Special Issue: Privacy and Security of Information Processing in Industrial Big Data and Internet of Things

Research Article | Open Access

Volume 2019 |Article ID 8319508 | https://doi.org/10.1155/2019/8319508

Quanbo Qu, Baocang Wang, Yuan Ping, Zhili Zhang, "Improved Cryptanalysis of a Fully Homomorphic Symmetric Encryption Scheme", Security and Communication Networks, vol. 2019, Article ID 8319508, 6 pages, 2019. https://doi.org/10.1155/2019/8319508

Improved Cryptanalysis of a Fully Homomorphic Symmetric Encryption Scheme

Guest Editor: Mingwu Zhang
Received: 05 Mar 2019
Accepted: 22 Apr 2019
Published: 02 Jun 2019

Abstract

Homomorphic encryption is widely used in big data and cloud computing scenarios to support calculations on ciphertexts without leaking the plaintexts. Recently, Li et al. designed a symmetric homomorphic encryption scheme for outsourced databases. Wang et al. proposed a successful key-recovery attack on this homomorphic encryption scheme, but their attack requires the adversary to know some plaintext/ciphertext pairs. In this paper, we propose a new ciphertext-only attack on the symmetric fully homomorphic encryption scheme. Our attack improves on Wang et al.’s previous attack by eliminating the assumption of known plaintext/ciphertext pairs. We show that the user’s secret key can be recovered by running a lattice reduction algorithm twice. Experiments show that the attack recovers the secret key of randomly generated instances efficiently and with overwhelming probability.

1. Introduction

With the rapid development of big data, privacy and security issues have received considerable attention. A series of cryptographic applications, such as fair electronic transactions [1], outsourced data classification [2], lightweight security systems for the Internet of Things [3], mobile E-commerce [4], and data mining based on homomorphic encryption, have been proposed.

Homomorphic encryption schemes allow users to perform meaningful calculations on ciphertexts without knowing the underlying plaintexts. For example, the RSA cryptosystem [5] (the Paillier cryptosystem [6], respectively) supports only homomorphic multiplication (addition, respectively) on ciphertexts. In 2009, Gentry [7] designed the first fully homomorphic encryption scheme using ideal lattices. Since then, significant effort has gone into improving the efficiency of homomorphic encryption schemes [8–10]. However, all known fully homomorphic encryption schemes suffer from high ciphertext expansion and high ciphertext refreshing costs and hence cannot be used directly in practice. Researchers have therefore designed cryptographic schemes with homomorphic properties dedicated to concrete computing scenarios [11–15].

Recently, Li et al. [16] designed a symmetric homomorphic encryption scheme for outsourced databases that allows multiple data owners to share their data efficiently and securely without compromising the privacy of the data. However, Wang et al. [17] observed that if some plaintext/ciphertext pairs were successfully eavesdropped, one can efficiently recover the corresponding secret key of the scheme from the obtained plaintext/ciphertext pairs.

In practical scenarios, it may be difficult for the adversary to capture plaintext/ciphertext pairs. In this paper, we propose a new efficient cryptanalytic attack on Li et al.’s homomorphic encryption scheme. The attack consists of two stages. In the first stage, we separate the parts of the ciphertexts which contain no secret key . In the second stage, we separate the parts of the ciphertexts which contain neither secret key nor . Thus and can be calculated within an acceptable time. The whole attack needs only several ciphertexts, without the corresponding plaintexts.

This paper is organised as follows. In Section 2, we review Li et al.’s symmetric homomorphic encryption scheme and introduce the concept of lattice. In Section 3, we propose our attack and give the experimental results. In Section 4, we conclude our work.

2. Preliminaries

2.1. Notations

In this paper, the symbol is used to denote the ring of integers. Matrices are represented by bold upper-case characters like , while vectors are represented by bold lower-case characters like . All vectors in this paper are row vectors. The symbol denotes the length of vector under the Euclidean norm, while the symbol denotes the bit length of integer .

The symbol means “much less than”, i.e. if , the ratio is a negligible function of the security parameter . In mathematics, a negligible function means that for any polynomial function , there exists an integer such that for any ,

2.2. Symmetric Homomorphic Encryption

The symmetric homomorphic encryption scheme proposed by Li et al. comprises the following three algorithms:
(i) Key generation algorithm: on input a security parameter , this algorithm outputs a secret key and a public parameter , where .
(ii) Encryption algorithm: on input a secret key , a plaintext and a parameter , this algorithm outputs a ciphertext . Notice that the parameter should satisfy .
(iii) Decryption algorithm: on input a secret key , a ciphertext and the ciphertext’s degree , this algorithm outputs a plaintext . The proof of correctness is simple:
Notice that the correctness of requires and .

