Cryptanalysis of a homomorphic encryption scheme

Abstract

Homomorphic encryption allows to make specific operations on private data which stays encrypted. While applications such as cloud computing require to have a practical solution, the encryption scheme must be secure. In this article, we detail and analyze in-depth the homomorphic encryption scheme proposed by Zhou and Wornell (20). From the analysis of the encryption scheme, we are able to mount three attacks. The first attack enables to recover a secret plaintext message broadcasted to multiple users. The second attack performs a chosen ciphertext key recovery attack. The last attack is a related chosen plaintext decryption attack.

1 Introduction

Homomorphic encryption enables operations directly in the encrypted domain. The notion of homomorphic encryption was first introduced by Rivest et al. [15] in 1978. While this was instantiated at first only for addition or multiplication, a breakthrough in this area was done by Gentry [7] that introduced the first Fully Homomorphic Encryption (FHE) scheme. An FHE scheme is one that can support computation of any arbitrary functions in the encrypted domain. While there is an extensive work done in this area [1,2,3,4,5,6,7,8,9,10, 16,17,18], FHE is not yet practical and many applications do not require such a strong primitive. Instead, there are many schemes that offer a limited number of homomorphic operations. While more restrictive, these schemes may offer practical solutions depending on the application (e.g. database queries, protection of medical data).

The encryption scheme proposed in [20] is a homomorphic encryption scheme that supports three operations: addition, linear transformation and weighted inner products. Moreover, based on the three fundamental operations, the scheme enables to compute arbitrary polynomials. As stated in [20], these operations can be useful in applications where tasks as feature extraction, recognition, classification, and data aggregation are needed. This scheme is a natural generalization of the PVW scheme [13] from binary vectors to integer vectors where techniques as ciphertext packing [1] and key switching [3] are employed to optimize the scheme. Working with plaintexts that are integer vectors (and not bits) is efficient and attractive from a practical point of view.

Our contribution

It is desired by the cryptographic community and by many research communities (e.g. big data, medical research, cloud computing) to have a practical, secure homomorphic encryption scheme. While we believe that a lot of research should be invested in the area of homomorphic encryption, it is also essential to analyse and filter those schemes whose security is questionable.

In this article, we first formalize the homomorphic encryption scheme from [ 20 ]. The presentation in the original paper is not very intuitive nor easy to follow. As the devil is in the details, we believe it is important to be rigorous and careful with every step of the scheme. A clear description allows us to further discover weaknesses. Thus, we are able to mount three attacks: a broadcast encryption, a chosen ciphertext key recovery attack and a related chosen plaintext attack against this scheme. These attacks, together with an incomplete security analysis in the original work, suggest that another approach and work is required in order to be able to construct a homomorphic scheme that works with vectors of integers.

Structure of the paper

In Section 2, we formalize the encryption scheme from [20 ] and describe the operations which are possible in the encrypted domain. In Section 3 , we present three attacks against this encryption scheme. Finally we conclude with Section 4.

Notations

We will use small bold letters for vectors and capital bold letters for matrices (i.e a is a column vector). We define |a| to be the L _∞ -norm and ⌈a⌋ the round up of a to the nearest integer. The notation v e c(A) denotes the vector that consists of all the entries in a matrix A, where the values are taken column by column. Given a domain \(\mathcal {D}\), we denote by \(x \xleftarrow {U} \mathcal {D}\) the fact that x is drawn uniformly at random from \(\mathcal {D}\).

2 Encryption scheme on integer vectors

In this section we introduce the encryption scheme from [20] and the homomorphic operations that it supports. The presentation differs from the original description. Our goal is to properly formalize the scheme and eliminate any ambiguity.

The scheme from [20] encrypts vectors of integers and supports three homomorphic operations that are going to be presented later in this Section.

As noted in the original work [20], the scheme relies on the idea of key switching [3]. Given a pair of public key/secret key, (p k, s k), and a different secret key s k ^′ one is able to generate the new public key p k ^′ that corresponds to s k ^′. In terms of encryption, a ciphertext c, encryption of plaintext m under the public key pk, can be switched to a new ciphertext c ^′ that will decrypt correctly to m under the key s k ^′. We will formalize the scheme following the line of this concept.

