Journal of Cryptology

, Volume 30, Issue 3, pp 601–671 | Cite as

Reconciling Non-malleability with Homomorphic Encryption

  • Manoj Prabhakaran
  • Mike Rosulek


Homomorphic encryption schemes are useful in designing conceptually simple protocols that operate on encrypted inputs. On the other hand, non-malleable encryption schemes are vital for designing protocols with robust security against malicious parties, in a composable setting. In this paper, we address the problem of constructing public-key encryption schemes that meaningfully combine these two opposing demands. The intuitive tradeoff we desire in an encryption scheme is that anyone should be able to change encryptions of unknown messages \(m_1, \ldots , m_k\) into a (fresh) encryption of \(T(m_1, \ldots , m_k)\) for a specific set of allowed functions T, but the scheme should be otherwise “non-malleable.” That is, no adversary should be able to construct a ciphertext whose value is related to that of other ciphertexts in any other way. For the case where the allowed functions T are all unary, we formulate precise definitions that capture our intuitive requirements and show relationships among these new definitions and other more standard ones (IND-CCA, gCCA, and RCCA). We further justify these new definitions by showing their equivalence to a natural formulation of security in the framework of Universally Composable security. Next, we describe a new family of encryption schemes that satisfy our definitions for a wide variety of allowed transformations T and prove their security under the Decisional Diffie-Hellman (DDH) assumption in two groups with related sizes. Finally, we demonstrate how encryption schemes that satisfy our definitions can be used to implement conceptually simple protocols for non-trivial computation on encrypted data, which are secure against malicious adversaries in the UC framework without resorting to general-purpose multi-party computation or zero-knowledge proofs. For the case where the allowed functions T are binary, we show that a natural generalization of our definitions is unattainable if some T is a group operation. On the positive side, we show that if one of our security requirements is relaxed in a natural way, we can in fact obtain a scheme that is homomorphic with respect to (binary) group operations, and non-malleable otherwise.



We thank Josh Benaloh, Ran Canetti, Anna Lisa Ferrara, Rui Xue, and many anonymous referees for helpful suggestions on earlier versions of these results.


