Computing on authenticated data: New privacy definitions and constructions

Abstract

Homomorphic signatures are primitives that allow for public computations on authenticated data. At TCC 2012, Ahn et al. defined a framework and security notions for such systems. For a predicate P, their notion of P-homomorphic signature makes it possible, given signatures on a message set M, to publicly derive a signature on any message m′ such that P(M,m′) = 1. Beyond unforgeability, Ahn et al. considered a strong notion of privacy - called strong context hiding - requiring that derived signatures be perfectly indistinguishable from signatures newly generated by the signer. In this paper, we first note that the definition of strong context hiding may not imply unlinkability properties that can be expected from homomorphic signatures in certain situations. We then suggest other definitions of privacy and discuss the relations among them. Our strongest definition, called complete context hiding security, is shown to imply previous ones. In the case of linearly homomorphic signatures, we only attain a slightly weaker level of privacy which is nevertheless stronger than in previous realizations in the standard model. For subset predicates, we prove that our strongest notion of privacy is satisfiable and describe a completely context hiding system with constant-size public keys. In the standard model, this construction is the first one that allows signing messages of arbitrary length. The scheme builds on techniques that are very different from those of Ahn et al. © International Association for Cryptologic Research 2012.