Abstract
Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers?
We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show:
- Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized” – are funcCPA-secure.
- In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.
- For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption).
Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.
The first author thanks the Israel Science Foundation (grant 3380/19) and the Israel National Cyber Directorate via the Haifa, BIU and Tel-Aviv cyber centers for their support. The fourth author thanks Yaron Sheffer for helpful discussions. Pre-prints of preliminary versions of this work appeared in [2, 3, 7].
Notes
1. This leveled-funcCPA oracle is useful, for example, in applications where the oracle is employed to replace deep homomorphic computations that would consume many levels of the scheme by a query to the oracle that consumes only a single level.
2. The server has no input or output, so we do not require security against the client.
3. We note that the fully decryptable requirement addresses decryption errors. This requirement can be replaced by including in Definition 6 the following treatment of errors: in case of a decryption error, the funcCPA oracle returns an encryption of the queried function on an arbitrary message in the message space.
4. We slightly abuse notation and allow \(\textsf {funcCPA}\) with respect to a circuit family.
5. In case of an error, compute \(\textbf{e}'\leftarrow \textsf{Enc}_{pk_{\ell -1}}(G_n(m))\) for an arbitrary \(m\in \mathcal {M}\).
6. We remark that the noise in the modified evaluation keys is slightly larger: the noise of a fresh ciphertext, rather than a sample from the error distribution; nonetheless, this makes essentially no difference when using the scheme.
7. In case our \(\mathcal {G}\) of interest does not contain the identity function, we slightly modify \(\mathcal {E}^{f}\) by replacing each occurrence of \(\textsf{Enc}_{pk}(m^*)\) and \(f(m^*)\) in Fig. 1 with \(\textsf{Enc}_{pk}(G(m^*))\) and \(f(G(m^*))\) respectively for an efficiently computable \(G\in \mathcal {G}\), and slightly modify the proof by replacing each occurrence of \(\mathcal {I}\) by G.
8. We note that a \(\mathcal {C}\times \mathcal {C}\)-homomorphic encryption scheme is also \(\mathcal {C}\)-homomorphic, as we can embed \(\mathcal {C}\) in \(\mathcal {C}\times \mathcal {C}\), e.g., by mapping every \(C\in \mathcal {C}\) into \((C,C)\in \mathcal {C}\times \mathcal {C}\).
References
Akavia, A., Feldman, D., Shaul, H.: Secure search on encrypted data via multi-ring sketch. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15–19, 2018, pp. 985–1001. ACM (2018)
Akavia, A., Gentry, C., Halevi, S., Vald, M.: Achievable CCA2 relaxation for homomorphic encryption. Cryptology ePrint Archive, Paper 2022/282 (2022). https://eprint.iacr.org/2022/282
Akavia, A., Leibovich, M., Resheff, Y.S., Ron, R., Shahar, M., Vald, M.: Privacy-preserving decision tree training and prediction against malicious server. Cryptology ePrint Archive, Paper 2019/1282 (2019). https://eprint.iacr.org/2019/1282
Akavia, A., Leibovich, M., Resheff, Y.S., Ron, R., Shahar, M., Vald, M.: Privacy-preserving decision trees training and prediction. In: Hutter, F., Kersting, K., Lijffijt, J., Valera, I. (eds.) ECML PKDD 2020. LNCS (LNAI), vol. 12457, pp. 145–161. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-67658-2_9
Akavia, A., Leibovich, M., Resheff, Y.S., Ron, R., Shahar, M., Vald, M.: Privacy-preserving decision trees training and prediction. ACM Trans. Priv. Secur. 25(3), 1–30 (2022)
Akavia, A., Shaul, H., Weiss, M., Yakhini, Z.: Linear-regression on packed encrypted data in the two-server model. In: Brenner, M., Lepoint, T., Rohloff, K. (eds.) Proceedings of the 7th ACM Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC@CCS 2019, London, UK, November 11–15, 2019, pp. 21–32. ACM (2019)
Akavia, A., Vald, M.: On the privacy of protocols based on CPA-secure homomorphic encryption. Cryptology ePrint Archive, Report 2021/803 (2021). https://ia.cr/2021/803
Bost, R., Popa, R.A., Tu, S., Goldwasser, S.: Machine learning classification over encrypted data. In: NDSS, vol. 4324, p. 4325 (2015)
Bourse, F., Del Pino, R., Minelli, M., Wee, H.: FHE circuit privacy almost for free. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 62–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_3
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical gapSVP. In: Advances in Cryptology - CRYPTO 2012, 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012, Proceedings, pp. 868–886 (2012)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Innovations in Theoretical Computer Science 2012, Cambridge, MA, USA, January 8–10, 2012, pp. 309–325 (2012)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput. 43(2), 831–871 (2014)
