Designs, Codes and Cryptography

, Volume 67, Issue 2, pp 209–232 | Cite as

Group homomorphic encryption: characterizations, impossibility results, and applications

  • Frederik Armknecht
  • Stefan Katzenbeisser
  • Andreas Peter


We give a complete characterization both in terms of security and design of all currently existing group homomorphic encryption schemes, i.e., existing encryption schemes with a group homomorphic decryption function such as ElGamal and Paillier. To this end, we formalize and identify the basic underlying structure of all existing schemes and say that such schemes are of shift-type. Then, we construct an abstract scheme that represents all shift-type schemes (i.e., every scheme occurs as an instantiation of the abstract scheme) and prove its IND-CCA1 (resp. IND-CPA) security equivalent to the hardness of an abstract problem called Splitting Oracle-Assisted Subgroup Membership Problem (SOAP) (resp. Subgroup Membership Problem, SMP). Roughly, SOAP asks for solving an SMP instance, i.e., for deciding whether a given ciphertext is an encryption of the neutral element of the ciphertext group, while allowing access to a certain oracle beforehand. Our results allow for contributing to a variety of open problems such as the IND-CCA1 security of Paillier’s scheme, or the use of linear codes in group homomorphic encryption. Furthermore, we design a new cryptosystem which provides features that are unique up to now: Its IND-CPA security is based on the k-linear problem introduced by Shacham, and Hofheinz and Kiltz, while its IND-CCA1 security is based on a new k-problem that we prove to have the same progressive property, namely that if the k-instance is easy in the generic group model, the (k+1)-instance is still hard.


Foundations Homomorphic encryption Public-key cryptography IND-CCA1 security Subgroup membership problem k-Linear problem 

Mathematics Subject Classification (2000)



Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Armknecht F., Sadeghi A.R.: A new approach for algebraically homomorphic encryption. Cryptol. ePr. Arch. Report 2008/422. (2008). Accessed 3 Oct 2010.
  2. Bellare M., Desai A., Pointcheval D., Rogaway P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk H. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 1462, pp. 26–45. Springer, Berlin (1998).Google Scholar
  3. Benaloh J.: Verifiable secret-ballot elections. PhD Thesis, Yale University, New Haven (1987).Google Scholar
  4. Boneh D., Silverberg A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2002)MathSciNetCrossRefGoogle Scholar
  5. Boneh D., Boyen X., Shacham H.: Short group signatures. In: Franklin, M.K. (eds) CRYPTO Lecture Notes in Computer Science vol 3152., pp. 41–55. Springer, Heidelberg (2004)Google Scholar
  6. Boneh D., Goh E.J., Nissim K.: Evaluating 2-dnf formulas on ciphertexts. In: Kilian, J. (eds) TCC Lecture Notes in Computer Science vol 3378., pp. 325–341. Springer, Heidelberg (2005)Google Scholar
  7. Canetti R., Krawczyk H., Nielsen J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (eds) CRYPTO Lecture Notes in Computer Science vol 2729., pp. 565–582. Springer, Heidelberg (2003)Google Scholar
  8. Catalano D., Gennaro R., Howgrave-Graham N., Nguyen P.Q.: Paillier’s cryptosystem revisited. In: ACM Conference on Computer and Communications Security, pp. 206–214 (2001).Google Scholar
  9. Chung K.M., Kalai Y., Vadhan S.: Improved delegation of computation using fully homomorphic encryption. In: Rabin, T. (eds) Advances in Cryptology CRYPTO 2010., pp. 483–501. Lecture Notes in Computer Science vol 6223. Springer, Berlin (2010)CrossRefGoogle Scholar
  10. Cohen J.D., Fischer M.J.: A robust and verifiable cryptographically secure election scheme (extended abstract). In: FOCS, pp. 372–382. IEEE, Oregon (1985).Google Scholar
  11. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (eds) EUROCRYPT., pp. 45–64. Lecture Notes in Computer Science vol 2332. Springer, Amsterdam (2002)Google Scholar
  12. Cramer R., Franklin M.K., Schoenmakers B., Yung M.: Multi-autority secret-ballot elections with linear work. In: EUROCRYPT, pp. 72–83 (1996).Google Scholar
  13. Cramer R., Gennaro R., Schoenmakers B.: A secure and optimally efficient multi-authority election scheme. In: EUROCRYPT, pp. 103–118 (1997).Google Scholar
  14. Cramer R., Damgård I., Nielsen J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (eds) EUROCRYPT Lecture Notes in Computer Science vol 2045., pp. 280–299. Springer, Heidelberg (2001)Google Scholar
  15. Damgård I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (eds) CRYPTO Lecture Notes in Computer Science vol 576., pp. 445–456. Springer, New York (1991)Google Scholar
  16. Damgård I., Jurik M.: A generalisation, a simplification and some applications of paillier’s probabilistic public-key system. In: Kim, K. (eds) Public Key Cryptography Lecture Notes in Computer Science vol 1992., pp. 119–136. Springer, Berlin (2001)Google Scholar
  17. Fellows M., Koblitz N.: Combinatorial cryptosystems galore! In: Finite Fields: Theory, Applications, and Algorithms. Contemporary Mathematics, vol. 168, pp. 51–61. American Mathematical Society, Providence (1993).Google Scholar
  18. Gamal T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: CRYPTO, pp. 10–18 (1984).Google Scholar
  19. Gennaro R., Gentry C., Parno B.: Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In: Rabin, T. (eds) CRYPTO Lecture Notes in Computer Science vol 6223., pp. 465–482. Springer, Heidelberg (2010)Google Scholar
  20. Gentry C.: A fully homomorphic encryption scheme. PhD Thesis, Stanford University. (2009a). Accessed 2 Feb 2011.
  21. Gentry C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher M. (ed.) STOC. ACM, pp. 169–178 (2009b).Google Scholar
  22. Gentry C., Halevi S.: Implementing Gentry’s Fully-Homomorphic Encryption Scheme. (2010). Accessed 27 Aug 2010.Google Scholar
  23. Gjøsteen K.: Homomorphic cryptosystems based on subgroup membership problems. In: Dawson E., Vaudenay S. (eds.) Mycrypt. Lecture Notes in Computer Science, vol. 3715, pp. 314–327. Springer (2005a).Google Scholar
  24. Gjøsteen K.: Symmetric subgroup membership problems. In: Vaudenay, S. (eds) Public Key Cryptography Lecture Notes in Computer Science vol 3386., pp. 104–119. Springer, Berlin (2005)Google Scholar
  25. Gjøsteen K.: A new security proof for Damgård’s ElGamal. In: Pointcheval, D. (eds) CT-RSA Lecture Notes in Computer Science vol 3860., pp. 150–158. Springer, Heidelberg (2006)Google Scholar
