CCA1 secure FHE from PIO, revisited

Fully data using only public information. So far, most FHE schemes are CPA secure. In PKC 2017, Canetti et al. extended the generic transformation of Boneh, Canetti, Halevi and Katz to turn any multi-key identity-based FHE scheme into a CCA1-secure FHE scheme. Their main construction of multi-key identity-based FHE is from probabilistic indistinguishability obfuscation (PIO) and statistical trapdoor encryption.

We show that the above multi-key identity-based FHE is not secure by giving an attack. Then we give a solution to avoid the attack and redesign a more succinct and efficient multi-key identity-based FHE scheme. Compared with the scheme of Canetti et al., ours has smaller secret key of one identity and more efficient homomorphic operations. Thus we obtain a more efficient CCA1 secure FHE scheme.

Fully homomorphic encryption (FHE) is one of the holy grails of modern cryptography. For short, a FHE scheme is an encryption scheme that allows anyone to perform arbitrary computations on encrypted data using only public information. With this fascinating feature, FHE has many theoretical and practical applications, a typical one of which is outsourcing computation to untrusted entities without compromising one’s privacy. The basic security property considered for FHE is security against chosen plaintext attacks (CPA), where it is required that an adversary that has access to the public parameters cannot distinguish between ciphertexts that encrypt two plaintexts chosen by the adversary.

The notion of FHE is introduced by Rivest, Adleman and Dertouzos (Rivest et al. 1978) in 1978. But the first candidate scheme, Gentry’s groundbreaking work in 2009 (Gentry 2009a; 2009b), came 30 years later. While Gentry’s work is a major breakthrough, it is far from efficient in the practical point of view. Since 2009, a lot of designs (van Dijk et al. 2010; Smart and Vercauteren 2010; Brakerski and Vaikuntanathan 2011a, b; Smart and Vercauteren 2014; Brakerski et al. 2012; Brakerski 2012; Gentry et al. 2012a, b, 2013) have been proposed towards more efficient FHE. All the above FHE schemes are only proven to be CPA secure.

The security against chosen ciphertext attacks, also called CCA security (Naor and Yung 1990) which requires that ciphertexts indistinguishability holds even when the adversary can make decryption queries. CCA security contains two kinds: the first one is CCA1, where the adversary is limited to make decryption queries before she receives the challenge ciphertext; the second one is CCA2, where the adversary can make decryption queries even after she receives the challenge ciphertext. CCA2 security prevents any meaningful change of a given ciphertext, and so appears to be in direct contradiction with homomorphism, but CCA1 is not. For example, the Cramer-Shoup-lite (Cramer and Shoup 1998) scheme is both CCA1-secure and additively homomorphic. However, several works (Loftus et al. 2010; Zhang et al. 2012; Dahab et al. 2015) show CCA1 attacks against some existing FHE schemes.

Related work

In PKC 2016, Lai et al. (2016) first introduced a new primitive called convertible identity-based fully homomorphic encryption (IBFHE), which is an IBFHE with an additional transformation functionality. Based on this new primitive, IND-sID-CPA-secure convertible IBFHE, and strongly EUF-CMA-secure signature, they proposed a generic paradigm of constructing CCA-secure keyed-FHE (a CCA-secure keyed-FHE scheme should provide CCA security when the evaluation key is unavailable to the adversary and remain CPA-secure when the evaluation key is exposed) by modifying CHK transformation (Canetti et al. 2004) slightly. Finally, they proposed a concrete construction of IND-sID-CPA-secure convertible IBFHE from adaptively-secure IBE scheme (Agrawal et al. 2010), indistinguishability obfuscation (IO) (Sahai and Waters 2014), and Puncturable PRF (Sahai and Waters 2014).

In PKC 2017, Canetti et al. (2017) extended the generic transformation of Boneh, Canetti, Halevi and Katz (Boneh et al. 2007) to turn any multi-key IBFHE scheme into a CCA1-secure FHE scheme. They gave three instantiations of multi-key IBFHE: The first one is a generic construction from multi-key FHE and IBE due to Brakerski et al. (2016); The second one is from LWE in the random oracle model, and the third one is from sub-exponentially secure IO (which is used to construct PIO). The first two constructions are compact with respect to the function evaluated homomorphically but not compact with respect to the number of ciphertext involved in the homomorphic evaluation. The third construction from PIO is fully compact and unleveled, which is their main construction. Finally, they adopted the approach of Naor and Yung (1990) who showed that how to go from CPA encryption to CCA1 encryption using non-interactive zero-knowledge proofs to the FHE setting. They gave a compact CCA1 secure FHE scheme from any CPA secure FHE scheme and a zero-knowledge succinct non-interactive argument of knowledge.

