Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme

Transcription

1 Information Processing Letters ) 8 23 wwwelseviercom/locate/ipl Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme Jung Hee Cheon a, Woo-Hwan Kim b,, Hyun Soo Nam a a ISaC and Department of Mathematical Sciences, Seoul National University, San 56- Shinrim-dong, Kwanak-gu, Seoul 5-747, Republic of Korea b National Security Research Institute, 6 Gajeong-dong, Yuseong-gu, Daejeon , Republic of Korea Received May 2004; received in revised form 28 February 2005; accepted 27 September 2005 Available online 7 November 2005 Communicated by Y Desmedt Abstract We propose cryptanalysis of the First Domingo-Ferrer s algebraic privacy homomorphism E : Z n Z p Z q ) d where n = pq We show that the scheme can be broken by d + ) known plaintexts in Od 3 log 2 n) time Even when the modulus n is kept secret, it can be broken by 2d + ) known plaintexts in Od 4 log dn+ d 3 log 2 n + εm)) time with overwhelming probability 2005 Elsevier BV All rights reserved Keywords: Privacy homomorphism; Cryptanalysis; Safety/security in digital systems Introduction The conceptofprocessing encrypted data was firstly introduced by Rivest et al [] in 978 A privacy homomorphism is an encryption function which allows processing the encrypted data without knowledge of the decryption function More precisely, an algebraic privacy homomorphic encryption E over a ring R is an encryption function which has efficient algorithms to compute Exy) and Ex + y) from Ex) and Ey) without revealing x and y One example of an algebraic privacy homomorphism [] is as follows: * Corresponding author addresses: jhcheon@mathsnuackr JH Cheon), whkim5@etrirekr W-H Kim), hsnam@mathsnuackr HS Nam) Example Let p,q be large primes, and n = pq P = Z n, C = Z p Z q, Ex) = x mod p,x mod q) and decryption is done using the Chinese remainder theorem This function is an algebraic privacy homomorphism under the usual modular addition and modular multiplication Unfortunately, it is shown that this algebraic privacy homomorphism can be broken using a knownplaintext attack [5] In 99, Feigenbaum and Merritt [8] questioned directly whether an algebraic privacy homomorphism does exist Many schemes are suggested, but almost all of them are shown to be insecure [5,3,3,4] In particular, Ahituv et al showed that any algebraic privacy homomorphism can be broken efficiently by cho /$ see front matter 2005 Elsevier BV All rights reserved doi:006/jipl

2 JH Cheon et al / Information Processing Letters ) sen ciphertext attacks [2] Boneh and Lipton proved that any deterministic algebraic privacy homomorphism over rings Z n can be broken in sub-exponential time under a reasonable) number theoretic assumption [4] Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 and 2002 [6,7] The second one is broken by Bao [3] and Wagner [3,4] But there is no serious attack on the first scheme It is the only algebraic privacy homomorphism that remains secure to the authors knowledge In this paper, we analyze the original privacy homomorphism of Domingo-Ferrer [6], and show that it is not secure against known-plaintext attacks When we consider an encryption function from Z n to Z p Z q ) d for n = pq, it can be broken by d + plaintext ciphertext pairs in Od 3 log 2 n) with the probability larger than 2/p ) Even when n is kept secret, it can be broken by d + more pairs in Od 4 log dn + d 3 log 2 n + εm)) with the probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) The outline of the paper is as follows: In Section 2, we introduce the Domingo-Ferrer s scheme In Section 3, we propose known-plaintext attacks for the scheme The analysis consists of two parts One is the case that the modulus of the input space is public and the second is the case that the modulus is kept secret We conclude in Section 4 2 Domingo-Ferrer s algebraic privacy homomorphism In this section, we introduce the first Domingo-Ferrer scheme [6] Let p,q be large primes and n = pq Fora positive integer d,wesetp = Z n, C = Z p Z q ) d ) SetupTaketwolargeprimesp and q and compute n = pq Choose a positive integer d r p Z p and r q Z q are randomly selected so that each of them generates a large subgroup of Z p and Z q, respectively The public parameter is d, n) and the secret parameter is p,q,r p,r q ) To increase the security n can be kept secret, but in this case encrypted data can be processed less efficiently 2) Encrypt Randomly split x Z n into x,x 2,,x d so that x = d i= x i mod n and x i Z n Ex) = [x r p mod p,x r q mod q],, [x d rp d mod p,x drq d mod q]) 3) Decrypt For each j, to retrieve the [x j mod p, x j mod q], compute the scalar product of the jth coordinate [x j rp j mod p,x j rq j mod q] pair by [rp j mod p,rq j mod q]) Add them up to get [x mod p,x mod q] Use the Chinese remainder theorem to get x mod n To explain the operation of ciphertexts, we adopt a polynomial notation: Denote a polynomial fx) = a X + a 2 X a d X d by its coefficient vectors a,a 2,,a d ) Then we have Ex) = f x r p X) mod p, f x r q X) mod q) for a polynomial f x X) Z n [X] with f x 0) 0modn and f x ) x mod n GivenEx) = p x X), q x X)) and Ex ) = p x X), q x X)),wehave Ex + y) = p x X) + p x X) mod n, q x X) + q x X) mod n ), Exy) = p x X)p x X) mod n, q x X)q x X) mod n ) Note that a multiplication doubles up the number of components in a ciphertext If n is secret, the operations are done in Z[x] Domingo-Ferrer s scheme is an algebraic privacy homomorphism with respect to the operation of addition and multiplication in Z n [X] or Z[X] This scheme is claimed to be secure against knownplaintext attacks when d> Note that if d =, r p =, and r q =, Domingo-Ferrer s scheme is simply the scheme in Example 3 Cryptanalysis of Domingo-Ferrer s scheme We show that Domingo-Ferrer s scheme can be broken with d + known plaintexts when n is known and with one more known plaintexts when n is unknown Without loss of generality, we assume p<q throughout this paper 3 The case that n is public Assume we have d + plaintext ciphertext pairs {x i,y i,z i ) i =,,d + } where x i = x i + + x id mod n and Y i = y i,,y id ) = x i r p mod p,,x id rp d mod p), Z i = z i,,z id ) = x i r q mod q,,z id rq d mod q) for i =,,d + By letting t = rp,wehave f i t) = x i + y i t + y i2 t 2 + +y id t d 0modp for i =,,d+ This can be written as the following matrix:

3 20 JH Cheon et al / Information Processing Letters ) 8 23 x y y 2 y d x 2 y 2 y 22 y 2d x d+ y d+, y d+,2 y d+,d ṭ t d mod p ) Since the homogeneous equation ) has a nontrivial solution in Z d+ p, the determinant deta p ) of the coefficient matrix A p of Eq ) is zero mod p Wemay apply Gaussian elimination to A p over Z n to compute deta p ) since a prime factor of n can be obtained when a failure happens in Gaussian elimination Gaussian elimination of a d + ) d + ) matrix over Z n takes Od 3 log 2 n) bit operations On the other hand, Pr[detA p ) 0modq] is overwhelming as in the following lemma: Lemma 2 Let p and q be primes with p<qand M = v ij ) be an l l random matrix with 0 v ij <p Then the probability that detm) 0modq is larger than e 3/2p ) Proof Let v i = v i,,v li ) be the ith column vector of M Then detm) 0modq if and only if {v,, v l } is linearly independent over Z q Thus we estimate the size of the set I = { v,,v l ) {v,,v l } is linearly independent over Z q, 0 v ij <p } Suppose that {v,,v k } is linearly independent over Z q and each entry of v i is contained in [0,p ] Consider an l k matrix whose ith column is v i Since the rank of the matrix is k, there is a submatrix of rank k made by k rows of the matrix: v j v j 2 v j k v jk v jk 2 v jk k Denote the set of linear combinations of {v,,v k } over Z q by v,,v k Suppose v k+ is contained in v,,v k and v j,k+ [0,p ] for all j Then a,,a k Z q are uniquely determined such that v j k+ v j v j k = a + +a k v jk k+ v jk v jk k Other places of v k+ are determined according to v k+ = a i v i and the number of such v k+ s cannot exceed p k Therefore I is larger than p l )p l p) p l p l ) The probability that {v,v 2,,v l } is linearly independent is larger than p l )p l p) p l p l ) p l ) l = p ) l ) p l ) p e 3 2 p l +p+ +pl ) e 2p ) 3 x e 3 2 x for 0 x ) 2 From Lemma 2, we can obtain gcddeta) mod n, n) = p and q = n/p with probability larger than e 2p ) 3 Once p is known, r p can be obtained by computing gt) := gcd f t),, f d+ t) ) since t rp ) divides gt) The greatest common divisor of two polynomials in Z p [x] of degrees less than d can be computed by Od 2 log 2 p) bit operations [0] Thus gt) can be computed by Od 3 log 2 p) bit operations The degree of gt) may not be but we show that the probability is negligible Let f i = f i/t rp ) for i =,,d + We may assume that f i s are random polynomials of degree d over Z p Lemma 3 Let g,,g k be random polynomials of degree l over Z p Then there is no common root of g i s with probability larger than /p k ) l Proof Assume g has l distinct roots x,,x l For each i = 2,,k, the probability that g i x ) = 0is/p Thus Pr [ i such that g i x ) 0 ] = /p k, Pr [ j, j i such that g ji x j ) 0 ] = /p k ) l Since the number of distinct roots of g may be less than l, the probability is larger than /p k ) l By Lemma 3, f i s have no common root other than rp with the probability larger than /p d ) d Similarly r q can be computed The success probability of determining r p and r q uniquely is larger than /p d ) d /q d ) d e 3d )/2pd 3d )/2q d e 3d )pd e /2p )

