CCA-Secure Keyed-Fully Homomorphic Encryption

Lai, Junzuo; Deng, Robert H.; Ma, Changshe; Sakurai, Kouichi; Weng, Jian

doi:10.1007/978-3-662-49384-7_4

Junzuo Lai^5,6,
Robert H. Deng⁷,
Changshe Ma⁸,
Kouichi Sakurai⁹ &
…
Jian Weng⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9614))

2719 Accesses
11 Citations

Abstract

To simultaneously achieve CCA security and homomorphic property for encryption, Emura et al. introduced a new cryptographic primitive named keyed-homomorphic encryption, in which homomorphic ciphertext manipulations can only be performed by someone holding a devoted evaluation key which, by itself, does not enable decryption. A keyed-homomorphic encryption scheme should provide CCA2 security when the evaluation key is unavailable to the adversary and remain CCA1-secure when the evaluation key is exposed. While existing keyed-homomorphic encryption schemes only allow simple computations on encrypted data, our goal is to construct CCA-secure keyed-fully homomorphic encryption (keyed-FHE) capable of evaluating any functions on encrypted data with an evaluation key.

In this paper, we first introduce a new primitive called convertible identity-based fully homomorphic encryption (IBFHE), which is an IBFHE with an additional transformation functionality, and define its security notions. Then, we present a generic construction of CCA-secure keyed-FHE from IND-sID-CPA-secure convertible IBFHE and strongly EUF-CMA-secure signature. Finally, we propose a concrete construction of IND-sID-CPA-secure convertible IBFHE, resulting in the first CCA-secure keyed-FHE scheme in the standard model.

You have full access to this open access chapter, Download conference paper PDF

Constructions for the IND-CCA1 Secure Fully Homomorphic Encryption

On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes

On Extension of Evaluation Algorithms in Keyed-Homomorphic Encryption

Keywords

1 Introduction

Today’s information services are increasingly storing data across many servers shared with other data owners. An example of this is cloud computing which has the great potential of providing various services to the society at significantly reduced cost due to aggregated management of elastic resources. Since software systems are not guaranteed to be bug-free and hardware platforms are not under direct control of data owners in such distributed systems, security risks are abundant. To mitigate users’ privacy concern about their data, a common solution is to outsource data in encrypted form so that it will remain private even if data servers are not trusted or compromised. To not nullify the benefits of cloud computing, however, we need homomorphic encryption schemes that allow meaningful computations on encrypted data. Recently, in a breakthrough effort, Gentry [28] constructed a fully homomorphic encryption (FHE) scheme enabling anyone to compute arbitrary functions on encrypted data. On the other hand, security against chosen-ciphertext attack (CCA) [24, 42, 47] is now a commonly accepted standard security notion for encryption, and unfortunately, it is well-known that CCA security and the homomorphic property cannot be achieved simultaneously.

The incompatibility of CCA security and homomorphicity cannot be reconciled under the assumption that everyone can “freely” perform homomorphic operations on ciphertexts. Very recently, Emura et al. [25] showed that in the setting where homomorphic operations are performed in a “controlled” fashion, CCA security and homomorphicity can be simultaneously achieved. They suggested a new primitive called keyed-homomorphic encryption [25], where homomorphic ciphertext manipulations are only possible to a party holding a devoted evaluation key $\textsf {EK}$ which, by itself, does not enable decryption. A keyed-homomorphic encryption scheme should provide CCA2 security when the evaluation key is unavailable to the adversary and remain CCA1 secure when $\textsf {EK}$ is exposed. Emura et al. [25] presented a number of keyed-homomorphic encryption schemes through hash proof systems [22], which only allow simple computations on encrypted data (i.e., either adding or multiplying encrypted ciphertexts, but not both operations at the same time). This paper is motivated by the goal of constructing CCA-secure keyed-fully homomorphic encryption (keyed-FHE)^{Footnote 1} capable of evaluating any functions on encrypted data with a devoted evaluation key $\textsf {EK}$.

Our Contribution. One may hope to obtain CCA-secure keyed-FHE by using the double encryption methodology: a ciphertext of an “inner” CPA-secure FHE scheme is encrypted by an “outer” CCA-secure encryption scheme, and the evaluation key EK is the decryption key of the “outer” CCA-secure encryption scheme. Unfortunately, this naive construction is not secure in the sense of our security definition for keyed-fully homomorphic encryption. An adversary is allowed to issue decryption queries before the evaluation key EK is exposed to the adversary in our security definition. However, no such decryption query is allowed in the CPA security game of the underlying “inner” FHE scheme^{Footnote 2}.

We propose a generic paradigm of constructing CCA-secure keyed-FHE, which follows the line of CHK transformation [18]. It is worth noting that, one cannot achieve CCA-secure keyed-FHE from IND-sID-CPA-secure IBFHE by CHK transformation directly, since each IBE ciphertext is under a fresh identity and the homomorphic evaluation functionality of IBFHE does not work.

We define a new primitive named convertible identity-based fully homomorphic encryption (IBFHE) and its IND-sID-CPA security notions. Informally, a convertible IBFHE is an IBFHE with an additional transformation functionality, which may be of independent interest.
Based on our new primitive, IND-sID-CPA-secure convertible IBFHE, and strongly EUF-CMA-secure signature, we propose a generic paradigm of constructing CCA-secure keyed-FHE by modifying CHK transformation [18] slightly.
We construct a convertible identity-based (leveled) FHE scheme based on the adaptively-secure IBE scheme proposed by Agrawal et al. [1], and prove that it is IND-sID-CPA secure in the standard model, resulting in the first CCA-secure keyed-FHE scheme in the standard model. Actually, one can use our techniques to construct convertible IBFHE schemes based on the adaptively-secure IBE schemes proposed in [2, 19].

Convertible IBFHE. A convertible IBFHE scheme consists of seven algorithms: Setup, Extract, GenerateTK, Encrypt, Transform, Decrypt and Evaluate. Among these algorithms, $(\textsf {Setup}$, $\textsf {Extract}$, $\textsf {Encrypt}$, $\textsf {Decrypt}$, $\textsf {Evaluate})$ constitute the traditional IBFHE scheme; algorithms GenerateTK and Transform provide the following functionality: given a transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$ for an identity $\widetilde{\textsf {ID}}$, which is generated by an authority using algorithm GenerateTK, one with the help of algorithm Transform can transform a ciphertext CT under any identity into a ciphertext under identity $\widetilde{\textsf {ID}}$ without changing the underlying plaintext of CT.

The additional functionality of convertible IBFHE is reminiscent of identity-based proxy re-encryption (IBPRE) [32]. Unlike convertible IBFHE, in an IBPRE scheme, a transformation key (i.e., re-encryption key) $\textsf {TK}_{\textsf {ID}_1\rightarrow \textsf {ID}_2}$ associated with two identities $\textsf {ID}_1$ and $\textsf {ID}_2$, is generated by the user with identity $\textsf {ID}_1$, and one with the transformation key can only convert an encryption under identity $\textsf {ID}_1$ into the encryption under identity $\textsf {ID}_2$.

The adaptive security of convertible IBFHE requires that given a challenge ciphertext $\textsf {CT}^*$ under some identity $\textsf {ID}^*$, no PPT adversary can distinguish, except with a negligible advantage, whether $\textsf {CT}^*$ is an encryption of 1 under identity $\textsf {ID}^*$ or an encryption of 0 under identity $\textsf {ID}^*$. We allow an adversary to adaptively issue private key queries on identities $\textsf {ID}$ and transformation key queries on identities $\widetilde{\textsf {ID}}$, but with the natural constraints that: (1) the adversary cannot issue private key query for the challenge identity $\textsf {ID}^*$; (2) the adversary cannot issue private key query for an identity $\widetilde{\textsf {ID}}$ such that the adversary has issued a transformation key query on $\widetilde{\textsf {ID}}$, and vice versa.

For constructing CCA-secure keyed-FHE, we only require that the underlying convertible IBFHE be secure in a weaker security model, denoted as IND-sID-CPA security model. In this weaker security model, the transformation key query can be issued only once by the adversary, and the target identity $\textsf {ID}^*$ and the designated identity $\widetilde{\textsf {ID}}$ which the adversary wants to obtain the corresponding transformation key must be committed by the adversary ahead of the system setup.

CCA-secure keyed-FHE from IND-sID-CPA-secure convertible IBFHE. We give a high-level description on how to construct a CCA-secure keyed-FHE scheme from an IND-sID-CPA-secure convertible IBFHE scheme characterized by $(\textsf {GenerateTK}, \textsf {Transform})$, with the help of a strongly EUF-CMA-secure signature scheme $\mathcal {S}=(\textsf {Gen}, \textsf {Sign}, \textsf {Vrfy})$.

The public key of our proposed keyed-FHE scheme is the public parameters of the convertible IBFHE scheme, the secret key is the corresponding master key, and the evaluation key is $(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$, where $(\widetilde{vk},\widetilde{sk})$ is a key-pair for the signature scheme $\mathcal {S}$ and $\textsf {TK}_{\mapsto \widetilde{vk}}$ which is generated by algorithm GenerateTK of the convertible IBFHE scheme is the transformation key for “identity” $\widetilde{vk}$.

To encrypt a message bit, the encryption algorithm first runs algorithm $\mathcal {S}.\textsf {Gen}$ to obtain a key-pair (vk, sk), and then uses the convertible IBFHE scheme to encrypt the message bit with respect to the “identity” vk, with the resulting ciphertext denoted as $\textsf {CT}$. Next, the signing key sk is used to sign CT to obtain a signature $\sigma $. The final ciphertext C consists of the verification key vk, the convertible IBFHE ciphertext $\textsf {CT}$ and the signature $\sigma $. Given a ciphertext $C=(vk,\textsf {CT},\sigma )$, the decryption algorithm first uses algorithm $\mathcal {S}. \textsf {Vrfy}$ to verify the signature $\sigma $ on $\textsf {CT}$ with respect to vk and outputs $\perp $ if the verification fails. Otherwise, the decryption algorithm generates the private key $\textsf {SK}_{vk}$ corresponding to the “identity” vk, and decrypts the ciphertext $\textsf {CT}$ using the underlying convertible IBFHE scheme.

Given a tuple of ciphertexts ${\varvec{C}}=(C_1,\ldots ,C_k)$ where $C_i=(vk_i,\textsf {CT}_i,\sigma _i)$, and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$, the evaluation algorithm first verifies the signature $\sigma _i$ on $\textsf {CT}_i$ with respect to $vk_i$ for each $i\in [k]$ and outputs $\perp $ if the verification fails. Otherwise, for each $i\in [k]$, with $\textsf {TK}_{\mapsto \widetilde{vk}}$, it runs algorithm Transform of the convertible IBFHE scheme to convert the ciphertext $\textsf {CT}_i$ under “identity” $vk_i$ into a ciphertext $\widetilde{\textsf {CT}}_i$ under the “identity” $\widetilde{vk}$. Since now $\widetilde{\textsf {CT}}_1,\ldots , \widetilde{\textsf {CT}}_k$ are the ciphertexts under the same “identity” $\widetilde{vk}$, the evaluation algorithm can evaluate the Boolean circuit f on the ciphertexts $\widetilde{\textsf {CT}}_1,\ldots , \widetilde{\textsf {CT}}_k$ using the underlying convertible IBFHE scheme. Then the resulting ciphertext $\widetilde{\textsf {CT}}$ is signed using $\widetilde{sk}$ to obtain a signature $\tilde{\sigma }$, and the evaluation algorithm outputs the ciphertext $C=(\widetilde{vk},\widetilde{\textsf {CT}},\tilde{\sigma })$.

As for the security of our proposed keyed-FHE scheme, we show that if there exists an adversary $\mathcal {A}$ with a non-negligible advantage in the CCA security game, we can create a reduction algorithm $\mathcal {B}$ that breaks the IND-sID-CPA security of the underlying convertible IBFHE scheme. The reduction algorithm $\mathcal {B}$ is informally described as follows. $\mathcal {B}$ first runs $\mathcal {S}.\textsf {Gen}$ to obtain two key-pairs $(vk^*,sk^*)$ and $(\widetilde{vk},\widetilde{sk})$. Then, $\mathcal {B}$ sets $vk^*$ and $\widetilde{vk}$ as its target “identity” and designated “identity”, which are submitted to its challenger in the IND-sID-CPA security game of the convertible IBFHE scheme. $\mathcal {B}$ is given the public parameters of the convertible IBFHE scheme and the transformation key $\textsf {TK}_{\mapsto \widetilde{vk}}$ for “identity” $\widetilde{vk}$. Now, $\mathcal {B}$ can use $(\widetilde{vk},\widetilde{sk})$ and $\textsf {TK}_{\mapsto \widetilde{vk}}$ to answer $\mathcal {A}$’s evaluation queries and the evaluation key query, and the challenge ciphertext $C^*$ given to $\mathcal {A}$ is set as $(vk^*,\textsf {CT}^*,\sigma ^*)$, where $\textsf {CT}^*$ is $\mathcal {B}$’s challenge ciphertext of the convertible IBFHE scheme and $\sigma ^*\leftarrow \mathcal {S}.\textsf {Sign}(sk^*,\textsf {CT}^*)$. Next, we shall explain how $\mathcal {B}$ answers the decryption queries for ciphertexts $C=(vk,\textsf {CT},\sigma )$ issued by adversary $\mathcal {A}$.

