Generalizing Homomorphic MACs for Arithmetic Circuits
Dario Catalano (Università di Catania, Italy), Dario Fiore (IMDEA Software Institute, Spain), Rosario Gennaro (CUNY, USA), Luca Nizzardo* (Università di Milano-Bicocca, Italy)
* work done while visiting CUNY
PKC'14 - Buenos Aires, March 28, 2014
Outline
- Motivation
- Homomorphic MACs
  - Definition
  - Previous work
- Our results
- Summary & Open problems
Delegating Computations on Outsourced Data
[Figure: a company outsources its data v_1, v_2, ..., v_n to the cloud; a client asks the cloud to "Compute P" and receives y = P(v_1, ..., v_k).]
Question:
- How can the client be sure that P is executed on the company's data?
- Trivial solution: the cloud sends all the authenticated inputs. TOO INEFFICIENT
Main Goals
- Integrity: the untrusted cloud must not be able to send an incorrect y
- Efficiency: the client's communication and storage must be minimized
An approach to solve the problem: Homomorphic Message Authenticators [GW13]
[Figure: the client, holding the secret key sk, authenticates v_1, v_2, ..., v_n before outsourcing them; on the request "Compute P" the cloud returns y = P(v_1, ..., v_k) together with a tag σ that proves that "y is the output of P on authenticated data"; the client checks σ with sk.]
Main Goals
- Integrity ✓: the untrusted cloud must not be able to send an incorrect y, because the cloud cannot forge MACs.
- Efficiency ✓: the client's communication and storage must be minimized; here |σ| << size of the k input values.
Homomorphic MACs & Labeled Programs [GW13]
- KeyGen(λ) → (sk, ek)  // private key sk, public evaluation key ek
- Auth(sk, v, τ) → σ, which authenticates value v w.r.t. label τ
  - Idea of labels: uniquely "remember" the outsourced data, e.g.
    $665.41 ~ "Jan 3rd, 2012, Google stock price"
    $668.28 ~ "Jan 4th, 2012, Google stock price"
    $659.01 ~ "Jan 5th, 2012, Google stock price"
    ...
- Eval(ek, P, σ_1, ..., σ_n) → σ, a new tag authenticating the "output of labeled program P"
- A labeled program P is a circuit f with a label τ on each input wire
  [Figure: a circuit of + and × gates whose input wires carry the labels τ_1, τ_2, τ_3.]
  - e.g., P computes the yearly average stock price for some days, each day labeled by some τ_i
- Ver(sk, P, v, σ) checks whether v is the output of P = (f, τ_1, ..., τ_n) on values authenticated with labels τ_1, ..., τ_n
Properties of Homomorphic MACs
- Security: ... in 2 slides
- Succinctness: the size of tags (returned by Eval) does not depend on the number of inputs of the computation
- Composition: authenticated outputs can be further used as inputs to other circuits
Composition
- At gate level: for every pair of authenticated inputs, obtain an authenticated output
  [Figure: (v_1, σ_1) on wire τ_1 and (v_2, σ_2) on wire τ_2 enter a × gate and yield (v_1 × v_2, σ_×). (v_3, σ_3) on wire τ_3 and (v_4, σ_4) on wire τ_4 enter a circuit f' of + and × gates; feeding the two results into a final × gate gives f = × ∘ f' and the authenticated pair (f(v_1, v_2, v_3, v_4), σ_f).]
- Very useful property if one wants to merge partially authenticated computations, e.g., for parallelization (MapReduce)
Security
Unforgeability against chosen-message attacks
Basic idea: nobody, without sk, can create a "valid" MAC
[Game: the challenger holds sk, the adversary holds ek.]
- Authentication queries: the adversary sends (τ_i, v_i) and receives σ_i = Auth(sk, τ_i, v_i). Each τ_i can be queried only once.
- Verification queries: the adversary sends (P, v, σ) and receives b = Ver(sk, P, v, σ).
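A toy end-to-end instance of the KeyGen/Auth/Eval/Ver interface, the gate-level composition and a rejected wrong output from the slides above. This is an added example, not the construction presented in this talk: it instantiates tags as the polynomial-based homomorphic MAC from Catalano and Fiore's earlier work (tags are polynomials with y(0) = value and y(α) = PRF(label), verified at a secret point α), and assumes HMAC-SHA256 as the PRF, a Mersenne prime modulus, and constructed sample labels "jan3", "jan4", "jan5".

```python
import hmac, hashlib, os, itertools, functools

P = 2**61 - 1  # prime modulus: values, PRF outputs and tag coefficients all live in Z_p
fadd, fmul = lambda a, b: (a + b) % P, lambda a, b: a * b % P  # gate semantics over Z_p

def keygen():  # sk = (PRF key K, secret point alpha); ek is empty in this scheme
    return {"K": os.urandom(32), "alpha": 1 + int.from_bytes(os.urandom(16), "big") % (P - 1)}

def prf(K, label):
    return int.from_bytes(hmac.new(K, label.encode(), hashlib.sha256).digest(), "big") % P

def auth(sk, v, label):
    # tag = degree-1 polynomial y (coefficients, low degree first) with y(0) = v and y(alpha) = F_K(label)
    r = prf(sk["K"], label)
    return [v % P, (r - v) * pow(sk["alpha"], -1, P) % P]

def poly_add(a, b):
    return [(x + y) % P for x, y in itertools.zip_longest(a, b, fillvalue=0)]

def poly_mul(a, b):  # convolution of coefficient lists; the degree grows with circuit depth, not with n
    return [sum(a[i] * b[k - i] for i in range(len(a)) if 0 <= k - i < len(b)) % P
            for k in range(len(a) + len(b) - 1)]

def run(prog, leaf, add, mul):
    # walk a labeled program: a leaf is an input label, a node is ('+'|'*', left, right)
    if isinstance(prog, str):
        return leaf(prog)
    op, l, r = prog
    return (add if op == "+" else mul)(run(l, leaf, add, mul), run(r, leaf, add, mul))

def evaluate(prog, tags):
    # Eval: the cloud applies every gate to the tags themselves; no secret is needed
    return run(prog, lambda lab: tags[lab], poly_add, poly_mul)

def verify(sk, prog, v, tag):
    # Ver: y(0) must be the claimed output and y(alpha) must equal f(F_K(tau_1), ..., F_K(tau_n))
    ev = lambda x: functools.reduce(lambda acc, c: (acc * x + c) % P, reversed(tag), 0)
    expected = run(prog, lambda lab: prf(sk["K"], lab), fadd, fmul)
    return ev(0) == v % P and ev(sk["alpha"]) == expected

def demo():
    sk = keygen()
    data = {"jan3": 66541, "jan4": 66828, "jan5": 65901}  # constructed inputs (stock prices in cents)
    tags = {lab: auth(sk, val, lab) for lab, val in data.items()}
    prog = ("+", ("*", "jan3", "jan4"), "jan5")            # labeled program P = (f, jan3, jan4, jan5)
    y, sigma = run(prog, lambda lab: data[lab], fadd, fmul), evaluate(prog, tags)
    # composition: the tag of the x gate is reused, unchanged, as an input to the + gate
    composed = poly_add(evaluate(("*", "jan3", "jan4"), tags), tags["jan5"])
    return verify(sk, prog, y, sigma), verify(sk, prog, y + 1, sigma), composed == sigma, len(sigma)
```

The returned tag has three coefficients regardless of how many labeled inputs feed the circuit; only the multiplicative depth (the polynomial degree) changes its size.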