4 JH Cheon et al / Information Processing Letters ) if d 2 and q>p>6d Hence the overall success probability is larger than e 3/2p ) e /2p ) e 2/p ) 2 p because e x x for 0 <x< 2 In summary, we have the following theorem Theorem 4 Suppose the modulus n = pq is public with 6d <p<qand d 2 in Domingo-Ferrer s privacy homomorphism The scheme can be broken by d + known plaintext ciphertext pairs in time Od 3 log 2 n) with probability larger than 2/p ) For example, when n and p q 2 52, the probability that the algorithm fails is less than 2/p ) The case that n is not public Domingo-Ferrer suggested that his scheme could be more secure by hiding the modulus n In this case, however, we can not perform many multiplications since one multiplication makes the length of ciphertexts four times longer We will show that even if n is not public, a similar cryptanalysis can be applied Assume that we have 2d + ) known plaintext ciphertext pairs From each d + pairs, we can induce two d + ) d + ) coefficient matrices, A and A 2 as ) First, we compute the determinant of A i s viewed as integer matrices When A = a ij ) is a d + ) d + ) integer matrix, it is known that deta) can be computed by Od 4 log d + log A ) + d 3 log 2 A ) bit operations where A =max i,j { a ij } [] and there are algorithms with the lower complexity For more detail, see [9]) For the matrix A i, we may assume that A i n and deta i ) can be computed by Od 4 log dn + d 3 log 2 n) bit operations Second, we compute p from the gcd of determinants of A i s We claim that gcddeta ), deta 2 )) = p, equivalently gcd deta )/p, deta 2 )/p ) = with high probability More precisely, we have Lemma 5 Assume that divisibility of an integer by different primes is independent Let N be a positive integer If positive integers n,,n k are randomly drawn from the interval 0,N), then the probability P k i) of the greatest common divisor of k integers n,,n k is equal to i, P k i) = lim Pr{ gcdn,n 2,,n k ) = i } N i k ζk), where ζk) is the Riemann s zeta function Proof See [2, Section 44] If l = gcddeta ), deta 2 )) is not prime and l has only small factors other than p, then we can easily calculate p by trial divisions or some integer factoring algorithms By Lemma 5, we have the probability for finding p greater than 2 m i= P 2 i) = 2 m i= = ζ2) i 2 ζ2) = ζ2) i=2 m + i 2 2 m i= i 2 assuming that prime factors of l smaller than 2 m can be easily calculated We can find q by the same method After getting p and q, we can compute the other secret keys r p and r q as the case that n is known Theorem 6 Suppose the modulus n = pq is secret with 2p>q>p 6d and d 2 in Domingo-Ferrer s algebraic privacy homomorphism The scheme can be broken by 2d +) known plaintext ciphertext pairs in time Od 4 log dn+ d 3 log 2 n + εm)) with the success probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) is the complexity of a factorization algorithm to find all factors less than 2 m Proof The computing time of deta i ) for i =, 2in Z is estimated as Od 4 log dn + d 3 log 2 n) Next,using a suitable factorization algorithm whose complexity is εm)), we can discard prime factors smaller than 2 m and obtain p by computing the gcd of deta i ) s The number of primes less than 2 m is approximately 2 m /log 2 m ) = 2 m /m log 2) LetM be the product of primes less than 2 m, then M = p i <2 m p i 2 m 2m/log 2m) = 2 2m/log 2) The approximate value of ζk) for k = 2, 4, 6, 8, 0 is , , , ,