The symmetric homomorphic encryption scheme proposed by Li et al. supports homomorphic addition and multiplication and is used to construct their secure outsourced comparison scheme and privacy-preserving mining solutions. Although our attack does not use the homomorphic properties, we still give a brief proof of them, because they determine the parameter settings.
(i) Homomorphic addition: for the ciphertexts of two plaintexts , we have
The correct decryption of requires and .
(ii) Homomorphic multiplication: for the ciphertexts of two plaintexts , we have
The correct decryption of requires .

2.3. Lattice

An -dimensional lattice can be regarded as the set of all integer-coefficient linear combinations of the basis vectors , that is, . If , we say that is a full-rank lattice.

One of the most famous problems involving lattices is the shortest vector problem (SVP). Given a basis of a lattice, the goal is to find a non-zero lattice vector of shortest length . Approximation algorithms such as LLL and BKZ are commonly used as SVP oracles. The LLL algorithm was developed by A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász [18] in 1982. Given a basis of a lattice, the LLL algorithm outputs a reduced basis of shorter, nearly orthogonal vectors, using Gram-Schmidt orthogonalization as its main tool. It has various applications in cryptanalysis and in other fields, such as integer programming and finding integer relations.

3. The Proposed Attack

3.1. Main Idea

Define as , and as . Our attack has two stages. In the first stage, we construct a lattice from the ’s and run the LLL algorithm to obtain a short vector which contains the ’s. In the second stage, we construct a lattice from the ’s and run the LLL algorithm again to obtain a short vector which contains the ’s. The secret key can then be computed as and . Notice that the plaintexts ’s are not needed in the attack.

3.2. Details

In this part, we give a specification of the attack in Algorithm 1. The input of the attack algorithm consists of a set of ciphertexts and the modulus of the encryption scheme, without the plaintexts ’s. The output of the attack algorithm consists of and , which can be used to decrypt ciphertexts.

Algorithm 1: The proposed attack
Input:   ciphertexts
Output:  private key
for    to    do
  
end for
 Set with ’s
for    to    do
  
end for
 Set with ’s
for    to    do
  
end for
 Compute
 Compute
return  

In the first stage, the lattice is constructed as Thus a short vector could be expressed as

By running the LLL algorithm, we obtain a short vector .

Claim 1. Parameters are close to , while is close to , where means the ’th entry of the output vector .

Sketch of Proof. Suppose that , then we have . Because , . Hence, values of are close to those of . Because is small, we can obtain that . Hence, values of are close to those of . Since and are both close to , we obtain that values of are close to . With a non-negligible probability, equal , and is equal to .

As is close to , we have or . Considering , we believe that , thus . Similarly, as is small, we have or , i.e. , thus .

In the second stage, the lattice is constructed as Thus a short vector could be expressed as

By running the LLL algorithm, we obtain a short vector .

Claim 2. Parameters are close to , where means the ’th entry of the output vector .

Sketch of Proof. Considering , we have . Hence, values of are close to those of .

Because is small, we can obtain that . Hence, values of are close to those of . Since and are both close to , we obtain that values of are close to . With a non-negligible probability, equal , and is equal to .

Likewise, we have and .

Since we have recovered all the ’s and ’s, the secret key can simply be computed as and . The parameters and are used to compute in the algorithm.

3.3. Experiments

We ran our proposed cryptanalytic algorithm on a personal computer using the NTL library [19]. The environment is as follows:
(i) CPU: Intel(R) Core(TM) i3-7100 3.90GHz
(ii) RAM: 4.00GB
(iii) OS: Windows 10 64bit

Notice that the output of the attack algorithm is . In [16], the parameter is called the ciphertext degree and is assumed to be a small positive integer. This means that we can collect as many -degree ciphertexts as we need, and it is not difficult to recover from . For -degree ciphertexts, the encryption and decryption algorithms only require rather than . Thus, it is sufficient to break the scheme if we can recover . For convenience, we suppose the parameter in the encryption algorithm. When , our algorithm still works correctly.

The results are given in Table 1. Because of the approximation involved, the chance of success depends on , , and . The best situation is when and . To make our proposed attack easier to understand, we give an example illustrating the procedure of the algorithm in Table 2. The parameters are set as , , , and .


