Designs, Codes and Cryptography

, Volume 86, Issue 8, pp 1623–1683 | Cite as

Chosen ciphertext secure keyed-homomorphic public-key cryptosystems

  • Keita Emura
  • Goichiro Hanaoka
  • Koji Nuida
  • Go Ohtake
  • Takahiro Matsuda
  • Shota Yamada


In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields only \(\ell \)-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.


Homomorphic encryption CCA2 security Hash proof system 

Mathematics Subject Classification




We thank the anonymous reviewers and the members of Shin-Akarui-Angou-Benkyou-Kai for their helpful comments. This work was supported by JSPS KAKENHI Grant Number JP24700009 and by JST PRESTO Grant Number JPMJPR14E8, Japan.


  1. 1.
    Abe M., Groth J., Ohkubo M., Tibouchi M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: TCC, pp. 688–712 (2014).Google Scholar
  2. 2.
    An J.H., Dodis Y., Rabin T.: On the security of joint signature and encryption. In: EUROCRYPT, pp. 83–107 (2002).Google Scholar
  3. 3.
    Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S.P., Yang K.: On the (im)possibility of obfuscating programs. In: CRYPTO, pp. 1–18 (2001).Google Scholar
  4. 4.
    Barbosa M., Farshim P.: Delegatable homomorphic encryption with applications to secure outsourcing of computation. In: CT-RSA, pp. 296–312 (2012).Google Scholar
  5. 5.
    Bellare M., Rogaway P.: Collision-resistant hashing: towards making UOWHFs practical. In: CRYPTO, pp. 470–484 (1997).Google Scholar
  6. 6.
    Bernhard D., Cortier V., Pereira O., Smyth B., Warinschi B.: Adapting Helios for provable ballot privacy. In: ESORICS, pp. 335–354 (2011).Google Scholar
  7. 7.
    Boneh D., Segev G., Waters B.: Targeted malleability: homomorphic encryption for restricted computations. In: ITCS, pp. 350–366 (2012).Google Scholar
  8. 8.
    Canetti R., Krawczyk H., Nielsen J.B.: Relaxing chosen-ciphertext security. In: CRYPTO, pp. 565–582 (2003).Google Scholar
  9. 9.
    Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: EUROCRYPT, pp. 207–222 (2004).Google Scholar
  10. 10.
    Canetti R., Raghuraman S., Richelson S., Vaikuntanathan V.: Chosen-ciphertext secure fully homomorphic encryption. In: Public-Key Cryptography, pp. 213–240 (2017).Google Scholar
  11. 11.
    Cash D., Kiltz E., Shoup V.: The twin Diffie-Hellman problem and applications. In: EUROCRYPT, pp. 127–145 (2008).Google Scholar
  12. 12.
    Chase M., Kohlweiss M., Lysyanskaya A., Meiklejohn S.: Malleable proof systems and applications. In: EUROCRYPT, pp. 281–300 (2012).Google Scholar
  13. 13.
    Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO, pp. 13–25 (1998).Google Scholar
  14. 14.
    Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. Cryptology ePrint Archive, Report 2001/085. (2001).
  15. 15.
    Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: EUROCRYPT, pp. 45–64 (2002).Google Scholar
  16. 16.
    Desmedt Y., Gennaro R., Kurosawa K., Shoup V.: A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack. J. Cryptol. 23(1), 91–120 (2010).MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Desmedt Y., Iovino V., Persiano G., Visconti I.: Controlled homomorphic encryption: definition and construction. In: Workshop on Encrypted Computing and Applied Homomorphic Cryptography, pp. 100–122 (2017).Google Scholar
  18. 18.
    ElGamal T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory 31(4), 469–472 (1985).MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Emura K., Hanaoka G., Ohtake G., Matsuda T., Yamada S.: Chosen ciphertext secure keyed-homomorphic public-key encryption. In: Public Key Cryptography, pp. 32–50 (2013).Google Scholar
  20. 20.
    Emura K., Hayashi T., Kunihiro N., Sakuma J.: Mis-operation resistant searchable homomorphic encryption. In: ASIACCS, pp. 215–229 (2017).Google Scholar
  21. 21.
