Journal of Cryptology

, Volume 31, Issue 1, pp 23–59 | Cite as

Practical Homomorphic Message Authenticators for Arithmetic Circuits

  • Dario Catalano
  • Dario Fiore


Homomorphic message authenticators allow the holder of a (public) evaluation key to perform computations over previously authenticated data, in such a way that the produced tag \(\sigma \) can be used to certify the authenticity of the computation. More precisely, a user, knowing the secret key \(\mathsf{sk}\) used to authenticate the original data, can verify that \(\sigma \) authenticates the correct output of the computation. This primitive has been recently formalized by Gennaro and Wichs, who also showed how to realize it from fully homomorphic encryption. In this paper, we show new constructions of this primitive that, while supporting a smaller set of functionalities (i.e., polynomially bounded arithmetic circuits as opposite to boolean ones), are much more efficient and easy to implement. Moreover, our schemes can tolerate any number of (malicious) verification queries. Our first construction relies on the sole assumption that one-way functions exist, allows for arbitrary composition (i.e., outputs of previously authenticated computations can be used as inputs for new ones) but has the drawback that the size of the produced tags grows with the degree of the circuit. Our second solution, relying on the D-Diffie-Hellman Inversion assumption, offers somewhat orthogonal features as it allows for very short tags (one single group element!) but poses some restrictions on the composition side.


Homomorphic authenticators Homomorphic MAC Verifiable computation Secure outsourcing Cloud computing 



The authors would like to thank Valerio Pastro and Daniel Wichs for helpful discussions on this work. The second author did most of this work while at NYU. The research of Dario Fiore has been partially supported by the European Union’s Seventh Framework Programme under agreement 291803 (AMAROUT II), the Horizon 2020 Research and Innovation Programme under grant agreement 688722 (NEXTLEAP), the Spanish Ministry of Economy under project reference TIN2015-70713-R (DEDETIS) and under a Juan de la Cierva fellowship to Dario Fiore, and by the Madrid Regional Government under project N-Greens (ref. S2013/ICE-2731).


