Distributed Functional Signature with Function Privacy and Its Application

Liu, Muhua; Wang, Lin; Wu, Qingtao; Song, Jianqiang

doi:https://doi.org/10.1155/2021/6699974

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Multimodality Data Analysis in Information Security

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 6699974 | https://doi.org/10.1155/2021/6699974

Distributed Functional Signature with Function Privacy and Its Application

Muhua Liu,¹Lin Wang,¹Qingtao Wu,¹and Jianqiang Song¹

Academic Editor: Liguo Zhang

Received27 Dec 2020

Revised23 Feb 2021

Accepted27 Feb 2021

Published12 Mar 2021

Abstract

We introduce a novel notion of distributed functional signature. In such a signature scheme, the signing key for function will be split into shares and distributed to different parties. Given a message and a share , one can compute locally and obtain a pair signature . When given all of the signature pairs, everyone can recover the actual value and corresponding signature . When the number signature pairs are not enough, nobody can recover the signature . We formalize the notion of function privacy in this new model which is not possible for the standard functional signature and give a construction from standard functional signature and function secret sharing based on one-way function and learning with error assumption. We then consider the problem of hosting services in multiple untrusted clouds, in which the verifiability and program privacy are considered. The verifiability requires that the returned results from the cloud can be checked. The program privacy requires that the evaluation procedure does not reveal the program for the untrusted cloud. We give a verifiable distributed secure cloud service scheme from distributed functional signature and prove the securities which include untrusted cloud security (program privacy and verifiability) and untrusted client security.

1. Introduction

Digital signature schemes were introduced by Diffie and Hellman [1]. In a digital signature scheme, it has a secret signing key and a corresponding verification key. Only the person who has the secret key can sign a message, and any person can verify the signature with the verifiable key. Goldwasser et al. [2] gave a standard secure definition. A signature scheme is unforgeable against chosen message attack if an adversary produces a valid signature of any message with at most negligible probability in probabilistic polynomial time. The adversary is allowed to query signatures for a polynomial number of messages of his choice. Subsequently, it appeared to have many other forms of signatures, such as blind signature [3], group signature [4], ring signature [5], identity-based signature [6], homomorphic signature [7, 8], and so on.

Functional signatures (FSs) were proposed by Boyle et al. [9]. In a functional signature scheme, in addition to a master key which can sign any messages belonging to the message space, it also has a signing key for any function , which are derived from the master key. Using the signing key , one can sign any message in the range of . The security requires that the probability of producing a valid signature on message does not exceed a negligible function for any probability polynomial adversary which can query the signing key for functions of his choice and signatures of messages of his choice. A valid signature on means that does not equal to one of the queried messages or does not belong to range of one of the queried functions . For a functional signature scheme, a desirable property is function privacy which requires a signature should not reveal the function. A typical application is the signed photo-processing software [9]; the owner of photos want to remove red eyes or color scale, but does not allow more significant changes. At the same, the owner wishes the signed photos do not reveal the original image.

Boyle et al. [9] firstly gave a construction based on the existence of one-way functions, which does not satisfy the property of function privacy. Then, they transformed it into a construction that satisfied the function privacy by the noninteractive zero-knowledge arguments of knowledge for NP languages which is based on nonfalsifiable assumptions. In their secure definition of function privacy, it requires that the distribution of signatures on a message generated via different keys to be computationally indistinguishable. While this model restricted the application of the scheme, it is not clear how could this weakened notion be applied in the general setting. For example, a software company develops software and delegates the computation ability to a server. The company wishes it does not reveal the core function during the computational procedure and the returned results can be verified. In a functional signature scheme, standard function privacy cannot possibly satisfy this scenario. Since the attacker who has a signing key can generate the signature for the message on the fly, the attacker can obtain the evaluations of for the messages of its choices. It will reveal some functions of the software by the evaluation pairs .

Therefore, we try to find a realistic model that allows us to approach function privacy for functional signature based on some standard assumption, such as the existing one-way function and learning with error assumption.

1.1. Our Contributions

In this paper, we introduce the definition of distributed functional signature scheme. In such a model, the signing key for a function will be split into shares and distributed to different parties. Given a secret signing key , anyone can compute locally and obtain a pair signature . When given signatures on the message , everyone can reconstruct the function evaluation and the corresponding signature . While given less than signatures satisfying , anyone cannot reconstruct the evaluation and the corresponding signature . In our secure definition of function privacy, we require the attacker to not distinguish the distribution of signing key generated via different function , where . The attacker is allowed to query key generation oracle and evaluation oracle. This new definition of distributed functional signature generalizes the notion of threshold signature to the setting of functional signature, enables the participants to recover an evaluation of the function on input , and verifies the result by the corresponding signature together.

In our new model, it provides a possibility of function privacy in the setting of functional signature. Specifically, when given less than signing key for function , the adversary can only know corresponding to the share function which is not enough to determine . We give a construction for distributed functional signature by transforming any functional signature which does not support function privacy into a distributed version which satisfies both unforgeability and function privacy via function secret sharing [10]. Our scheme can be constructed based on the one-way function and learning with error assumption.

We remark here that our notion of function privacy is different from the standard function privacy [9]. The latter mainly considers that single signature does not reveal the function, while we consider that the signature process does not reveal the function by splitting each function into secret key shares. In our scheme, the attacker only gets at most secret key shares and thus obtains at most signatures satisfying . Anyone cannot reconstruct the value . Therefore, it satisfies the function privacy.

