 Research
 Open Access
 Published:
CCA1 secure FHE from PIO, revisited
Cybersecurityvolume 1, Article number: 11 (2018)
Abstract
Fully data using only public information. So far, most FHE schemes are CPA secure. In PKC 2017, Canetti et al. extended the generic transformation of Boneh, Canetti, Halevi and Katz to turn any multikey identitybased FHE scheme into a CCA1secure FHE scheme. Their main construction of multikey identitybased FHE is from probabilistic indistinguishability obfuscation (PIO) and statistical trapdoor encryption.
We show that the above multikey identitybased FHE is not secure by giving an attack. Then we give a solution to avoid the attack and redesign a more succinct and efficient multikey identitybased FHE scheme. Compared with the scheme of Canetti et al., ours has smaller secret key of one identity and more efficient homomorphic operations. Thus we obtain a more efficient CCA1 secure FHE scheme.
Introduction
Fully homomorphic encryption (FHE) is one of the holy grails of modern cryptography. For short, a FHE scheme is an encryption scheme that allows anyone to perform arbitrary computations on encrypted data using only public information. With this fascinating feature, FHE has many theoretical and practical applications, a typical one of which is outsourcing computation to untrusted entities without compromising one’s privacy. The basic security property considered for FHE is security against chosen plaintext attacks (CPA), where it is required that an adversary that has access to the public parameters cannot distinguish between ciphertexts that encrypt two plaintexts chosen by the adversary.
The notion of FHE is introduced by Rivest, Adleman and Dertouzos (Rivest et al. 1978) in 1978. But the first candidate scheme, Gentry’s groundbreaking work in 2009 (Gentry 2009a; 2009b), came 30 years later. While Gentry’s work is a major breakthrough, it is far from efficient in the practical point of view. Since 2009, a lot of designs (van Dijk et al. 2010; Smart and Vercauteren 2010; Brakerski and Vaikuntanathan 2011a, b; Smart and Vercauteren 2014; Brakerski et al. 2012; Brakerski 2012; Gentry et al. 2012a, b, 2013) have been proposed towards more efficient FHE. All the above FHE schemes are only proven to be CPA secure.
The security against chosen ciphertext attacks, also called CCA security (Naor and Yung 1990) which requires that ciphertexts indistinguishability holds even when the adversary can make decryption queries. CCA security contains two kinds: the first one is CCA1, where the adversary is limited to make decryption queries before she receives the challenge ciphertext; the second one is CCA2, where the adversary can make decryption queries even after she receives the challenge ciphertext. CCA2 security prevents any meaningful change of a given ciphertext, and so appears to be in direct contradiction with homomorphism, but CCA1 is not. For example, the CramerShouplite (Cramer and Shoup 1998) scheme is both CCA1secure and additively homomorphic. However, several works (Loftus et al. 2010; Zhang et al. 2012; Dahab et al. 2015) show CCA1 attacks against some existing FHE schemes.
Related work
In PKC 2016, Lai et al. (2016) first introduced a new primitive called convertible identitybased fully homomorphic encryption (IBFHE), which is an IBFHE with an additional transformation functionality. Based on this new primitive, INDsIDCPAsecure convertible IBFHE, and strongly EUFCMAsecure signature, they proposed a generic paradigm of constructing CCAsecure keyedFHE (a CCAsecure keyedFHE scheme should provide CCA security when the evaluation key is unavailable to the adversary and remain CPAsecure when the evaluation key is exposed) by modifying CHK transformation (Canetti et al. 2004) slightly. Finally, they proposed a concrete construction of INDsIDCPAsecure convertible IBFHE from adaptivelysecure IBE scheme (Agrawal et al. 2010), indistinguishability obfuscation (IO) (Sahai and Waters 2014), and Puncturable PRF (Sahai and Waters 2014).
In PKC 2017, Canetti et al. (2017) extended the generic transformation of Boneh, Canetti, Halevi and Katz (Boneh et al. 2007) to turn any multikey IBFHE scheme into a CCA1secure FHE scheme. They gave three instantiations of multikey IBFHE: The first one is a generic construction from multikey FHE and IBE due to Brakerski et al. (2016); The second one is from LWE in the random oracle model, and the third one is from subexponentially secure IO (which is used to construct PIO). The first two constructions are compact with respect to the function evaluated homomorphically but not compact with respect to the number of ciphertext involved in the homomorphic evaluation. The third construction from PIO is fully compact and unleveled, which is their main construction. Finally, they adopted the approach of Naor and Yung (1990) who showed that how to go from CPA encryption to CCA1 encryption using noninteractive zeroknowledge proofs to the FHE setting. They gave a compact CCA1 secure FHE scheme from any CPA secure FHE scheme and a zeroknowledge succinct noninteractive argument of knowledge.
Our results and techniques
We focus on construction of CCA1 secure FHE schemes. Our starting point is the work of Canetti et al. (2017) who showed that CCA1secure FHE scheme can be constructed from any multikey IBFHE scheme. Our contributions are as follows:

1.
We analyse the multikey IBFHE scheme from PIO that proposed by Canetti et al. (2017) and show that their scheme is not secure by giving an attack. We give a solution to avoid the above attack and point out a mistake in their security proof.

