3

Homomorphic encryption is hyped by computer sciences because it offers great potentials. For example you can perform cloud based calculation while nobody gets to know you data.

I am wondering if there is any homomorphic encryption scheme that is CCA secure. Can't you always just choose a random message, encrypt it and link the ciphertext to the challenge? A decryption oracle will decrypt it without hesitation. As the attacker know one plaintext message, he can easily calculate the second one. By doing so he always wins the CCA experiment.

e-sushi
  • 17,891
  • 12
  • 83
  • 229
null
  • 248
  • 1
  • 12

1 Answers1

2

By definition, homomorphic encryption cannot be CCA secure. Therefore when using homomorphic encryption, care must be taken to prevent chosen-ciphertext attacks in the constructed system. Sometimes this requires proving in zero knowledge that certain actions were followed correctly, for example.

If you want to learn a bit more about what can be said about the CCA security of homomorphic encryption, see this paper (On CCA-Secure Somewhat Homomorphic Encryption).

Yehuda Lindell
  • 27,820
  • 1
  • 66
  • 83