Our results and techniques

We focus on construction of CCA1 secure FHE schemes. Our starting point is the work of Canetti et al. (2017) who showed that CCA1-secure FHE scheme can be constructed from any multi-key IBFHE scheme. Our contributions are as follows:

1. 1.

   We analyse the multi-key IBFHE scheme from PIO that proposed by Canetti et al. (2017) and show that their scheme is not secure by giving an attack. We give a solution to avoid the above attack and point out a mistake in their security proof.

2. 2.

   We redesign a more succinct and efficient multi-key IBFHE scheme. Compared with the scheme of Canetti et al. (2017), ours has smaller secret key of one identity and more efficient homomorphic operations. The concrete comparison is showed in Table 1.

   Full size table

Our multi-key IBFHE scheme is constructed from trapdoor encryption scheme, PIO, and puncturable PRF. Our first observation is that IND-sID-CPA secure IBFHE scheme can be obtained from FHE scheme, IO, and puncturable PRF (Clear and McGoldrick 2014) using the technique of “punctured programming” (Sahai and Waters 2014). Concretely, we use the puncturable PRF for the derivation of a user’s public key from her identity. Our second observation is that FHE scheme can be obtained from trapdoor encryption scheme and PIO (Canetti et al. 2015). Combining these two techniques, we can obtain an IND-sID-CPA secure IBFHE scheme. For the construction of CCA1-secure FHE schemes, we need a multi-key IBFHE scheme which is selective security for random identities. Toward this aim, we should be able to compute on IBE ciphertexts that all use the same master public key, but different identities. To keep the compactness of our scheme, we require that the identity corresponding to a resulting ciphertext that after some computation has the same length as a fresh identity. The method in (Canetti et al. 2017) is to set the resulting identity to be XOR of the identities that involved in the computation. However, we show that this method can be used to break the security of their scheme. We use the idea of randomization to avoid the above problem.

Let λ denote a security parameter. When we speak of a negligible function negl(λ), we mean a function that is asymptotically bounded from above by the reciprocal of all polynomials in λ.

CCA1-Secure fully homomorphic encryption

Definition 1

((Canetti et al. 2017)) Let \(\mathcal {M}\) be a message space. A CCA1-secure FHE scheme is a tuple of polynomial time algorithms (Gen,Enc,Dec,Eval), defined as follows, which satisfy the correctness, compactness and security properties below.

• Gen(1^λ): a randomized algorithm which outputs a public key, secret key pair (pk,sk).

• Enc(pk,m): a randomized algorithm which outputs a ciphertext ct.

• Dec(sk,ct): an algorithm which outputs a message \(m\in \mathcal {M}\).

• Eval({ct_i},C): an algorithm which takes a collection of ciphertexts {ct_i} and a circuit C to be evaluated and outputs an evaluated ciphertext ct_eval.

Correctness: For any \(m\in \mathcal {M}\), (pk,sk)←Gen(1^λ),

Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (pk,sk)←Gen(1^λ), ct_i←Enc(pk,m_i)

Compactness: There exists a polynomial poly(·) such that |ct_eval|≤poly(λ) for all ct_eval←Eval({ct_i},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.

CCA1 Security: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1. 1.

   \(\mathcal {C}\) draws (pk,sk)←Gen(1^λ) and sends pk to \(\mathcal {A}\).

2. 2.

   For α=1,...,poly: \(\mathcal {A}\) sends ct_α to \(\mathcal {C}\); \(\mathcal {C}\) computes m_α=Dec(sk,ct_α) and returns m_α to \(\mathcal {A}\).

3. 3.

   \(\mathcal {A}\) sends \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {C}\).

4. 4.

   \(\mathcal {C}\) draws ct^∗←Enc(pk,m_b) for b←{0,1} and sends ct^∗ to \(\mathcal {A}\).

5. 5.

   \(\mathcal {A}\) outputs a guess bit b^′ and wins if b^′=b.