We first present some methods that will ease the explanation of the encryption scheme. The first method, that we denote B i n, is taking a vector c where all the components are smaller than 2^ℓ. The method is constructing c ^∗, the binary representation of c, where each component of c is represented by ℓ bits.

The D e v procedure takes a matrix \(\mathbf {S} \in \mathbb {Z}^{m \times n}\) and an integer ℓ, and it constructs the matrix \(\mathbf {S^{*}} \!\in \! \mathbb {Z}^{m \times n \ell }\) such that each value S _{i j} is transformed into a block \(S^{*}_{ij} = \left [S_{ij}, S_{ij}2,\ldots , S_{ij}2^{\ell -1} \right ]\).

Given the description of these two procedures, we can state the following Lemma.

Lemma 1

Given a matrix \(\mathbf {S} \in \mathbb {Z}^{m \times n}\) , an integer ℓ and an integer vector \(\mathbf {c} \in \mathbb {Z}^{n}\) such that 0 ≤|c| < 2^ℓ , we have that S c = D e v(S, ℓ) ⋅ B i n(c, ℓ).

Proof

We write S ^∗ = D e v(S, ℓ) and c ^∗ = B i n(c, ℓ). We observe that for each block of values \(S^{*}_{ij}\) of S ^∗ and \(c_{j}^{*}\) of c ^∗ we have

$$\begin{array}{@{}rcl@{}} S^{*}_{ij}c^{*}_{j} &=& \left[\begin{array}{llll} S_{ij} & 2S_{ij} & {\cdots} & 2^{\ell-1}S_{ij} \end{array}\right] \left[\begin{array}{c} c_{j0}\\ c_{j1}\\ {\vdots} \\ c_{j(\ell-1)} \end{array}\right] \\&=& S_{ij}c_{j0} + 2S_{ij}c_{j1} + {\ldots} + 2^{\ell-1}S_{ij}c_{j(\ell-1)} \\ &=& S_{ij}(c_{j0} + 2c_{j1} + {\ldots} + 2^{\ell-1}c_{j(\ell-1)}) \\ &=& S_{ij}c_{j} \end{array} $$

Hence we have that S c = S ^∗ c ^∗ = D e v(S, ℓ)B i n(c, ℓ). □

The three generic algorithms of the encryption scheme from [20], i.e. key generation, encryption and decryption, are described below.

2.1 Key generation

As a first step, the user generates the public and secret keys that will be used for encryption and decryption. The key generation algorithm is described in Algorithm 3. Once the random matrices T and A and the noise matrix E, drawn from a noise distribution χ on \(\mathbb {Z}_{q}\), are sampled, the secret key S and the public key M are computed. The public key M is defined such that S M = D e v(I, ℓ) + E (mod q) is verified.

Conditions imposed on the parameters ℓ, m, n, p, q, w are the ones described in Algorithm 3. In the original work [20], the authors propose a set of parameters: ℓ = 28,m = 2⁷,n = 2⁸,p = 2⁸,q ≈ 2⁵⁰,w = 2²⁰.

2.2 Encryption

Given the public key M, the public parameter w, and the plaintext \(\mathbf {x} \in \mathbb {Z}^{m}\), the encryption algorithm outputs the ciphertext c that is computed as in Algorithm 4.

2.3 Decryption

At decryption, the user receives c and knows the value of the secret key S and the public parameter w. In order to decrypt, one reduces modulo q the value of S c. Once we change the domain from \(\mathbb {Z}_{q}\) to \(\mathbb {Z}\), by a mapping that maps \(i \in \mathbb {Z}_{q}\) to \(i \in \mathbb {Z}\), we perform division by w and round up to the nearest integer to obtain the plaintext x.

Correctness

The encryption scheme described above is correct, i.e., if c is the encryption of a plaintext x as above, then one decrypts c to x, provided that he knows the secret key S. This is possible when the noise is under a given threshold.

