/ x \bmod p$ and output $\sigma = (y_0, y_1)$. Basically, $y_0, y_1$ are the coefficients of a degree-1 polynomial y(z) with the special property that it evaluates to m on the point 0 ($y(0) = m$), and it evaluates to $r_{{\tau }}$ on a hidden random point x ($y(x) = r_{\tau }$).

In our construction, we will interpret tags $\sigma $ as polynomials $y \in \mathbb {Z}_p[z]$ of degree $d \ge 1$ in some variable z, i.e., $y(z) = \sum _{i}y_i z^{i}$.
$\mathsf{Eval}(\mathsf{ek}, f, {\varvec{\sigma }})$. The homomorphic evaluation algorithm takes as input the evaluation key $\mathsf{ek}= p$, an arithmetic circuit $f: \mathbb {Z}_{p}^{n} \rightarrow \mathbb {Z}_p$, and a vector ${\varvec{\sigma }}$ of tags $(\sigma _1,\ldots , \sigma _n)$.

Intuitively, $\mathsf{Eval}$ consists in evaluating the circuit f on the tags $\sigma _1, \ldots , \sigma _{n}$ instead of evaluating it on messages. However, since the values $\sigma _i$’s are not messages in $\mathbb {Z}_p$, but rather are polynomials $y^{(i)} \in \mathbb {Z}_p[z]$, we need to specify how this evaluation is carried through.

$\mathsf{Eval}$ proceeds gate-by-gate as follows. At each gate g, given two tags $\sigma _1, \sigma _2$ (or a tag $\sigma _1$ and a constant $c \in \mathbb {Z}_p$), it runs the algorithm $\sigma {\leftarrow }\mathsf{GateEval}(\mathsf{ek}, g, \sigma _1, \sigma _2)$ described below that returns a new tag $\sigma $, which is in turn passed on as input to the next gate in the circuit.

When the computation reaches the last gate of the circuit f, $\mathsf{Eval}$ outputs the tag vector $\sigma $ obtained by running $\mathsf{GateEval}$ on such last gate.

To complete the description of $\mathsf{Eval}$ we describe the subroutine $\mathsf{GateEval}$.
- –$\mathsf{GateEval}(\mathsf{ek}, g, \sigma _1, \sigma _2)$. Let $\sigma _i = {\varvec{y}}^{(i)} = (y^{(i)}_0, \ldots , y^{(i)}_{d_i})$ for $i=1,2$ and $d_i \ge 1$ (see below for the special case when one of the two inputs is a constant $c \in \mathbb {Z}_p$).
  
  If $g = +$, then:
  - $\bullet $ let $d = \max (d_1, d_2)$. Here we assume without loss of generality that $d_1 \ge d_2$ (i.e., $d=d_1$).
  - $\bullet $ Compute the coefficients $(y_0, \ldots , y_d)$ of the polynomial $y(z) = y^{(1)}(z) + y^{(2)}(z)$. This can be efficiently done by adding the two vectors of coefficients, ${\varvec{y}} = {\varvec{y}}^{(1)} + {\varvec{y}}^{(2)}$ (${\varvec{y}}^{(2)}$ is, if needed, padded with zeroes in positions $d_1+1, \ldots , d_2$).
  If $g = \times $, then:
  - $\bullet $ let $d = d_1 + d_2$.
  - $\bullet $ Compute the coefficients $(y_0, \ldots , y_d)$ of the polynomial $y(z) = y^{(1)}(z) *y^{(2)}(z)$ using the convolution operator $*$, i.e., $\forall k=0, \ldots , d$, define $y_k = \sum _{i=0}^{k} y^{(1)}_{i} \cdot y^{(2)}_{k-i}$.
  If $g = \times $ and one of the two inputs, say $\sigma _2$, is a constant $c \in \mathbb {Z}_p$, then:
  - $\bullet $ let $d = d_1$.
  - $\bullet $ Compute the coefficients $(y_0, \ldots , y_d)$ of the polynomial $y(z) = c \cdot y^{(1)}(z)$.
    
    We note that the above multiplication by a constant can also be seen as a special case of multiplication, if one think of $\sigma _2$ as a degree-0 polynomial $y^{(2)}(z)$ such that $y^{(2)}(0)=y^{(2)}(x)=c$.
  Return $\sigma = (y_0, \ldots , y_d)$.
As one can notice, the size of a tag grows only after the evaluation of a multiplication gate (where both inputs are not constants). It is not hard to see that after the homomorphic evaluation of a circuit f, it holds $|\sigma | = d+1$, where d is the degree of f.
$\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$. Let ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ be a labeled program, $m \in \mathbb {Z}_p$ and $\sigma = (y_0, \ldots , y_d)$ be a tag for some $d \ge 1$. Verification proceeds as follows:
- – If $y_0 \ne m$, then output 0 (reject). Otherwise continue as follows.
- – For every input wire of f with label ${\tau }$ compute $r_{{\tau }} = {F}_{K}({\tau })$.
- – Next, evaluate the circuit on $r_{{\tau }_1}, \ldots , r_{{\tau }_n}$, i.e., compute $\rho {\leftarrow }f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})$, and use x to check whether the following equation holds:
  $$\begin{aligned} \rho = \sum _{k=0}^{d} y_k x^{k} \end{aligned}$$
  (1)
  If this is true, then output 1. Otherwise output 0.
Observe that the above applies also to identity programs $\mathcal{I}_{{\tau }}$, in which case the algorithm just checks that $r_{{\tau }} = y_0 + y_1 \cdot x$ and $y_0 = m$.

Efficiency. Our scheme is extremely efficient in generating a tag using the $\mathsf{Auth}$ algorithm: just one PRF evaluation (e.g., one AES evaluation, in practice).

If we analyze the $\mathsf{Eval}$ algorithm, its complexity is dominated by the cost of evaluating the circuit f with an additional overhead due to the modified gate evaluation and to that the tag’s size grows with the degree of the circuit. If the circuit has degree d, in the worst case, this overhead is going to be O(d) for addition gates, and $O(d \log d)$ for multiplication gates.^{Footnote 7}

The cost of verification is basically the cost of computing $\rho = f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})$, that is O(|f|), plus the cost of computing $\sum _{i=0}^{d} y_i x^{i}$, that is O(d).

3.1 Correctness

In this section, we prove that the scheme described above satisfies authentication and evaluation correctness.

Theorem 1

The homomorphic MAC scheme described above satisfies authentication correctness.

Proof

Let $\mathsf{sk}= (K, x)$ and $\mathsf{ek}= p$ be honestly generated keys, and let $\sigma \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$. By construction of $\mathsf{Auth}$, the tag $\sigma = (y_0, y_1)$ is a degree-1 polynomial y such that $y(0) = m$ and $y(x) = y_0 + y_1 x = r_{{\tau }}$. Therefore, it is trivial to verify that the checks made by the verification algorithm are satisfied and it outputs 1. $\square $

Theorem 2

The homomorphic MAC scheme described above satisfies evaluation correctness.

Proof

Let $\mathsf{sk}= (K, x)$ and $\mathsf{ek}= p$ be honestly generated keys, and let $\{m_i, {\mathcal {P}}_i, \sigma _i\}_{i=1}^{n}$ be n triples of message/program/tag such that $\mathsf{Ver}(\mathsf{sk}, m_i, {\mathcal {P}}_i, \sigma _i) = 1$, $\forall i=1, \ldots , n$. Then we want to show that for the message $m^{*} = f^{*}(m_1, \ldots , m_n)$, the composed program ${\mathcal {P}}^{*} = f^{*}({\mathcal {P}}_1, \ldots , {\mathcal {P}}_n)$ and the tag $\sigma ^{*} = \mathsf{Eval}(\mathsf{ek}, f^{*}, (\sigma _1, \ldots , \sigma _n))$, it holds $\mathsf{Ver}(\mathsf{sk}, m^{*}, {\mathcal {P}}^{*}, \sigma ^{*}) = 1$.

Let us first recall that for any program ${\mathcal {P}}= (f,{\tau }_1, \ldots , {\tau }_{n})$, any message $m\in \mathcal{M}$ and any tag $\sigma = (y_0, \ldots , y_d)$ the algorithm $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma ) $ outputs 1 only if the following two equations are satisfied:

$$\begin{aligned} m= & {} y(0) \\ \rho= & {} y(x) = \sum _{k=0}^{d} y_k x^{k} \end{aligned}$$

where $\rho $ is the value obtained by computing f on $r_{{\tau }_1}, \ldots , r_{{\tau }_n}$.

Let $\rho _1, \ldots , \rho _n$ be the values computed in the run of $\mathsf{Ver}(\mathsf{sk}, m_i, {\mathcal {P}}_i, \sigma _i) = 1$, for all $i=1$ to n. Since the verification algorithm outputs 1, it must hold $m_i = y^{(i)}(0)$ and $\rho _i = y^{(i)}(x)$ (where $y^{(i)} = \sigma _i$). Our goal is to show that the above conditions imply $m^{*} = y^{*}(0)$ and $\rho ^{*} = y^{*}(x)$ where $y^{*}$ is the polynomial obtained by evaluating $f^{*}$ over the polynomials $y^{(1)}, \ldots , y^{(n)}$ as described in the algorithm $\mathsf{Eval}$, $m^{*} = f^{*}(m_1, \ldots , m_n)$ and $\rho ^{*} = f^{*}(\rho _1, \ldots , \rho _n)$.

To do this, we simply show that this property holds for every gate g, and then we observe that it easily extends by induction to the computation of $f^{*}$. Namely, if the above conditions hold before and after the evaluation of every single gate, then they must hold even for the values generated at the end of the computation of $f^{*}$, i.e., the output of the last gate of $f^{*}$.

The core of the proof is the following Lemma, which basically shows that our homomorphic evaluation of a gate g using two polynomials $y^{(1)}, y^{(2)}$ preserves their nice structure. $\square $

Lemma 1

Let $b_1, b_2 \in \mathbb {Z}_p, y^{(1)}, y^{(2)} \in \mathbb {Z}_p[z]$ and $z \in \mathbb {Z}_{p}$ be such that

$$\begin{aligned} b_i= & {} y^{(i)}(z), \;\;\; \forall i=1,2 \end{aligned}$$

(2)

and let $b = g(b_1, b_2)$, $y = \mathsf{GateEval}(\mathsf{ek}, g, y^{(1)}, y^{(2)})$ for some gate g that is either $\times $ or $+$. Then, it holds

$$\begin{aligned} b= & {} y(z) \end{aligned}$$

(3)

Proof

If g is a multiplicative gate, then $b = b_1 \cdot b_2$ and $y = y^{(1)} *y^{(2)}$. By definition of the $*$ operator we then have $y(z) = y^{(1)}(z) \cdot y^{(2)}(z) = b_1 \cdot b_2$. This also captures the special case of multiplication by constant gates.

If g is an additive gate, then $b = b_1 + b_2$, and $y = y^{(1)} + y^{(2)}$. Hence, it is easy to see that $y(z) = y^{(1)}(z) + y^{(2)}(z) = b_1 + b_2$. $\square $

To complete the proof of the Theorem, we have to observe that by definition of composed program the value $\rho ^{*} = f^{*}(\rho _1, \ldots , \rho _n)$ is the same $\rho ^{*} = f(r_{{\tau }^*_1}, \ldots , r_{{\tau }^*_n})$ computed in $\mathsf{Ver}(\mathsf{sk}, m^{*}, {\mathcal {P}}^{*}, \sigma ^{*})$.

3.2 Proof of Security

The security of our scheme is established by the following theorem.

Theorem 3

If ${F}$ is a PRF, then the homomorphic MAC scheme described in Sect. 3 is secure.

Toward proving the theorem, we define the following hybrid games. We denote with $G_i$ the event that the experiment Game i, run with the adversary $\mathcal{A}$, outputs 1.

Game 0: This is the same as the real $\mathsf{HomUF-CMA}$ experiment, except that in every verification query $(m, {\mathcal {P}}, \sigma )$, in order to check whether ${\mathcal {P}}$ is well-defined or not, the challenger uses the probabilistic test of Proposition 1.

