How would one construct a security model to play against the adversary, and define the security of the overall scheme? This is in reference to the scheme introduced in "Fully Homomorphic Encryption Over Ideal Lattices".
1 Answer
Usually, FHE schemes are proved to be CPA secure; therefore, the game is similar to the IND-CPA game, with the caveat that the attacker also holds an evaluation key (generally necessary to perform the homomorphic operations). Note that the evaluation key is public anyway; therefore, it could just be considered a part of the public key so that the game would be the same (this is done, for example, in the proof of security of BGV).
If there is some type of circular assumption (which is normally the case), then you suppose that the evaluation key depends on the private key. However, this does not change the game.
Thus, the game would be more or less like this:
- Parameters are set, keys are generated and the adversary receives the public and the evaluation keys.
- The adversary can encrypt messages and compute over the ciphertexts freely.
- The adversary sends two messages $m_0$ and $m_1$ to the challenger and receives a ciphertext $c_b$ corresponding to $m_b$ (for a random $b$).
- The adversary can again encrypt and perform other computations.
- The adversary outputs a bit $b'$.
Side note:
As noted by @Maeher in the comments, we have to be careful when talking about CCA security and homomorphic encryption. It is already known that homomorphic encryption schemes cannot be CCA2 secure; thus, in your model, the best you could do to prove CCA security would be to use a game for IND-CCA1 security, as is done, for instance, in this article (although they are dealing with Somewhat Homomorphic Encryption instead of FHE).
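The game from the answer above, written as a harness; this is an added example, not code from the answer or from the paper. It assumes a toy DGHV-style integer scheme with insecure parameter sizes in place of the ideal-lattice scheme, and every function and class name is hypothetical. With `cca2=True` the same harness adds a post-challenge decryption oracle, which shows why the side note rules out CCA2: the homomorphism turns $c_b$ into a different ciphertext whose plaintext reveals $b$.

```python
import secrets

# Toy DGHV-style integer scheme (constructed for illustration; insecure sizes).
def keygen():
    p = secrets.randbits(64) | (1 << 63) | 1          # odd secret key
    pk = [p * secrets.randbits(128) + 2 * secrets.randbits(8)
          for _ in range(16)]                         # noisy encryptions of 0
    evk = None  # the toy needs no evaluation key; the game still hands it over
    return p, pk, evk

def encrypt(pk, m):
    mask = sum(x for x in pk if secrets.randbits(1))  # random subset of pk
    return m + 2 * secrets.randbits(8) + mask

def decrypt(sk, c):
    return (c % sk) % 2

def add(c1, c2):
    return c1 + c2                                    # homomorphic XOR of bits

def ind_game(adversary, cca2=False):
    sk, pk, evk = keygen()                            # adversary gets pk and evk
    m0, m1 = adversary.choose(pk, evk)                # it may encrypt/evaluate freely
    b = secrets.randbits(1)
    c_b = encrypt(pk, (m0, m1)[b])                    # challenge ciphertext

    def dec_oracle(c):                                # only exists in the CCA2 game
        if c == c_b:
            raise ValueError("decrypting the challenge itself is forbidden")
        return decrypt(sk, c)

    return adversary.guess(pk, c_b, dec_oracle if cca2 else None) == b

class MalleabilityAdversary:
    def choose(self, pk, evk):
        return 0, 1

    def guess(self, pk, c_b, oracle):
        if oracle is None:                            # IND-CPA: this adversary only guesses
            return secrets.randbits(1)
        shifted = add(c_b, encrypt(pk, 1))            # != c_b, decrypts to m_b XOR 1
        return oracle(shifted) ^ 1

def win_rate(cca2, trials=500):
    adv = MalleabilityAdversary()
    return sum(ind_game(adv, cca2) for _ in range(trials)) / trials
```

`win_rate(True)` is exactly 1.0, while `win_rate(False)` stays near 1/2 for this particular adversary; the latter says nothing about the toy scheme's actual CPA security.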