  1. 1.
    S. Agrawal and D. Boneh. Homomorphic MACs: MAC-based integrity for network coding, in M. Abdalla, D. Pointcheval, P.-A. Fouque, and D. Vergnaud, editors, ACNS 09, volume 5536 of LNCS (Springer, 2009), pp. 292–305Google Scholar
  2. 2.
    J. H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, a. shelat, and B. Waters. Computing on authenticated data, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, 2012), pp. 1–20Google Scholar
  3. 3.
    B. Applebaum, Y. Ishai, and E. Kushilevitz. From secrecy to soundness: Efficient verification via secure computation, in S. Abramsky, C. Gavoille, C. Kirchner, F. Meyer auf der Heide, and P.G. Spirakis, editors, ICALP 2010, Part I, volume 6198 of LNCS (Springer, 2010), pp. 152–163Google Scholar
  4. 4.
    N. Attrapadung and B. Libert. Homomorphic network coding signatures in the standard model, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, PKC 2011, volume 6571 of LNCS (Springer, 2011), pp. 17–34Google Scholar
  5. 5.
    N. Attrapadung, B. Libert, and T. Peters. Computing on authenticated data: New privacy definitions and constructions, in X. Wang and K. Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS (Springer, 2012), pp. 367–385Google Scholar
  6. 6.
    N. Attrapadung, B. Libert, and T. Peters. Efficient completely context-hiding quotable and linearly homomorphic signatures, in K. Kurosawa and G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS (Springer, 2013), pp. 386–404Google Scholar
  7. 7.
    M. Backes, D. Fiore, and R. M. Reischuk. Verifiable delegation of computation on outsourced data, in A.-R. Sadeghi, V. D. Gligor, and M. Yung, editors, ACM CCS 13 (ACM Press, 2013) pp. 863–874Google Scholar
  8. 8.
    S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation of computation over large datasets, in P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS (Springer, 2011), pp. 111–131Google Scholar
  9. 9.
    N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again, in S. Goldwasser, editor, ITCS 2012 (ACM 2012), pp. 326–349Google Scholar
  10. 10.
    N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. Recursive composition and bootstrapping for SNARKs and proof-carrying data. Cryptology ePrint Archive, Report 2012/095, 2012.
  11. 11.
    D. Boneh, D. Freeman, J. Katz, and B. Waters. Signing a linear subspace: Signature schemes for network coding, in S. Jarecki and G. Tsudik, editors, PKC 2009, volume 5443 of LNCS (Springer, 2009), pp. 68–87Google Scholar
  12. 12.
    D. Boneh and D. M. Freeman. Homomorphic signatures for polynomial functions, in K. G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS (Springer, 2011), pp. 149–168Google Scholar
  13. 13.
    D. Boneh and D. M. Freeman. Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, PKC 2011, volume 6571 of LNCS (Springer, 2011), pp. 1–16Google Scholar
  14. 14.
    X. Boyen. The uber-assumption family (invited talk), in S.D. Galbraith and K.G. Paterson, editors, PAIRING 2008, volume 5209 of LNCS (Springer, 2008), pp. 39–56Google Scholar
  15. 15.
    D. Catalano and D. Fiore. Practical homomorphic MACs for arithmetic circuits, in T. Johansson and P.Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS (Springer, 2013), pp. 336–352Google Scholar
  16. 16.
    D. Catalano, D. Fiore, R. Gennaro, and L. Nizzardo. Generalizing homomorphic MACs for arithmetic circuits, in H. Krawczyk, editor, PKC 2014, volume 8383 of LNCS (Springer, 2014), pp. 538–555Google Scholar
  17. 17.
    D. Catalano, D. Fiore, R. Gennaro, and K. Vamvourellis. Algebraic (trapdoor) one-way functions and their applications, in A. Sahai, editor, TCC 2013, volume 7785 of LNCS (Springer, 2013), pp. 680–699Google Scholar
  18. 18.
    D. Catalano, D. Fiore, R. Gennaro, and K. Vamvourellis. Algebraic (trapdoor) one-way functions: Constructions and applications. Theoretical Computer Science, 592:143–165, 2015.MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    D. Catalano, D. Fiore, and L. Nizzardo. Programmable hash functions go private: Constructions and application to (homomorphic) signatures with shorter public keys, in Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part II, volume 9216 of LNCS (Springer, 2015), pp. 254–274Google Scholar
  20. 20.
    D. Catalano, D. Fiore, and B. Warinschi. Adaptive pseudo-free groups and applications, in K.G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS (Springer, 2011), pp. 207–223Google Scholar
  21. 21.
    D. Catalano, D. Fiore, and B. Warinschi. Efficient network coding signatures in the standard model, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, 2012), pp. 680–696Google Scholar
  22. 22.
