Achievable CCA2 Relaxation for Homomorphic Encryption

Adi Akavia; Craig Gentry; Shai Halevi; Margarita Vald

doi:10.1007/978-3-031-22365-5_3

Achievable CCA2 Relaxation for Homomorphic Encryption

Adi Akavia, Craig Gentry, Shai Halevi, Margarita Vald

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized" – are funcCPA-secure.In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.

Original language	English
Title of host publication	Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings
Editors	Eike Kiltz, Vinod Vaikuntanathan
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	70-99
Number of pages	30
ISBN (Print)	9783031223648
DOIs	https://doi.org/10.1007/978-3-031-22365-5_3
State	Published - 2022
Event	20th Theory of Cryptography Conference, TCC 2022 - Chicago, United States Duration: 7 Nov 2022 → 10 Nov 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13748 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th Theory of Cryptography Conference, TCC 2022
Country/Territory	United States
City	Chicago
Period	7/11/22 → 10/11/22

Bibliographical note

Publisher Copyright:
© 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-22365-5_3

Cite this

Akavia, A., Gentry, C., Halevi, S., & Vald, M. (2022). Achievable CCA2 Relaxation for Homomorphic Encryption. In E. Kiltz, & V. Vaikuntanathan (Eds.), Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings (pp. 70-99). (Lecture Notes in Computer Science; Vol. 13748 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-22365-5_3

@inproceedings{eb736860502e47e9a366f4a534f8dbdb,

title = "Achievable CCA2 Relaxation for Homomorphic Encryption",

abstract = "Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized{"} – are funcCPA-secure.In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.",

author = "Adi Akavia and Craig Gentry and Shai Halevi and Margarita Vald",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 20th Theory of Cryptography Conference, TCC 2022 ; Conference date: 07-11-2022 Through 10-11-2022",

year = "2022",

doi = "10.1007/978-3-031-22365-5\_3",

language = "English",

isbn = "9783031223648",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "70--99",

editor = "Eike Kiltz and Vinod Vaikuntanathan",

booktitle = "Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings",

address = "Germany",

}

Akavia, A, Gentry, C, Halevi, S & Vald, M 2022, Achievable CCA2 Relaxation for Homomorphic Encryption. in E Kiltz & V Vaikuntanathan (eds), Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. Lecture Notes in Computer Science, vol. 13748 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 70-99, 20th Theory of Cryptography Conference, TCC 2022, Chicago, United States, 7/11/22. https://doi.org/10.1007/978-3-031-22365-5_3

Achievable CCA2 Relaxation for Homomorphic Encryption. / Akavia, Adi; Gentry, Craig; Halevi, Shai et al.
Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings. ed. / Eike Kiltz; Vinod Vaikuntanathan. Springer Science and Business Media Deutschland GmbH, 2022. p. 70-99 (Lecture Notes in Computer Science; Vol. 13748 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Achievable CCA2 Relaxation for Homomorphic Encryption

AU - Akavia, Adi

AU - Gentry, Craig

AU - Halevi, Shai

AU - Vald, Margarita

PY - 2022

Y1 - 2022

N2 - Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized" – are funcCPA-secure.In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.

AB - Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized" – are funcCPA-secure.In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.

UR - https://www.scopus.com/pages/publications/85146687491

U2 - 10.1007/978-3-031-22365-5_3

DO - 10.1007/978-3-031-22365-5_3

M3 - Conference contribution

AN - SCOPUS:85146687491

SN - 9783031223648

T3 - Lecture Notes in Computer Science

SP - 70

EP - 99

BT - Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings

A2 - Kiltz, Eike

A2 - Vaikuntanathan, Vinod

PB - Springer Science and Business Media Deutschland GmbH

T2 - 20th Theory of Cryptography Conference, TCC 2022

Y2 - 7 November 2022 through 10 November 2022

ER -