Hosting services securely in multiple untrusted clouds. In recent years, cloud computing has become a very hot research area in cryptography. Boneh et al. [11] first studied hosting service in the cloud. They considered the security which includes protecting program information and client’s inputs against untrusted cloud and protecting program information and authorization procedure against untrusted clients. It has wide applications to protect program information against untrusted client and cloud, such as software protected. Fan and Tang [12] gave a construction from distributed functional encryption. However, it requires that the cloud is semihonest. Sometimes, the cloud may run a fast but incorrect computation due to a financial incentive. Therefore, we also consider another property of verifiability which requires that the returned results from the cloud can be checked in the untrusted cloud model.

In addition, the construction of Fan and Tang [12] is based on the generic functional encryption. As far as we know, most works have approached the problem of constructing generic functional encryption by proposing a candidate under the existing of indistinguishability obfuscation [13]. Meanwhile, the construction of Boneh et al. [11] is also based on the existing indistinguishability obfuscation. However, indistinguishability obfuscation is not a particularly appealing assumption since the security of constructions relies on an exponential number of assumptions [14]. Recently, numerous attacks on multilinear maps [15] have reduced the community’s confidence in the security of existing construction of indistinguishability obfuscation. In this work, we provide a construction of secure cloud service scheme based on some more general assumptions, such as the existing one-way function and learning with error assumption.

A secure cloud service scheme satisfying the verifiability can be constructed by a distributed functional signature scheme and a standard signature scheme. The standard signature scheme is used to authenticate the client. In order to achieve the verifiability, the service first generates some signing key for the program . When the client receives the returned results from clouds, it can get the evaluation by the reconstruction algorithm of distributed signature scheme. To prove that , the client verifies the signature of , where the signature could only be obtained if is in the range of .

1.2. Related Works

The concept of identity-based signature was proposed by Shamir in [16]. Bellare and Fuchsbauer [17] introduced policy-based signatures, where a signer can only sign messages satisfying some authority-specified policy. Backes et al. [18] introduced delegatable functional signatures which support the delegation of signing capabilities to another party with respect to a functionality. This new notion unifies several signature primitives, such as policy-based signature, functional signature, identity-based signature, and blind signature.

Homomorphic signature was first proposed by Johnson et al. [19], which was initially designed to establish authentication in network coding. In addition, it can also be used to authenticate the stored data. In a homomorphic signature scheme, a holder which has the signature pairs and can construct a new signature on the value for some function without the signing key. Freeman [20] gave a linearly homomorphic signature scheme which allows authentication of linear functions on signed data. Catalano et al. [21] constructed a homomorphic signature scheme for polynomial functions.

The concept of functional encryption comes from the work of Sahai and Waters [22]. The definition of simulation-based security was firstly proposed by Boneh et al. [23]. Garg et al. [13] firstly proposed a construction for functional encryption which supported all polynomial size circuits. Goldwasser et al. [24] constructed a succinct functional encryption scheme based on reusable garbled circuits and identity-based encryption for any polynomial-time function. Subsequently, Goldwasser et al. [25] introduced the notion of multi-input functional encryption, which supported the multi-input functions, and gave a construction based on indistinguishability obfuscation. In a multi-input functional encryption, the decryption key for a function takes multiple ciphertexts as input and outputs a function evaluation. Besides, there are many other functional encryptions for inner-product functions [26–28].

Boneh et al. [11] gave a construction of hosting service in the cloud. Their construction relied on indistinguishability obfuscation and restricted the number of colluded clients for the security. Fan and Tang [12] presented a new definition of distributed public key functional encryption. In their scheme, the decryption key for a function is split into several sharing key . Given a ciphertext that encrypts a message and a sharing key , it can evaluate a shared value which reveals nothing about the plaintext and the value of . One can recover the value of by adding all the shared values . With this approach, it can achieve function privacy which is not possible in the setting of regular public key functional encryption. Then, they considered the problem of hosting services in the untrusted cloud. Applying the function private distributed public key functional encryption to the setting of hosting service in multiple clouds, it can remove the restriction that the number of corrupted clients has to be bounded and known in the previous works.

Boyle et al. [9] firstly proposed functional signatures, which allowed an authority to generate signing keys corresponding to various functions such that a user with a signing key can sign the image of function on a message . Okamoto and Takashima [29] firstly introduced the concept of a decentralised multiauthority functional signatures, which supports nonmonotone access structures combined with inner-product relations. Liang and Mitrokotsa [30] generalised the definition of decentralised multiauthority functional signature for more general policy functions. Datta et al. [31] introduced the concept of functional signcryption, which provided the functionalities of both functional encryption and functional signature. Pan et al. [32] introduced the notion of hierarchical functional signcryption which expanded the scope of functional signcryption in hierarchical access-control application. Li et al. [33] introduced the notion of private functional signatures, in which the signing key can be used to generate a signature on the ciphertext , where is a ciphertext for message .

Blockchains originate from Bitcoin and are essentially a decentralised database that uses peer-to-peer network. It is a new application mode of computer technology such as distributed data storage, point-to-point transmission, and consensus mechanism. This makes blockchains potentially suitable for recording events, medical records, and other management activities. Although it can realize the function of software protection, it does not possess computing capabilities. In this work, our goal is to achieve software protection while ensuring software availability.

Notation. In what follows, we will denote with a security parameter. We say is negligible if holds for all polynomials and all sufficiently large . Denote as the set . We abbreviate probabilistic polynomial time as PPT. Denote as the number of elements in the set .

2. Preliminaries

In this section, we present definition for various cryptographic primitives that we will use in our construction of distributed functional signature. We assume familiarity with standard signature satisfying unforgeability against adaptively chosen message attack. Below, we first recall the notions of function secret sharing and functional signature.