2.
We redesign a more succinct and efficient multikey IBFHE scheme. Compared with the scheme of Canetti et al. (2017), ours has smaller secret key of one identity and more efficient homomorphic operations. The concrete comparison is showed in Table 1.
Our multikey IBFHE scheme is constructed from trapdoor encryption scheme, PIO, and puncturable PRF. Our first observation is that INDsIDCPA secure IBFHE scheme can be obtained from FHE scheme, IO, and puncturable PRF (Clear and McGoldrick 2014) using the technique of “punctured programming” (Sahai and Waters 2014). Concretely, we use the puncturable PRF for the derivation of a user’s public key from her identity. Our second observation is that FHE scheme can be obtained from trapdoor encryption scheme and PIO (Canetti et al. 2015). Combining these two techniques, we can obtain an INDsIDCPA secure IBFHE scheme. For the construction of CCA1secure FHE schemes, we need a multikey IBFHE scheme which is selective security for random identities. Toward this aim, we should be able to compute on IBE ciphertexts that all use the same master public key, but different identities. To keep the compactness of our scheme, we require that the identity corresponding to a resulting ciphertext that after some computation has the same length as a fresh identity. The method in (Canetti et al. 2017) is to set the resulting identity to be XOR of the identities that involved in the computation. However, we show that this method can be used to break the security of their scheme. We use the idea of randomization to avoid the above problem.
Preliminaries
Let λ denote a security parameter. When we speak of a negligible function negl(λ), we mean a function that is asymptotically bounded from above by the reciprocal of all polynomials in λ.
CCA1Secure fully homomorphic encryption
Definition 1
((Canetti et al. 2017)) Let \(\mathcal {M}\) be a message space. A CCA1secure FHE scheme is a tuple of polynomial time algorithms (Gen,Enc,Dec,Eval), defined as follows, which satisfy the correctness, compactness and security properties below.

Gen(1^{λ}): a randomized algorithm which outputs a public key, secret key pair (pk,sk).

Enc(pk,m): a randomized algorithm which outputs a ciphertext ct.

Dec(sk,ct): an algorithm which outputs a message \(m\in \mathcal {M}\).

Eval({ct_{i}},C): an algorithm which takes a collection of ciphertexts {ct_{i}} and a circuit C to be evaluated and outputs an evaluated ciphertext ct_{eval}.
Correctness: For any \(m\in \mathcal {M}\), (pk,sk)←Gen(1^{λ}),
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (pk,sk)←Gen(1^{λ}), ct_{i}←Enc(pk,m_{i})
Compactness: There exists a polynomial poly(·) such that ct_{eval}≤poly(λ) for all ct_{eval}←Eval({ct_{i}},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.
CCA1 Security: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1.
\(\mathcal {C}\) draws (pk,sk)←Gen(1^{λ}) and sends pk to \(\mathcal {A}\).

2.
For α=1,...,poly: \(\mathcal {A}\) sends ct_{α} to \(\mathcal {C}\); \(\mathcal {C}\) computes m_{α}=Dec(sk,ct_{α}) and returns m_{α} to \(\mathcal {A}\).

3.
\(\mathcal {A}\) sends \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {C}\).

4.
\(\mathcal {C}\) draws ct^{∗}←Enc(pk,m_{b}) for b←{0,1} and sends ct^{∗} to \(\mathcal {A}\).

5.
\(\mathcal {A}\) outputs a guess bit b^{′} and wins if b^{′}=b.
Remark 1
We say that a FHE scheme is leveled if it permits evaluation of circuits of apriori bounded polynomial depth on encrypted data. In contrast, a FHE scheme is pure (or unleveled) if it permits evaluation of circuits of any depth.
Multikey IBFHE
Definition 2
((Canetti et al. 2017)) Let \(\mathcal {M}, \mathcal {ID}\) be message and identity spaces. A multikey identitybased fully homomorphic encryption scheme is a tuple of polynomial time algorithms (Setup,KeyGen,Enc,Dec,Eval), defined as follows, which satisfy the correctness and security properties below.

Setup(1^{λ}): output the master key pair (mpk,msk).

KeyGen(msk,id): output a secret key sk_{id} for the identity id.

Enc(mpk,id,m): encrypt message m under identity id, and outputs (id,ct_{id}).

Dec(sk_{id},id,ct_{id}): decrypt ct_{id} using sk_{id} and outputs m.

