Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top

2018 | Book

On the Leakage of Corrupted Garbled Circuits Read chapter Read first chapter

Provable Security

12th International Conference, ProvSec 2018, Jeju, South Korea, October 25-28, 2018, Proceedings

Editors: Joonsang Baek, Willy Susilo, Jongkil Kim

Publisher: Springer International Publishing

Book Series : Lecture Notes in Computer Science

Part of: Springer Professional "Wirtschaft+Technik" , Springer Professional "Technik" , Springer Professional "Wirtschaft"

Login to get access
insite
SEARCH

About this book

This book constitutes the refereed proceedings of the 12th International Conference on Provable Security, ProvSec 2018, held in Jeju, South Korea, in October 2018. The 21 full and 4 short papers presented were carefully reviewed and selected from 48 submissions. The papers are grouped in topical sections on foundation. Public key encryption, digital signature, symmetric key cryptography, and applications.

Table of Contents

Frontmatter

Foundation

Frontmatter
On the Leakage of Corrupted Garbled Circuits
Abstract
Secure two-party computation provides a way for two parties to compute a function, that depends on the two parties’ inputs, while keeping them private. Known since the 1980s, Yao’s garbled circuits appear to be a general solution to this problem, in the semi-honest model. Decades of optimizations have made this tool a very practical solution. However, it is well known that a malicious adversary could modify a garbled circuit before submitting it. Many protocols, mostly based on cut-&-choose, have been proposed to secure Yao’s garbled circuits in the presence of malicious adversaries. Nevertheless, how much an adversary can modify a circuit and make it still executable has not been studied yet. The main contribution of this paper is to prove that any modification made by an adversary is equivalent to adding/removing NOT gates arbitrarily in the original circuit, otherwise the adversary can get caught. Thereafter, we study some evaluation functions for which, even without using cut-&-choose, no adversary can gain more information about the inputs by modifying the circuit. We also give an improvement over most recent cut-&-choose solutions by requiring that different circuits of the same function are used instead of just one.
Aurélien Dupin, David Pointcheval, Christophe Bidan
Location-Proof System Based on Secure Multi-party Computations
Abstract
Location-based services are quite popular. Their variety and their numerous users show it clearly. However, these applications rely on the persons’ honesty to use their real location. If they are motivated to lie about their position, they can do so. A location-proof system allows a prover to obtain proofs from nearby witnesses, for being at a given location at a given time. Such a proof can be used to convince a verifier later on. Many solutions have been designed in the last decade, but none protects perfectly the privacy of their participants. Indeed, provers and witnesses may want to keep their identity and location private. In this paper, a solution is presented in which a malicious adversary, acting as a prover, cannot cheat on his position. It relies on multi-party computations and group-signature schemes to protect the private information of both the prover and the witnesses against any semi-honest participant. Additionally, this paper gives a new secure multi-party maximum computation protocol requiring \(\mathcal {O}(n \log (n))\) computations and communications, which greatly improves the previously known solutions having \(\mathcal {O}(n^2)\) complexities. Although it is designed for our location-proof system, it can be applied to any scenario in which a small information leakage is acceptable.
Aurélien Dupin, Jean-Marc Robert, Christophe Bidan
Verifiable Homomorphic Secret Sharing
Abstract
In this paper, we explore the multi-server (i.e., multiple servers are employed to perform computations) and multi-client (i.e., multiple clients outsource joint computations on their joint inputs) scenario that avoids single points of failure and provides higher security and privacy guarantees. More precisely, we introduce the notion of verifiable homomorphic secret sharing (VHSS) for multi-input, that allows n clients to outsource joint computations on their joint inputs to m servers without requiring any communication between the clients or the servers; while providing the verifiable capability to any user to confirm that the final output (rather than each share) is correct. Our contributions are two-fold: (i) we provide a detailed example for casting Shamir’s secret sharing scheme over a finite field \(\mathbb {F}\) as an n-client, m-server, t-secure perfectly secure, additive HSS scheme for the function f that sums n field elements, and (ii) we propose an instantiation of an n-client, m-server, t-secure computationally secure, multiplicative VHSS scheme for the function f that multiplies n elements under the hardness assumption of the fixed inversion problem in bilinear maps.