In order to prove the correctness of the scheme we need the following result that describes the relation that a valid encryption satisfies.

Theorem 1

We assume that q > w|x|and we have the plaintext \(\mathbf {x} \in \mathbb {Z}^{m}\) . We define ℓ = ⌈log 2(q)⌉. We take the distribution χ such that x ← χ is such that \( x < \frac {w}{2m \ell }\) with high probability. We assume that the output of the key generation is (S,M). The vector \(\mathbf {c} \in \mathbb {Z}^{n}_{q}\) is the ciphertext of x with length n > m . We have

$$ \mathbf{S}\mathbf{c} = q\mathbf{k} + w\mathbf{x} + \mathbf{e} $$

(1)

for some integer vectors k and e suchthat \(\vert \mathbf {e}\vert < \frac {w}{2}\).

Proof

We have defined the secret key \(\mathbf {S} = \left [\mathbf {I}, \mathbf {T} \right ] \in \mathbb {Z}^{m \times n}_{q}\) and the public key

$$\mathbf{M} \equiv \left( \begin{array}{c} -\mathbf{T}\mathbf{A} + Dev(\mathbf{I},\ell) + \mathbf{E} \\ \mathbf{A} \end{array}\right) \pmod{q} $$

We have

$$ \mathbf{S}\mathbf{M} \equiv Dev(\mathbf{I},\ell) + \mathbf{E} \pmod{q} $$

so,

$$\mathbf{S}\mathbf{M} = q\mathbf{k_{SM}} + Dev(\mathbf{I},\ell) + \mathbf{E} $$

with k _{S M} an integer matrix.

From Algorithm 4, the ciphertext c is computed as

$$ \mathbf{c} \equiv \mathbf{M} Bin(w \mathbf{x},\ell) \pmod{q}\\ $$

$$\mathbf{c} = q\mathbf{k^{*}} + \mathbf{M} Bin(w\mathbf{x}, \ell) $$

where k ^∗ is an integer vector and |k ^∗| is much smaller than q when |T| is much smaller than q.

Finally, we have

$$ \begin{array}{ll} \mathbf{S}\mathbf{c} & = q\mathbf{S}\mathbf{k^{*}} +\mathbf{SM} Bin(w\mathbf{x},\ell) \\ & = q\mathbf{S}\mathbf{k^{*}} + (q\mathbf{k_{SM}} + Dev(\mathbf{I},\ell) + \mathbf{E})Bin(w\mathbf{x},\ell) \\ & = q(\mathbf{S}\mathbf{k^{*}} + \mathbf{k_{SM}} Bin(w\mathbf{x},\ell)) + w\mathbf{x} + \mathbf{E} Bin(w\mathbf{x},\ell) \\ & = q\mathbf{k} + w\mathbf{x} + \mathbf{E} Bin(w\mathbf{x},\ell) \\ & = q\mathbf{k} + w\mathbf{x} + \mathbf{e} \end{array} $$

with D e v(I, ℓ)B i n(w x, ℓ) = w x (by Lemma 1), k = S k ^∗ + k _{S M} B i n(w x, ℓ) integer vector and e = E B i n(w x, ℓ) the noise vector. E is sampled from distribution χ and we have \(\vert \mathbf {E} Bin(w\mathbf {x},\ell ) \vert < \frac {w}{2}\). This is a required condition on (1) as this boundary will have an important role during the decryption. □

We can now prove the correctness of the scheme.

Lemma 2 (Correctness)

We assume that q > w|x|and that (M,S)is a pair of public-secret key. We assume c is a valid encryption of the plaintext x under key M , i.e. it satisfies the relation S c = q k + w x + e with \(|\mathbf {e}| < \frac {w}{2}\) . Then c decrypts correctly to x under key S .

