Nothing Special   »   [go: up one dir, main page]

Skip to main content
Log in

Chosen ciphertext secure keyed-homomorphic public-key cryptosystems

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields only \(\ell \)-bit longer ciphertext size than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption and give its concrete construction from the Gentry IBE scheme.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Notes

  1. When there are only less than \(\kappa \) refreshing processes, we simply ignore the case of \(\kappa '\) beyond the number of the refreshing processes. Similar remarks are applied to the following arguments.

  2. We remark that such a transition is acceptable if we make an information-theoretic jump, i.e., Assumption I. However, we still require that, for Assumptions A and U, PPT adversaries need to use the private evaluation algorithms of \(\mathbf {P}\) and \(\widehat{\mathbf {P}}\) for regular input by using k and \(\widehat{k}\) since we use computationally universal properties. However, again the projective property of the projective hash family implies that the computed value is not changed by the modification, and thus still the simulation works well. See the description of adversaries \({\mathcal {A}}_{3,1}\) and \({\mathcal {A}}_{3,2}\) later.

  3. More precisely, the adversary outputs any object that trivially yields loss of the game.

  4. Note that this process does not require the key for \(\widetilde{\mathbf {P}}\); since all the ciphertexts appearing during the refreshing process are guaranteed to be \(\widetilde{H}\)-consistent, and the consistency checks for the fourth components can be omitted.

  5. Note that this notion is (somewhat similar to but) different from the smoothness of a projective hash family.

  6. Even if this “non-uniform” security assumption is not justified (and only security against uniform PPT adversaries is assumed), n can still be as small as at most \(2\ell \)-bit, which is still smaller than (or in some group equal to) the size of an element in the group \({\mathbb {G}}\).See our analysis of smoothness of these cryptographic functions in Appendix 1.

  7. The probability that \(g_*\) is not a generator of L is \(1 - (1 - 1/p')(1 - 1/q') = 1/p' + 1/q' - 1 / (p'q')\), which is negligible (otherwise, the DCR assumption can be trivially broken since \({\mathbb {Z}}^*_{N^2}\) is not large enough).

  8. The distribution of the \(g_*^{\omega }\) and the uniform distribution on L have statistical distance \((\lfloor N/4 \rfloor - p'q')(2/(p'q') - 1/(p'q')) \le (2p'+1)(2q'+1)/(4p'q') - 1 = 1/(2p') + 1/(2q') + 1/(4p'q')\), which is negligible.

  9. In this paper, we assume that the \(\mathsf{IBE.KeyGen}\) algorithm is deterministic as in the definition of the Gentry IBE.

  10. Recall that a non-uniform algorithm is an algorithm that takes as an advice string (which is dependent only on the input length) as an additional input. The class of non-uniform PPT algorithms is equivalent to the class of polynomial-sized circuit families.

  11. In general, there could be multiple strings \(y \in \{0,1\}^{\ell }\) that maximize the probability \(\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y]\). Choosing the lexicographically smallest one is to canonically specify one of such strings.

References

  1. Abe M., Groth J., Ohkubo M., Tibouchi M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: TCC, pp. 688–712 (2014).

  2. An J.H., Dodis Y., Rabin T.: On the security of joint signature and encryption. In: EUROCRYPT, pp. 83–107 (2002).

  3. Barak B., Goldreich O., Impagliazzo R., Rudich S., Sahai A., Vadhan S.P., Yang K.: On the (im)possibility of obfuscating programs. In: CRYPTO, pp. 1–18 (2001).

  4. Barbosa M., Farshim P.: Delegatable homomorphic encryption with applications to secure outsourcing of computation. In: CT-RSA, pp. 296–312 (2012).

  5. Bellare M., Rogaway P.: Collision-resistant hashing: towards making UOWHFs practical. In: CRYPTO, pp. 470–484 (1997).

  6. Bernhard D., Cortier V., Pereira O., Smyth B., Warinschi B.: Adapting Helios for provable ballot privacy. In: ESORICS, pp. 335–354 (2011).

  7. Boneh D., Segev G., Waters B.: Targeted malleability: homomorphic encryption for restricted computations. In: ITCS, pp. 350–366 (2012).