Georgia Tsaloli, Bei Liang, Aikaterini Mitrokotsa
Single Private-Key Generator Security Implies Multiple Private-Key Generators Security
Abstract
This paper discusses the security of identity-based cryptography with multiple private-key generators (mPKG-IBC). Most mPKG-IBC schemes and protocols are statically secure where private-key generators (PKGs) cannot control a binding between a party and its PKG. We propose adaptive security notions for identity-based key encapsulation mechanism with multiple private-key generators, identity-based signature with multiple private-key generators, and identity-based authenticated key exchange with multiple private-key generators, respectively. In additions, we provide their generic constructions of those from identity-based key encapsulation mechanism, identity-based signature, and identity-based authenticated key exchange which are secure in a single PKG model, respectively.
Atsushi Fujioka, Kazuki Yoneyama
Secure Outsourcing of Cryptographic Circuits Manufacturing
Abstract
The fabrication process of integrated circuits (ICs) is complex and requires the use of off-shore foundries to lower the costs and to have access to leading-edge manufacturing facilities. Such an outsourcing trend leaves the possibility of inserting malicious circuitry (a.k.a. hardware Trojans) during the fabrication process, causing serious security concerns. Hardware Trojans are very hard and expensive to detect and can disrupt the entire circuit or covertly leak sensitive information via a subliminal channel.
In this paper, we propose a formal model for assessing the security of ICs whose fabrication has been outsourced to an untrusted off-shore manufacturer. Our model captures that the IC specification and design are trusted but the fabrication facility(ies) may be malicious. Our objective is to investigate security in an ideal sense and follows a simulation based approach that ensures that Trojans cannot release any sensitive information to the outside. It follows that the Trojans’ impact in the overall IC operation, in case they exist, will be negligible up to simulation.
We then establish that such level of security is in fact achievable for the case of a single and of multiple outsourcing facilities. We present two compilers for ICs for the single outsourcing facility case relying on verifiable computation (VC) schemes, and another two compilers for the multiple outsourcing facilities case, one relying on multi-server VC schemes, and the other relying on secure multiparty computation (MPC) protocols with certain suitable properties that are attainable by existing schemes.
Giuseppe Ateniese, Aggelos Kiayias, Bernardo Magri, Yiannis Tselekounis, Daniele Venturi
On the Hardness of Learning Parity with Noise over Rings
Abstract
Learning Parity with Noise (LPN) represents a notoriously hard problem in learning theory and it is also closely related to the “decoding random linear codes” problem in coding theory. Recently LPN has found many cryptographic applications such as authentication protocols, pseudorandom generators/functions and even advanced tasks including public-key encryption (PKE) schemes and oblivious transfer (OT) protocols. Crypto-systems based on LPN are computationally efficient and parallelizable in concept, thanks to the simple algebraic structure of LPN, but they (especially the public-key ones) are typically inefficient in terms of public-key/ciphertext sizes and/or communication complexity. To mitigate the issue, Heyse et al. (FSE 2012) introduced the ring variant of LPN (Ring-LPN) that enjoys a compact structure and gives rise to significantly more efficient cryptographic schemes. However, unlike its large-modulus analogue Ring-LWE (to which a reduction from ideal lattice problems can be established), no formal asymptotic studies are known for the security of Ring-LPN or its connections to other hardness assumptions.
Informally, we show that for \(\mu =1/n^{0.5-\epsilon }\) and \(\delta =\mu \mu 'n=o(1)\): assume that the decisional LPN problem of noise rate \(\mu \) is hard even when its matrix is generated by a random Ring-LPN instance of noise rate \(\mu '\) (whose matrix is also kept secret in addition to secret and noise), then either Ring-LPN of noise rate \(\delta \) is hard or public-key cryptography is implied. We remark that the heuristic-based approach to public randomness generation (as used in the assumption) is widely adopted in practice, and the latter statement is less likely because noise rate \(\mu =1/n^{0.5-\epsilon }\) is believed to reside in the minicrypt-only regime for LPN. Therefore, our results constitute non-trivial evidence that Ring-LPN might be as hard as LPN.
Shuoyao Zhao, Yu Yu, Jiang Zhang

