Achievable CCA2 Relaxation for Homomorphic Encryption

Abstract

Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers?

We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show:

• Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized" – are funcCPA-secure.

• In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.

• For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption).

Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.

The first author thanks the Israel Science Foundation (grant 3380/19) and Israel National Cyber Directorate via the Haifa, BIU and Tel-Aviv cyber centers for their support. The fourth author thanks Yaron Sheffer for helpful discussions. Pre-prints for preliminary versions of this works appeared in [2, 3, 7].

A Proof of Lemma 2

We prove Lemma 2 showing that for every fully decryptable HE scheme \(\mathcal {E}\) that has a sanitization algorithm Sanitize, if its sanitized version \(\mathcal {E}^\textsf {santz}\) is \(\mathcal {C}\)-homomorphic, then it is circuit-private\(^+\) for \(\mathcal {C}\).

Proof

(of Lemma 2). Let \(\mathcal {E}=(\textsf{Gen},\textsf{Enc},\textsf{Dec},\textsf{Eval})\) be a fully decryptable HE scheme with a sanitization algorithm Sanitize. Denote by \(\mathcal {E}^\textsf {santz}= (\textsf{Gen},\textsf{Enc}^\textsf {santz},\textsf{Dec},\textsf{Eval}^\textsf {santz})\) its sanitized version as specified in Definition 7. Let \(\mathcal {C}\) be the set of circuits so that \(\mathcal {E}^\textsf {santz}\) is \(\mathcal {C}\)-homomorphic. We show that \(\mathcal {E}^\textsf {santz}\) is circuit-private\(^+\) for \(\mathcal {C}\).

Fix a circuit \(C\in \mathcal {C}\) over \(\ell \) inputs, ciphertexts \(c_1,\dots ,c_\ell \), a security parameter \(\lambda \). To prove circuit-privacy\(^+\) holds we need to show the two ciphertexts \(\textsf{Enc}^\textsf {santz}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\cdots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \) and \(\textsf{Eval}^\textsf {santz}_{pk}\left( C, c_1,\dots ,c_\ell \right) \) are statistically close, with overwhelming probability over the choice of \((pk,sk)\leftarrow \textsf{Gen}(\lambda )\).

By definition of \(\mathcal {E}^\textsf {santz}\),

$$\begin{aligned} \begin{aligned}&\textsf{Enc}^\textsf {santz}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\cdots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \\[1em]&= \textsf {Sanitize}_{pk}\left( \textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \right) \end{aligned} \end{aligned}$$

(10)

and

$$\begin{aligned} \begin{aligned}&\textsf{Eval}^\textsf {santz}_{pk}\left( C, c_1,\dots ,c_\ell \right) \\[1em]&= \textsf {Sanitize}_{pk}\left( \textsf{Eval}_{pk}\left( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) \right) \right) \end{aligned} \end{aligned}$$

(11)

By the sanitization property of \(\textsf {Sanitize}\), if two ciphertexts decrypt to the same plaintext then their sanitized version is statistically close. Therefore it is sufficient to show that the corresponding ciphertexts in the above two equations (i.e., \(\textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \) and \(\textsf{Eval}_{pk}( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) )\)) decrypt to the same plaintext.

The correctness property of \(\mathcal {E}\) together with it being fully decryptable ensures that for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\):

$$\begin{aligned} \forall i\in [\ell ]: \Pr [ \textsf{Dec}_{sk}(\textsf{Enc}_{pk}(\textsf{Dec}_{sk}(c_i)))= \textsf{Dec}_{sk}(c_i)] \ge 1-{\textsf{neg}}(\lambda ) \end{aligned}$$

(12)

and

$$\begin{aligned} \begin{aligned} \Pr \left[ \begin{array}{c} \textsf{Dec}_{sk}\left( \textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \right) \\ =C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \end{array}\right] \ge 1-{\textsf{neg}}(\lambda ) \end{aligned} \end{aligned}$$

(13)

where the probabilities are taken over the random coins of the encryption algorithm.