We say a ciphertext $C=(vk,\textsf {CT},\sigma )$ is valid if $\sigma $ is a valid signature on $\textsf {CT}$ with respect to vk. For $\mathcal {A}$’s decryption query on a ciphertext $C=(vk,\textsf {CT},\sigma )$ such that C is a valid ciphertext and $vk\notin \{vk^*,\widetilde{vk}\}$, $\mathcal {B}$ can issue a private key query on the “identity” vk to its challenger to obtain the corresponding private key $\textsf {SK}_{vk}$, and use the private key $\textsf {SK}_{vk}$ to answer $\mathcal {A}$’s query. The subtlety lies in how $\mathcal {B}$ deals with $\mathcal {A}$’s decryption query on a valid ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk\in \{vk^*,\widetilde{vk}\}$. Recall that $\mathcal {B}$ is not allowed to issue a private key query on the “identity” $vk\in \{vk^*,\widetilde{vk}\}$ to it’s own challenger in the IND-sID-CPA security game of the convertible IBFHE scheme. We first note that any valid ciphertext $C=(vk,\textsf {CT},\sigma )$ submitted by the adversary during its queries must, except with negligible probability, have $vk\ne vk^*$ by the strong security of the signature scheme $\mathcal {S}$. The crux of the security proof is then to show how $\mathcal {B}$ answers $\mathcal {A}$’s decryption query on a valid ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk=\widetilde{vk}$.

In our security definition of keyed-fully homomorphic encryption, the adversary can issue the decryption and evaluation queries only if it does not request the evaluation key to be exposed. Hence, for any valid ciphertext $C=(vk,\textsf {CT},\sigma )$ submitted by the adversary during its decryption queries, if $vk=\widetilde{vk}$, with overwhelming probability, C is one of $\mathcal {B}$’s responses to $\mathcal {A}$’s evaluation queries by the strong EUF-CMA security of the signature scheme $\mathcal {S}$. Based on the above observation, $\mathcal {B}$ will resort to a list EList to answer $\mathcal {A}$’s decryption query on a valid ciphertext $C=(vk=\widetilde{vk},\textsf {CT},\sigma )$. The list EList is set as $\emptyset $ initially and is updated while answering $\mathcal {A}$’s evaluations queries. Now, when $\mathcal {A}$ issues an evaluation query on a tuple of ciphertext ${\varvec{C}}=(C_1,\ldots ,C_k)$ and a Boolean circuit f, after sending the result C of the evaluation algorithm to the adversary, $\mathcal {B}$ additionally proceeds as follows.

1.
Check whether there exists an $i\in [k]$ such that $C_i=C^*$. If so, update the list by $\textsf {EList}\leftarrow \textsf {Elist}\cup \{(\perp ,C)\}$. Note that, to avoid an unachievable security definition, $\mathcal {B}$ answers $\perp $ for “unallowable ciphertext” that are the result of homomorphic evaluation for $C^*$ and any ciphertext of $\mathcal {A}$’s choice.
2.
For each valid ciphertext $C_i=(vk_i,\textsf {CT}_i,\sigma _i)$ where $i\in [k]$, obtain the corresponding plaintext $b_i$ by finding the corresponding record $(b_i,C_i)$ in the list EList if $vk_i=\widetilde{vk}$ or decrypting $\textsf {CT}_i$ with the help of issuing a private key query on the “identity” $vk_i$ to its challenger. Then, compute the message bit $m=f(b_1,\ldots ,b_k)$ and update the list by $\textsf {EList}\leftarrow \textsf {Elist}\cup \{(m,C)\}$.

Consequently, when $\mathcal {A}$ issues a decryption query on a valid ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk=\widetilde{vk}$, except with negligible probability, $\mathcal {B}$ can find a record (m, C) in the list EList and return m to the adversary as its answer. Hence, by the strong EUF-CMA security of the signature scheme $\mathcal {S}$, with overwhelming probability, $\mathcal {B}$ simulates the CCA security game of our proposed keyed-FHE scheme for $\mathcal {A}$ properly. Therefore, if $\mathcal {A}$ has a non-negligible advantage in the CCA security game, $\mathcal {B}$ breaks the IND-sID-CPA security of the underlying convertible IBFHE scheme with a non-negligible advantage.

Construction of IND-sID-CPA-secure convertible IBFHE. Based on the standard learning with errors (LWE) problem [49], Agrawal et al. [1] proposed an efficient identity-based encryption scheme and showed that their base construction can be extended to an adaptively-secure IBE using a lattice analog of the Waters IBE [56]. Our IND-sID-CPA-secure convertible IBFHE starts from the adaptively-secure IBE scheme in [1].

An encryption of a message bit b for an identity $\textsf {ID}=(d_1,\ldots ,d_\ell )\in \{-1,1\}^\ell $ in the adaptively-secure IBE scheme [1] takes the form of

$$\begin{aligned} c_0=u^\top s+x+b\lfloor \frac{q}{2}\rfloor \in \mathbb {Z}_q,\ c_1=F_{\textsf {ID}}^\top s +\left[ \begin{array}{c}y\\ R_{\textsf {ID}}^\top y\end{array}\right] \in \mathbb {Z}_q^{2m}, \end{aligned}$$

where $F_{\textsf {ID}}=A\mid B_0+\sum _{i=1}^\ell d_iB_i$, $R_\textsf {ID}=\sum _{i=1}^\ell d_iR_i$, and $A,B_0,B_1,\ldots ,B_\ell ,u$ are the system’s public parameters, a short basis $T_A$ for $\varLambda _q^{\bot }(A)$ is the master key, $s, x,y,R_1,\ldots ,R_\ell $ are noise vectors with short norm used in the encryption algorithm. The private key $\textsf {SK}_{\textsf {ID}}$ for identity $\textsf {ID}$ is a short vector $e_\textsf {ID}$ in $\varLambda _q^u(F_\textsf {ID})$, hence the message bit b can be recovered from $c_0-e_\textsf {ID}^\top c_1$.

Agrawal et al. [1] utilized the partitioning strategy to prove the adaptively-secure security of the above IBE scheme. In the security reduction, $B_1,\ldots ,B_\ell $ in the public parameters are set as $B_i=AR_i^*+h_iB_0$, where all the matrices $R_i^*$ are random and $h_i$ is a secret coefficient in $\mathbb {Z}_q$. Consequently,

$$\begin{aligned} F_\textsf {ID}=A\mid B_0+\sum _{i=1}^\ell d_iB_i=A\mid A(\sum _{i=1}^\ell d_iR_i^*)+h_\textsf {ID}B_0, \end{aligned}$$

where $h_\textsf {ID}=(1+\sum _{i=1}^\ell d_ih_i)$, and the identity space is partitioned into two parts according to whether $h_\textsf {ID}$ is equal to 0 or not. If $h_\textsf {ID}\ne 0$, the simulator, without knowing the master key, can use a trapdoor $T_{B_0}$ for $\varLambda _q^{\bot }(B_0)$ to generate the private key for identity $\textsf {ID}$, i.e., a short vector $e_\textsf {ID}$ in $\varLambda _q^u(F_\textsf {ID})$. The simulator cannot produce the corresponding private key for identities $\textsf {ID}$ such that $h_\textsf {ID}=0$, but will be able to construct a useful challenge to solve the given LWE problem instance. Let $\textsf {ID}^*$ be the challenge identity and let $\textsf {ID}_1,\ldots ,\textsf {ID}_Q$ be the identities for which the adversary issues private key queries. The security proof will require that for any $\textsf {ID}^*,\textsf {ID}_1,\ldots ,\textsf {ID}_Q$, with non-negligible probability,

$$\begin{aligned} h_{\textsf {ID}^*}=0\wedge h_{\textsf {ID}_1}\ne 0\wedge \ldots \wedge h_{\textsf {ID}_\ell }\ne 0, \end{aligned}$$

which can be satisfied by the abort-resistant hash family used in [7, 34, 56].

The idea of constructing convertible IBFHE is summarized as follows. We first show how to design a convertible IBE scheme (i.e. without the homomorphic evaluation functionality), and then extend it to a convertible IBFHE scheme. To construct convertible IBE, we should provide an approach to converting a ciphertext $\textsf {CT}$ under any identity $\textsf {ID}$ into a ciphertext $\widetilde{\textsf {CT}}$ under the designated identity $\widetilde{\textsf {ID}}$. For transformation correctness (i.e., decrypting $\textsf {CT}$ and $\widetilde{\textsf {CT}}$ with the corresponding private key $\textsf {SK}_\textsf {ID}$ for identity $\textsf {ID}$ and $\textsf {SK}_{\widetilde{\textsf {ID}}}$ for identity $\widetilde{\textsf {ID}}$ respectively, must have the same result), we need be able to check whether a ciphertext is well-formed. However, starting from the adaptively-secure IBE scheme proposed in [1], we are thrown into a dilemma. Agrawal et al. [1] proved that in their proposed IBE scheme, encryption of any message bit is indistinguishable from uniform vector over $\mathbb {Z}_q$ under the LWE assumption. That is, any well-formed ciphertext in [1] is pseudorandom; thus it is difficult to design a mechanism to check the well-formedness of a ciphertext. We resort to the recent advances in indistinguishability obfuscation [52] to overcome the obstacle.

Besides $A,B_0,B_1$, $\ldots ,B_\ell ,u$, the public parameters of our proposed convertible IBE include an indistinguishability obfuscation of the following program that takes as input an identity $\textsf {ID}=(d_1,\ldots ,d_\ell )\in \{-1,1\}^\ell $, a message bit $b\in \{0,1\}$ and randomness r,

1.
Set $t=\textsf {PRG}(r)$ and $(s, x,y,R_1,\ldots ,R_\ell )=\textsf {F}(\mathrm {K},\textsf {ID},t)$;
2.
Compute $c_0=u^\top s+x+b\lfloor \frac{q}{2}\rfloor \in \mathbb {Z}_q$, $c_1=F_{\textsf {ID}}^\top s +\left[ \begin{array}{c}y\\ R_{\textsf {ID}}^\top y\end{array}\right] \in \mathbb {Z}_q^{2m}$ and output $(t,c_0,c_1)$.

The system’s master key additionally includes the key $\mathrm {K}$ to the puncturable pseudorandom function (PRF) [52] F. Let $\mathbf {P}^{\textsf {Enc}}$ be the above obfuscated program. The encryption algorithm simply runs $\mathbf {P}^{\textsf {Enc}}(\textsf {ID},b,r)$ and outputs the result $(t,c_0,c_1)$. The private key $\textsf {SK}_{\textsf {ID}}$ for identity $\textsf {ID}$ is a short vector $e_\textsf {ID}$ in $\varLambda _q^u(F_\textsf {ID})$, and given a ciphertext $(t,c_0,c_1)$ under identity $\textsf {ID}$, the message bit b can be recovered from $c_0-e_\textsf {ID}^\top c_1$. Observe that, with the knowledge of $\mathrm {K}$, one can retrieve the randomness $s, x,y,R_1,\ldots ,R_\ell $ and the message bit b from a ciphertext $(t,c_0,c_1)$ under an identity $\textsf {ID}$, and thus can check the well-formedness of the ciphertext and re-encrypt b under another identity. Consequently, the transformation key for an designated identity $\widetilde{\textsf {ID}}=(\tilde{d}_1,\ldots ,\tilde{d}_\ell )\in \{-1,1\}^\ell $ is an indistinguishability obfuscation of the following program that takes as input a ciphertext $\textsf {CT}=(t,c_0,c_1)$ under an identity $\textsf {ID}=(d_1,\ldots ,d_\ell )\in \{-1,1\}^\ell $,

1.
Set $(s, x,y,R_1,\ldots ,R_\ell )=\textsf {F}(\mathrm {K},\textsf {ID},t)$, and check whether there exists $b\in \{0,1\}$ such that $c_0=u^\top s+x+b\lfloor \frac{q}{2}\rfloor $ and $c_1=F_{\textsf {ID}}^\top s +\left[ \begin{array}{c}y\\ R_{\textsf {ID}}^\top y\end{array}\right] $. If not, output $\perp $.
2.
Set $(\tilde{s}, \tilde{x},\tilde{y},\tilde{R}_1,\ldots ,\tilde{R}_\ell )=\textsf {F}(\mathrm {K},\widetilde{\textsf {ID}},t)$, and compute $\tilde{c}_0=u^\top \tilde{s}+\tilde{x}+b\lfloor \frac{q}{2}\rfloor $, $\tilde{c}_1=F_{\widetilde{\textsf {ID}}}^\top \tilde{s} +\left[ \begin{array}{c}\tilde{y}\\ \tilde{R}_{\widetilde{\textsf {ID}}}^\top \tilde{y}\end{array}\right] $ and output $(t,\tilde{c}_0,\tilde{c}_1)$.

Let $\mathbf {P}^{\textsf {Trans}}$ be the above obfuscated program. To convert an encryption $\textsf {CT}$ under identity $\textsf {ID}$ into the encryption under identity $\widetilde{\textsf {ID}}$, the transformation algorithm now simply runs $\mathbf {P}^{\textsf {Trans}}(\textsf {ID},\textsf {CT})$ and outputs the result.

