Functional Message Authentication Codes With Message and Function Privacy

Functional signatures were allowed anyone to sign any messages in the range of function f , who possesses the secret key s k f . However, the existing construction does not satisfy the property of message and function privacy. In this paper, we propose a new notion which is called functional message authentication codes (MACs). In a functional MAC scheme, there are two types of secret keys. One is a master secret key which can be used to generate a valid tag for any messages. The other is authenticating keys for a function f , which can be used to authenticate any messages belonged to the range of f . Except the unforgeability, we require the proposed functional MAC to satisfy function and message privacy which indicates that the authenticating process reveals nothing other than the function values and the corresponding tags. We give a functional MAC construction based on a functional encryption (FE) scheme with function privacy, a perfectly binding commitment scheme, a standard signature scheme, and a symmetric encryption scheme with semantic security. Then, we show an application of functional MAC to constructing verifiable outsourcing computation, which ensures that the client does not accept an incorrect evaluation from the server with overwhelming probability.