From Eq. 12 together with the sanitization property of \(\textsf {Sanitize}\), we obtain that, for each \( i\in [\ell ]\), with probability \(\ge 1 - {\textsf{neg}}(\lambda )\) over the choice of \((pk, sk) \leftarrow \textsf{Gen}(1^\lambda )\):

$$\begin{aligned} \varDelta \left( \left( \textsf {Sanitize}_{pk}(\textsf{Enc}_{pk}(\textsf{Dec}_{sk}(c_i))),(pk,sk) \right) , \left( \textsf {Sanitize}_{pk}(c_i),(pk, sk)\right) \right) \le {\textsf{neg}}(\lambda ) \end{aligned}$$

Moreover, with probability \(\ge 1-{\textsf{neg}}(\lambda )\), the above holds for all \(i\in [\ell ]\) simultaneously (by union bound).

Since \(\textsf {Sanitize}\) uses independent randomness for each \(i\in [\ell ]\), its output on distinct i’s is statistically independent. So the joint distribution over all \(i\in [\ell ]\) is likewise negligible (since the statistical distance of the joint distribution of independent random variables is the sum of their statistical distances, and the number of random variables is \(\ell ={\textsf{poly}}(\lambda )\)). Namely,

$$\begin{aligned} \varDelta \left( \begin{array}{c} \left( \textsf {Sanitize}_{pk}(\textsf{Enc}_{pk}(\textsf{Dec}_{sk}(c_1))),\dots ,\textsf {Sanitize}_{pk}(\textsf{Enc}_{pk}(\textsf{Dec}_{sk}(c_\ell ))),(pk, sk) \right) ,\\ \left( \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ),(pk, sk) \right) \end{array} \right) \le {\textsf{neg}}(\lambda ) \end{aligned}$$

(14)

The \(\mathcal {C}\)-homomorphism of \(\mathcal {E}^\textsf {santz}\) guarantees that \(\mathcal {E}^*=(\textsf{Gen},\textsf{Enc}^\textsf {santz},\textsf{Dec},\textsf{Eval})\) is likewise \(\mathcal {C}\)-homomorphic (due to the message-preservation property of \(\textsf {Sanitize}\)), and hence for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that,

$$\begin{aligned} \begin{aligned} \Pr \left[ \begin{array}{c} \textsf{Dec}_{sk} \left( \textsf{Eval}_{pk} \left( C, \textsf {Sanitize}_{pk}(\textsf{Enc}_{pk} (\textsf{Dec}_{sk}(c_1))),\dots ,\textsf {Sanitize}_{pk}(\textsf{Enc}_{pk}(\textsf{Dec}_{sk}(c_\ell ))) \right) \right) \\ = C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \end{array}\right] \ge 1-{\textsf{neg}}(\lambda ) \end{aligned} \end{aligned}$$

(15)

Combining Eqs.  14–15 we guarantee correctness of \(\textsf{Eval}\) on the sanitized \(c_1,\dots ,c_{\ell }\). That is, for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that,

$$\begin{aligned} \begin{aligned} \Pr \left[ \begin{array}{c} \textsf{Dec}_{sk} \left( \textsf{Eval}_{pk} \left( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) \right) \right) \\ = C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \end{array}\right] \ge 1-{\textsf{neg}}(\lambda ) \end{aligned} \end{aligned}$$

Using the correctness property of \(\mathcal {E}\) as stated in Eq. 13 we obtain that for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that with probability \(\ge 1-{\textsf{neg}}(\lambda )\) over the random coins of the experiment,

$$\begin{aligned} \begin{aligned}&\textsf{Dec}_{sk} \left( \textsf{Eval}_{pk} \left( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) \right) \right) \\[1em] =&\textsf{Dec}_{sk}\left( \textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \right) \end{aligned} \end{aligned}$$

This concludes the proof as by the sanitization property of \(\textsf {Sanitize}\), we obtain that with probability \(\ge 1 - {\textsf{neg}}(\lambda )\) over the choice of \((pk, sk) \leftarrow \textsf{Gen}(1^\lambda )\) and the random coins in \( \textsf{Enc}\) and \(\textsf{Eval}\) the following distributions are statistically close,

$$\begin{aligned} \textsf {Sanitize}_{pk}\left( \textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \right) \end{aligned}$$

and

$$\begin{aligned} \textsf {Sanitize}_{pk}\left( \textsf{Eval}_{pk} \left( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) \right) \right) \end{aligned}$$

as desired.    \(\square \)