Table 1
Parameters | Instances | Successes | Average Time
256, 64, 64, 20 | 100 | 98 | 28.65s
256, 64, 64, 20 | 100 | 10 | 29.20s
256, 64, 96, 20 | 100 | 23 | 39.70s
256, 64, 48, 20 | 100 | 225.09s
256, 48, 48, 20 | 100 | 5120.56s


Table 2
The Encryption Scheme
KeyGen:
9667660090081161853810342777895287998619
4318084870939447026698628675235799451
17957200991146257161
5710889004555322387
1
47863226783593508
13683909070104700313
1403306518881428241485832704008411265962
802817946162878687
8614814073974658
15727429030749794270
1612872723066650760854493964947953343890
747803002904919536

The Cryptanalytic Algorithm
The First Stage:
-199463957636154746239994027808094961893
245724705516439382626385136850318784901
The Second Stage:
-233711443236476253781580056731358133
13683909070104700313
5710889004555322387
17957200991146257161

Firstly, we compute all the ’s from the input ciphertexts . Secondly, we use the LLL algorithm to obtain a short vector from which all the ’s are solved. Thirdly, we use the LLL algorithm again to obtain a short vector from which all the ’s are solved. Finally, we compute the secret key from the ’s and ’s.

In practice, the first row ( , respectively) of the reduced basis of ( , respectively) is a row vector with a short norm, so we take it as the short vector ( , respectively) that we need.

The chance of success depends on the bit lengths of , , and . In the first stage, requires . In the second stage, requires . Thus we need to hold. Besides, the recovery of from also limits the setting of the parameters. Notice that , where . If , the result of is equal to . However, when , we cannot confirm that . In conclusion, the best situation is when and is slightly greater than .

3.4. Complexity Analysis

We start with some simple conclusions about computational complexity.
(1) The computational complexity of modular inverse modulo is .
(2) The computational complexity of modular multiplication modulo is .
(3) The computational complexity of the LLL algorithm is [20], where is the dimension of the lattice and is the maximum length of the input basis vectors under the Euclidean norm.

Combining (1) and (2), we conclude that the computational complexity of calculating the ’s, ’s, , and is . In our attack, and . The computational complexity of the LLL algorithm is therefore
Because , we obtain , and thus .

In practice, the computational complexity of our attack is dominated by that of the LLL algorithm. For example, suppose that we can obtain . If we set , then . This means that is a -bit prime, while the primes usually used have bit length or .

In summary, the computational complexity of our attack algorithm is . This is worse than the complexity of Wang et al.’s attack [17]; however, our attack eliminates the assumption of known plaintext/ciphertext pairs.

3.5. Discussions

Notice that in the attack algorithm, the output of the LLL algorithm is taken to be a vector, such as and , rather than a reduced basis. We regard the first row vector of an LLL-reduced basis as the target short vector. We explain the reason below.

An -LLL-reduced has two important properties:
(1) ,
(2) ,

where is the Gram-Schmidt orthogonalization of , and the coefficient .

From these two properties, we can conclude that
where is the length of the shortest non-zero vector in . Please refer to [21] for a more detailed introduction and proof.

The efficiency of our attack algorithm mainly depends on the parameter . Smaller implies a greater chance of success, because the ’s and ’s can be recovered from the LLL output more easily, while the runtime of the LLL algorithm rises rapidly. Based on our experiments, we recommend setting to 20, considering both the chance of success and the runtime. In addition, the chance of success is also limited by the sizes of , , and .

Table 3 gives a comparison of Wang et al.’s attack and ours. Although the bit lengths of the parameters and are close (though not identical), the average time of Wang et al.’s attack is much less than ours. However, the improved attack algorithm eliminates the assumption of known plaintext/ciphertext pairs, so a ciphertext-only adversary can break the encryption scheme in this way.


Table 3
Attack | Parameters | Chance of Success | Average Time | Plaintexts Needed?
Attack in [17] | 241, 80, 40 | | 0.1292s | Yes
Our Attack | 256, 64, 64 | | 28.65s | No

4. Conclusion

In this paper, we propose a new attack algorithm on the symmetric homomorphic encryption scheme presented by Li et al. Our attack can recover the secret key pair from several ciphertexts without plaintexts. In our experiments, the attack finishes within an acceptable period of time and recovers the secret key in most of the generated instances. For the cases , the key-recovery cryptanalytic algorithm only takes about 29 seconds. Although the running time and the chance of success depend on the sizes of the parameters, the attack algorithm can still be used in practice to recover secret key pairs.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work is supported by the National Key R&D Program of China under Grant No. 2017YFB0802000, the National Natural Science Foundation of China under Grant Nos. 61572390 and U1736111, the National Cryptography Development Fund under Grant No. MMJJ20180111, the Plan for Scientific Innovation Talent of Henan Province under Grant No. 184100510012, the Program for Science & Technology Innovation Talents in Universities of Henan Province under Grant No. 18HASTIT022, the Innovation Scientists and Technicians Troop Construction Projects of Henan Province, and the Science & Technology Planning Project in Henan Province (182102210124).