Remark 1

We say that a FHE scheme is leveled if it permits evaluation of circuits of a-priori bounded polynomial depth on encrypted data. In contrast, a FHE scheme is pure (or unleveled) if it permits evaluation of circuits of any depth.

Multi-key IBFHE

Definition 2

((Canetti et al. 2017)) Let \(\mathcal {M}, \mathcal {ID}\) be message and identity spaces. A multi-key identity-based fully homomorphic encryption scheme is a tuple of polynomial time algorithms (Setup,KeyGen,Enc,Dec,Eval), defined as follows, which satisfy the correctness and security properties below.

• Setup(1^λ): output the master key pair (mpk,msk).

• KeyGen(msk,id): output a secret key sk_id for the identity id.

• Enc(mpk,id,m): encrypt message m under identity id, and outputs (id,ct_id).

• Dec(sk_id,id,ct_id): decrypt ct_id using sk_id and outputs m.

• Eval({(id_i,ct_i)},C): take a family of ciphertexts and a circuit and outputs (id_eval,ct_eval).

Correctness: For any \(m\in \mathcal {M}, id\in \mathcal {ID}\), and (mpk,msk)←Setup(1^λ), sk_id←KeyGen(msk,id)

Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), \(\{{id}_{i}\}\in \mathcal {ID}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (mpk,msk)←Setup(1^λ), sk_i←KeyGen(msk,id_i), ct_i←Enc(mpk,id_i,m_i)

where sk_eval←KeyGen(msk,id_eval).

Compactness: There exists a polynomial poly(·) such that |id_eval|,|ct_eval|≤poly(λ) for all id_eval,ct_eval←Eval({(id_i,ct_i)},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.

Selective Security for Random Identities: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1. 1.

   \(\mathcal {C}\) draws \(id^{\ast }\leftarrow \mathcal {ID}\) and (mpk,msk)←Setup(1^λ), sends mpk to \(\mathcal {A}\).

2. 2.

   \(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by \(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);}\\ \bot, & \text {otherwise.} \end {array} \right. \)

3. 3.

   \(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).

4. 4.

   \(\mathcal {C}\) uniformly samples a bit b←{0,1}, and returns ct^∗←Enc(mpk,id^∗,m_b).

5. 5.

   \(\mathcal {A}\) outputs a guess bit b^′ and wins if b^′=b.

CCA1 FHE from multi-key IBFHE

Let E be a multi-key IBFHE scheme. Then the construction of CCA1 secure FHE is as follows (Canetti et al. 2017).

• Gen(1^λ):Output (pk,sk)=(mpk,msk)←E.Setup(1^λ).

• Enc(pk,m): Draw \(id\leftarrow \mathcal {ID}\) and compute \(\phantom {\dot {i}\!}{ct}_{id}\leftarrow \text {E.Enc}(mpk,id,m)\). Output ct=(id,ct_id).

• Dec(sk,ct): Parse ct=(id,ct_id). Compute sk_id←E.KenGen(msk,id), and output m=E.Dec(sk_id,id,ct_id).

• Eval({ct_i},C): Parse \(\phantom {\dot {i}\!}{ct}_{i}=({id}_{i},{ct}_{{id}_{i}})\). Output \({ct}_{eval}=({id}_{eval}, \mathsf {E}.{ct}_{eval})\leftarrow \text {E.Eval}(\{({id}_{i},{ct}_{{id}_{i}})\}, C)\).

Lemma 1

The above scheme is a CCA1-secure FHE scheme.

The proof of this lemma can be found in (Canetti et al. 2017) and (Boneh et al. 2007).

Trapdoor encryption schemes

Definition 3

((Canetti et al. 2015)) An encryption scheme \(\prod =(\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec},\mathsf {tKeyGen})\) is a trapdoor encryption scheme, if (KeyGen,Enc,Dec) is a CPA-secure encryption scheme and the trapdoor key generation algorithm tKeyGen satisfies the following additional properties:

Trapdoor Public Keys: The following two ensembles are indistinguishable

Computational Hiding: The following two ensembles are indistinguishable

where m₀,m₁ are two distinct messages.

The basic trapdoor encryption scheme does not provide any advantage in the trapdoor mode than the honest mode. Obviously, any CPA secure encryption scheme implies a trapdoor encryption scheme. The following are two stronger variants.

