# Linearly Homomorphic Encryption from DDH

@article{Castagnos2015LinearlyHE, title={Linearly Homomorphic Encryption from DDH}, author={Guilhem Castagnos and Fabien Laguillaumie}, journal={IACR Cryptol. ePrint Arch.}, year={2015}, volume={2015}, pages={47} }

We design a linearly homomorphic encryption scheme whose security relies on the hardness of the decisional Diffie-Hellman problem. Our approach requires some special features of the underlying group. In particular, its order is unknown and it contains a subgroup in which the discrete logarithm problem is tractable. Therefore, our instantiation holds in the class group of a non maximal order of an imaginary quadratic field. Its algebraic structure makes it possible to obtain such a linearly…

## 49 Citations

### Using Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

- Mathematics, Computer Science
- CCS
- 2014

A technique is presented to transform a linearly-homomorphic encryption into a scheme capable of evaluating degree-2 computations on ciphertexts, and it is extended to build a protocol for outsourcing computation on encrypted data using two (non-communicating) servers.

### Homomorphic Secret Sharing for Low Degree Polynomials

- Computer Science, Mathematics
- ASIACRYPT
- 2018

This work presents the first plain-model homomorphic secret sharing scheme that supports the evaluation of polynomials with degree higher than 2, and relies on any degree-k (multi-key) homomorphic encryption scheme.

### On the Weakness of Fully Homomorphic Encryption

- Computer Science, Mathematics
- ArXiv
- 2015

It is stressed that any computations performed on encrypted data are constrained to the encrypted domain (finite fields or rings), which makes the primitive useless for most computations involving common arithmetic expressions and relational expressions.

### New Ideas to Build Noise-Free Homomorphic Cryptosystems

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2019

A very simple private-key encryption scheme whose decryption function is a rational function and a nonlinear additive homomorphic operator is specifically developed, which proves IND-CPA security in the generic ring model.

### Practical Fully Secure Unrestricted Inner Product Functional Encryption modulo p

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

Though their schemes are only secure in the selective model, Agrawal, Libert, and Stehle soon provided adaptively secure schemes for the same functionality, which suffer from various practical drawbacks.

### A Geometric Approach to Homomorphic Secret Sharing

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work uses a general compiler to generalize and improve on the HSS scheme of Lai, Malavolta, and Schröder, and proposes a new application of HSS to MPC with preprocessing, which obtains communication-efficient MPC protocols for low-degree polynomials that use fewer parties than previous protocols based on the same assumptions.

### Non-zero Inner Product Encryptions: Strong Security under Standard Assumptions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

This paper provides adaptively secure public-key NIPE under the standard Decision Diffie-Hellman (DDH) assumption that enables one to encrypt messages of sufficiently small length and upgrades two pNIPEs, capable of encrypting large messages with inner products over integers.

### Secure Multiparty Computation from Threshold Encryption based on Class Groups

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This work constructs the first actively-secure threshold version of the cryptosystem based on class groups from the so-called CL framework and designs a new zero-knowledge protocol for proving multiplicative relations between encrypted values.

### Encryption Switching Protocols Revisited: Switching Modulo p

- Computer Science, Mathematics
- CRYPTO
- 2017

If an ESP is built with two schemes that are respectively additively and multiplicatively homomorphic, it naturally gives rise to a secure 2-party computation protocol, thus perfectly suited for evaluating functions, such as multivariate polynomials, given as arithmetic circuits.

### The Paillier's Cryptosystem and Some Variants Revisited

- Computer Science, Mathematics
- Int. J. Netw. Secur.
- 2017

It is shown that there is a big difference between the original Paillier's encryption and some variants, and the alternative decryption procedure of Bresson-Catalano-Pointcheval encryption scheme proposed at Asiacrypt'03 is simplified.

## References

Showing 1-10 of 46 references

### Using Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

- Mathematics, Computer Science
- CCS
- 2014

A technique is presented to transform a linearly-homomorphic encryption into a scheme capable of evaluating degree-2 computations on ciphertexts, and it is extended to build a protocol for outsourcing computation on encrypted data using two (non-communicating) servers.

### Homomorphic Encryption for Multiplications and Pairing Evaluation

- Mathematics, Computer Science
- SCN
- 2012

The semantic security under chosen plaintext attack of the proposed homomorphic encryption scheme under a generalized subgroup membership assumption is proved, and it is proved that it cannot achieve ind-cca1 security.

### A New Public-Key Cryptosystem over a Quadratic Order with Quadratic Decryption Time

- Computer Science, Mathematics
- Journal of Cryptology
- 2000

A new cryptosystem based on ideal arithmetic in quadratic orders, which is a probabilistic encryption scheme and has the homomorphy property, and the implementation shows that it is comparably as fast as the encryption time of the RSA cryptosystem with e = 2^16 + 1.

### A Cryptosystem Based on Non-maximal Imaginary Quadratic Orders with Fast Decryption

- Mathematics, Computer Science
- EUROCRYPT
- 1998

It is shown that inverting the proposed cryptosystem is computationally equivalent to factoring the non-fundamental discriminant δq, which is intractable for a suitable choice of δ and q, and how one may embed key escrow capability into classical imaginary quadratic field cryptosystems.

### Encoding-Free ElGamal Encryption Without Random Oracles

- Computer Science, Mathematics
- Public Key Cryptography
- 2006

Partially homomorphic in customizable ways, this paper's encryptions are comparable to plain ElGamal in efficiency, and boost the encryption ratio from about 13 for classical parameters to the optimal value of 2.

### A new public key cryptosystem based on higher residues

- Computer Science, Mathematics
- CCS '98
- 1998

The probabilistic version of the scheme is a homomorphic encryption scheme whose expansion rate is much better than previously proposed such systems and has semantic security, relative to the hardness of computing higher residues for suitable moduli.

### A New Public-Key Cryptosystem as Secure as Factoring

- Computer Science, Mathematics
- EUROCRYPT
- 1998

This paper proposes a novel public-key cryptosystem, which is practical, provably secure and has some other interesting properties as follows: It can be proven to be as secure as the intractability of factoring n = p^2 q (in the sense of the security of the whole plaintext) against passive adversaries.

### The Security of Cryptosystems Based on Class Semigroups of Imaginary Quadratic Non-maximal Orders

- Mathematics, Computer Science
- ACISP
- 2004

It is shown that well-known structural properties of the class semigroup render these cryptosystems insecure, and that any cryptosystems based on the class semigroup are unlikely to provide any more security than those using the class group.

### On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis

- Mathematics, Computer Science
- EUROCRYPT
- 2009

A drastic cryptanalysis is proposed which factors Δ_q (and hence recovers the secret key), only given this element, in cubic time in the security parameter, and takes less than a second on a standard PC.

### Fully homomorphic encryption using ideal lattices

- Computer Science, Mathematics
- STOC '09
- 2009

This work proposes a fully homomorphic encryption scheme that allows one to evaluate circuits over encrypted data without being able to decrypt, and describes a public key encryption scheme using ideal lattices that is almost bootstrappable.