Chosen ciphertext secure keyed-homomorphic public-key cryptosystems

Abstract

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields only \(\ell \)-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.

Appendix A: Smoothness of cryptographic functions

In this section, we show that natural cryptographic functions, a one-way function (OWF), an always second-preimage resistant (aSec secure) hash function [41], and a key derivation function (KDF) [16], are smooth in the sense of Definition 10.

Interestingly, although the amount of smoothness, \({\mathsf {Smth}}_f\), is always negligible, its “tightness” is different depending on whether the function f is secure against uniform adversaries or against non-uniform adversaries.¹⁰ More specifically, for each cryptographic function f considered here, we show that the smoothness of f is (essentially) upperbounded by the square root of the advantage of some (uniform) PPT adversary \({\mathcal {A}}\) attacking the security of the function f. We also show that the smoothness of f is (essentially) upperbounded by the advantage of some non-uniform PPT adversary \(\mathrm {A}_{\mathrm {nu}}\). These results suggest that if we can assume the security of these cryptographic functions against non-uniform adversaries, then the output length can be as small as \(\ell \)-bit for \(\ell \)-bit security, because the smoothness of the functions are “tightly” upperbounded by the advantage of “non-uniform” adversaries attacking the security of the cryptographic functions Furthermore, even if this “non-uniform” security assumption is not justified (and instead only security against uniform adversaries is assumed), the output length the function can still be as small as at most \(2\ell \)-bit, because the main term that contribute to the smoothness is the square root of the advantage of an adversary attacking the security of the cryptographic functions (against uniform PPT adversaries).

In practice, for example, (an appropriate modification of) cryptographic hash functions such as SHA-series, can be assumed to be the cryptographic functions (secure against non-uniform adversaries) considered here.

Some notation To show the smoothness of each cryptographic function, it is useful to introduce the following notation. Let \(f :{\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function. For each \(\ell \in {{\mathbb {N}}}\), let \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) be the lexicographically smallest string¹¹ such that \(\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }] \ge \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y]\) holds for any \(y \in \{0,1\}^{\ell }\). Then, by definition, we have \({\mathsf {Smth}}_f = \max _{y \in \{0,1\}^{\ell }} \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y] = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }]\). Next, for each \(\ell \in {{\mathbb {N}}}\), we define \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) to be the lexicographically smallest string in the set \(\{x \in {\mathcal {X}}_{\ell } | f(x) = y^{\max }_{\ell }\}\). Note that \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) and \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) are uniquely determined for each \(\ell \in {{\mathbb {N}}}\).

For the function f, it is also useful to note the following properties about the probability of “collision” for random inputs:

$$\begin{aligned} \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }] = {\mathsf {Smth}}_f \quad \quad \text {and} \quad \quad \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = f(x')] \ge ({\mathsf {Smth}}_f)^2, \end{aligned}$$

(3)

where the former is by definition, and the latter is obtained as follows:

$$\begin{aligned} \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x)&= f(x')] \ge \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell } \wedge f(x) = y^{\max }_{\ell }]\\&= (\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }])^2 = ({\mathsf {Smth}}_f)^2 \end{aligned}$$

1.1 A.1 One-way function

Definition 18

(One-Way Function (OWF)) Let \(f : {\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function, where \(n = n(\ell ) := \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that f is a one-way function (OWF) if (1) f is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) we can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), and (3) \(Adv^\mathsf{{OWF}}_{{\mathcal {A}}}(\ell ):=\Pr _{x\mathop {\leftarrow }\limits ^{\$}{\mathcal {X}}_{\ell }}[x' \leftarrow {\mathcal {A}}(1^{\ell },f(x)) : f(x') = f(x)]\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that f is a OWF against non-uniform adversaries if the condition (3) is replaced with “\(Adv^\mathsf{{OWF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )\) is negligible for any non-uniform PPT algorithms \({\mathcal {A}}_{\mathrm {nu}}\).”

