An Attack on a Fully Homomorphic Encryption Scheme

Transcription

1 An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University, ,Jinan,China yhu@mail.xidian.edu.cn fenghe2166@163.com Abstract. In this aer we resent an attack on a fully homomorhic encrytion scheme on PKC2010. We construct a modified secret key, a modified decrytion algorithm and a subset of the cihertext sace. When the cihertext is from the subset, we can correctly decryt it by our modified secret key and modified decrytion algorithm. We also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Keywords: Fully Homomorhic Encrytion, lattice-based PKC, cloud-comutation. 1 Introduction: Bootstraing-based FHE and attacks Fully-homomorhic-Encrytion (FHE) is a novel technique alied to cloud-comutation. It is for such rocedure. The user needs to obtain the outut of ring-oerations in laintext sace, but wants to comute nothing but only decrytion. The sever imlements homomorhic oerations in cihertext sace of these oerations in laintext sace. That is, the server is given corresonding cihertexts of inut laintexts of these ring-oerations, and comutes corresonding cihertext of outut laintext of these ring-oerations. Then the server sends this outut cihertext to the user. The user then decryts this outut cihertext to obtain original outut laintext. To be fully-homomorhic, these ring-oerations in laintext sace must be of any deth. Lattice-based PKC can achieve homomorhic encrytion function for shallow ring-oerations in laintext sace. This homomorhic encrytion function is called somewhat homomorhic encrytion function. But lattice-based PKC belongs to the class of error correction tye PKC, so that the cihertext must include noise. Dee ring-oerations in laintext sace means dee homomorhic oerations in cihertext sace, and noise will be greatly enhanced, resulting in wrong decrytion. Therefore the major roblem to achieve fully-homomorhic-encrytion is to decrease the size of the noise. The frontier work to solve this roblem belongs to Gentry [1], who resented a novel technique named bootstraing. After that many fully-homomorhic-encrytion schemes were resented [2-21], with major efforts on decreasing the comutation comlexity. Among them is a fully-homomorhic-encrytion scheme [6], resented by Smart and Vercauteren, and on PKC2010. We call this aer SV10. SV10 scheme is one of efforts changing the cihertexts from olynomials to integers. It has relatively small key and cihertext sizes. In this aer we resent an attack on this fully homomorhic encrytion scheme. In fact, our attack only aims at its somewhat homomorhic encrytion algorithm. We construct a modified secret key, a modified decrytion algorithm and a subset of the cihertext sace. Whenever the cihertext is from the subset, we can correctly decryt it by our modified secret key and modified decrytion algorithm. We also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Our attack imlies that it should be careful for designing fully homomorhic encrytion over the integers.

2 The aer is organized as following. In section 2 we state the fully-homomorhic-encrytion scheme resented by SV10, including its correctness. In section 3 we resent our major roosition, which is the basis of our attack. In section 4 we resent our attack, including modified secret key, modified decrytion algorithm, and a subset of the cihertext sace. In this section we also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Section 5 is the conclusion. 2 The FHE scheme of SV The Somewhat Homomorhic Encrytion Algorithm Q[x] and Z[x] are resectively the set of olynomials with rational and integer coefficients. Given a olynomial g(x) = t g ix i Q[x], g(x) = max g i. For a ositive value r, B,N (r) is t=0,,t such set of olynomials with integer coefficients: B,N (r) = {g(x) = N 1 g i x i, g(x) r}. The scheme is arameterized by three values (N, η, µ). A tyical set of arameters would be (N, η, µ) = (N, 2 N, N), N = 2 n. KeyGen(.): 1. Set the laintext sace to be {0, 1}. Choose a monic irreducible olynomial F (x) Z[x] of degree N.Tyically we can take F (x) = x N + 1 = x 2n Reeat: S(x) R B,N (η/2). G(x) 1 + 2S(x). resultant(g(x), F (x)). -Until is rime. 3. D(x) gcd(g(x), F (x)) over F [x] -D(x) gcd(g(x), F (x)) over F [x] -Let α F denote the unique root of D(x). 4. Aly the XGCD algorithm over Q[x] to obtain Z(x) = N 1 z ix i Z[x] such that 5. B z 0 mod2 -The ublic key is (, α). The secret key B. Encryt(M,, α): 1. Let R(x) R B,N (µ/2). 2. Let C(x) M + 2R(x). 3. Let c C(α)mod. -Outut c. Z(x)G(x) = modf (x).