2.1. Function Secret Sharing

We give the formal definition following the syntax of [10]. An function secret sharing scheme for a function family is a tuple of algorithms (, ) described as follows:(i): on inputting the security parameter , the number of sharers , and the description of function family , this algorithm outputs the public parameters .(ii): on inputting the parameters and a function , this algorithm outputs shares for function .(iii): on inputting values which evaluated each function share on , this algorithm reconstructs all the share values and outputs .

Definition 1. Correctness: an function secret sharing scheme for the function family is correct, if for any function , and , we have

Definition 2. Security: we say an function secret sharing scheme is secure if for any PPT adversary , the advantage in the following game is negligible:(i)The challenger generates and sends to the adversary .(ii)The adversary outputs , where , , and .(iii)The challenger randomly chooses a bit , computes , and sends to the adversary .(iv) outputs a guess . The advantage of is defined as .

2.2. Functional Signatures

We describe the definition of a functional signature scheme, which is proposed by Boyle et al. in [9]. A functional signature scheme for a message space and a function family consists of four algorithms (, ):(i): on inputting the security parameter, the setup algorithm outputs the master verification key and the master signing key .(ii): on inputting the master signing key and a function , the key generation algorithm outputs a constrained signing key , which just signs the message for any .(iii): on inputting the function , constrained signing key , and a message , the signing algorithm outputs a pair signature .(iv): on inputting the verification algorithm , a message , and a signature , the verifiable algorithm outputs “” or “,” where 1 indicates that the signature is valid.

Definition 3. Correctness: for any and , , , , it holds that

Definition 4. Unforgeability: the scheme is unforgeable if the successful probability of any PPT algorithm in the following game is negligible:(i)The challenger runs and sends to the adversary .(ii)The adversary can query a key generation oracle and a signing oracle. The challenger initializes a dictionary indexed by tuples , which contains the signing keys: .(iii)Key generation oracle: on inputting , the challenger runs as follows:(1)If there is an entry for in the dictionary, then output the corresponding key .(2)Otherwise, sample a fresh key , update the dictionary , and output .(iv)Signing oracle: on inputting , the challenger runs as follows:(1)If there is an entry for the key in the dictionary, then output the signature .(2)Otherwise, sample a fresh key , update the dictionary , and output the signature .(v)The adversary succeeds if it outputs a signature such that(1).(2)There does not exist such that for any which was sent as a query to the key generation oracle.(3)There does not exist a such that was queried to the signing oracle and .

Lemma 1. (see [9]). A functional signature scheme can be constructed based on any one-way function that supports signing keys for any function which is computed by a polynomial-sized circuit. This scheme satisfies the property of unforgeability, but not function privacy.

2.3. General Aggregate Signatures

A general aggregate signature scheme [34] consists of four algorithms (, , , ). The key generation algorithm and signing algorithm are the same as a standard digital signature. In the aggregate algorithm, it produce a new signature by . Given a sequence of public key, message, and signature triples, anyone can yield an aggregate signature . Through , anyone can verify the correctness of generation aggregate signature.

In addition to satisfying unforgeability under chosen message attack of the standard signature, it needs to satisfy aggregate unforgeability. The security requires that it is computationally infeasible to produce an aggregate forgery for a PPT adversary which can corrupt at most players. The detailed description of security is given as follows.

Definition 5. Aggregate security: a general aggregate signature scheme is aggregate unforgeable, if it holds thatwhere the probability is over the experiment , .

Lemma 2. (see [34]). A general aggregate signature scheme can be constructed based on the difficulty of coCDH problem.

3. Distributed Functional Signature with Function Privacy

In this section, we give a detailed study of distributed functional signature (), -out-of- threshold functional signature. In an scheme, during the key generation algorithm, the secret key corresponding to the function is split into secret key shares . Then, we can obtain a pair shared signature by running partial signature algorithm on the secret key share corresponding to the shared function and a message . There is also a reconstruction algorithm that outputs a pair signature on shared signatures .

3.1. Syntax and Security Definition

We present a formal definition of a distributed functional signature, specifying the properties of unforgeability and function privacy. A distributed functional signature scheme for a message space and function family consists of algorithms .(i): on inputting the secure parameter and threshold parameter , the setup algorithm outputs the master verifiable key and the secret key .(ii): on inputting the master secret key and a function , the key generation algorithm outputs secret key shares for the function .(iii): on inputting the signing key for a function and an input , the signature algorithm outputs a value and a signature .(iv): on inputting the master verifiable key and signing pairs for the same function , the reconstruction algorithm outputs a signing pair .(v): on inputting the master verifiable key , a message , and a signature , the verifiable algorithm outputs “” or “,” where 1 implies that the signature is valid.

Definition 6. Correctness: an scheme is correct if for any , any , and any , , it holds thatwhere , , and the probability is taken over the coins in algorithms and .

Definition 7. Unforgeability: the scheme is unforgeable if the successful probability of any PPT adversary in the following game is negligible:(i)The challenger generates and sends to .(ii)The adversary is allowed to query a key generation oracle and a signing oracle. The challenger initializes a dictionary indexed by tuples , which contains signing keys .(iii)Key generation oracle: on inputting , the challenger runs as follows:(1)If there exists an entry for the key in the dictionary, then output the corresponding value .(2)Else, run the key generation algorithm , add an entry to the dictionary, and output .(iv)Signing oracle: on inputting , the challenger runs as follows:(1)If there exists an entry for the key in the dictionary, then run and and output .(2)Else, run the key generation algorithm , add an entry to the dictionary, and generate a signature on by the following steps: , .(v)The adversary succeeds if it can produce such that(1).(2)There does not exist such that and for any which was contained in the dictionary.(3)There does not exist a pair such that was queried to the signing oracle and .

