Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption

Abstract: In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously han… Show more

“…As a first application of our USS proofs, we build a chosen-ciphertext-secure keyed-homomorphic system with threshold decryption. Keyed-homomorphic encryption is a primitive, suggested by Emura et al [16], where homomorphic ciphertext manipulations are only possible to a party holding a devoted evaluation key SK h which, by itself, does not enable decryption. The scheme should provide IND-CCA2 security when the evaluation key is unavailable to the adversary and remain IND-CCA1 secure when SK h is exposed.…”

“…Other approaches to reconcile homomorphism and non-malleability were taken in [33-35, 8, 11] but they inevitably satisfy weaker security notions than adaptive chosen-ciphertext security [36]. The results of [16] showed that CCA2-security does not rule out homomorphicity when the capability to compute over encrypted data is restricted.…”

“…Emura et al [16] gave chosen-ciphertext-secure keyed-homomorphic schemes based on hash proof systems [13]. However, these do not readily enable threshold decryption -as would be desirable in voting protocols -since valid ciphertexts are not publicly recognizable, which makes it harder to prove CCA security in the threshold setting.…”

“…However, these do not readily enable threshold decryption -as would be desirable in voting protocols -since valid ciphertexts are not publicly recognizable, which makes it harder to prove CCA security in the threshold setting. Also, these solutions are not known to satisfy the strongest security definition of [16]. The reason is that this definition seemingly requires a form of unbounded simulation-soundness.…”

“…The keyedhomomorphic property is achieved by using the simulation trapdoor of the proof system as an evaluation key SK h , allowing the evaluator to generate proofs without the witnesses. As implicitly done in [16] using hash proof systems, the simulation trapdoor is used in the scheme and not only in the security proof.…”

Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures

“…As a first application of our USS proofs, we build a chosen-ciphertext-secure keyed-homomorphic system with threshold decryption. Keyed-homomorphic encryption is a primitive, suggested by Emura et al [16], where homomorphic ciphertext manipulations are only possible to a party holding a devoted evaluation key SK h which, by itself, does not enable decryption. The scheme should provide IND-CCA2 security when the evaluation key is unavailable to the adversary and remain IND-CCA1 secure when SK h is exposed.…”

“…Other approaches to reconcile homomorphism and non-malleability were taken in [33-35, 8, 11] but they inevitably satisfy weaker security notions than adaptive chosen-ciphertext security [36]. The results of [16] showed that CCA2-security does not rule out homomorphicity when the capability to compute over encrypted data is restricted.…”

“…Emura et al [16] gave chosen-ciphertext-secure keyed-homomorphic schemes based on hash proof systems [13]. However, these do not readily enable threshold decryption -as would be desirable in voting protocols -since valid ciphertexts are not publicly recognizable, which makes it harder to prove CCA security in the threshold setting.…”

“…However, these do not readily enable threshold decryption -as would be desirable in voting protocols -since valid ciphertexts are not publicly recognizable, which makes it harder to prove CCA security in the threshold setting. Also, these solutions are not known to satisfy the strongest security definition of [16]. The reason is that this definition seemingly requires a form of unbounded simulation-soundness.…”

“…The keyedhomomorphic property is achieved by using the simulation trapdoor of the proof system as an evaluation key SK h , allowing the evaluator to generate proofs without the witnesses. As implicitly done in [16] using hash proof systems, the simulation trapdoor is used in the scheme and not only in the security proof.…”

Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures

Keyed-Fully Homomorphic Encryption Without Indistinguishability Obfuscation

On Extension of Evaluation Algorithms in Keyed-Homomorphic Encryption