Public Key Encryption

Frontmatter
A CCA-Secure Collusion-Resistant Identity-Based Proxy Re-Encryption Scheme
Abstract
Cloud storage enables its users to store confidential information as encrypted files in the cloud. A cloud user (say Alice) can share her encrypted files with another user (say Bob) by availing proxy re-encryption services of the cloud. Proxy Re-Encryption (PRE) is a cryptographic primitive that allows transformation of ciphertexts from Alice to Bob via a semi-trusted proxy, who should not learn anything about the shared message. Typically, the re-encryption rights are enabled only for a bounded, fixed time and malicious parties may want to decrypt or learn messages encrypted for Alice, even beyond that time. The basic security notion of PRE assumes the proxy (cloud) is semi-trusted, which is seemingly insufficient in practical applications. The proxy may want to collude with Bob to obtain the private keys of Alice for later use. Such an attack is called collusion attack, allowing colluders to illegally access all encrypted information of Alice in the cloud. Hence, achieving collusion resistance is indispensable to real-world scenarios. Realizing collusion-resistant PRE has been an interesting problem in the ID-based setting. To this end, several attempts have been made to construct a collusion-resistant IB-PRE scheme and we discuss their properties and weaknesses in this paper. We also present a new collusion-resistant IB-PRE scheme that meets the adaptive CCA security under the decisional bilinear Diffie-Hellman hardness assumption in the random oracle model.
Arinjita Paul, Varshika Srinivasavaradhan, S. Sharmila Deva Selvi, C. Pandu Rangan
Multivariate Encryption Schemes Based on the Constrained MQ Problem
Abstract
The MQ problem is mathematical in nature and is related to the security of Multivariate Public Key Cryptography (MPKC). In this paper, we introduce the constrained MQ problem, which is a new mathematical problem derived from the MQ problem. We also propose an encryption scheme construction method in MPKC, the pq-method, whose security is mainly based on the difficulty of solving the constrained MQ problem. We analyze the difficulty level of solving the constrained MQ problem, including different approach from the usual for solving the MQ problem. Furthermore, based on the analysis of the constrained MQ problem, we present secure parameters for the pq-method, and implement the practical schemes.
Takanori Yasuda
Token-Based Multi-input Functional Encryption
Abstract
In this paper, we put forward the notion of a token-based multi-input functional encryption (token-based MIFE) scheme – a notion intended to give encryptors a mechanism to control the decryption of encrypted messages, by extending the encryption and decryption algorithms to additionally use tokens. The basic idea is that a decryptor must hold an appropriate decryption token in addition to his secrete key, to be able to decrypt. This type of scheme can address security concerns potentially arising in applications of functional encryption aimed at addressing the problem of privacy preserving data analysis. We firstly formalize token-based MIFE, and then provide two basic schemes based on an ordinary MIFE scheme and a public key encryption scheme and a pseudorandom function (PRF), respectively. Lastly, we extend the latter construction to allow decryption tokens to be restricted to specified set of encryptions, even if all encryptions have been done using the same encryption token. This is achieved by using a constrained PRF.
Nuttapong Attrapadung, Goichiro Hanaoka, Takato Hirano, Yutaka Kawai, Yoshihiro Koseki, Jacob C. N. Schuldt
On the CCA2 Security of McEliece in the Standard Model
Abstract
In this paper we study public-key encryption schemes based on error-correcting codes that are IND-CCA2 secure in the standard model. In particular, we analyze a protocol due to Dowsley, Müller-Quade and Nascimento, based on a work of Rosen and Segev. The original formulation of the protocol contained some ambiguities and incongruences, which we point out and correct; moreover, the protocol deviates substantially from the work it is based on. We then present a construction which resembles more closely the original Rosen-Segev framework, and show how this can be instantiated with the McEliece scheme.
Edoardo Persichetti
Efficient Attribute-Based Encryption with Blackbox Traceability
Abstract
Traitor tracing scheme can be used to identify a decryption key is illegally used in public-key encryption. In CCS’13, Liu et al. proposed an attribute-based traitor tracing (ABTT) scheme with blackbox traceability which can trace decryption keys embedded in a decryption blackbox/device rather than tracing a well-formed decryption key. However, the existing ABTT schemes with blackbox traceability are based on composite order group and the size of the decryption key depends on the policies and the number of system users. In this paper, we revisit blackbox ABTT and introduce a new primitive called attribute-based set encryption (ABSE) based on key-policy ABE (KP-ABE) and identity-based set encryption (IBSE), which allows aggregation of multiple related policies and reduce the decryption key size in ABTT to be irrelevant to the number of system users. We present a generic construction of the ABTT scheme from our proposed ABSE scheme and fingerprint code based on the Boneh-Naor paradigm in CCS’08. We then give a concrete construction of the ABSE scheme which can be proven secure in the random oracle model under the decisional BDH assumption and a variant of q-BDHE assumption.
Shengmin Xu, Guomin Yang, Yi Mu, Ximeng Liu