As for the IND-sID-CPA security of the convertible IBE scheme, we follow the line of [1], i.e., utilizing the partitioning strategy. Let $\textsf {ID}^*$ be the challenge identity, $\widetilde{\textsf {ID}}$ be the designated identity which the adversary wants to obtain the corresponding transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}=(\widetilde{\textsf {ID}},\mathbf {P}^{\textsf {Trans}})$, and $\textsf {ID}_1,\ldots ,\textsf {ID}_Q$ be the identities for which the adversary issues private key queries. Let $\textsf {CT}^*=(t^*,c_0^*,c_1^*)$ be the challenge ciphertext for $\textsf {ID}^*$. In the security reduction, there exist some subtleties:

1.
It requires that $h_{\textsf {ID}^*}=0$, in order to construct the challenge $\textsf {CT}^*=(t^*,c_0^*,c_1^*)$ to solve the given LWE problem instance. Like the security reduction in [1], the randomness $s^*, x^*,y^*$ that are used to evaluate $c_0^*$ and $c_1^*$, come from the given LWE problem instance and is unknown to the simulator. Hence, when the adversary runs $\mathbf {P}^{\textsf {Trans}}(\textsf {ID}^*$, $\textsf {CT}^*)$, it will get an error symbol $\perp $, which enables it to distinguish the simulated settings and the real settings. We observe that the simulator can prepare $\textsf {CT}^*$ and $\widetilde{\textsf {CT}}^*$ at the setup phase, where $\widetilde{\textsf {CT}}^*$ denotes the corresponding result of calling the transformation algorithm on the challenge ciphertext $\textsf {CT}^*=(t^*,c_0^*,c_1^*)$, since in the IND-sID-CPA security game the adversary must commit $\textsf {ID}^*$ and $\widetilde{\textsf {ID}}$ ahead of the system setup. Consequently, the simulator can employ the technique of punctured programs, introduced by Sahai et al. [52], to simulate the transformation key for $\widetilde{\textsf {ID}}$ properly.
2.
It requires that for any $\textsf {ID}^*,\widetilde{\textsf {ID}},\textsf {ID}_1,\ldots ,\textsf {ID}_Q$, with non-negligible probability, $h_{\textsf {ID}^*}=0\wedge h_{\widetilde{\textsf {ID}}}=0\wedge h_{\textsf {ID}_1}\ne 0\wedge \ldots \wedge h_{\textsf {ID}_\ell }\ne 0$. Unfortunately, it cannot be satisfied by the abort-resistant hash family used in [7, 34, 56]. On the other hand, we observe that, if $\textsf {ID}^*$ and $\widetilde{\textsf {ID}}$ are chosen uniformly at random, with non-negligible probability, the requirement of $h_{\textsf {ID}^*}=0\wedge h_{\widetilde{\textsf {ID}}}=0\wedge h_{\textsf {ID}_1}\ne 0\wedge \ldots \wedge h_{\textsf {ID}_\ell }\ne 0$ can be satisfied by the abort-resistant hash family used in [7, 34, 56]. Therefore, we use another puncturable PRF to map an identity $\textsf {ID}$ into a random identity $\textsf {id}\in \{-1,1\}^\ell $, and replace $\textsf {ID}$ with $\textsf {id}$ in all functionalities. Similarly, since $\textsf {ID}^*$ and $\widetilde{\textsf {ID}}$ must be committed by the adversary ahead of the system setup, the technique of punctured programs allows the simulator’s simulation be performed properly.

So far, we obtain an IND-sID-CPA-secure convertible IBE scheme. Next, we show that the convertible IBE scheme extends to a convertible IBFHE scheme. Recently, Gentry et al. [31] described a simple “compiler” that transforms any LWE-based IBE scheme (that satisfies certain natural properties) into an identity-based (leveled) FHE scheme. Since our proposed convertible IBE scheme starts from the LWE-based IBE schemes proposed in [1] that have the required properties, we can utilize the “compiler” to transform it into a convertible identity-based (leveled) FHE scheme.

Related Work. Emura et al. [25] showed that CCA security does not rule out homomorphicity when the capability to compute on encrypted data is controlled, by introducing a primitive called keyed-homomorphic encryption. Other approaches to reconcile homomorphism and non-malleability were taken in [9, 20, 44–46] but they inevitably satisfy weaker security notions than CCA security.

Based on hash proof systems [22], Emura et al. [25] constructed a number of CCA-secure keyed-homomorphic schemes. Recently, Libert et al. [40] applied linearly homomorphic structure-preserving signatures [39] to quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs [37], proposed QA-NIZK proofs with unbounded simulation-soundness (USS), and constructed a CCA-secure keyed-homomorphic scheme with threshold decryption by applying USS. These CCA-secure keyed-homomorphic schemes only allow simple computations on encrypted data, i.e., either adding or multiplying encrypted ciphertexts, but not both operations at the same time.

Fully Homomorphic Encryption. The notion of fully homomorphic encryption (FHE) capable of performing any computations on encrypted data, was first put forward by Rivest et al. [50]. However, only in the past few years have candidate FHE schemes been proposed. The first such scheme was constructed by Gentry [28]; his work inspired a tremendous amount of research effort on improving the efficiency of his scheme [13, 21, 29, 30, 53, 54], realizations of FHE based on different assumptions [14, 16, 17, 55], and so on. Until now, fully homomorphic encryption schemes can only be proven secure against chosen-plaintext attack (CPA).

Controlled Homomorphic Encryption. Desmedt et al. [23] put forth the notion of a controllable homomorphic encryption scheme (CHES) that blends together the notion of a fully homomorphic encryption scheme and of a functional encryption scheme [8]. In a CHES, a designated homomorphic operation C can be efficiently performed on a single ciphertext by a party that has a special token for function C that is released by the owner of the secret key. Compared with CHES, keyed-FHE enables a party holding a devoted evaluation key to compute arbitrary functions on ciphertexts, and it can provide CCA2 security when the evaluation key is unavailable.

Indistinguishability Obfuscation. Program obfuscation deals with the problem of how to protect a program from reverse engineering while preserving functionality. Unfortunately, Barak et al. [5, 6] showed that the most natural simulation-based formulation of program obfuscation (a.k.a. “black-box obfuscation”) is impossible to achieve for general programs in a very strong sense. Faced with this impossibility result, Barak et al. [5, 6] suggested another notion of program obfuscation named indistinguishability obfuscation. Roughly speaking, an indistinguishability obfuscation scheme ensures that the obfuscations of any two functionally equivalent circuits are computationally indistinguishable. Recently, Garg et al. [27] proposed the first candidate construction of an efficient indistinguishability obfuscation ($i\mathcal {O}$) for general programs.

Recently, staring with [52] there has been much interest in investigating what can be built from $i\mathcal {O}$, since this model leads to poly-time obfuscation of unrestricted program classes, circumventing the known impossibility results of [5, 6]. Subsequently, many papers [11, 26, 33, 35, 36, 48, 52, 57] have shown a wide range of cryptographic applications of $i\mathcal {O}$. We utilize $i\mathcal {O}$ to construct an IND-sID-CPA-secure convertible IBFHE scheme.

Organization. The rest of the paper is organized as follows. Some preliminaries are given in Sect. 2. We introduce the notion and security model of convertible IBFHE in Sect. 3. We propose a paradigm of constructing CCA-secure keyed-FHE from IND-sID-CPA-secure convertible IBFHE and strongly EUF-CMA-secure signature in Sect. 4. We present a concrete construction of IND-sID-CPA-secure convertible identity-based (leveled) FHE in Sect. 5. Section 6 concludes the paper.

2 Preliminaries

If S is a set, then $s_1, \ldots , s_t\leftarrow S$ denotes the operation of picking elements $s_1, \ldots , s_t$ uniformly at random from S. If $n\in \mathbb {N}$ then [n] denotes the set $\{1,\ldots ,n\}$. For a probabilistic algorithm A, we denote $y\leftarrow A(x; R)$ the process of running A on input x and with randomness R, and assigning y the result. Let $\mathcal {R}_A$ denote the randomness space of A, and we write $y\leftarrow A(x)$ for $y\leftarrow A(x; R)$ with R chosen from $\mathcal {R}_A$ uniformly at random. A function $f(\kappa )$ is negligible, if for every $c>0$ there exists a $\kappa _c$ such that $f(\kappa )<1/\kappa ^c$ for all $\kappa >\kappa _c$. For a real $x\in \mathbb {R}$, $\lfloor {x}\rceil $ denotes the nearest integer to x, and $\lfloor {x}\rfloor $, $\lceil {x}\rceil $ for $x \ge 0$ to indicate rounding down or up.

2.1 Lattices

A full-rank lattice $\varLambda $ is the set of all integer linear combinations of n linearly independent basis vectors belonging to some $\mathbb {R}^n$. In this work, we are interested in full-rank integer lattices that are restricted to $\mathbb {Z}^n$.

Definition 1

Fixing q and given a matrix ${\varvec{A}} \in \mathbb {Z}^{n\times m}_q$, define the following m-dimensional Ajtai lattices,

$$\begin{aligned} \varLambda _q({\varvec{A}})= & {} \{ {\varvec{y}}\in \mathbb {Z}^m : {\varvec{y}} = {\varvec{A}}^T{\varvec{s}}\text { mod }q for some {\varvec{s}}\in \mathbb {Z}^n\},\\ \varLambda ^{\perp }_q({\varvec{A}})= & {} \{ {\varvec{y}}\in \mathbb {Z}^m : {\varvec{Ay}} = {\varvec{0}}\text { mod }q\}. \end{aligned}$$

For any ${\varvec{u}}\in \mathbb {Z}^n_q$ admitting an integral solution to ${\varvec{Ax}} = {\varvec{u}}\text { mod }q$, define the coset (or shifted lattice) $\varLambda ^{{\varvec{u}}}_q({\varvec{A}}) = \{ {\varvec{y}}\in \mathbb {Z}^m :{\varvec{Ay}} = {\varvec{u}}\text { mod }q\}=\varLambda ^{\perp }_q({\varvec{A}})+{\varvec{x}}$.

For a set of vectors ${\varvec{B}} = \{{\varvec{b}}_1, \ldots , {\varvec{b}}_m\}\in \mathbb {Z}^{n\times m}_q$, denote by $\Vert {\varvec{B}}\Vert $ the $L_2$ length of the longest vector in ${\varvec{B}}$ and denote by $\widetilde{{\varvec{B}}} = \{\widetilde{{\varvec{b}}}_1, \ldots , \widetilde{{\varvec{b}}}_m\}$ the Gram-Schmidt orthogonalization of ${\varvec{b}}_1, \ldots , {\varvec{b}}_m$ taken in that order. We refer to $\Vert \widetilde{{\varvec{B}}}\Vert $ as the Gram-Schmidt norm of ${\varvec{B}}$.

2.2 Discrete Gaussians

Let $\sigma \in \mathbb {R}^+$ and ${\varvec{c}}\in \mathbb {R}^m$, the Gaussian function On $\mathbb {R}^m$ with center $\mathbf {c}$ and parameter $\sigma $ is defined as $\rho _{\sigma , \mathbf {c}}(\mathbf {x}) = \exp (-\pi \Vert \mathbf {x} - \mathbf {c}\Vert ^2/\sigma ^2)$. For a positive integer $m\in \mathbb {N}$, and a lattice $\varLambda \in \mathbb {Z}^m$, define the infinite discrete sum of Gaussian function over the lattice $\varLambda $, $\rho _{\sigma , \mathbf {c}}(\varLambda ) = \sum _{\mathbf {x} \in \varLambda }\rho _{\sigma , \mathbf {c}}(\mathbf {x})$. The discrete Gaussian distribution $\mathcal {D}_{\varLambda , \sigma , \mathbf {c}}$ is the m-dimensional Gaussian distribution centered at $\mathbf {c}$ and restricted to the lattice $\varLambda $, defined as $\mathcal {D}_{\varLambda , \sigma ,\mathbf {c}}(\mathbf {x}) = \frac{\rho _{\sigma ,\mathbf {c}}(\mathbf {x})}{\rho _{\sigma , \mathbf {c}}(\varLambda )}$ for all the lattice point $\mathbf {x}\in \varLambda $. For ease of notation, we omit the center $\mathbf {c}$ if $\mathbf {c} = \mathbf {0}$, and then abbreviate $\mathcal {D}_{\varLambda , \sigma , \mathbf {0}}$ as $\mathcal {D}_{\varLambda , \sigma }$.

2.3 Sampling Algorithms

How to generate a random matrix ${\varvec{A}}$ statistically close to uniform in $\mathbb {Z}^{n\times m}_q$ along with a short basis (i.e., trapdoor) ${\varvec{T}}$ of $\varLambda ^{\perp }_q({\varvec{A}})$ is an important technique in lattice-based cryptography. It has been widely investigated by [3, 4, 41]. We use the trapdoor sampling algorithm proposed by Alwen and Peikert [4].

Theorem 1

Let $n\ge 1$ and q be an odd prime, and let $m \ge 6n\log q$. There is an efficient probabilistic polynomial-time algorithm $\mathsf {TrapGen}(q, n)$ that outputs ${\varvec{A}} \in \mathbb {Z}^{n\times m}_q$ and ${\varvec{T}} \in \mathbb {Z}^{m\times m}$ such that the distribution of ${\varvec{A}}$ is within negl(n) statistical distance of uniform and ${\varvec{T}}$ is a basis of $\varLambda ^{\perp }_q({\varvec{A}})$ satisfying $\Vert {\varvec{T}}\Vert \le O(n \log q)$ and $\Vert \widetilde{{\varvec{T}}}\Vert \le O(\sqrt{n \log q})$ with all but negligible probability in n.

In the construction and the simulation of our convertible IBFHE scheme, we employ the sampling algorithms $\mathsf {SampleLeft}$ and $\mathsf {SampleRight}$ given in [1], which can be used to sample relatively short vectors.

Theorem 2

Let ${\varvec{A}}$ be a rank n matrix in $\mathbb {Z}^{n\times m}_q$ and let ${\varvec{T}}_{{\varvec{A}}}$ be a “short” basis of $\varLambda ^{\perp }_q({\varvec{A}})$. Let ${\varvec{M}}_1$ be a matrix in $\mathbb {Z}^{n\times m_1}_q$ and let ${\varvec{F}}_1= {\varvec{A}}|{\varvec{M}}_1$. Let ${\varvec{u}}$ be a vector in $\mathbb {Z}^n_q$ and $\sigma >\Vert \widetilde{{\varvec{T}}_{{\varvec{A}}}}\Vert \cdot \omega (\sqrt{\log (m+m_1)})$. There is a probabilistic polynomial-time algorithm $\mathsf {SampleLeft}({\varvec{A}},{\varvec{M}}_1,{\varvec{T}}_{{\varvec{A}}},{\varvec{u}},\sigma )$ that outputs a vector ${\varvec{e}}\in \mathbb {Z}^{m+m_1}_q$ sampled from a distribution statistically close to $\mathcal {D}_{\varLambda ^{{\varvec{u}}}_q({\varvec{F}}_1),\sigma }$. In particular, ${\varvec{e}}\in \varLambda ^{{\varvec{u}}}_q(\mathbf {F}_1)$.

