Group homomorphic encryption: characterizations, impossibility results, and applications

• Published in: Designs, codes, and cryptography Vol. 67; no. 2; pp. 209 - 232
• Main Authors: Armknecht, Frederik, Katzenbeisser, Stefan, Peter, Andreas
• Format: Journal Article
• Language: English
• Published: Boston Springer US 01.05.2013; Springer
• Subjects: Algebraic combinatorics; Applied sciences; Circuits; Coding and Information Theory; Combinatorics; Combinatorics. Ordered structures; Computer Science; Cryptography; Cryptology; Data Structures and Information Theory; Discrete Mathematics in Computer Science; Exact sciences and technology; Information and Communication; Information, signal and communications theory; Mathematics; Sciences and techniques of general use; Signal and communications theory; Telecommunications and information theory; Linear problem; Foundations; 94A60; Public-key cryptography; Homomorphic encryption; IND-CCA1 security; Subgroup membership problem; Shift; Algebraic combinatorics; k-Linear problem; Decryption; Modeling; Linear code; Multilinear function; Cryptanalysis; Public key cryptography; Oracle
• ISSN: 0925-1022; 1573-7586
• DOI: 10.1007/s10623-011-9601-2

We give a complete characterization both in terms of security and design of all currently existing group homomorphic encryption schemes, i.e., existing encryption schemes with a group homomorphic decryption function such as ElGamal and Paillier. To this end, we formalize and identify the basic underlying structure of all existing schemes and say that such schemes are of shift-type . Then, we construct an abstract scheme that represents all shift-type schemes (i.e., every scheme occurs as an instantiation of the abstract scheme) and prove its IND-CCA1 (resp. IND-CPA) security equivalent to the hardness of an abstract problem called Splitting Oracle-Assisted Subgroup Membership Problem (SOAP) (resp. Subgroup Membership Problem, SMP). Roughly, SOAP asks for solving an SMP instance, i.e., for deciding whether a given ciphertext is an encryption of the neutral element of the ciphertext group, while allowing access to a certain oracle beforehand. Our results allow for contributing to a variety of open problems such as the IND-CCA1 security of Paillier’s scheme, or the use of linear codes in group homomorphic encryption. Furthermore, we design a new cryptosystem which provides features that are unique up to now: Its IND-CPA security is based on the k -linear problem introduced by Shacham, and Hofheinz and Kiltz, while its IND-CCA1 security is based on a new k -problem that we prove to have the same progressive property, namely that if the k -instance is easy in the generic group model, the ( k +1)-instance is still hard.