Thus, we have that for all adversaries $\mathcal{A}$ making at most Q verification queries we have
$$\begin{aligned} | \Pr [\mathsf{HomUF-CMA}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )] - \Pr [G_0(\mathcal{A})] | \le Q \cdot 2^{-\lambda } \end{aligned}$$
(4)
Game 1: This is the same as Game 0, except that the PRF is replaced with a truly random function $\mathcal{R}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$: basically, each value $r_{{\tau }}$ is generated uniformly at random in $\mathbb {Z}_p$.
Game 2: This is the same as Game 1 except for the following change in answering verification queries. First, for every verification query $(m, {\mathcal {P}}, \sigma =(y_0, \ldots , y_d))$ such that $y_0 \ne m$ output 0 (reject). Next, for all verification queries $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}$ is not well-defined on T, the challenger proceeds as follows.

First, for every ${\tau }_i$ such that $({\tau }_i, \cdot ) \notin T$ it takes $r_{{\tau }_{i}} {\leftarrow }\mathcal{R}({\tau }_i)$. Next, it computes $\rho $ using the internal procedure of $\mathsf{Ver}$, and finally it computes $Z = \rho - \sum _{k=0}^{d} y_k x^{k}$. If $Z = 0 \bmod p$, then it returns 1, otherwise it outputs 0.
Game 3: This is the same as Game 2 except for an additional change in answering verification queries. For every verification query $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_{n})$ is well-defined on T, the challenger proceeds as follows.

For every index $i \in \{1, \ldots , n\}$ such that $({\tau }_{i}, \cdot ) \notin T$ (i.e., ${\mathcal {P}}$ contains a new label), it chooses a dummy tag $\sigma _i$ (e.g., for a random message). Let $\sigma _1, \ldots , \sigma _n$ be the tags associated to labels ${\tau }_1, \ldots , {\tau }_{n}$, respectively. The challenger homomorphically computes ${\hat{\sigma }} = ({\hat{y}}_0, \ldots , {\hat{y}}_d) {\leftarrow }\mathsf{Eval}(\mathsf{ek}, f, (\sigma _1, \ldots , \sigma _n))$, and proceeds as follows:
1. 1.
  If $(y_0, \ldots , y_d) = ({\hat{y}}_0, \ldots , {\hat{y}}_d)$, then output 1.
2. 2.
  If $(y_0, \ldots , y_d) \ne ({\hat{y}}_0, \ldots , {\hat{y}}_d)$, compute $Z = \sum _{k=0}^{d}(y_k - {\hat{y}}_{k})x^{k}$. If $Z = 0 \bmod p$, then output 1. Otherwise, output 0.
Game 4: This is the same as Game 3 except for the following additional code run by the challenger. Let $\mathsf{bad}$ be a flag value which is initially set to $\mathsf{false}$. Once the challenger receives a verification query $(m, {\mathcal {P}}, \sigma )$ such that
1. 1.
  $(m, {\mathcal {P}}, \sigma )$ requires the computation of Z (see the games above),
2. 2.
  $Z=0 \pmod p$,
then it answers with 0 (reject), instead of 1 (accept), and sets $\mathsf{bad}{\leftarrow }\mathsf{true}$. Notice that the flag $\mathsf{bad}$ is updated to $\mathsf{true}$ when the first bad (i.e., meeting the two requirements above) verification query is received.

Let $\mathsf{Bad}_4$ be the event that $\mathsf{bad}{\leftarrow }\mathsf{true}$ is set in Game 4. Notice that any adversary has zero probability of winning in Game 4, as all verification queries that may be Type 1 or Type 2 forgeries are answered with 0. Therefore, it clearly holds $\Pr [G_4]=0$.

To prove Theorem 3, we first prove the following claims.

Claim 1

$|\Pr [G_0] - \Pr [G_1]| \le {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda )$.

The proof can be obtained via a straightforward reduction to the security of the PRF.

Claim 2

$\Pr [G_1] \equiv \Pr [G_2]$.

This is only a syntactic change, and it is easy to see that the two games are basically the same.

Claim 3

$\Pr [G_2] \equiv \Pr [G_3]$.

Proof

The only difference between Game 2 and Game 3 is in the way the challenger answers verification queries $(m, {\mathcal {P}}, \sigma )$ for a program ${\mathcal {P}}$ that is well-defined on T. We claim that the change introduced in Game 3 is only syntactic, and thus the adversary has exactly the same view in both games.

Let $(m, {\mathcal {P}}, \sigma )$ be a verification query with $\sigma = (y_0, \ldots , y_d)$ such that ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ is well-defined on T, and let us first consider the case in which $\forall i=1, \ldots , n$ it holds that $({\tau }_i, m_i) \in T$ and a tag $\sigma _i$ had already been computed. Recall that the challenger computes ${\hat{\sigma }} = ({\hat{y}}_0, \ldots , {\hat{y}}_d)$ using the $\mathsf{Eval}$ algorithm. If we consider the answer provided by the challenger in each case, then we have:

1.
$(y_0, \ldots , y_d) = ({\hat{y}}_0, \ldots , {\hat{y}}_d)$: The answer is correct by correctness of the scheme.
2.
$(y_0, \ldots , y_d) \ne ({\hat{y}}_0, \ldots , {\hat{y}}_d)$. Let $\rho $ be the value computed by the verification algorithm to check equation (1), and observe that $\rho $ is the same when running both $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ and $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, {\hat{\sigma }})$ as the same values $r_{{\tau }}$’s are generated.

By correctness of ${\hat{\sigma }}$ we have that $\rho =\sum _{k=0}^{d} {\hat{y}}_{k} \cdot x^{k}$. In order for $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ to output 1, it must hold $y_0 = m$ and $\rho = \sum _{k=0}^{d} y_{k} \cdot x^{k}$. Notice also that, by definition of our verification algorithm, the check $y_0 = m$ is performed first (i.e., the equality $\sum _{k=0}^{d} y_{k} \cdot x^{k} = \rho $ is verified only if $y_0 = m$ holds). So, returning 1 only if $Z= \sum _{k=0}^{d}(y_k - {\hat{y}}_{k})x^{k} = 0$ is the same as returning the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.

To complete the proof, let us consider the case in which ${\mathcal {P}}$ is well-defined on T but there exists some $i \in \{1, \ldots , n \}$ such that $({\tau }_i, \cdot ) \notin T$. By definition of well-defined program, this means that if we fix the input values of all wires labeled with ${\tau }$ where $({\tau }, \cdot ) \in T$, then the circuit f always returns the same output whatever are the values taken by the input wires labeled with $\tilde{\tau }$ for $(\tilde{\tau }, \cdot ) \notin T$. In other words, the value corresponding to input wires $\tilde{\tau }\notin T$ are irrelevant when it comes to evaluating f. Of course, this remains true even in the homomorphic evaluations of f: the one using the polynomials $y^{(i)}$ in $\mathsf{Eval}$ and the other one using the values $r_{{\tau }_i}$’s in $\mathsf{Ver}$. This means that for all wires labeled with $\tilde{\tau }$ (for $(\tilde{\tau }, \cdot ) \notin T$) the dummy tags chosen for such indices do not contribute to the computation of $({\hat{y}}_0, \ldots , {\hat{y}}_d)$, and the same holds for the random values $r_{\tilde{\tau }}$ with respect to R. Therefore, the above argument for the case when $({\tau }_i, m_i) \in T, \forall i=1, \ldots , n$ applies here as well. $\square $

Claim 4

$|\Pr [G_3] - \Pr [G_4]| \le \Pr [\mathsf{Bad}_4]$.

Game 3 and Game 4 are identical unless the event $\mathsf{Bad}_4$ occurs in Game 4. Indeed, in this case the challenger is providing a different answer to some verification queries. Hence, $\Pr [G_4 \wedge \lnot \mathsf{Bad}_4] = \Pr [G_3]$, that is $|\Pr [G_3] - \Pr [G_4]| \le \Pr [\mathsf{Bad}_4]$.

To finalize the proof of our theorem, we are left with bounding the probability of the event $\mathsf{Bad}_4$, which is done below.

Claim 5

$\Pr [\mathsf{Bad}_4] \le \frac{2d Q}{p - d(Q-1)} $ where p is the prime used in the construction and Q is an upper bound on the number of verification queries made by $\mathcal{A}$ during the Game.

Proof

For $j=1$ to Q, let $B_j$ be the event that $\mathsf{bad}{\leftarrow }\mathsf{true}$ is set after the j-th verification query, but not before. Hence, we have:

$$\begin{aligned} \Pr [\mathsf{Bad}_4]= & {} \Pr \left[ \bigvee _{j=1}^{Q} B_j\right] \le \sum _{j=1}^{Q} \Pr \left[ B_j\right] \end{aligned}$$

(5)

The main part of this proof will consist in estimating the probability $\Pr \left[ B_j\right] $ taken over the random choices of x and all values $r_{{\tau }}$ sampled by the challenger, and for any possible values chosen by the adversary.

For ease of exposition, we call “easy queries” those verification queries that do not “force” the challenger to compute Z. In our analysis, we only consider non-“easy” queries as, by game definition, “easy” queries cannot cause the setting of $\mathsf{bad}{\leftarrow }\mathsf{true}$, i.e., $B_j$ never occurs when the j-th query is “easy”.

Let $(m, {\mathcal {P}}, \sigma )$ be the j-th verification query, that is not easy. According to whether ${\mathcal {P}}$ is well-defined or not, we have only two possible cases for $B_j$ to occur:

1.
$Z = \sum _{k=0}^{d}(y_k - {\hat{y}}_{k})x^{k} = 0 \pmod p$, where there exists at least an index $\tilde{k} \in \{0, \ldots , d \}$ such that $y_{\tilde{k}} \ne {\hat{y}}_{\tilde{k}}$.
2.
$Z = \rho -\sum _{k=0}^{d} y_k x^{k} = 0 \pmod p$, where ${\mathcal {P}}$ is not well-defined and $\rho $ is computed by using at least one value $r_{{\tau }^*} \in \mathbb {Z}_p$ such that $({\tau }^*, \cdot ) \notin T$.

For $j=1, \ldots , Q$ we denote with $Z_j$ the Z value computed in the j-th such query. By definition of the event $B_j$, $\mathsf{bad}$ was not set $\mathsf{true}$ in the previous $j-1$ queries, i.e., $Z_1, \ldots , Z_{j-1} \ne 0 \pmod p$. Therefore, we have:

$$\begin{aligned} \Pr [B_j] = \Pr [Z_j = 0 | Z_1 \ne 0 \wedge \cdots \wedge Z_{j-1} \ne 0] \end{aligned}$$

(6)

Let us fix the value of x at the beginning of the game. Now, the crucial observation here is that, before the adversary starts making verification queries there are exactly p tuples $(x, \{ r_{{\tau }} \}_{{\tau }\in T})$ that are consistent with her view. More precisely, conditioning on the tags $\sigma _i$ seen by the adversary there is exactly one valid $r_{{\tau }_i}$ for each potential value of $x \in \mathbb {Z}_{p}$. Moreover, each “easy” query does not reveal any additional information about x and the relevant $r_{\tau }$’s. This is because our modified verification algorithm run by the challenger (introduced in Games 2 and 3) does not even need such values to answer “easy” verification queries. So, from now on we assume that all the Q queries in our analysis are non-easy.

After the first query, if $Z_1 \ne 0 \pmod p$, the number of possible values $x, \{ r_{{\tau }} \}_{{\tau }\in T}$ becomes at least $p - d$, as the zeroes of a non-zero polynomial $c(x) = \sum _{k=0}^{d}c_k x^{k}$ of degree d are at most d. In general, after the i-th query, if $Z_1 \ne 0 \wedge \cdots \wedge Z_{i} \ne 0$, then the number of remaining possible values $x, \{ r_{{\tau }} \}_{{\tau }\in T}$ is at least $p - di$.

Let $(m,{\mathcal {P}},\sigma )$ be the j-th verification query. We define $E^{1}_j$ as the event that “${\mathcal {P}}$ is well-defined and there exists an index $\tilde{k} \in \{0, \ldots , d \}$ such that $y_{\tilde{k}} \ne {\hat{y}}_{\tilde{k}}$”. Similarly, we define the event $E^{2}_{j}$ as “${\mathcal {P}}$ is not well-defined and $\rho $ is computed by using some $r_{{\tau }^*} \in \mathbb {Z}_p$ such that $({\tau }^*,\cdot ) \notin T$”. Finally, let $\mathtt{NotZero_j}$ be the event “$Z_1 \ne 0 \wedge \cdots \wedge Z_{j-1} \ne 0$”.