3 Decryt(c, B): M c cb/p mod2 -Outut M. Add(c 1, c 2,, α): c 3 c 1 + c 2 mod. -Outut c 3. Mult(c 1, c 2,, α): c 3 c 1 c 2 mod. -Outut c Some Notes It should be ointed out that, although Z(x) is obtained by the XGCD algorithm over Q[x], Z(x)Z(x) because = resultant(g(x), F (x)). According to tyical arameters, the cihertext can be correctly decryted. Again according to tyical arameters, the scheme allows about d homomorhic multilications over the cihertext sace, where d log 2 2 N log N. In other words, the N roduct of not more than d cihertexts can be correctly decryted. The value of d increases with the value of N. For N = 256, d = 0. For (N = 512, d = 1). For N = 65536, d = 10. The scheme of SV10 uses both the somewhat homomorhic encrytion algorithm and the bootstraing technique to achieve FHE. Our attack only aims at the somewhat homomorhic encrytion algorithm, so that we don t introduce the bootstraing. 3 Our Major Proosition 3.1 The Proosition Take a ositive integer δ such that δ < N. Take = 2α k (modq), k = 0, 1,, N 1. Define N + 2 sets {A 0, A 1,, A N 1, A, A } as follows. For k = 0, 1, 2,, N 1, if (mod2) = 0, and if (mod2) = 1. A k = (0, ) { + (2i 1, 2i 1 + ) } µ(δ + 2) µ(δ + 2) A k = (0, ) { + ((2i + 1) 1, (2i + 1) 1 + ) } µ(δ + 2) µ(δ + 2) A = (0, ) { + (2i 2(δ + 2), 2i + 2(δ + 2) )}. A = (0, ) { + 1 (2i + 1 µδ(δ + 2), 2i µδ(δ + 2) )}. It is clear that A = (0, 2(δ+2) ), A 0 = (0, µ(δ+2) ). For δ integers k 1, k 2,, k δ, such that 0 k 1 < k 2 < < k δ N 1, define the intersection set A(k 1, k 2,, k δ ) = A k1 Ak2 Akδ A A, N

4 and define the subset of the cihertext sace C(k 1, k 2,, k δ ) = { C(α)(mod) C(x) = M+r k1 x k 1 +r k2 x k 2 + +r kδ x k δ, r ki even, r ki µ, i = 1,, δ } Proosition 1. Take a real number B from the set A(k 1, k 2,, k δ ). Then any cihertext c from C(k 1, k 2,, k δ ) can be correctly decryted by the algorithm c cb/. Proof. c = M +( r k r k r k δ 2 δ ) u, where r k i 2 is an integer, r k 2 2 µ 2, i = 1, 2,, δ. It is immediate that 0 u µ 2 δ. Notice the definition of A(k 1, k 2,, k δ ). 0 MB 1 2 is in ( 1 2(δ+2), 1 2(δ+2) ) neighboring field of an integer, and that integer is modular 2 congruent with r ki i ub is in ( 1 2(δ+2), 1 2(δ+2) ) neighboring field of an integer, and that integer is modular 2 congruent with u. From all of the above, c cb/ (mod2) = M MB/ + r k1 1 r k1 1 B/ + r k1 1 r k2 2 B/ + + r k1 1 r kδ δ B/ u + ub (mod2) = M. 2(δ+2). r ki i B 3.2 Time Cost for Finding a B from A(k 1, k 2,, k δ ) Suose δ = 0(mod2) (δ = 1(mod2)), for i = 0, 1, check whether the interval (2i 1, 2i + 1 ) (the interval ((2i + 1) 1, (2i + 1) + 1 ) intersects the set {A 0, A 1,, A δ 1, A, A } until it intersects all of them. Then take any real number B from such intersection set. Checking whether an interval intersects the set {A k2, A k3,, A δ, A, A } is a quite simle task. On the other hand, A = (0, 2(δ+2) ), and is extremely large. The length of the set A k is about µ(δ+2). The length of the set A is about µδ(δ+2). Then the length of the intersection set A k1 Ak2 Akδ A is about. This means that the length of the µ δ+1 δ(δ+2) δ+1 intersection set A(k 1, k 2,, k δ ) = A k1 Ak2 Akδ A A is about, and 2µ δ+1 δ(δ+2) δ+2 A(k 1, k 2,, k δ ) (0, 2(δ+2) ). If k 1 > 0, the oint of A(k 1, k 2,, k δ ) are randomly distributed within (0, 2(δ+2) ). If k 1 = 0, A(k 1, k 2,, k δ ) (0, µ(δ+2) ), and the oints of A(k 1, k 2,, k δ ) are randomly distributed within (0, µ(δ+2) ). Therefore there should be a oint of A(k 1, k 2,, k δ ) which is smaller than O(µ δ+1 δ(δ + 2) δ+1 ), and checking at most O(µ δ+1 δ(δ + 2) δ+1 ) intervals should find a real number B of A(k 1, k 2,, k δ ). Suose N = 256, then µ = N = 16. Take δ = 3, O(µ δ+1 δ(δ + 2) δ+1 ) = O( ) O(2 27 ). Take δ = 9, O(µ δ+1 δ(δ + 2) δ+1 ) = O( ) O(2 78 ). Table 1 lists n(δ) the aroriate number of intervals for checking, with N = Our Attack 4.1 The Modified Decrytion Algorithm Suose that for any δ integers k 1, k 2,, k δ such that 0 k 1 < k 2 < < k δ N 1, we have chosen a real number B(k 1, k 2,, k δ ) from the set A(k 1, k 2,, k δ ). Our modified secret key is