Theorem 3

Let ${\varvec{B}}$ be a rank n matrix in $\mathbb {Z}^{n\times m}_q$ and let ${\varvec{T}}_{{\varvec{B}}}$ be a “short” basis of $\varLambda ^{\perp }_q({\varvec{B}})$. Let ${\varvec{R}}$ be a matrix in $\mathbb {Z}^{k\times m}_q$. Let ${\varvec{A}}$ be a matrix in $\mathbb {Z}^{n\times k}_q$ and let ${\varvec{F}}_2= {\varvec{A}}|{\varvec{AR}}+{\varvec{B}}$. Let ${\varvec{u}}$ be a vector in $\mathbb {Z}^n_q$ and $\sigma >\Vert \widetilde{{\varvec{T}}_{{\varvec{B}}}}\Vert \cdot \Vert {\varvec{R}}\Vert \cdot \omega (\sqrt{\log (m)})$. There is a probabilistic polynomial-time algorithm $\mathsf {SampleRight}({\varvec{A}},{\varvec{B}},{\varvec{R}},{\varvec{T}}_{{\varvec{B}}},{\varvec{u}},\sigma )$ that outputs a vector ${\varvec{e}}\in \mathbb {Z}^{m+k}_q$ sampled from a distribution statistically close to $\mathcal {D}_{\varLambda ^{{\varvec{u}}}_q({\varvec{F}}_1),\sigma }$. In particular, ${\varvec{e}}\in \varLambda ^{{\varvec{u}}}_q(\mathbf {F}_2)$.

2.4 The LWE Hardness Assumption

Let n be a positive integer dimension, let $q\ge 2$ be a prime, and let $\chi $ be a probability distribution over $\mathbb {Z}_q$. For ${\varvec{s}}\in \mathbb {Z}_q^n$, let $A_{{\varvec{s}},\chi }$ and $U_{\$}$ be two distributions defined as follows:

$A_{{\varvec{s}},\chi }$: the probability distribution on $\mathbb {Z}_q^n\times \mathbb {Z}_q$ obtained by choosing a random vector ${\varvec{a}}\in \mathbb {Z}_q^n$ uniformly, choosing an error term $e\in \mathbb {Z}_q$ according to $\chi $, and outputting $({\varvec{a}},\langle {\varvec{a}},{\varvec{s}}\rangle + e)$.
$U_{\$}$: the uniform distribution over $\mathbb {Z}_q^n\times \mathbb {Z}_q$.

For uniformly random ${\varvec{s}}\in \mathbb {Z}_q^n$, an $(\mathbb {Z}_q,n,\chi )\text {-LWE}$ problem instance consists of access to a challenge oracle $\mathcal {O}$ that outputs samples $({\varvec{a}},b)$ from $\mathbb {Z}_q^n\times \mathbb {Z}_q$ according to, either the probability distribution $A_{{\varvec{s}},\chi }$, or the uniform distribution $U_{\$}$. The $(\mathbb {Z}_q,n,\chi )\text {-LWE}$ problem allows repeated queries to the challenge oracle $\mathcal {O}$. We say that an algorithm $\mathcal {A}$ decides the $\text {LWE}_{\mathbb {Z}_q,n,\chi }$ problem if

$$\begin{aligned} \text {Adv}_{\mathcal {A}}^{(\mathbb {Z}_q,n,\chi )\text {-LWE}}= |\Pr [\mathcal {A}^{\mathcal {O}_s}=1]-\Pr [\mathcal {A}^{\mathcal {O}_\$}=1]| \end{aligned}$$

is non-negligible for a random ${\varvec{s}}\in \mathbb {Z}^n_q$, where $\mathcal {O}_s$ and $\mathcal {O}_\$$ represent that the oracle $\mathcal {O}$ outputs samples from $\mathbb {Z}_q^n\times \mathbb {Z}_q$ according to $A_{{\varvec{s}},\chi }$ and $U_{\$}$ respectively.

Regev [49] and Perkert [43] showed that for certain noise distributions $\chi $, denoted $\bar{\varPsi }_\alpha $, the LWE problem is as hard as the worst-case SIVP and GapSVP under a quantum reduction. Brakerski et al. [15] provided the first classical hardness reduction of LWE with polynomial modulus.

Definition 2

Consider a real parameter $\alpha \in (0,1)$ and a prime q. Let $\mathbb {T}=\mathbb {R}/\mathbb {Z}$ denote the group of reals [0, 1) with addition modulo 1. Let $\varPsi _\alpha $ be the distribution on $\mathbb {T}$ obtained by sampling a normal variable with mean 0 and standard deviation $\alpha /\sqrt{2\pi }$ and reducing the result modulo 1. Let $\bar{\varPsi }_\alpha $ denote the discrete distribution over $\mathbb {Z}_q$ of the random variable $\lfloor qX \rceil $ where the random variable $X\in \mathbb {T}$ has distribution $\varPsi _\alpha $.

The following lemma about the distribution $\bar{\varPsi }_\alpha $ taken from [1] will be needed to show that decryption works correctly.

Lemma 1

Let ${\varvec{e}}$ be some vector in $\mathbb {Z}^m$ and let ${\varvec{y}}\leftarrow _R\bar{\varPsi }_\alpha $. Then the quantity $|{\varvec{e}}^\top {\varvec{y}}|$ treated as an integer in $[0,q-1]$ satisfies $|{\varvec{e}}^\top {\varvec{y}}|\le \Vert e\Vert q\alpha \omega (\sqrt{\log m})+\Vert e\Vert \sqrt{m}/2$ with all but negligible probability in m.

2.5 Vector Decomposition

Let k be an integer dimension, let $l=\lfloor \log _2q\rfloor +1$ and $N=k\cdot l$. Let ${\varvec{a}}, {\varvec{b}} \in \mathbb {Z}_q^k$. We show a way of decomposing vectors that preserves the inner product [31]. We often break vectors into their bit representations as defined below:

$\mathsf {BitDecomp}({\varvec{a}})$: For ${\varvec{a}}\in \mathbb {Z}_q^k$, let $a_{i,j}$ be the j-th bit in $a_i$’s binary representation, bits ordered least significant to most significant. Output the N-dimensional vector $(a_{1,0},\ldots ,a_{1,l-1},\ldots ,a_{k,0},\ldots ,a_{k,l-1})$. $\mathsf {BitDecomp}^{-1}({\varvec{a}}')$: It is the inverse of $\mathsf {BitDecomp}$. For ${\varvec{a}}'=(a_{1,0},\ldots ,a_{1,l-1},\ldots ,a_{k,0},\ldots ,a_{k,l-1})$, output $(\sum 2^j\cdot a_{1,j},\ldots ,\sum 2^j\cdot a_{k,j}).$ Note that, it is well-defined even if ${\varvec{a}}'$ is not a 0 / 1 vector.

$\mathsf {Flatten}({\varvec{a}}')$: For N-dimensional vector ${\varvec{a}}'$, output $\mathsf {BitDecomp}(\mathsf {BitDecomp}^{-1}({\varvec{a}}'))$, a N-dimensional vector with 0/1 coefficients.

$\mathsf {Powerof2}({\varvec{b}})$: For ${\varvec{b}}=(b_1,\ldots ,b_k)\in \mathbb {Z}_q^k$, output the N-dimensional vector $(b_1,2b_1$, $\ldots ,2^{l-1}b_1$, $\ldots $, $b_k, 2b_k,\ldots ,2^{l-1}b_k)$.

Claim 1

Let ${\varvec{a}}, {\varvec{b}}$ be vectors of some dimension k over $\mathbb {Z}_q$, let ${\varvec{a}}'$ be any N-dimensional vector. We have

$\langle \mathsf {BitDecomp}({\varvec{a}}),\mathsf {Powerof2}({\varvec{b}})\rangle = \langle {\varvec{a}},{\varvec{b}}\rangle $.
$\langle {\varvec{a}}',\mathsf {Powerof2}({\varvec{b}})\rangle = \langle \mathsf {BitDecomp}^{-1}({\varvec{a}}'),{\varvec{b}}\rangle = \langle \mathsf {Flatten}({\varvec{a}}'),\mathsf {Powerof2}({\varvec{b}})\rangle $.

When ${\varvec{A}}$ is a matrix, let $\mathsf {BitDecomp}({\varvec{A}})$, $\mathsf {BitDecomp}^{-1}({\varvec{A}})$ or $\mathsf {Flatten}({\varvec{A}})$ be the matrix formed by applying the operation to each row of ${\varvec{A}}$ separately.

2.6 Indistinguishability Obfuscation

Roughly speaking, an indistinguishability obfuscation ($i\mathcal {O}$) scheme ensures that the obfuscations of any two functionally equivalent circuits are computationally indistinguishable. Indistinguishability obfuscation was originally proposed by Barak et al. [5, 6] as a potential weakening of virtual-black-box obfuscation. We recall the definition from [27]. A uniform probabilistic polynomial time (PPT) machine $i\mathcal {O}$ is called an indistinguishability obfuscator for a circuit class $\{\mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}$ if the following conditions are satisfied:

Correctness. For all security parameters $\lambda \in \mathbb {N}$, for all $C\in \mathcal {C}_\lambda $, and for all input x, we have that $\text {Pr}[C'(x)=C(x):C'\leftarrow i\mathcal {O}(\lambda ,C)]=1$.
Security. For any (not necessarily uniform) PPT distinguisher D, for all pairs of circuits $C_0,C_1\in \mathcal {C}_\lambda $ such that $C_0(x)=C_1(x)$ on all inputs x the following distinguishing advantage is negligible:
$$\begin{aligned} \textsf {Adv}_{i\mathcal {O},C_0,C_1}^D(\lambda ):=|\text {Pr}[D(i\mathcal {O}(\lambda ,C_0))=1]-\text {Pr}[D(i\mathcal {O}(\lambda ,C_1))=1]|. \end{aligned}$$

2.7 Puncturable PRFs

A pseudorandom function (PRF) is a function $F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ such that the function $F(K,\cdot )$ is indistinguishable from random when $K\leftarrow \mathcal {K}$. Puncturable PRFs were defined by Sahai and Waters [52] as a simple type of constrained PRFs [10, 12, 38]. They defined a puncturable PRF as a PRF for which a key can be given out that allows evaluation of the PRF on all inputs, except for a designated polynomial-size set of inputs. Formally, a puncturable PRF $F(K,\cdot )$ is equipped with additional PPT algorithms $(\textsf {Eval}_F,\textsf {Puncture}_F)$ such that the following properties hold:

Correctness. For every PPT algorithm which on input a security parameter $\lambda $ outputs a set $S\subseteq \{0,1\}^n$, for all $x\in \{0,1\}^n\backslash S$, we have that
$$\begin{aligned} \text {Pr}[\textsf {Eval}_F(K\{S\},x)=F(K,x):K\leftarrow \mathcal {K},K\{S\}\leftarrow \textsf {Puncture}_F(K,S)]=1. \end{aligned}$$
Security. For any PPT algorithm $\mathcal {A}$, the following distinguishing advantage is negligible:
$$\begin{aligned} |\text {Pr}[\mathcal {A}(S,K\{S\},F(K,S))=1:S\leftarrow \mathcal {A}(\lambda ),K\{S\}\leftarrow \textsf {Puncture}_F(K,S)]-\\ \text {Pr}[\mathcal {A}(S,K\{S\},U_{\bar{\ell }\cdot |S|})=1:S\leftarrow \mathcal {A}(\lambda ), K\{S\}\leftarrow \textsf {Puncture}_F(K,S)]|, \end{aligned}$$
where F(K, S) denotes the concatenation of $F(K,x_1),\cdots ,F(K,x_k)$, $S =\{x_1,\cdots ,x_k\}$ is the enumeration of the elements of S in lexicographic order, $\bar{\ell }$ denotes the bit-length of the output F(K, x), and $U_\ell $ denotes the uniform distribution over $\ell $ bits.

2.8 Keyed-Fully Homomorphic Encryption

A keyed-fully homomorphic encryption scheme consists of the following four algorithms:

Setup $(1^\kappa )$ takes as input a security parameter $\kappa $. It outputs a public key PK, a decryption key DK and an evaluation key EK.
Enc $(\textsf {PK},b)$ takes as input a public key PK and a message bit $b\in \{0,1\}$. It outputs a ciphertext C.
Dec $(\textsf {PK}, \textsf {DK},C)$ takes as input a public key PK, a decryption key DK and a ciphertext C. It outputs a message bit b.
Eval $(\textsf {PK}, \textsf {EK}, {\varvec{C}}, f)$ takes as input a public key PK, an evaluation key EK, a tuple of ciphertexts ${\varvec{C}}=(C_1,\ldots ,C_k)$ and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$. It outputs a ciphertext C.

Correctness. We require that for each $(\textsf {PK},\textsf {DK},\textsf {EK})$ output by Setup $(1^\kappa )$, the following hold:

Encryption correctness: with overwhelming probability, for all message bit $b\in \{0,1\}$, we have $\textsf {Dec}(\textsf {PK},\textsf {DK},\textsf {Enc}(\textsf {PK},b))=b$.
Evaluation correctness: for any k-ciphertexts $(C_1,\ldots ,C_k)$ such that $\textsf {Dec}($ $\textsf {PK},\textsf {DK},C_i)=b_i\in \{0,1\}$, and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$, with overwhelming probability, we have
$$\begin{aligned} \textsf {Dec}(\textsf {PK},\textsf {DK}, \textsf {Eval}(\textsf {PK},\textsf {EK},{\varvec{C}}=(C_1,\ldots ,C_k), f))=f(b_1,\ldots ,b_k). \end{aligned}$$

Security. The CCA security of keyed-FHE scheme is defined using the following game between a PPT adversary $\mathcal {A}$ and a challenger. The adversary is only allowed to issue the decryption queries before it requests the evaluation key EK to be exposed in our security definition; thus it is slightly different from the definition given in [25]. That is, in our model, a keyed-FHE scheme should provide CCA security when the evaluation key is unavailable to the adversary and remain CPA-secure when the evaluation key is exposed.

