#### Abstract

Homomorphic encryption is widely used in big data and cloud computing scenarios to support calculations on ciphertexts without leaking plaintexts. Recently, Li et al. designed a symmetric homomorphic encryption scheme for outsourced databases. Wang et al. proposed a successful key-recovery attack on this scheme, but it requires the adversary to know some plaintext/ciphertext pairs. In this paper, we propose a new ciphertext-only attack on the symmetric fully homomorphic encryption scheme. Our attack improves on the previous attack of Wang et al. by eliminating the assumption of known plaintext/ciphertext pairs. We show that the secret key of the user can be recovered by running lattice reduction algorithms twice. Experiments show that the attack successfully and efficiently recovers the secret key of randomly generated instances with overwhelming probability.

#### 1. Introduction

With the rapid development of big data, privacy and security issues have become highly significant. A series of cryptographic applications, such as fair electronic transaction [1], outsourcing data classification [2], lightweight security system of Internet of Things [3], mobile e-commerce [4], and data mining based on homomorphic encryption, have been proposed.

Homomorphic encryption schemes allow users to perform meaningful calculations on ciphertexts without knowing the underlying plaintexts. For example, the RSA cryptosystem [5] (Paillier cryptosystem [6], respectively) only supports homomorphic multiplications (additions, respectively) on ciphertexts. In 2009, Gentry [7] designed the first fully homomorphic encryption scheme with ideal lattices. Thereafter, significant efforts have been made to improve the efficiency of homomorphic encryption schemes [8–10]. However, all the known fully homomorphic encryption schemes are criticized for their high ciphertext expansion and ciphertext refreshing costs and hence cannot be directly used in practice. Researchers have therefore designed cryptographic schemes with homomorphic properties dedicated to concrete computing scenarios [11–15].

Recently, Li et al. [16] designed a symmetric homomorphic encryption scheme for outsourced databases that allows multiple data owners to efficiently share their data securely without compromising the privacy of the data. However, Wang et al. [17] observed that if some plaintext/ciphertext pairs were successfully eavesdropped, one can efficiently recover the corresponding secret key of the scheme from the obtained plaintext/ciphertext pairs.

In practical scenarios, it may be difficult for the adversary to capture plaintext/ciphertext pairs. In this paper, we propose a new efficient cryptanalytic attack on Li et al.’s homomorphic encryption scheme. The attack consists of two stages. In the first stage, we separate the parts of the ciphertexts, which contain no secret key . In the second stage, we separate the parts of the ciphertexts, which contain neither secret key nor . Thus and can be calculated during an acceptable time. The whole attack needs only several ciphertexts without corresponding plaintexts.

This paper is organised as follows. In Section 2, we review Li et al.’s symmetric homomorphic encryption scheme and introduce the concept of lattice. In Section 3, we propose our attack and give the experimental results. In Section 4, we conclude our work.

#### 2. Preliminaries

##### 2.1. Notations

In this paper, the symbol is used to denote the ring of integers. Matrices are represented with bold upper-case characters like , while vectors are represented with bold lower-case characters like . All of the vectors in this paper are represented as row vectors. The symbol means the length of vector under the Euclidean norm, while the symbol means the bit length of integer .

The symbol means “much less than”, *i.e.*, if , the ratio is a negligible function of the security parameter . In mathematics, a negligible function means that for any polynomial function , there exists an integer such that for any ,

##### 2.2. Symmetric Homomorphic Encryption

The symmetric homomorphic encryption scheme proposed by Li et al. comprises these three algorithms as follows:

(i) *Key generation algorithm*: Input a security parameter , this algorithm outputs a secret key and a public parameter , where .

(ii) *Encryption algorithm*: Input a secret key , a plaintext and a parameter , this algorithm outputs a ciphertext . Notice that the parameter should satisfy .

(iii) *Decryption algorithm*: Input a secret key , a ciphertext and the ciphertext’s degree , this algorithm outputs a ciphertext . The proof of the correctness is simple: Notice that the correctness of requires and .

The symmetric homomorphic encryption scheme proposed by Li et al. supports homomorphic addition and multiplication and is used to construct their secure outsourced comparison scheme and privacy-preserving mining solutions. Though our attack needs no homomorphic properties, we still list a brief proof, for the reason that it implies the setting of parameters.

(i) *Homomorphic addition*: For the ciphertext of two plaintexts , we have The correct decryption of requires and .

(ii) *Homomorphic multiplication*: For the ciphertext of two plaintexts , we have The correct decryption of requires .

##### 2.3. Lattice

An -dimension lattice can be regarded as a set of all integer coefficient linear combinations of basis vectors , that is . If , we call that is a full-rank lattice.

One of the most famous problems involving lattices is the shortest vector problem (SVP). Given a basis of a lattice, the goal is to find one non-zero vector, which has the shortest length . Approximation algorithms such as LLL and BKZ are usually used as oracles for solving SVP. The LLL algorithm was developed by A. K. Lenstra, H. W. Lenstra, Jr. and L. Lovász [18] in 1982. Given a basis of a lattice, the LLL algorithm outputs a reduced basis, which has a smaller size by Gram-Schmidt orthogonalization. It has various applications in cryptanalysis and other fields, such as integer programming and finding integer relations.

#### 3. The Proposed Attack

##### 3.1. Main Idea

Define as , and as . Our attack has two stages. In the first stage, we construct a lattice with ’s and run the LLL algorithm to obtain a short vector, which contains ’s. In the second stage, we construct a lattice with ’s and run the LLL algorithm again to obtain a short vector which contains ’s. It is obvious that the secret key can be computed as and . Notice that there is no need for the plaintexts ’s in the attack.

##### 3.2. Details

In this part, we give a specification of the attack in Algorithm 1. The input of the attack algorithm contains a set of ciphertexts and the modulus of the encryption scheme without plaintexts ’s. The output of the attack algorithm contains and which can be used to decrypt ciphertexts.

Input: ciphertexts

Output: private key

for to do

end for

Set with ’s

for to do

end for

Set with ’s

for to do

end for

Compute

Compute

return

In the first stage, the lattice is constructed as Thus a short vector could be expressed as

Using the LLL algorithm, we could obtain a short vector .

*Claim 1.* Parameters are close to , while is close to , where means the ’th entry of the output vector .

*Sketch of Proof*. Suppose that , then we have . Because , . Hence, values of are close to those of . Because is small, we can obtain that . Hence, values of are close to those of . Since and are both close to , we obtain that values of are close to . With a non-negligible probability, equal , and is equal to .

As is close to , we have or . Considering , we believe that , thus . Similarly, as is small, we have or , i.e. , thus .

In the second stage, the lattice is constructed as Thus a short vector could be expressed as

Using the LLL algorithm, we could obtain a short vector .

*Claim 2.* Parameters are close to , where means the ’th entry of the output vector .

*Sketch of Proof*. Considering , we have . Hence, values of are close to those of .

Because is small, we can obtain that . Hence, values of are close to those of . Since and are both close to , we obtain that values of are close to . With a non-negligible probability, equal , and is equal to .

Likewise, we have and .

Since we have recovered all the ’s and ’s, the secret key could be simply computed as and . Parameters and are used to compute in the algorithm.

##### 3.3. Experiments

We ran our proposed cryptanalytic algorithm on a personal computer using the NTL library [19]. The environment is listed as follows:

(i) CPU: Intel(R) Core (TM) i3-7100 3.90GHz

(ii) RAM: 4.00GB

(iii) OS: Windows 10 64bit

Notice that the output of the attack algorithm is . In [16], the parameter is called *ciphertext degree* and is believed to be a small positive integer. It means that we could collect enough *-degree ciphertexts* we need, and it is not difficult to recover from . For the *-degree ciphertexts*, the encryption and decryption algorithms only require rather than . Thus, it is sufficient to break the scheme if we can recover . For convenience, we suppose the parameter in the encryption algorithm. When , our algorithm still works correctly.

The results are given in Table 1. As a result of the approximation, the chance of success is relevant to , , and . The best situation is when and . To make it easier to understand our proposed attack, we give an example to illustrate the procedure of the algorithm in Table 2. The parameters are set as , , , and .

Firstly, we compute all the ’s with the input ciphertexts . Secondly, we use the LLL algorithm to obtain a short vector for solving all ’s. Thirdly, we use the LLL algorithm again to obtain a short vector for solving all ’s. Finally, we compute the secret key with ’s and ’s.

In practice, the first row (, respectively) of the reduced basis of (, respectively) is a row vector with a short norm; thus we regard it as the short vector (, respectively) we need.

The chance of success depends on the bit lengths of , , and . In the first stage, requires . In the second stage, requires . Thus we need to hold . Besides, the recovery of from also limits the setting of parameters. Notice that , where . If , the result of is equal to . However, when , we cannot confirm that . In conclusion, the best situation is when and is slightly greater than .

##### 3.4. Complexity Analysis

We start with some simple conclusions about computational complexity.

(1) The computational complexity of modular inverse modulo is .

(2) The computational complexity of modular multiplication modulo is .

(3) The computational complexity of the LLL algorithm is [20], where is the dimension of the lattice, and is the maximum length of input basis under the Euclidean norm.

Combining (1) and (2), we can conclude that the computational complexity of calculating ’s, ’s, , and is . In our attack, and . We can obtain the computational complexity of the LLL algorithm Because , we can obtain , thus .

In practice, the computational complexity of our attack is mainly dependent on that of the LLL algorithm. For example, suppose that we can obtain . If we set , then . It means that is a -bit-length prime, while the bit length of the prime we usually use is or .

In summary, the computational complexity of our attack algorithm is . Obviously, it is worse than the complexity of Wang et al.’s attack [17]; however, our attack eliminates the assumption of known plaintext/ciphertext pairs.

##### 3.5. Discussions

Notice that in the attack algorithm, the output of the LLL algorithm is a vector, such as and , rather than a reduced basis. We regard the first row vector of an LLL-reduced basis as the goal short vector. We explain the reason below.

An -LLL-reduced has two important properties:(1),(2),

where is the Gram-Schmidt orthogonalization of , and the coefficient .

From these two properties, we can conclude that where is the length of the shortest non-zero vector in . Please refer to [21] for more detailed introduction and proof.
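The reduction step that both stages rely on can be reproduced on a toy basis. The following is an added example, not the authors' NTL code and not part of the original paper: a textbook LLL in exact rational arithmetic that checks the two standard reduced-basis properties (size reduction and the Lovász condition) and takes the first row as the short vector. The 3-dimensional basis `SAMPLE`, the helper names, and the customary value δ = 3/4 are assumptions made for illustration; no part of the encryption scheme is modelled.

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt: returns the orthogonal vectors B* and coefficients mu."""
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lovasz_ok(Bs, mu, k, delta):
    """delta*|b*_{k-1}|^2 <= |b*_k|^2 + mu_{k,k-1}^2 * |b*_{k-1}|^2"""
    prev = dot(Bs[k - 1], Bs[k - 1])
    return delta * prev <= dot(Bs[k], Bs[k]) + mu[k][k - 1] ** 2 * prev

def lll(B, delta=Fraction(3, 4)):   # delta = 3/4 is the customary choice (assumption)
    """Textbook LLL on integer row vectors; returns a delta-LLL-reduced basis."""
    B, k = [list(b) for b in B], 1
    while k < len(B):
        for j in range(k - 1, -1, -1):            # size-reduce row k against row j
            q = round(gram_schmidt(B)[1][k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
        Bs, mu = gram_schmidt(B)
        if lovasz_ok(Bs, mu, k, delta):
            k += 1
        else:                                     # swap and step back
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def is_lll_reduced(B, delta=Fraction(3, 4)):
    """True when B is size-reduced (|mu_ij| <= 1/2) and meets the Lovasz condition."""
    Bs, mu = gram_schmidt(B)
    n = len(B)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    return size_ok and all(lovasz_ok(Bs, mu, k, delta) for k in range(1, n))

SAMPLE = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]       # constructed basis, rows are vectors
REDUCED = lll(SAMPLE)
SHORT = REDUCED[0]                                # first row taken as the short vector

if __name__ == "__main__":
    print(REDUCED, is_lll_reduced(REDUCED), SHORT)
```

Recomputing the Gram-Schmidt data on every step keeps the code short; it is only suitable for small dimensions like this one.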

The efficiency of our attack algorithm is mainly subject to the parameter . Smaller implies a greater chance of success for the reason that ’s and ’s can be recovered from the LLL algorithm more easily while the runtime of the LLL algorithm rises rapidly. In our experiment, we recommend that should be set as 20 considering both the chance of success and the runtime. In addition, the chance of success is also limited by sizes of , , and .

Table 3 gives a comparison of Wang et al.’s attack and ours. Although the bit lengths of the parameters and are close but different, the average time of Wang et al.’s is much less than ours. However, the improved attack algorithm eliminates the assumption of known plaintext/ciphertext pairs, thus a ciphertext-only adversary can break the encryption scheme through this way.

#### 4. Conclusion

In this paper, we propose a new attack algorithm on the symmetric homomorphic encryption scheme presented by Li et al. Our attack can recover the secret key pair from several ciphertexts without plaintexts. In our experiment, the attack can be finished during an acceptable period of time, recovering most of the secret keys in the generated instances. For the cases , the key-recovery cryptanalytic algorithm only takes about 29 seconds. Although the running time and the chance of success depend on the sizes of parameters, the attack algorithm can still be used in real practice to recover secret key pairs.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work is supported by the National Key R&D Program of China under Grant No. 2017YFB0802000, the National Natural Science Foundation of China under Grant Nos. 61572390, U1736111, the National Cryptography Development Fund under Grant No. MMJJ20180111, the Plan For Scientific Innovation Talent of Henan Province under Grant No. 184100510012, the Program for Science & Technology Innovation Talents in Universities of Henan Province under Grant No. 18HASTIT022, and the Innovation Scientists and Technicians Troop Construction Projects of Henan Province, Science & technology planning project in Henan Province (182102210124).