TY - JOUR
T1 - Chosen ciphertext secure keyed-homomorphic public-key cryptosystems
AU - Emura, Keita
AU - Hanaoka, Goichiro
AU - Nuida, Koji
AU - Ohtake, Go
AU - Matsuda, Takahiro
AU - Yamada, Shota
N1 - Publisher Copyright:
© 2017, Springer Science+Business Media, LLC.
PY - 2018/8/1
Y1 - 2018/8/1
N2 - In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For ℓ-bit security, our DDH-based KH-PKE scheme yields only ℓ-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.
AB - In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For ℓ-bit security, our DDH-based KH-PKE scheme yields only ℓ-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.
UR - http://www.scopus.com/inward/record.url?scp=85030865540&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85030865540&partnerID=8YFLogxK
U2 - 10.1007/s10623-017-0417-6
DO - 10.1007/s10623-017-0417-6
M3 - Article
AN - SCOPUS:85030865540
SN - 0925-1022
VL - 86
SP - 1623
EP - 1683
JO - Designs, Codes, and Cryptography
JF - Designs, Codes, and Cryptography
IS - 8
ER -