Setup. The challenger runs Setup $(1^\lambda )$ to obtain a public key PK, a decryption key DK and an evaluation key EK. It sends the public key PK to the adversary $\mathcal {A}$. In addition, the challenger maintains a list DList, which is set as $\emptyset $ initially.
Query phase 1. The adversary $\mathcal {A}$ adaptively issues the following queries:
- DecCT $\langle C\rangle $: The challenger uses the decryption key DK to decrypt C with algorithm Dec. The result is sent back to $\mathcal {A}$. This query is not allowed to issue if $\mathcal {A}$ has queried to RevEK.
- EvalOnCT $\langle {\varvec{C}}=(C_1,\ldots ,C_k), f \rangle $: The challenger runs $\textsf {Eval}(\textsf {PK},\textsf {EK},{\varvec{C}}$, f) to obtain a ciphertext C, which is returned to $\mathcal {A}$. This query is not allowed to issue if $\mathcal {A}$ has queried to RevEK.
- RevEK: The challenger sends the evaluation key $\textsf {EK}$ to $\mathcal {A}$.
Challenge. The challenger first selects a message bit $b^*\in \{0,1\}$ uniformly at random. Then, it computes $C^*\leftarrow \textsf {Enc}(\textsf {PK}, b^*)$, and sends the challenge ciphertext $C^*$ to the adversary. Finally, the challenger updates the list by $\textsf {DList}\leftarrow \textsf {DList}\cup \{C^*\}$.
Query phase 2. The adversary $\mathcal {A}$ continues to adaptively issue the following queries:
- DecCT $\langle C\rangle $: If $C\in \textsf {DList}$, the challenger returns $\perp $. Otherwise, the challenger uses the decryption key DK to decrypt C with algorithm Dec, and the result is sent back to $\mathcal {A}$. This query is not allowed to issue if $\mathcal {A}$ has queried to RevEK.
- EvalOnCT $\langle {\varvec{C}}=(C_1,\ldots ,C_k), f \rangle $: The challenger runs $\textsf {Eval}(\textsf {PK},\textsf {EK},{\varvec{C}}$, f) to obtain a ciphertext C, which is returned to $\mathcal {A}$. In addition, if there exists $i\in [k]$ such that $C_i\in \textsf {DList}$, then the challenger updates the list by $\textsf {DList}\leftarrow \textsf {DList}\cup \{C\}$. This query is not allowed to issue if $\mathcal {A}$ has queried to RevEK.
- RevEK: The challenger sends the evaluation key $\textsf {EK}$ to $\mathcal {A}$.
Guess. The adversary $\mathcal {A}$ outputs its guess $b\in \{0,1\}$ for $b^*$ and wins the game if $b=b^*$.

The advantage of the adversary in this game is defined as $|\textsf {Pr}[b=b^*]-\frac{1}{2}|$ where the probability is taken over the random bits used by the challenger and the adversary.

Definition 3

A keyed-FHE scheme is CCA-secure if all probabilistic polynomial time adversaries have at most a negligible advantage in the above security game.

3 Convertible Identity-Based Fully Homomorphic Encryption

Informally, a convertible IBFHE is an IBFHE with an additional transformation functionality: given a transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$ for an identity $\widetilde{\textsf {ID}}$, which is generated by the authority, one can transform a ciphertext CT under any identity into a ciphertext under identity $\widetilde{\textsf {ID}}$ without changing the underlying plaintext of CT. Concretely, a convertible IBFHE scheme consists of the following seven algorithms:

Setup $(1^\kappa )$ takes as input a security parameter $\kappa $. It generates a public parameters PP and a master key MK.
Extract $(\textsf {PP}, \textsf {MK}, \textsf {ID})$ takes as input the public parameters PP, the master key MK and an identity ID. It produces a private key $\textsf {SK}_\textsf {ID}$ for identity ID.
GenerateTK $(\textsf {PP},\textsf {MK},\widetilde{\textsf {ID}})$ takes as input the public parameters PP, the master key MK and an identity $\widetilde{\textsf {ID}}$. It generates a transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$ for identity $\widetilde{\textsf {ID}}$.
Encrypt $(\textsf {PP}, \textsf {ID}, b)$ takes as input the public parameters PP, an identity $\textsf {ID}$ and a message bit $b\in \{0,1\}$. It outputs a ciphertext CT.
Transform $(\textsf {PP},\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}},\textsf {ID},\textsf {CT})$ takes as input the public parameters PP, a transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$, and a ciphertext CT for an identity $\textsf {ID}$. It outputs a ciphertext $\widetilde{\textsf {CT}}$ under identity $\widetilde{\textsf {ID}}$.
Decrypt $(\textsf {PP}, \textsf {SK}_\textsf {ID}, \textsf {CT})$ takes as input the public parameters PP, a private key $\textsf {SK}_\textsf {ID}$ and a ciphertext $\textsf {CT}$. It outputs a message bit $b\in \{0,1\}$.
Evaluate $(\textsf {PP}, \textsf {ID}, {\varvec{CT}}, f)$ takes as input the public parameters PP, a tuple of ciphertexts ${\varvec{CT}}=(\textsf {CT}_1,\ldots ,\textsf {CT}_k)$ under an identity $\textsf {ID}$ and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$. It outputs a ciphertext $\textsf {CT}$ under identity $\textsf {ID}$.

Correctness. We require that for each $(\textsf {PP},\textsf {MK})$ output by Setup $(1^\kappa )$, the following hold:

Encryption correctness: with overwhelming probability, for all identity $\textsf {ID}$ and message bit $b\in \{0,1\}$, we have $\textsf {Decrypt}(\textsf {PP},\textsf {Extract}(\textsf {PP},\textsf {MK},\textsf {ID}),\textsf {Encrypt}($ $\textsf {PP},\textsf {ID},b))=b$.
Transformation correctness: with overwhelming probability, for all identity $\textsf {ID},\widetilde{\textsf {ID}}$ and message bit $b\in \{0,1\}$, let $\textsf {CT}\leftarrow \textsf {Encrypt}(\textsf {PP},\textsf {ID},b)$, $\textsf {SK}_\textsf {ID}\leftarrow \textsf {Extract}(\textsf {PP},\textsf {MK},\textsf {ID})$, $\textsf {SK}_{\widetilde{\textsf {ID}}}\leftarrow \textsf {Extract}(\textsf {PP}$, $\textsf {MK},\widetilde{\textsf {ID}})$, $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}\leftarrow \textsf {GenerateTK}(\textsf {PP}$, $\textsf {MK},\widetilde{\textsf {ID}})$, and $\widetilde{\textsf {CT}}\leftarrow \textsf {Transform}(\textsf {PP},\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}},\textsf {ID},\textsf {CT})$, we have
$$\begin{aligned} \textsf {Decrypt}(\textsf {PP},\textsf {SK}_\textsf {ID},\textsf {CT})=\textsf {Decrypt}(\textsf {PP},\textsf {SK}_{\widetilde{\textsf {ID}}},\widetilde{\textsf {CT}}). \end{aligned}$$
Evaluation correctness: for any k-ciphertexts $(\textsf {CT}_1,\ldots ,\textsf {CT}_k)$ under an identity $\textsf {ID}$ such that $\textsf {Decrypt}(\textsf {PP},\textsf {Extract}(\textsf {PP},\textsf {MK},\textsf {ID}),\textsf {CT}_i)=b_i\in \{0,1\}$, and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$, with overwhelming probability, we have $\textsf {Decrypt}(\textsf {PP},\textsf {Extract}(\textsf {PP},\textsf {MK},\textsf {ID}), \textsf {Evaluate}(\textsf {PP},\textsf {ID},{\varvec{CT}}=(\textsf {CT}_1,\ldots ,\textsf {CT}_k)$, $f))=f(b_1,\ldots ,b_k)$.

Security. The IND-sID-CPA security of convertible IBFHE scheme is defined using the following game between a PPT adversary $\mathcal {A}$ and a challenger.

Init. The adversary submits a target identity $\textsf {ID}^*$ and a designated identity $\widetilde{\textsf {ID}}$.
Setup. The challenger first runs Setup $(1^\kappa )$ to obtain a public parameters PP and a master key MK. Then, it runs GenerateTK $(\textsf {PP},\textsf {MK},\widetilde{\textsf {ID}})$ to get the transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$ for identity $\widetilde{\textsf {ID}}$, and sends the public parameters PP and the transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}$ to the adversary $\mathcal {A}$.
Query phase 1. The adversary $\mathcal {A}$ adaptively issues the following queries:
- GetSK $\langle \textsf {ID}\rangle $: The challenger runs Extract $(\textsf {PP},\textsf {MK},\textsf {ID})$ to generate the corresponding private key $\textsf {SK}_\textsf {ID}$, which is returned to $\mathcal {A}$. We require that $\textsf {ID}\notin \{\textsf {ID}^*,\widetilde{\textsf {ID}}\}$.
Challenge. The challenger first selects a message bit $b^*\in \{0,1\}$ uniformly at random. Then, it computes $\textsf {CT}^*\leftarrow \textsf {Encrypt}(\textsf {PP}, \textsf {ID}^*, b^*)$, and sends the challenge ciphertext $\textsf {CT}^*$ to the adversary.
Query phase 2. This is same as Query phase 1.
Guess. The adversary $\mathcal {A}$ outputs its guess $b\in \{0,1\}$ for $b^*$ and wins the game if $b=b^*$.

The advantage of the adversary in this game is defined as $|\textsf {Pr}[b=b^*]-\frac{1}{2}|$, where the probability is taken over the random bits used by the challenger and the adversary.

Definition 4

A convertible IBFHE scheme is IND-sID-CPA secure, if the advantage in the above security game is negligible for all PPT adversaries.

4 Proposed CCA Secure Keyed-FHE Scheme

Given a convertible IBFHE scheme $\textsf {cIBE}=(\textsf {Setup}, \textsf {Extract}, \textsf {GenerateTK}, \textsf {Encrypt}$, $\textsf {Transform}$, $\textsf {Decrypt}$, $\textsf {Evaluate})$ for identities of length $\ell $ which is IND-sID-CPA secure, we construct a CCA-secure keyed-FHE scheme. In the construction, we use a strongly EUF-CMA secure signature scheme $\mathcal {S}=(\textsf {Gen}, \textsf {Sign}, \textsf {Vrfy})$ in which the verification key output by Gen has length $\ell $. The construction of our CCA-secure keyed-FHE scheme is described as follows.

Setup $(1^\kappa )\!\!:$ The setup algorithm first runs $\textsf {cIBE}.\textsf {Setup}(1^\kappa )$ to obtain $(\textsf {PP}, \textsf {MK})$, and calls $\mathcal {S}.\textsf {Gen}(1^\kappa )$ to obtain a key pair $(\widetilde{vk},\widetilde{sk})$. Then, it computes
$$\begin{aligned} \textsf {TK}_{\mapsto \widetilde{vk}}\leftarrow \textsf {cIBE}.\textsf {GenerateTK}(\textsf {PP},\textsf {MK},\widetilde{vk}). \end{aligned}$$
Finally, it sets the public key $\textsf {PK}=\textsf {PP}$, the decryption key $\textsf {DK}=\textsf {MK}$ and the evaluation key $\textsf {EK}=(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$.
Enc $(\textsf {PK},b\in \{0,1\})\!\!:$ The encryption algorithm takes as input the public key $\textsf {PK}=\textsf {PP}$, and a message bit $b\in \{0,1\}$. It proceeds as follows.
1. 1.
  Run $\mathcal {S}.\textsf {Gen}(1^\kappa )$ to obtain a key pair (vk, sk).
2. 2.
  Compute $\textsf {CT}\leftarrow \textsf {cIBE}.\textsf {Encrypt}(\textsf {PP},vk,b)$ and $\sigma \leftarrow \mathcal {S}.\textsf {Sign}(sk,\textsf {CT})$.
3. 3.
  Output the ciphertext $C=(vk,\textsf {CT},\sigma )$.
Dec $(\textsf {PK}, \textsf {DK}, C)\!\!:$ The decryption algorithm takes as input the public key $\textsf {PK}=\textsf {PP}$, the decryption key $\textsf {DK}=\textsf {MK}$ and a ciphertext $C=(vk,\textsf {CT},\sigma )$. This algorithm first checks whether $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$. If not, it outputs $\perp $. Otherwise, it computes $\textsf {SK}_{vk}\leftarrow \textsf {cIBE}.\textsf {Extract}(\textsf {PP},\textsf {MK}$, vk) and sets $b\leftarrow \textsf {cIBE}.\textsf {Decrypt}(\textsf {PP},\textsf {SK}_{vk},\textsf {CT})$. Then, it outputs the message bit b.
Eval $(\textsf {PK},\textsf {EK},{\varvec{C}}, f)\!\!:$ This algorithm takes as input the public key $\textsf {PK}=\textsf {PP}$, the evaluation key $\textsf {EK}=(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$, a tuple of ciphertexts ${\varvec{C}}=(C_1=(vk_1,\textsf {CT}_1,\sigma _1),\ldots ,C_k=(vk_k,\textsf {CT}_k,\sigma _k))$ and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$. For $i=1,\ldots ,k$, it proceeds as follows.
1. 1.
  Check whether $\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$. If not, it outputs $\perp $.
2. 2.
  Compute $\widetilde{\textsf {CT}}_i\leftarrow \textsf {cIBE}.\textsf {Transform}(\textsf {PP},\textsf {TK}_{\mapsto \widetilde{vk}},vk_i,\textsf {CT}_i)$.
Next, it calls $\textsf {cIBE}.\textsf {Evaluate}$ to obtain $\widetilde{\textsf {CT}}\leftarrow \textsf {cIBE}.\textsf {Evaluate}(\textsf {PP},\widetilde{vk},(\widetilde{\textsf {CT}}_1,\ldots $, $\widetilde{\textsf {CT}}_k),f)$. Then, it computes $\tilde{\sigma }\leftarrow \mathcal {S}.\textsf {Sign}(\widetilde{sk},\textsf {CT})$, and outputs the ciphertext $C=(\widetilde{vk},\widetilde{\textsf {CT}},\tilde{\sigma })$.

Correctness. If the underlying convertible IBFHE scheme $\mathsf {cIBE}$ satisfies encryption correctness, transformation correctness and evaluation correctness, it is obvious that the above construction satisfies the correctness requirements of keyed-FHE.