Proof

If we follow the steps of the decryption algorithm we can see that by applying the modulo on S c we remove the q k value. Since we assume that w|x| < q, the value w x does not get modified by the modulo operation. We have

$$\mathbf{Sc} \equiv w\mathbf{x} + \mathbf{e} \pmod{q} $$

After the division in \(\mathbb {Z}\) we obtain

$$ \frac{\mathbf{Sc}}{w} = \mathbf{x} + \frac{\mathbf{e}}{w} $$

By performing the round up to the nearest integer we obtain

$$ \left\lceil\frac{\mathbf{Sc}}{w}\right\rfloor = \left\lceil\mathbf{x} + \frac{\mathbf{e}}{w}\right\rfloor = \left\lceil\mathbf{x} \right\rfloor+ \left\lceil\frac{\mathbf{e}}{w}\right\rfloor = \mathbf{x} $$

Since \(\vert \mathbf {e}\vert < \frac {w}{2}\), we have that

$$ \frac{e_{j}}{w} < \frac{w}{2w}\Rightarrow e_{j} < \frac{1}{2}, \ \forall \ 1\leq j \leq m $$

Thus, the decryption algorithm correctly recovers the plaintext x. □

2.4 Key-switching technique

As aforementioned, the encryption scheme relies on the concept of key-switching. We are given two secret keys \(\mathbf {S}, \mathbf {S^{\prime }} \in \mathbb {Z}^{m \times n}_{q}\). The ciphertext \(\mathbf {c} \in \mathbb {Z}^{n}_{q}\) decrypts to the plaintext \(\mathbf {x} \in \mathbb {Z}^{m}_{p}\) under the key S. We would like to compute a new matrix M ^′, that will produce a new ciphertext c ^′ such that the secret key S ^′ will decrypt c ^′ to the same x.

We describe below the two methods that perform this task.

The matrix M ^′ is generated such that

$$ \mathbf{S^{\prime}}\mathbf{M^{\prime}} = Dev(\mathbf{S},\ell) + \mathbf{E^{\prime}} \pmod{q} $$

Lemma 3

Let c be a valid encryption of the plaintext x . Let M ^′← S w i t c h S(S, S ^′)and c ^′← S w i t c h C(c, M ^′). Then we have that D e c(S ^′,c ^′) = D e c(S,c) = x given that \(|\mathbf {Sc} -w \mathbf {x} \bmod {q}| + n \ell |E^{\prime }| \leq \frac {w}{2} \) .

Proof

We have

$$ \begin{array}{ll} \mathbf{S^{\prime}}\mathbf{c^{\prime}} &= \mathbf{S^{\prime}}\mathbf{M^{\prime}} \times Bin(\mathbf{c},\ell) \pmod{q}\\ &= (Dev(\mathbf{S},\ell) + \mathbf{E^{\prime}}) \times Bin(\mathbf{c},\ell) \pmod{q}\\ &= Dev(\mathbf{S},\ell)Bin(\mathbf{c},\ell) + \mathbf{E^{\prime}} \times Bin(\mathbf{c},\ell) \pmod{q}\\ &= \mathbf{Sc} + \mathbf{E^{\prime}} \times Bin(\mathbf{c},\ell) \pmod{q}\\ &= w\mathbf{x} + \mathbf{e_{1}} + \mathbf{E^{\prime}} \times Bin(\mathbf{c},\ell) \pmod{q}\\ &= w\mathbf{x} + \mathbf{e^{\prime}} \pmod{q} \end{array} $$

where S c = w x + e ₁ (mod q), e ^′ = e ₁ + E ^′× B i n(c, ℓ). We see that the noise has been increased.

In order to have D e c(S ^′,c ^′) = D e c(S,c), it is sufficient that \(|\mathbf {e_{1}}| + n \ell |\mathbf {E^{\prime }} | < \frac {w}{2}\) due to Lemma 2. □

Using the key-switching technique we can rephrase the key generation and the encryption algorithms as:

G e n() →{S,M}:

S = [I,T] M = S w i t c h S(I,S)

E n c(M, w,x) →c :

c = S w i t c h C(w x,M)

2.5 Operations on encrypted data

Three types of fundamental operations on integer vectors can be performed based on the encryption scheme from [20]: addition, linear transformation and weighted inner products. We assume that all the plaintext values are between zero and \(\lfloor \frac {q}{w} \rfloor \) in order to avoid integer overflows.