Definition 8. Ind-based function privacy: intuitively, we require that the successful advantage of any PPT adversary in the following game is negligible:(i)Setup: the challenger generates a key pair and sends the verifiable key to the adversary .(ii)Key query: proceeding adaptively, the adversary submits to the challenger. The challenger computes and sends to the adversary .(iii)Challenge phase: sends the challenge function pair which is not queried in the key query phase. The challenger computes and sends to the adversary , where and is chosen randomly from such that .(iv)Proceeding adaptively, the adversary can query the key generation oracle and evaluation oracle.(1)Key query: sends a function with a restriction that and . The challenger answers the same as previous key query.(2)Evaluation query: sends an input with a restriction that . For , challenger returns .(v)Guess: finally, the adversary outputs a bit . The successful advantage of is defined as .

4. The Construction of DFS

We are now ready to describe a construction of distributed functional signature scheme. Informally, our scheme works as follows. In the setup algorithm, the master verifiable key contains a public parameter of function secret sharing scheme and a verifiable key of functional signature. It sets the master signing key of functional signature scheme to the master secret key. The key generation algorithm consists of sharing function algorithm and key generation algorithm of functional signature, which generates constrained signature keys corresponding to the shadow function . In the signing algorithm, it computes signing pairs on inputting a message . When enough signatures had been collected, anyone can reconstruct the function value and verify its correctness by the verifiable algorithm. We give a detailed description below. Let be a function secret sharing scheme for function ensemble and be a functional signature scheme. The construction of is given as follows.(i):(1)Run the setup algorithm of and generate a key pair .(2)Run the setup algorithm of and generate a public parameter .(3)Set the master verifiable key to be and the master secret key to be .(ii):(1)Run the function sharing algorithm of and get sharing functions .(2)Run the key generation algorithm of and generate constrained signature keys for .(3)Output the signature pairs .(iii): given the th secret key , it computes and outputs .(iv): it computes and .(v):(1)If , then it runs for . If all of the verifiable algorithms output “” and , it outputs “”; else, it outputs “.”(2)If not, it runs and outputs the corresponding result.

Remark 1. In our verifiable algorithm, it can verify two forms of signature. One is generated by the reconstruction algorithm. The another is generated by the signing algorithm.
Correctness. The correctness of our construction follows from the correctness of and . Firstly, the outputs of signature algorithm satisfy by the reconstruction algorithm of . Secondly, the verifiable algorithm will output “1” if the signature is generated correctly by the scheme.

Theorem 1. Let be an unforgeability functional signature scheme; then, our construction of described above is secure (c.f. Definition 7).

Proof. We now prove that if there exists a PPT adversary that can break the unforgeable security of with non-negligible probability, then another adversary can be constructed to break the unforgeable security of with the same probability.
Let be the challenger for the scheme. We construct the adversary by as follows:(i) first honestly runs the secure experiment of and gets of functional signature. Then, it generates . The adversary returns to .(ii) initializes a dictionary indexed by tuples , which contains signing keys .(iii)Key generation oracle: on inputting , operates as follows:(1)If there exists an entry for the key in the dictionary, then output the corresponding pair .(2)Else, compute . For , queries the key generation oracle of and gets secret keys . Add an entry to the dictionary and output .(iv)Signing oracle: on inputting , operates as follows:(1)If there exists an entry for the key in the dictionary, then run and and output .(2)Else, compute . For , queries the signing oracle of and gets signature pairs . Then, it computes and returns to .(v)The adversary produces a forgeable signature . Then, computes as follows:(1)If is the form of , then returns to the challenger.(2)Else, returns to the challenger. We observe that perfectly simulates the unforgeable experiment of . If successfully outputs a forgeable signature , it must satisfy the following:(1).(2)There does not exist such that and for any which was contained in the dictionary.(3)There does not exist a such that was a query to the signing oracle and .If the forgeable signature is the first form, then for any . Because is not contained in the dictionary and is not queried to the signature oracle, is a legally forgeable signature for the functional signature scheme. If the forgeable signature is the second form, then is a distributive signature and . There does not exist such that which is contained in the dictionary; it is also a legally forgeable signature. Therefore, if can break the unforgeability security of with non-negligible probability, then we can construct another adversary which breaks the unforgeability security of with the same probability.

Theorem 2. Assume is an invertible algorithm. is an invertible algorithm if for any inputs and an output , it can compute the th input , where the functions share function of . For example, Fan and Tang [12] gave a function secret sharing in which the reconstruction algorithm is , and . Let be a secure function secret sharing scheme (c.f. Definition 2); then, our construction of described above satisfies function privacy (c.f. Definition 8).