Lemma 12

If f is a OWF as defined in Definition 18, then f is smooth. Specifically, there exists a PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{f} \le \sqrt{Adv^{\mathsf {OWF}}_{{\mathcal {A}}}(\ell )}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{f} = Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ). \end{aligned}$$

Proof

We first show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the one-wayness of f. Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and \(y = f(x)\) (where \(x \in {\mathcal {X}}_{\ell }\) is chosen uniformly at random) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and terminates with output this \(x'\). Note that \({\mathcal {A}}\) is a (uniform) PPT algorithm, and its one-wayness advantage is as follows:

$$\begin{aligned} Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}}(\ell ) = \Pr _{x, x' \leftarrow {\mathcal {X}}_{\ell }}[f(x) = f(x')] \ge ({\mathsf {Smth}}_f)^2 \end{aligned}$$

where in the last step we use the inequation (3). Therefore, we have \({\mathsf {Smth}}_f \le \sqrt{Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}}(\ell )}\), as required.

We next show the existence of the non-uniform adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the one-wayness of f. Consider the non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(x^{\max }_{\ell }\) as an advice (i.e. \(x^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each security parameter \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and \(y = f(x)\) as input (where \(x \in {\mathcal {X}}_{\ell }\) is chosen uniformly at random), and terminates with output the string \(x^{\max }_{\ell }\). Clearly \({\mathcal {A}}_{\mathrm {nu}}\) is PPT, and its one-wayness advantage is:

$$\begin{aligned} Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = f(x^{\max }_{\ell })] = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[ f(x) = y^{\max }_{\ell }] = {\mathsf {Smth}}_f, \end{aligned}$$

as required.

This completes the proof of Lemma 12. \(\square \)

1.2 A.2 Always second-preimage resistant hash functions

Definition 19

(Always Second-Preimage Resistant (aSec) Hash Functions [41]) Let \({\mathsf {H}} : {\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function, where \(n = n(\ell ) := \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that \({\mathsf {H}}\) is an always second-preimage resistant (aSec secure) hash function if (1) \({\mathsf {H}}\) is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) we can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), (3) \(Adv^\mathsf{{aSec}}_{{\mathcal {A}}}(\ell ):= \Pr _{x\mathop {\leftarrow }\limits ^{\$}{\mathcal {X}}_{\ell }}[x' \leftarrow {\mathcal {A}}(1^{\ell },x) : \mathsf {H}(x') = \mathsf {H}(x) \wedge x' \ne x]\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that \(\mathsf {H}\) is an aSec secure hash function against non-uniform adversaries if the condition (3) is replaced with “\(Adv^\mathsf{{aSec}}_{{\mathcal {A}}}(\ell )\) is negligible for any non-uniform PPT algorithm.”

We remark that an aSec secure hash function is (close to but) different from the notion of universal one way hash function (UOWHF) [5]. UOWHF is a family of hash functions (or a keyed hash function), and in the security experiment, an adversary is allowed to choose the first message x for which the adversary has to find a collision, but is required to find a colliding input \(x'\) under a randomly chosen key hk.

Lemma 13

If \(\mathsf {H}\) is an aSec secure hash function as defined in Definition 19, then \(\mathsf {H}\) is smooth. Specifically, there exists a PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{\mathsf {H}} \le \sqrt{Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{\mathsf {H}} = Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}. \end{aligned}$$

Proof

The proof proceeds very similarly to that of Lemma 12. First, we show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the aSec security of \(\mathsf {H}\). Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and x (for a uniformly chosen value \(x \in {\mathcal {X}}_{\ell }\)) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and terminates with output this \(x'\). Note that \({\mathcal {A}}\) is trivially a (uniform) PPT algorithm, and its advantage against aSec security of \({\mathcal {H}}\) is as follows:

$$\begin{aligned} Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell )&= \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x') \wedge x \ne x']\\&= \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x')] - \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[x = x']\\&\ge (\mathsf {Smth}_{\mathsf {H}})^2 - |{\mathcal {X}}_{\ell }|^{-1} \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{\mathsf {H}} \le \sqrt{Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}}\), as required.