  8. Canetti R., Krawczyk H., Nielsen J.B.: Relaxing chosen-ciphertext security. In: CRYPTO, pp. 565–582 (2003).

  9. Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: EUROCRYPT, pp. 207–222 (2004).

  10. Canetti R., Raghuraman S., Richelson S., Vaikuntanathan V.: Chosen-ciphertext secure fully homomorphic encryption. In: Public-Key Cryptography, pp. 213–240 (2017).

  11. Cash D., Kiltz E., Shoup V.: The twin Diffie-Hellman problem and applications. In: EUROCRYPT, pp. 127–145 (2008).

  12. Chase M., Kohlweiss M., Lysyanskaya A., Meiklejohn S.: Malleable proof systems and applications. In: EUROCRYPT, pp. 281–300 (2012).

  13. Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO, pp. 13–25 (1998).

  14. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. Cryptology ePrint Archive, Report 2001/085. http://eprint.iacr.org/ (2001).

  15. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: EUROCRYPT, pp. 45–64 (2002).

  16. Desmedt Y., Gennaro R., Kurosawa K., Shoup V.: A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack. J. Cryptol. 23(1), 91–120 (2010).

    Article  MathSciNet  MATH  Google Scholar 

  17. Desmedt Y., Iovino V., Persiano G., Visconti I.: Controlled homomorphic encryption: definition and construction. In: Workshop on Encrypted Computing and Applied Homomorphic Cryptography, pp. 100–122 (2017).

  18. ElGamal T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inform. Theory 31(4), 469–472 (1985).

    Article  MathSciNet  MATH  Google Scholar 

  19. Emura K., Hanaoka G., Ohtake G., Matsuda T., Yamada S.: Chosen ciphertext secure keyed-homomorphic public-key encryption. In: Public Key Cryptography, pp. 32–50 (2013).

  20. Emura K., Hayashi T., Kunihiro N., Sakuma J.: Mis-operation resistant searchable homomorphic encryption. In: ASIACCS, pp. 215–229 (2017).

  21. Galindo D., Villar J.L.: An instantiation of the Cramer-Shoup encryption paradigm using bilinear map groups. Workshop on Mathematical Problems and Techniques in Cryptology (2005).

  22. Gentry C.: Practical identity-based encryption without random oracles. In: EUROCRYPT, pp. 445–464 (2006).

  23. Gentry C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009).

  24. Goldwasser S., Micali S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377 (1982).

  25. Groth J.: Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In: TCC, pp. 152–170 (2004).

  26. Hanaoka G., Kurosawa K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption. In: ASIACRYPT, pp. 308–325 (2008).

  27. Hemenway B., Ostrovsky R.: On homomorphic encryption and chosen-ciphertext security. In: Public Key Cryptography, pp. 52–65 (2012).

  28. Hofheinz D., Kiltz E.: Secure hybrid encryption from weakened key encapsulation. In: CRYPTO, pp. 553–571 (2007).

  29. Jutla C.S., Roy A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: ASIACRYPT, pp. 1–20 (2013).

  30. Jutla C.S., Roy A.: Dual-system simulation-soundness with applications to UC-PAKE and more. In: ASIACRYPT, pp. 630–655 (2015).

  31. Katz J., Vaikuntanathan V.: Smooth projective hashing and password-based authenticated key exchange from lattices. In: ASIACRYPT, pp. 636–652 (2009).

  32. Kiltz E.: Chosen-ciphertext security from tag-based encryption. In: TCC, pp. 581–600 (2006).

  33. Kiltz E.: Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman. In: PKC, pp. 282–297 (2007).

  34. Kiltz E., Pietrzak K., Stam M., Yung M.: A new randomness extraction paradigm for hybrid encryption. In: EUROCRYPT, pp. 590–609 (2009).

  35. Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: CRYPTO, pp. 426–442 (2004).

  36. Lai J., Deng R.H., Ma C., Sakurai K., Weng J.: CCA-secure keyed-fully homomorphic encryption. In: Public-Key Cryptography, pp. 70–98 (2016).

  37. Libert B., Peters T., Joye M., Yung M.: Linearly homomorphic structure-preserving signatures and their applications. In: CRYPTO, pp. 289–307 (2013).