2.5.1 Addition

Let c ₁ and c ₂ be the two ciphertexts of the integer vectors x ₁ and x ₂, respectively. The addition operation x ₁ + x ₂ is straightforward if c ₁ and c ₂ have the same secret key S. In this situation we have that c ^′ = c ₁ + c ₂ (mod q) is the encryption of x ₁ + x ₂.

In the case c ₁ and c ₂ do not have the same key, we need to switch one secret key to the other.

To guarantee a valid decryption after an addition in the encrypted domain, we need to have \(\vert \mathbf {e_{1}} + \mathbf {e_{2}}\vert < \frac {w}{2}\).

2.5.2 Linear transformation

The linear transformation G x ₁ follows the observation that

$$\mathbf{GSc_{1}} = q\mathbf{Gk_{1}} + w\mathbf{Gx_{1}} + \mathbf{Ge_{1}} $$

So if |G| is much smaller than q, we can treat c ^′ = c ₁ as the ciphertext of G x ₁ with secret key G S and error G e ₁. Hence to perform the linear transformation we have to compute D e c(G S, c ^′) = G x.

The resulting noise after the transformation and the key-switching will be G e ₁ = G E × B i n(w x, ℓ). Hence, to ensure a valid operation we must have \(\vert \mathbf {GE} \times Bin(w\mathbf {x},\ell )\vert < \frac {w}{2}\).

2.5.3 Weighted inner products

Given two plaintexts, x ₁ and x ₂, encrypted as c ₁ and c ₂ with the keys S ₁ and S ₂ and a matrix H, we can compute the weighted inner products x ₁ ^T H x ₂.

Let

$$\mathbf{S^{\prime}} = vec(\mathbf{{S^{T}_{1}}\mathbf{H}\mathbf{S}_{2}})^{T}$$

be the new secret key, and let

$$\mathbf{c^{\prime}} = \left\lceil \frac{vec\mathbf{(c_{1}{c^{T}_{2}}})}{w} \pmod{q} \right\rfloor $$

be the new ciphertext. By decrypting c ^′ with the secret key S ^′, we compute the weighted inner products \({\mathbf {x}^{T}_{1}}\mathbf {H}\mathbf {x}_{2}\). The proof of this result is presented in [19 , 20].

Again, in order for the decryption to work, we need to ensure that the noise level after this operation in under the \(\frac {w}{2}\) threshold.

As presented in [20] these three operation combined allow to compute arbitrary polynomial on integers. Note that every operation will increase the resulting noise. Hence, only a limited number of operations can be chained.

3 Attacking the scheme

We present in this section three attacks on the encryption scheme from [20]. These attacks were implemented and tested to certify their validity.

3.1 Attack on broadcast encryption

We can notice that the encryption algorithm performs the multiplication between the public key M and the binary representation of the vector w x. We have that \(\mathbf {M} \in \mathbb {Z}_{q}^{n \times m \ell }\) and B i n(w x, ℓ) ∈{0,1}^mℓ. This means we have n equations in \(\mathbb {Z}_{q}\) and m ℓ unknowns, where n < m ℓ. If we have access to \(\lceil \frac {m\ell }{n} \rceil \) equations \(\mathbf {c^{\prime }_{i}} = \mathbf {M_{i}} \times Bin(w\mathbf {x},\ell )\) , where M _i and \(\mathbf {c^{\prime }_{i}}\) are different at each equation but the same B i n(w x, ℓ) is used, then we could solve the system of equations by Gaussian elimination and recover the value of x.