Proof. We now prove that if there exists a PPT adversary that can break the function privacy of with non-negligible probability, then another adversary can be constructed to break the security of with the same probability.
Let be the challenger for the scheme. We construct the adversary by as follows:(i) first honestly runs the secure experiment of and gets of function secret sharing scheme. Then, it generates . The adversary returns to .(ii) initializes a dictionary indexed by tuples , which contains signing keys .(iii)Key query: on inputting , operates as follows:(1)If there exists an entry for the key in the dictionary, then output .(2)Else, compute . For , computes . Add an entry to the dictionary and output .(iv) sends the challenge function pair to the adversary , where both and were not queried in the previous phase, and . Then, queries the challenger of on and gets . For , computes and returns to the adversary .(v)Proceeding adaptively, can query the key generation oracle and evaluation oracle.(1)Key query: sends a function with a restriction that and . answers the same as previous key query.(2)Evaluation query: sends an input with a restriction that . For , first computes and . Then, computes by the invertible property of and a corresponding signature by the master secret key of functional signature. For a functional signature scheme, it has a master signing key , which can be used to sign any message. At the same time, it also has a constrained key for the function , which only signs the message in the range of . returns to .(vi)At last, the adversary outputs the guess of the adversary .Although the generation way of the signature is changed, it does not influence the view of because this signature can be verified by the verifiable algorithm of . Therefore, perfectly simulates function private experiment. If can distinguish the function and with non-negligible advantage, then can break the security of with the same advantage.
In the above construction, the size of combined signature depends on the threshold, which will reduce the verification efficiency. In order to improve the efficiency, it can use aggregate signature to compress the final signature size based on the construction of functional signature proposed by Boyle et al. [9]. In their key generation algorithm, it generates the secret key for the function by a standard signature scheme. Therefore, we can change the standard signature into an aggregate signature. The generated signatures of functional signature scheme can be aggregated into a single signature . This change does not affect the security of the construction because the security of Boyle’s construction is reduced to the unforgeability of a standard signature. On the one hand, it does not use the aggregate property. On inputting an aggregate signature, the verifiable algorithm of functional signature will output one bit “0.” On the other hand, if the adversary can produce a forgeable signature for functional signature scheme by the aggregate signature, then it can be used to break the aggregate security. Based on the first construction, we modify the reconstruction algorithm and verifiable algorithm. The specific description is as follows.(i): it runs the same as before.(ii): it runs the same as before.(iii): it runs the same as before.(iv): it computes and and returns .(v):(1)If , then it runs . If the verifiable algorithms output and , it outputs “”; otherwise, it outputs “.”(2)If not, it runs and outputs the corresponding result.The secure proofs of the modified construction are similar to the Theorems 1 and 2. In the proof of unforgeability, there are two forms of signature. The first one is which satisfies . Because the reconstruction algorithm is run honestly, there exists an index such that . Meanwhile, it satisfies that is not contained in the dictionary, and is not queried to the signature oracle. So, is a legally forgeable signature for the functional signature scheme. The second form of signature is the same as Theorem 1, which can also be reduced to the security of functional signature. The proof of function privacy is exactly the same as Theorem 2.

5. Hosting Services Securely in Multiple Untrusted Clouds

We consider the setting of hosting service in untrusted clouds which was first presented by Boneh [11]. In this model, it has three parties: service provider, who owns a program , cloud server, who provides the computation capability, and arbitrary many clients. The service provider wants to host the program on a cloud server and authenticate the clients who pay for the service provided by program . Only the authenticated clients can access the program hosted on the cloud server and compute output on inputs of their choice. Meanwhile, the program may contain proprietary information, and it needs to protect its privacy. Moreover, the scheme should satisfy some properties [11]:(i)Weak client: the total cost of the client should only depend on the size of input and security parameter and should be independent of the running time of program .(ii)Delegation: the service provider only needs to run one-time setup of the whole system and authentication clients. The total cost should be bounded by a fixed polynomial in the program size in the setup phase and should only depend on the security parameter in the authentication phase.(iii)Polynomial slowdown: the running time of the cloud is bounded by a fixed polynomial in the running time of the program .

In our verifiable distributed secure cloud service scheme, the service provider generates a set of encoded program shares for program and then hosts each encoded program share on one cloud server. Any authenticated client can access the encoded program shares hosted in multiple cloud servers and compute output on inputs of his choice. Meanwhile, we require the client to verify the correctness of returned result from the cloud servers.

5.1. Syntax and Security Definitions

We recall the notion of secure cloud service scheme proposed by Boneh et al. [11] and make some changes based on [12]. The verifiable distributed secure cloud service scheme consists of five algorithms which is described as follows:(i): on inputting the security parameter , the threshold parameter , and a program , the program generation algorithm outputs encoded programs and a secret key which is used in the authentication algorithm.(ii): on inputting an identity of a client and the secret key , the authentication algorithm outputs a token for the client.(iii): on inputting the token and an input , this algorithm outputs an encoded input and which is used by client to verify the evaluated value.(iv): on inputting the encoded program and input , the evaluation algorithm outputs a result .(v): on inputting the verifiable information and the evaluated value , the verifiable algorithm outputs the value or , which implies that the client rejects the evaluated result.

The procedure runs as follows: the server provider first runs the algorithm and obtains the distributed encoded program and a secret key . Then, it sends to the th cloud server. If a client wants to access the program hosted on the cloud server, the service provider would authenticate the client by the secret key . An authenticated client with identity can encode its inputs by the algorithm and send to each cloud servers, respectively. Every cloud server will evaluate the sharing program on encoded input and return the evaluation . Finally, the client can reconstruct the value by the algorithm and verify its correctness. In Figure 1, we give the algorithm flowchart for the verifiable distributed secure cloud service scheme.

Two cases for security definition are considered in [11], untrusted cloud security and untrusted client security. We consider the case of untrusted cloud security into two subcases, program privacy and verifiability.

