Additively homomorphic encryption with a double decryption mechanism, revisited

We revisit the notion of additively homomorphic encryption with a double decryption mechanism (DD-PKE), which allows for additions in the encrypted domain while having a master decryption procedure that can decrypt all properly formed ciphertexts by using a special master secret. This type of encryption is generally considered as a practical way to enforce access control in hierachical organisations where some form of malleability properties are required. Up to now, only two additively homomorphic DD-PKE schemes have been proposed: CS-Lite by Cramer and Shoup (Eurocrypt 2002), and a variant called BCP by Bresson, Catalano and Pointcheval (Asiacrypt 2003). In this work, we argue that the two existing schemes only provide partial solutions for hierarchical organisations. Essentially, this is due to the fact that the master authority, being in possession of the master secret, has no control on the validity of given ciphertexts. We say that the master is unable to “detect invalid ciphertexts‿, which limits the employment of such schemes in practice. Therefore, we propose the first additively homomorphic DD-PKE scheme which allows the master to detect invalid ciphertexts. In fact, our scheme has the additional property that the master decryption is independent of the users’ public keys. Our solution is based on elliptic curves over rings and we prove it to be semantically secure under a DDH-related assumption. Moreover, we give experimental results on the choice of elliptic curves and their effect on the efficiency of our scheme’s setup