Theorem 4

If the underlying convertible IBFHE scheme is IND-sID-CPA secure, and the signature scheme $\mathcal {S}$ is strongly EUF-CMA secure, then our proposed keyed-FHE scheme is CCA-secure.

Proof

To prove the CCA security of our proposed keyed-FHE scheme, we consider the following games which is described by its modification from the previous game.

Game 0. This is the original CCA security game between an adversary $\mathcal {A}$ against our scheme and a CCA challenger.
Game 1. In this game, we slightly change the way that the challenger answers the adversary’s DecCT and EvalOnCT queries. Let $C^*=(vk^*,\textsf {CT}^*,\sigma ^*)$ be the challenge ciphertext. When the adversary $\mathcal {A}$ issues a DecCT query on ciphertext $C=(vk,\textsf {CT},\sigma )$, the challenger checks whether $vk=vk^*,C\ne C^*$ and $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$. If so, the challenger returns $\perp $; otherwise, it responds as in Game 0. When the adversary $\mathcal {A}$ issues an EvalOnCT query on $\langle {\varvec{C}}=(C_1,\ldots ,C_k), f \rangle $, the challenger first parses $C_i$ as $(vk_i,\textsf {CT}_i,\sigma _i)$ for each $i\in [k]$. Then, the challenger checks whether there exists $i\in [k]$ such that $vk_i=vk^*,C_i\ne C^*$ and $\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$. If so, the challenger returns $\perp $; otherwise, it responds as in Game 0.
Game 2. In this game, at the setup phase, except for the list $\textsf {DList}$, the challenger also maintains another list $\textsf {EList}$, which is set as $\emptyset $ initially. We also modify the way how the adversary $\mathcal {A}$’s DecCT and EvalOnCT queries are answered. Let $\textsf {PK},\textsf {DK},\textsf {EK}=(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$ be the public key, decryption key and evaluation key respectively, generated by the challenger at the setup phase. When the adversary $\mathcal {A}$ issues a DecCT query on ciphertext $C=(vk,\textsf {CT},\sigma )$, the challenger checks whether $vk=vk^*$ or $vk\ne \widetilde{vk}$. If so, the challenger responds as in Game 1; otherwise (i.e., $vk=\widetilde{vk}$), it proceeds as follows:
1. 1.
  Check whether $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$. If not, return $\perp $.
2. 2.
  Search the list $\textsf {EList}$ for a record (m, C). If such record does not exist, return $\perp $; otherwise, send m to $\mathcal {A}$.
When the adversary $\mathcal {A}$ issues an EvalOnCT query on $\langle {\varvec{C}}=(C_1,\ldots ,C_k),f\rangle $, the challenger first parses $C_i$ as $(vk_i,\textsf {CT}_i,\sigma _i)$ for each $i\in [k]$. Then, it checks whether there exists $i\in [k]$ such that one of the following conditions holds: (1) $vk_i=vk^*,\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$ and $C_i\ne C^*$; (2) $vk_i=\widetilde{vk},\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$ and the list $\textsf {EList}$ does not contain a record $(m_i,C_i)$. If so, the challenger returns $\perp $ to $\mathcal {A}$; otherwise, the challenger runs $\textsf {Eval}(\textsf {PK},\textsf {EK},{\varvec{C}},f)$ to obtain a ciphertext C, which is returned to $\mathcal {A}$. In addition, when the ciphertext $C\ne \perp $, the challenger checks whether there exists $i\in [k]$ such that $C_i\in \textsf {DList}$. If so, the challenger updates the list by $\textsf {DList}\leftarrow \textsf {DList}\cup \{C\}$; otherwise, it proceeds as follows.
1. 1.
  For each $i\in [k]$, if $vk_i=\widetilde{vk}$, the challenger finds the record $(m_i,C_i)$ in the list $\textsf {EList}$; otherwise (i.e., $vk_i\ne \widetilde{vk}$), the challenger uses the decryption key $\textsf {DK}$ to decrypt $C_i$ with algorithm $\textsf {Dec}$ and obtain a message bit $m_i$.
2. 2.
  The challenger computes $m=f(m_1,\ldots ,m_k)$ and updates the list by $\textsf {EList}\leftarrow \textsf {EList}\cup \{(m,C)\}$.

By the following lemmas, we prove these games are computationally indistinguishable, and in Game 2, the advantage of the adversary is negligible. Therefore, we conclude that the advantage of the adversary in Game 0 (i.e., the original CCA security game) is negligible. This completes the proof of Theorem 4.

Lemma 2

Suppose that the signature scheme $\mathcal {S}$ is strongly EUF-CMA-secure. Then Game 0 and Game 1 are computationally indistinguishable.

Proof

Let $C^*=(vk^*,\textsf {CT}^*,\sigma ^*)$ be the challenge ciphertext. Define event E: the adversary $\mathcal {A}$ submits a ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk=vk^*,C\ne C^*$ and $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$ during its DecCT or EvalOnCT queries. If E does not happen, Game 0 is identical to Game 1. All we have to do is to prove that E happens with negligible probability.

Suppose that E happens with non-negligible probability. Then we can build an algorithm $\mathcal {B}$ that breaks strong EUF-CMA security of the signature scheme $\mathcal {S}$ with non-negligible probability. Let $\mathcal {C}$ be the challenger corresponding to $\mathcal {B}$ in the strong EUF-CMA security game of the signature scheme $\mathcal {S}$. $\mathcal {B}$ is given the verification key $vk^*$ of the signature scheme $\mathcal {S}$, and simulates Game 1 to the adversary $\mathcal {A}$ as follows.

$\mathcal {B}$ runs Setup to obtain $(\textsf {PK},\textsf {DK},\textsf {EK})$, and sends the public key PK to $\mathcal {A}$. Since $\mathcal {B}$ knows the decryption key DK and the evaluation key EK associated with PK, thus it is able to answer all queries made by the adversary. At some point, $\mathcal {A}$ asks for the challenge ciphertext. $\mathcal {B}$ proceeds as follows.

1.
Choose a message bit $b^*\in \{0,1\}$ uniformly at random.
2.
Compute $\textsf {CT}^*\leftarrow \textsf {cIBE}.\textsf {Encrypt}(\textsf {PK},vk^*,b^*)$.
3.
Issue the signing query on $\textsf {CT}^*$ to its challenger $\mathcal {C}$ to obtain the corresponding signature $\sigma ^*$.
4.
Set the challenge ciphertext $C^*=(vk^*,\textsf {CT}^*,\sigma ^*)$ and send it to the adversary $\mathcal {A}$.

Suppose E happens during the simulation (i.e., the adversary submits a ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk=vk^*,C\ne C^*$ and $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$ during its DecCT or EvalOnCT queries), $\mathcal {B}$ outputs $(\textsf {CT},\sigma )$ which is not equal to $(\textsf {CT}^*,\sigma ^*)$, as its forgery of the signature scheme $\mathcal {S}$. Thus, if E happens with non-negligible probability, then $\mathcal {B}$ can break strong EUF-CMA security of the signature scheme $\mathcal {S}$ with non-negligible probability.

Lemma 3

Suppose that the signature scheme $\mathcal {S}$ is strongly EUF-CMA-secure. Then Game 1 and Game 2 are computationally indistinguishable.

Proof

Let $\textsf {EK}=(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$ be the evaluation key. Game 2 is the same as Game 1 except for the way of answering the adversary $\mathcal {A}$’s DecCT and EvalOnCT queries when $\mathcal {A}$ submits a ciphertext $C=(vk,\textsf {CT},\sigma )$ such that $vk=\widetilde{vk}$ and $\mathcal {S}.\textsf {Vrfy}(vk,\textsf {CT},\sigma )=1$. Recall that in our security definition of keyed-FHE, the adversary cannot issue the decryption or evaluation queries if it requests the evaluation key to be exposed. Since our proposed scheme satisfies the requirement of evaluation correctness, it is easy to observe that when $\mathcal {A}$ submits a ciphertext $C=(vk=\widetilde{vk},\textsf {CT},\sigma )$ during its DecCT or EvalOnCT queries such that C is the return of $\mathcal {A}$’s some EvalOnCT query, the challenger’s response is the same in Game 1 and Game 2.

Define event E: the adversary $\mathcal {A}$ submits a ciphertext $C=(vk=\widetilde{vk},\textsf {CT},\sigma )$ during its DecCT or EvalOnCT queries such that $\mathcal {S}.\textsf {Vrfy}(vk$, $\textsf {CT},\sigma )=1$ and C is not the response to $\mathcal {A}$’s some EvalOnCT query. If E does not happen, Game 1 is identical to Game 2. All we have to do is to prove that E happens with negligible probability.

One can prove that if the signature scheme $\mathcal {S}$ is strongly EUF-CMA-secure, then event E happens with negligible probability. We omit the details due to its similarity of Lemma 2.

Lemma 4

If the underlying convertible IBFHE scheme is IND-sID-CPA-secure, then in Game 2, the advantage of the adversary is negligible.

Proof

Suppose there exists an adversary $\mathcal {A}$ that achieves a non-negligible advantage in Game 2. Then we can build an algorithm $\mathcal {B}$ that makes use of $\mathcal {A}$ to attack the underlying convertible IBFHE scheme cIBE in the IND-sID-CPA security game with a non-negligible advantage. Let $\mathcal {C}$ be the challenger corresponding to $\mathcal {B}$ in the IND-sID-CPA security game of the convertible IBFHE scheme cIBE. $\mathcal {B}$ runs $\mathcal {A}$ executing the following steps.

Setup. $\mathcal {B}$ first runs $\mathcal {S}.\textsf {Gen}$ twice to obtain two key pairs $(vk^*,sk^*)$ and $(\widetilde{vk},\widetilde{sk})$. Then, it submits $(vk^*,\widetilde{vk})$ to $\mathcal {C}$ as its target identity and designated identity, and $\mathcal {C}$ returns the public parameters PP of the convertible IBFHE scheme cIBE and the transformation key $\textsf {TK}_{\mapsto \widetilde{vk}}$ for identity $\widetilde{vk}$ to $\mathcal {B}$. Next, $\mathcal {B}$ sets the public key $\textsf {PK}=\textsf {PP}$, the evaluation key $\textsf {EK}=(\widetilde{vk},\widetilde{sk},\textsf {TK}_{\mapsto \widetilde{vk}})$, and sends the public key PK to the adversary $\mathcal {A}$. In addition, $\mathcal {B}$ maintains two lists $\textsf {DList}$ and $\textsf {EList}$, which are set as $\emptyset $ initially.
Query phase 1. The adversary $\mathcal {A}$ adaptively issues the following queries:
- DecCT $\langle C\rangle $: $\mathcal {B}$ first parses the ciphertext C as $(vk,\textsf {CT},\sigma )$. Then, it checks whether $\mathcal {S}.\textsf {Vrfy}(vk$, $\textsf {CT},\sigma )=1$. If not, $\mathcal {B}$ returns $\perp $ to $\mathcal {A}$; otherwise, $\mathcal {B}$ proceeds as follows.
  1. 1.
    If $vk=vk^*$, $\mathcal {B}$ returns $\perp $ to $\mathcal {A}$.
  2. 2.
    If $vk\ne \widetilde{vk}$, $\mathcal {B}$ issues GetSK query on $\langle vk\rangle $ to its challenger $\mathcal {C}$ to obtain a private key $\textsf {SK}_{vk}$ for identity vk, and uses the private key $\textsf {SK}_{vk}$ to decrypt $\textsf {CT}$ with algorithm $\textsf {cIBE}.\textsf {Decrypt}$. The result is sent back to $\mathcal {A}$.
  3. 3.
    If $vk=\widetilde{vk}$ and $C\in \textsf {DList}$, $\mathcal {B}$ returns $\perp $ to $\mathcal {A}$.
  4. 4.
    Otherwise (i.e., $vk=\widetilde{vk}$ and $C\notin \textsf {DList}$), $\mathcal {B}$ search the list $\textsf {EList}$ for a record (m, C). If such record does not exist, $\mathcal {B}$ returns $\perp $ to $\mathcal {A}$; otherwise, $\mathcal {B}$ sends the message bit m to the adversary $\mathcal {A}$.
- EvalOnCT $\langle {\varvec{C}}=(C_1,\ldots ,C_k), f \rangle $: For each $i\in [k]$, $\mathcal {B}$ parses $C_i$ as $(vk_i,\textsf {CT}_i,\sigma _i)$. Then, $\mathcal {B}$ checks whether there exists $i\in [k]$ such that one of the following conditions holds: (1) $vk_i=vk^*,\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$ and $C_i\ne C^*$; (2) $vk_i=\widetilde{vk},\mathcal {S}.\textsf {Vrfy}(vk_i,\textsf {CT}_i,\sigma _i)=1$ and the list $\textsf {EList}$ does not contain a record $(m_i,C_i)$. If so, $\mathcal {B}$ returns $\perp $ to $\mathcal {A}$; otherwise, $\mathcal {B}$ runs $\textsf {Eval}(\textsf {PK},\textsf {EK},{\varvec{C}},f)$ to obtain a ciphertext C, which is returned to $\mathcal {A}$. In addition, when the ciphertext $C\ne \perp $, $\mathcal {B}$ checks whether there exists $i\in [k]$ such that $C_i\in \textsf {DList}$. If so, $\mathcal {B}$ updates the list by $\textsf {DList}\leftarrow \textsf {DList}\cup \{C\}$; otherwise, $\mathcal {B}$ proceeds as follows.
  1. 1.
    For each $i\in [k]$, if $vk_i=\widetilde{vk}$, $\mathcal {B}$ finds the record $(m_i,C_i)$ in the list $\textsf {EList}$; otherwise (i.e., $vk_i\ne \widetilde{vk}$), $\mathcal {B}$ issues GetSK query on $\langle vk_i\rangle $ to its challenger $\mathcal {C}$ to obtain a private key $\textsf {SK}_{vk_i}$ for identity $vk_i$, and uses the private key $\textsf {SK}_{vk_i}$ to decrypt $\textsf {CT}_i$ with algorithm $\textsf {cIBE}.\textsf {Decrypt}$ and obtain a message bit $m_i$.
  2. 2.
    $\mathcal {B}$ computes $m=f(m_1,\ldots ,m_k)$ and updates the list by $\textsf {EList}\leftarrow \textsf {EList}\cup \{(m,C)\}$.
- RevEK: The challenger sends the evaluation key $\textsf {EK}$ to $\mathcal {A}$.
Challenge. Firstly, $\mathcal {B}$ asks $\mathcal {C}$ for its challenge ciphertext of the convertible IBFHE scheme cIBE, and receives the ciphertext $\textsf {CT}^*$. Then, $\mathcal {B}$ computes $\sigma ^*\leftarrow \mathcal {S}.\textsf {Sign}(sk^*,\textsf {CT}^*)$, and sets the challenge ciphertext $C^*=(vk^*,\textsf {CT}^*,\sigma ^*)$. Finally, $\mathcal {B}$ sends $C^*$ to the adversary $\mathcal {A}$. In addition, $\mathcal {B}$ updates the list by $\textsf {DList}\leftarrow \textsf {DList}\cup \{C^*\}$.
Query phase 2. The adversary $\mathcal {A}$ continues to adaptively issue DecCT, EvalOnCT and RevEK queries. $\mathcal {B}$ responds as Query phase 1.
Guess. The adversary $\mathcal {A}$ outputs a bit $b\in \{0,1\}$. $\mathcal {B}$ also takes b as its output.