Let us assume we have a network of more than \(\lceil \frac {m\ell }{n} \rceil \) users where every user i has its own public key M _i . Now, let us assume that a user, e.g. Bob, wants to broadcast a secret information x to the users using the fixed parameters p, q, w. Hence, Bob will compute \(\mathbf {c^{\prime }_{i}} = \mathbf {M_{i}} \times Bin(w\mathbf {x},\ell )\) for all the users. By listening to the traffic, an adversary \(\mathcal {A}\) could obtain all the values \(\mathbf {c^{\prime }_{i}}\) broadcasted by Bob and he would have enough information to solve the system.

Indeed, the attacker \(\mathcal {A}\) could use all the gathered information to produce

$$\mathbf{\widetilde{M}} = \left( \begin{array}{c} \mathbf{M_{1}}\\ \mathbf{M_{2}} \\ {\vdots} \\ \mathbf{M_{z}} \end{array}\right) \in \mathbb{Z}^{zn \times m\ell}_{q} $$

and

$$\mathbf{\widetilde{c}} = \left( \begin{array}{c} \mathbf{c_{1}}\\ \mathbf{c_{2}} \\ {\vdots} \\ \mathbf{c_{z}} \end{array}\right) \in \mathbb{Z}^{m\ell}_{q} $$

where \(z> \lceil \frac {m\ell }{n} \rceil \).

Hence, the attacker could solve the system \(\mathbf {\widetilde {M}} \times Bin(w\mathbf {x},\ell )= \mathbf {\widetilde {c}}\) using a Gaussian elimination algorithm in \(\mathcal {O}((m\ell )^{3})\).¹

This attack can be seen as similar to the broadcast encryption in RSA with small keys [11]. The difference is that our attack should always work as \(\frac {m \ell }{n}\) should not be too large. Using the parameters proposed in the work of Zhou and Warnell [20], we obtain \(\frac {m \ell }{n} = \frac {2^{7} * 28}{2^{8}} = 14\) which is a small number of users that an adversary needs to spy on.

A valid scenario for this attack would be one where a service provider has to send an activation key to its customers. For our scenario, the activation key is the same for all the customers. In such case, when the service provider has to send the encrypted activation key to enough customers, an unauthorized user could recover the activation key.

3.2 Chosen ciphertext key recovery attack

In this attack we assume that the adversary has access to an oracle that decrypts a given ciphertext. His goal is to retrieve the secret key S.

We recall that the secret key is of the form \(\mathbf {S} = \left [\mathbf {I}, \mathbf {T} \right ] \in \mathbb {Z}^{m \times n}_{q}\), with \(\mathbf {I} \in \mathbb {Z}^{m \times m}\) the identity matrix and \(\mathbf {T} \in \mathbb {Z}^{m \times (n - m)}_{q}\) a random matrix. Let us define \(\mathbf {T} = \left (\begin {array}{cccc} t_{a1} & t_{a2} & {\dots } & t_{a(n-m)} \\ t_{b1} & t_{b2} & {\dots } & t_{b(n-m)} \\ {\vdots } & {\vdots } & {\vdots } & {\vdots } \\ t_{m1} & t_{m2} & {\dots } & t_{m(n-m)} \end {array}\right )\). An attacker could construct n − m ciphertexts c _i , with i ∈ [1,n − m] and where c _i is a vector of size n that contains zeros except a value w at the (m + i)^th position.

With these special c _i we have that \(\mathbf {S}\mathbf {c_{i}} = \left (\begin {array}{c} wt_{ai} \\ wt_{bi} \\ {\vdots } \\ wt_{mi} \end {array}\right )\).

The attacker could ask for decryption of every c _i which would result in

$$Dec(\mathbf{S},w,\mathbf{c_{i}}) = \mathbf{x_{i}} = \left( \begin{array}{c} x_{i1} \\ x_{i2} \\ {\vdots} \\ x_{im} \end{array}\right) = \left( \begin{array}{c} \lceil\frac{wt_{ai}}{w}\rfloor \\ \lceil\frac{wt_{bi}}{w}\rfloor \\ {\vdots} \\ \lceil\frac{wt_{mi}}{w}\rfloor \end{array}\right) $$