  38. Libert B., Peters T., Joye M., Yung M.: Non-malleability from malleability: simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: EUROCRYPT, pp. 514–532 (2014).

  39. Loftus J., May A., Smart N.P., Vercauteren F.: On CCA-secure somewhat homomorphic encryption. In: Selected Areas in Cryptography, pp. 55–72 (2011).

  40. Paillier P.: Public-key cryptosystems based on composite degree residuosity classes. In: EUROCRYPT, pp. 223–238 (1999).

  41. Paterson K.G., Schuldt J.C.N., Stam M., Thomson S.: On the joint security of encryption and signature, revisited. In: ASIACRYPT, pp. 161–178. http://eprint.iacr.org/2011/486 (2011).

  42. Prabhakaran M., Rosulek M.: Rerandomizable RCCA encryption. In: CRYPTO, pp. 517–534 (2007).

  43. Prabhakaran M., Rosulek M.: Homomorphic encryption with CCA security. In: ICALP, pp. 667–678 (2008).

  44. Shacham H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074. http://eprint.iacr.org/ (2007).

  45. Shoup V.: A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112. http://eprint.iacr.org/ (2001).

Download references

Acknowledgements

We thank the anonymous reviewers and the members of Shin-Akarui-Angou-Benkyou-Kai for their helpful comments. This work was supported by JSPS KAKENHI Grant Number JP24700009 and by JST PRESTO Grant Number JPMJPR14E8, Japan.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Keita Emura.

Additional information

Communicated by M. Albrecht.

An extended abstract appears in the 16th International Conference on Practice and Theory in Public Key Cryptography (PKC 2013) [19]. This is the full version.

Appendix A: Smoothness of cryptographic functions

Appendix A: Smoothness of cryptographic functions

In this section, we show that natural cryptographic functions, a one-way function (OWF), an always second-preimage resistant (aSec secure) hash function [41], and a key derivation function (KDF) [16], are smooth in the sense of Definition 10.

Interestingly, although the amount of smoothness, \({\mathsf {Smth}}_f\), is always negligible, its “tightness” is different depending on whether the function f is secure against uniform adversaries or against non-uniform adversaries.Footnote 10 More specifically, for each cryptographic function f considered here, we show that the smoothness of f is (essentially) upperbounded by the square root of the advantage of some (uniform) PPT adversary \({\mathcal {A}}\) attacking the security of the function f. We also show that the smoothness of f is (essentially) upperbounded by the advantage of some non-uniform PPT adversary \(\mathrm {A}_{\mathrm {nu}}\). These results suggest that if we can assume the security of these cryptographic functions against non-uniform adversaries, then the output length can be as small as \(\ell \)-bit for \(\ell \)-bit security, because the smoothness of the functions are “tightly” upperbounded by the advantage of “non-uniform” adversaries attacking the security of the cryptographic functions Furthermore, even if this “non-uniform” security assumption is not justified (and instead only security against uniform adversaries is assumed), the output length the function can still be as small as at most \(2\ell \)-bit, because the main term that contribute to the smoothness is the square root of the advantage of an adversary attacking the security of the cryptographic functions (against uniform PPT adversaries).

In practice, for example, (an appropriate modification of) cryptographic hash functions such as SHA-series, can be assumed to be the cryptographic functions (secure against non-uniform adversaries) considered here.

Some notation To show the smoothness of each cryptographic function, it is useful to introduce the following notation. Let \(f :{\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function. For each \(\ell \in {{\mathbb {N}}}\), let \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) be the lexicographically smallest stringFootnote 11 such that \(\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }] \ge \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y]\) holds for any \(y \in \{0,1\}^{\ell }\). Then, by definition, we have \({\mathsf {Smth}}_f = \max _{y \in \{0,1\}^{\ell }} \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y] = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }]\). Next, for each \(\ell \in {{\mathbb {N}}}\), we define \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) to be the lexicographically smallest string in the set \(\{x \in {\mathcal {X}}_{\ell } | f(x) = y^{\max }_{\ell }\}\). Note that \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) and \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) are uniquely determined for each \(\ell \in {{\mathbb {N}}}\).

