## Cryptology ePrint Archive: Report 2013/390

Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption

Keita Emura and Goichiro Hanaoka and Koji Nuida and Go Ohtake and Takahiro Matsuda and Shota Yamada

Abstract: In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed.In addition, the property that anyone can \lq\lq freely'' perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call \emph{keyed-homomorphic public-key encryption} (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, \emph{transitional universal property}, and present a practical KH-PKE scheme from the DDH assumption. For $\ell$-bit security, our DDH-based KH-PKE scheme yields only $\ell$-bit longer ciphertext size than that of the Cramer--Shoup PKE scheme.

Category / Keywords: homomorphic public key encryption, CCA2 security, hash proof system

Publication Info: PKC 2013

Date: received 14 Jun 2013, last revised 12 May 2014

Contact author: k-emura at nict go jp

Available format(s): PDF | BibTeX Citation

Note: In the proceedings version, there were several bugs. We fix these bags in the current version. Note that in the previous eprint version (20130618:085049 (posted 18-Jun-2013 08:50:49 UTC)), we achieved a weaker security which we call weak KH-CCA security. In this version, we achieve KH-CCA security. See "Section 1.4 Differences from the Proceedings Version" for details.

[ Cryptology ePrint archive ]