Eval({(id_{i},ct_{i})},C): take a family of ciphertexts and a circuit and outputs (id_{eval},ct_{eval}).
Correctness: For any \(m\in \mathcal {M}, id\in \mathcal {ID}\), and (mpk,msk)←Setup(1^{λ}), sk_{id}←KeyGen(msk,id)
Homomorphic Correctness: For any \(\{m_{i}\}\in \mathcal {M}^{\text {poly}(\lambda)}\), \(\{{id}_{i}\}\in \mathcal {ID}^{\text {poly}(\lambda)}\), circuit C of polynomial size, and (mpk,msk)←Setup(1^{λ}), sk_{i}←KeyGen(msk,id_{i}), ct_{i}←Enc(mpk,id_{i},m_{i})
where sk_{eval}←KeyGen(msk,id_{eval}).
Compactness: There exists a polynomial poly(·) such that id_{eval},ct_{eval}≤poly(λ) for all id_{eval},ct_{eval}←Eval({(id_{i},ct_{i})},C). In particular, poly(·) is independent of the size, depth or number of inputs to C.
Selective Security for Random Identities: For any PPT adversary \(\mathcal {A}\), its chance of winning the following game against a challenger \(\mathcal {C}\) is at most 1/2+negl.

1.
\(\mathcal {C}\) draws \(id^{\ast }\leftarrow \mathcal {ID}\) and (mpk,msk)←Setup(1^{λ}), sends mpk to \(\mathcal {A}\).

2.
\(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by \(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);}\\ \bot, & \text {otherwise.} \end {array} \right. \)

3.
\(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).

4.
\(\mathcal {C}\) uniformly samples a bit b←{0,1}, and returns ct^{∗}←Enc(mpk,id^{∗},m_{b}).

5.
\(\mathcal {A}\) outputs a guess bit b^{′} and wins if b^{′}=b.
CCA1 FHE from multikey IBFHE
Let E be a multikey IBFHE scheme. Then the construction of CCA1 secure FHE is as follows (Canetti et al. 2017).

Gen(1^{λ}):Output (pk,sk)=(mpk,msk)←E.Setup(1^{λ}).

Enc(pk,m): Draw \(id\leftarrow \mathcal {ID}\) and compute \(\phantom {\dot {i}\!}{ct}_{id}\leftarrow \text {E.Enc}(mpk,id,m)\). Output ct=(id,ct_{id}).

Dec(sk,ct): Parse ct=(id,ct_{id}). Compute sk_{id}←E.KenGen(msk,id), and output m=E.Dec(sk_{id},id,ct_{id}).

Eval({ct_{i}},C): Parse \(\phantom {\dot {i}\!}{ct}_{i}=({id}_{i},{ct}_{{id}_{i}})\). Output \({ct}_{eval}=({id}_{eval}, \mathsf {E}.{ct}_{eval})\leftarrow \text {E.Eval}(\{({id}_{i},{ct}_{{id}_{i}})\}, C)\).
Lemma 1
The above scheme is a CCA1secure FHE scheme.
The proof of this lemma can be found in (Canetti et al. 2017) and (Boneh et al. 2007).
Trapdoor encryption schemes
Definition 3
((Canetti et al. 2015)) An encryption scheme \(\prod =(\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec},\mathsf {tKeyGen})\) is a trapdoor encryption scheme, if (KeyGen,Enc,Dec) is a CPAsecure encryption scheme and the trapdoor key generation algorithm tKeyGen satisfies the following additional properties:
Trapdoor Public Keys: The following two ensembles are indistinguishable
Computational Hiding: The following two ensembles are indistinguishable
where m_{0},m_{1} are two distinct messages.
The basic trapdoor encryption scheme does not provide any advantage in the trapdoor mode than the honest mode. Obviously, any CPA secure encryption scheme implies a trapdoor encryption scheme. The following are two stronger variants.
μHiding Trapdoor Encryption Scheme The distinguishing advantage of the two ensembles in the computational hiding property of the above definition is replaced by some μ(λ). Typically, μ(λ) is much smaller than the inverse exponentiation of the ciphertext length. Canetti et al. (2015) showed that μhiding trapdoor encryption scheme can be constructed from any μrerandomizable CPA encryption scheme.
Statistical Trapdoor Encryption Scheme The computational hiding property in the above definition is replaced by statistical hiding. Note that any lossy encryption scheme implies a statistical trapdoor encryption scheme.
Probabilistic indistinguishability obfuscation (PIO)
Probabilistic Indistinguishability Obfuscation (PIO) A notion that was recently introduced by Canetti et al. (2015). Roughly speaking, this is an obfuscator for probabilistic circuits with the guarantee that the obfuscations of any two “equivalent” circuits are computationally indistinguishable. Before formally defining PIO, we introduce some relevant notions. Let \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of sets of (randomized) circuits, where \(\mathcal {C}_{\lambda }\) contains circuits of size poly (λ). A circuit sampler for \(\mathcal {C}\) is a distribution ensemble \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\) where the distribution D_{λ} ranges over triples (C_{0},C_{1},z) with \(C_{0}, C_{1}\in \mathcal {C}_{\lambda }\) such that C_{0},C_{1} take inputs of the same length, and z∈{0,1}^{poly(λ)}. Moreover, a class S of samplers for \(\mathcal {C}\) is a set of circuit samplers for \(\mathcal {C}\).
Definition 4
((Canetti et al. 2015)) A uniform PPT machine \(pi\mathcal {O}\) is an indistinguishability obfuscator for a class of samplers S over the (potentially randomized) circuit family \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) if the following two conditions hold:
Correctness:\(pi\mathcal {O}\) on input a (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\) and the security parameter \(\lambda \in \mathbb {N}\) (in unary), outputs a deterministic circuit Λ of size poly (C,λ). Furthermore, for every nonuniform PPT distinguisher \(\mathcal {D}\), every (potentially probabilistic) circuit \(C\in \mathcal {C}_{\lambda }\), and string z, we define the following two experiments:

Exp\(_{\mathcal {D}}^{1}(1^{\lambda },C,z)\): \(\mathcal {D}\) on input 1^{λ},C,z, participates in an unbounded number of iterations of his choice. In iteration i, it chooses an input x_{i}; if x_{i} is the same as any of the previously chosen input x_{j} for j<i, then abort; otherwise, \(\mathcal {D}\) receives C(x_{i};r_{i}) using fresh random coins r_{i} (r_{i} = null if C is deterministic). At the end of all iterations, \(\mathcal {D}\) outputs a bit b. (Note that \(\mathcal {D}\) can keep state across iterations.)

Exp\(_{\mathcal {D}}^{2}(1^{\lambda },C,z)\): Obfuscate circuit C to obtain \(\Lambda \leftarrow pi\mathcal {O}(1^{\lambda },C;r)\) using fresh random coins r. Run \(\mathcal {D}\) as described above, except that in each iteration, feed \(\mathcal {D}\) with Λ(x_{i}) instead.
Overload the notation Exp\(_{\mathcal {D}}^{i}(1^{\lambda },C,z)\)as the output of \(\mathcal {D}\)in experiment Exp\(_{\mathcal {D}}^{i}\). We require that for every nonuniform PPT distinguisher \(\mathcal {D}\), there is a negligible function μ, such that, for every \(\lambda \in \mathbb {N}\), every \(C\in \mathcal {C}_{\lambda }\), and every auxiliary input z∈{0,1}^{poly(λ)},
Security with Respect to S: For every sampler \(D=\{D_{\lambda }\}_{\lambda \in \mathbb {N}}\in \mathbf {S}\), and for every nonuniform PPT machine \(\mathcal {A}\), there exists a negligible function μ such that
Puncturable Pseudorandom functions
In our construction, we will use the puncturable PRFs, which are PRFs that can be defined on all bit strings of a certain length, except for some polynomialsize set of inputs. Below we recall their definition, as given by Sahai and Waters (2014):
Definition 5
A puncturable family of PRFs F is given by a triple of Turing machines Key,Puncture,Eval, and a pair of computable functions n(·) and m(·), satisfying the following conditions:

(Functionality preserved under puncturing.) For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^{\lambda })\) outputs a set S⊆{0,1}^{n(λ)}, then for all x∈{0,1}^{n(λ)} where x∉S, we have that:
$$ \begin{aligned} &\text{Pr}\left[\mathsf{Eval}(K,x)=\mathsf{Eval}(K_{S},x):K\leftarrow\mathsf{Key}(1^{\lambda}), K_{S}\right.\\ &\qquad\qquad\qquad\left.=\mathsf{Puncture}(K,S)\right]=1. \end{aligned} $$ 
(Pseudorandom at punctured points.) For every PPT adversary \((\mathcal {A}_{1},\mathcal {A}_{2})\) such that \(\mathcal {A}_{1}(1^{\lambda })\) outputs a set S⊆{0,1}^{n(λ)} and any x∈S, consider an experiment where K←Key(1^{λ}) and K_{S}=Puncture(K,S). Then we have
$$\begin{array}{*{20}l} \Pr[\mathcal{A}_{2}(K_{S},x,\mathsf{Eval}(K,x))&=1] \Pr[\mathcal{A}_{2}(K_{S},x,U_{m(\lambda)}) \\ &=1]\leq\text{negl}(\lambda), \end{array} $$where U_{m(λ)} denotes the uniform distribution over m(λ) bits.
Review of PIO based multikey IBFHE proposed by Canetti et al. (2017)
In PKC 2017, Canetti et al. (2017) constructed a multikey IBFHE scheme from statistical trapdoor encryption, PIO, and puncturable PRF. Their key ideas are borrowed from works of Canetti et al. (2015) and Dodis et al. (2016). Firstly, they constructed a tagpuncturable additively homomorphic encryption scheme. For homomorphic computations, they use the method in (Dodis et al. 2016). Concretely, assume C is an algebraic circuit with n input, they first split every ciphertext into n ciphertexts corresponding to n identities. For an addition gate, they carry out n homomorphic additions and obtain n ciphertexts. For a multiplication gate, they first execute n^{2} homomorphic computations obtaining 2n^{2} ciphertexts and then execute n homomorphic computations obtaining n ciphertexts. Finally, at the output gate, they combine the resulting n ciphertexts to obtain the final ciphertext. The identity corresponding to the final ciphertext is XOR of n identities in the input, i.e. \(\mathbf {{id}_{eval}=\bigoplus {id}_{i}}\). There is a problem arising here. We give an attack in the following to show that this scheme is not secure.
Attack Our attack is as follows:

1.
The adversary \(\mathcal {A}\) queries a secret key of one identity sk_{α} for some identity id_{α}.

2.
\(\mathcal {A}\) receives the challenge ciphertext ct^{∗} which encrypts m_{b} under identity id^{∗}.

