Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption
In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can ‘‘freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, a homomorphic transitional universal hash family, and present a number of KH-PKE schemes through hash proof systems. We also present a practical construction of KH-PKE from the DDH assumption. For ℓ-bit security, our DDH-based scheme yields only ℓ-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme.
Keywordshomomorphic public key encryption CCA2 security hash proof system
Unable to display preview. Download preview PDF.
- 4.Boneh, D., Segev, G., Waters, B.: Targeted malleability: homomorphic encryption for restricted computations. In: ICTS, pp. 350–366 (2012)Google Scholar
- 10.Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. Cryptology ePrint Archive, Report 2001/085 (2001), http://eprint.iacr.org/
- 12.Galindo, D., Villar, J.L.: An instantiation of the Cramer-Shoup encryption paradigm using bilinear map groups. In: Workshop on Mathematical Problems and Techniques in Cryptology (2005)Google Scholar
- 15.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
- 16.Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377 (1982)Google Scholar
- 28.Shacham, H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007), http://eprint.iacr.org/
- 29.Shoup, V.: A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112 (2001), http://eprint.iacr.org/