Clearly, $\Pr [B_j]=\Pr [B_j \wedge E^{1}_j] + \Pr [B_j \wedge E^{2}_j]$ and thus

$$\begin{aligned} \Pr [B_j]= & {} \Pr [Z_j = 0 \; | \; \; \mathtt{NotZero_j}] \nonumber \\= & {} \Pr [Z_j = 0 \wedge E^{1}_j \; | \; \; \mathtt{NotZero_j} ] + \Pr [Z_j = 0 \wedge E^{2}_j \; | \; \; \mathtt{NotZero_j}] \nonumber \\\le & {} \Pr [Z_j = 0 \; | \; E^{1}_j \; \wedge \; \mathtt{NotZero_j}] + \Pr [Z_j = 0 \; | \; E^{2}_j \; \wedge \; \mathtt{NotZero_j}] \end{aligned}$$

(7)

The first probability is

$$\begin{aligned} \Pr [Z_j = 0 \; | \; E^{1}_j \; \wedge \; \mathtt{NotZero_j}] \le \frac{d}{p - d(j-1)} \end{aligned}$$

(8)

as the zeroes of the polynomial $\sum _{k=0}^{d}(y_k - {\hat{y}}_{k})x^{k}$ are at most d, and there are $p - d(j-1)$ possible values of x.

To evaluate the second probability $ \Pr [Z_j = 0 \; | \; E^{2}_j \; \wedge \; \mathtt{NotZero_j}]$, we observe that one can think of $\rho $ as a univariate polynomial $\rho = \eta (r_{{\tau }^{*}})$ in the variable $r_{{\tau }^{*}}$ whose degree is at most d. Moreover, since ${\mathcal {P}}$ is not well-defined, $\eta $ must be a non-constant polynomial. The value $r_{{\tau }^*}$ was sampled uniformly at random and it was never used before to produce a tag (since $({\tau }^*,\cdot ) \not \in T)$.^{Footnote 8}

Initially, i.e., when no verification queries involving ${\tau }^*$ have been made, $r_{{\tau }^*}$ is perfectly hidden to the adversary, and she cannot guess it with probability better than 1 / p. The worst case to consider is then the one where all queries, before the j-th we are considering, involve ${\tau }^*$. In such a case, we can use an argument very similar to that given before, so that, conditioned on $Z = \eta (r_{{\tau }^{*}}) \ne 0$, one can exclude at most d possible values of $r_{{\tau }^*}$. Therefore, if we condition on the event $\mathtt{NotZero_j}$, the probability of the adversary to guess $r_{{\tau }^*}$ at the j-th query cannot be better than $1/(p-d(j-1))$.

Hence,

$$\begin{aligned} \Pr [Z_j = 0 \; | \; E^{2}_j \; \wedge \; \mathtt{NotZero_j}]\le & {} \frac{d}{p - d(j-1)} \end{aligned}$$

(9)

Finally, if we apply the results of equations (8) and (9) to equation (7), then we obtain:

$$\begin{aligned} \Pr [B_j]\le & {} \frac{2d}{p - d(j-1)} \end{aligned}$$

(10)

and thus we can upper bound:

$$\begin{aligned} \Pr [\mathsf{Bad}_4]\le & {} \frac{2d Q}{p - d(Q-1)} \end{aligned}$$

(11)

which proves the Claim. $\square $

The proof of the Theorem follows by putting together the results of the above claims:

$$\begin{aligned} {\mathbf {Adv}}^{\mathsf{HomUF-CMA}}_{\mathcal{A},\mathsf{HomMAC}}(\lambda ) \le {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda ) + \frac{2 d Q}{p - d(Q-1)} + \frac{Q}{2^{\lambda }}. \end{aligned}$$

Since $p \approx 2^{\lambda }$ and both d and Q are $\mathsf{poly}(\lambda )$, $ \frac{2 d Q}{p - d(Q-1)} = \mathsf{negl}(\lambda )$. Therefore, if the PRF is secure (i.e., ${\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda ) = \mathsf{negl}(\lambda )$) then any PPT adversary $\mathcal{A}$ has at most negligible advantage of breaking the unforgeability of our homomorphic MAC.

4 A Compact Homomorphic MAC for Circuits of Bounded Polynomial Degree

As we mentioned earlier, the homomorphic MAC of Sect. 3 has the drawback that the tags’ size grows linearly with the degree of the evaluated circuit. While this may be acceptable in some cases, e.g., circuits evaluating constant-degree polynomials, it may become impractical in other situations, e.g., when the degree is greater than the input size of the circuit. In this section, we propose a second scheme that solves this issue and enjoys tags of constant size. The scheme keeps almost the same efficiency of the previous one, even though constant-size tags come at the price of a couple of restrictions. First, we have to fix an a-priori bound D on the degree of the circuits that can be evaluated. Second, the homomorphic evaluation has to be done in a “single shot” that is the authentication tags obtained from the $\mathsf{Eval}$ algorithm cannot be used again to be composed with other tags.

Nevertheless, we show that the scheme achieves an interesting property that we call local composition. The idea is that one can keep locally a non-succinct version of the tag that allows for arbitrary composition. Later, when it comes to send an authentication tag to the verifier, one can securely compress such large tag in a very compact one of constant size.

Before describing the scheme in details, we give a high level description of our technique. The main idea is to use the same scheme of Sect. 3 with the following modifications. Tags on messages are the same, i.e., a degree-1 polynomial with the special property that $y(0)=m$ and $y(x)=r_{{\tau }}$. We publish the values $g^{x}, \ldots , g^{x^{D}}$ in the public evaluation key. Then, for the homomorphic evaluation, one first computes the coefficients $(y_0, \ldots , y_{d})$ as before, and then “accumulates” such values into a single group element $\varLambda = \prod _{i=1}^{d} (g^{x^i})^{y_i}$. The verification is carried in the exponent as follows: The verifier first computes $\rho $ as before and next checks that $g^{\rho } = g^{m} \varLambda $. If $\varLambda $ is computed correctly, then $\varLambda = g^{y(x) - y(0)}$ and thus correctness follows.

For security, in addition to a PRF, we need to rely on a computational assumption that says that one cannot compute g given values $g^{x}, \ldots , g^{x^{D}}$. This problem is basically a re-writing of a problem already considered in the past: the $\ell $-Diffie-Hellman Inversion. We recall its definition below.

Definition 1

($\ell $-DHI [14, 39]) Let $\lambda \in \mathbb {N}$ be the security parameter, and $\mathbb {G}$ be a group of order $p > 2^{\lambda }$. For a generator $g \in \mathbb {G}$ and a randomly chosen $x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ we define the advantage of an adversary $\mathcal{A}$ in solving the $\ell $-DHI problem as

$$\begin{aligned} {\mathbf {Adv}}_{\mathcal{A}}^{DHI}(\lambda ) = \Pr [\mathcal{A}(g, g^{x}, \ldots , g^{x^{\ell }}) = g^{1/x}] \end{aligned}$$

and we say that the $\ell $-DHI assumption holds in $\mathbb {G}$ if for every PPT $\mathcal{A}$ and for $\ell = \mathsf{poly}(\lambda )$, the advantage ${\mathbf {Adv}}_{\mathcal{A}}^{DHI}(\lambda )$ is at most negligible in $\lambda $.

Our Construction. The description of our scheme follows.

$\mathsf{KeyGen}(1^{\lambda }, D)$.:

Let $\lambda $ be the security parameter and $D = \mathsf{poly}(\lambda )$ be an upper bound so that the scheme can support the homomorphic evaluation of circuits of degree at most D. The key generation works as follows.

Generate a group $\mathbb {G}$ of order p where p is a prime of roughly $\lambda $ bits, and choose a random generator $g \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {G}$. Choose a seed $K \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal{K}$ of a pseudorandom function ${F}_{K}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$ and a random value $x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$. For $i=1$ to D compute $h_i = g^{x^{i}}$. Output $\mathsf{sk}= (K, g, x), \mathsf{ek}=(h_1, \ldots , h_D)$ and let the message space $\mathcal{M}$ be $ \mathbb {Z}_{p}$.

$\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$.:

The tagging algorithm is the same as the one of the construction in Sect. 3. To authenticate a message $m \in \mathbb {Z}_p$ with label ${\tau }\in \{0,1\}^{\lambda }$, compute $r_{{\tau }} = {F}_{K}({\tau })$, set $y_0 = m$ , $y_1 = (r_{{\tau }}- m)/x \bmod p$, and output $\sigma = (y_0, y_1)$.

$\mathsf{Eval}(\mathsf{ek}, f, {\varvec{\sigma }})$.:

The homomorphic evaluation algorithm takes as input the evaluation key $\mathsf{ek}$, an arithmetic circuit $f: \mathbb {Z}_{p}^{n} \rightarrow \mathbb {Z}_p$, and a vector ${\varvec{\sigma }}$ of tags $(\sigma _1,\ldots , \sigma _n)$ so that $\sigma _i \in \mathbb {Z}_p^{2}$ (i.e., it is a tag for a degree-1 polynomial).

First, proceed exactly as in the construction of Sect. 3 to compute the coefficients $(y_0, \ldots , y_d)$. If $d=1$ (i.e., the circuit f computes a degree-1 polynomial), then return $\sigma = (y_0, y_1)$. Otherwise, compute

$$\begin{aligned} \varLambda = \prod _{i=1}^{d} h_{i}^{y_i} \end{aligned}$$

and return $\sigma = \varLambda $.

$\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.:

Let ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ be a labeled program, $m \in \mathbb {Z}_p$ and $\sigma $ be a tag of either the form $(y_0, y_1) \in \mathbb {Z}_p^{2}$ or $\varLambda \in \mathbb {G}$.

First, proceed as in the construction of Sect. 3 to compute $\rho = f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})$.

If the program ${\mathcal {P}}$ computes a polynomial of degree 1, then proceed exactly as in the construction of Sect. 3 and check that

$$\begin{aligned} \rho = y_0 + y_1 \cdot x \; \wedge \; y_0 =m. \end{aligned}$$

Otherwise, use g to check whether the following equation holds:

$$\begin{aligned} g^{\rho } = g^{m} \cdot \varLambda \end{aligned}$$

(12)

If the checks are satisfied, then output 1. Otherwise output 0.

Correctness. The correctness easily follows from the correctness of the scheme described in Sect. 3 and by observing that equation (12) is essentially equivalent to checking that

$$\begin{aligned} \rho = \sum _{i=0}^{d} y_i x^{i} \end{aligned}$$

which is the verification equation (1) in the scheme of Sect. 3.

Local Composition. The above scheme satisfies an interesting property that we call local composition. The idea is that one can keep locally the large version of the tag, i.e., the polynomial y with its $d+1$ coefficients $y_0, \ldots , y_d$, but still send its compact version $\varLambda = \prod _{i=1}^{d} (g^{x^i})^{y_i}$ to the verifier. Keeping y allows for arbitrary composition as in the scheme of Sect. 3. In applications where composition does not involve many parties, this property allows to achieve succinct tags and local composition of partial computations at the same time.

Extension. In Sect. 5, we show an extension of this scheme that, by using pairings, allows to further compute an additional level of multiplications and unbounded additions on tags of the $\varLambda $ form.

4.1 Proof of Security

Theorem 4

If ${F}$ is a PRF and the $(D-1)$-Diffie-Hellman Inversion Assumption holds in $\mathbb {G}$, then the homomorphic MAC scheme described in Sect. 4 is secure.

To prove the security of our scheme, we define the following hybrid games. We denote with $G_i$ the event that the experiment Game i, run with the adversary $\mathcal{A}$, outputs 1.

Game 0: This is the same as the real $\mathsf{HomUF-CMA}$ experiment, except that in every verification query $(m, {\mathcal {P}}, \sigma )$, in order to check whether ${\mathcal {P}}$ is well-defined or not, the challenger uses the probabilistic test of Proposition 1.

Thus, we have that for all adversaries $\mathcal{A}$ making at most Q verification queries we have
$$\begin{aligned} | \Pr [\mathsf{HomUF-CMA}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )] - \Pr [G_0(\mathcal{A})] | \le Q \cdot 2^{-\lambda } \end{aligned}$$
(13)
Game 1: This is the same as Game 0, except that the PRF is replaced with a truly random function $\mathcal{R}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$: basically, each value $r_{{\tau }}$ is generated uniformly at random in $\mathbb {Z}_p$.
Game 2: This is the same as Game 1 except for a change in answering verification queries. Let $\mathsf{bad}$ be a flag value which is initially set to $\mathsf{false}$. For all verification queries $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_n)$ is not well-defined on T, the challenger answers 0 (reject) and proceeds as follows.