3.
\(\mathcal {A}\) computes a ciphertext ct_{m} of some message m under identity \({id}_{\beta }\triangleq {id}_{\alpha } \oplus id^{\ast }\).

4.
\(\mathcal {A}\) homomorphicly adds ct_{m} with ct^{∗} and obtains a ciphertext ct^{∗∗} which encrypts m+m_{b} under identity id_{β}⊕id^{∗}=id_{α}.

5.
\(\mathcal {A}\) decrypts ct^{∗∗} using sk_{α} and obtains message m+m_{b}.

6.
\(\mathcal {A}\) obtains the challenge plaintext m_{b} by subtracting m from the above message.

7.
\(\mathcal {A}\) compares m_{b} with m_{0},m_{1} and obtains the value of b with probability 1.
To resist the above attack, we use the idea of randomization. In particular, for every gate of the circuit, we set the identity of the output ciphertext to be a random identity. In this case, after the adversary \(\mathcal {A}\) performs some computation on the challenge ciphertext ct^{∗}, the identity corresponding to the final ciphertext will be completely random, hence the probability that it is same as some identity id_{α} for which \(\mathcal {A}\) has queried corresponding secret key of one identity sk_{α} is negligible.
We think there is a mistake in their security proof which exists in the last step of Proof of Claim 3. Concretely, we think the two games G_{3} and G_{4} are not indistinguishable, because when taking a ciphertext with tag (id^{∗},i−1) as input, the two obfuscations in G_{3} will output the encryptions of 0, but in G_{4} they will output “abort”.
Besides the above security flaw, their scheme also has the following two drawbacks:

1.
The secret key of one identity is an obfuscation of some decryption circuit, which is very large;

2.
For a circuit with n inputs consisting of addition gates and multiplication gates, the numbers of computation for each addition gate and multiplication gate in their scheme are n and n^{2}+n respectively, which are very inefficient.
In the following section, we propose our Multikey IBFHE scheme, which eliminates the above drawbacks.
Our multikey IBFHE from trapdoor encryption and PIO

Setup(1^{λ}): Let E be a trapdoor encryption scheme. Assume the message space \(\mathcal {M}\) and identity space \(\mathcal {ID}\) of our multikey IBFHE are a ring and {0,1}^{k}, respectively. Assume E has the same message space \(\mathcal {M}\). Let \(pi\mathcal {O}\) be a PIO scheme and \(\mathcal {F}\) be a puncturable PRF.
Sample a PRF key K. Let P_{map}[K] be the following program:

1.
K is hardwired, take input id∈{0,1}^{k};

2.
Compute \(r_{id}=\mathcal {F}_{K}(id)\);

3.
Compute (pk_{id},sk_{id})=E.Gen(1^{λ},r_{id});

4.
Output pk_{id}.
Let P_{add}[K] and P_{mult}[K] be the following probabilistic programs:

1.
K is hardwired into both, both take inputs \(({id}_{1},{ct}_{1}),({id}_{2},{ct}_{2})\in \{0,1\}^{k}\times \mathsf {E}.\mathcal {CT}\);

2.
Compute \(({pk}_{{id}_{i}}, {sk}_{{id}_{i}})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}({id}_{i}))\) for i=1,2;

3.
Compute \(\phantom {\dot {i}\!}m_{i}=\text {E.Dec}({sk}_{{id}_{i}}, {ct}_{i})\) for i=1,2;

4.
Sample r←{0,1}^{k} and set id_{out}=r, compute \(({pk}_{{id}_{out}}, {sk}_{{id}_{out}})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}({id}_{out}))\)

5.
Now the programs differ:
P_{add}[K]: Draw \({ct}_{out}\leftarrow \text {E.Enc}({pk}_{{id}_{out}}, m_{1}+m_{2})\), output (id_{out},ct_{out}).
P_{mult}[K]: Draw \({ct}_{out}\leftarrow \text {E.Enc}({pk}_{{id}_{out}}, m_{1}\times m_{2})\), output (id_{out},ct_{out}).
Let \(\mathcal {O}_{map}[K]\leftarrow pi\mathcal {O}(P_{map}[K])\), \(\mathcal {O}_{add}[K]\leftarrow pi\mathcal {O}(P_{add}[K])\) and \(\mathcal {O}_{mult}[K]\leftarrow pi\mathcal {O}(P_{mult}[K])\). Set msk=K and \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\).

1.

KeyGen(msk,id): Parse msk=K. Compute \(({pk}_{id}, {sk}_{id})=\text {E.Gen}(1^{\lambda },\mathcal {F}_{K}(id))\) and output sk_{id}.