5 Table 1. he Aroriate Number of Intervals for Checking (N=256) δ n(δ) δ n(δ) B(k 1, k 2,, k δ ) 0 k 1 < k 2 < < k δ N 1. For any δ 1 integers l 1, l 2,, l δ 1 such that 0 l 1 < l 2 < < l δ 1 N 1, define the set S(l 1, l 2,, l δ 1 ) = {B(k 1, k 2,, l δ ) {l 1, l 2,, l δ 1 }}. Notice that S(l 1, l 2,, l δ 1 ) = N δ + 1. The modified decrytion algorithm is as the follow. For a cihertext c, comute {c cb(k 1, k 2,, k δ )/ (mod2) 0 k 1 < k 2 < < k δ N 1}. If there is some S(l 1, l 2,, l δ 1 ), such that all values {c cb(k 1, k 2,, k δ )/ (mod2) B(k 1, k 2,, k δ ) S(l 1, l 2,, l δ 1 )} are same, take the laintext as such same value. If there is no such S(l 1, l 2,, l δ 1 ), the decrytion fails. 4.2 The Correctness For a cihertext c, the corresonding olynomial is C(x) = M + 2R(x). If R(x) has m non-zero coefficients, we say that the Hamming weight of c is m. Define C(m) as the set of all cihertexts with the Hamming weights not more than m. It is clear that C(m) =, and that 0 l 1 <l 2 < <l m N 1 C(0) C(1) C(N). C(N) is the cihertext sace. Now we exlain that our algorithm makes wrong decrytion with a negligible robability for the cihertexts from C(δ 1). Take any cihertext c C(δ 1), any C(l 1, l 2,, l δ 1 ) C(δ 1). If c C(l 1, l 2,, l δ 1 ), all value {c cb(k 1, k 2,, k δ )/ (modq) B(k 1, k 2,, k δ ) S(l 1, l 2,, l δ 1 )} are the laintext of c. If c / C(l 1, l 2,, l δ 1 ), value {c cb(k 1, k 2,, k δ )/ (modq) B(k 1, k 2,, k δ ) 1 S(l 1, l 2,, l δ 1 )} are random, therefore the robability they are same as the wrong value is. 2 N δ+1 There are at most C δ 1 N 1 different C(l 1, l 2,, l δ 1 ) such that c / C(l 1, l 2,, l δ 1 ), therefore the robability c is decryted as wrong value is not larger than Cδ 1 N 1. For N 256, δ 17, this 2 N δ+1 robability is negligible. 4.3 The Efficiency Our modified secret key includes C δ N real numbers. Our modified decrytion algorithm includes Cδ N ordinary decrytions, and a judgment.