The second equality holds if w|T| < q. As described in [20] the matrix T is chosen such that |T|≪ w and that w < q. Thus, with a high probability we have that w|T| < q. The decryption algorithm will output the vector

$$\mathbf{x_{i}} = \left( \begin{array}{c} \lceil\frac{wt_{ai}}{w}\rfloor \\ \lceil\frac{wt_{bi}}{w}\rfloor \\ {\vdots} \\ \lceil\frac{wt_{mi}}{w}\rfloor \end{array}\right) = \left( \begin{array}{c} t_{ai} \\ t_{bi} \\ {\vdots} \\ t_{mi} \end{array}\right) $$

Hence, by asking for the decryption of the n − m c _i ciphertexts, we can recover the T matrix, hence the entire secret key S. The attack has a complexity of (m − n) requests to the decryption oracle. With the parameters proposed in the original work [20] this means 2⁷ requests. With a small complexity and by observing some special properties of the scheme, the attacker is able to recover the secret key. Even though this setting looks less practical than the broadcast attack, this attack is important and shows that the scheme by Zhou and Wornell [20] does not provide the security we would want to have.

We stress that our attack is a key recovery attack. Chosen ciphertext decryption attacks are trivial and unavoidable for homomorphic schemes. But key recovery attacks are devastating and should not be possible.

3.3 Chosen related plaintext attack

In order to describe the following attack, we first introduce the notions we need.

Definition 1

Given two integers a and b, we define

$$\mathsf{carry}(a,b) = (a+b) \oplus a \oplus b$$

where ⊕ denotes the bitwise exclusive OR.

We similarly define c a r r y(a, b) for integer vectors component-wise.

Lemma 4

Given two integers a and b, where their binary decomposition is a = a ₀ + a ₁ ∗ 2 + … + a _n 2ⁿ and b = b ₀ + b ₁ ∗ 2 + … + b _n 2ⁿ , we have

$$(a+b)_{i} = a_{i} + b_{i} + \mathsf{carry}(a,b)_{i} - 2 \cdot \mathsf{carry}(a,b)_{i+1}.$$

Proof

The binary addition is defined as follows:

So, by induction we have c _i = c a r r y(a, b) _i at each iteration. □

Lemma 5

Given two integer vectors x and y , we have

$$Bin(\mathbf{x}+\mathbf{y},\ell) = Bin(\mathbf{x},\ell) + Bin(\mathbf{y},\ell) + (I-2J) \cdot Bin(\mathsf{carry}(\mathbf{x},\mathbf{y}),\ell),$$

where |x|,|y| < 2^ℓ, I isthe identity matrix and J is the block diagonal matrix having blocks with a diagonal of1 just over the main diagonal, i.e.

$$\left( \begin{array}{ccccc} 0 & 1 & {\cdots} & 0 & 0 \\ 0 & 0 & 1 & {\cdots} & 0 \\ {\vdots} & {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ 0 & {\cdots} & 0 & 0 & 1\\ 0 & {\cdots} & 0 & 0& 0 \end{array}\right)$$

Theorem 2

Given two integer vectors x and y , we have

$$Enc(\mathbf{x}+\mathbf{y}) = Enc(\mathbf{x}) + Enc(\mathbf{y}) + M (I - 2J) Bin(\mathsf{carry}(w\mathbf{x},w\mathbf{y}),\ell),$$

whereM is the public key and I and J are defined in Lemma 5.

We recall that the encryption scheme from [20] is homomorphic for the addition. This means that we expect to have E n c(x + y) = E n c(x) + E n c(y). But, since the ciphertext space is larger than the plaintext one, several ciphertexts map to the same plaintext. We have that M(I − 2J)B i n(c a r r y(w x, w y),ℓ) is an encryption of the zero vector. Thus the relation from above is valid and it can be translated to E n c(x + y) = E n c(x) + E n c(y) + E n c(0).

In the attack we propose, we assume there is a secret x and that the adversary can obtain E n c(x + y) for many chosen y values. The purpose is to recover x. Interestingly, the adversary will take advantage in getting the encryption of x + y which is not E n c(x) + E n c(y). In clear, we will see that the y → M(I − 2J)B i n(c a r r y(w x, w y),ℓ) function leaks.