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
Canetti, R., Raghuraman, S., Richelson, S., Vaikuntanathan, V.: Chosen-ciphertext secure fully homomorphic encryption. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 213–240. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_8
Cash, D., Green, M., Hohenberger, S.: New definitions and separations for circular security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 540–557. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_32
Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33, 34–91 (2019)
Chongchitmate, W., Ostrovsky, R.: Circuit-private multi-key FHE. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 241–270. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_9
Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
Ducas, L., Stehlé, D.: Sanitization of FHE ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 294–310. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_12
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)
Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009). https://crypto.stanford.edu/craig
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC ’09, pp. 169–178. Association for Computing Machinery (2009)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Giacomelli, I., Jha, S., Joye, M., Page, C.D., Yoon, K.: Privacy-preserving ridge regression with only linearly-homomorphic encryption. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 243–261. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_13
Goldreich, O.: The Foundations of Cryptography - Basic Techniques, vol. 1. Cambridge University Press, Cambridge (2001)
Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols. ISC, Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14303-8
Ishai, Y., Paskin, A.: Evaluating branching programs on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 575–594. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_31
Juvekar, C., Vaikuntanathan, V., Chandrakasan, A.: Gazelle: a low latency framework for secure neural network inference. In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC’18, pp. 1651–1668. USENIX Association (2018)
Katz, J., Lindell, Y.: Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series). Chapman & Hall/CRC (2007)
Lai, J., Deng, R.H., Ma, C., Sakurai, K., Weng, J.: CCA-Secure Keyed-Fully Homomorphic Encryption. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 70–98. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_4
Li, B., Micciancio, D.: On the security of homomorphic encryption on approximate numbers. IACR Cryptology ePrint Archive 2020, 1533 (2020)
Loftus, J., May, A., Smart, N.P., Vercauteren, F.: On CCA-secure somewhat homomorphic encryption. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 55–72. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_4
Malavolta, G.: Circuit privacy for quantum fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2020, 1454 (2020)
Nuida, K.: How to handle invalid queries for malicious-private protocols based on homomorphic encryption. In: Proceedings of the 9th ACM on ASIA Public-Key Cryptography Workshop, APKC ’22, pp. 15–25. Association for Computing Machinery, New York, NY, USA (2022)
Ostrovsky, R., Paskin-Cherniavsky, A., Paskin-Cherniavsky, B.: Maliciously circuit-private FHE. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 536–553. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_30
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)
Prabhakaran, M., Rosulek, M.: Homomorphic encryption with CCA security. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 667–678. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_54
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 84–93 (2009)
Rosulek, M.: The joy of cryptography. http://joyofcryptography.com
Shoup, V.: A proposal for an ISO standard for public key encryption. IACR Cryptol. ePrint Arch. 2001, 112 (2001)
Wang, W., et al.: Toward scalable fully homomorphic encryption through light trusted computing assistance. CoRR abs/1905.07766 (2019)
A Proof of Lemma 2
We prove Lemma 2 showing that for every fully decryptable HE scheme \(\mathcal {E}\) that has a sanitization algorithm Sanitize, if its sanitized version \(\mathcal {E}^\textsf {santz}\) is \(\mathcal {C}\)-homomorphic, then it is circuit-private\(^+\) for \(\mathcal {C}\).
Proof
(of Lemma 2). Let \(\mathcal {E}=(\textsf{Gen},\textsf{Enc},\textsf{Dec},\textsf{Eval})\) be a fully decryptable HE scheme with a sanitization algorithm Sanitize. Denote by \(\mathcal {E}^\textsf {santz}= (\textsf{Gen},\textsf{Enc}^\textsf {santz},\textsf{Dec},\textsf{Eval}^\textsf {santz})\) its sanitized version as specified in Definition 7. Let \(\mathcal {C}\) be the set of circuits so that \(\mathcal {E}^\textsf {santz}\) is \(\mathcal {C}\)-homomorphic. We show that \(\mathcal {E}^\textsf {santz}\) is circuit-private\(^+\) for \(\mathcal {C}\).
