Multi-key homomorphic authenticators

Abstract

Homomorphic authenticators (HAs) enable a client to authenticate a large collection of data elements m1, …, mt and outsource them, along with the corresponding authenticators, to an untrusted server. At any later point, the server can generate a short authenticator σf, y vouching for the correctness of the output y of a function f computed on the outsourced data, i.e. y = f(m1, …, mt). The notion of HAs studied so far, however, only supports executions of computations over data authenticated by a single user. Motivated by realistic scenarios in which large datasets include data provided by multiple users, we study the concept of multi-key homomorphic authenticators. In a nutshell, multi-key HAs are like HAs with the extra feature of allowing the holder of public evaluation keys to compute on data authenticated under different secret keys. In this paper, we introduce and formally define multi-key HAs. Secondly, we propose a construction of a multi-key homomorphic signature based on standard lattices and supporting the evaluation of circuits of bounded polynomial depth. Thirdly, we provide a construction of multi-key homomorphic MACs based only on pseudorandom functions and supporting the evaluation of low-degree arithmetic circuits.