Definition 9. (untrusted cloud security: program privacy) (see [12], Definition 4.1). A VDS scheme is program privacy in untrusted cloud security if the successful advantage of any PPT adversary in the following experiment is negligible:(i)The adversary sends challenge program to challenger such that , and . The challenger samples a random bit , computes the encoded program , and sends to adversary .(ii)Proceeding adaptively, the adversary can make the authentication query and input query:(1)Authentication query: the challenger initializes a dictionary indexed by . When queries an identity , the challenger returns to adversary if there exists a in the dictionary. If not, the challenger returns and updates the dictionary .(2)Input query: sends to the challenger. If there exists in the dictionary, challenger returns . If not, challenger computes , returns , and updates the dictionary .(iii)Finally, the adversary outputs his guess for the bit . The adversary succeeds if . The advantage of ’s success is defined as .

Definition 10. (untrusted cloud security: verifiability). A scheme is verifiable in untrusted cloud security if the successful probability of any PPT adversary in the following experiment is negligible:(i)The adversary sends challenge program to challenger. The challenger samples the encoded program and sends to adversary .(ii)Proceeding adaptively, the adversary can make the authentication query. The challenger initializes a dictionary indexed by . When queries an identity , the challenger returns to adversary if there exists a in the dictionary. If not, the challenger returns and updates the dictionary .(iii)Finally, outputs . succeeds if .For untrusted client security, we require that a collection of corrupt clients with the help of a subset of corrupt servers does not distinguish which program is encoded.

Definition 11. (untrusted client security) (see [12], Definition 4.4). The scheme is untrusted client security if the successfully advantage of any PPT adversary in the following experiment is negligible:(i)The adversary sends challenge program to challenger such that . The challenger samples a random bit , computes the encoded program , and sends to adversary .(ii)Proceeding adaptively, the adversary can make the authentication query and evaluation query:(1)Authentication query: the challenger initializes a dictionary indexed by . When queries an identity , the challenger returns to adversary if there exists a in the dictionary. If not, the challenger returns and updates the dictionary .(2)Evaluation query: sends an encoding for the input to the challenger such that . For , challenger returns .(iii)Finally, the adversary outputs his guess for the bit . The adversary succeeds if . The successful advantage of is defined as .

5.2. Our VDS Construction

Let be a distributed functional signature scheme and be an existential unforgeable signature scheme. Now, we describe our construction as follows:(i):(1)Run and .(2)Construct a new program , which is given in Figure 2.(3)Compute .(4)Set and .(ii): parse , compute the signature , and output .(iii): parse and set and .(iv): parse and compute .(v): parse . Compute . Parse . If and , output . Else, it rejects the returned results.

Correctness. The correctness of our construction follows from the correctness of underlying distributed functional signature scheme and the signature scheme . We can observe that it outputs for an invalid signature in the encoded program . Otherwise, it outputs . By the correctness of , the output of is .

Efficiency. We do not consider the time cost of algorithm because the cost of encoding the program can be amortized over many input computations. For each invocation of , the service provider generates a signature for the client . Therefore, it is efficient for the service provider. The work of the client in handling his inputs only depends polynomially on the size of inputs and a security parameter. For the verifiable algorithm, the client needs to reconstruct the function evaluation and verify a signature, which is independent of the complexity of the program. In the phase of reconstructing the function evaluation, the client just needs to compute a summation operation by using the function secret sharing proposed by Fan and Tang [12].

Security. We show that our construction satisfies untrusted cloud security (program privacy and verifiability) and untrusted client security defined as above.

Theorem 3. Let be a distributed functional signature scheme against the security of function privacy (c.f. Definition 8); then, our construction of described above has program privacy in untrusted cloud security (c.f. Definition 9).

Proof. We prove that if there exists a PPT adversary that can break the program privacy of with non-negligible probability, then another adversary can be constructed to break the function privacy of with the same probability.
Let be the challenger for the scheme. We construct the adversary by as follows:(i)The adversary sends challenge program to such that . samples a signing key , constructs two new programs as defined in Figure 2, and sends to the challenger of . The challenger returns . returns to and sets .(ii)Proceeding adaptively, the adversary can make the authentication query and input query:(1)Authentication query: initializes a dictionary indexed by . When queries an identity , returns to if there exists a in the dictionary. If not, computes , then returns , and updates the dictionary .(2)Input query: sends to the challenger. If there exists in the dictionary, returns to adversary. Else, computes , returns , and updates the dictionary .(iii)Finally, the adversary outputs the guess of .We observe that perfectly simulates program private experiment of . Therefore, if could distinguish the program and with non-negligible advantage in untrusted cloud security, then can break the security of with the same advantage.

Theorem 4. Let be a distributed functional signature scheme against the security of unforgeability (c.f. Definition 7); then, our construction of described above is verifiable in untrusted cloud security (c.f. Definition 10).

Proof. We prove that if there exists a PPT adversary that can break verifiability of with non-negligible probability, then another adversary can be constructed to break unforgeability of with the same probability.
Let be the challenger for the scheme. We construct the adversary by as follows:(i) honestly runs the unforgeable experiment of and gets of distributed functional signature. Then, samples a signing pair .(ii) sends challenge program to . defines a new function which is described in Figure 2 and sends to the challenger of . The challenger returns , sets , and sends to adversary .(iii)Proceeding adaptively, can make the authentication query. initializes a dictionary indexed by . When queries an identity , the challenger returns to adversary if there exists a in the dictionary. If not, the challenger returns and updates the dictionary , where .(iv)Finally, outputs . Then, computes and outputs the forgeable signature , where .Assume that succeeded in the experiment of verifiability; then, it must satisfy that , , and . For , ; then, must be contained in the range of program . Because the adversary can just sign the message belonging to the range of encoded programs , the evaluation must be computed correctly. In addition, is not contained in the range of because of . is validly forgeable signature for the scheme. So, if there exists an adversary that breaks the verifiability of with non-negligible probability, then there exists another adversary that breaks the unforgeability of with the same probability.