  26. Goldwasser S., Micali S.: Probabilistic encryption. J. Comput. Syst. Sci 28(2), 270–299 (1984)MathSciNetMATHCrossRefGoogle Scholar
  27. Groth J., Ostrovsky R., Sahai A.: Non-interactive zaps and new techniques for nizk. In: Dwork, C. (eds) CRYPTO Lecture Notes in Computer Science vol 4117., pp. 97–111. Springer, Heidelberg (2006)Google Scholar
  28. Hemenway B., Ostrovsky R.: Lossy trapdoor functions from smooth homomorphic hash proof systems. Electron. Colloq. Comput. Complex. 16, 127 (2009)Google Scholar
  29. Hofheinz D., Kiltz E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes A. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 4622, pp. 553–571. Springer, Heidelberg (2007).Google Scholar
  30. Joux A., Nguyen K.: Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003)MathSciNetMATHCrossRefGoogle Scholar
  31. Kiltz E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds) TCC Lecture Notes in Computer Science vol 3876., pp. 581–600. Springer, Berlin (2006)Google Scholar
  32. Kurzweil H., Stellmacher B.: The Theory of Finite Groups An Introduction. Springer, Berlin (2004)MATHGoogle Scholar
  33. Kushilevitz E., Ostrovsky R.: Replication is not needed: single database, computationally-private information retrieval. In: FOCS, pp. 364–373 (1997).Google Scholar
  34. Lang S.: Algebra Graduate Texts in Mathematics vol 211. Springer-Verlag, New York (2002)Google Scholar
  35. Lewko, A.B., Waters, B.: Efficient pseudorandom functions from the decisional linear assumption and weaker variants. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM Conference on Computer and Communications Security, pp. 112–120. ACM (2009)Google Scholar
  36. Lipmaa H.: On the cca1-security of ElGamal and Damgård’s ElGamal. In: Proceedings of Inscrypt 2010. Springer. (2010). Accessed 20 Oct 2010.
  37. Maurer U.M.: Abstract models of computation in cryptography. In: Smart N.P. (ed.) IMA Int. Conf. Lecture Notes in Computer Science, vol. 3796, pp. 1–12. Springer (2005).Google Scholar
  38. Naccache D., Stern J.: A new public key cryptosystem based on higher residues. In: ACM Conference on Computer and Communications Security, pp. 59–66 (1998).Google Scholar
  39. Naor M., Pinkas B.: Oblivious polynomial evaluation. SIAM J. Comput 35(5), 1254–1281 (2006)MathSciNetMATHCrossRefGoogle Scholar
  40. Naor M., Segev G.: Public-key cryptosystems resilient to key leakage. In: Halevi S. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 5677, pp. 18–35. Springer (2009).Google Scholar
  41. Okamoto T., Uchiyama S.: A new public-key cryptosystem as secure as factoring. In: EUROCRYPT, pp. 308–318 (1998).Google Scholar
  42. Paillier P.: Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT, pp. 223–238 (1999).Google Scholar
  43. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork, C. (ed.) STOC, pp. 187–196. ACM (2008)Google Scholar
  44. Prabhakaran M., Rosulek M.: Homomorphic encryption with cca security. In: Aceto L., Damgård I., Goldberg L.A., Halldórsson M.M., Ingólfsdóttir A., Walukiewicz I. (eds.) ICALP (2). Lecture Notes in Computer Science, vol. 5126, pp. 667–678. Springer (2008).Google Scholar
  45. Shacham H.: A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptol. ePr. Arch. Report 2007/074. (2007). Accessed 10 Nov 2010.
  46. Shoup V.: Lower bounds for discrete logarithms and related problems. In: EUROCRYPT, pp. 256–266 (1997).Google Scholar
  47. Smart N.P., Vercauteren F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen P.Q., Pointcheval D. (eds.) Public Key Cryptography. Lecture Notes in Computer Science, vol. 6056, pp. 420–443. Springer, Berlin (2010).Google Scholar
  48. Tsiounis Y., Yung M.: On the security of ElGamal based encryption. In: Imai, H., Zheng, Y. (eds) Public Key Cryptography Lecture Notes in Computer Science vol 1431., pp. 117–134. Springer, Berlin (1998)Google Scholar
  49. van Dijk M., Gentry C., Halevi S., Vaikuntanathan V.: Fully homomorphic encryption over the integers. In: Gilbert H. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 6110, pp. 24–43. Springer, Berlin (2010).Google Scholar
  50. Wu J., Stinson D.: On the security of the ElGamal encryption scheme and damgards variant. Cryptol. ePr. Arch. Report 2008/200. Accessed 10 Nov 2010.

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Frederik Armknecht
    • 1
  • Stefan Katzenbeisser
    • 2
  • Andreas Peter
    • 2
  1. 1.Arbeitsgruppe für theoretische Informatik und DatensicherheitUniversität MannheimMannheimGermany
  2. 2.Security Engineering GroupTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations