Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attack on Fully Homomorphic Encryption over Principal Ideal Lattice

Published byJared Franklin Modified over 6 years ago

Similar presentations

Presentation on theme: "Attack on Fully Homomorphic Encryption over Principal Ideal Lattice"— Presentation transcript:

1 Attack on Fully Homomorphic Encryption over Principal Ideal Lattice
1 (1.02) 1 ( ) 2 1 ( ) Gu Chun-sheng1,2 Gu Ji-xing3 b   L   L 1 School of Computer Engineering, Jiangsu Teachers University of Technology, China Changzhou 2 School of Computer Science and Technology, University of Science and Technology of China, China Hefei 3 Institute of Image Communication & Information Processing, Shanghai Jiaotong University, China Shanghai Abstract. For the fully homomorphic encryption schemes in [3, 6], this paper presents attacks to solve an equivalent secret key and directly recover plaintext from ciphertext for lattice dimensions n=2048 by using lattice reduction algorithm. Suppose the average-case behavior of LLL in [8] is true, then their schemes are also not secure for n=8192. Keywords: Fully Homomorphic Encryption, Cryptanalysis, Principal Ideal Lattice, Lattice Reduction 1 Introduction n Rivest, Adleman and Dertouzos [1] first presented the concept of homomorphic encryption, which has many applications in cryptography. But until 2009, Gentry [2] constructed the first fully homomorphic encryptions based on ideal lattice, all previous schemes are insecure. After the scheme of [2], Smart and Vercauteren [3] presented an optimizating FHE with smaller ciphertext and key by using principal ideal lattice. Dijk, Gentry, Halevi, and Vaikuntanathan [4] proposed a simple fully homomorphic encryption scheme over the integers, whose security depends on the hardness of solving approximate GCD over the integers. Stehle and Steinfeld [5] improved Gentry's fully homomorphic scheme and obtained to a faster fully homomorphic scheme. Similar to [3], Gentry and Halevi [6] implemented Gentry’s scheme by applying principal ideal lattice. The security of FHE’s in [3, 6] depends on the hardness assumption of finding small principal ideal lattice, given its HNF form or two elements form. This paper will present two lattice attacks for FHE’s in [3, 6]. 380 By using block lattice reduction algorithm [7], we solve an equivalent secret key for n=2048 of FHE’s in [3, 6]. Suppose the average case behavior of LLL [8], then the ratio is about , i.e. for n=8192, where 380 is the bit-size of the coefficients in the generator polynomial of [6]. So, our first result shows the FHE’s in [3, 6] are not secure for n=8192. 26

2 , then one can correctly recover the bit in a ciphertext.
2 Preliminaries w ( x )  C ( x )  p / 2 Let be security parameter, . Let be a ring of integer polynomials modulo , i.e., , where is an irreducible polynomial of degree over the integers. Let denote the polynomial ring over modulo . For , we denote by the infinity norm of , the coefficient vector of , the polynomial of ’s coefficients modulo 2. Theorem 2.1 (Theorem 2.6 [10]) Every block -reduced basis of lattice satisfies , where is another lattice constant using in Schnorr’s algorithm analysis. Theorem 2.2 (Theorem 2, 3 [7]) For all , Schnorr’s constant satisfies: . Asymptotically it satisfies . In particular, (3 k  1)/4 n /(2 k )  1   12 k k  (4 / 3)   2 for all . Theorem 2.3 ([8]). Suppose the average case behavior of LLL is true, then the first vector of LLL is satisfied to on the average for lattice . 3 Attack on Smart-Vercauteren’s FHE Theorem 3.1. Given a principal ideal in either two element or HNF representation, there is a polynomial time algorithm which finds over such that . Proof. Since is a root of over modulo , so . It is easy to verify . Assume . One constructs the following lattice . g 0  - 1 p g 1 g 0 - g 2 g n - 2 g n - 3 1  g n-2 . M  - g 1  0  0 p - 1 g0 0  p  To reduce lattice , one calls the lattice reduction algorithm in [7,10]. By Theorem 2.1, 2.2, one gets such that . Recall that since .■ When , and , . Hence, if , then one can correctly recover the bit in a ciphertext. 27

3 4 Attack on Gentry-Halevi’s FHE
By the decryption algorithm in [6], a ciphertext vector is . Hence, . On the other hand, we have , where is fractional part, and with small vectors and . So, . That is, for any decryptable ciphertext . We apply the same method in Section 3, which finds a small multiple of the secret key . When all the entries of are less than , we may recover the message bit in a ciphertext as follows: if , otherwise . Thus, we finds over with by Theorem 3.1. When , and , we can recover the message bit in a ciphertext by the above method. Furthermore, we can also recover the message bit in a ciphertext for , by Theorem 2.3. Reference R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages , 1978. C. Gentry. Fully homomorphic encryption using ideal lattices. STOC 2009, pages N. P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. PKC 2010, LNCS 6056, pages M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. Eurocrypt 2010, LNCS 6110, pages D. Stehle and R. Steinfeld. Faster Fully Homomorphic Encryption. Asiacrypt 2010, LNCS 6477, pages C. Gentry and Shai Halevi. Implementing Gentry’s fully-homomorphic encryption scheme. EUROCRYPT 2011, LNCS 6632, pages N. Gama, N. Howgrave-Graham, H. Koy, and P. Q. Nguyen. Rankin’s constant and blockwise lattice reduction. CRYPTO 2006, pages 112–130. P. Q. Nguyen and D. Stehle, LLL on the average. ANTS VII, 2006, LNCS 4076, pages H. W. Lenstra Jr., A.K. Lenstra and L. Lov´asz, Factoring polynomials with rational coefficients, Mathematische Annalen 261, pages , 1982. C. P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, 53, pages , 1987. Miklos Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. STOC 2001, pages 28

Download ppt "Attack on Fully Homomorphic Encryption over Principal Ideal Lattice"

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou

Agrawal-Kayal-Saxena Presented by: Xiaosi Zhou
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
7. Asymmetric encryption-

7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.

1 NTRU: A Ring-Based Public Key Cryptosystem Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman LNCS 1423, 1998.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)

Cryptanalysis of the Revised NTRU Signature Scheme (NSS) Craig Gentry (DoCoMo) Mike Szydlo (RSA)
Polynomial Factorization Olga Sergeeva Ferien-Akademie 2004, September 19 – October 1.

Polynomial Factorization Olga Sergeeva Ferien-Akademie 2004, September 19 – October 1.
Homomorphic Encryption: WHAT, WHY, and HOW

Homomorphic Encryption: WHAT, WHY, and HOW
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
10.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Symmetric-Key Cryptography.

10.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Symmetric-Key Cryptography.

Similar presentations

Ads by Google