In the scheme we analyse here, the parameter w is not so large. So, its Hamming weight is small. Let us denote it by ν = H W(w). For example, in [20] we have w = 2²⁰, so ν = 1. We assume that w is an odd multiple of 2^λ of weight ν.

First, we precompute the list \(\mathcal {L}_{i}\) of all possible c = c a r r y(u, w2ⁱ), for every possible i. We note that the size of \(\mathcal {L}_{i}\) is bounded by ℓ ^ν.

For each i and j, we set t _{i, j} = [0,…,0,2ⁱ,0,…,0] (where 2ⁱ is at position j). Then, we insert c in the list T _{i, j} [M(I − 2J)B i n(c t _0,j , ℓ)] = c for all \(c\in \mathcal {L}_{i}\). We obtain many tables T _{i, j} .

Having E n c(x), E n c(t _{i, j} ) and E n c(x + t _{i, j} ) and the hash tables T _{i, j} , we can obtain the value

$$\gamma_{i,j}=M(I-2J)Bin(\mathsf{carry}(w \mathbf{x},w\mathbf{t_{i,j}}),\ell). $$

If all the elements of T _{i, j} [γ _{i, j} ] end with λ + i + 2 zero bits, we deduce that the (λ + i + 1)th least significant bit of w x _j is zero. If all elements of T _{i, j} [γ _{i, j} ] end with a bit 1 followed by λ + i + 1 zero bits, we deduce that the (λ + i + 1)th least significant bit of w x _j is one. In other cases, we cannot conclude, but these cases are unlikely to occur.

Note that the λ first least significant bits of w x _j are all zero.

By repeating this for all i and j, we recover the bits of w x and thus recover the secret x.

The complexity of this attack consists in computing the carry for the lists \(\mathcal {L}_{i}\) and filling in the hash tables T _{i, j} . The size of the \(\mathcal {L}_{i}\) is bounded by ℓ ^ν. Thus, we need to compute at most log 2(p)ℓ ^ν carries. Once we have these values we can construct the hash tables. We have m log 2(p) tables and each table has at most ℓ ^ν elements. For each element in the table we need to compute the value M(I − 2J)B i n(c t _0,j , ℓ). Given the special structure of I − 2J, we perform \(\mathcal {O}(n m \ell )\) operations in \(\mathbb {Z}_{q}\). For all tables we perform \(\mathcal {O}(n m^{2} \ell ^{\nu +1} \log _{2}(p))\) operations in \(\mathbb {Z}_{q}\). In order to recover one bit of one element from x we request one encryption and compare the result with the hash tables. This means that we need to request m log 2(p) encryptions. With the proposed parameters this means \(\mathcal {O}(2^{35})\) operations in \(\mathbb {Z}_{2^{50}}\) and 2¹⁰ accesses to the oracle.

This attack can easily be improved to reduce the number of chosen related plaintexts and the complexity.

Even tough the concrete impact of this attack is unknown, so far, it clearly shows that an encryption oracle leaks much more than expected.

Implementation

To experiment with the encryption scheme and to test these three attacks, we developed an implementation of the scheme in Matlab. The implementation offers all the high level functions described in Section 2 such as G e n(), D e v(S, ℓ), E n c(M, w, x), etc., which enables an easy use of the encryption scheme. We implemented the three attacks. For the chosen ciphertext attack we tested the attack with several parameters, including those provided in [20]. Our tests certify that we can recover the secret key. We ran tests for the third attack and we were able to recover the unknown plaintext.

4 Conclusion

In this article we have formalized and analysed the scheme from [20]. The analysis of the homomorphic encryption scheme showed some weaknesses which resulted into three attacks. The attacks rely on realistic scenarios and enable an attacker to retrieve sensitive information such as the plaintext or the secret key.

We have shown, in particular, that chosen ciphertext attacks are devastating (as they reveal the secret key) and that encryption leaks more than expected.