    Galindo D., Villar J.L.: An instantiation of the Cramer-Shoup encryption paradigm using bilinear map groups. Workshop on Mathematical Problems and Techniques in Cryptology (2005).Google Scholar
  22. 22.
    Gentry C.: Practical identity-based encryption without random oracles. In: EUROCRYPT, pp. 445–464 (2006).Google Scholar
  23. 23.
    Gentry C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009).Google Scholar
  24. 24.
    Goldwasser S., Micali S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377 (1982).Google Scholar
  25. 25.
    Groth J.: Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In: TCC, pp. 152–170 (2004).Google Scholar
  26. 26.
    Hanaoka G., Kurosawa K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption. In: ASIACRYPT, pp. 308–325 (2008).Google Scholar
  27. 27.
    Hemenway B., Ostrovsky R.: On homomorphic encryption and chosen-ciphertext security. In: Public Key Cryptography, pp. 52–65 (2012).Google Scholar
  28. 28.
    Hofheinz D., Kiltz E.: Secure hybrid encryption from weakened key encapsulation. In: CRYPTO, pp. 553–571 (2007).Google Scholar
  29. 29.
    Jutla C.S., Roy A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: ASIACRYPT, pp. 1–20 (2013).Google Scholar
  30. 30.
    Jutla C.S., Roy A.: Dual-system simulation-soundness with applications to UC-PAKE and more. In: ASIACRYPT, pp. 630–655 (2015).Google Scholar
  31. 31.
    Katz J., Vaikuntanathan V.: Smooth projective hashing and password-based authenticated key exchange from lattices. In: ASIACRYPT, pp. 636–652 (2009).Google Scholar
  32. 32.
    Kiltz E.: Chosen-ciphertext security from tag-based encryption. In: TCC, pp. 581–600 (2006).Google Scholar
  33. 33.
    Kiltz E.: Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman. In: PKC, pp. 282–297 (2007).Google Scholar
  34. 34.
    Kiltz E., Pietrzak K., Stam M., Yung M.: A new randomness extraction paradigm for hybrid encryption. In: EUROCRYPT, pp. 590–609 (2009).Google Scholar
  35. 35.
    Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: CRYPTO, pp. 426–442 (2004).Google Scholar
  36. 36.
    Lai J., Deng R.H., Ma C., Sakurai K., Weng J.: CCA-secure keyed-fully homomorphic encryption. In: Public-Key Cryptography, pp. 70–98 (2016).Google Scholar
  37. 37.
    Libert B., Peters T., Joye M., Yung M.: Linearly homomorphic structure-preserving signatures and their applications. In: CRYPTO, pp. 289–307 (2013).Google Scholar
  38. 38.
    Libert B., Peters T., Joye M., Yung M.: Non-malleability from malleability: simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: EUROCRYPT, pp. 514–532 (2014).Google Scholar
  39. 39.
    Loftus J., May A., Smart N.P., Vercauteren F.: On CCA-secure somewhat homomorphic encryption. In: Selected Areas in Cryptography, pp. 55–72 (2011).Google Scholar
  40. 40.
    Paillier P.: Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT, pp. 223–238 (1999).Google Scholar
  41. 41.
    Paterson K.G., Schuldt J.C.N., Stam M., Thomson S.: On the joint security of encryption and signature, revisited. In: ASIACRYPT, pp. 161–178. (2011).
  42. 42.
    Prabhakaran M., Rosulek M.: Rerandomizable RCCA encryption. In: CRYPTO, pp. 517–534 (2007).Google Scholar
  43. 43.
    Prabhakaran M., Rosulek M.: Homomorphic encryption with CCA security. In: ICALP, pp. 667–678 (2008).Google Scholar
  44. 44.
    Shacham H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074. (2007).
  45. 45.
    Shoup V.: A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112. (2001).

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. 1.National Institute of Information and Communications Technology (NICT)TokyoJapan
  2. 2.National Institute of Advanced Industrial Science and Technology (AIST)TokyoJapan
  3. 3.Japan Broadcasting CorporationTokyoJapan

Personalised recommendations