Digital Signature

Frontmatter
A Code-Based Linkable Ring Signature Scheme
Abstract
Linkable ring signature schemes are cryptographic primitives which have important applications in e-voting and e-cash. They are ring signature schemes with the extra property that, if the same user signs two messages, a verifier knows they were signed by the same user. In this work, we present a new linkable ring signature scheme. The security of our proposal is based on the hardness of the syndrome decoding problem. To construct it, we use a variant of Stern’s protocol and apply the Fiat-Shamir transform to it. We prove that the scheme has the usual properties for a linkable ring signature scheme: unforgeability, signer anonymity, non-slanderability and linkability.
Pedro Branco, Paulo Mateus
Towards Static Assumption Based Cryptosystem in Pairing Setting: Further Applications of DéjàQ and Dual-Form Signature (Extended Abstract)
Abstract
A large number of parameterized complexity assumptions have been introduced in the bilinear pairing setting to design novel cryptosystems and an important question is whether such “q-type” assumptions can be replaced by some static one. Recently Ghadafi and Groth captured several such parameterized assumptions in the pairing setting in a family called bilinear target assumption (BTA). We apply the DéjàQ techniques for all q-type assumptions in the BTA family. In this process, first we formalize the notion of extended adaptive parameter-hiding property and use it in the Chase-Meiklejohn’s DéjàQ framework to reduce those q-type assumptions from subgroup hiding assumption in the asymmetric composite-order pairing. In addition, we extend the BTA family further into BTA1 and BTA2 and study the relation between different BTA variants. We also discuss the inapplicability of DéjàQ techniques on the q-type assumptions that belong to BTA1 or BTA2 family. We then provide one further application of Gerbush et al.’s dual-form signature techniques to remove the dependence on a q-type assumption for which existing DéjàQ techniques are not applicable. This results in a variant of Abe et al.’s structure-preserving signature with security based on a static assumption in composite order setting.
Sanjit Chatterjee, R. Kabaleeshwaran
Digital Signatures from the Middle-Product LWE
Abstract
We construct digital signatures secure in the quantum random oracle model (QROM) under the middle-product learning with errors problem, which is recently proposed by Roşca et al. (CRYPTO 2017) and shown by Roşca et al. (EUROCRYPT 2018) that it can be reduced from the worst-case hardness of ideal lattice problems for a large class of polynomial rings. The previous signatures secure under the lattice problems not specified in a certain ring is based on the short integer solution (SIS) problems for bounded-degree polynomials (Lyubashevsky, ASIACRYPT 2016). The standard path to construct efficient signatures secure in the QROM (Kiltz et al., EUROCRYPT 2018) requires hardness of a decision problem, but the SIS problems for polynomial rings are not known to have search-to-decision reductions. Our signatures are the first efficient signatures secure in the QROM under the worst-case hardness of ideal lattice problems for many rings.
Ryo Hiromasa
Generic Double-Authentication Preventing Signatures and a Post-quantum Instantiation
Abstract
Double-authentication preventing signatures (DAPS) are a variant of digital signatures which have received considerable attention recently (Derler et al. EuroS&P 2018, Poettering Africacrypt 2018). They are unforgeable signatures in the usual sense and sign messages that are composed of an address and a payload. Their distinguishing feature is the property that signatures on two different payloads with respect to the same address allow to publicly extract the secret signing key. Thus, they are a means to disincentivize double-signing and are a useful tool in various applications.
DAPS are known in the factoring, the discrete logarithm and the lattice setting. The majority of the constructions are ad-hoc. Only recently, Derler et al. (EuroS&P 2018) presented the first generic construction that allows to extend any discrete logarithm based secure signature scheme to DAPS. However, their scheme has the drawback that the number of potential addresses (the address space) used for signing is polynomially bounded (and in fact small) as the size of secret and public keys of the resulting DAPS are linear in the address space. In this paper we overcome this limitation and present a generic construction of DAPS with constant size keys and signatures. Our techniques are not tailored to a specific algebraic setting and in particular allow us to construct the first DAPS without structured hardness assumptions, i.e., from symmetric key primitives, yielding a candidate for post-quantum secure DAPS.
David Derler, Sebastian Ramacher, Daniel Slamanig
A Simpler Construction of Identity-Based Ring Signatures from Lattices
Abstract
Ring signature is an attractive cryptographic primitive that has been widely used in many fields because of its anonymity. Traditional ring signatures rely on the public key infrastructure and require lots of digital certificates. To eliminate the digital certificates, Zhang and Kim (Asiacrypt’02) introduced the concept of identity-based ring signatures. So far, however there is few identity-based ring signatures built on lattice-related assumptions and they are not efficient enough for applications. In this paper we present a new identity-based ring signature scheme from lattices. Compared with the existing counterparts, our scheme has the advantages of higher computational efficiency and lower storage overhead. We prove the security of our construction in the random oracle model under the short integer solution assumption.
Gongming Zhao, Miaomiao Tian

Symmetric Key Cryptography

Frontmatter
Generic Construction of Sequential Aggregate MACs from Any MACs
Abstract
The aggregate message authentication code (aggregate MAC) is a cryptographic primitive which can compress MAC tags on multiple messages into a short aggregate MAC tag. Furthermore, the sequential aggregate MAC can check not only the validity of multiple messages but also the (sequential) order of messages. In this paper, we introduce a new model of sequential aggregate MACs where an aggregation algorithm generates a sequential aggregate tag depending only on any multiple and independent MAC tags with no secret-key, and we formally define security in this model. We also propose a generic construction of sequential aggregate MACs starting from various MACs without changing the structure of the MACs. This property is useful to make the existing networks more efficient by combining the aggregation algorithm with various MAC schemes already existing in the networks.
Shingo Sato, Shoichi Hirose, Junji Shikata
Length-Preserving Encryption Based on Single-Key Tweakable Block Cipher
Abstract
We present a Single-key Length Doubler built on an n-bit Tweakable block cipher (SLDT), which is a length-preserving cipher on the strings with bit length in integer interval \(\left[ n, n+1, \ldots , 2n-1\right] \). SLDT is mainly motivated to reduce the key material size of a length doubler proposed by Chen et al. at FSE2018, since the key management is always challenging in practice. We prove that SLDT is a strong pseudo-random permutation (SPRP) if the underlying tweakable block cipher is SPRP.
Xiangyang Zhang, Yaobin Shen, Hailun Yan, Ying Zou, Ming Wan, Zheyi Wu, Lei Wang

Applications

Frontmatter
Modeling Privacy in WiFi Fingerprinting Indoor Localization
Abstract
In this paper, we study privacy models for privacy-preserving Wifi fingerprint based indoor localization (PPIL) schemes. We show that many existing models are insufficient and make unrealistic assumptions regarding adversaries’ power. To cover the state-of-the-art practical attacks, we propose the first formal security model which formulates the security goals of both client-side and server-side privacy beyond the curious-but-honest setting. In particular, our model considers various malicious behaviors such as exposing secrets of principles, choosing malicious Wifi fingerprints in location queries, and specifying the location area of a target client. Furthermore, we formulate the client-side privacy in an indistinguishability manner where an adversary is required to distinguish a client’s real location from a random one. The server-side privacy requires that adversaries cannot generate a fabricate database which provides a similar function to the real database of the server. In particular, we formally define the similarity between databases with a ball approach that has not been formalized before. We show the validity and applicability of our model by applying it to analyze the security of an existing PPIL protocol.
Zheng Yang, Kimmo Järvinen
Security Notions for Cloud Storage and Deduplication
Abstract
Cloud storage is in widespread use by individuals and enterprises but introduces a wide array of attack vectors. A basic step for users is to encrypt their data, yet it is not obvious what security properties are required for such encryption. Furthermore, cloud storage providers often use techniques such as data deduplication for improving efficiency which restricts the application of semantically-secure encryption. Generic security goals and attack models have thus far proved elusive: primitives are considered in isolation and protocols are often proved secure under ad hoc models for restricted classes of adversaries.
We formally model natural security notions for cloud storage and deduplication using a generic syntax for storage systems. We define security notions for confidentiality and integrity in encrypted cloud storage and determine relations between these notions. We show how to build cloud storage systems that satisfy our defined security notions using standard cryptographic components.
Colin Boyd, Gareth T. Davies, Kristian Gjøsteen, Håvard Raddum, Mohsen Toorani
Forward Secrecy of SPAKE2
Abstract
Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question.
In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.
José Becerra, Dimiter Ostrev, Marjan Škrobot

