TY - JOUR
T1 - Reconciling Non-malleability with Homomorphic Encryption
AU - Prabhakaran, Manoj
AU - Rosulek, Mike
N1 - Funding Information:
Mike Rosulek: Supported by NSF Grant CCF 11-49647.
Funding Information:
Manoj Prabhakaran: Supported in part by NSF Grants CNS 07-47027, CNS 07-16626 and CNS 12-28856.
Funding Information:
The main results in this paper have appeared previously in [, , , ]. Work done while the second author was a student at the University of Illinois and supported by NSF Grants CNS 07-47027 and CNS 07-16626.
Publisher Copyright:
© 2016, International Association for Cryptologic Research.
PY - 2017/7/1
Y1 - 2017/7/1
N2 - Homomorphic encryption schemes are useful in designing conceptually simple protocols that operate on encrypted inputs. On the other hand, non-malleable encryption schemes are vital for designing protocols with robust security against malicious parties, in a composable setting. In this paper, we address the problem of constructing public-key encryption schemes that meaningfully combine these two opposing demands. The intuitive tradeoff we desire in an encryption scheme is that anyone should be able to change encryptions of unknown messages m1, … , mk into a (fresh) encryption of T(m1, … , mk) for a specific set of allowed functions T, but the scheme should be otherwise “non-malleable.” That is, no adversary should be able to construct a ciphertext whose value is related to that of other ciphertexts in any other way. For the case where the allowed functions T are all unary, we formulate precise definitions that capture our intuitive requirements and show relationships among these new definitions and other more standard ones (IND-CCA, gCCA, and RCCA). We further justify these new definitions by showing their equivalence to a natural formulation of security in the framework of Universally Composable security. Next, we describe a new family of encryption schemes that satisfy our definitions for a wide variety of allowed transformations T and prove their security under the Decisional Diffie-Hellman (DDH) assumption in two groups with related sizes. Finally, we demonstrate how encryption schemes that satisfy our definitions can be used to implement conceptually simple protocols for non-trivial computation on encrypted data, which are secure against malicious adversaries in the UC framework without resorting to general-purpose multi-party computation or zero-knowledge proofs. For the case where the allowed functions T are binary, we show that a natural generalization of our definitions is unattainable if some T is a group operation. On the positive side, we show that if one of our security requirements is relaxed in a natural way, we can in fact obtain a scheme that is homomorphic with respect to (binary) group operations, and non-malleable otherwise.
AB - Homomorphic encryption schemes are useful in designing conceptually simple protocols that operate on encrypted inputs. On the other hand, non-malleable encryption schemes are vital for designing protocols with robust security against malicious parties, in a composable setting. In this paper, we address the problem of constructing public-key encryption schemes that meaningfully combine these two opposing demands. The intuitive tradeoff we desire in an encryption scheme is that anyone should be able to change encryptions of unknown messages m1, … , mk into a (fresh) encryption of T(m1, … , mk) for a specific set of allowed functions T, but the scheme should be otherwise “non-malleable.” That is, no adversary should be able to construct a ciphertext whose value is related to that of other ciphertexts in any other way. For the case where the allowed functions T are all unary, we formulate precise definitions that capture our intuitive requirements and show relationships among these new definitions and other more standard ones (IND-CCA, gCCA, and RCCA). We further justify these new definitions by showing their equivalence to a natural formulation of security in the framework of Universally Composable security. Next, we describe a new family of encryption schemes that satisfy our definitions for a wide variety of allowed transformations T and prove their security under the Decisional Diffie-Hellman (DDH) assumption in two groups with related sizes. Finally, we demonstrate how encryption schemes that satisfy our definitions can be used to implement conceptually simple protocols for non-trivial computation on encrypted data, which are secure against malicious adversaries in the UC framework without resorting to general-purpose multi-party computation or zero-knowledge proofs. For the case where the allowed functions T are binary, we show that a natural generalization of our definitions is unattainable if some T is a group operation. On the positive side, we show that if one of our security requirements is relaxed in a natural way, we can in fact obtain a scheme that is homomorphic with respect to (binary) group operations, and non-malleable otherwise.
UR - http://www.scopus.com/inward/record.url?scp=84964506789&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964506789&partnerID=8YFLogxK
U2 - 10.1007/s00145-016-9231-y
DO - 10.1007/s00145-016-9231-y
M3 - Article
AN - SCOPUS:84964506789
SN - 0933-2790
VL - 30
SP - 601
EP - 671
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 3
ER -