Homomorphic signatures with sublinear public keys via asymmetric programmable hash functions

Abstract

We introduce the notion of asymmetric programmable hash functions (APHFs, for short), which adapts Programmable hash functions, introduced by Hofheinz and Kiltz (Crypto 2008, Springer, 2008), with two main differences. First, an APHF works over bilinear groups, and it is asymmetric in the sense that, while only secretly computable, it admits an isomorphic copy which is publicly computable. Second, in addition to the usual programmability, APHFs may have an alternative property that we call programmable pseudorandomness. In a nutshell, this property states that it is possible to embed a pseudorandom value as part of the function’s output, akin to a random oracle. In spite of the apparent limitation of being only secretly computable, APHFs turn out to be surprisingly powerful objects. We show that they can be used to generically implement both regular and linearly-homomorphic signature schemes in a simple and elegant way. More importantly, when instantiating these generic constructions with our concrete realizations of APHFs, we obtain: (1) the first linearly-homomorphic signature (in the standard model) whose public key is sub-linear in both the dataset size and the dimension of the signed vectors; (2) short signatures (in the standard model) whose public key is shorter than those by Hofheinz–Jager–Kiltz (Asiacrypt 2011, Springer, 2011) and essentially the same as those by Yamada et al. (CT-RSA 2012, Springer, 2012).

Appendices

Appendix A: Digital signatures

A digital signature scheme consists of three algorithms \(\varSigma =(\mathsf{KeyGen},\mathsf{Sign},\mathsf{Ver})\) such that:

\(\mathsf{KeyGen}(1^{\lambda })\) :

the key generation takes as input a security parameter \(\lambda \) and returns a secret key \(\mathsf{sk}\) and a public verification key \(\mathsf{vk}\).

\(\mathsf{Sign}(\mathsf{sk}, m)\) :

on input a secret key \(\mathsf{sk}\) and a message m, the signing algorithm generates a signature \(\sigma \).

\(\mathsf{Ver}(\mathsf{vk}, m, \sigma )\) :

given a triple \(\mathsf{vk},m,\sigma \) the verification algorithm outputs 1 (accept) if \(\sigma \) is a valid signature on m for verification key \(\mathsf{vk}\), and 0 (reject) otherwise.

The security of a signature scheme, called existential unforgeability against chosen message attacks (UF-CMA) is defined via the following experiment:

The advantage of \(\mathcal{{A}}\) in breaking the \(\mathsf{UF\text{- }CMA}\)-security of \(\varSigma \) is \(\mathbf {Adv}^\mathsf{UF\text{- }CMA}_{\mathcal{{A}},\varSigma }(\lambda )=\Pr [\mathbf {Exp}^\mathsf{UF\text{- }CMA}_{\mathcal{{A}},\varSigma }(\lambda )=1]\). Then we say that \(\mathcal{{A}}\) \((t, Q, \epsilon )\)-breaks the \(\mathsf{UF\text{- }CMA}\)-security of \(\varSigma \) if \(\mathcal{{A}}\) runs in time t, makes at most Q signature queries, and \(\mathbf {Adv}^\mathsf{UF\text{- }CMA}_{\mathcal{{A}},\varSigma }(\lambda ) = \epsilon \).

A digital signature scheme \(\varSigma \) is \(\mathsf{UF\text{- }CMA}\)-secure if for any PPT \(\mathcal{{A}}\), \(\mathbf {Adv}^\mathsf{UF\text{- }CMA}_{\mathcal{{A}},\varSigma }(\lambda )\) is negligible.

Appendix B: On the hardness of the FDHI assumption

To gain confidence in the FDHI assumption we show that FDHI is implied by the following decisional assumption:

Definition 12

(Decisional Assumption 1) Let \(\mathcal{{G}}\) be a generator of asymmetric bilinear groups, let \(\mathsf{bgp}= (p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_{T}, g_1, g_2, e) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal{{G}}(1^{\lambda })\) where \(g_1, g_2\) are two random generators. The Decisional Assumption 1 is \(\epsilon \)-hard for \(\mathcal{{G}}\) if for every PPT adversary \(\mathcal{{A}}\):

$$\begin{aligned} \left| \Pr [\mathcal{{A}}( g_1 , g_2 , g_2^z, g_2^v, g_1^{\frac{z}{v}}, g_1^r, g_1^{\frac{r}{v}}, g_2^{1/z})] - \Pr [\mathcal{{A}}( g_1 , g_2 , g_2^z, g_2^v, g_1^{\frac{z}{v}}, g_1^r, g_1^{\frac{r}{v}}, g_2^{t})]\right| \le \epsilon \end{aligned}$$

where \(z, v, r, t {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\).

Proposition 2

For any \(\mathcal{{A}}\) which \(\epsilon \)-breaks the FDHI assumption, there is \(\mathcal{{B}}\) which \(\epsilon '\)-breaks Assumption 1 where \(\epsilon ' \ge \epsilon - 1/p\)

Proof

(Sketch) Let \((g_1 , g_2 , g_2^z, g_2^v, g_1^{\frac{z}{v}}, g_1^r, g_1^{\frac{r}{v}}, T)\) be the input of \(\mathcal{{B}}\) where T can be either \(g_2^{1/z}\) or \(g_2^{t}\) for a random and independent t. \(\mathcal{{B}}\) runs \((W, Y) {\leftarrow }\mathcal{{A}}(g_1, g_2, g_2^z, g_2^v, g_1^{\frac{z}{v}}, g_1^r, g_1^{\frac{r}{v}})\). If \(e(Y, g_2^{z}) = e(W, g_2)\) (i.e., \(\mathcal{{A}}\) succeeds), then \(\mathcal{{B}}\) returns 1 if \(e(W, T) = e(Y, g_2)\) holds, and 0 otherwise.