Short Papers

Frontmatter
User-Mediated Authentication Protocols and Unforgeability in Key Collision
Abstract
This research provides a computational analysis of the ISO 9798-6 standard’s Mechanism 7a authentication protocol. In contrast to typical authentication protocols, ISO 9798-6 mechanism 7a requires user interaction and aims to authenticate data possession instead of identities. Consequently, we introduce a 3-party possession user mediated authentication (3-PUMA) model. Furthermore, we demonstrate the necessary security guarantees of the MAC primitive – which include non-standard assumptions – and introduce existential unforgeability under key collision attacks (EUF-KCA). The resulting analysis demonstrates a notable lack in the standard’s requirements and has implications for other PUMA protocols.
Britta Hale
BAdASS: Preserving Privacy in Behavioural Advertising with Applied Secret Sharing
Abstract
Online advertising forms the primary source of income for many publishers offering free web content by serving advertisements tailored to users’ interests. The privacy of users, however, is threatened by the widespread collection of data that is required for behavioural advertising. In this paper, we present BAdASS, a novel privacy-preserving protocol for Online Behavioural Advertising that achieves significant performance improvements over the state-of-the-art without disclosing any information about user interests to any party. BAdASS ensures user privacy by combining efficient secret-sharing techniques with a machine learning method commonly encountered in existing systems. Our protocol serves advertisements within a fraction of a second, based on highly detailed user profiles and widely used machine learning methods.
Leon J. Helsloot, Gamze Tillem, Zekeriya Erkin
Signcryption with Quantum Random Oracles
Abstract
Signcryption is a cryptographic scheme that achieves the functionalities of both public-key encryption and digital signatures. It is an important scheme for realizing a mechanism of sending and/or receiving messages in a secure way, since it is understood that signcryption is a public-key based protocol to realize a secure channel from an insecure channel. On the other hand, various post-quantum cryptographic schemes have been proposed so far. Recently, several cryptographic schemes have been proposed in the quantum random oracle model where an adversary can submit quantum queries to a random oracle. In this paper, we propose a generic construction of signcryption in the quantum random oracle model for the first time. Our construction achieves both of the strongest confidentiality and strongest integrity in the multi-user setting tightly.
Shingo Sato, Junji Shikata
Formal Treatment of Verifiable Privacy-Preserving Data-Aggregation Protocols
Abstract
Homomorphic encryption allows computation over encrypted data and can be used for delegating computation: data providers encrypt their data and send them to an aggregator, and then the aggregator performs computation for a receiver with the data kept secret. However, since the aggregator is merely the third party, it may be malicious, and particularly may submit a result of incorrect aggregation to the receiver. Ohara et al. (APKC2014) studied secure aggregation of time-series data while enabling the correctness of aggregation to be verified. However, they only provided a concrete construction in the smart metering system and only gave an intuitive argument of security. In this paper, we give general syntax of their scheme as verifiable homomorphic encryption (VHE) and introduce formal security definitions. Further, we formally prove that Ohara et al.’s VHE scheme satisfies our proposed security definitions.
Satoshi Yasuda, Yoshihiro Koseki, Yusuke Sakai, Fuyuki Kitagawa, Yutaka Kawai, Goichiro Hanaoka
Backmatter
Metadata
Title
Provable Security
Editors
Joonsang Baek
Willy Susilo
Jongkil Kim
Copyright Year
2018
Electronic ISBN
978-3-030-01446-9
Print ISBN
978-3-030-01445-2
DOI
https://doi.org/10.1007/978-3-030-01446-9

Premium Partner

    Image Credits