Enc(mpk,id,m): Parse \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\), compute \({pk}_{id}=\mathcal {O}_{map}[K](id)\). Draw ct_{id}←E.Enc(pk_{id},m) and output (id,ct_{id}).

Dec(sk_{id},id,ct_{id}): Output m=E.Dec(sk_{id},ct_{id}).

Eval(mpk,(id_{1},ct_{1}),...,(id_{t},ct_{t}),C): Parse \(mpk=(\mathcal {O}_{map}[K], \mathcal {O}_{add}[K], \mathcal {O}_{mult}[K])\), view C as an algebraic circuit consisting of addition gates g_{+} and multiplication gates g_{×} over the message space \(\mathcal {M}\). We process the circuit gate by gate, let u, v be encryption of the input values of some gate. For an addition gate g_{+}, evaluate g_{+} homomorhpically by computing \(w=\mathcal {O}_{add}[K](u,v)\); For a multiplication gate g_{×}, evaluate g_{×} homomorhpically by computing \(w=\mathcal {O}_{mult}[K](u,v)\).
Lemma 2
If E is a trapdoor encryption scheme, \(pi\mathcal {O}\) is a PIO scheme and \(\mathcal {F}\) is a puncturable PRF, then the above scheme is a multikey IBFHE scheme which is fully compact and unleveled.
Proof
Correctness and homomorphic correctness follow immediately from correctness of E and \(pi\mathcal {O}\).
For security, we show that for any PPT adversary \(\mathcal {A}\), its chance of winning the multikey IBFHE selective security game for random identities is at most 1/2+negl. We use a hybrid argument.
Game 0: This is the original multikey IBFHE selective security game for random identities.

1.
\(\mathcal {C}\) draws id^{∗}←{0,1}^{k} and (mpk,msk)←Setup(1^{λ}), sends mpk to \(\mathcal {A}\).

2.
\(\mathcal {A}\) makes queries to an oracle \(\mathcal {O}\) defined by
\(\mathcal {O}(id)=\left \{ \begin {array}{ll} \mathsf {KeyGen}(msk,id), & \text {if \(id\neq id^{\ast }\);} \\ \bot, & \text {otherwise.} \end {array} \right. \)

3.
\(\mathcal {A}\) chooses two messages \(m_{0},m_{1}\in \mathcal {M}\) and sends them to the challenger \(\mathcal {C}\).

4.
\(\mathcal {C}\) uniformly samples a bit b←{0,1}, and returns ct^{∗}←Enc(mpk,id^{∗},m_{b}).

5.
\(\mathcal {A}\) outputs a guess bit b^{′} and wins if b^{′}=b.
Game 1: This is the same as Game 0 except for the following changes. \(\mathcal {C}\) computes K^{∗}←PRF.Puncture(K,id^{∗}) and answer secret key queries using K^{∗} instead of K.
The adversary cannot detect any difference between Game 0 and Game 1, since for all id≠id^{∗} it holds that \(\mathcal {F}_{K}(id)=\mathcal {F}_{K^{\ast }}(id)\).
Game 2: This is the same as Game 1 except that we make the following changes to P_{add}[ K] and P_{mult}[ K]:

1.
Replace K with K^{∗}. id^{∗} and \(\mathcal {F}_{K}(id^{\ast })\) is also hardwired.

2.
In step 2, if id_{i}=id^{∗}, then use \(\mathcal {F}_{K}(id^{\ast })\) instead of \(\mathcal {F}_{K^{\ast }}({id}_{i})\); In step 4, if id_{out}=id^{∗}, then use \(\mathcal {F}_{K}(id^{\ast })\) instead of \(\mathcal {F}_{K^{\ast }}({id}_{out})\).
Note that the modified programs is functionally equivalent to P_{add}[ K] and P_{mult}[ K], and due to the security of PIO, their respective obfuscations are thus computationally indistinguishable. So Game 1 and Game 2 are computationally indistinguishable.
Game 3: This is the same as Game 2 except that we make the following changes to P_{map}[ K]:

1.
Replace K with K^{∗}. id^{∗} and \(\mathcal {F}_{K}(id^{\ast })\) is also hardwired.

2.
In step 2, if id=id^{∗}, then sample r←{0,1}^{n} where \(n=\mathcal {F}_{K}(id^{\ast })\), and set r_{id}=r.
By the security of the puncturable PRF, we have that the following two distributions are computationally indistinguishable.
Due to the security of PIO, it follows that Game 2 and Game 3 are computationally indistinguishable.
Game 4: This is the same as Game 3 except that we make futher changes to P_{map}[ K]:

1.
If id=id^{∗}, then output tpk←E.tGen(1^{λ}).
Due to the keyindistinguishability of trapdoor encryption scheme E, the output distributions of the program P_{map}[K] in Game 3 and Game 4 are close, and hence, the security of PIO implies that the obfuscations of the programs are also indistinguishable (even given the punctured key). It follows that Game 3 and Game 4 are computationally indistinguishable.
In Game 4, due to the hiding property in the trapdoor mode of trapdoor encryption scheme E, the success advantage of adversary \(\mathcal {A}\) in this Game is negligible. This completes our proof of security. □
In our multikey IBFHE scheme, secret key of one identity is a normal secret key, which is much smaller than that of Canetti et al.’s scheme; the numbers of computation for each addition gate and multiplication gate are all 1 instead of n and n^{2}+n in Canetti et al.’s scheme.
Combining Lemma 2 with Lemma 1 we get the following result immediately.
Theorem 1
If there exists PIO, a trapdoor encryption scheme, and a puncturable PRF, then there is a CCA1 secure FHE scheme which is fully compact and unleveled.
Conclusion
In this work, we focus on construction of CCA1 secure FHE schemes. Our starting point is the work of Canetti et al. (2017) who showed that CCA1secure FHE scheme can be constructed from any multikey IBFHE scheme. We analysed the multikey IBFHE scheme from PIO that proposed by Canetti et al. (2017) and showed that their scheme is not secure by giving an attack. We gave a solution to avoid the above attack and redesigned a more succinct and efficient multikey identitybased FHE scheme. Thus we obtained a more efficient CCA1 secure FHE scheme.
References
Agrawal, S, Boneh D, Boyen X (2010) Efficient lattice (H)IBE in the standard model In: Advances in Cryptology  EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, 553–572.. Springer, Berlin, Heidelberg. May 30  June 3, 2010. Proceedings. https://doi.org/10.1007/9783642131905_28.
Boneh, D, Canetti R, Halevi S, Katz J (2007) Chosenciphertext security from identitybased encryption. SIAM J Comput 36(5):1301–1328. https://doi.org/10.1137/S009753970544713X.
Brakerski, Z, Vaikuntanathan V (2011a) Efficient fully homomorphic encryption from (standard) LWE In: IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011., 97–106.. IEEE Computer Society, Washington. October 2225, 2011. https://doi.org/10.1109/FOCS.2011.12.
Brakerski, Z, Vaikuntanathan V (2011b) Fully homomorphic encryption from ringlwe and security for key dependent messages In: Advances in Cryptology  CRYPTO 2011  31st Annual Cryptology Conference,505–524.. Springer, Heidelberg. August 1418, 2011. Proceedings. https://doi.org/10.1007/9783642227929_29.
Brakerski, Z, Gentry C, Vaikuntanathan V (2012) (leveled) fully homomorphic encryption without bootstrapping In: Innovations in Theoretical Computer Science  ITCS 2012, 309–325.. ACM, New York. January 810, 2012. http://doi.acm.org/10.1145/2090236.2090262.
Brakerski, Z (2012) Fully homomorphic encryption without modulus switching from classical gapsvp In: Advances in Cryptology  CRYPTO 2012  32nd Annual Cryptology Conference, 868–886.. Springer, Heidelberg. August 1923, 2012. Proceedings. https://doi.org/10.1007/9783642320095_50.
Brakerski, Z, Cash D, Tsabary R, Wee H (2016) Targeted homomorphic attributebased encryption In: Theory of Cryptography  14th International Conference, TCC 2016B, 330–360.. Springer, Berlin, Heidelberg, Beijing. October 31  November 3, 2016, Proceedings, Part II. https://doi.org/10.1007/9783662536445_13.
Canetti, R, Halevi S, Katz J (2004) Chosenciphertext security from identitybased encryption In: Advances in Cryptology  EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, 207–222.. Springer, Berlin, Heidelberg. May 26, 2004, Proceedings. https://doi.org/10.1007/9783540246763_13.
Cramer, R, Shoup V (1998) A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack In: Advances in Cryptology  CRYPTO ’98, 18th Annual International Cryptology Conference, 13–25.. Springer, Berlin, Heidelberg. August 2327, 1998, Proceedings. https://doi.org/10.1007/BFb0055717.
Clear, M, McGoldrick C (2014) Bootstrappable identitybased fully homomorphic encryption In: Cryptology and Network Security  13th International Conference, CANS 2014, 1–19.. Springer, Cham. October 2224, 2014. Proceedings. https://doi.org/10.1007/9783319122809_1.
Canetti, R, Lin H, Tessaro S, Vaikuntanathan V (2015) Obfuscation of probabilistic circuits and applications In: Theory of Cryptography  12th Theory of Cryptography Conference, TCC 2015, 468–497.. Springer, Berlin, Heidelberg, Warsaw. March 2325, 2015, Proceedings, Part II. https://doi.org/10.1007/9783662464977_19.