References

  1. M. Zhang, Y. Zhang, Y. Jiang, and J. Shen, “Obfuscating EVES algorithm and its application in fair electronic transactions in public clouds,” IEEE Systems Journal, pp. 1–9, 2019.
  2. X. Li, Y. Zhu, J. Wang, Z. Liu, Y. Liu, and M. Zhang, “On the soundness and security of privacy-preserving SVM for outsourcing data classification,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 906–912, 2018.
  3. Z. Liu, X. Huang, Z. Hu, M. K. Khan, H. Seo, and L. Zhou, “On emerging family of elliptic curves to secure internet of things: ECC comes of age,” IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 3, pp. 237–248, 2017.
  4. M. Zhang, Y. Yao, Y. Jiang, B. Li, and C. Tang, “Accountable mobile E-commerce scheme in intelligent cloud system transactions,” Journal of Ambient Intelligence and Humanized Computing, vol. 9, no. 6, pp. 1889–1899, 2018.
  5. R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks and privacy homomorphisms,” Foundations of Secure Computation, pp. 169–179, 1978.
  6. P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Advances in Cryptology—EUROCRYPT ’99, J. Stern, Ed., vol. 1592, pp. 223–238, Springer, Berlin, Germany, 1999.
  7. C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC ’09), pp. 169–178, ACM, New York, NY, USA, 2009.
  8. Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS ’11), pp. 97–106, Palm Springs, Calif, USA, October 2011.
  9. Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-LWE and security for key dependent messages,” in Advances in Cryptology – CRYPTO 2011, R. Phillip, Ed., vol. 6841, pp. 505–524, Springer, Berlin, Germany, 2011.
  10. M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” in Advances in Cryptology—EUROCRYPT 2010, H. Gilbert, Ed., vol. 6110, pp. 24–43, Springer, Berlin, Germany, 2010.
  11. F. Armknecht and T. Strufe, “An efficient distributed privacy-preserving recommendation system,” in Proceedings of the 10th IFIP Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net 2011), pp. 65–70, Italy, June 2011.
  12. C. Bosch, A. Peter, P. Hartel, and W. Jonker, “SOFIR: Securely outsourced Forensic image recognition,” in Proceedings of the 2014 IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP 2014), pp. 2694–2698, Italy, May 2014.
  13. A. Jeckmans, A. Peter, and P. Hartel, “Efficient privacy-enhanced familiarity-based recommender system,” in Computer Security – ESORICS 2013, J. Crampton, S. Jajodia, and K. Mayes, Eds., vol. 8134 of Lecture Notes in Computer Science, pp. 400–417, Springer, Berlin, Heidelberg, 2013.
  14. M. Naehrig, L. Kristin, and V. Vaikuntanathan, “Can homomorphic encryption be practical?” in Proceedings of the ACM Cloud Computing Security Workshop (CCSW 2011), pp. 113–124, Chicago, IL, USA, October 2011.
  15. Z. Yang, S. Zhong, and R. N. Wright, “Privacy-preserving classification of customer data without loss of accuracy,” in Proceedings of the SDM, pp. 92–102, 2005.
  16. L. Li, R. Lu, K.-K. R. Choo, A. Datta, and J. Shao, “Privacy-preserving-outsourced association rule mining on vertically partitioned databases,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 8, pp. 1547–1861, 2016.
  17. B. Wang, Y. Zhan, and Z. Zhang, “Cryptanalysis of a symmetric fully homomorphic encryption scheme,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 6, pp. 1460–1467, 2018.
  18. A. K. Lenstra, H. W. Lenstra Jr., and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische Annalen, vol. 261, no. 4, pp. 515–534, 1982.
  19. V. Shoup, NTL: A Library for Doing Number Theory, vol. 01, 2003.
  20. Y. Park and J. Park, “Analysis of the upper bound on the complexity of LLL algorithm,” Journal of the Korean Society for Industrial and Applied Mathematics, vol. 20, no. 2, pp. 107–121, 2016.
  21. O. Regev, “Lattices in computer science,” lecture notes of a course given at Tel Aviv University, vol. 31, 2004.

Copyright © 2019 Quanbo Qu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
