3

Homomorphic encryption is hyped by computer sciences because it offers great potentials. For example you can perform cloud based calculation while nobody gets to know you data.

I am wondering if there is any homomorphic encryption scheme that is CCA secure. Can't you always just choose a random message, encrypt it and link the ciphertext to the challenge? A decryption oracle will decrypt it without hesitation. As the attacker know one plaintext message, he can easily calculate the second one. By doing so he always wins the CCA experiment.

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
null
  • 248
  • 1
  • 13

1 Answers1

2

By definition, homomorphic encryption cannot be CCA secure. Therefore when using homomorphic encryption, care must be taken to prevent chosen-ciphertext attacks in the constructed system. Sometimes this requires proving in zero knowledge that certain actions were followed correctly, for example.

If you want to learn a bit more about what can be said about the CCA security of homomorphic encryption, see this paper (On CCA-Secure Somewhat Homomorphic Encryption).

Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86