μ-Hiding Trapdoor Encryption Scheme The distinguishing advantage of the two ensembles in the computational hiding property of the above definition is replaced by some μ(λ). Typically, μ(λ) is much smaller than the inverse exponentiation of the ciphertext length. Canetti et al. (2015) showed that μ-hiding trapdoor encryption scheme can be constructed from any μ-rerandomizable CPA encryption scheme.

Statistical Trapdoor Encryption Scheme The computational hiding property in the above definition is replaced by statistical hiding. Note that any lossy encryption scheme implies a statistical trapdoor encryption scheme.

Probabilistic indistinguishability obfuscation (PIO)

Probabilistic Indistinguishability Obfuscation (PIO) A notion that was recently introduced by Canetti et al. (2015). Roughly speaking, this is an obfuscator for probabilistic circuits with the guarantee that the obfuscations of any two “equivalent” circuits are computationally indistinguishable. Before formally defining PIO, we introduce some relevant notions. Let \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of sets of (randomized) circuits, where \(\mathcal {C}_{\lambda }\) contains circuits of size poly (λ). A circuit sampler for \(\mathcal {C}\) is a distribution ensemble \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) where the distribution D_λ ranges over triples (C₀,C₁,z) with \(C_{0}, C_{1}\in \mathcal {C}_{\lambda }\) such that C₀,C₁ take inputs of the same length, and z∈{0,1}^poly(λ). Moreover, a class S of samplers for \(\mathcal {C}\) is a set of circuit samplers for \(\mathcal {C}\).

Definition 4

((Canetti et al. 2015)) A uniform PPT machine \(pi\mathcal {O}\) is an indistinguishability obfuscator for a class of samplers S over the (potentially randomized) circuit family \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) if the following two conditions hold:

Correctness:\(pi\mathcal {O}\) on input a (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\) and the security parameter \(\lambda \in \mathbb {N}\) (in unary), outputs a deterministic circuit Λ of size poly (|C|,λ). Furthermore, for every non-uniform PPT distinguisher \(\mathcal {D}\), every (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\), and string z, we define the following two experiments:

• Exp\(_{\mathcal {D}}^{1}(1^{\lambda },C,z)\): \(\mathcal {D}\) on input 1^λ,C,z, participates in an unbounded number of iterations of his choice. In iteration i, it chooses an input x_i; if x_i is the same as any of the previously chosen input x_j for j<i, then abort; otherwise, \(\mathcal {D}\) receives C(x_i;r_i) using fresh random coins r_i (r_i = null if C is deterministic). At the end of all iterations, \(\mathcal {D}\) outputs a bit b. (Note that \(\mathcal {D}\) can keep state across iterations.)

• Exp\(_{\mathcal {D}}^{2}(1^{\lambda },C,z)\): Obfuscate circuit C to obtain \(\Lambda \leftarrow pi\mathcal {O}(1^{\lambda },C;r)\) using fresh random coins r. Run \(\mathcal {D}\) as described above, except that in each iteration, feed \(\mathcal {D}\) with Λ(x_i) instead.

Overload the notation Exp\(_{\mathcal {D}}^{i}(1^{\lambda },C,z)\)as the output of \(\mathcal {D}\)in experiment Exp\(_{\mathcal {D}}^{i}\). We require that for every non-uniform PPT distinguisher \(\mathcal {D}\), there is a negligible function μ, such that, for every \(\lambda \in \mathbb {N}\), every \(C\in \mathcal {C}_{\lambda }\), and every auxiliary input z∈{0,1}^poly(λ),

Security with Respect to S: For every sampler \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\in \mathbf {S}\), and for every non-uniform PPT machine \(\mathcal {A}\), there exists a negligible function μ such that

Puncturable Pseudorandom functions

In our construction, we will use the puncturable PRFs, which are PRFs that can be defined on all bit strings of a certain length, except for some polynomial-size set of inputs. Below we recall their definition, as given by Sahai and Waters (2014):

Definition 5

A puncturable family of PRFs F is given by a triple of Turing machines Key,Puncture,Eval, and a pair of computable functions n(·) and m(·), satisfying the following conditions:

• (Functionality preserved under puncturing.) For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^{\lambda })\) outputs a set S⊆{0,1}^n(λ), then for all x∈{0,1}^n(λ) where x∉S, we have that:

  $$ \begin{aligned} &\text{Pr}\left[\mathsf{Eval}(K,x)=\mathsf{Eval}(K_{S},x):K\leftarrow\mathsf{Key}(1^{\lambda}), K_{S}\right.\\ &\qquad\qquad\qquad\left.=\mathsf{Puncture}(K,S)\right]=1. \end{aligned} $$

• (Pseudorandom at punctured points.) For every PPT adversary \((\mathcal {A}_{1},\mathcal {A}_{2})\) such that \(\mathcal {A}_{1}(1^{\lambda })\) outputs a set S⊆{0,1}^n(λ) and any x∈S, consider an experiment where K←Key(1^λ) and K_S=Puncture(K,S). Then we have

  $$\begin{array}{*{20}l} |\Pr[\mathcal{A}_{2}(K_{S},x,\mathsf{Eval}(K,x))&=1]- \Pr[\mathcal{A}_{2}(K_{S},x,U_{m(\lambda)}) \\ &=1]|\leq\text{negl}(\lambda), \end{array} $$

  where U_m(λ) denotes the uniform distribution over m(λ) bits.

In PKC 2017, Canetti et al. (2017) constructed a multi-key IBFHE scheme from statistical trapdoor encryption, PIO, and puncturable PRF. Their key ideas are borrowed from works of Canetti et al. (2015) and Dodis et al. (2016). Firstly, they constructed a tag-puncturable additively homomorphic encryption scheme. For homomorphic computations, they use the method in (Dodis et al. 2016). Concretely, assume C is an algebraic circuit with n input, they first split every ciphertext into n ciphertexts corresponding to n identities. For an addition gate, they carry out n homomorphic additions and obtain n ciphertexts. For a multiplication gate, they first execute n² homomorphic computations obtaining 2n² ciphertexts and then execute n homomorphic computations obtaining n ciphertexts. Finally, at the output gate, they combine the resulting n ciphertexts to obtain the final ciphertext. The identity corresponding to the final ciphertext is XOR of n identities in the input, i.e. \(\mathbf {{id}_{eval}=\bigoplus {id}_{i}}\). There is a problem arising here. We give an attack in the following to show that this scheme is not secure.

Attack Our attack is as follows:

1. 1.

   The adversary \(\mathcal {A}\) queries a secret key of one identity sk_α for some identity id_α.

2. 2.

   \(\mathcal {A}\) receives the challenge ciphertext ct^∗ which encrypts m_b under identity id^∗.

3. 3.

   \(\mathcal {A}\) computes a ciphertext ct_m of some message m under identity \({id}_{\beta }\triangleq {id}_{\alpha } \oplus id^{\ast }\).

4. 4.

   \(\mathcal {A}\) homomorphicly adds ct_m with ct^∗ and obtains a ciphertext ct^∗∗ which encrypts m+m_b under identity id_β⊕id^∗=id_α.

5. 5.

   \(\mathcal {A}\) decrypts ct^∗∗ using sk_α and obtains message m+m_b.

6. 6.

   \(\mathcal {A}\) obtains the challenge plaintext m_b by subtracting m from the above message.

7. 7.

   \(\mathcal {A}\) compares m_b with m₀,m₁ and obtains the value of b with probability 1.

To resist the above attack, we use the idea of randomization. In particular, for every gate of the circuit, we set the identity of the output ciphertext to be a random identity. In this case, after the adversary \(\mathcal {A}\) performs some computation on the challenge ciphertext ct^∗, the identity corresponding to the final ciphertext will be completely random, hence the probability that it is same as some identity id_α for which \(\mathcal {A}\) has queried corresponding secret key of one identity sk_α is negligible.

We think there is a mistake in their security proof which exists in the last step of Proof of Claim 3. Concretely, we think the two games G₃ and G₄ are not indistinguishable, because when taking a ciphertext with tag (id^∗,i−1) as input, the two obfuscations in G₃ will output the encryptions of 0, but in G₄ they will output “abort”.

Besides the above security flaw, their scheme also has the following two drawbacks:

1. 1.

   The secret key of one identity is an obfuscation of some decryption circuit, which is very large;

2. 2.

   For a circuit with n inputs consisting of addition gates and multiplication gates, the numbers of computation for each addition gate and multiplication gate in their scheme are n and n²+n respectively, which are very inefficient.

In the following section, we propose our Multi-key IBFHE scheme, which eliminates the above drawbacks.