Clearly, if \(T=g_2^{1/z}\), \(e(W, T) = e(W, g_2^{1/z}) = e(W^{1/z}, g_2) = e(Y, g_2)\). Instead, if T is random and independent, the equation holds only with negligible probability 1 / p. \(\square \)

As a next step, we show that Assumption 1 can be equivalently re-written in the following Assumption 2 without rational exponents:

Definition 13

(Decisional Assumption 2) Let \(\mathcal{{G}}\) be a generator of asymmetric bilinear groups, let \(\mathsf{bgp}= (p, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_{T}, g_1, g_2, e) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal{{G}}(1^{\lambda })\). Let \(h_1 \in \mathbb {G}_1, h_2 \in \mathbb {G}_2\) be two random generators. The Decisional Assumption 2 is \(\epsilon \)-hard for \(\mathcal{{G}}\) if for every PPT adversary \(\mathcal{{A}}\):

$$\begin{aligned} \left| \Pr [\mathcal{{A}}( h_1 , h_2 , h_2^x, h_2^u, h_1^{u}, h_1^{ru}, h_1^{rx}, h_2^{x^2})] - \Pr [\mathcal{{A}}( h_1 , h_2 , h_2^x, h_2^u, h_1^{u}, h_1^{ru}, h_1^{rx}, h_2^{t})]\right| \le \epsilon \end{aligned}$$

where \(x, u, r, t {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\).

Proof

The equivalence between the assumptions is obtained by setting the following equalities:

$$\begin{aligned} g_1 = h_1^{u}, g_2=h_2^{x}, g_2^{z} = h_2, g_2^{v}=h_2^{u}, g_1^{z/v} = h_{1}, g_1^{r} = h_1^{ru}, g_1^{r/v} = h_1^{rx}, T=T \end{aligned}$$

Finally, it is not hard to see that Assumption 2 is hard in the generic bilinear group model. When framing the assumption according to the master theorem in [13], the polynomial \(x^2\) (in the group \(\mathbb {G}_2\)) is in fact linearly-independent from the other polynomials representing the instance of the assumption. To confirm the validity of Assumption 2, we also automatically tested it using the generic group tool of [7].⁷

Appendix C: Programmable hash functions [30, 31]

Let \(\mathbb {G}\) be a cyclic group and \(\lambda \in \mathbb {N}\) be a security parameter. A group hash function H with input length \(\ell = \ell (\lambda )\) is defined by a couple of PPT algorithms \(H =(\mathsf{PHF.Gen}, \mathsf{PHF.Eval})\). Given the security parameter \(\lambda \), PHF.Gen outputs a key \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{PHF.Gen}(1^\lambda )\) which is used for deterministically evaluate H as \(y \leftarrow \mathsf{PHF.Eval}(K, X) \in \mathbb {G}\), for any \(x \in \{0, 1\}^\ell \). We write \(H(X) = \mathsf{PHF.Eval}(K, X)\).

A group hash function H is an \((m, n, \gamma , \delta )\)-programmable hash function if there exist two PPT algorithms PHF.TrapGen and PHF.TrapEval such that:

Syntactics::

: For \(g, h \in \mathbb {G}\), the trapdoor key generation \((K^\prime , t) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{PHF.TrapGen}(1^\lambda , g, h)\) produces a key \(K^\prime \) along with a trapdoor t. Moreover, \((a_X, b_X) \leftarrow \mathsf{PHF.TrapEval}(t, X)\) produces integers \(a_X\) and \(b_X\) for any \(X \in \{0, 1\}^\ell \).

Correctness::

We demand \(H_{K^\prime }(X) = \mathsf{PHF.Eval}(K^\prime , X) = g^{a_X} h^{b_X}\) for all generators \(g, h \in \mathbb {G}\) and all possible \((K^\prime , t) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{PHF.TrapGen}(1^\lambda , g, h)\), for all \(X \in \{0, 1\}^\ell \) and the corresponding \((a_X, b_X) \leftarrow \mathsf{PHF.TrapEval}(t, X)\).

Statistically-close trapdoor keys::

For all generators \(g, h \in \mathbb {G}\) and for \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{PHF.Gen}(1^\lambda )\) and \((K^\prime , t) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf{PHF.TrapGen}(1^\lambda ,g,h)\), the keys K and \(K^\prime \) are statistically \(\gamma \)-close: \(K \displaystyle \equiv ^\gamma K\).

Well distributed logarithms::

For all generators \(g, h \in \mathbb {G}\) and all possible \(K^\prime \) in the range of (the first component of ) PHF.TrapGen \((1^\lambda , g, h)\), for all \(X_1, \dots , X_m, Z_1, \dots , Z_n \in \{0, 1\}^\ell \) such that \(Xi \ne Z_j\) for any i, j, and for the corresponding \((a_{X_i}, b_{X_i}) \leftarrow \mathsf{PHF.TrapEval}(t, X_i)\) and \((a_{Z_i} , b_{Z_i}) \leftarrow \mathsf{PHF.TrapEval}(t, Z_i)\), we have

$$\begin{aligned} \Pr [a_{X_1} = \cdots = a_{X_m} = 0 \; \wedge \; a_{Z_1}, \ldots , a_{Z_n} \ne 0] \ge \delta \end{aligned}$$

where the probability is over the trapdoor t that was produced along with \(K^\prime \).