Fix a circuit \(C\in \mathcal {C}\) over \(\ell \) inputs, ciphertexts \(c_1,\dots ,c_\ell \), and a security parameter \(\lambda \). To prove that circuit-privacy\(^+\) holds we need to show that the two ciphertexts \(\textsf{Enc}^\textsf {santz}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\cdots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \) and \(\textsf{Eval}^\textsf {santz}_{pk}\left( C, c_1,\dots ,c_\ell \right) \) are statistically close, with overwhelming probability over the choice of \((pk,sk)\leftarrow \textsf{Gen}(\lambda )\).
By definition of \(\mathcal {E}^\textsf {santz}\),
and
By the sanitization property of \(\textsf {Sanitize}\), if two ciphertexts decrypt to the same plaintext then their sanitized versions are statistically close. Therefore it is sufficient to show that the corresponding ciphertexts in the above two equations (i.e., \(\textsf{Enc}_{pk}\left( C\left( \textsf{Dec}_{sk}(c_1),\ldots ,\textsf{Dec}_{sk}(c_\ell ) \right) \right) \) and \(\textsf{Eval}_{pk}( C, \textsf {Sanitize}_{pk}(c_1),\dots ,\textsf {Sanitize}_{pk}(c_\ell ) )\)) decrypt to the same plaintext.
The correctness property of \(\mathcal {E}\) together with it being fully decryptable ensures that for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\):
and
where the probabilities are taken over the random coins of the encryption algorithm.
From Eq. 12 together with the sanitization property of \(\textsf {Sanitize}\), we obtain that, for each \( i\in [\ell ]\), with probability \(\ge 1 - {\textsf{neg}}(\lambda )\) over the choice of \((pk, sk) \leftarrow \textsf{Gen}(1^\lambda )\):
Moreover, with probability \(\ge 1-{\textsf{neg}}(\lambda )\), the above holds for all \(i\in [\ell ]\) simultaneously (by a union bound).
Since \(\textsf {Sanitize}\) uses independent randomness for each \(i\in [\ell ]\), its outputs on distinct i’s are statistically independent. So the statistical distance of the joint distribution over all \(i\in [\ell ]\) is likewise negligible (the statistical distance between joint distributions of independent random variables is at most the sum of the per-coordinate statistical distances, and the number of random variables is \(\ell ={\textsf{poly}}(\lambda )\)). Namely,
The \(\mathcal {C}\)-homomorphism of \(\mathcal {E}^\textsf {santz}\) guarantees that \(\mathcal {E}^*=(\textsf{Gen},\textsf{Enc}^\textsf {santz},\textsf{Dec},\textsf{Eval})\) is likewise \(\mathcal {C}\)-homomorphic (due to the message-preservation property of \(\textsf {Sanitize}\)), and hence for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that,
Combining Eqs. 14–15 we guarantee correctness of \(\textsf{Eval}\) on the sanitized \(c_1,\dots ,c_{\ell }\). That is, for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that,
Using the correctness property of \(\mathcal {E}\) as stated in Eq. 13 we obtain that for every \((pk,sk)\leftarrow \textsf{Gen}(1^\lambda )\) it holds that with probability \(\ge 1-{\textsf{neg}}(\lambda )\) over the random coins of the experiment,
This concludes the proof as by the sanitization property of \(\textsf {Sanitize}\), we obtain that with probability \(\ge 1 - {\textsf{neg}}(\lambda )\) over the choice of \((pk, sk) \leftarrow \textsf{Gen}(1^\lambda )\) and the random coins in \( \textsf{Enc}\) and \(\textsf{Eval}\) the following distributions are statistically close,
and
as desired. \(\square \)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Akavia, A., Gentry, C., Halevi, S., Vald, M. (2022). Achievable CCA2 Relaxation for Homomorphic Encryption. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13748. Springer, Cham. https://doi.org/10.1007/978-3-031-22365-5_3
DOI: https://doi.org/10.1007/978-3-031-22365-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22364-8
Online ISBN: 978-3-031-22365-5