• Setup(1^λ): Let E be a trapdoor encryption scheme. Assume the message space \(\mathcal {M}\) and identity space \(\mathcal {ID}\) of our multi-key IBFHE are a ring and {0,1}^k, respectively. Assume E has the same message space \(\mathcal {M}\). Let \(pi\mathcal {O}\) be a PIO scheme and \(\mathcal {F}\) be a puncturable PRF.

  Sample a PRF key K. Let P_map[K] be the following program:

  1. 1.

     K is hardwired, take input id∈{0,1}^k;

  2. 2.

     Compute \(r_{id}=\mathcal {F}_{K}(id)\);

  3. 3.

     Compute (pk_id,sk_id)=E.Gen(1^λ,r_id);

  4. 4.

     Output pk_id.

  Let P_add[K] and P_mult[K] be the following probabilistic programs:

  1. 1.

     K is hardwired into both, both take inputs \(({id}_{1},{ct}_{1}),({id}_{2},{ct}_{2})\in \{0,1\}^{k}\times \mathsf {E}.\mathcal {CT}\);

  2. 2.

     Compute \(({pk}_{{id}_{i}}, {sk}_{{id}_{i}})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}({id}_{i}))\) for i=1,2;

  3. 3.

     Compute \(\phantom {\dot {i}\!}m_{i}=\text {E.Dec}({sk}_{{id}_{i}}, {ct}_{i})\) for i=1,2;

  4. 4.

     Sample r←{0,1}^k and set id_out=r, compute \(({pk}_{{id}_{out}}, {sk}_{{id}_{out}})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}({id}_{out}))\)

  5. 5.

     Now the programs differ:

     P_add[K]: Draw \({ct}_{out}\leftarrow \text {E.Enc}({pk}_{{id}_{out}}, m_{1}+m_{2})\), output (id_out,ct_out).

     P_mult[K]: Draw \({ct}_{out}\leftarrow \text {E.Enc}({pk}_{{id}_{out}}, m_{1}\times m_{2})\), output (id_out,ct_out).

  Let \(\mathcal {O}_{map}[K]\leftarrow pi\mathcal {O}(P_{map}[K])\), \(\mathcal {O}_{add}[K]\leftarrow pi\mathcal {O}(P_{add}[K])\) and \(\mathcal {O}_{mult}[K]\leftarrow pi\mathcal {O}(P_{mult}[K])\). Set msk=K and \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\).

• KeyGen(msk,id): Parse msk=K. Compute \(({pk}_{id}, {sk}_{id})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}(id))\) and output sk_id.

• Enc(mpk,id,m): Parse \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\), compute \({pk}_{id}=\mathcal {O}_{map}[K](id)\). Draw ct_id←E.Enc(pk_id,m) and output (id,ct_id).

• Dec(sk_id,id,ct_id): Output m=E.Dec(sk_id,ct_id).

• Eval(mpk,(id₁,ct₁),...,(id_t,ct_t),C): Parse \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\), view C as an algebraic circuit consisting of addition gates g₊ and multiplication gates g_× over the message space \(\mathcal {M}\). We process the circuit gate by gate, let u, v be encryption of the input values of some gate. For an addition gate g₊, evaluate g₊ homomorhpically by computing \(w=\mathcal {O}_{add}[K](u,v)\); For a multiplication gate g_×, evaluate g_× homomorhpically by computing \(w=\mathcal {O}_{mult}[K](u,v)\).

Lemma 2

If E is a trapdoor encryption scheme, \(pi\mathcal {O}\) is a PIO scheme and \(\mathcal {F}\) is a puncturable PRF, then the above scheme is a multi-key IBFHE scheme which is fully compact and unleveled.

Proof

Correctness and homomorphic correctness follow immediately from correctness of E and \(pi\mathcal {O}\).

For security, we show that for any PPT adversary \(\mathcal {A}\), its chance of winning the multi-key IBFHE selective security game for random identities is at most 1/2+negl. We use a hybrid argument.

Game 0: This is the original multi-key IBFHE selective security game for random identities.

1. 1.

   \(\mathcal {C}\) draws id^∗←{0,1}^k and (mpk,msk)←Setup(1^λ), sends mpk to \(\mathcal {A}\).

2. 2.