First, for every ${\tau }_i$ such that $({\tau }_i, \cdot ) \notin T$ it takes $r_{{\tau }_{i}} {\leftarrow }\mathcal{R}({\tau }_i)$. Next, it computes $\rho $ using the internal procedure of $\mathsf{Ver}$.

If $\sigma = (y_0, y_1)$, compute $z = \rho - y_0 - x \cdot y_1$. If $z = 0 \pmod p$, then set $\mathsf{bad}{\leftarrow }\mathsf{true}$.

If $\sigma = \varLambda $ compute $Z = g^{\rho - m} \varLambda ^{-1}$. If $Z = 1$, then set $\mathsf{bad}{\leftarrow }\mathsf{true}$.
Game 3: This is the same as Game 2 except for the following change in answering authentication queries. Given a query $({\tau }, m)$ such that $({\tau }, m) \notin T$, if $r_{{\tau }} = \mathcal{R}({\tau })$ was previously used to answer a verification query, then resample a fresh $r_{{\tau }}' \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ to create the tag, and from now on use $r'_{{\tau }}$ in every verification query involving label ${\tau }$.
Game 4: this is the same as Game 3 except for the following change in answering verification queries. Let $\mathsf{bad}'$ be a flag value which is initially set to $\mathsf{false}$. For every verification query $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_{n})$ is well-defined on T, the challenger proceeds as follows.

For every index $i \in \{1, \ldots , n\}$ such that $({\tau }_{i}, \cdot ) \notin T$ (i.e., ${\mathcal {P}}$ contains a new label) it chooses a dummy tag $\sigma _i$ (e.g., for a random message).

Let $\sigma _1, \ldots , \sigma _n$ be the tags associated to labels ${\tau }_1, \ldots , {\tau }_{n}$, respectively. The challenger homomorphically computes ${\hat{\sigma }}$ (which is either $({\hat{y}}_0, {\hat{y}}_1)$ or ${\hat{\varLambda }}$) and proceeds as follows.

If $\sigma = {\hat{\sigma }}$, then output 1 (accept). Otherwise, output 0 (reject).

Moreover,
1. 1.
  If $(y_0, y_1) \ne ({\hat{y}}_0, {\hat{y}}_1)$, compute $z = (y_0 - {\hat{y}}_0) + x(y_1 - {\hat{y}}_1)$. If $z = 0 \pmod p$, then set $\mathsf{bad}' {\leftarrow }\mathsf{true}$.
2. 2.
  If $\varLambda \ne {\hat{\varLambda }}$, compute $Z = (\varLambda /{\hat{\varLambda }}) g^{(m - {\hat{m}})}$. If $Z = 1$, then set $\mathsf{bad}' {\leftarrow }\mathsf{true}$.

To prove the theorem we prove the following claims.

Claim 6

$|\Pr [G_0] - \Pr [G_1]| \le {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda )$.

The proof can be obtained via a straightforward reduction to the security of the PRF.

Claim 7

$|\Pr [G_1] - \Pr [G_2]| \le \frac{Q(d+1)}{p - d(Q-1)}$ where p is the order of the group used in the scheme and Q is the number of verification queries made by the adversary $\mathcal{A}$ during the experiment.

Proof

Let $\mathsf{Bad}_2$ be the event that $\mathsf{bad}{\leftarrow }\mathsf{true}$ is set in Game 2. Game 1 and Game 2 are identical unless the event $\mathsf{Bad}_2$ occurs. Indeed, in this case the challenger is providing a different answer to some verification queries. It holds $\Pr [G_2 \wedge \lnot \mathsf{Bad}_2] = \Pr [G_1]$, that is $|\Pr [G_1] - \Pr [G_2]| \le \Pr [\mathsf{Bad}_2]$. Hence, to prove the Claim, we estimate the probability $\Pr [\mathsf{Bad}_2]$. The proof is very similar to that of Claim 5. We provide it below for completeness.

For $j=1$ to Q, let $B_j$ be the event that $\mathsf{bad}{\leftarrow }\mathsf{true}$ is set after the j-th verification query, but not before. Clearly, we have:

$$\begin{aligned} \Pr [\mathsf{Bad}_2]= & {} \Pr \left[ \bigvee _{j=1}^{Q} B_j\right] \le \sum _{j=1}^{Q} \Pr \left[ B_j\right] \end{aligned}$$

(14)

Moreover, by definition of $B_j$, $\mathsf{bad}{\leftarrow }\mathsf{true}$ did not occur in the previous $j-1$ queries, thus

$$\begin{aligned} \Pr [B_j] = \Pr [B_j | \lnot B_1 \wedge \cdots \wedge \lnot B_{j-1}] \end{aligned}$$

The main part of this proof will consist in estimating the probability $\Pr \left[ B_j\right] $ taken over the random choices of the values $r_{{\tau }}$ sampled by the challenger, and for any possible values chosen by the adversary. In our analysis, we will consider only verification queries $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}$ is not well-defined, as they are the only queries that may cause setting $\mathsf{bad}{\leftarrow }\mathsf{true}$.

Let $(m, {\mathcal {P}}, \sigma )$ be the j-th verification query. According to whether $\sigma = (y_0, y_1)$ or $\sigma = \varLambda $, we have only two possible cases for $B_j$ to occur:

1.
$z = \rho - y_0 - x y_1 = 0 \pmod p$.
2.
$Z = g^{\rho -m} \varLambda ^{-1} = 1$

where in both cases $\rho $ is computed by using at least one value $r_{{\tau }^*} \in \mathbb {Z}_p$ such that $({\tau }^*, \cdot ) \notin T$.

For $1 \le j \le Q$, let $z_j$ (resp. $Z_j$) be the value computed in the j-th query. Let $\mathtt{NotZero_j}$ be the event “$\lnot B_1 \wedge \cdots \wedge \lnot B_{j-1}$”, and notice that for $1 \le i \le j-1$, $\lnot B_i$ may mean either $z_i \ne 0$ or $Z_i \ne 1$. Therefore, we have:

$$\begin{aligned} \Pr [B_j | \lnot B_1 \wedge \cdots \wedge \lnot B_{j-1}] \le \Pr [z_j = 0 \; | \; \mathtt{NotZero_j}] + \Pr [Z_j = 1 \; | \; \mathtt{NotZero_j}] \nonumber \\ \end{aligned}$$

(15)

where the probability is taken over the random choice of $r_{{\tau }^{*}}$.

Using an argument similar to that in the proof of Claim 5, it is possible to show that, information theoretically, the probability that any adversary guesses correctly the value $r_{{\tau }^{*}}$ at the j-th verification query (conditioned on the event $\mathtt{NotZero_j}$) cannot be better than $1/(p-D(j-1))$.

Moreover, the value $\rho $ can be thought of as a univariate polynomial $\eta (r_{{\tau }^{*}})$ in the variable $r_{{\tau }^{*}}$ of degree at most D (where $D=1$ if $\sigma =(y_0, y_1)$). Since ${\mathcal {P}}$ is not well-defined, the polynomial $\eta $ is non-constant, and thus:

$$\begin{aligned} \Pr [z_j = 0 \; | \; \mathtt{NotZero_j}]\le & {} \frac{1}{p - D(j-1)} \end{aligned}$$

(16)

$$\begin{aligned} \Pr [Z_j = 1 \; | \; \mathtt{NotZero_j}]\le & {} \frac{D}{p - D(j-1)} \end{aligned}$$

(17)

Therefore, by applying equations (16) and (17) to equation (15), we obtain:

$$\begin{aligned} \Pr [\mathsf{Bad}_2]\le & {} \frac{Q(D+1)}{p - D(Q-1)} \end{aligned}$$

which proves the Claim. $\square $

Claim 8

$|\Pr [G_2] - \Pr [G_3]| \le \frac{DQ^2}{p}$ where p is the order of the group used in the scheme and Q is the number of verification queries made by the adversary $\mathcal{A}$ during the experiment.

Proof

Game 2 and Game 3 differ only in the sampling of the value $r_{{\tau }}$ in authentication queries. In particular, notice that there are at most Q such queries. For each of these authentication queries, say $({\tau }, m)$, assume that there were Q prior verification queries involving label ${\tau }$. Using the argument in the previous lemma, the number of possible values of $r_{{\tau }}$ is at least $p-DQ$, and the games will differ only if sampling the fresh $r_{{\tau }}'$ will hit one of the DQ values that are excluded conditioning on $\mathtt{NotZero}_{Q}$. However, this happens with probability DQ / p. Thus, the Claim follows by union bound. $\square $

Claim 9

$\Pr [G_3] \equiv \Pr [G_4 \wedge \lnot \mathsf{Bad}_4]$.

Proof

Let $\mathsf{Bad}_4$ be the event that $\mathsf{bad}'$ is set $\mathsf{true}$ in Game 4. If the event $\mathsf{Bad}_4$ does not occur, then we claim that Game 4 is identical to Game 3. The only change is in the way the challenger answers verification queries $(m, {\mathcal {P}}, \sigma )$ for a program ${\mathcal {P}}$ that is well-defined on T.

Let $(m, {\mathcal {P}}, \sigma )$ be a verification query with $\sigma = (y_0, y_1)$ or $\sigma = \varLambda $ such that ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ is well-defined on T, and let us first consider the case in which $\forall i=1, \ldots , n$ it holds that $({\tau }_i, m_i) \in T$ and a tag $\sigma _i$ had already been computed. Recall that the challenger computes ${\hat{\sigma }}$ using the $\mathsf{Eval}$ algorithm. If we consider the answer provided by the challenger in this case, then we have:

1.
$\sigma = {\hat{\sigma }}$: the answer is correct by correctness of the scheme.
2.
$(y_0, y_1) \ne ({\hat{y}}_0, {\hat{y}}_1)$. Let $\rho $ be the value computed by the verification algorithm to check equation (12), and observe that $\rho $ must be the same when running both $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ and $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, {\hat{\sigma }})$ as the same values $r_{{\tau }}$’s are used.

By correctness of ${\hat{\sigma }}$ we have that $\rho ={\hat{y}}_0 + {\hat{y}}_1 \cdot x$. In order for $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ to output 1, it must hold $\rho = y_0 + y_1 \cdot x$. So, returning 1 only if $z = (y_0 - {\hat{y}}_0) + x(y_1 - {\hat{y}}_1) = 0$ is the same as returning the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.
3.
$\varLambda \ne {\hat{\varLambda }}$. Let $\rho $ be the value computed by the verification algorithm to check equation (12), and observe that $\rho $ must be the same when running both $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ and $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, {\hat{\sigma }})$ as the same values $r_{{\tau }}$’s are used.

By correctness of ${\hat{\sigma }}$ we have that $g^{\rho }=g^{{\hat{m}}}{\hat{\varLambda }}$. In order for $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ to output 1, it must hold $g^{\rho } = g^{m} \varLambda $. So, returning 1 only if $Z = g^{m - {\hat{m}}} (\varLambda /{\hat{\varLambda }})= 1$ is the same as returning the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.

Now, let us consider the case in which ${\mathcal {P}}$ is well-defined on T but there exists some $i \in \{1, \ldots , n \}$ such that $({\tau }_i, \cdot ) \notin T$. By definition of well-defined program, this means that if we fix the input values of all wires labeled with ${\tau }$ where $({\tau }, \cdot ) \in T$, then the circuit f always returns the same output whatever are the values of the input wires with label $\tilde{\tau }$ such that $(\tilde{\tau }, \cdot ) \notin T$. In other words, the value corresponding to the input wire ${\tau }_i$ is irrelevant when it comes to evaluating f. Of course, this remains true even in the homomorphic evaluations of f: the one using y in $\mathsf{Eval}$ and the other one using the $r_{{\tau }}$’s in $\mathsf{Ver}$. This means that for all wires labeled with $\tilde{\tau }$ (for $(\tilde{\tau }, \cdot ) \notin T$) the dummy tags chosen for such indices do not contribute to the computation of ${\hat{\varLambda }}$, and the same holds for the random values $r_{\tilde{\tau }}$ with respect to $\rho $. Therefore, the above argument for the case when $({\tau }_i, m_i) \in T, \forall i=1, \ldots , n$ applies here as well. $\square $

Claim 10

$\Pr [\mathsf{Bad}_4] \le Q \cdot {\mathbf {Adv}}_{\mathcal{B}}^{DHI}(\lambda )$ where Q is the number of verification queries made by the adversary $\mathcal{A}$ in Game 4.