For the function f, it is also useful to note the following properties about the probability of “collision” for random inputs:

$$\begin{aligned} \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }] = {\mathsf {Smth}}_f \quad \quad \text {and} \quad \quad \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = f(x')] \ge ({\mathsf {Smth}}_f)^2, \end{aligned}$$
(3)

where the former is by definition, and the latter is obtained as follows:

$$\begin{aligned} \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x)&= f(x')] \ge \Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell } \wedge f(x) = y^{\max }_{\ell }]\\&= (\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = y^{\max }_{\ell }])^2 = ({\mathsf {Smth}}_f)^2 \end{aligned}$$

1.1 A.1 One-way function

Definition 18

(One-Way Function (OWF)) Let \(f : {\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function, where \(n = n(\ell ) := \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that f is a one-way function (OWF) if (1) f is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) we can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), and (3) \(Adv^\mathsf{{OWF}}_{{\mathcal {A}}}(\ell ):=\Pr _{x\mathop {\leftarrow }\limits ^{\$}{\mathcal {X}}_{\ell }}[x' \leftarrow {\mathcal {A}}(1^{\ell },f(x)) : f(x') = f(x)]\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that f is a OWF against non-uniform adversaries if the condition (3) is replaced with “\(Adv^\mathsf{{OWF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )\) is negligible for any non-uniform PPT algorithms \({\mathcal {A}}_{\mathrm {nu}}\).”

Lemma 12

If f is a OWF as defined in Definition 18, then f is smooth. Specifically, there exists a PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{f} \le \sqrt{Adv^{\mathsf {OWF}}_{{\mathcal {A}}}(\ell )}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{f} = Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ). \end{aligned}$$

Proof

We first show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the one-wayness of f. Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and \(y = f(x)\) (where \(x \in {\mathcal {X}}_{\ell }\) is chosen uniformly at random) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and terminates with output this \(x'\). Note that \({\mathcal {A}}\) is a (uniform) PPT algorithm, and its one-wayness advantage is as follows:

$$\begin{aligned} Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}}(\ell ) = \Pr _{x, x' \leftarrow {\mathcal {X}}_{\ell }}[f(x) = f(x')] \ge ({\mathsf {Smth}}_f)^2 \end{aligned}$$

where in the last step we use the inequation (3). Therefore, we have \({\mathsf {Smth}}_f \le \sqrt{Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}}(\ell )}\), as required.

We next show the existence of the non-uniform adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the one-wayness of f. Consider the non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(x^{\max }_{\ell }\) as an advice (i.e. \(x^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each security parameter \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and \(y = f(x)\) as input (where \(x \in {\mathcal {X}}_{\ell }\) is chosen uniformly at random), and terminates with output the string \(x^{\max }_{\ell }\). Clearly \({\mathcal {A}}_{\mathrm {nu}}\) is PPT, and its one-wayness advantage is:

$$\begin{aligned} Adv^{{\mathsf {OWF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[f(x) = f(x^{\max }_{\ell })] = \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[ f(x) = y^{\max }_{\ell }] = {\mathsf {Smth}}_f, \end{aligned}$$

as required.

This completes the proof of Lemma 12. \(\square \)

1.2 A.2 Always second-preimage resistant hash functions

Definition 19

(Always Second-Preimage Resistant (aSec) Hash Functions [41]) Let \({\mathsf {H}} : {\mathcal {X}}_{\ell } \rightarrow \{0,1\}^{\ell }\) be a function, where \(n = n(\ell ) := \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that \({\mathsf {H}}\) is an always second-preimage resistant (aSec secure) hash function if (1) \({\mathsf {H}}\) is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) we can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), (3) \(Adv^\mathsf{{aSec}}_{{\mathcal {A}}}(\ell ):= \Pr _{x\mathop {\leftarrow }\limits ^{\$}{\mathcal {X}}_{\ell }}[x' \leftarrow {\mathcal {A}}(1^{\ell },x) : \mathsf {H}(x') = \mathsf {H}(x) \wedge x' \ne x]\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that \(\mathsf {H}\) is an aSec secure hash function against non-uniform adversaries if the condition (3) is replaced with “\(Adv^\mathsf{{aSec}}_{{\mathcal {A}}}(\ell )\) is negligible for any non-uniform PPT algorithm.”