It is easy to observe that, $\mathcal {B}$’s simulation is perfect. Thus, if $\mathcal {A}$ has a non-negligible advantage in Game 2, then $\mathcal {B}$ attacks the underlying convertible IBFHE scheme cIBE in the IND-sID-CPA security game with a non-negligible advantage.

5 Proposed Convertible IBFHE Scheme

We denote $\textsf {SampleUS}(\mathbb {Z}_q^n;r_S)$ as a sample algorithm that chooses an element in $\mathbb {Z}_q^n$ uniformly at random with the randomness $r_S$, $\textsf {SampleGX}(\mathbb {Z}_q,\bar{\varPsi }_\alpha ;r_X)$ as a sample algorithm that chooses an element in $\mathbb {Z}_q$ from the distribution $\bar{\varPsi }_\alpha $ with the randomness $r_X$, $\textsf {SampleGY}(\mathbb {Z}_q^m,\bar{\varPsi }_\alpha ^m;r_Y)$ as a sample algorithm that chooses an element in $\mathbb {Z}_q^m$ from the distribution $\bar{\varPsi }_\alpha ^m$ with the randomness $r_Y$, and $\textsf {SampleURs}(\{-1,1\}^{m\times m};r_R)$ as a sample algorithm that chooses $\ell $-elements in domain $\{-1,1\}^{m\times m}$ uniformly at random with the randomness $r_R$. Let $\textsf {F}_D:\mathcal {K}_D\times \{0,1\}^*\rightarrow \{-1,1\}^\ell ,\ \textsf {F}_S:\mathcal {K}_S\times \{0,1\}^*\times \{0,1\}^{2\kappa }\times [N]\rightarrow \mathcal {R}_{\textsf {SampleUS}},\ \textsf {F}_X:\mathcal {K}_X\times \{0,1\}^*\times \{0,1\}^{2\kappa }\times [N]\rightarrow \mathcal {R}_{\textsf {SampleGX}},\ \textsf {F}_Y:\mathcal {K}_Y\times \{0,1\}^*\times \{0,1\}^{2\kappa }\times [N]\rightarrow \mathcal {R}_{\textsf {SampleGY}},\ \textsf {F}_R:\mathcal {K}_R\times \{0,1\}^*\times \{0,1\}^{2\kappa }\times [N]\rightarrow \mathcal {R}_{\textsf {SampleURs}}$ be puncturable PRFs, and let $\textsf {PRG}:\{0,1\}^\kappa \rightarrow \{0,1\}^{2\kappa }$ be a pseudorandom generator. Let $i\mathcal {O}$ be a program indistinguishability obfuscator. Our proposed convertible identity-based (leveled) FHE scheme consists of the following algorithms:

Setup $(1^\kappa ,1^L)$: On input a security parameter $\kappa $ and a number of levels L (maximum circuit depth to support), this algorithm first chooses the parameters $(q,n,m,\sigma ,\alpha )$ as specified in Sect. 5.1 below. Let $N=(2m+1)\cdot (\lfloor \log q\rfloor +1)$. It then invokes $\textsf {TrapGen}(q,n)$ to generate a uniformly random matrix $A\in \mathbb {Z}_q^{n\times m}$ and a short basis $T_A\in \mathbb {Z}^{m\times m}$ for $\varLambda _q^{\bot }(A)$. It also chooses uniformly random matrices $B_0,B_1,\ldots ,B_\ell \in \mathbb {Z}_q^{n\times m}$, and a uniformly random vector $u\in \mathbb {Z}_q^n$. Next, it chooses puncturable PRF keys $\mathrm {K}_D\leftarrow \mathcal {K}_D, \mathrm {K}_S\leftarrow \mathcal {K}_S, \mathrm {K}_X\leftarrow \mathcal {K}_X, \mathrm {K}_Y\leftarrow \mathcal {K}_Y, \mathrm {K}_R\leftarrow \mathcal {K}_R$, and creates an obfuscation of the program ProduceCT Fig. 1 as $\mathbf {P}^{\textsf {Enc}}\leftarrow i\mathcal {O}(\kappa ,\textsf {ProduceCT})$, Finally, it outputs the public parameters
$$\begin{aligned} \textsf {PP}=\Big (\textsf {PP}_{\textsf {ABB}}=(A,B_0,B_1,\ldots ,B_\ell ,u),\mathbf {P}^{\textsf {Enc}},\textsf {PRG},\textsf {F}_D,\textsf {F}_S,\textsf {F}_X,\textsf {F}_Y,\textsf {F}_R\Big ), \end{aligned}$$
and master key $\textsf {MK}=\Big (T_A,\mathrm {K}_D,\mathrm {K}_S,\mathrm {K}_X,\mathrm {K}_Y,\mathrm {K}_R\Big )$.
Extract $(\textsf {PP}, \textsf {MK}, \textsf {ID})$: On input public parameters PP, a master key MK, and an identity $\textsf {ID}\in \{0,1\}^*$, this algorithm first sets $\textsf {id}=\textsf {F}_D(\mathrm {K}_D,\textsf {ID})=(d_1,\ldots ,d_\ell )\in \{-1,1\}^\ell $ and evaluates ${\varvec{e}}_\textsf {ID}\leftarrow \textsf {SampleLeft}(A, B_0+\sum _{i=1}^\ell d_iB_i,T_A,u,\sigma )$ to obtain a short vector in $\varLambda _q^u(F_\textsf {id})$, where $F_\textsf {id}=A\mid B_0+\sum _{i=1}^\ell d_iB_i$ and ${\varvec{e}}_\textsf {ID}$ is distributed as $D_{\varLambda _q^u(F_\textsf {id}),\sigma }$. Then, it sets ${\varvec{s}}_\textsf {ID}=(1, -{\varvec{e}}_\textsf {ID})$ and ${\varvec{v}}_\textsf {ID}=\mathsf {Powersof2}({\varvec{s}}_\textsf {ID})$, and outputs the private key $\textsf {SK}_\textsf {ID}={\varvec{v}}_\textsf {ID}$ for identity ID.
GenerateTK $(\textsf {PP},\textsf {MK},\widetilde{\textsf {ID}})$: On input public parameter PP, a master key MK, and an identity $\widetilde{\textsf {ID}}\in \{0,1\}^*$, this algorithm creates an obfuscation of the program ConvertTAID Fig. 2 as $\mathbf {P}^{\textsf {Trans}}\leftarrow i\mathcal {O}(\kappa ,\textsf {ConvertTAID})$, and outputs the transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}=\Big (\widetilde{\textsf {ID}},\mathbf {P}^{\textsf {Trans}} \Big )$.
Encrypt $(\textsf {PP}, \textsf {ID}, b)$: On input public parameters PP, an identity $\textsf {ID}\in \{0,1\}^*$, and a message $b\in \{0,1\}$, the encryption algorithm first chooses $r\in \{0,1\}^\kappa $ uniformly at random. Then, it computes $(t,C_\textsf {ID})=\mathbf {P}^{\textsf {Enc}}(\textsf {ID},b,r)$, and outputs the ciphertext $\textsf {CT}=(t,C_\textsf {ID})$.
Transform $(\textsf {PP}, \textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}, \textsf {ID},\textsf {CT})$: On input public parameters PP, a transformation key $\textsf {TK}_{\mapsto \widetilde{\textsf {ID}}}=(\widetilde{\textsf {ID}}, \mathbf {P}^{\textsf {Trans}} )$, a ciphertext $\textsf {CT}=(t,C_\textsf {ID})$ for an identity $\textsf {ID}$, this algorithm computes $(\tilde{t},C_{\widetilde{\textsf {ID}}})=\mathbf {P}^{\textsf {Trans}}(\textsf {ID},\textsf {CT})$, and outputs the transformed ciphertext $\widetilde{\textsf {CT}}=(\tilde{t},C_{\widetilde{\textsf {ID}}})$.
Decrypt $(\textsf {PP}, \textsf {SK}_{\textsf {ID}}, \textsf {CT})$: The decryption algorithm takes as input public parameters PP, a private key $\textsf {SK}_\textsf {ID}={\varvec{v}}_\textsf {ID}$, and a ciphertext $\textsf {CT}=(t, C_\textsf {ID})$. Observe that the first $\lfloor \log q\rfloor +1$ coefficients of ${\varvec{v}}_\textsf {ID}$ are $1,2,\ldots ,2^{\lfloor \log q\rfloor }$. Among these coefficients, let $v_{\textsf {ID},i} = 2^i$ be in (q / 4, q / 2]. Let $C_{\textsf {ID},i}$ be the i-th row of $C_{\mathsf {ID}}$. This algorithm computes $x_i\leftarrow \langle C_{\textsf {ID},i},{\varvec{v}}_{\mathsf {ID}} \rangle $ and outputs $\mu '=\lfloor x_i/v_{\textsf {ID},i}\rceil $.
Evaluate $(\textsf {PP},\textsf {ID},{\varvec{CT}},f)$: The evaluation algorithm takes as input public parameters PP, a tuple of ciphertext ${\varvec{CT}}=(\textsf {CT}_1,\ldots ,\textsf {CT}_k)$ under an identity $\textsf {ID}$ and a Boolean circuit $f:\{0,1\}^k\rightarrow \{0,1\}$. It is a remarkable fact that, Boolean circuits computed over encryptions of binary values can be converted to use only NAND gates [31]. Let $\mathsf {CT}_i=(t_i, ct_i)$ be an encryption of $b_i\in \{0,1\}$ for all $i\in [k]$, the NAND homomorphic operation is described below: $\mathsf {NAND}(ct_1,ct_2)$: To NAND ciphertexts $ct_1,ct_2\in \mathbb {Z}_q^{N\times N}$, output $\mathsf {Flatten}(I_N-ct_1\cdot ct_2)$. Let ct be the result of $f(ct_1,\ldots ,ct_k)$ through appropriate leveled application of the NAND homomorphic operation. The algorithm chooses a random value $t\in \{0,1\}^{2\kappa }$ and outputs the resulting ciphertext $\mathsf {CT}=(t, ct)$.
ABBEnc0 $(\textsf {PP}_{\textsf {ABB}},\textsf {id},r_S,r_X,r_Y,r_R)$: On input public parameters $\textsf {PP}_{\textsf {ABB}}$, an identity $\textsf {id}=(d_1,\ldots ,d_\ell )\in \{-1,1\}^\ell $ and randomness $r_S\in \mathcal {R}_{\textsf {SampleUS}},r_X\in \mathcal {R}_{\textsf {SampleGX}},r_Y\in \mathcal {R}_{\textsf {SampleGY}},r_R\in \mathcal {R}_{\textsf {SampleURs}}$, this algorithm proceeds as follows.
1. 1.
  Let $F_\textsf {id}=A\mid B_0+\sum _{i=1}^\ell d_iB_i\in \mathbb {Z}_q^{n\times 2m}$.
2. 2.
  Evaluate $s=\textsf {SampleUS}(\mathbb {Z}_q^n;r_S), x=\textsf {SampleGX}(\mathbb {Z}_q,\bar{\varPsi }_\alpha ;r_{X})$ and $y=\textsf {SampleGY}(\mathbb {Z}_q^m, \bar{\varPsi }_\alpha ^m;r_{Y})$.
3. 3.
  Evaluate $(R_{1},\ldots ,R_{\ell })=\textsf {SampleURs}(\{-1,1\}^{m\times m};r_{R})$.
4. 4.
  Set $R_{\textsf {id}}=\sum _{i=1}^\ell d_iR_{i}$ and compute $z=R_{\textsf {id}}^\top y$.
5. 5.
  Compute $c_{0}=u^\top s+x\in \mathbb {Z}_q,\ c_{1}=F_\textsf {id}^\top s+\left[ \begin{array}{c}y\\ z\end{array}\right] \in \mathbb {Z}_q^{2m}$, and return $(c_0,c_1)$.

