Research article. DOI: 10.1145/2090236.2090264

Targeted malleability: homomorphic encryption for restricted computations

Published: 08 January 2012

ABSTRACT

We put forward the notion of targeted malleability: given a homomorphic encryption scheme, in various scenarios we would like to restrict the homomorphic computations one can perform on encrypted data. We introduce a precise framework, generalizing the foundational notion of non-malleability introduced by Dolev, Dwork, and Naor (SICOMP '00), ensuring that the malleability of a scheme is targeted only at a specific set of "allowable" functions.

In this setting we are mainly interested in the efficiency of such schemes as a function of the number of repeated homomorphic operations. Whereas constructing a scheme whose ciphertext grows linearly with the number of such operations is straightforward, obtaining more realistic (or merely non-trivial) length guarantees is significantly more challenging.

We present two constructions that transform any homomorphic encryption scheme into one that offers targeted malleability. Our constructions rely on standard cryptographic tools and on succinct non-interactive arguments, which are currently known to exist in the standard model based on variants of the knowledge-of-exponent assumption. The two constructions offer somewhat different efficiency guarantees, each of which may be preferable depending on the underlying building blocks.

References

  1. J. H. An, Y. Dodis, and T. Rabin. On the security of joint signature and encryption. In Advances in Cryptology -- EUROCRYPT '02, pages 83--107, 2002.
  2. B. Applebaum, Y. Ishai, and E. Kushilevitz. From secrecy to soundness: Efficient verification via secure computation. In Proceedings of the 37th International Colloquium on Automata, Languages and Programming, pages 152--163, 2010.
  3. M. Bellare and A. Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In Advances in Cryptology -- CRYPTO '04, pages 273--289, 2004.
  4. M. Bellare and A. Palacio. Towards plaintext-aware public-key encryption without random oracles. In Advances in Cryptology -- ASIACRYPT '04, pages 48--62, 2004.
  5. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62--73, 1993.
  6. M. Bellare and A. Sahai. Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In Advances in Cryptology -- CRYPTO '99, pages 519--536, 1999. The full version is available as Cryptology ePrint Archive, Report 2006/228.
  7. M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pages 103--112, 1988.
  8. M. Blum, A. D. Santis, S. Micali, and G. Persiano. Noninteractive zero-knowledge. SIAM Journal on Computing, 20(6):1084--1118, 1991.
  9. R. Canetti, H. Krawczyk, and J. B. Nielsen. Relaxing chosen-ciphertext security. In Advances in Cryptology -- CRYPTO '03, pages 565--582, 2003.
  10. A. Chiesa and E. Tromer. Proof-carrying data and hearsay arguments from signature cards. In Proceedings of the 1st Symposium on Innovations in Computer Science, pages 310--331, 2010.
  11. K.-M. Chung, Y. Kalai, and S. Vadhan. Improved delegation of computation using fully homomorphic encryption. In Advances in Cryptology -- CRYPTO '10, pages 483--501, 2010.
  12. R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. In Advances in Cryptology -- EUROCRYPT '97, pages 103--118, 1997.
  13. R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology -- CRYPTO '98, pages 13--25, 1998.
  14. I. Damgård. Towards practical public key systems secure against chosen ciphertext attacks. In Advances in Cryptology -- CRYPTO '91, pages 445--456, 1991.
  15. D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. SIAM Journal on Computing, 30(2):391--437, 2000.
  16. C. Dwork, M. Naor, and O. Reingold. Immunizing encryption schemes from decryption errors. In Advances in Cryptology -- EUROCRYPT '04, pages 342--360, 2004.
  17. U. Feige, D. Lapidot, and A. Shamir. Multiple non-interactive zero knowledge proofs based on a single random string. In Proceedings of the 31st Annual IEEE Symposium on Foundations of Computer Science, pages 308--317, 1990.
  18. R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In Advances in Cryptology -- CRYPTO '10, pages 465--482, 2010.
  19. C. Gentry. A fully homomorphic encryption scheme. PhD Thesis, Stanford University, 2009. Available at http://crypto.stanford.edu/craig.
  20. C. Gentry, S. Halevi, and V. Vaikuntanathan. i-hop homomorphic encryption and rerandomizable Yao circuits. In Advances in Cryptology -- CRYPTO '10, pages 155--172, 2010.
  21. C. Gentry and D. Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 99--108, 2011.
  22. S. Goldwasser, Y. T. Kalai, and G. Rothblum. Delegating computation: Interactive proofs for muggles. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pages 113--122, 2008.
  23. J. Groth. Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In Proceedings of the 1st Theory of Cryptography Conference, pages 152--170, 2004.
  24. J. Groth. Short pairing-based non-interactive zero-knowledge arguments. In Advances in Cryptology -- ASIACRYPT '10, pages 321--340, 2010.
  25. Y. Lindell. A simpler construction of CCA2-secure public-key encryption under general assumptions. Journal of Cryptology, 19(3):359--377, 2006.
  26. H. Lipmaa. Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. Cryptology ePrint Archive, Report 2011/009, 2011.
  27. S. Micali. Computationally sound proofs. SIAM Journal on Computing, 30(4):1253--1298, 2000. An extended abstract appeared in Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, 1994.
  28. M. Naor. On cryptographic assumptions and challenges. In Advances in Cryptology -- CRYPTO '03, pages 96--109, 2003.
  29. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pages 427--437, 1990.
  30. R. Pass, A. Shelat, and V. Vaikuntanathan. Relations among notions of non-malleability for encryption. In Advances in Cryptology -- ASIACRYPT '07, pages 519--535, 2007.
  31. M. Prabhakaran and M. Rosulek. Rerandomizable RCCA encryption. In Advances in Cryptology -- CRYPTO '07, pages 517--534, 2007.
  32. M. Prabhakaran and M. Rosulek. Homomorphic encryption with CCA security. In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, pages 667--678, 2008.
  33. R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, 1978.
  34. A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science, pages 543--553, 1999.
  35. N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography -- PKC '10, pages 420--443, 2010.
  36. P. Valiant. Incrementally verifiable computation -- or -- proofs of knowledge imply time/space efficiency. In Proceedings of the 5th Theory of Cryptography Conference, pages 1--18, 2008.
  37. M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology -- EUROCRYPT '10, pages 24--43, 2010.

Published in: ITCS '12: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, January 2012, 516 pages. ISBN: 9781450311151. DOI: 10.1145/2090236. Copyright © 2012 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States.
