TY - GEN
T1 - How to Handle Invalid Queries for Malicious-Private Protocols Based on Homomorphic Encryption
AU - Nuida, Koji
N1 - Publisher Copyright: © 2022 ACM.
PY - 2022/5/30
Y1 - 2022/5/30
AB - We consider a setting of two-party computation between a server and a client where every message received by the server is encrypted by a fully homomorphic encryption (FHE) scheme and its decryption key is held by the client only. Akavia and Vald (IACR ePrint Archive, 2021) revisited the privacy problem in such protocols against malicious servers and revealed (as opposed to a naive expectation) that under a certain condition, a malicious server can recover the client's input even if the underlying FHE scheme is IND-CPA secure. They also gave some sufficient conditions for the FHE scheme to ensure the privacy against malicious servers. However, their argument did not consider the possibility that a query from a malicious server to a client involves an invalid ciphertext. In this paper, we show, by giving a concrete example, that if such an invalid query is just rejected by the client, then the sufficient conditions in Akavia and Vald's result do not in general ensure the privacy against malicious servers. We also propose another option to handle an invalid query in a way that the client returns a random ciphertext (without explicitly rejecting the query), and show that such a protocol is private against malicious servers if the underlying FHE scheme is IND-CPA secure, sanitizable (in the sense of Ducas and Stehlé, EUROCRYPT 2016), and circular secure.
UR - http://www.scopus.com/inward/record.url?scp=85134394667&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85134394667&partnerID=8YFLogxK
U2 - 10.1145/3494105.3526238
DO - 10.1145/3494105.3526238
M3 - Conference contribution
AN - SCOPUS:85134394667
T3 - APKC 2022 - Proceedings of the 9th ACM ASIA Public-Key Cryptography Workshop
SP - 15
EP - 25
BT - APKC 2022 - Proceedings of the 9th ACM ASIA Public-Key Cryptography Workshop
PB - Association for Computing Machinery, Inc
T2 - 9th ACM Asia Public-Key Cryptography Workshop, APKC 2022, in conjunction with the 17th ACM ASIA Conference on Computer and Communications Security, ASIACCS 2022
Y2 - 30 May 2022
ER -