  1. 1.
    J. H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, abhi shelat, and B. Waters. Computing on authenticated data. In R. Cramer, editor, TCC, volume 7194 of Lecture Notes in Computer Science, pp. 1–20. Springer, 2012.Google Scholar
  2. 2.
    J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Knudsen [46], pp. 83–107.Google Scholar
  3. 3.
    J. K. Andersen and E. W. Weisstein. Cunningham chain. From MathWorld–A Wolfram Web Resource., 2005.
  4. 4.
    M. Bellare, A. Boldyreva, A. Desai, and D. Pointcheval. Key-privacy in public-key encryption. In C. Boyd, editor, ASIACRYPT, volume 2248 of Lecture Notes in Computer Science, pp. 566–582. Springer, 2001.Google Scholar
  5. 5.
    M. Bellare and A. Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In M. J. Wiener, editor, CRYPTO, volume 1666 of Lecture Notes in Computer Science, pp. 519–536. Springer, 1999.Google Scholar
  6. 6.
    J. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Department of Computer Science, Yale University, 1987.Google Scholar
  7. 7.
    M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. In K. Nyberg, editor, EUROCRYPT, volume 1403 of Lecture Notes in Computer Science, pp. 127–144. Springer, 1998.Google Scholar
  8. 8.
    D. Boneh. The decision Diffie-Hellman problem. In J. Buhler, editor, ANTS, volume 1423 of Lecture Notes in Computer Science, pp. 48–63. Springer, 1998.Google Scholar
  9. 9.
    D. Boneh, editor. Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, volume 2729 of Lecture Notes in Computer Science. Springer, 2003.Google Scholar
  10. 10.
    D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In Kilian [44], pp. 325–341.Google Scholar
  11. 11.
    D. Boneh, G. Segev, and B. Waters. Targeted malleability: homomorphic encryption for restricted computations. In S. Goldwasser, editor, ITCS, pp. 350–366. ACM, 2012.Google Scholar
  12. 12.
    D. Boneh and B. Waters. Conjunctive, subset, and range queries on encrypted data. In Vadhan [65], pp. 535–554.Google Scholar
  13. 13.
    A. Broadbent and A. Tapp. Information-theoretic security without an honest majority. In Kurosawa [48], pp. 410–426.Google Scholar
  14. 14.
    R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, 2005.Google Scholar
  15. 15.
    R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. In C. Cachin and J. Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pp. 207–222. Springer, 2004.Google Scholar
  16. 16.
    R. Canetti and J. Herzog. Universally composable symbolic analysis of mutual authentication and key-exchange protocols. In Halevi and Rabin [39], pp. 380–403.Google Scholar
  17. 17.
    R. Canetti and S. Hohenberger. Chosen-ciphertext secure proxy re-encryption. In P. Ning, S. D. C. di Vimercati, and P. F. Syverson, editors, ACM Conference on Computer and Communications Security, pp. 185–194. ACM, 2007.Google Scholar
  18. 18.
    R. Canetti, H. Krawczyk, and J. B. Nielsen. Relaxing chosen-ciphertext security. In Boneh [9], pp. 565–582.Google Scholar
  19. 19.
    M. Chase, M. Kohlweiss, A. Lysyanskaya, and S. Meiklejohn. Malleable proof systems and applications. In D. Pointcheval and T. Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pp. 281–300. Springer, 2012.Google Scholar
  20. 20.
    D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84–88, 1981.CrossRefGoogle Scholar
  21. 21.
    B. Chor, N. Gilboa, and M. Naor. Private information retrieval by keywords. TR CS0917, Department of Computer Science, Technion, 1997.Google Scholar
  22. 22.
    R. Cramer, M. K. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with linear work. In U. M. Maurer, editor, EUROCRYPT, volume 1070 of Lecture Notes in Computer Science, pp. 72–83. Springer, 1996.Google Scholar
  23. 23.
    R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, CRYPTO, volume 1462 of Lecture Notes in Computer Science, pp. 13–25. Springer, 1998.Google Scholar
  24. 24.
    R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Knudsen [46], pp. 45–64.Google Scholar
  25. 25.
    I. Damgård, N. Fazio, and A. Nicolosi. Non-interactive zero-knowledge from homomorphic encryption. In Halevi and Rabin [39], pp. 41–59.Google Scholar
  26. 26.
    I. Damgård and J. B. Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption. In Boneh [9], pp. 247–264.Google Scholar
  27. 27.
    G. Danezis. Breaking four mix-related schemes based on universal re-encryption. Int. J. Inf. Sec., 6(6):393–402, 2007.CrossRefzbMATHGoogle Scholar
  28. 28.
    D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography (extended abstract). In C. Koutsougeras and J. S. Vitter, editors, STOC, pp. 542–552. ACM, 1991.Google Scholar
  29. 29.
    T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In G. R. Blakley and D. Chaum, editors, CRYPTO, volume 196 of Lecture Notes in Computer Science, pp. 10–18. Springer, 1984.Google Scholar
  30. 30.
    Free Haven Project. Anonymity bibliography., 2006.
  31. 31.
    C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, editor, STOC, pp. 169–178. ACM, 2009.Google Scholar
  32. 32.
    Y. Gertner, T. Malkin, and S. Myers. Towards a separation of semantic and CCA security for public key encryption. In Vadhan [65], pp. 434–455.Google Scholar
  33. 33.
    S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, Apr. 1984. Preliminary version appeared in STOC’ 82.Google Scholar
  34. 34.
    P. Golle, M. Jakobsson, A. Juels, and P. F. Syverson. Universal re-encryption for mixnets. In T. Okamoto, editor, CT-RSA, volume 2964 of Lecture Notes in Computer Science, pp. 163–178. Springer, 2004.Google Scholar
  35. 35.
    J. Groth. A verifiable secret shuffle of homomorphic encryptions. In Y. Desmedt, editor, Public Key Cryptography, volume 2567 of Lecture Notes in Computer Science, pp. 145–160. Springer, 2003.Google Scholar
  36. 36.
    J. Groth. Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In Naor [50], pp. 152–170.Google Scholar