   \(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by

   \(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);} \\ \bot, & \text {otherwise.} \end {array} \right. \)

3. 3.

   \(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).

4. 4.

   \(\mathcal {C}\) uniformly samples a bit b←{0,1}, and returns ct^∗←Enc(mpk,id^∗,m_b).

5. 5.

   \(\mathcal {A}\) outputs a guess bit b^′ and wins if b^′=b.

Game 1: This is the same as Game 0 except for the following changes. \(\mathcal {C}\) computes K^∗←PRF.Puncture(K,id^∗) and answer secret key queries using K^∗ instead of K.

The adversary cannot detect any difference between Game 0 and Game 1, since for all id≠id^∗ it holds that \(\mathcal {F}_{K}(id)=\mathcal {F}_{K^{\ast }}(id)\).

Game 2: This is the same as Game 1 except that we make the following changes to P_add[ K] and P_mult[ K]:

1. 1.

   Replace K with K^∗. id^∗ and \(\mathcal {F}_{K}(id^{\ast })\) is also hardwired.

2. 2.

   In step 2, if id_i=id^∗, then use \(\mathcal {F}_{K}(id^{\ast })\) instead of \(\mathcal {F}_{K^{\ast }}({id}_{i})\); In step 4, if id_out=id^∗, then use \(\mathcal {F}_{K}(id^{\ast })\) instead of \(\mathcal {F}_{K^{\ast }}({id}_{out})\).

Note that the modified programs is functionally equivalent to P_add[ K] and P_mult[ K], and due to the security of PIO, their respective obfuscations are thus computationally indistinguishable. So Game 1 and Game 2 are computationally indistinguishable.

Game 3: This is the same as Game 2 except that we make the following changes to P_map[ K]:

1. 1.

   Replace K with K^∗. id^∗ and \(\mathcal {F}_{K}(id^{\ast })\) is also hardwired.

2. 2.

   In step 2, if id=id^∗, then sample r←{0,1}ⁿ where \(n=|\mathcal {F}_{K}(id^{\ast })|\), and set r_id=r.

By the security of the puncturable PRF, we have that the following two distributions are computationally indistinguishable.

Due to the security of PIO, it follows that Game 2 and Game 3 are computationally indistinguishable.

Game 4: This is the same as Game 3 except that we make futher changes to P_map[ K]:

1. 1.

   If id=id^∗, then output tpk←E.tGen(1^λ).

Due to the key-indistinguishability of trapdoor encryption scheme E, the output distributions of the program P_map[K] in Game 3 and Game 4 are close, and hence, the security of PIO implies that the obfuscations of the programs are also indistinguishable (even given the punctured key). It follows that Game 3 and Game 4 are computationally indistinguishable.

In Game 4, due to the hiding property in the trapdoor mode of trapdoor encryption scheme E, the success advantage of adversary \(\mathcal {A}\) in this Game is negligible. This completes our proof of security. □

In our multi-key IBFHE scheme, secret key of one identity is a normal secret key, which is much smaller than that of Canetti et al.’s scheme; the numbers of computation for each addition gate and multiplication gate are all 1 instead of n and n²+n in Canetti et al.’s scheme.

Combining Lemma 2 with Lemma 1 we get the following result immediately.

Theorem 1

If there exists PIO, a trapdoor encryption scheme, and a puncturable PRF, then there is a CCA1 secure FHE scheme which is fully compact and unleveled.

In this work, we focus on construction of CCA1 secure FHE schemes. Our starting point is the work of Canetti et al. (2017) who showed that CCA1-secure FHE scheme can be constructed from any multi-key IBFHE scheme. We analysed the multi-key IBFHE scheme from PIO that proposed by Canetti et al. (2017) and showed that their scheme is not secure by giving an attack. We gave a solution to avoid the above attack and redesigned a more succinct and efficient multi-key identity-based FHE scheme. Thus we obtained a more efficient CCA1 secure FHE scheme.

Funding

This work was supported by National Natural Science Foundation of China [grant number 61472414,61772514,61602061], and National Key R&D Program of China (2017YFB1400700).

Authors and Affiliations

1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

   Biao Wang, Xueqing Wang & Rui Xue

2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, 100049, China

   Biao Wang, Xueqing Wang & Rui Xue

Contributions

The first author conceived the idea of the study and wrote the paper. All authors discussed the results and revised the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Biao Wang.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and Permissions