Theorem 5. Let be a distributed functional signature scheme against the security of function privacy (c.f. Definition 8) and be an unforgeable signature scheme; then, our construction of described above is secure in untrusted client security (c.f. Definition 11).

Proof. We prove that if there exists a PPT adversary that can break security in untrusted client security with non-negligible probability, then another adversary can be constructed to break function privacy of with the same probability.
Let be the challenger for the scheme. We construct the adversary by as follows:(i) runs the function private experiment of and gets a master verifiable key of . Then, samples a signing pair .(ii)The adversary sends challenge program to such that . defines two new functions and which are described in Figure 2 and sends to the challenger of . The challenger returns , sets , and sends to adversary .(iii)Proceeding adaptively, the adversary can make the authentication query and evaluation query:(1)Authentication query: initializes a dictionary indexed by . When queries an identity , the challenger returns to adversary if there exists a in the dictionary. If not, the challenger returns and updates the dictionary , where .(2)Evaluation query: sends an encoding for the input to . first checks whether is equal to . If not, stops the experiment. Otherwise, queries the evaluation oracle of and returns the output to .(iv)Finally, the adversary outputs the result of the adversary .We observe that perfectly simulates the secure experiment in untrusted client model. Therefore, if can distinguish the program and with non-negligible advantage, then can break the function private security of with the same advantage.

6. Conclusion

In this work, we introduce the notion of distributed functional signature. In such model, it provides a possibility of function privacy in the setting of functional signature. We give a construction from function secret sharing and functional signature. The function secret sharing can be constructed based on learning with error assumption, and the functional signature can be constructed based on the existence of one-way function. Therefore, our construction can be obtained from one-way function and learning with error assumption. In addition, we apply it to the host service in multiple untrusted clouds in which the clouds will be dishonest. We require that the returned result from the clouds can be verified.

Data Availability

No underlying data were used in the study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was supported by the National Natural Science Foundation of China (nos. 61871430 and 61971458) and the Key Technologies R&D Program of Henan Province (nos. 212102210088 and 202102210169).