  37. 37.
    J. Groth and S. Lu. A non-interactive shuffle with pairing based verifiability. In Kurosawa [48], pp. 51–67.Google Scholar
  38. 38.
    J. Groth and S. Lu. Verifiable shuffle of large size ciphertexts. In T. Okamoto and X. Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pp. 377–392. Springer, 2007.Google Scholar
  39. 39.
    S. Halevi and T. Rabin, editors. Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006, Proceedings, volume 3876 of Lecture Notes in Computer Science. Springer, 2006.Google Scholar
  40. 40.
    M. Hirt and K. Sako. Efficient receipt-free voting based on homomorphic encryption. In B. Preneel, editor, EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, pp. 539–556. Springer, 2000.Google Scholar
  41. 41.
    Y. Ishai, E. Kushilevitz, and R. Ostrovsky. Sufficient conditions for collision-resistant hashing. In Kilian [44], pp. 445–456.Google Scholar
  42. 42.
    M. J. Jurik. Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols. PhD thesis, BRICS, 2003.Google Scholar
  43. 43.
    A. Kiayias and M. Yung. Non-interactive zero-sharing with applications to private distributed decision making. In R. N. Wright, editor, Financial Cryptography, volume 2742 of Lecture Notes in Computer Science, pp. 303–320. Springer, 2003.Google Scholar
  44. 44.
    J. Kilian, editor. Theory of Cryptography, Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10-12, 2005, Proceedings, volume 3378 of Lecture Notes in Computer Science. Springer, 2005.Google Scholar
  45. 45.
    M. Klonowski, M. Kutylowski, A. Lauks, and F. Zagórski. Universal re-encryption of signatures and controlling anonymous information flow. In WARTACRYPT ’04 Conference on Cryptology. Bedlewo/Poznan, 2006.Google Scholar
  46. 46.
    L. R. Knudsen, editor. Advances in Cryptology - EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28 - May 2, 2002, Proceedings, volume 2332 of Lecture Notes in Computer Science. Springer, 2002.Google Scholar
  47. 47.
    T. Koshy. Elementary Number Theory with Applications. Academic Press, 2001.Google Scholar
  48. 48.
    K. Kurosawa, editor. Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings, volume 4833 of Lecture Notes in Computer Science. Springer, 2007.Google Scholar
  49. 49.
    P. D. MacKenzie, M. K. Reiter, and K. Yang. Alternatives to non-malleability: Definitions, constructions, and applications (extended abstract). In Naor [50], pp. 171–190.Google Scholar
  50. 50.
    M. Naor, editor. Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Cambridge, MA, USA, February 19-21, 2004, Proceedings, volume 2951 of Lecture Notes in Computer Science. Springer, 2004.Google Scholar
  51. 51.
    M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In H. Ortiz, editor, STOC, pp. 427–437. ACM, 1990.Google Scholar
  52. 52.
    P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In J. Stern, editor, EUROCRYPT, volume 1592 of Lecture Notes in Computer Science, pp. 223–238. Springer, 1999.Google Scholar
  53. 53.
    A. Patil. On symbolic analysis of cryptographic protocols. Master’s thesis, Massachusetts Institute of Technology, 2005.Google Scholar
  54. 54.
    M. Prabhakaran and M. Rosulek. Rerandomizable RCCA encryption. In A. Menezes, editor, CRYPTO, volume 4622 of Lecture Notes in Computer Science, pp. 517–584. Springer, 2007. Full version available from
  55. 55.
    M. Prabhakaran and M. Rosulek. Cryptographic complexity of multi-party computation problems: Classifications and separations. In D. Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pp. 262–279. Springer, 2008.Google Scholar
  56. 56.
    M. Prabhakaran and M. Rosulek. Homomorphic encryption with CCA security. In L. Aceto, I. Damgård, L. A. Goldberg, M. M. Halldórsson, A. Ingólfsdóttir, and I. Walukiewicz, editors, ICALP (2), volume 5126 of Lecture Notes in Computer Science, pp. 667–678. Springer, 2008. Full version available from
  57. 57.
    M. Prabhakaran and M. Rosulek. Towards robust computation on encrypted data. In J. Pieprzyk, editor, ASIACRYPT, volume 5350 of Lecture Notes in Computer Science, pp. 216–233. Springer, 2008.Google Scholar
  58. 58.
    C. Rackoff and D. R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum, editor, CRYPTO, volume 576 of Lecture Notes in Computer Science, pp. 433–444. Springer, 1991.Google Scholar
  59. 59.
    M. Rosulek. The Structure of Secure Multi-Party Computation. PhD thesis, Department of Computer Science, University of Illinois at Urbana-Champaign, 2009.Google Scholar
  60. 60.
    A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In P. Beame, editor, FOCS, pp. 543–553, 1999.Google Scholar
  61. 61.
    K. Sako and J. Kilian. Secure voting using partially compatible homomorphisms. In Y. Desmedt, editor, CRYPTO, volume 839 of Lecture Notes in Computer Science, pp. 411–424. Springer, 1994.Google Scholar
  62. 62.
    T. Sander, A. Young, and M. Yung. Non-interactive cryptocomputing for NC\(^{1}\). In P. Beame, editor, FOCS, pp. 554–567, 1999.Google Scholar
  63. 63.
    V. Shoup. A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112, 2001.
  64. 64.
    D. X. Song, D. Wagner, and A. Perrig. Practical techniques for searches on encrypted data. In IEEE Symposium on Security and Privacy, pp. 44–55, 2000.Google Scholar
  65. 65.
    S. P. Vadhan, editor. Theory of Cryptography, 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007, Proceedings, volume 4392 of Lecture Notes in Computer Science. Springer, 2007.Google Scholar
  66. 66.
    D. Wikström. A note on the malleability of the El Gamal cryptosystem. In A. Menezes and P. Sarkar, editors, INDOCRYPT, volume 2551 of Lecture Notes in Computer Science, pp. 176–184. Springer, 2002.Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of Illinois, Urbana-ChampaignUrbanaUSA
  2. 2.School of Electrical Engineering and Computer ScienceOregon State UniversityCorvallisUSA

Personalised recommendations