On the IND-CCA1 Security of FHE Schemes
Round 1
Reviewer 1 Report
In this article, the authors group somewhat homomorphic encryption (SHE) schemes into broad categories based on their similarities and underlying hardness problems. Additionally, the authors show that the SHE schemes are susceptible to considered attacks. This article is well-organized and written. The list of references is suitable and actual for considered problems. Data security is a significant problem in our life. We require that our data remain safe, so we use specially designated methods. These methods should be checked and verified. I suggest the publication of this article in its current form.
Author Response
Thank you for your feedback!
Reviewer 2 Report
1. Pie chart or flow chart of representation is preferable for explaining the state of arts. 2. Most of the necessary investigations have been performed. 3. Provide a comparison table, if possible.Author Response
Regarding your point 1, we believe that flow charts would not make the exposition better, as many FHE schemes have been developed concurrently.
The ones that are extensions of others are noted in Table 2, but they only extend for one step.
We also considered adding a pie chart, but our classification of FHE schemes is done according to the type of schemes so that it follows what attack extends from one scheme to the other.
We believe a pie chart would be much better suited to emphasize, e.g., that more schemes are based on the GSW scheme compared to the BGV scheme, but our focus is not on the amount, but rather which specific schemes are susceptible to the same attack due to similar constructions.
Thank you for your point number 2!
About point 3, in Table 1 we already do compare the schemes that other authors have identified as insecure w.r.t. IND-CCA1 (second column) with schemes that we have investigated and verified are also vulnerable to the given attacks.
Furthermore, we compare the different constructions for IND-CCA1 security and their restrictions and assumptions in Table 3.
Reviewer 3 Report
In their paper, the authors analyze existing (fully) homomorphic encryption schemes regarding their IND-CCA security. For this, they divide the existing homomorphic schemes into groups, review known attacks against these schemes and present some new attacks. They come to the (not very surprising) conclusion that the existing approaches for homomorphic encryption schemes don't reach INC-CCA1 security. The paper is well written and easily understandable.
The ratio between the contribution of the authors and the amount of the paper is, in my eyes, rather small. The authors results mainly restrict to Section 5 (4 of 22 pages). In the rest of the paper, the authors mainly discuss existing schemes and already published attacks. So I would denote the paper rather as a survey paper on existing homomorphic schemes and existing attacks and not as an research paper.
For the purpose of a survey paper, the (first part of the paper) is well suited and gives a person (rather student or engineer than researcher) a nice introduction into the field of (fully) homomorphic encryption and the existing approaches.
Two emphasise the different structure of the two parts of the paper, I would recommend the authors to split their paper into two papers: A real survey paper (containing Sections 3 and 4) and a paper on new attacks containing an enlarged Section 5.
Author Response
We see your point that most of the paper is a survey paper, and we appreciate your suggestion to split the paper in two. However, before making the submission we decided on writing a single paper, as the new attacks we introduce in the latter part are rather simple and do not warrant a publication on their own. We agree that our paper should first and foremost be understood as a survey paper, and we have added some text in the introduction to put more emphasis on that fact. The contribution in the first part of the paper is that we systematize FHE schemes proposed in the literature as well as known attacks, and check whether any of the schemes are susceptible to known attacks.
The third column of Table 1 lists many schemes whose IND-CCA1 security has not been reported on earlier, but are easily seen to be susceptible to known attacks if one does the work to check. The novel attacks we give in the latter parts of the paper are not very sophisticated (maybe apart from the attack on the Per scheme) and are presented for completeness.
These attacks are needed to arrive at the main conclusion that as of today we do not have any concrete IND-CCA1 secure FHE schemes.
Round 2
Reviewer 3 Report
In the paper the authors consider the IND-CCA1 security of existing fully homomorphic encryption schemes. They do this by dividing the existing schemes into several groups and show that each group is vulnerable against (already known or proposed) attacks. They therefore come to the conclusion that none of the proposed schemes achieves CCA1 security.
The second version of the paper resembles much the first version. In particular, I still think that the authors contribution is rather limited and would denote the paper as a survey paper.
However, the authors changed some formulizations (e.g. in the abstract) to make their results and contributions more clear.
All in all, the paper gives a good overview of the current state of the available schemes for fully homomorphic encryption and their security.
As for the first version of the paper, the paper is easily understandable and written in a clear and good language.
In spite of the upper concerns (limited contribution), I recommend the acceptance of the paper.
Author Response
OK, thanks for your comments!