Proof

For sake of presentation, we prove the claim using a slightly different assumption: the adversary $\mathcal{A}$ is given a tuple $(g^{x}, \ldots , g^{x^{\ell }})$ for randomly chosen $g \in \mathbb {G}$ and $x \in \mathbb {Z}_p$, and it is required to compute g. It is not hard to see that this is only a rewriting of the $(\ell -1)$-DHI assumption defined above. Indeed a tuple $(g^{x}, \ldots , g^{x^{\ell }})$ can be rewritten as $(h, h^{x}, \ldots , h^{x^{\ell -1}})$ by letting $h = g^x$.

Assume by contradiction that there exists an adversary $\mathcal{A}$ such that, when run in Game 4, we have $\Pr [\mathsf{Bad}_4] \ge \epsilon (\lambda )$ for some non-negligible function $\epsilon $. Then, we show how to build an efficient simulator $\mathcal{B}$ that breaks the $(D-1)$-DHI assumption with advantage ${\mathbf {Adv}}^{DHI}_{\mathcal{B}}(\lambda ) \ge \epsilon (\lambda )/Q$.

If $\mathsf{Bad}_4$ occurs in Game 4, then there must exist an index $1 \le \mu \le Q$ such that $\mathsf{bad}'{\leftarrow }\mathsf{true}$ is set in the $\mu $-th verification query.

$\mathcal{B}$ takes as input a tuple $(g^{x}, \ldots , g^{x^{D}})$. Let Q be an upper bound on the number of verification queries made by the adversary. $\mathcal{B}$ chooses $\mu ^* \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{1, \ldots , Q \}$ uniformly at random as a guess for the index $\mu $ in which $\mathsf{bad}'$ is updated to $\mathsf{true}$. Next, it runs $\mathcal{A}$ on input $\mathsf{ek}= (g^{x}, \ldots , g^{x^D})$ answering queries as follows.

Authentication Queries. Given an authentication query $(m, {\tau })$ it chooses $y_1 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ at random, sets $y_0 = m$ and returns $\sigma = (y_0, y_1)$. Notice that this alternative generation of the tag without using x generates the same distribution of tags as the one in Game 4, in which a fresh value $r_{{\tau }}'$ is used in every authentication query.

Verification Queries. On input the j-th verification query $(m, {\mathcal {P}}, \sigma )$, $\mathcal{B}$ proceeds as follows:

If ${\mathcal {P}}$ is not well-defined on T, output 0 (reject). Notice that this answer is correct by the change introduced in Game 2.
If ${\mathcal {P}}$ is well-defined compute ${\hat{\sigma }}$ using the $\mathsf{Eval}$ algorithm (exactly as the challenger in Game 4). If $\sigma = {\hat{\sigma }}$ output 1 (accept).
If ${\mathcal {P}}$ is well-defined, $\sigma \ne {\hat{\sigma }}$ and $j\ne \mu ^{*}$, then output 0 (reject).
If ${\mathcal {P}}$ is well-defined, $\sigma \ne {\hat{\sigma }}$ and $j = \mu ^{*}$, then output 0 (reject), and proceed as follows:
- If $\sigma = (y_0, y_1)$ (and ${\hat{\sigma }} = ({\hat{y}}_0, {\hat{y}}_1)$), compute $x' = (y_0 - {\hat{y}}_0)/({\hat{y}}_1 - y_1) \pmod p$, and $g' = (g^{x})^{-1/x'}$.
- If $\sigma = \varLambda $ (and ${\hat{\sigma }} = {\hat{\varLambda }}$), compute $g' = ({\hat{\varLambda }}/\varLambda )^{(m-{\hat{m}})^{-1}}$.

At the end of the simulation $\mathcal{B}$ outputs $g'$. If $\mathcal{B}$ correctly guessed the index $\mu ^{*} = \mu $ in which the adversary queries the forgery, then $\mathcal{B}$ clearly succeeds in finding the correct $g'=g$ with probability at least $\epsilon (\lambda )$. Therefore, we have:

$$\begin{aligned} {\mathbf {Adv}}^{DHI}_{\mathcal{B}}(\lambda ) = \Pr [\mathsf{Bad}_4 \wedge \mu ^{*} = \mu ] \ge \Pr [\mu ^{*} = \mu ] \Pr [\mathsf{Bad}_4] \ge \frac{\epsilon (\lambda )}{Q} \end{aligned}$$

which concluded the proof of the Claim. $\square $

To conclude the proof of the Theorem, observe that $\Pr [G_4] = 0$ as all verification queries to Type 1 and Type 2 forgeries are answered with 0. So, if we put together the results of the above claims we obtain

$$\begin{aligned} {\mathbf {Adv}}^{\mathsf{HomUF-CMA}}_{\mathcal{A},\mathsf{HomMAC}}(\lambda ) \le {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda ) + \frac{Q}{2^{\lambda }} + \frac{Q (D+1)}{p - D(Q-1)} + \frac{DQ^{2}}{p} + Q\cdot {\mathbf {Adv}}^{DHI}_{\mathcal{B}}(\lambda ). \end{aligned}$$

Since $p \approx 2^{\lambda }$ and both D and Q are $\mathsf{poly}(\lambda )$, if the PRF is secure and the $(D-1)$-DHI assumption holds (i.e., ${\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda ) = \mathsf{negl}(\lambda )$ and ${\mathbf {Adv}}^{DHI}_{\mathcal{B}}(\lambda ) = \mathsf{negl}(\lambda )$), then $\mathcal{A}$ has at most negligible advantage of breaking the unforgeability of our construction.

5 A Compact Homomorphic MAC with an Additional Level of Multiplication

Here we describe an extension of the scheme given in Sect. 4. The new scheme allows to further apply homomorphic operations on the tags returned by $\mathsf{Eval}$. In particular, the extended homomorphic evaluation allows for circuits of degree up to 2, i.e., at most one multiplication and an unbounded number of additions.

The intuitive idea of this construction is based on the following facts. Given two tags $\varLambda ^{(1)}, \varLambda ^{(2)} \in \mathbb {G}$ (as in the construction of Sect. 4) one could still apply homomorphic operations if these were only additions: just compute $\varLambda = \varLambda ^{(1)} \cdot \varLambda ^{(2)}$. To compute a multiplication, we assume that the group $\mathbb {G}$ is a bilinear group (i.e., one equipped with an efficiently computable bilinear map $e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}$). Thus, we can use the bilinear property of the pairing and compute $\varOmega = e(\varLambda ^{(1)}, \varLambda ^{(2)})$. The way it is described here, the scheme is not fully correct, and however, we show below that some appropriate modifications allow to turn this basic idea into a scheme with the desired property.

The security of the new scheme relies on the Bilinear version of the Diffie-Hellman Inversion assumption used in Sect. 4. We recall it below.

Definition 2

($\ell $-BDHI) Let $\lambda \in \mathbb {N}$ be the security parameter, and $\mathbb {G}$ be a group of order $p > 2^{\lambda }$. Let $\mathbb {G}, \mathbb {G}_{T}$ be groups with an efficient bilinear map $e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}$. For randomly chosen generators $g, \gamma \in \mathbb {G}$ and a randomly chosen $x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ we define the advantage of an adversary $\mathcal{A}$ in solving the $\ell $-Parallel Diffie-Hellman Inversion problem as

$$\begin{aligned} {\mathbf {Adv}}_{\mathcal{A}}^{BDHI}(\lambda ) = \Pr [\mathcal{A}(g, g^{x}, \ldots , g^{x^{\ell }}) = e(g, g)^{1/x}] \end{aligned}$$

and we say that the $\ell $-BDHI assumption holds in $\mathbb {G}, \mathbb {G}_{T}$ if for every PPT $\mathcal{A}$ and for $\ell = \mathsf{poly}(\lambda )$, the advantage ${\mathbf {Adv}}_{\mathcal{A}}^{BDHI}(\lambda )$ is at most negligible in $\lambda $.

Our Construction. The description of our scheme follows.

$\mathsf{KeyGen}(1^{\lambda }, D)$. Let $\lambda $ be the security parameter and $D = \mathsf{poly}(\lambda )$ be an upper bound so that the scheme can support the homomorphic evaluation of circuits of degree at most D. The key generation works as follows.

Generate bilinear groups $\mathbb {G}, \mathbb {G}_T$ of order p such that p is a prime of roughly $\lambda $ bits and there exists an efficient and non-degenerate bilinear map $e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}$. Choose a random generator $g \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {G}$, a random value $\alpha \in \{0,1\}^\lambda $, two random values $a, x \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$, and a seed K of a pseudorandom function ${F}_{K}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$. For $i=1$ to D compute $h_i = g^{x^{i}}, \gamma _i = g^{a x^{i}}$, and set $\gamma = g^{a}$. Set $\sigma _{U} = (1, (r_{\alpha } - 1)/x)$ for $r_{\alpha } = {F}_{K}(\alpha )$ ($\sigma _{U}$ is essentially the MAC on 1 under this special and secret label $\alpha $).

Output $\mathsf{sk}= (K, g, h, x, \alpha ), \mathsf{ek}=(\gamma , h_1, \gamma _1, \ldots , h_D, \gamma _D, \sigma _{U})$ and let the message space $\mathcal{M}$ be $ \mathbb {Z}_{p}$.
$\mathsf{Auth}(\mathsf{sk}, {\tau }, m)$. The tagging algorithm is the same as the one of the construction in Sect. 3. To authenticate a message $m \in \mathbb {Z}_p$ with label ${\tau }\in \{0,1\}^{\lambda }$, compute $r_{{\tau }} = {F}_{K}({\tau })$, set $y_0 = m$ , $y_1 = (r_{{\tau }}- m)/x \bmod p$, and output $\sigma = (y_0, y_1)$.
$\mathsf{Eval}_1(\mathsf{ek}, f, {\varvec{\sigma }})$. The homomorphic evaluation algorithm $\mathsf{Eval}_1$ allows to compute a MAC for a circuit f of degree at most D starting from MACs obtained by evaluating circuits of degree 1. The algorithm is almost the same as the $\mathsf{Eval}$ algorithm in the construction of Sect. 4 and works as follows. It takes as input the evaluation key $\mathsf{ek}$, an arithmetic circuit $f: \mathbb {Z}_{p}^{n} \rightarrow \mathbb {Z}_p$, and a vector ${\varvec{\sigma }}$ of tags $(\sigma _1,\ldots , \sigma _n)$ such that $\sigma _i \in \mathbb {Z}_p^{2}$ (i.e., it is a tag for a degree-1 polynomial).

First, proceed exactly as in the construction of Sect. 3 to compute the coefficients $(y_0, \ldots , y_d)$. If $d=1$ (i.e., the circuit f computes a degree-1 polynomial), then return $\sigma = (y_0, y_1)$. Otherwise, compute
$$\begin{aligned} \varLambda = \prod _{i=1}^{d} h_{i}^{y_i}, \;\; \; \Gamma = \prod _{i=1}^{d} \gamma _{i}^{y_i} \end{aligned}$$
and return $\sigma = (y_0, \varLambda , \Gamma )$.
$\mathsf{Eval}_2(\mathsf{ek}, \phi , {\varvec{\sigma }})$. The homomorphic evaluation algorithm $\mathsf{Eval}_2$ allows to further applies homomorphic operations on tags that were already obtained by using the algorithm $\mathsf{Eval}_1$, namely tags for circuits of degree at most D. Precisely, $\mathsf{Eval}_2$ allows to evaluate any circuit of degree at most 2. Thus, having $\mathsf{Eval}_1$ and $\mathsf{Eval}_2$ enables us to obtain a scheme that supports the evaluation of circuits of degree up to 2D, and whose tags have constant size.

The algorithm takes as input the evaluation key $\mathsf{ek}$, an arithmetic circuit $\phi : \mathbb {Z}_{p}^{n} \rightarrow \mathbb {Z}_p$ of degree $\le 2$ and a vector ${\varvec{\sigma }}$ of tags $(\sigma _1,\ldots , \sigma _n)$ so that $\sigma _i \in \mathbb {Z}_p^{2}$ (i.e., it is a tag for a degree-1 polynomial), or $\sigma _{i} \in \mathbb {Z}_p \times \mathbb {G}^{2} $ (i.e., it is a tag obtained by $\mathsf{Eval}_1$). In particular, we assume that at least one of the $\sigma _i$’s is in $\mathbb {Z}_p \times \mathbb {G}^{2}$ (otherwise, one can use $\mathsf{Eval}_1$).