We remark that an aSec secure hash function is (close to but) different from the notion of universal one way hash function (UOWHF) [5]. UOWHF is a family of hash functions (or a keyed hash function), and in the security experiment, an adversary is allowed to choose the first message x for which the adversary has to find a collision, but is required to find a colliding input \(x'\) under a randomly chosen key hk.

Lemma 13

If \(\mathsf {H}\) is an aSec secure hash function as defined in Definition 19, then \(\mathsf {H}\) is smooth. Specifically, there exists a PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{\mathsf {H}} \le \sqrt{Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) such that

$$\begin{aligned} {\mathsf {Smth}}_{\mathsf {H}} = Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}. \end{aligned}$$

Proof

The proof proceeds very similarly to that of Lemma 12. First, we show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the aSec security of \(\mathsf {H}\). Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and x (for a uniformly chosen value \(x \in {\mathcal {X}}_{\ell }\)) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and terminates with output this \(x'\). Note that \({\mathcal {A}}\) is trivially a (uniform) PPT algorithm, and its advantage against aSec security of \({\mathcal {H}}\) is as follows:

$$\begin{aligned} Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell )&= \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x') \wedge x \ne x']\\&= \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x')] - \Pr _{x, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[x = x']\\&\ge (\mathsf {Smth}_{\mathsf {H}})^2 - |{\mathcal {X}}_{\ell }|^{-1} \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{\mathsf {H}} \le \sqrt{Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}}\), as required.

We next show the existence of the non-uniform adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the aSec security of \(\mathsf {H}\). Consider the non-uniform PPT algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(x^{\max }_{\ell } \in {\mathcal {X}}_{\ell }\) as an advice (i.e. \(x^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each security parameter \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and x as input (where x is chosen uniformly at random), and terminates with output the string \(x^{\max }_{\ell }\). Clearly \({\mathcal {A}}_{\mathrm {nu}}\) is PPT, and its advantage is:

$$\begin{aligned} Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )&= \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {H}(x) = \mathsf {H}(x^{\max }_{\ell }) \wedge x \ne x^{\max }_{\ell }]\\&= \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[ \mathsf {H}(x) = y^{\max }_{\ell }] - \Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[x = x^{\max }_{\ell }]\\&= {\mathsf {Smth}}_{\mathsf {H}} - |{\mathcal {X}}_{\ell }|^{-1}, \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{\mathsf {H}} = Adv^{{\mathsf {aSec}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + |{\mathcal {X}}_{\ell }|^{-1}\), as required.

This completes the proof of Lemma 13. \(\square \)

1.3 A.3 Key derivation function

Definition 20

(Key Derivation Function (KDF) [16]) Let \(\mathsf {KDF}:{\mathcal {X}}_{\ell } \rightarrow \{0,1\}^\ell \) be a function, where \(n = n(\ell ):= \log _2 |{\mathcal {X}}_{\ell }| \in \omega (\log _2 \ell )\). We say that \(\mathsf {KDF}\) is a secure key derivation function (KDF) if (1) \(\mathsf {KDF}\) is efficiently computable in terms of the security parameter \(\ell \) (and thus n is some polynomial of \(\ell \)), (2) We can efficiently sample an element uniformly at random from the domain \({\mathcal {X}}_{\ell }\), and (3) \(Adv^{{\mathsf {KDF}}}_{{\mathcal {A}}}(\ell ):=|\Pr _{x\mathop {\leftarrow }\limits ^{\$}\varDelta }[{\mathcal {A}}(1^{\ell },\mathsf{KDF}(x))=1]-\Pr _{y \mathop {\leftarrow }\limits ^{\$}\{0,1\}^\ell }[{\mathcal {A}}(1^{\ell }, y)=1]|\) is negligible for any PPT algorithm \({\mathcal {A}}\).

Furthermore, we say that \(\mathsf {KDF}\) is a secure KDF against non-uniform adversaries if \(Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )\) is negligible for any non-uniform algorithm \({\mathcal {A}}_{\mathrm {nu}}\).

