Preventing adaptive key recovery attacks on the GSW levelled homomorphic encryption scheme

Abstract

A major open problem is to protect levelled homomorphic encryption from adaptive attacks that allow an adversary to learn the private key. The only positive results in this area are by Loftus, May, Smart and Vercauteren. They use a notion of “valid ciphertexts” and obtain an IND-CCA1 scheme under a strong knowledge assumption, but they also show their scheme is not secure under a natural adaptive attack based on a “ciphertext validity oracle”. The main contribution of this paper is to explore a new approach to achieve security against adaptive attacks, which does not rely on a notion of “valid ciphertexts”. Instead, our idea is to generate a “onetime” private key every time the decryption algorithm is run, so that even if an attacker can learn some bits of the one-time private key from each decryption query, this does not allow them to compute a valid private key. We demonstrate how this idea can be implemented with the Gentry-Sahai-Waters levelled homomorphic encryption scheme, and we give an informal explanation of why the known attacks no longer break the system.