Homomorphic Encryption with CCA Security

We address the problem of constructing public-key encryption schemes that meaningfullycombine useful computability features with non-malleability. In particular, we investigate schemesin which anyone can change an encryption of an unknown message m into an encryption of T (m)(as a feature), for a specific set of allowed functions T , but the scheme is “non-malleable” withrespect to all other operations. We formulate precise definitions that capture these intuitive re-quirements and also show relationships among our new definitions and other more standard ones(IND-CCA, gCCA, and RCCA). We further justify our definitions by showing their equivalenceto a natural formulation of security in the Universally Composable framework. We also considerextending the definitions to features which combine multiple ciphertexts, and show that a nat-ural definition is unattainable for a useful class of features. Finally, we describe a new family ofencryption schemes that satisfy our definitions for a wide variety of allowed transformations T ,and which are secure under the standard Decisional Diffie-Hellman (DDH) assumption. ∗An extended abstract of this work appears in Automata, Languages and Programming, 35th International Collo-quium, ICALP 2008, Springer-Verlag, 2008. This full version is available from http://eprint.iacr.org/2008/079.†Department of Computer Science, University of Illinois, Urbana-Champaign. {mmp,rosulek}@uiuc.edu. Partiallysupported by NSF grant CNS 07-47027.