TY - GEN
T1 - Achievable CCA2 Relaxation for Homomorphic Encryption
AU - Akavia, Adi
AU - Gentry, Craig
AU - Halevi, Shai
AU - Vald, Margarita
N1 - Publisher Copyright: © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2022
Y1 - 2022
N2 - Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized” – are funcCPA-secure. In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure. For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.
AB - Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized” – are funcCPA-secure. In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure. For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.
UR - http://www.scopus.com/inward/record.url?scp=85146687491&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-031-22365-5_3
DO - https://doi.org/10.1007/978-3-031-22365-5_3
M3 - Conference contribution
SN - 9783031223648
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 70
EP - 99
BT - Theory of Cryptography - 20th International Conference, TCC 2022, Proceedings
A2 - Kiltz, Eike
A2 - Vaikuntanathan, Vinod
PB - Springer Science and Business Media Deutschland GmbH
T2 - 20th Theory of Cryptography Conference, TCC 2022
Y2 - 7 November 2022 through 10 November 2022
ER -