First, for any tag $\sigma _i = (y^{(i)}_0,y^{(i)}_1) \in \mathbb {Z}_p^{2}$ the algorithm transforms $\sigma _i$ into a tag $\tilde{\sigma }_i = (y^{(i)}_0, \varLambda ^{(i)}, \Gamma ^{(i)}) \in \mathbb {Z}_p \times \mathbb {G}^{2}$ as follows:
$$\begin{aligned} \varLambda ^{(i)} = h_1^{y^{(i)}_1}, \; \; \; \Gamma ^{(i)} = \gamma _1^{y^{(i)}_1} \end{aligned}$$
Next, $\mathsf{Eval}_2$ proceeds on the circuit $\phi $ gate-by-gate as follows. At each gate g, given two tags $\sigma _1, \sigma _2$ (or a tag $\sigma _1$ and a constant $c \in \mathbb {Z}_p$), it runs one of the procedures described below (according to the case). It obtains a new tag $\sigma $ and passes this on as input to the next gate in the circuit.

When the computation reaches the last gate of the circuit $\phi $, $\mathsf{Eval}_2$ outputs the tag $\sigma $ obtained by evaluating such last gate.
- – $\mathsf{Add}_\mathsf{1}(\mathsf{ek}, \sigma _1, \sigma _2)$. This takes as input two tags $\sigma _1 = (y_0^{(1)}, \varLambda ^{(1)}, \Gamma ^{(1)})$ and $\sigma _2 = (y_0^{(2)}, \varLambda ^{(2)}, \Gamma ^{(2)})$ and outputs a tag $\sigma = (y_0, \varLambda , \Gamma )$ which is computed as follows:
  $$\begin{aligned} y_0 = y^{(1)}_0 + y^{(2)}_0, \; \; \; \varLambda = \varLambda ^{(1)} \cdot \varLambda ^{(2)}, \; \; \; \Gamma = \Gamma ^{(1)} \cdot \Gamma ^{(2)} \end{aligned}$$
- – $\mathsf{ConstMult}_\mathsf{1}(\mathsf{ek}, \sigma _1, c)$. This takes as input a tag $\sigma _1 = (y_0^{(1)}, \varLambda ^{(1)}, \Gamma ^{(1)})$ and a constant $c \in \mathbb {Z}_p$ and outputs the tag $\sigma = (y_0, \varLambda , \Gamma )$ which is computed as follows:
  $$\begin{aligned} y_0 = c \cdot y^{(1)}_0, \; \; \; \varLambda = (\varLambda ^{(1)})^{c}, \; \; \; \Gamma = (\Gamma ^{(1)})^{c} \end{aligned}$$
- – $\mathsf{Mult}_\mathsf{1}(\mathsf{ek}, \sigma _1, \sigma _2)$. This takes as input two tags $\sigma _1 = (y_0^{(1)}, \varLambda ^{(1)}, \Gamma ^{(1)})$ and $\sigma _2 = (y_0^{(2)}, \varLambda ^{(2)}, \Gamma ^{(2)})$ and outputs a tag $\sigma = \varOmega $ for the multiplication, computed as follows:
  $$\begin{aligned} \varOmega = e(\varLambda ^{(1)}, \Gamma ^{(2)}) \cdot e(\varLambda ^{(1)}, \gamma ^{y^{(2)}_0}) \cdot e(\varLambda ^{(2)}, \gamma ^{y^{(1)}_0}) \end{aligned}$$
- – $\mathsf{Shift}_{\mathsf{1} \rightarrow \mathsf{2}}(\mathsf{ek}, \sigma _1)$. This takes as input a tag $\sigma _1 = (y_0^{(1)}, \varLambda ^{(1)}, \Gamma ^{(1)})$ and outputs $\sigma = \varOmega $ computed as $\sigma {\leftarrow }\mathsf{Mult}_\mathsf{1}(\mathsf{ek}, \sigma _1, \sigma _{U})$. Here we are using multiplication by 1 to obtain a tag that is valid for the same message, but that it is of the $\mathbb {G}_T$ form. The only case in which this algorithm is needed is before running the following algorithm $\mathsf{Add}_\mathsf{2}$ (i.e., when one needs to compute an addition after the last multiplication), and one of the two input tags $\sigma _1, \sigma _2$ is not of the $\mathbb {G}_T$ form.
- – $\mathsf{Add}_\mathsf{2}(\mathsf{ek}, \sigma _1, \sigma _2)$. This takes as input two tags $\sigma _1 = \varOmega ^{(1)} \in \mathbb {G}_{T}$ and $\sigma _2 = \varOmega ^{(2)} \in \mathbb {G}_{T}$ and outputs $\sigma = \varOmega $ which is computed as:
  $$\begin{aligned} \varOmega = \varOmega ^{(1)} \cdot \varOmega ^{(2)} \end{aligned}$$
- – $\mathsf{ConstMult}_\mathsf{2}(\mathsf{ek}, \sigma _1, c)$. This takes as input a tag $\sigma _1 = \varOmega ^{(1)}$ and a constant $c \in \mathbb {Z}_p$ and outputs $\sigma = \varOmega $ which is computed as:
  $$\begin{aligned} \varOmega = (\varOmega ^{(1)})^{c} \end{aligned}$$
$\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$. Let ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ be a labeled program, $m \in \mathbb {Z}_p$ and $\sigma $ be a tag of either the form $(y_0, y_1) \in \mathbb {Z}_p^{2}$, or $(y_0, \varLambda , \Gamma ) \in \mathbb {Z}_p \times \mathbb {G}^{2}$, or $\sigma = \varOmega $.

First, proceed as in the construction of Sect. 3 to compute $\rho = f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})$.

Next, according to the form of $\sigma $ make the following checks:
1. 1.
  If $\sigma = (y_0, y_1)$, then output 1 only if
  $$\begin{aligned} \rho = y_0 + y_1 \cdot x \; \wedge \; y_0 =m. \end{aligned}$$
2. 2.
  If $\sigma = (y_0, \varLambda , \Gamma )$, then output 1 only if
  $$\begin{aligned} g^{\rho } = g^{y_0} \cdot \varLambda \; \wedge \; y_0 = m \; \wedge \; e(\varLambda , \gamma ) = e(\Gamma , g) \end{aligned}$$
3. 3.
  If $\sigma = \varOmega $, then output 1 only if
  $$\begin{aligned} e(g, \gamma )^{\rho - m} = \varOmega \end{aligned}$$

Correctness. The correctness basically follows from the correctness of the scheme described in Sect. 4. The only less trivial fact to observe is what happens in the procedure $\mathsf{Mult}_\mathsf{1}$ which computes the multiplication of two tags $\sigma _1 = (y_0^{(1)}, \varLambda ^{(1)}, \Gamma ^{(1)})$, $\sigma _2 = (y_0^{(2)}, \varLambda ^{(2)}, \Gamma ^{(2)})$ (that we assume to be valid for messages $m_1$ and $m_2$, respectively).

By definition we have that $\varLambda ^{(i)} = g^{(y^{(i)}(x) - y^{(i)}(0))}$ while $\Gamma ^{(i)} = (\varLambda ^{(i)})^{a}$.

$$\begin{aligned} \varOmega= & {} e(\varLambda ^{(1)}, \Gamma ^{(2)}) \cdot e(\varLambda ^{(1)}, \gamma ^{y^{(2)}_0}) \cdot e(\varLambda ^{(2)}, \gamma ^{y^{(1)}_0})\\= & {} e(g,\gamma )^{(y^{(1)}(x) - y^{(1)}(0))(y^{(2)}(x) - y^{(2)}(0)) + y^{(2)}(x)y^{(1)}(0) + y^{(1)}(x)y^{(2)}(0) + y^{(1)}(0)y^{(2)}(0)} \\= & {} e(g, \gamma )^{y^{(1)}(x)y^{(2)}(x) - y^{(1)}(0)y^{(2)}(0)} \\= & {} e(g, \gamma )^{\rho _1 \rho _2 - m_1m_2} \end{aligned}$$

where the last equality follows from the correctness of the tags $\sigma _1, \sigma _2$.

5.1 Proof of Security

Theorem 5

If ${F}$ is a PRF and the D-Bilinear Diffie-Hellman Inversion Assumption holds in $\mathbb {G}, \mathbb {G}_{T}$, then the homomorphic MAC scheme described in Sect. 5 is secure.

To prove the security of our scheme, we define the following hybrid games. We denote with $G_i$ the event that the experiment Game i, run with the adversary $\mathcal{A}$, outputs 1.

Game 0: This is the same as the real $\mathsf{HomUF-CMA}$ experiment, except that in every verification query $(m, {\mathcal {P}}, \sigma )$, in order to check whether ${\mathcal {P}}$ is well-defined or not, the challenger uses the probabilistic test of Proposition 1.

Thus, we have that for all adversaries $\mathcal{A}$ making at most Q verification queries we have
$$\begin{aligned} | \Pr [\mathsf{HomUF-CMA}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )] - \Pr [G_0(\mathcal{A})] | \le Q \cdot 2^{-\lambda } \end{aligned}$$
(18)
Game 1: This is the same as Game 0, except that the PRF is replaced with a truly random function $\mathcal{R}: \{0,1\}^{*} \rightarrow \mathbb {Z}_p$: basically, each value $r_{{\tau }}$ is generated uniformly at random in $\mathbb {Z}_p$.
Game 2: This is the same as Game 1, except for the following changes. Let $\mathsf{bad}_2$ be a flag value which is initially set to $\mathsf{false}$. Here we set $\mathsf{bad}_2$ to true if we ever receive a query (either a verification query or an authentication one) containing the label $\alpha $.
Game 3: This is the same as Game 2 except for a change in answering verification queries. Let $\mathsf{bad}_3$ be a flag value which is initially set to $\mathsf{false}$. For all verification queries $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}= (f, {\tau }_1, \ldots , {\tau }_n)$ is not well-defined on T, the challenger answers 0 (reject) and proceeds as follows.

First, for every ${\tau }_i$ such that $({\tau }_i, \cdot ) \notin T$ it takes $r_{{\tau }_{i}} {\leftarrow }\mathcal{R}({\tau }_i)$. Next, it computes $\rho $ using the internal procedure of $\mathsf{Ver}$.

If $\sigma = (y_0, y_1)$, compute $z = \rho - y_0 - x \cdot y_1$. If $z = 0 \pmod p$, then set $\mathsf{bad}_3 {\leftarrow }\mathsf{true}$.

If $\sigma = (y_0, \varLambda , \Gamma )$ compute $Z = g^{\rho - m} \varLambda ^{-1}$. If $Z = 1$, then set $\mathsf{bad}_3 {\leftarrow }\mathsf{true}$.

If $\sigma = \varOmega $ compute $Z = e(g, \gamma )^{\rho + m} \varOmega ^{-1}$. If $Z = 1$, then set $\mathsf{bad}_3 {\leftarrow }\mathsf{true}$.
Game 4: This is the same as Game 3 except for the following change in answering authentication queries. Given a query $({\tau }, m)$ such that $({\tau }, m) \notin T$, if $r_{{\tau }} = \mathcal{R}({\tau })$ was previously used to answer a verification query, then resample a fresh $r_{{\tau }}' \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ to create the tag, and from now on use $r'_{{\tau }}$ in every verification query involving label ${\tau }$.
Game 5: This is the same as Game 4 except for the following change in answering verification queries. Let $\mathsf{bad}_5$ be a flag value which is initially set to $\mathsf{false}$. For every verification query $(m, {\mathcal {P}}, \sigma )$ such that ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_{n})$ is well-defined on T, the challenger proceeds as follows.

For every index $i \in \{1, \ldots , n\}$ such that $({\tau }_{i}, \cdot ) \notin T$ (i.e., ${\mathcal {P}}$ contains a new label) it chooses a dummy tag $\sigma _i$ (e.g., for a random message).

Let $\sigma _1, \ldots , \sigma _n$ be the tags associated to labels ${\tau }_1, \ldots , {\tau }_{n}$, respectively. If $\sigma = (y_0, y_1)$ or $\sigma = (y_0, \varLambda , \Gamma )$, then the challenger uses $\mathsf{Eval}_1(\mathsf{ek}, f, (\sigma _1, \ldots , \sigma _n))$ to homomorphically compute ${\hat{\sigma }}$ (which is either $({\hat{y}}_0, {\hat{y}}_1)$, or ${\hat{\varLambda }}$, respectively). If ${\hat{\sigma }} = {\hat{\varOmega }}$, instead it computes ${\hat{\sigma }}$ as follows. First, it computes $y_0, \ldots , y_d$ as in $\mathsf{Eval}_1$. Next, it goes back to the last multiplication level before the end of the evaluation of f. Let $y^{(1)}, \ldots , y^{(t)}$ be the tags that were obtained immediately before reaching the last multiplication level. The challenger first “transforms” such tags into tags of the form $(y_0^{(i)}, \varLambda ^{(i)}, \Gamma ^{(i)})$ and then it runs $\mathsf{Eval}_2$ on such tags to obtain ${\hat{\sigma }} = {\hat{\varOmega }}$.