Lemma 14

If \(\mathsf {KDF}\) be a secure key derivation function as defined in Definition 20, then \(\mathsf {KDF}\) is smooth. Specifically, there exists a uniform PPT algorithm \({\mathcal {A}}\) such that

$$\begin{aligned} \mathsf {Smth}_{\mathsf {KDF}} \le \sqrt{Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell ) + 2^{-\ell }}. \end{aligned}$$

Furthermore, there exists a non-uniform PPT algorithm \({\mathcal {A}}_{nu}\) such that

$$\begin{aligned} \mathsf {Smth}_{\mathsf {KDF}} = Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + 2^{-\ell }. \end{aligned}$$

Proof

We first show the existence of the uniform PPT adversary \({\mathcal {A}}\) against the security of \(\mathsf {KDF}\). Consider the algorithm \({\mathcal {A}}\) that takes \(1^{\ell }\) and \(y \in \{0,1\}^{\ell }\) as input, picks \(x' \in {\mathcal {X}}_{\ell }\) uniformly at random, and returns 1 if \(G(x') = y\) or returns 0 otherwise. Note that \({\mathcal {A}}\) is clearly PPT, and its advantage is as follows:

$$\begin{aligned} Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell )&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[{\mathcal {A}}(1^{\ell }, \mathsf {KDF}(x)) = 1] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[{\mathcal {A}}(1^{\ell }, y)=1]|\\&=|\Pr _{x,x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {KDF}(x) = \mathsf {KDF}(x')] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }, x' \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[y = \mathsf {KDF}(x')]|\\&\ge (\mathsf {Smth}_{\mathsf {KDF}})^2 - 2^{-\ell }, \end{aligned}$$

where in the last inequality we use the inequality (3) and the fact that y is chosen uniformly at random from \(\{0,1\}^{\ell }\). Therefore, we have \(\mathsf {Smth}_{\mathsf {KDF}} \le \sqrt{Adv^{\mathsf {KDF}}_{{\mathcal {A}}}(\ell ) + 2^{-\ell }}\), as required.

Next, we show the existence of the non-uniform PPT adversary \({\mathcal {A}}_{\mathrm {nu}}\) against the security of \(\mathsf {KDF}\). Consider the algorithm \({\mathcal {A}}_{\mathrm {nu}}\) that has \(y^{\max }_{\ell } \in \{0,1\}^{\ell }\) as an advice (i.e. \(y^{\max }_{\ell }\) is hard-wired inside \({\mathcal {A}}_{\mathrm {nu}}\) for each \(\ell \in {{\mathbb {N}}}\)), takes \(1^{\ell }\) and \(y \in \{0,1\}^{\ell }\) as input, and returns 1 if \(y = y^{\max }_{\ell }\) or returns 0 otherwise. Note that \({\mathcal {A}}_{\mathrm {nu}}\) is clearly PPT, and its advantage is as follows:

$$\begin{aligned} Adv^{\mathsf {KDF}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell )&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {A}_{\mathrm {nu}}(1^{\ell },\mathsf {KDF}(x)) = 1] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[\mathsf {A}_{\mathrm {nu}}(1^{\ell },y) = 1]|\\&= |\Pr _{x \mathop {\leftarrow }\limits ^{\$} {\mathcal {X}}_{\ell }}[\mathsf {KDF}(x) = y^{\max }_{\ell }] - \Pr _{y \mathop {\leftarrow }\limits ^{\$} \{0,1\}^{\ell }}[y = y^{\max }_{\ell }]|\\&=\mathsf {Smth}_{\mathsf {KDF}} - 2^{-\ell }. \end{aligned}$$

Therefore, we have \({\mathsf {Smth}}_{{\mathsf {KDF}}} = Adv^{{\mathsf {KDF}}}_{{\mathcal {A}}_{\mathrm {nu}}}(\ell ) + 2^{-\ell }\), as required.

This completes the proof of Lemma 14. \(\square \)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Emura, K., Hanaoka, G., Nuida, K. et al. Chosen ciphertext secure keyed-homomorphic public-key cryptosystems. Des. Codes Cryptogr. 86, 1623–1683 (2018). https://doi.org/10.1007/s10623-017-0417-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-017-0417-6

Keywords

Mathematics Subject Classification

Navigation