References

W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
View at: Publisher Site | Google Scholar
S. Goldwasser, S. Micali, and R. L. Rivest, “A digital signature scheme secure against adaptive chosen-message attacks,” SIAM, vol. 17, no. 2, pp. 281–308, 1988.
View at: Google Scholar
D. Chaum, “Blind signature system,” in Advances in Cryptology, Proc. CRYPTO’83, D. Chaum, Ed., p. 153, Plenum Press, New York, NY, USA, 1984.
View at: Google Scholar
D. Chaum and E. van Heyst, “Group signatures,” in Proceedings of the Advances in Cryptology - EUROCRYPT ’91, Workshop on the Theory and Application of of Cryptographic Techniques, pp. 257–265, Brighton, UK, April 1991.
View at: Google Scholar
R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” in Proceedings of the Advances in Cryptology-ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, pp. 552–565, Gold Coast, Australia, December 2001.
View at: Google Scholar
J. Chang, H. Wang, F. Wang, A. Zhang, and Y. Ji, “RKA security for identity-based signature scheme,” IEEE Access, vol. 8, pp. 17833–17841, 2020.
View at: Publisher Site | Google Scholar
J. Chang, Y. Ji, B. Shao, M. Xu, and R. Xue, “Certificateless homomorphic signature scheme for network coding,” IEEE/ACM Transactions on Networking, vol. 28, no. 6, pp. 2615–2628, 2020.
View at: Publisher Site | Google Scholar
J. Chang, B. Shao, Y. Ji, M. Xu, and R. Xue, “Secure network coding from secure proof of retrievability,” Science China Information Sciences [Ol], Early Access, vol. 24, 2021.
View at: Publisher Site | Google Scholar
E. Boyle, S. Goldwasser, and I. Ivan, “Functional signatures and pseudorandom functions,” in Proceedings of the Public-Key Cryptography-PKC 2014-17th International Conference on Practice and Theory in Public-Key Cryptography, pp. 501–519, Buenos Aires, Argentina, March 2014.
View at: Google Scholar
E. Boyle, N. Gilboa, and Y. Ishai, “Function secret sharing: improvements and extensions,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1292–1303, Vienna, Austria, October 2016.
View at: Google Scholar
D. Boneh, D. Gupta, I. Mironov, and A. Sahai, “Hosting services on an untrusted cloud,” in Proceedings of the Advances in Cryptology-EUROCRYPT 2015-34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 404–436, Sofia, Bulgaria, April 2015.
View at: Google Scholar
X. Fan and Q. Tang, “Making public key functional encryption function private, distributively,” in Proceedings of the Public-Key Cryptography-PKC 2018-21st IACR International Conference on Practice and Theory of Public-Key Cryptography, pp. 218–244, Rio de Janeiro, Brazil, March 2018.
View at: Google Scholar
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters, “Candidate indistinguishability obfuscation and functional encryption for all circuits,” in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, pp. 40–49, Berkeley, CA, USA, October, 2013.
View at: Google Scholar
Z. Brakerski and G. N. Rothblum, “Virtual black-box obfuscation for all circuits via generic graded encoding,” in Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014 Lecture Notes in Computer Science, Y. Lindell, Ed., Springer, San Diego, CA, USA, 2014.
View at: Google Scholar
Y. Hu and H. Jia, “Cryptanalysis of GGH map,” in Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques Lecture Notes in Computer Science, M. Fischlin and J. Coron, Eds., Springer, Vienna, Austria, 2016.
View at: Google Scholar
A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology, Proc. CRYPTO’ 84, LNCS 196, G. R. Blakley and D. C. Chaum, Eds., pp. 47–53, Springer, Berlin, Germany, 1985.
View at: Google Scholar
M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in Proceedings of the Public-Key Cryptography-PKC 2014-17th International Conference on Practice and Theory in Public-Key Cryptography, pp. 520–537, Buenos Aires, Argentina, March 2014.
View at: Google Scholar
M. Backes, S. Meiser, and D. Schröder, “Delegatable functional signatures,” in Proceedings of the Public-Key Cryptography-PKC 2016-19th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 357–386, Taipei, Taiwan, March 2016.
View at: Google Scholar
R. Johnson, D. Molnar, D. X. Song, and D. A. Wagner, “Homomorphic signature schemes,” in Proceedings of the Topics in Cryptology-CT-RSA 2002, the Cryptographer’s Track at the RSA Conference, 2002, pp. 244–262, San Jose, CA, USA, February 2002.
View at: Google Scholar
D. M. Freeman, “Improved security for linearly homomorphic signatures: a generic framework,” in Proceedings of the Public Key Cryptography-PKC 2012-15th International Conference on Practice and Theory in Public Key Cryptography, pp. 697–714, Darmstadt, Germany, May 2012.
View at: Google Scholar
D. Catalano, D. Fiore, and B. Warinschi, “Homomorphic signatures with efficient verification for polynomial functions,” in Proceedings of the Advances in Cryptology-CRYPTO 2014-34th Annual Cryptology Conference, pp. 371–389, Santa Barbara, CA, USA, August 2014.
View at: Google Scholar
A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proceedings of the Advances in Cryptology-EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473, Aarhus, Denmark, May 2005.
View at: Google Scholar
D. Boneh, A. Sahai, and B. Waters, “Functional encryption: definitions and challenges,” in Proceedings of the Theory of Cryptography-8th Theory of Cryptography Conference, TCC 2011, pp. 253–273, Providence, RI, USA, March 2011.
View at: Google Scholar
S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich, “Reusable garbled circuits and succinct functional encryption,” in Proceedings of the Symposium on Theory of Computing Conference, STOC’13, pp. 555–564, Palo Alto, CA, USA, June 2013.
View at: Google Scholar
S. Goldwasser, S. D. Gordon, V. Goyal et al., “Multi-input functional encryption,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2014 - 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 578–602, Copenhagen, Denmark, May 2014.
View at: Google Scholar
M. Abdalla, F. Bourse, A. D. Caro, and D. Pointcheval, “Simple functional encryption schemes for inner products,” in Proceedings of the Public-Key Cryptography-PKC 2015-18th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 733–751, Gaithersburg, MD, USA, April 2015.
View at: Google Scholar
S. Agrawal, B. Libert, and D. Stehlé, “Fully secure functional encryption for inner products, from standard assumptions,” in Proceedings of the Advances in Cryptology-CRYPTO 2016-36th Annual International Cryptology Conference, pp. 333–362, Santa Barbara, CA, USA, August 2016.
View at: Google Scholar
F. Benhamouda, F. Bourse, and H. Lipmaa, “Cca-secure inner-product functional encryption from projective hash functions,” in Proceedings of the Public-Key Cryptography-PKC 2017-20th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 36–66, Amsterdam, The Netherlands, March 2017.
View at: Google Scholar
T. Okamoto and K. Takashima, “Decentralized attribute-based signatures,” in Public-Key Cryptography-PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography Lecture Notes in Computer Science, K. Kurosawa and G. Hanaoka, Eds., pp. 125–142, Springer, Nara, Japan, 2013.
View at: Google Scholar
B. Liang and A. Mitrokotsa, “Decentralised functional signatures,” Mobile Networks and Applications, vol. 24, no. 3, pp. 934–946, 2019.
View at: Publisher Site | Google Scholar
P. Datta, R. Dutta, and S. Mukhopadhyay, “Functional signcryption: notion, construction, and applications,” in Provable Security-9th International Conference, ProvSec 2015, Proceedings. Lecture Notes in Computer Science, M. H. Au and A. Miyaji, Eds., Springer, Kanazawa, Japan, 2015.
View at: Google Scholar
D. Pan, B. Liang, H. Li, and P. Ni, “Hierarchical functional signcryption: notion and construction,” in Provable Security-13th International Conference, ProvSec 2019 Lecture Notes in Computer Science, R. Steinfeld and T. H. Yuen, Eds., pp. 167–185, Springer, Cairns, QLD, Australia, 2019.
View at: Google Scholar
S. Li, B. Liang, and R. Xue, “Private functional signatures: definition and construction,” in Information Security and Privacy-23rd Australasian Conference, ACISP 2018 Lecture Notes in Computer Science, W. Susilo and G. Yang, Eds., Springer, Wollongong, NSW, Australia, 2018.
View at: Google Scholar
M. Bellare, C. Namprempre, and G. Neven, “Unrestricted aggregate signatures,” in Automata, Languages and Programming, 34th International Colloquium, ICALP 2007 Lecture Notes in Computer Science, L. Arge, C. Cachin, T. Jurdzinski, and A. Tarlecki, Eds., Springer, Wroclaw, Poland, 2007.
View at: Google Scholar

Copyright

Copyright © 2021 Muhua Liu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

376

Downloads

637

Citations