6 4.4 The Imact Our modified decrytion algorithm can correctly decryt all cihertexts in C(δ 1). If in the encrytion rocedure, the ste R(x) R B,N (µ/2) is under uniform distribution, C(δ 1) is negligible in the cihertext sace. However, the cihertext with small Hamming weight will have great advantage in somewhat homomorhic oerations, esecially in multilication homomorhic oerations. If the ste R(x) R B,N (µ/2) is artial to the smaller Hamming weights C(δ 1) is not negligible, and our attack is effective. 5 Conclusions SV10 scheme is not as strong as some other fully homomorhic encrytion schemes. Our attack at least threatens the distribution of the ste R(x) R B,N (µ/2) of the encrytion rocedure. Our attack imlies that it should be careful for designing fully homomorhic encrytion over the integers. Acknowledgements This work was suorted by the National Natural Science Foundation of China (Grant Nos , ) and Science and Technology on Communication Security Laboratory (9140C C1102). This work was also suorted by Huawei Co. (YBCB ). References 1. C. Gentry. Fully homomorhic encrytion using ideal lattices. In STOC 09, , Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorhic encrytion from (standard) LWE. In FOCS 2011, D. Stehle and R. Steinfeld. Faster fully homomorhic encrytion. In Asiacryt 10, M. v. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorhic encrytion over the integers. In ASIACRYPT 10, Z. Brakerski and V. Vaikuntanathan. Fully Homomorhic Encrytion from Ring-LWE and Security for Key Deendent Messages. In CRYPTO 2011, N. P. Smart, F. Vercauteren. Fully Homomorhic Encrytion with Relatively Small Key and Cihertext Sizes. In PKC 2010, , C. Gentry, S. Halevi. Imlementing Gentry s full homomorhic encrytion scheme. In EUROCRYPT 2011, , C. Gentry. Toward basing fully homomorhic encrytion on worst-case hardness. In Cryto 2010, C. Gentry, S. Halevi. Fully homomorhic encrytion without squashing using deth-3 arithmetic circuits. In FOCS 2011, Z. Brakerski, C. Gentry, V. Vaikuntanathan. Fully homomorhic without Bootstraing. htt:// erint.iacr.org/2011/ Jean-Sbastien Coron, Avradi Mandal, David Naccache, Mehdi Tibouchi. Fully Homomorhic Encrytion over the Integers with Shorter Public Keys. In Cryto Yuanmi Chen, Phong Q. Nguyen. Faster Algorithms for Aroximate Common Divisors: Breaking Fully-Homomorhic-Encrytion Challenges over the Integers. In Eurocryto 2012, (htt://erint.iacr.org/2011/436) 13. Craig Gentry, Shai Halevi and Vinod Vaikuntanathan. i-ho Homomorhic Encrytion and Rerandomizable Yao Circuits. In Cryto Zvika Brakerski. Fully Homomorhic Encrytion without Modulus Switching from Classical GaSVP. htt://erint.iacr.org/2012/ Junfeng Fan and Frederik Vercauteren. Somewhat Practical Fully Homomorhic Encrytion. htt://erint.iacr.org/2012/ Craig Gentry and Shai Halevi and Nigel P. Smart. Fully Homomorhic Encrytion with Polylog Overhead. In Eurocryto 2012, (htt://erint.iacr.org/2011/566).

7 17. P. Scholl and N.P. Smart. Imroved Key Generation For Gentry s Fully Homomorhic Encrytion Scheme. htt://erint.iacr.org/2011/ Steven Myers and Mona Sergi and abhi shelat. Threshold Fully Homomorhic Encrytion and Secure Comutation. htt://erint.iacr.org/2011/ Loftus and A. May and N.P. Smart and F. Vercauteren. On CCA-Secure Fully Homomorhic Encrytion. htt://erint.iacr.org/2010/ Craig Gentry and Shai Halevi and Nigel P. Smart. Homomorhic Evaluation of the AES Circuit. htt://erint.iacr.org/2012/ Jean-Sbastien Coron, David Naccache, Mehdi Tibouchi. Public-key Comression and Modulus Switching for Fully Homomorhic Encrytion over the Integers. In Eurocryto