We next show the existence of the non-uniform adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the aSec security of \(\mathsf {H}\). Consider the non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) as an advice (i.e. \(x^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each security parameter \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and x as input (where x is chosen uniformly at random), and terminates with output the string \(x^{\max }_{\ell }\). Clearly \({\mathcal {A}}_{\mathrm {nu}}\) is PPT, and its advantage is:

$$\begin{aligned} Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )&= \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x^{\max }_{\ell }) \wedge x \ne x^{\max }_{\ell }]\\&= \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[ \mathsf {H}(x) = y^{\max }_{\ell }] - \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[x = x^{\max }_{\ell }]\\&= {\mathsf {Smth}}_{\mathsf {H}} - |{\mathcal {X}}_{\ell }|^{-1}, \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{\mathsf {H}} = Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}\), as required.

This completes the proof of Lemma 13. \(\square \)

1.3 A.3 Key derivation function

Definition 20

(Key Derivation Function (KDF) [16]) Let \(\mathsf {KDF}:{\mathcal {X}}_{\ell } \rightarrow \{0,1\}^\ell \) be a function, where \(n = n(\ell ):= \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that \(\mathsf {KDF}\) is a secure key derivation function (KDF) if (1) \(\mathsf {KDF}\) is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) We can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), and (3) \(Adv^{{\mathsf {KDF}}}_{{\mathcal {A}}}(\ell ):=|\Pr _{x\mathop {\leftarrow }\limits ^{\$}\varDelta }[{\mathcal {A}}(1^{\ell },\mathsf{KDF}(x))=1]-\Pr _{y \mathop {\leftarrow }\limits ^{\$}\{0,1\}^\ell }[{\mathcal {A}}(1^{\ell }, y)=1]|\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that \(\mathsf {KDF}\) is a secure KDF against non-uniform adversaries if \(Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )\) is negligible for any non-uniform algorithm \({\mathcal {A}}_{\mathrm {nu}}\).

Lemma 14

If \(\mathsf {KDF}\) be a secure key derivation function as defined in Definition 20, then \(\mathsf {KDF}\) is smooth. Specifically, there exists a uniform PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} \mathsf {Smth}_{\mathsf {KDF}} \le \sqrt{Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell ) + 2^{-\ell }}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{nu}\) such that

$$\begin{aligned} \mathsf {Smth}_{\mathsf {KDF}} = Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + 2^{-\ell }. \end{aligned}$$

Proof

We first show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the security of \(\mathsf {KDF}\). Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and \(y \in \{0,1\}^{\ell }\) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and returns 1 if \(G(x') = y\) or returns 0 otherwise. Note that \({\mathcal {A}}\) is clearly PPT, and its advantage is as follows:

$$\begin{aligned} Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell )&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[{\mathcal {A}}(1^{\ell }, \mathsf {KDF}(x)) = 1] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[{\mathcal {A}}(1^{\ell }, y)=1]|\\&=|\Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {KDF}(x) = \mathsf {KDF}(x')] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[y = \mathsf {KDF}(x')]|\\&\ge (\mathsf {Smth}_{\mathsf {KDF}})^2 - 2^{-\ell }, \end{aligned}$$

where in the last inequality we use the inequality (3) and the fact that y is chosen uniformly at random from \(\{0,1\}^{\ell }\). Therefore, we have \(\mathsf {Smth}_{\mathsf {KDF}} \le \sqrt{Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell ) + 2^{-\ell }}\), as required.

Next, we show the existence of the non-uniform PPT adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the security of \(\mathsf {KDF}\). Consider the algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) as an advice (i.e. \(y^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and \(y \in \{0,1\}^{\ell }\) as input, and returns 1 if \(y = y^{\max }_{\ell }\) or returns 0 otherwise. Note that \({\mathcal {A}}_{\mathrm {nu}}\) is clearly PPT, and its advantage is as follows:

$$\begin{aligned} Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {A}_{\mathrm {nu}}(1^{\ell },\mathsf {KDF}(x)) = 1] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[\mathsf {A}_{\mathrm {nu}}(1^{\ell },y) = 1]|\\&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {KDF}(x) = y^{\max }_{\ell }] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[y = y^{\max }_{\ell }]|\\&=\mathsf {Smth}_{\mathsf {KDF}} - 2^{-\ell }. \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{{\mathsf {KDF}}} = Adv^{{\mathsf {KDF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + 2^{-\ell }\), as required.

This completes the proof of Lemma 14. \(\square \)