Let ${\hat{\sigma }}$ be the tag obtained by the honest homomorphic evaluation as described before. If $\sigma = {\hat{\sigma }}$, then the challenger outputs 1 (accept). Otherwise, it outputs 0 (reject).

Moreover,
1. 1.
  If $(y_0, y_1) \ne ({\hat{y}}_0, {\hat{y}}_1)$, compute $z = (y_0 - {\hat{y}}_0) + x(y_1 - {\hat{y}}_1)$. If $z = 0 \pmod p$, then set $\mathsf{bad}_5 {\leftarrow }\mathsf{true}$.
2. 2.
  If $\varLambda \ne {\hat{\varLambda }}$, compute $Z = (\varLambda /{\hat{\varLambda }}) g^{(m - {\hat{m}})}$. If $Z = 1$, then set $\mathsf{bad}_5 {\leftarrow }\mathsf{true}$.
3. 3.
  If $\varOmega \ne {\hat{\varOmega }}$, compute $Z = e(g, \gamma )^{m - {\hat{m}}} ({\hat{\varOmega }}/\varOmega )$. If $Z = 1$, then set $\mathsf{bad}_5 {\leftarrow }\mathsf{true}$.

To prove the theorem, we prove the following claims. Most of them have proofs similar to those used in the proof of Theorem 4.

Claim 11

$|\Pr [G_0] - \Pr [G_1]| \le {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda )$.

The proof can be obtained via a straightforward reduction to the security of the PRF.

Claim 12

$|\Pr [G_1] - \Pr [G_2]| \le \frac{nQ}{2^{\lambda }}$ where n is the maximum number of allowed input labels per labeled program and Q is the number of queries made by the adversary $\mathcal{A}$ during the experiment.

Proof

First notice that the first change introduced in this game is merely syntactical and does not affect the quality of the verification procedure. As for the second modification the stated bound can be easily be obtained by simply counting the number of maximum different labels that $\mathcal{A}$ can use in its queries. This is at most a polynomial number n for each of the Q queries. Also, notice that even tough the value $\mathcal{R}(\alpha )=r_\alpha $ is only computationally hidden by the values contained in $\mathsf{ek}$, the label $\alpha $ remains information theoretically hidden even given $r_\alpha $ (as described in Game 2, we are now using a truly random function to generate $r_\alpha $ from $\alpha $). $\square $

Claim 13

$|\Pr [G_2] - \Pr [G_3]| \le \frac{Q(d+1)}{p - d(Q-1)}$ where p is the order of the group used in the scheme and Q is the number of verification queries made by the adversary $\mathcal{A}$ during the experiment.

The proof is essentially the same as the proof of Claim 7.

Claim 14

$|\Pr [G_3] - \Pr [G_4]| \le \frac{DQ^2}{p}$ where p is the order of the group used in the scheme and Q is the number of verification queries made by the adversary $\mathcal{A}$ during the experiment.

The proof is essentially the same as the proof of Claim 8.

Claim 15

$\Pr [G_4] \equiv \Pr [G_5 \wedge \lnot \mathsf{Bad}_5]$.

Proof

Let $\mathsf{Bad}_5$ be the event that $\mathsf{bad}_5$ is set $\mathsf{true}$ in Game 5. If the event $\mathsf{Bad}_4$ does not occur, then we claim that Game 4 is identical to Game 3. The only change is in the way the challenger answers verification queries $(m, {\mathcal {P}}, \sigma )$ for a program ${\mathcal {P}}$ that is well-defined on T, and we claim that such change is only syntactic, and thus it does not change the adversary’s view of the game.

Let $(m, {\mathcal {P}}, \sigma )$ be a verification query. If $\sigma = (y_0, y_1)$ then by the same argument in the proof of Claim 10 the answer is correct. If $\sigma = (y_0, \varLambda , \Gamma ) \ne ({\hat{y}}_0, {\hat{\varLambda }}, {\hat{\Gamma }}) = {\hat{\sigma }}$, then observe that:

if $(y_0, \varLambda ) \ne ({\hat{y}}_0, {\hat{\varLambda }})$, then the answer is correct by the same argument in Claim 9;
if $(y_0, \varLambda ) = ({\hat{y}}_0, {\hat{\varLambda }})$ and $\Gamma \ne {\hat{\Gamma }}$, then $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ would output 1 only if $e(\Gamma , g) = e(\varLambda , \gamma )$. Since $\varLambda = {\hat{\varLambda }}$, we have that $e(\varLambda , \gamma ) = e({\hat{\varLambda }}, \gamma ) = e({\hat{\Gamma }}, g)$. Hence, returning 1 only if $\Gamma = {\hat{\Gamma }}$ (i.e., $e(\Gamma , g) = e({\hat{\Gamma }}, g)$) is the same as the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.

We consider the remaining case in which the queried tag $\sigma $ is of the form $\sigma =\varOmega \in \mathbb {G}_T$. Similarly, to the proof of Claim 9, we only consider the case when ${\mathcal {P}}=(f, {\tau }_1, \ldots , {\tau }_n)$ is well-defined on T and $\forall i=1, \ldots , n$, $({\tau }_i, m_i) \in T$. Indeed, as we have shown, the case in which ${\mathcal {P}}$ is well-defined and there is some $({\tau }_i, \cdot ) \notin T$ is essentially the same.

Now, if we analyze how the challenger computes ${\hat{\sigma }} = {\hat{\varOmega }}$ (which is also the way $\mathcal{B}$ does), then this is basically a way to compute a valid tag (of the $\mathbb {G}_T$ form) for the circuit f. By correctness, it must be $e(g,\gamma )^{\rho + {\hat{m}}} = {\hat{\varOmega }}$ where $\rho $ is the value computed by the verification algorithm as $f(r_{{\tau }_1}, \ldots , r_{{\tau }_n})$. $\rho $ is the same when running both $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ and $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, {\hat{\sigma }})$ as the very same $r_{{\tau }}$’s are used. In order for $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$ to output 1, it must hold $e(g,\gamma )^{\rho + m} = \varOmega $. So, returning 1 only if $Z = e(g, \gamma )^{m - {\hat{m}}} ({\hat{\varOmega }}/\varOmega )= 1$ is the same as returning the output of $\mathsf{Ver}(\mathsf{sk}, m, {\mathcal {P}}, \sigma )$.

$\square $

Claim 16

$\Pr [\mathsf{Bad}_5] \le Q \cdot {\mathbf {Adv}}_{\mathcal{B}}^{BDHI}(\lambda )$ where Q is the number of verification queries made by the adversary $\mathcal{A}$ in Game 5.

Proof

Assume by contradiction that there exists an adversary $\mathcal{A}$ such that, when run in Game 4, we have $\Pr [\mathsf{Bad}_5] \ge \epsilon (\lambda )$ for some non-negligible function $\epsilon $. Then, we show how to build an efficient simulator $\mathcal{B}$ that breaks the D-BDHI assumption with advantage ${\mathbf {Adv}}^{BDHI}_{\mathcal{B}}(\lambda ) \ge \epsilon (\lambda )/Q$.

If $\mathsf{Bad}_5$ occurs in Game 5, then there must exist an index $1 \le \mu \le Q$ such that $\mathsf{bad}_5{\leftarrow }\mathsf{true}$ is set in the $\mu $-th verification query.

$\mathcal{B}$ takes as input a tuple $(\eta , \eta ^{x}, \ldots , \eta ^{x^{\ell }})$ and its goal is to compute $e(\eta , \eta )^{1/x}$. $\mathcal{B}$ picks a random $\beta \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ and defines $\gamma = \eta ^{\beta }$. Next, for $i=1$ to D, it sets $\gamma _i = (\eta ^{x^{i}})^{\beta }$ and $h_i = \eta ^{x^{i-1}}$. It also simulates the tag $\sigma _U$ for the value 1 using “1” as label. This is done by using the same procedure described below for the simulation of authentication queries. Let Q be an upper bound on the number of verification queries made by the adversary. $\mathcal{B}$ chooses $\mu ^* \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\{1, \ldots , Q \}$ uniformly at random as a guess for the index $\mu $ in which $\mathsf{bad}_5$ is updated to $\mathsf{true}$. Finally, $\mathcal{B}$ runs $\mathcal{A}$ on input $\mathsf{ek}= (\gamma , h_1, \gamma _1, \ldots , h_{D}, \gamma _{D}, \sigma _{U})$ and it answers queries as follows.

Authentication Queries. Given an authentication query $(m, {\tau })$ it chooses $y_1 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p$ at random, sets $y_0 = m$ and returns $\sigma = (y_0, y_1)$. Notice that this alternative generation of the tag without using x generates the same distribution of tags as the one in Game 5, in which a fresh value $r_{{\tau }}'$ is used in every authentication query.

Verification Queries. On input the j-th verification query $(m, {\mathcal {P}}, \sigma )$, $\mathcal{B}$ proceeds as follows:

If ${\mathcal {P}}$ is not well-defined on T, output 0 (reject). Notice that this answer is correct by the change introduced in Game 2.
If ${\mathcal {P}}$ is well-defined compute ${\hat{\sigma }}$ as the challenger in Game 5, i.e., by using either $\mathsf{Eval}_1$ or the modified version of $\mathsf{Eval}_2$. If $\sigma = {\hat{\sigma }}$ $\mathcal{B}$ outputs 1 (accept).
If ${\mathcal {P}}$ is well-defined, $\sigma \ne {\hat{\sigma }}$ and $j\ne \mu ^{*}$, then output 0 (reject).
If ${\mathcal {P}}$ is well-defined, $\sigma \ne {\hat{\sigma }}$ and $j = \mu ^{*}$, then output 0 (reject), and proceed as follows:
- If $\sigma = (y_0, y_1)$ (and ${\hat{\sigma }} = ({\hat{y}}_0, {\hat{y}}_1)$), compute $x' = (y_0 - {\hat{y}}_0)/({\hat{y}}_1 - y_1) \pmod p$, and $U = e(\eta , \eta )^{1/x'}$
- If $\sigma = (y_0, \varLambda , \Gamma )$ (and ${\hat{\sigma }} = ({\hat{y}}_0, {\hat{\varLambda }}, {\hat{\Gamma }})$), compute $\eta ' = ({\hat{\varLambda }}/\varLambda )^{(y_0-{\hat{y}}_0)^{-1}}$ and $U = e(\eta ', \eta )$.
- If $\sigma = \varOmega $ (and ${\hat{\sigma }} = {\hat{\varOmega }}$), compute $U= (\varOmega /{\hat{\varOmega }})^{(\beta (m - {\hat{m}}))^{-1}}$

At the end of the simulation, $\mathcal{B}$ outputs U. If $\mathcal{B}$ correctly guessed the index $\mu ^{*} = \mu $ in which the adversary queries the forgery, then it is not hard to verify that $\mathcal{B}$ is correctly computing $U=e(\eta , \eta )^{1/x}$ with probability at least $\epsilon (\lambda )$ (i.e., $\mathcal{A}$’s success probability). Therefore, we have:

$$\begin{aligned} {\mathbf {Adv}}^{BDHI}_{\mathcal{B}}(\lambda ) = \Pr [\mathsf{Bad}_5 \wedge \mu ^{*} = \mu ] \ge \Pr [\mu ^{*} = \mu ] \Pr [\mathsf{Bad}_5] \ge \frac{\epsilon (\lambda )}{Q} \end{aligned}$$

which concludes the proof of the Claim. $\square $

To conclude the proof of the Theorem, observe that $\Pr [G_5] = 0$ as all verification queries to Type 1 and Type 2 forgeries are answered with 0. So, if we put together the results of the above claims we obtain

$$\begin{aligned} {\mathbf {Adv}}^{\mathsf{HomUF-CMA}}_{\mathcal{A},\mathsf{HomMAC}}(\lambda )\le & {} {\mathbf {Adv}}^{PRF}_{\mathcal{B}, {F}}(\lambda ) + \frac{(n+1)Q}{2^{\lambda }} + \frac{Q (D+1)}{p - D(Q-1)} + \frac{DQ^{2}}{p}\\&+ Q\cdot {\mathbf {Adv}}^{BDHI}_{\mathcal{B}}(\lambda ). \end{aligned}$$

Since $p \approx 2^{\lambda }$ and D, n and Q are $\mathsf{poly}(\lambda )$, if the PRF is secure and the D-BDHI assumption holds then $\mathcal{A}$ has at most negligible advantage of breaking the unforgeability of our construction.