    D. Catalano, D. Fiore, and B. Warinschi. Homomorphic signatures with efficient verification for polynomial functions, in J.A. Garay and R. Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS (Springer, 2014), pp. 371–389Google Scholar
  23. 23.
    K.-M. Chung, Y. Kalai, and S. P. Vadhan. Improved delegation of computation using fully homomorphic encryption, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, 2010), pp. 483–501Google Scholar
  24. 24.
    K.-M. Chung, Y. T. Kalai, F.-H. Liu, and R. Raz. Memory delegation, in P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS (Springer, 2011), pp. 151–168Google Scholar
  25. 25.
    R. A. DeMillo and R. J. Lipton. A probabilistic remark on algebraic program testing. Information Processing Letters, 7(4):193–195, 1978.CrossRefzbMATHGoogle Scholar
  26. 26.
    D. Fiore and R. Gennaro. Publicly verifiable delegation of large polynomials and matrix computations, with applications, in T. Yu, G. Danezis, and V.D. Gligor, editors, ACM CCS 12 (ACM Press, 2012), pp. 501–512Google Scholar
  27. 27.
    D. M. Freeman. Improved security for linearly homomorphic signatures: A generic framework, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, 2012), pp. 697–714Google Scholar
  28. 28.
    R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers, in T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS (Springer, 2010), pp. 465–482Google Scholar
  29. 29.
    R. Gennaro, J. Katz, H. Krawczyk, and T. Rabin. Secure network coding over the integers, in P.Q. Nguyen and D. Pointcheval, editors, PKC 2010, volume 6056 of LNCS (Springer, 2010), pp. 142–160Google Scholar
  30. 30.
    R. Gennaro and D. Wichs. Fully homomorphic message authenticators, in K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS (Springer, 2013), pp. 301–320Google Scholar
  31. 31.
    C. Gentry. Fully homomorphic encryption using ideal lattices, in M. Mitzenmacher, editor, 41st ACM STOC (ACM Press, 2009), pp. 169–178Google Scholar
  32. 32.
    C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions, in L. Fortnow and S.P. Vadhan, editors, 43rd ACM STOC (ACM Press, 2011), pp. 99–108Google Scholar
  33. 33.
    S. Goldwasser, Y.T. Kalai, and G.N. Rothblum. Delegating computation: interactive proofs for muggles, in R.E. Ladner and C. Dwork, editors, 40th ACM STOC (ACM Press, 2008), pp. 113–122Google Scholar
  34. 34.
    S. Gorbunov, V. Vaikuntanathan, and D. Wichs. Leveled fully homomorphic signatures from standard lattices, in 47th ACM STOC (ACM Press, 2015)Google Scholar
  35. 35.
    R. Johnson, D. Molnar, D.X. Song, and D. Wagner. Homomorphic signature schemes, in B. Preneel, editor, CT-RSA 2002, volume 2271 of LNCS (Springer, 2002), pp. 244–262Google Scholar
  36. 36.
    J. Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract), in 24th ACM STOC (ACM Press, 1992), pp. 723–732Google Scholar
  37. 37.
    B. Libert, T. Peters, M. Joye, and M. Yung. Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS (Springer, 2013), pp. 289–307Google Scholar
  38. 38.
    S. Micali. CS proofs (extended abstracts), in 35th FOCS (IEEE Computer Society Press, 1994), pp. 436–453Google Scholar
  39. 39.
    S. Mitsunari, R. Sakai, and M. Kasahara. A new traitor tracing. IEICE Transactions on Fundamentals, E85-A(2):481–484, 2002.Google Scholar
  40. 40.
    B. Parno, M. Raykova, and V. Vaikuntanathan. How to delegate and verify in public: Verifiable computation from attribute-based encryption, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS (Springer, 2012), pp. 422–439Google Scholar
  41. 41.
    J. T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. Journal of the ACM, 27:701–717, 1980.MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    H. Shacham and B. Waters. Compact proofs of retrievability, in J. Pieprzyk, editor, ASIACRYPT 2008, volume 5350 of LNCS (Springer, 2008), pp. 90–107Google Scholar
  43. 43.
    A. Shpilka and A. Yehudayoff. Arithmetic circuits: A survey of recent results and open questions. Foundations and Trends in Theoretical Computer Science, 5(3-4):207–388, 2010.MathSciNetzbMATHGoogle Scholar
  44. 44.
    P. Valiant. Incrementally verifiable computation or proofs of knowledge imply time/space efficiency, in R. Canetti, editor, TCC 2008, volume 4948 of LNCS (Springer, 2008), pp. 1–18Google Scholar
  45. 45.
    R. Zippel. Probabilistic algorithms for sparse polynomials. In E. W. Ng, editor, EUROSM ’79, volume 72 of Lecture Notes in Computer Science (Springer, 1979), pp. 216–226Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.Dipartimento di Matematica e InformaticaUniversità di CataniaCataniaItaly
  2. 2.IMDEA Software InstituteMadridSpain

Personalised recommendations