5 22 JH Cheon et al / Information Processing Letters ) 8 23 and log M 2 m /log 2) 2 m+ The computation of gcdm, det A i ) takes O2 m+ ) 2 ) bit operations and εm) = O2 2m ) follows By Lemma 5, we have Pr [ gcd deta ), deta 2 ) ) = p ] ζ2) i=2 m + i 2 Also the same probability holds for computing q Let Error be the event that p or q is not determined Since i=2 m + and ζ2), i 2 2 m Pr[Error] ζ2) i=2 m + ) 2 i 2 ) 2 2 m 2 m 2 The computation of r p, r q and its complexity is the same as the case when n is known The total complexity is O d 4 log dn+ d 3 log 2 n + 2 2m) The success probability is Pr [ ] Error Findr p Findr q ) 2 m 2 2 ) p Note that the probability that the algorithm fails, is less than 0 3 if m 2, n and d 0 Remark 7 In fact, d + 2) known plaintext ciphertext pairs are enough to make two d + ) d + ) matrices by use of a plaintext ciphertext pair twice In Lemma 5, it is assumed that the integers are chosen randomly and in order to apply the lemma, we assume 2d + ) known plaintext ciphertext pairs Table The summary of the proposed attacks Case The number of known-plaintexts The success probability Time complexity bit operations) n is known p 2 52 ) n is unknown m 2, d 0) d + 2d + ) 2 p 2 5 ) 2m 2 ) 2 p ) 0 3 ) Od 3 log 2 n) Od 4 log dn+ d 3 log 2 n + 2 2m ) 32 Example This example is in the paper of Domingo-Ferrer [6] We illustrate the above analysis by this example Let p = 7, q = 3, r p = 2, and r q = 3 be secret key We can encrypt, 3,, 2, 4, and 5 as follows: E ) = E2, 3) = [4, 6], [5, 2] ), E3) = E2, ) = [4, 6], [4, 9] ), E) = E4, 3) = [8, 2], [5, 2] ), E2) = E3, ) = [6, 9], [3, 4] ), E4) = E3, ) = [6, 9], [4, 9] ), E5) = E6, ) = [2, 5], [3, 4] ) We use three plaintext ciphertext pairs, {, E )), 3, E3)),, E))} to make a coefficient matrix A where ) 4 5 A = 3 4 4, deta) = 68, 8 5 gcd deta), 3 7 = 22 ) = 7 If n = 22 is unknown, with three more plaintext ciphertext pair, make another matrix for {2, E2)), 4, E4)), 5, E5))}, ) B = 4 6 4, detb) = 02, gcd deta), detb) ) = 34 We next calculate r p by using + 4t + 5t 2 = 0, 3 + 4t + 4t 2 = 0 then by elimination 9 + 4t = 0 mod 7 so t = 9 mod 7, r p = t mod 7 = 2 4 Conclusion Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 [6] and 2002 [7] The second was analyzed by Bao [3] and Wagner [3,4], but no attack against the first one was announced In this paper we firstly analyzed the first Domingo-Ferrer s algebraic privacy homomorphism It can be broken by d + ) plaintext ciphertext pairs by known plaintext attacks when the modulus is public Even when the modulus is kept secret, it can be broken by 2d + ) pairs Therefore, it is still open to decide whether an algebraic privacy homomorphism exists References [] J Abbot, M Bronstein, T Mulders, Fast deterministic computation of determinants of dense matrices, in: International Conference on Symbolic and Algebraic Computation Proceedings of

6 JH Cheon et al / Information Processing Letters ) the 999 International Symposium on Symbolic and Algebraic Computation, pp [2] N Ahituv, Y Lapid, S Neumann, Processing encrypted data, Comm ACM ) [3] F Bao, Cryptanalysis of a provable secure additive and multiplicative privacy homomorphism, in: International Workshop on Coding and Cryptography WCC), 2003 [4] D Boneh, R Lipton, Searching for elements in black-box fields and applications, in: Advances in Cryptology, Crypto 96, in: Lecture Notes in Comput Sci, vol 09, Springer-Verlag, Berlin, 996, pp [5] E Brickell, Y Yacobi, On privacy homomorphisms, in: Advances in Cryptology, Eurocrypt 87, in: Lecture Notes in Comput Sci, vol 304, Springer-Verlag, Berlin, 988, pp 7 25 [6] J Domingo-Ferrer, A new privacy homomorphism and applications, Inform Process Lett 60 5) 996) [7] J Domingo-Ferrer, A provably secure additive and multiplicative privacy homomorphism, in: ISC2002, in: Lecture Notes in Comput Sci, vol 2443, Springer-Verlag, Berlin, 2002, pp [8] J Feigenbaum, M Merritt, Open questions, talk abstracts, and summary of discussions, in: DIMACS series in Discrete Mathematics and Theoretical Computer Science, vol 2, Amer Math Soc, 99, pp 45 [9] E Kaltofen, G Villard, Computing the sign or the value of the determinant of an integer matrix, a complexity survey, J Comput Appl Math ) [0] A Menezes, P van Oorschot, S Vanstone, Handbook of Applied Cryptography, CRC Press, Inc, Boca Raton, FL, 997 [] R Rivest, L Adleman, M Dertouzos, On data banks and privacy homomorphisms, in: Foundations of Secure Computation, Academic Press, New York, 978, pp [2] M Schroeder, Number Theory in Science and Communication, second ed, Springer-Verlag, Berlin, 986 [3] D Wagner, Cryptanalysis of an algebraic privacy homomorphism, in: ISC2003, in: Lecture Notes in Comput Sci, vol 285, Springer-Verlag, Berlin, 2003, pp [4] D Wagner, Erratum concerning Cryptanalysis of an Algebraic Privacy Homomorphism, available at edu/~daw/papers/