Notes

Informally, the degree of an arithmetic circuit is related to the degree of the polynomial computed by the circuit (see next section for more details).
Very briefly, this assumption states that it is computationally infeasible to compute $g^{1/x}$, given $g, g^{x}, g^{x^2}, \ldots , g^{x^{D-1}}$.
More precisely, their basic construction cannot support verification queries at all. This can be extended to allow for some fixed a priori number of queries q at the cost of increasing by O(q) the size of the tag.
While, in general, every polynomial defines a unique function, the converse is not true as a function may be expressed as a polynomial in several ways.
One should think of such a situation as if one stored two different values under the same unique index in a remote database.
The same argument can be actually extended to $d/p<1/c$ for some constant c.
This bound follows from that one can use optimized algorithms based on FFT to compute the convolution.
However, this $r_{{\tau }^*}$ might have been implicitly used before. In particular the adversary might have already asked some non-easy verification query containing the input label ${\tau }^*$.

References

S. Agrawal and D. Boneh. Homomorphic MACs: MAC-based integrity for network coding, in M. Abdalla, D. Pointcheval, P.-A. Fouque, and D. Vergnaud, editors, ACNS 09, volume 5536 of LNCS (Springer, 2009), pp. 292–305
J. H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, a. shelat, and B. Waters. Computing on authenticated data, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, 2012), pp. 1–20
B. Applebaum, Y. Ishai, and E. Kushilevitz. From secrecy to soundness: Efficient verification via secure computation, in S. Abramsky, C. Gavoille, C. Kirchner, F. Meyer auf der Heide, and P.G. Spirakis, editors, ICALP 2010, Part I, volume 6198 of LNCS (Springer, 2010), pp. 152–163
N. Attrapadung and B. Libert. Homomorphic network coding signatures in the standard model, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, PKC 2011, volume 6571 of LNCS (Springer, 2011), pp. 17–34
N. Attrapadung, B. Libert, and T. Peters. Computing on authenticated data: New privacy definitions and constructions, in X. Wang and K. Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS (Springer, 2012), pp. 367–385
N. Attrapadung, B. Libert, and T. Peters. Efficient completely context-hiding quotable and linearly homomorphic signatures, in K. Kurosawa and G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS (Springer, 2013), pp. 386–404
M. Backes, D. Fiore, and R. M. Reischuk. Verifiable delegation of computation on outsourced data, in A.-R. Sadeghi, V. D. Gligor, and M. Yung, editors, ACM CCS 13 (ACM Press, 2013) pp. 863–874
S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation of computation over large datasets, in P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS (Springer, 2011), pp. 111–131
N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again, in S. Goldwasser, editor, ITCS 2012 (ACM 2012), pp. 326–349
N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. Recursive composition and bootstrapping for SNARKs and proof-carrying data. Cryptology ePrint Archive, Report 2012/095, 2012. http://eprint.iacr.org/2012/095
D. Boneh, D. Freeman, J. Katz, and B. Waters. Signing a linear subspace: Signature schemes for network coding, in S. Jarecki and G. Tsudik, editors, PKC 2009, volume 5443 of LNCS (Springer, 2009), pp. 68–87
D. Boneh and D. M. Freeman. Homomorphic signatures for polynomial functions, in K. G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS (Springer, 2011), pp. 149–168
D. Boneh and D. M. Freeman. Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, PKC 2011, volume 6571 of LNCS (Springer, 2011), pp. 1–16
X. Boyen. The uber-assumption family (invited talk), in S.D. Galbraith and K.G. Paterson, editors, PAIRING 2008, volume 5209 of LNCS (Springer, 2008), pp. 39–56
D. Catalano and D. Fiore. Practical homomorphic MACs for arithmetic circuits, in T. Johansson and P.Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, 2013), pp. 336–352
D. Catalano, D. Fiore, R. Gennaro, and L. Nizzardo. Generalizing homomorphic MACs for arithmetic circuits, in H. Krawczyk, editor, PKC 2014, volume 8383 of LNCS (Springer, 2014), pp. 538–555
D. Catalano, D. Fiore, R. Gennaro, and K. Vamvourellis. Algebraic (trapdoor) one-way functions and their applications, in A. Sahai, editor, TCC 2013, volume 7785 of LNCS (Springer, 2013), pp. 680–699
D. Catalano, D. Fiore, R. Gennaro, and K. Vamvourellis. Algebraic (trapdoor) one-way functions: Constructions and applications. Theoretical Computer Science, 592:143–165, 2015.
Article MathSciNet MATH Google Scholar
D. Catalano, D. Fiore, and L. Nizzardo. Programmable hash functions go private: Constructions and application to (homomorphic) signatures with shorter public keys, in Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part II, volume 9216 of LNCS (Springer, 2015), pp. 254–274
D. Catalano, D. Fiore, and B. Warinschi. Adaptive pseudo-free groups and applications, in K.G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS (Springer, 2011), pp. 207–223
D. Catalano, D. Fiore, and B. Warinschi. Efficient network coding signatures in the standard model, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, 2012), pp. 680–696
D. Catalano, D. Fiore, and B. Warinschi. Homomorphic signatures with efficient verification for polynomial functions, in J.A. Garay and R. Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS (Springer, 2014), pp. 371–389
K.-M. Chung, Y. Kalai, and S. P. Vadhan. Improved delegation of computation using fully homomorphic encryption, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, 2010), pp. 483–501
K.-M. Chung, Y. T. Kalai, F.-H. Liu, and R. Raz. Memory delegation, in P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS (Springer, 2011), pp. 151–168
R. A. DeMillo and R. J. Lipton. A probabilistic remark on algebraic program testing. Information Processing Letters, 7(4):193–195, 1978.
Article MATH Google Scholar
D. Fiore and R. Gennaro. Publicly verifiable delegation of large polynomials and matrix computations, with applications, in T. Yu, G. Danezis, and V.D. Gligor, editors, ACM CCS 12 (ACM Press, 2012), pp. 501–512
D. M. Freeman. Improved security for linearly homomorphic signatures: A generic framework, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, 2012), pp. 697–714
R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, 2010), pp. 465–482
R. Gennaro, J. Katz, H. Krawczyk, and T. Rabin. Secure network coding over the integers, in P.Q. Nguyen and D. Pointcheval, editors, PKC 2010, volume 6056 of LNCS (Springer, 2010), pp. 142–160
R. Gennaro and D. Wichs. Fully homomorphic message authenticators, in K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS (Springer, 2013), pp. 301–320
C. Gentry. Fully homomorphic encryption using ideal lattices, in M. Mitzenmacher, editor, 41st ACM STOC (ACM Press, 2009), pp. 169–178
C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions, in L. Fortnow and S.P. Vadhan, editors, 43rd ACM STOC (ACM Press, 2011), pp. 99–108
S. Goldwasser, Y.T. Kalai, and G.N. Rothblum. Delegating computation: interactive proofs for muggles, in R.E. Ladner and C. Dwork, editors, 40th ACM STOC (ACM Press, 2008), pp. 113–122
S. Gorbunov, V. Vaikuntanathan, and D. Wichs. Leveled fully homomorphic signatures from standard lattices, in 47th ACM STOC (ACM Press, 2015)
R. Johnson, D. Molnar, D.X. Song, and D. Wagner. Homomorphic signature schemes, in B. Preneel, editor, CT-RSA 2002, volume 2271 of LNCS (Springer, 2002), pp. 244–262
J. Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract), in 24th ACM STOC (ACM Press, 1992), pp. 723–732
B. Libert, T. Peters, M. Joye, and M. Yung. Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS (Springer, 2013), pp. 289–307
S. Micali. CS proofs (extended abstracts), in 35th FOCS (IEEE Computer Society Press, 1994), pp. 436–453
S. Mitsunari, R. Sakai, and M. Kasahara. A new traitor tracing. IEICE Transactions on Fundamentals, E85-A(2):481–484, 2002.
Google Scholar
B. Parno, M. Raykova, and V. Vaikuntanathan. How to delegate and verify in public: Verifiable computation from attribute-based encryption, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, 2012), pp. 422–439
J. T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. Journal of the ACM, 27:701–717, 1980.
Article MathSciNet MATH Google Scholar
H. Shacham and B. Waters. Compact proofs of retrievability, in J. Pieprzyk, editor, ASIACRYPT 2008, volume 5350 of LNCS (Springer, 2008), pp. 90–107
A. Shpilka and A. Yehudayoff. Arithmetic circuits: A survey of recent results and open questions. Foundations and Trends in Theoretical Computer Science, 5(3-4):207–388, 2010.
MathSciNet MATH Google Scholar
P. Valiant. Incrementally verifiable computation or proofs of knowledge imply time/space efficiency, in R. Canetti, editor, TCC 2008, volume 4948 of LNCS (Springer, 2008), pp. 1–18
R. Zippel. Probabilistic algorithms for sparse polynomials. In E. W. Ng, editor, EUROSM ’79, volume 72 of Lecture Notes in Computer Science (Springer, 1979), pp. 216–226

Download references

Acknowledgements

The authors would like to thank Valerio Pastro and Daniel Wichs for helpful discussions on this work. The second author did most of this work while at NYU. The research of Dario Fiore has been partially supported by the European Union’s Seventh Framework Programme under agreement 291803 (AMAROUT II), the Horizon 2020 Research and Innovation Programme under grant agreement 688722 (NEXTLEAP), the Spanish Ministry of Economy under project reference TIN2015-70713-R (DEDETIS) and under a Juan de la Cierva fellowship to Dario Fiore, and by the Madrid Regional Government under project N-Greens (ref. S2013/ICE-2731).

Author information

Authors and Affiliations

Dipartimento di Matematica e Informatica, Università di Catania, Catania, Italy
Dario Catalano
IMDEA Software Institute, Madrid, Spain
Dario Fiore

Authors

Dario Catalano
View author publications
You can also search for this author in PubMed Google Scholar
Dario Fiore
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dario Fiore.

Additional information

Communicated by Hugo Krawczyk.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Catalano, D., Fiore, D. Practical Homomorphic Message Authenticators for Arithmetic Circuits. J Cryptol 31, 23–59 (2018). https://doi.org/10.1007/s00145-016-9249-1

Download citation

Received: 13 April 2015
Revised: 05 May 2016
Published: 04 January 2017
Issue Date: January 2018
DOI: https://doi.org/10.1007/s00145-016-9249-1

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Practical Homomorphic Message Authenticators for Arithmetic Circuits

Abstract

Similar content being viewed by others

De Bello Homomorphico: Investigation of the extensibility of the OpenFHE library with basic mathematical functions by means of common approaches using the example of the CKKS cryptosystem

Ascon v1.2: Lightweight Authenticated Encryption and Hashing

Homomorphic Encryption for Arithmetic of Approximate Numbers

1 Introduction

1.1 Our Contribution

1.2 Related Work

1.3 Organization

2 Background and Definitions

2.1 Pseudorandom Functions

2.2 Arithmetic Circuits

2.3 Homomorphic Message Authenticators

Remark 1

Proposition 1

Proof

Remark 2

3 Our Homomorphic MAC from OWFs

3.1 Correctness

Theorem 1

Proof

Theorem 2

Proof

Lemma 1

Proof

3.2 Proof of Security

Theorem 3

Claim 1

Claim 2

Claim 3

Proof

Claim 4

Claim 5

Proof

4 A Compact Homomorphic MAC for Circuits of Bounded Polynomial Degree

Definition 1

4.1 Proof of Security

Theorem 4

Claim 6

Claim 7

Proof

Claim 8

Proof

Claim 9

Proof

Claim 10

Proof

5 A Compact Homomorphic MAC with an Additional Level of Multiplication

Definition 2

5.1 Proof of Security

Theorem 5

Claim 11

Claim 12

Proof

Claim 13

Claim 14

Claim 15

Proof

Claim 16

Proof

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Additional information

Rights and permissions

About this article

Cite this article

Share this article

Keywords

Search

Navigation