Canetti, R, Raghuraman S, Richelson S, Vaikuntanathan V (2017) Chosenciphertext secure fully homomorphic encryption In: PublicKey Cryptography  PKC 2017  20th IACR International Conference on Practice and Theory in PublicKey Cryptography, 213–240.. Springer, Berlin, Heidelberg. March 2831, 2017, Proceedings, Part II. https://doi.org/10.1007/9783662543887_8.
Dahab, R, Galbraith SD, Morais E (2015) Adaptive key recovery attacks on ntrubased somewhat homomorphic encryption schemes In: Information Theoretic Security  8th International Conference, ICITS 2015, 283–296.. Springer, Cham. May 25, 2015. Proceedings. https://doi.org/10.1007/9783319174709_17.
Dodis, Y, Halevi S, Rothblum RD, Wichs D (2016) Spooky encryption and its applications In: Advances in Cryptology  CRYPTO 2016  36th Annual International Cryptology Conference, 93–122.. Springer, Berlin, Heidelberg. August 1418, 2016, Proceedings, Part III. https://doi.org/10.1007/9783662530153_4.
Gentry, C (2009a) A fully homomorphic encryption scheme. PhD thesis, Stanford, CA, USA. http://crypto.stanford.edu/craig.
Gentry, C (2009b) Fully homomorphic encryption using ideal lattices In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, 169–178.. ACM, New York. May 31  June 2 2009. https://doi.acm.org/10.1145/1536414.1536440.
Gentry, C, Halevi S, Smart NP (2012a) Better bootstrapping in fully homomorphic encryption In: Public Key Cryptography  PKC 2012  15th International Conference on Practice and Theory in Public Key Cryptography Darmstadt, 1–16.. Springer, Berlin, Heidelberg. May 2123, 2012. Proceedings. https://doi.org/10.1007/9783642300578_1.
Gentry, C, Halevi S, Smart NP (2012b) Fully homomorphic encryption with polylog overhead In: Advances in Cryptology  EUROCRYPT 2012  31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 465–482.. Springer, Berlin, Heidelberg. April 1519, 2012. Proceedings. https://doi.org/10.1007/9783642290114_28.
Gentry, C, Sahai A, Waters B (2013) Homomorphic encryption from learning with errors: Conceptuallysimpler, asymptoticallyfaster, attributebased In: Advances in Cryptology  CRYPTO 2013  33rd Annual Cryptology Conference, 75–92.. Springer, Berlin, Heidelberg. August 1822, 2013. Proceedings, Part I. https://doi.org/10.1007/9783642400414_5.
Loftus, J, May A, Smart NP, Vercauteren F (2010) On ccasecure fully homomorphic encryption. IACR Cryptol ePrint Arch 2010:560.
Lai, J, Deng RH, Ma C, Sakurai K, Weng J (2016) CCAsecure keyedfully homomorphic encryption In: PublicKey Cryptography  PKC 2016  19th, IACR International Conference on Practice and Theory in PublicKey Cryptography, 70–98.. Springer, Berlin, Heidelberg. March 69, 2016, Proceedings, Part I. https://doi.org/10.1007/9783662493847_4.
Naor, M, Yung M (1990) Publickey cryptosystems provably secure against chosen ciphertext attacks In: Symposium on Theory of Computing, STOC 1990, 427–437.. ACM, New York. May 1317, 1990. http://doi.acm.org/10.1145/100216.100273.
Rivest, RL, Adleman L, Dertouzos ML (1978) On data banks and privacy homomorphisms. Found Secure Comput 4:169–179.
Smart, NP, Vercauteren F (2010) Fully homomorphic encryption with relatively small key and ciphertext sizes In: Public Key Cryptography  PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, 420–443.. Springer, Berlin,Heidelberg. May 2628, 2010. Proceedings. https://doi.org/10.1007/9783642130137_25.
Smart, NP, Vercauteren F (2014) Fully homomorphic SIMD operations. Des. Codes Crypt 71(1):57–81. https://doi.org/10.1007/s1062301297204. Springer US.
Sahai, A, Waters B (2014) How to use indistinguishability obfuscation: deniable encryption, and more In: Symposium on Theory of Computing, STOC 2014, 475–484, New York. May 31  June 03, 2014. http://doi.acm.org/10.1145/2591796.2591825. ACM, New York.
van Dijk, M, Gentry C, Halevi S, Vaikuntanathan V (2010) Fully homomorphic encryption over the integers In: Advances in Cryptology  EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, 24–43.. Springer, Berlin, Heidelberg. May 30  June 3, 2010. Proceedings. https://doi.org/10.1007/9783642131905_2.
Zhang, Z, Plantard T, Susilo W (2012) On the CCA1 security of somewhat homomorphic encryption over the integers In: Information Security Practice and Experience  8th International Conference, ISPEC 2012, 353–368.. Springer, Berlin, Heidelberg. April 912, 2012. Proceedings. https://doi.org/10.1007/9783642291012_24.
Funding
This work was supported by National Natural Science Foundation of China [grant number 61472414,61772514,61602061], and National Key R&D Program of China (2017YFB1400700).
Author information
Affiliations
Contributions
The first author conceived the idea of the study and wrote the paper. All authors discussed the results and revised the manuscript. All authors read and approved the final manuscript.
Corresponding author
Correspondence to Biao Wang.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Received
Accepted
Published
DOI
Keywords
 Fully homomorphic encryption
 CCA1
 Probabilistic indistinguishability obfuscation