5.1 Parameters and Correctness

Let $\mathsf {CT}_1=(t_1, ct_1=\mathsf {Flatten}(b_1\cdot I_N+\mathsf {BitDecomp}(c_1)))$ be an encryption of $b_1\in \{0,1\}$ under an identity $\mathsf {ID}$. Recall that $c_1$ is a N-row matrix whose rows are encryptions of 0 generated by using ABBEnc0, and the private key ${\varvec{v}}_\textsf {ID}=\mathsf {Powersof2}({\varvec{s}}_\textsf {ID})$. By Claim 1, we have

$$ct_1\cdot {\varvec{v}}_{\textsf {ID}} = (b_1\cdot I_N+\mathsf {BitDecomp}(c_1))\cdot {\varvec{v}}_{\textsf {ID}} = b_1\cdot {\varvec{v}}_{\textsf {ID}}+c_1\cdot {\varvec{s}}_{\textsf {ID}}.$$

Let $c_{1,i}$ be the i-th row of the matrix $c_1$, and let $v_{\textsf {ID},i}$ be the i-th coefficient of ${\varvec{v}}_\textsf {ID}$. Algorithm Decrypt only uses the i-th coefficient of $ct_1\cdot {\varvec{v}}_{\textsf {ID}}$, which is $x_i=b_1\cdot v_{\textsf {ID},i}+c_{1,i}\cdot {\varvec{s}}_{\textsf {ID}}$. If $c_{1,i}$ is properly generated using ABBEnc0, then the norm of the inner product $c_{1,i}\cdot {\varvec{s}}_{\textsf {ID}}$ is bounded w.h.p by $B=q\sigma \ell m\alpha \omega (\sqrt{\log m})+O(\sigma m^{3/2})$ by Lemma 24 of [1]. Similarly as in [31], if $B<q/8$ and $v_{\textsf {ID},i}\in (q/4,q/2]$, then $x_i/v_{\textsf {ID},i}$ differs from $b_1$ by at most $(q/8)/v_{\textsf {ID},i}<1/2$, and algorithm Decrypt uses rounding to output the correct value of $b_1$.

It is clear that our system satisfies transformation correctness if encryption correctness holds. Regarding evaluation correctness, let $\mathsf {CT}_2=(t_2, ct_2=\mathsf {Flatten}(b_2\cdot I_N+\mathsf {BitDecomp}(c_2)))$ be an encryption of another bit $b_2\in \{0,1\}$ under the same identity $\mathsf {ID}$, where $c_2$ is also a N-row matrix whose rows are encryptions of 0 generated by using ABBEnc0. We have

$$\mathsf {NAND}(ct_1,ct_2)\cdot {\varvec{v}}_{\textsf {ID}} = (I_N-ct_1\cdot ct_2)\cdot {\varvec{v}}_{\textsf {ID}} = (1-b_1b_2)\cdot {\varvec{v}}_{\textsf {ID}}-b_2\cdot (c_1\cdot {\varvec{s}}_{\textsf {ID}})-ct_1\cdot (c_2\cdot {\varvec{s}}_{\textsf {ID}}).$$

Note that NAND maintains the invariant that if $ct_1$ and $ct_2$ are encryptions of messages in $\{0,1\}$, then the output ciphertext is also encryption of message in $\{0,1\}$. After an NAND homomorphic operation, the error is increased by a factor of at most $N+1$.

Recall that we represent the homomorphic function f over encryptions of binary values as a Boolean circuit that can be converted to use only NAND gates. Through appropriate leveled application of the NAND homomorphic operation, the final ciphertext’s error will be bounded by $(N+1)^L\cdot B$, where L is the NAND-depth of the circuit. As long as $(N+1)^L\cdot B<q/8$, the decryption algorithm will decrypt correctly.

Hence, for the system to work correctly and evaluate a circuit of depth L, we set the parameters $(q,n,m,\sigma ,\alpha )$ that satisfy the following requirements, taking n to be the security parameter $\kappa $:

the error term has magnitude at most q / 8 w.h.p (i.e. $B\cdot (N+1)^L< q/8$),
algorithm TrapGen can operate (i.e. $m> 6n\log q$),
$\sigma $ is sufficiently large for SampleLeft and SampleRight (i.e. $\sigma >\ell m\omega (\sqrt{\log m})$),
Regev’s reduction applies [49] (i.e. $\alpha q> 2\sqrt{n}$),
our security reduction applies (i.e. $q> 2Q+4$, where Q is the number of private key queries from the adversary).

5.2 Security

We now state the security theorem of our proposed scheme.

Theorem 5

If the $(\mathbb {Z}_q,n,\bar{\varPsi }_\alpha )$-LWE assumptions holds, the proposed convertible IBFHE scheme is IND-sID-CPA secure.

Proof

See the full version of this paper.

6 Conclusion

We introduced a new primitive called convertible IBFHE which is an IBFHE with an additional transformation functionality. We showed that CCA-secure keyed-FHE can be constructed from IND-sID-CPA-secure convertible IBFHE and strongly EUF-CMA-secure signature. Utilizing the recent advances in indistinguishability obfuscation, we presented a concrete construction of IND-sID-CPA-secure convertible IBFHE without random oracles, and yielded the first CCA-secure keyed-FHE scheme in the standard model. Since indistinguishability obfuscation is a slightly cumbersome primitive currently, thus it would be interesting to construct an efficient IND-sID-CPA-secure convertible IBFHE without using indistinguishability obfuscation, even in the random oracle model.

Notes

1.
We focus on leveled keyed-FHE schemes, and typically omit the term “leveled”. In a leveled keyed-FHE scheme, the parameters of the scheme may depend on the depth, but not the size, of the circuits that the scheme can evaluate.
2.
Another naive approach to construct CCA-secure keyed-FHE is to utilize Naor-Yung paradigm [42]: a plaintext is encrypted twice (independently) by CPA-secure FHE, and then a non-malleable non-interactive zero-knowledge (NIZK) [51] proof is used in order to prove that both ciphertexts are encryptions to the same plaintext (the CRS needed for the NIZK is part of the public key); the evaluation key EK is the trapdoor associated with the CRS. However, as the construct by using the double encryption methodology, this construction is not secure in the sense of our security definition: the adversary is allowed to use the decryption oracle even after the challenge phase, just before the adversary requests EK.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)
MATH Google Scholar
Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010)
MATH Google Scholar
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., Van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, p. 1. Springer, Heidelberg (1999)
Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: Proceedings of 26th International Symposium on Theoretical Aspects of Computer Science, STACS 2009, Freiburg, Germany, pp. 75–86, 26–28 February 2009
Google Scholar
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 1. Springer, Heidelberg (2001)
Google Scholar
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
MathSciNet MATH Google Scholar
Bellare, M., Ristenpart, T.: Simulation without the artificial abort: simplified proof and improved concrete security for waters’ IBE scheme. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 407–424. Springer, Heidelberg (2009)
Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
Google Scholar
Boneh, D., Segev, G., Waters, B., Targeted malleability: homomorphic encryption for restricted computations. In: Innovations in Theoretical Computer Science, Cambridge, MA, USA, pp. 350–366, 8–10 January 2012
Google Scholar
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)
Google Scholar
Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014)
Google Scholar
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
Google Scholar
Brakerski, Z., Gentry, C., Halevi, S.: Packed ciphertexts in LWE-based homomorphic encryption. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 1–13. Springer, Heidelberg (2013)
Google Scholar
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325 (2012)
Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, pp. 575–584, 1–4 June 2013
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106 (2011)
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
Google Scholar
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)
Google Scholar
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)
Google Scholar
Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012)
Google Scholar
Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi, M., Yun, A.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013)
Google Scholar
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 45. Springer, Heidelberg (2002)
Google Scholar
Desmedt, Y., Iovino, V., Persiano, G., Visconti, I.: Controlled homomorphic encryption: definition and construction. IACR Cryptology ePrint Arch. 2014, 989 (2014)
Google Scholar
Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
MathSciNet MATH Google Scholar
Emura, K., Hanaoka, G., Ohtake, G., Matsuda, T., Yamada, S.: Chosen ciphertext secure keyed-homomorphic public-key encryption. In: Hanaoka, G., Kurosawa, K. (eds.) PKC 2013. LNCS, vol. 7778, pp. 32–50. Springer, Heidelberg (2013)
MATH Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 74–94. Springer, Heidelberg (2014)
Google Scholar
Garg, S., Gentry, C., Halevi S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, pp. 40–49, 26–29 October 2013
Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
Google Scholar
Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 1–16. Springer, Heidelberg (2012)
Google Scholar
Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012)
Google Scholar
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)
Google Scholar
Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007)
Google Scholar
Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. IACR Cryptology ePrint Arch. 2014, 720 (2014)
Google Scholar
Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008)
Google Scholar
Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. IACR Cryptology ePrint Arch. 2014, 521 (2014)
MATH Google Scholar
Hohenberger, S., Sahai, A., Waters, B.: Replacing a random Oracle: full domain hash from indistinguishability obfuscation. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 201–220. Springer, Heidelberg (2014)
Google Scholar
Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013)
Google Scholar
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, pp. 669–684, 4–8 November (2013)
Google Scholar
Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structure-preserving signatures and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 289–307. Springer, Heidelberg (2013)
Google Scholar
Libert, B., Peters, T., Joye, M., Yung, M.: Non-malleability from malleability: simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 514–532. Springer, Heidelberg (2014)
Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)
Google Scholar
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437 (1990)
Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem,extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, pp. 333–342, 31 May - 2 June (2009)
Google Scholar
Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 517–534. Springer, Heidelberg (2007)
Google Scholar
M. Prabhakaran, M. Rosulek. Homomorphic encryption with CCA security. In Automata, Languages, Programming, 35th International Colloquium, ICALP: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations, pp. 667–678, (2008)
Google Scholar
M. Prabhakaran and M. Rosulek. Towards robust computation on encrypted data. In Advances in Cryptology - ASIACRYpPT , 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7–11, Proceedings, pp. 216–233, (2008)
Google Scholar
Rackoff, Charles, Simon, Daniel R.: Non-interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, Joan (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
Google Scholar
Ramchen, K., Waters, B.: Fully secure and fast signing from obfuscation. IACR Cryptology ePrint Archive 2014, 523 (2014)
Google Scholar
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22–24, pp. 84–93, (2005)
Google Scholar
Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. Foundations of secure computation 32(4), 169–178 (1978)
MathSciNet Google Scholar
A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In 40th Annual Symposium on Foundations of Computer Science, FOCS ’99, 17–18 , New York, NY, USA, pp. 543–553, 1999., October 1999
Google Scholar
Sahai, A., Waters, B., How to use indistinguishability obfuscation, : deniable encryption, and more. In Symposium on Theory of Computing, STOC , New York, NY, USA, May 31 - June 03, pp. 475–484, (2014)
Google Scholar
N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography, pp. 420–443, (2010)
MATH Google Scholar
Stehlé, D., Steinfeld, R.: Faster fully homomorphic encryption. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 377–394. Springer, Heidelberg (2010)
Google Scholar
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
Google Scholar
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Google Scholar
Waters, B.: A punctured programming approach to adaptively secure functional encryption. IACR Cryptology ePrint Arch. 2014, 588 (2014)
Google Scholar

Download references

Acknowledgement

We are grateful to the anonymous reviewers for their helpful comments. The work of Junzuo Lai was supported by National Natural Science Foundation of China (Nos. 61572235, 61300226), Research Fund for the Doctoral Program of Higher Education of China (No. 20134401120017), Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2015A030306045), Natural Science Foundation of Guangdong Province (No. 2014A030310156), Pearl River S&T Nova Program of Guangzhou and Fundamental Research Funds for the Central Universities (No. 21615445). The work of Jian Weng was supported by National Natural Science Foundation of China (Nos. 61272413, 61472165, 61133014).

Author information

Authors and Affiliations

Department of Computer Science, Jinan University, Guangzhou, China
Junzuo Lai & Jian Weng
The State Key Laboratory of Integrated Services Networks, Xidian University, Xidian, China
Junzuo Lai
School of Information Systems, Singapore Management University, Singapore, Singapore
Robert H. Deng
School of Computer, South China Normal University, Guangzhou, China
Changshe Ma
Department of Computer Science and Communication Engineering, Kyushu University, Fukuoka, Japan
Kouichi Sakurai

Authors

Junzuo Lai
View author publications
You can also search for this author in PubMed Google Scholar
Robert H. Deng
View author publications
You can also search for this author in PubMed Google Scholar
Changshe Ma
View author publications
You can also search for this author in PubMed Google Scholar
Kouichi Sakurai
View author publications
You can also search for this author in PubMed Google Scholar
Jian Weng
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jian Weng .

Editor information

Editors and Affiliations

National Taiwan University, Taipei, Taiwan
Chen-Mou Cheng
Academia Sinica, Taipei, Taiwan
Kai-Min Chung
Università di Salerno, Fisciano, Italy
Giuseppe Persiano
Academia Sinica, Taipei, Taiwan
Bo-Yin Yang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Lai, J., Deng, R.H., Ma, C., Sakurai, K., Weng, J. (2016). CCA-Secure Keyed-Fully Homomorphic Encryption. In: Cheng, CM., Chung, KM., Persiano, G., Yang, BY. (eds) Public-Key Cryptography – PKC 2016. Lecture Notes in Computer Science(), vol 9614. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49384-7_4

Download citation

DOI: https://doi.org/10.1007/978-3-662-49384-7_4
Published: 18 February 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49383-0
Online ISBN: 978-3-662-49384-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

CCA-Secure Keyed-Fully Homomorphic Encryption

Abstract

Similar content being viewed by others

Constructions for the IND-CCA1 Secure Fully Homomorphic Encryption

On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes

On Extension of Evaluation Algorithms in Keyed-Homomorphic Encryption

Keywords

1 Introduction

2 Preliminaries

2.1 Lattices

Definition 1

2.2 Discrete Gaussians

2.3 Sampling Algorithms

Theorem 1

Theorem 2

Theorem 3

2.4 The LWE Hardness Assumption

Definition 2

Lemma 1

2.5 Vector Decomposition

Claim 1

2.6 Indistinguishability Obfuscation

2.7 Puncturable PRFs

2.8 Keyed-Fully Homomorphic Encryption

Definition 3

3 Convertible Identity-Based Fully Homomorphic Encryption

Definition 4

4 Proposed CCA Secure Keyed-FHE Scheme

Theorem 4

Proof

Lemma 2

Proof

Lemma 3

Proof

Lemma 4

Proof

5 Proposed Convertible IBFHE Scheme

5.1 Parameters and Correctness

5.2 Security

Theorem 5

Proof

6 Conclusion

Notes

References

Acknowledgement

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Search

Navigation