However, due to its special functionality, the security notions for homomorphic authenticated encryption are somewhat involved, and no construction of fully homomorphic authenticated encryption has been given so far. In this work, we propose a new security notion and the first construction of fully homomorphic authenticated encryption. To realize our new security notion, we also give a generic construction of fully homomorphic authenticated encryption.
Our contributions
HAE provides privacy and authenticity of the plaintext and ensures that the ciphertext was generated honestly with respect to a given circuit. Finally, we propose an efficient multi-dataset fully homomorphic authenticator (MDFHA) scheme that can be used as a component of the generic construction of FHAE. Our MDFHA scheme is a variant of the first fully homomorphic signature scheme [4], but our construction supports multiple datasets more efficiently.
Related works
Notations and conventions
The depth of the bitwise-described circuit $\bar{f} = (f_1, \dots, f_n)$ is defined as the maximum of the depths of the circuits $f_1, \dots, f_n$. Given bitwise programs $\bar{P}_1, \dots, \bar{P}_l$ and a bitwise circuit $\bar{g} = (g_1, \dots, g_n)$ from $M^l$ to $M$, the composed bitwise program, denoted $\bar{g}(\bar{P}_1, \dots, \bar{P}_l)$, is the bitwise program that evaluates $\bar{g}$ on the outputs of $\bar{P}_1, \dots, \bar{P}_l$. For any bitwise program $\bar{P} = (\bar{f}, \tau_1, \dots, \tau_l)$, a graph traversal always finds $l' \in [l]$ such that, without loss of generality, $i > l'$ if and only if each input wire $(\tau_i, j)$ in $f_1, \dots, f_n$.
Syntax
If we let $P'$ be the fully bound subprogram of $P$, then from the correctness properties of an MDHAE we see that $m = \mathsf{Dec}(sk, \Delta, P', c)$. Correctness: $\mathsf{EffDec}(sk_P, \Delta, c) = \mathsf{Dec}(sk, \Delta, P, c)$ for any dataset identifier $\Delta \in \mathcal{D}$ and ciphertext $c \in \mathcal{C}$, when $(ek, sk) \leftarrow \mathsf{KeyGen}(1^\lambda)$ and $sk_P \leftarrow \mathsf{Prep}(sk, P)$ for some admissible program $P$.
A new security notion for multi-dataset homomorphic authenticated encryptions
The advantage of the adversary in the game $\mathsf{Game}^{\mathsf{MDHAE}}$ for the scheme $\mathcal{H}$ with respect to the algorithm $ is defined as follows. We say that an MDHAE $\mathcal{H}$ is secure if there exists an algorithm $ such that the advantage $\mathsf{Adv}^{\mathsf{MDHAE}}_{\mathcal{H},\$,\mathcal{A}}(\lambda)$ is negligible for any PPT adversary $\mathcal{A}$. The adversary of the game $\mathsf{Game}^{\mathsf{MDHAE},\mathsf{Priv}}$ is also allowed to make encryption or decryption queries adaptively.
The security game $\mathsf{Game}^{\mathsf{MDHAE},\mathsf{Priv}}_{\mathcal{H},\$,\mathcal{A}}(\lambda)$ is defined in the same way as $\mathsf{Game}^{\mathsf{MDHAE}}_{\mathcal{H},\$,\mathcal{A}}(\lambda)$, except for the initialization phase, which is given below. The advantage of the adversary in the game $\mathsf{Game}^{\mathsf{MDHAE},\mathsf{Priv}}$ for the scheme $\mathcal{H}$ with respect to the algorithm $ is defined as follows. We say that an MDHAE $\mathcal{H}$ has privacy if there exists an algorithm $ such that the advantage $\mathsf{Adv}^{\mathsf{MDHAE},\mathsf{Priv}}_{\mathcal{H},\$,\mathcal{A}}(\lambda)$ is negligible for any PPT adversary $\mathcal{A}$.
Instead of adversaries that output an MDHAE forgery, we consider adversaries that distinguish the decryption oracle from the $\bot$ algorithm. Let $\bot(\cdot,\cdot,\cdot)$ be the algorithm that outputs $\bot$ on all inputs, as in our new security notion in Section 3.2. The adversary of $\mathsf{Game}^{\mathsf{MDHAE},\mathsf{Auth}}$ is also allowed to make encryption or decryption queries adaptively.
The security game $\mathsf{Game}^{\mathsf{MDHAE},\mathsf{Auth}}_{\mathcal{H},\mathcal{A}}(\lambda)$ is defined in the same way as $\mathsf{Game}^{\mathsf{MDHAE}}_{\mathcal{H},\$,\mathcal{A}}(\lambda)$, except for the initialization phase, which is given below.
Syntax
A security notion for homomorphic encryptions
Syntax
We say that $\mathcal{T}$ is a multi-dataset fully homomorphic authenticator (MDFHA) if the admissible function space $\mathcal{F}$ is defined as follows. An MDHA $\mathcal{T}$ is said to be bitwise evaluable (or a BE-MDHA) if the algorithms $\mathcal{T}.\mathsf{Eval}$ and $\mathcal{T}.\mathsf{Verify}$ take a bitwise-described circuit and a bitwise-described program as part of their inputs, instead of a regular circuit and a regular program, respectively. Selective security, correctness, and support for efficient verification are defined as above, replacing circuits and programs with their bitwise counterparts.
Moreover, we say that $\mathcal{T}$ is a bitwise evaluable multi-dataset leveled fully homomorphic authenticator (BE-MDFHA) if the admissible function space $\mathcal{F}$ is defined as follows. To our knowledge, however, there is no direct MDHA construction with an exponentially large message space. Therefore, we define BE-MDHA as above and propose a generic construction of a BE-MDHA from an existing MDHA with message space $\{0,1\}$ in Section VII.
We say that an MDHA $\mathcal{T}$ is OR-homomorphic if the admissible function space $\mathcal{F}$ is defined as $\mathcal{F} = \{\, f \mid f : M^l \to M \text{ is a circuit of depth } d \text{ for some } l \,\}$.
A security notion for multi-dataset homomorphic authenticators
We say that an MDHA $\mathcal{T}$ is selectively secure if the advantage $\mathsf{Adv}^{\mathsf{MDHA}}_{\mathcal{T},\mathcal{A}}(\lambda)$ is negligible for any PPT adversary $\mathcal{A}$.
Overview of our Construction
Instead, we adapt the technique of the OR-homomorphic authenticator given by Catalano, Fiore, and Nizzardo [10]. The idea is to modify the simple encrypt-then-authenticate construction $\mathcal{H}_0$ so that each ciphertext carries an additional authentication tag for the message 0. When we perform a homomorphic evaluation, we must also homomorphically evaluate this authentication tag.
When we evaluate a unary gate, we homomorphically evaluate the identity gate on the tag for 0. When we evaluate a binary gate, we homomorphically evaluate the logical OR of the two corresponding zeros. The MDHA $\check{\mathcal{T}}$ used to authenticate 0 can be OR-homomorphic, and since the message 0 is fixed and the labels can be randomized as in the construction of $\mathcal{H}_0$, $\check{\mathcal{T}}$ only needs to be selectively secure.
Since we always evaluate ORs of the inputs, the final value of this circuit made of OR gates will be 1. For example, some popular FHE schemes such as [2, 6] can be used as $\mathsf{K}$, and the first fully homomorphic signature [4] can be used as $\check{\mathcal{T}}$. Using the first fully homomorphic signature [4] and Construction 3, one can construct a secure BE-MDFHA, which can be used as $\bar{\mathcal{T}}$.
We define the corresponding logic circuit $\check{f} : \{0,1\}^l \to \{0,1\}$ as the circuit obtained by replacing each unary gate of $f$ with an identity gate (sending bit $b$ to $b$ itself) and each binary gate of $f$ with an OR gate.
Generic construction
For unaltered ciphertexts and their homomorphic evaluations, the extra tags are therefore all authentication tags for zeros. Any such decryption query (whose extra tag for 0 verifies) then yields a forgery against $\check{\mathcal{T}}$. Therefore, if $\check{\mathcal{T}}$ is secure, it is infeasible to produce a valid decryption query with an empty space.
As for $\bar{\mathcal{T}}$, since there is no dedicated MDFHA scheme with an exponentially large message space, one can follow our generic construction for BE-MDHA, Construction 3 in Section VII, to build such a scheme. Evaluation correctness: from the description of $\mathcal{H}.\mathsf{Eval}$ and the correctness of $\mathsf{K}$, $\check{\mathcal{T}}$ and $\bar{\mathcal{T}}$, $\mathcal{H}$ satisfies evaluation correctness. Projection preservation: by the correctness of $\mathsf{K}$, if $f$ is a projection, then $\check{f}$ is also a projection and $\bar{f}$ is a bitwise projection, where $\bar{f}$ is the bitwise circuit of the deterministic algorithm $\mathsf{K}.\mathsf{Eval}(ek, \mathring{f}, \ldots)$.
Then, from the description of $\mathcal{H}.\mathsf{Eval}$ and the correctness of $\check{\mathcal{T}}$ and $\bar{\mathcal{T}}$, $\mathcal{H}$ satisfies projection preservation. Note 5: if $\check{\mathcal{T}}$ and $\bar{\mathcal{T}}$ support efficient verification, Construction 1 supports efficient decryption. We define $\mathcal{H}.\mathsf{Prep}$ and $\mathcal{H}.\mathsf{EffDec}$ as follows. Since the complexity of $\mathcal{H}.\mathsf{EffDec}$ is independent of the time complexity of computing $f$, the above algorithms satisfy amortized efficiency.
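As an added illustration (not code from the paper), the following Python models the gate replacement $f \mapsto \check{f}$ from the overview together with the projection-preservation observation just made: every unary gate becomes the identity and every binary gate an OR, so the extra tags of honestly produced ciphertexts, which all authenticate 0, evaluate to 0, and a projection stays a projection. The `Circuit` class, its gate encoding and the sample circuits are this example's own assumptions.

```python
# Added example, not from the paper: the gate replacement f -> f-check.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A gate is (operation, indices of its input wires).  Wires 0..l-1 carry the
# l inputs, gate i writes wire l+i, and the last gate's wire is the output.
Gate = Tuple[Callable[..., int], Tuple[int, ...]]


@dataclass
class Circuit:
    n_inputs: int
    gates: List[Gate] = field(default_factory=list)

    def evaluate(self, inputs: Tuple[int, ...]) -> int:
        """Evaluate the circuit on a tuple of bit inputs."""
        assert len(inputs) == self.n_inputs
        wires = list(inputs)
        for op, ins in self.gates:
            wires.append(op(*(wires[i] for i in ins)))
        return wires[-1]


def check_circuit(f: Circuit) -> Circuit:
    """f-check: each unary gate becomes the identity, each binary gate an OR."""
    g = Circuit(f.n_inputs)
    for _op, ins in f.gates:
        if len(ins) == 1:
            g.gates.append(((lambda b: b), ins))
        elif len(ins) == 2:
            g.gates.append(((lambda a, b: a | b), ins))
        else:
            raise ValueError("this model only has unary and binary gates")
    return g


def honest_tag_value(f: Circuit) -> int:
    """Extra tags of fresh ciphertexts all authenticate 0, so the value an
    honest evaluation under f carries is f-check applied to all zeros."""
    return check_circuit(f).evaluate((0,) * f.n_inputs)


# Constructed sample circuit: f(x0, x1, x2) = (NOT x0 AND x1) XOR x2 over bits.
SAMPLE_F = Circuit(3, [
    ((lambda b: 1 - b), (0,)),       # wire 3 = NOT x0
    ((lambda a, b: a & b), (3, 1)),  # wire 4 = wire 3 AND x1
    ((lambda a, b: a ^ b), (4, 2)),  # wire 5 = wire 4 XOR x2 (output)
])
# Constructed sample projection: output the second input unchanged.
SAMPLE_PROJ = Circuit(3, [((lambda b: b), (1,))])
```

For `SAMPLE_F` every input reaches the output, so `check_circuit(SAMPLE_F)` computes the OR of all three inputs; for a general circuit it is the OR over the inputs that feed the output wire.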
Security
Furthermore, $\mathring{\mathcal{B}}$ wins the game $\mathsf{Game}^{\mathsf{HE}}_{\mathsf{K},\$_{\mathsf{K}},\mathring{\mathcal{B}}}(\lambda)$ if and only if $\mathcal{A}$ makes no bad query to $\mathring{\mathcal{B}}$ and outputs the winning bit $\mathring{b}' = b$ in the finalization phase. Among $\mathcal{A}$'s queries, let $\Delta_i \in \mathcal{D}$ be the $i$-th new dataset identifier and $\tau_j \in \mathcal{T}$ the $j$-th new data identifier. $\bar{\mathcal{B}}$ handles $\mathcal{A}$'s queries as follows. If the query $(\Delta^*, P^*, c^*)$ is a non-redundant decryption query made before the $q^*$-th query, then $\bar{\mathcal{B}}$ returns $\bot$ as the answer.
If the $q^*$-th query is an encryption query or a rejected query, $\bar{\mathcal{B}}$ does nothing and aborts. More precisely, except for the choice of $q^* \in [q]$, the remaining parts of $\bar{\mathcal{B}}$ and the challenger of this game are deterministic. Now suppose that, for any fixed $\mathsf{prms} \in \mathsf{Coll} \cap \bar{E}'$, $\mathcal{A}$ makes its first bad query at the $q^{**}$-th query in $\mathsf{Game}_2(\lambda; \mathsf{prms})$.
Among $\mathcal{A}$'s queries, let $\Delta_i \in \mathcal{D}$ be the $i$-th new dataset identifier and $\tau_j \in \mathcal{T}$ the $j$-th new data identifier. $\check{\mathcal{B}}$ handles $\mathcal{A}$'s queries as follows. For each decryption query $(\Delta^*, P^*, c^*)$ made by $\mathcal{A}$, $\check{\mathcal{B}}$ checks whether the query is redundant. If the query $(\Delta^*, P^*, c^*)$ is redundant, then $\check{\mathcal{B}}$ rejects it. If the query $(\Delta^*, P^*, c^*)$ is a non-redundant decryption query made before the $q^*$-th query, then $\check{\mathcal{B}}$ returns $\bot$ as the answer.
Our scheme is a slightly modified version of the first fully homomorphic signature [4], but our scheme supports multiple datasets without additional transformation.
A selectively secure multi-dataset fully homomorphic authenticator scheme
In this section, we propose a selectively secure multi-dataset (leveled) fully homomorphic authenticator scheme and a generic construction of a selectively secure BE-MDHA. The generic construction we propose, Construction 3, can be used to build a selectively secure BE-MDHA from a selectively secure MDHA such as Construction 2. For any nonzero $(u_0, u_1) \in \mathbb{Z}^{k_0} \times \mathbb{Z}^{k_1}$, given $A_0$ and $A_0 R$, the average min-entropy of $R u_1$ is at least $\Omega(n)$.
Let $D_R$ be the distribution given in Lemma 2, $D_U$ the distribution of the output of $\mathsf{Sam}(1^k, 1^k, q)$, and $\beta_{\mathsf{init}} = \beta_{\mathsf{sam}} = \mathrm{poly}(\lambda)$. Evaluation correctness: since $\mathcal{T}.\mathsf{Verify}$ accepts the output of $\mathcal{T}.\mathsf{Eval}$ whenever its input is also accepted by $\mathcal{T}.\mathsf{Verify}$, $\mathcal{T}$ satisfies evaluation correctness. Also, by the definition of $\mathcal{T}.\mathsf{EffVerify}$, the complexity of $\mathcal{T}.\mathsf{EffVerify}$ is independent of the time complexity of computing the input program $P$.
Security: consider $\mathsf{Game}^{\mathsf{MDHA}}_{\mathcal{T}',\mathcal{A}}(\lambda)$, where $\mathcal{T}'$ is the same as $\mathcal{T}$ except for the parts using the PRF $F$. From $\mathcal{A}$'s perspective, $\mathcal{B}$'s simulation above is indistinguishable from the original challenger of $\mathsf{Game}^{\mathsf{MDHA}}_{\mathcal{T},\mathcal{A}}(\lambda)$, except with negligible probability, by Lemma 2. Therefore, when $\mathcal{A}$ issues a forgery attempt $(\Delta^*, P^*, m^*, \sigma^* = (\Delta^*, U^*))$, the probability that $\Delta^* = \Delta_{i^*}$ is at least $1/q$, except with negligible probability.
In short, if $\mathcal{A}$ produces a forgery, $\mathcal{B}$ can solve the $\mathsf{SIS}_{n,k,q,\beta_{\mathsf{SIS}}}$ problem except with negligible probability.
Generic construction of bitwise evaluable multi-dataset homomorphic authenticators
In conclusion, if $\mathcal{A}$ produces a forgery, then $\mathcal{B}$ can solve the $\mathsf{SIS}_{n,k,q,\beta_{\mathsf{SIS}}}$ problem except with negligible probability. the bitwise-described program $\bar{P}_{j'}$ for all $j' \in [n]$, then since $\pi_{i,1}, \ldots$ From the amortized efficiency of $\mathcal{T}$, the complexity of $\bar{\mathcal{T}}.\mathsf{EffVerify}$ is also independent of the time complexity of computing the input program $P$.
In this work, we have proposed a new security notion for HAEs that simultaneously implies privacy and authenticity.
To build an FHAE that meets the new security notion, we designed a generic construction that combines FHE and MDFHA. Our construction is essentially a homomorphic version of the encrypt-then-authenticate construction, with an additional message-independent authentication added for our stronger security definition. Fully homomorphic encryptions and fully homomorphic authenticators usually have a very large ciphertext expansion, and their practical performance is sometimes not so satisfactory.
Since our construction follows the encrypt-then-authenticate paradigm, it has large ciphertext expansion and less-than-ideal performance, although existing FHA schemes that support amortized efficiency and satisfy adaptive security have similar shortcomings. Our FHAE provides data privacy essentially for free, with asymptotically comparable performance to those FHA schemes. Constructing FHAE schemes more efficient than our generic composition is an interesting open problem.
I also thank my family and friends for all the support and love they have given me.