Improved known plaintext attack on the Domingo-Ferrer homomorphic cryptosystem
A.V. Trepacheva <[email protected]> Southern Federal University, 105/42, Bolshaya Sadovaya st., Rostov-on-Don, 344006, Russia.
Abstract. This paper is devoted to known plaintext cryptanalysis of the homomorphic cryptosystem proposed by Domingo-Ferrer. In previous works it was shown that at least $d+1$ pairs (plaintext, ciphertext) are necessary to recover the secret key, where $d$ is the degree of the polynomials representing ciphertexts. Here we analyze the existing known plaintext attack and present a slightly modified attack on this cryptosystem that reduces the necessary number of pairs considerably: interception of only two pairs may be enough for successful key recovery with overwhelming probability. The running time of our attack depends polynomially on $d$ and logarithmically on the plaintext space size, as for the previous attack. We provide the results of computer experiments.
Key words: known plaintext cryptanalysis; homomorphic encryption; cloud computations.
1. Introduction
Homomorphic encryption (HE) is a cryptographic primitive with one property beyond ordinary encryption: HE allows computing over encrypted data. Let us explain what this means. We assume that the plaintext space $P$ and the ciphertext space $C$ are rings with operations $+_P, \cdot_P$ and $+_C, \cdot_C$ respectively, and let $E, D$ be the encryption and decryption functions of a cryptosystem $S$. The cryptosystem is homomorphic if for all $x, y \in P$ and $E(x), E(y) \in C$ the following properties hold:
$D(E(x) +_C E(y)) = x +_P y$, (1)
$D(E(x) \cdot_C E(y)) = x \cdot_P y$. (2)
So the result of a computation over ciphertexts is an encryption of the result of the same computation over the underlying plaintexts.
This work is supported by grant RFBR 15-07-00597-a.
Homomorphic cryptosystems (HC) are of key importance for protecting sensitive data in clouds: computationally weak clients may outsource computations over their data while keeping the data secret. This makes the development of new homomorphic cryptosystems and the cryptanalysis of existing ones a hot topic. By now a variety of homomorphic cryptosystems have been proposed (see for example [1-5]). RSA [1] is one of the best known, because the product of RSA ciphertexts is an encryption of the product of the corresponding plaintexts. But the cryptosystems [1-5] are only partially homomorphic, because they allow computing over ciphertexts only functions from some bounded class. In particular, for [1] only property (2) holds (multiplicatively homomorphic cryptosystems), whereas for [2] only (1) holds (additively homomorphic).
The simplest example of an HC satisfying both (1) and (2) was introduced in the fundamental paper [6] of Rivest, Adleman and Dertouzos. Its encryption function $E: \mathbb{Z}_n \to \mathbb{Z}_p \times \mathbb{Z}_q$ works as $x \mapsto (x \bmod p,\ x \bmod q)$. Unfortunately, in [7] this encryption was shown to be insecure against a known plaintext attack (KPA). Beginning with [6], many cryptosystems with properties (1), (2) were suggested. Two most important groups may be highlighted. The first group contains the cryptosystems [8-11] with unlimited growth of ciphertext size during computations over them (their security analysis may be found in [12, 13]). The cryptosystems of the second group have polynomial bounds on the growth of ciphertext size; this group contains, for example, the cryptosystems [14-18] of the direction initiated by the innovative work [14] of IBM researcher Craig Gentry. The second group is obviously more interesting for practice, but unfortunately the existing cryptosystems are not efficient enough for real applications, and the development of Gentry-like HCs currently has a mostly theoretical character. In practice, at present, HCs from the first group are used. For instance, the cryptosystems [10, 11] proposed by Domingo-Ferrer are exploited for secure packet forwarding in mobile ad hoc networks (see [19-24]). The main reason is the conceptual simplicity of the constructions from [10, 11].
In the light of this, the analysis of the resistance of Domingo-Ferrer HCs to different attacks is of value. Here we concentrate on KPA. In [25] the authors described a KPA on [10] and showed that to recover the secret key an adversary $\mathcal{A}$ should intercept $t \ge d+1$ pairs (plaintext, ciphertext), where $d$ is the degree of the polynomials representing ciphertexts. The aim of the present work is to demonstrate that [10] may be broken using only two pairs (plaintext, ciphertext). We give theoretical reasoning for this fact and also provide experimental confirmation.
2. Notation
All logarithms are base 2. The probability of an event $M$ is denoted by $\Pr(M)$, the ring of integers by $\mathbb{Z}$, the ring of integers modulo $n$ by $\mathbb{Z}_n$, the multiplicative group of $\mathbb{Z}_n$ by $\mathbb{Z}_n^*$. An adversary trying to break a cryptosystem is denoted by $\mathcal{A}$. For a symmetric cryptosystem $S$: $P$ is the plaintext space, $C$ the ciphertext space, $K$ the secret key space, $D$ a probability distribution over $P$.
We denote by $x \xleftarrow{\$} R$ a random element sampled according to the uniform distribution over a ring $R$, and by $x \xleftarrow{D} R$ a random ring element generated according to the distribution $D$ over $R$. The notation $f(x) \xleftarrow{\$} R[x]$ means that all coefficients of the polynomial $f$ are random values chosen uniformly and independently from $R$.
3. Overview of Domingo-Ferrer cryptosystem
Let us briefly recall the cryptosystem from [10]. The author sets $P = \mathbb{Z}_n$, $C \subset \mathbb{Z}_p[x] \times \mathbb{Z}_q[x]$, $K = \mathbb{Z}_p^* \times \mathbb{Z}_q^*$, where $n = p \cdot q$, $p, q$ are big primes, $p < q$, $\log p \approx \log q$, i.e. $n$ is an RSA modulus. Its factorization is secret. The secret key is a pair $k = (r_p, r_q) \in K$. Before encryption a public parameter $d \in \mathbb{Z}^+$ is fixed.
Encryption($a \in \mathbb{Z}_n$, $d \in \mathbb{Z}^+$, $p, q$, $k = (r_p, r_q) \in K$):
• $a \in \mathbb{Z}_n \to a'(x) \in \mathbb{Z}_n[x]$, where $a'(x) = \sum_{i=1}^{d} a'_i \cdot x^i$ and for $i = 2, \ldots, d-1$: $a'_i \xleftarrow{\$} \mathbb{Z}_n$, $a'_d \xleftarrow{\$} \mathbb{Z}_n \setminus \{0\}$ and $a'_1 := (a - \sum_{i=2}^{d} a'_i) \bmod n$.
• The ciphertext is the pair of polynomials $c = (c_p(x), c_q(x))$, where $c_p(x) := a'(r_p \cdot x) \bmod p$ and $c_q(x) := a'(r_q \cdot x) \bmod q$.
One may see that $a = a'(1) \pmod n$ (or $a = \sum_{i=1}^{d} a'_i \pmod n$).
Decryption($c = (c_p(x), c_q(x))$, $p, q$, $k^{-1} = (r_p^{-1}, r_q^{-1})$):
• $a'_p(x) := c_p(r_p^{-1} \cdot x) \bmod p$, $a'_q(x) := c_q(r_q^{-1} \cdot x) \bmod q$ (clearly $a'_p(x) = a'(x) \pmod p$ and $a'_q(x) = a'(x) \pmod q$).
• $a_p := a'_p(1) \bmod p$, $a_q := a'_q(1) \bmod q$ (clearly $a_p = a \pmod p$, $a_q = a \pmod q$).
• $a := CRT(a_p, a_q, p, q)$, where $CRT(a_p, a_q, p, q)$ denotes the reconstruction of $a \in \mathbb{Z}_n$ from $a_p \in \mathbb{Z}_p$, $a_q \in \mathbb{Z}_q$ using the Chinese remainder theorem.
In [10] the author suggested two regimes of operation of the cryptosystem. In the first variant the modulus $n$ is public, and plaintext and ciphertext coefficients are treated by the untrusted party as elements of $\mathbb{Z}_n$. In the second case $n$ is hidden to provide a higher level of security, and then plaintext and ciphertext coefficients are treated as elements of $\mathbb{Z}$. Here we consider only the first case.
Homomorphic properties. Suppose there are plaintexts $a_1, a_2 \in \mathbb{Z}_n$ and $c_1 = (c_{p,1}(x), c_{q,1}(x))$, $c_2 = (c_{p,2}(x), c_{q,2}(x))$ are their encryptions made under the same key $k = (r_p, r_q)$ and the same $d$. In [10] the author proves the following statements.
Statement 1. The ciphertext $c_+ = ((c_{p,1}(x) + c_{p,2}(x)) \bmod n,\ (c_{q,1}(x) + c_{q,2}(x)) \bmod n)$ is a correct encryption of the plaintext $(a_1 + a_2) \bmod n \in \mathbb{Z}_n$ for key $k = (r_p, r_q)$ and parameter $d$.
Statement 2. The ciphertext $c_\times = ((c_{p,1}(x) \cdot c_{p,2}(x)) \bmod n,\ (c_{q,1}(x) \cdot c_{q,2}(x)) \bmod n)$ is a correct encryption of the plaintext $(a_1 \cdot a_2) \bmod n \in \mathbb{Z}_n$ for key $k = (r_p, r_q)$ and parameter $2 \cdot d$.
One may see that multiplication of ciphertexts causes unbounded growth of their size (the size doubles with every multiplication). So in general this HC is not good for practice, but its simplicity makes it suitable for applications requiring only the computation of some special functions (see [19-24]).
Remark 1. In practice, for example, $\log n \approx 2048$ may be chosen. Then the size $S$ of a ciphertext is $2048 \cdot d$ bits. This implies that $d < 500$ should be chosen to obtain $S < 10^6$ bits. Such a setting seems reasonable because in all latest HCs [14-18] $S$ is usually about $10^6$ bits; a larger value of $S$ would make homomorphic computations too expensive. Of course, this is suitable only if additive homomorphism alone is needed; if multiplicative homomorphism is to be exploited, then $d$ should be smaller.
4. Cryptanalysis of the Domingo-Ferrer cryptosystem
4.1 Existing KPA
Here we briefly discuss the existing results [25] concerning known plaintext analysis of the Domingo-Ferrer cryptosystem [10]. Suppose $\mathcal{A}$ has $t$ pairs $(a_i \in P, c_i \in C)$, $i = 1, \ldots, t$, where $c_i$ is an encryption of $a_i$ and all $c_i$ are produced for the same $n$, $k = (r_p, r_q)$ and $d$. The ciphertexts $c_i$ are pairs $(c_{p,i}(x) \in \mathbb{Z}_p[x],\ c_{q,i}(x) \in \mathbb{Z}_q[x])$, where $c_{p,i}(x) = \sum_{j=1}^{d} c_{p,i,j} \cdot x^j$ and $c_{q,i}(x) = \sum_{j=1}^{d} c_{q,i,j} \cdot x^j$.
$\mathcal{A}$ needs to recover $p$, $q$ and $k^{-1} = (r_p^{-1}, r_q^{-1})$ using $n$ and $(a_i \in P, c_i \in C)$, $i = 1, \ldots, t$.
Remark 2. Here we consider the case of public $n$. So before recovering $p, q$, $\mathcal{A}$ works with the polynomials $c_{p,i}(x), c_{q,i}(x)$ modulo $n$. In [25] the authors also propose an attack for hidden $n$; in this case the coefficients $c_{p,i,j}, c_{q,i,j}$ are treated as integers at the first step of the KPA.
According to the encryption procedure the following congruences hold:
$c_{p,i}(r_p^{-1}) - a_i \equiv 0 \pmod p$, (3)
$c_{q,i}(r_q^{-1}) - a_i \equiv 0 \pmod q$. (4)
So the polynomials $f_i(x) = c_{p,i}(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, \ldots, t$ have a common root $r_p^{-1}$ modulo $p$. Similarly $g_i(x) = c_{q,i}(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, \ldots, t$ have a common root $r_q^{-1}$ modulo $q$. Note that $r_p^{-1}, r_q^{-1}$ are not necessarily roots of $f_i(x), g_i(x)$ modulo $n$. So the KPA proceeds in three steps:
• $\mathcal{A}$ recovers the secret modulus $p$ and sets $q = n / p$.
• $\mathcal{A}$ computes $r_p^{-1}$ as a common root of $f_i(x)$, $i = 1, \ldots, t$ modulo $p$.
• $\mathcal{A}$ computes $r_q^{-1}$ as a common root of $g_i(x)$, $i = 1, \ldots, t$ modulo $q$.
4.1.1 Recovering the modulus $p$
To compute $p$, the authors of [25] propose to consider the following matrix $A \in \mathbb{Z}_n^{t \times (d+1)}$:
$$A = \begin{pmatrix} -a_1 & c_{p,1,1} & \cdots & c_{p,1,d} \\ -a_2 & c_{p,2,1} & \cdots & c_{p,2,d} \\ \vdots & \vdots & \ddots & \vdots \\ -a_t & c_{p,t,1} & \cdots & c_{p,t,d} \end{pmatrix}.$$
According to (3) the homogeneous system of linear equations $(A \mid 0)$ has a nontrivial solution modulo $p$:
$v^T = (1,\ r_p^{-1},\ (r_p^{-1})^2,\ \ldots,\ (r_p^{-1})^d)$.
Therefore for $t = d+1$, $A$ is a square matrix with zero determinant modulo $p$. Then the equality $\det(A) = p \cdot s \in \mathbb{Z}_n$, $s \in \{0, 1, \ldots, q-1\}$ holds. This means that if $s \ne 0$, $p$ may be recovered as follows:
$p := GCD(\det(A), n)$.
According to the Chinese remainder theorem we have $\det(A) = (\det(A) \bmod q) \cdot p \cdot (p^{-1} \bmod q)$. So $s = 0$ if and only if $\det(A) \bmod q = 0$. The authors of [25] prove that
$\Pr(\det(A) \bmod q \ne 0) \ge \varepsilon$, (5)
where for large $p$ the value $\varepsilon \approx 1$. Thus, having $d+1$ pairs (plaintext, ciphertext), $\mathcal{A}$ may recover $p$ with probability $\approx 1$. The asymptotic complexity of computing $p$ by this method is $O(d^3 \cdot \log^2 n)$.
Remark 3. Inequality (5) in [25] was proven under the assumptions that $c_{p,i,j} \xleftarrow{\$} \mathbb{Z}_p$ and $a_i \bmod q \xleftarrow{\$} \mathbb{Z}_q$. But of course this is correct only if the probability distribution $D$ over $P$ is uniform. For non-uniform $D$, (5) is not true. In the worst case $D$ may be such that $\Pr(0) \approx 1$, and then for moderate values of $d$ we get $\Pr(\det(A) \bmod q = 0) > 1/2$, because if the first column of $A$ is a zero vector then $\det(A) \bmod q = 0$ holds. So for such $D$ the probability of successful cryptanalysis is not so good. In general additional study is necessary, because it is not immediately clear how to estimate $\Pr(\det(A) \bmod q \ne 0)$ for arbitrary $D$.
4.1.2 Recovering $r_p^{-1}, r_q^{-1}$
Now we suppose $t = d+1$ and that $p$ has been recovered using $(a_i \in P, c_i \in C)$, $i = 1, \ldots, t$. The first way to compute $r_p^{-1}$ is to solve the system of linear equations $(A \mid 0)$. The second way is to compute
$f(x) = GCD(f_{p,1}(x), \ldots, f_{p,d+1}(x))$,
where $f_{p,i}(x) := f_i(x) \bmod p = c_{p,i}(x) - a_{p,i}$, $a_{p,i} := a_i \bmod p$. Obviously
$f(x) = (x - r_p^{-1}) \cdot GCD(f^{\circ}_{p,1}(x), \ldots, f^{\circ}_{p,d+1}(x))$
holds, where $f^{\circ}_{p,i}(x) = f_{p,i}(x) / (x - r_p^{-1}) \in \mathbb{Z}_p[x]$, $i = 1, \ldots, d+1$. If $GCD(f^{\circ}_{p,1}(x), \ldots, f^{\circ}_{p,d+1}(x)) = 1$ then $f(x) = x - r_p^{-1}$ and therefore $r_p^{-1}$ is recovered.
Based on the assumption that for all $i = 1, \ldots, d+1$: $f^{\circ}_{p,i}(x) \xleftarrow{\$} \mathbb{Z}_p[x]$, $\deg(f^{\circ}_{p,i}(x)) = d-1$, the authors of [25] give the estimate
$\Pr(f(x) = x - r_p^{-1}) = \Pr(GCD(f^{\circ}_{p,1}(x), \ldots, f^{\circ}_{p,d+1}(x)) = 1) \ge (1 - 1/p^d)^{d-1}$. (6)
So for large $p$ and moderate $d$ the probability to recover $r_p^{-1}$ becomes close to 1.
Remark 4. Both ways to compute $r_p^{-1}$ have equivalent complexity $O(d^3 \cdot \log^2 p)$.
In [25] the authors did not give a proof that all $f^{\circ}_{p,i}(x)$ are uniformly random. Here we fill this gap.
Statement 3. Let the distribution $D$ be uniform and let $f(x) = c_p(x) - a \in \mathbb{Z}_n[x]$, $\deg(f) = d$, be constructed from the pair $(a, c = (c_p(x), c_q(x)))$. Then $f^{\circ}_p(x) = f_p(x) / (x - r_p^{-1}) \in \mathbb{Z}_p[x]$ is uniformly random with $\deg(f^{\circ}_p(x)) = d-1$, where $f_p(x) := f(x) \bmod p$.
Proof. Consider $f_p(x) = \sum_{i=0}^{d} f_{p,i} \cdot x^i \in \mathbb{Z}_p[x]$. According to the encryption procedure $f_{p,i} := (a'_i \cdot r_p^i) \bmod p$, $i = 1, \ldots, d$, and $f_{p,0} := (-\sum_{i=1}^{d} a'_i) \bmod p$ $(= (-a) \bmod p)$. Using ordinary polynomial division it is easy to verify that
$f^{\circ}_p(x) = f_p(x) / (x - r_p^{-1}) = \sum_{i=0}^{d-1} f^{\circ}_{p,i} \cdot x^i$,
where $f^{\circ}_{p,d-1} = r_p^d \cdot a'_d \pmod p$, $f^{\circ}_{p,d-2} = r_p^{d-1} \cdot (a'_d + a'_{d-1}) \pmod p$, ..., $f^{\circ}_{p,1} = r_p^2 \cdot (a'_d + a'_{d-1} + \ldots + a'_2) \pmod p$ and $f^{\circ}_{p,0} = r_p \cdot (a'_d + a'_{d-1} + \ldots + a'_1) \pmod p = r_p \cdot a \pmod p$. The coefficients $f^{\circ}_{p,i}$, $i = 0, \ldots, d-1$ are independent random values, where $f^{\circ}_{p,i} \xleftarrow{\$} \mathbb{Z}_p$, $i = 1, \ldots, d-2$, and $f^{\circ}_{p,0} \xleftarrow{D} \mathbb{Z}_p$. So obviously if $D$ is uniform then $f^{\circ}_p(x) \xleftarrow{\$} \mathbb{Z}_p[x]$ and $\deg(f^{\circ}_p(x)) = d-1$. □
One may see that for non-uniform $D$ the polynomials $f^{\circ}_{p,i}(x)$, $i = 1, \ldots, d+1$ are not uniformly random, and in this case it is not clear whether estimate (6) holds. Thus additional study should be carried out.
Let us return to uniform $D$. We note that in this case, instead of estimate (6), one may obtain the exact value of $\Pr(GCD(f^{\circ}_{p,1}(x), \ldots, f^{\circ}_{p,d+1}(x)) = 1)$. In [26] the following result, based on the Euclidean algorithm, was proved.
Corollary 1 ([26]). Let $(d_1, \ldots, d_m)$ be an ordered $m$-tuple of nonnegative integers (not all zero) and for $1 \le i \le m$ let $a_i(x) \xleftarrow{\$} \mathbb{Z}_p[x]$, $\deg(a_i(x)) = d_i$, where $p$ is a prime. Then the probability that $a_1(x), \ldots, a_m(x)$ are relatively prime is $1 - 1/p^{m-1}$.
Based on this corollary we have $\Pr(GCD(f^{\circ}_{p,1}(x), \ldots, f^{\circ}_{p,d+1}(x)) = 1) = 1 - 1/p^d$, which is $\approx 1$ for large $p$.
Similarly $g(x) = GCD(g_{q,1}(x), \ldots, g_{q,d+1}(x)) = x - r_q^{-1}$ with probability $1 - 1/q^d$, where $g_i(x) = c_{q,i}(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, \ldots, d+1$, $g_{q,i}(x) := g_i(x) \bmod q = c_{q,i}(x) - a_{q,i}$, $a_{q,i} := a_i \bmod q$. Finally we obtain that the probability to recover $r_p^{-1}, r_q^{-1}$ is equal to $(1 - 1/p^d) \cdot (1 - 1/q^d)$. Note that this holds because, according to the encryption procedure, for uniform $D$ and every $i$ the polynomials $f_{p,i}(x)$ and $g_{q,i}(x)$ may be considered as independent random polynomials.
Summarizing, we see that the KPA pro                                              posed in [25] requires $t \ge d+1$ pairs (plaintext, ciphertext) to recover the secret key with probability $\Pr \approx 1$. But the estimate $\Pr \approx 1$ is proved only for uniform $D$. The total asymptotic complexity of the KPA is $O(d^3 \cdot \log^2 n)$.
4.2 Our improvement of the KPA
Now we discuss how to reduce the number of pairs $t$ necessary for a successful KPA on the cryptosystem [10]. First we recall the notion of the resultant of two polynomials.
Let $f(x) = \sum_{i=0}^{d_1} f_i \cdot x^i$, $g(x) = \sum_{i=0}^{d_2} g_i \cdot x^i \in \mathbb{Z}_n[x]$. One may compose the Sylvester matrix $S \in \mathbb{Z}_n^{(d_1+d_2) \times (d_1+d_2)}$ of $f(x), g(x)$, whose first $d_2$ rows are shifted copies of the coefficients of $f$ and whose last $d_1$ rows are shifted copies of the coefficients of $g$:
$$S = \begin{pmatrix} f_0 & f_1 & \cdots & f_{d_1} & 0 & \cdots & 0 \\ 0 & f_0 & f_1 & \cdots & f_{d_1} & \cdots & 0 \\ \vdots & & \ddots & & & \ddots & \vdots \\ 0 & \cdots & 0 & f_0 & f_1 & \cdots & f_{d_1} \\ g_0 & g_1 & \cdots & g_{d_2} & 0 & \cdots & 0 \\ \vdots & & \ddots & & & \ddots & \vdots \\ 0 & \cdots & 0 & g_0 & g_1 & \cdots & g_{d_2} \end{pmatrix}.$$
The resultant of the polynomials $f(x), g(x) \in \mathbb{Z}_n[x]$ is defined as $\Theta = Res(f(x), g(x)) = \det(S) \bmod n \in \mathbb{Z}_n$. It is a well known result that $\Theta = 0$ if and only if $f(x)$ and $g(x)$ have at least one common root or factor modulo $n$ (for details see [27]). For further discussion we need the following simple statements.
Statement 4. If for $n = p \cdot q$ the polynomials $f(x), g(x) \in \mathbb{Z}_n[x]$ have at least one common root or factor modulo $p$ (or $q$) then $\Theta_p = 0$ (or $\Theta_q = 0$), where $\Theta_p := \Theta \bmod p$, $\Theta_q := \Theta \bmod q$.
Statement 5. If $n = p \cdot q$, where $p \ne q$, $GCD(p, q) = 1$, then $\Theta = 0$ if and only if $\Theta_p = 0$ and $\Theta_q = 0$.
We skip the proofs because these statements follow immediately from the Chinese remainder theorem and the properties of congruences.
Let us return to the KPA on the cryptosystem [10]. Now we demonstrate that interception of only two pairs (plaintext, ciphertext) may be enough to recover the factorization of $n$ and $k = (r_p, r_q)$.
4.2.1 Recovering the modulus $p$
Suppose $\mathcal{A}$ intercepted $(a_i,\ c_i = (c_{p,i}(x) \in \mathbb{Z}_p[x],\ c_{q,i}(x) \in \mathbb{Z}_q[x]))$, $i = 1, 2$, where $\deg(c_{p,i}(x)) = d$, $\deg(c_{q,i}(x)) = d$. Consider the resultant $\Theta = Res(f_1(x), f_2(x)) \in \mathbb{Z}_n$, where $f_i(x) = c_{p,i}(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, 2$. As we have already seen, $f_1(x), f_2(x)$ have the common root $r_p^{-1}$ modulo $p$. According to statement 4, $\Theta_p = 0$ and hence $\Theta = p \cdot s$, $s \in \{0, 1, \ldots, q-1\}$. So for $s \ne 0$, $\mathcal{A}$ can compute $p$ by the formula
$p := GCD(\Theta, n)$.
Note that this holds because $q$ is prime and $GCD(s, q) = 1$ for $s \ne 0$.
As a result, to recover $p$ it is enough to have only two pairs $(a_i, c_i)$, $i = 1, 2$ with $\Theta \ne 0$. So it is necessary to find out how large the probability $\Pr_0 = \Pr(\Theta \ne 0)$ is for randomly intercepted pairs. To estimate $\Pr_0$ we note that according to statement 5, $\Theta = 0$ if and only if $\Theta_q = 0$, and then $\Pr_0 = \Pr(\Theta_q \ne 0)$. Obviously $\Theta_q \ne 0$ if and only if $GCD(f_{q,1}(x), f_{q,2}(x)) = 1$, where $f_{q,i}(x) = f_i(x) \bmod q \in \mathbb{Z}_q[x]$, $i = 1, 2$. If $f_{q,1}(x), f_{q,2}(x)$ were uniformly random in $\mathbb{Z}_q[x]$ then $\Pr_0 = \Pr(\Theta_q \ne 0)$ would be equal to $1 - 1/q$ according to corollary 1.
But unfortunately in fact $f_{q,i}(x) = \sum_{j=0}^{d} f_{q,i,j} \cdot x^j$, $i = 1, 2$ are not strictly uniform even if the distribution $D$ is uniform. Indeed, for uniform $D$ we have $f_{q,i,j} \xleftarrow{\$} \{0, 1, \ldots, p-1\}$, $j = 1, \ldots, d-1$, $f_{q,i,d} \xleftarrow{\$} \{1, \ldots, p-1\}$ and $f_{q,i,0} \xleftarrow{\$} \mathbb{Z}_q$. The estimate
$\Pr_0 \approx 1 - 1/q$ (8)
we are not ready to prove now. But (8) agrees very well with computer experiments. In tables 1, 2 we present practical estimates of $\Pr_0$ for uniform $D$ and different $d$.
Remark 5. The cryptosystem from [10] and the presented KPA were implemented using Qt 1.3.1 and the NTL library [28]. For the practical estimation of $\Pr_0$, two pairs $(a_i, c_i)$ were generated randomly $10^5$ times, and the number of cases with $\Theta_q \ne 0$ was counted.
The case of non-uniform $D$ should be studied additionally. The only thing we can say now is that in the worst case $D$ may be such that $\Pr(0) = \beta$, where $\beta \approx 1$, and then $\Pr(\Theta_q = 0) \ge \beta^2$, which is $\approx 1$. So for such $D$ this KPA fails with overwhelming probability.
Table 1. Estimates of $\Pr_0$ for different $p, q$ and $d = 10$.
n       p     q     practical estimate of Pr_0    1 - 1/q
6       2     3     0.67                          0.67
35      5     7     0.86                          0.86
91      7     13    0.922                         0.923
253     11    23    0.956                         0.957
1517    37    41    0.97                          0.97
3599    59    61    0.98                          0.99
9991    97    103   0.99                          0.991
Table 2. Estimates of $\Pr_0$ for different $p, q$ and $d = 50$.
n       p     q     practical estimate of Pr_0    1 - 1/q
15      3     5     0.8                           0.8
221     13    17    0.92                          0.94
1147    31    37    0.954                         0.972
2173    41    53    0.999                         0.999
13943   103   131   0.999                         0.999
The asymptotic complexity of this method of recovering $p$ is $O(d^3 \cdot \log^2 n)$.
Finally we note that the idea of computing the resultant of polynomials to recover $p$ is borrowed from [29]. In [29] the author presented a KPA on another Domingo-Ferrer homomorphic cryptosystem [11]. Encryption in [11] works similarly to [10]. A plaintext $a \in \mathbb{Z}_{n'}$ is first mapped into a random polynomial $a'(x) \in \mathbb{Z}_{n'}[x]$ such that $a'(1) = a \pmod{n'}$, $\deg(a'(x)) = d$, $a'(0) = 0$. The ciphertext is a polynomial $c(x) \in \mathbb{Z}_n[x]$ such that $c(x) := a'(r \cdot x) \bmod n$, where $r \in \mathbb{Z}_n^*$ is the secret key, $n$ is a big integer ($\log n \approx 1000$) with many small divisors, $n' \mid n$ and $\log n' = 100$. The modulus $n'$ is hidden and $n$ is public. It should be pointed out that in spite of the similarity, the construction from [10] is not a special case of [11], nor vice versa. To break the cryptosystem [11], $\mathcal{A}$ should first compute $n'$ and second $(r')^{-1} := r^{-1} \bmod n'$ as a common root of the polynomials $f_i(x) = c_i(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, \ldots, t$ modulo $n'$. By the properties of congruences, $(r')^{-1}$ may be used for decryption instead of $r^{-1}$. To recover $n'$, the author of [29] proposes to compute $n'' = GCD(n, Res(f_1, f_2), Res(f_3, f_4), \ldots, Res(f_{t-1}, f_t))$. Obviously
$\Pr(n'' = n') = \Pr(GCD(n / n',\ Res(f_1, f_2) / n',\ Res(f_3, f_4) / n',\ \ldots,\ Res(f_{t-1}, f_t) / n') = 1)$ ($/$ is integer division)
holds. Here, in contrast to [10], it is not enough to take $t = 2$, because $n$ has many small divisors. So to estimate $\Pr_0 = \Pr(GCD(n / n',\ Res(f_1, f_2) / n',\ \ldots,\ Res(f_{t-1}, f_t) / n') = 1)$ one should use a known result about the probability that randomly chosen integers are coprime. According to this result $\Pr_0 \approx 1 / \zeta(t/2 + 1)$ holds (we suppose $t$ is even), where $\zeta$ is Riemann's zeta function. So for $t = 2$ we have $\Pr_0 \approx 0.61$, which of course is not enough. To obtain $\Pr_0 \approx 1$ one should take $t \ge 100$.
Summarizing, we stress that the idea of computing resultants does not work so well for the cryptosystem [11], because $\mathcal{A}$ must intercept many pairs to recover the secret modulus with overwhelming probability. But for [10] computing the resultant allows decreasing $t$ considerably. Now the only case in which we still do not know how to find $p$ is $t = 1$.
4.2.2 Recovering $r_p^{-1}, r_q^{-1}$
To recover $r_p^{-1}$, $\mathcal{A}$ may compute
$f(x) = GCD(f_{p,1}(x), f_{p,2}(x)) \in \mathbb{Z}_p[x]$, where $f_{p,i}(x) := f_i(x) \bmod p$, $f_i(x) = c_{p,i}(x) - a_i \in \mathbb{Z}_n[x]$, $i = 1, 2$. For uniform $D$, according to corollary 1 we obtain $\Pr(f(x) = x - r_p^{-1}) = 1 - 1/p$, which is $\approx 1$ for large $p$. Similarly $r_q^{-1}$ may be recovered with probability $1 - 1/q$. So the total probability to find $r_p^{-1}, r_q^{-1}$ is now $\Pr_1 = (1 - 1/p) \cdot (1 - 1/q)$, which is $\approx 1$ for large $p, q$. The asymptotic complexity of computing $r_p^{-1}, r_q^{-1}$ is now $O(d^2 \cdot \log^2 q)$. To conclude, we present the total running time $T$ of our KPA (the time to recover $p, q$ and $r_p^{-1}, r_q^{-1}$). Time measurements were done on a PC with the following characteristics: Quad Core Celeron 1.7 GHz with 4 GB memory.
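The encryption of section 3 and the ways of recovering the secret parameters described in section 4 (the determinant of $A$ with $d+1$ pairs from 4.1.1, the resultant with two pairs from 4.2.1, and the polynomial GCD for $r_p^{-1}, r_q^{-1}$ from 4.1.2 and 4.2.2) can be checked end to end on toy parameters. The Python below is an added example written for this page; it is not the paper's implementation (which used Qt and NTL) and not Domingo-Ferrer's code. The primes, degree and seed are constructed toy values, polynomials are coefficient lists indexed by the power of $x$, the Bareiss determinant and the Euclidean polynomial GCD are plain textbook routines, and all function names are this example's own.

```python
import math
import random

def encrypt(a, d, p, q, r_p, r_q, rng):
    """Section 3: a'(x) = sum_{i=1}^d a'_i x^i with a'(1) = a (mod n), then
    c_p(x) = a'(r_p x) mod p, c_q(x) = a'(r_q x) mod q. Index = power of x."""
    n = p * q
    a_prime = [0] * (d + 1)
    for i in range(2, d):
        a_prime[i] = rng.randrange(n)
    a_prime[d] = rng.randrange(1, n)           # a'_d in Z_n \ {0}
    a_prime[1] = (a - sum(a_prime[2:])) % n    # forces a'(1) = a (mod n)
    c_p = [a_prime[i] * pow(r_p, i, p) % p for i in range(d + 1)]
    c_q = [a_prime[i] * pow(r_q, i, q) % q for i in range(d + 1)]
    return c_p, c_q

def det_int(M):
    """Exact integer determinant (fraction-free Bareiss elimination). No modular
    inverse is needed, so det(A) and Res(f, g) are taken over Z and reduced by a
    gcd with the public n afterwards, which is all the adversary can do."""
    M = [row[:] for row in M]
    m, sign, prev = len(M), 1, 1
    for k in range(m - 1):
        if M[k][k] == 0:
            piv = next((i for i in range(k + 1, m) if M[i][k] != 0), None)
            if piv is None:
                return 0
            M[k], M[piv], sign = M[piv], M[k], -sign
        for i in range(k + 1, m):
            for j in range(k + 1, m):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[-1][-1]

def resultant(f, g):
    """Section 4.2: Res(f, g) as the Sylvester determinant (rows hold the
    coefficients from the leading one; the paper's f_0-first order only flips the sign)."""
    d1, d2 = len(f) - 1, len(g) - 1
    S = [[0] * (d1 + d2) for _ in range(d1 + d2)]
    for i in range(d2):                    # d2 shifted copies of f
        for j in range(d1 + 1):
            S[i][i + j] = f[d1 - j]
    for i in range(d1):                    # d1 shifted copies of g
        for j in range(d2 + 1):
            S[d2 + i][i + j] = g[d2 - j]
    return det_int(S)

def poly_gcd_mod(f, g, m):
    """Monic GCD of f and g in Z_m[x], m prime (Euclidean algorithm)."""
    def trim(h):
        while h and h[-1] == 0:
            h.pop()
        return h
    f, g = trim([x % m for x in f]), trim([x % m for x in g])
    while g:
        inv = pow(g[-1], -1, m)
        while len(f) >= len(g):            # f := f mod g
            coef, shift = f[-1] * inv % m, len(f) - len(g)
            for j in range(len(g)):
                f[shift + j] = (f[shift + j] - coef * g[j]) % m
            trim(f)
        f, g = g, f
    return [x * pow(f[-1], -1, m) % m for x in f]

def adversary_polys(pairs, which):
    """f_i(x) = c_{p,i}(x) - a_i (which=0) or g_i(x) = c_{q,i}(x) - a_i (which=1),
    with integer coefficients, as A sees them when n is public (remark 2)."""
    return [[-a] + c[which][1:] for a, c in pairs]

def recover_p_det(fs, n):
    """Section 4.1.1 ([25]), t = d+1 pairs: the rows of A are the coefficient
    vectors of f_i and A (1, r, ..., r^d)^T = 0 (mod p) for r = r_p^{-1}."""
    d = len(fs[0]) - 1
    return math.gcd(det_int(fs[:d + 1]), n)

def recover_p_res(f1, f2, n):
    """Section 4.2.1, two pairs: Res(f1, f2) = 0 (mod p), so gcd with n gives p."""
    return math.gcd(resultant(f1, f2), n)

def recover_root(fs, m):
    """Sections 4.1.2 / 4.2.2: GCD(f_1, ..., f_t) mod m is x - r with high
    probability; returns r, or None when the GCD has another degree."""
    h = [x % m for x in fs[0]]
    for f in fs[1:]:
        h = poly_gcd_mod(h, f, m)
    return (-h[0]) % m if len(h) == 2 else None

def run_kpa(p, q, d, seed):
    """Constructed experiment: d+1 random plaintexts encrypted under a random key,
    then p, q, r_p^{-1}, r_q^{-1} recovered from the pairs by both methods."""
    rng, n = random.Random(seed), p * q
    r_p, r_q = rng.randrange(1, p), rng.randrange(1, q)
    pairs = [(a, encrypt(a, d, p, q, r_p, r_q, rng))
             for a in [rng.randrange(n) for _ in range(d + 1)]]
    fs, gs = adversary_polys(pairs, 0), adversary_polys(pairs, 1)
    p_res = recover_p_res(fs[0], fs[1], n)     # two pairs (section 4.2)
    p_det = recover_p_det(fs, n)               # d+1 pairs (section 4.1)
    q_res = n // p_res
    return {"p_res": p_res, "p_det": p_det, "true_p": p,
            "rp_inv": recover_root(fs[:2], p_res), "rq_inv": recover_root(gs[:2], q_res),
            "true_rp_inv": pow(r_p, -1, p), "true_rq_inv": pow(r_q, -1, q)}
```

Running `run_kpa` on the toy parameters reproduces the statements of the paper: both $GCD(Res(f_1, f_2), n)$ and $GCD(\det(A), n)$ return $p$, and $GCD(f_{p,1}, f_{p,2})$ modulo $p$ is $x - r_p^{-1}$. The experiment fails exactly in the cases whose probability the paper bounds by $1/q$ and $1/p$: when the resultant also vanishes modulo $q$ the gcd returns $n$ instead of $p$, and when the cofactors $f^{\circ}_{p,1}, f^{\circ}_{p,2}$ share a factor the GCD has degree above 1 and `recover_root` returns `None`.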
Table 3. Running time of the KPA.
d       T for log n = 2^10, log p = 2^9    T for log n = 2^11, log p = 2^10
8       38 ms                              112 ms
16      121 ms                             387 ms
32      460 ms                             1.5 s
64      1.9 s                              6 s
128     9.5 s                              27 s
256     52 s                               2 min
512     5 min                              12 min
1024    22 min                             50 min
5. Conclusion
We have analysed the existing method [25] of known plaintext cryptanalysis of the Domingo-Ferrer homomorphic cryptosystem [10]. The analysis shows that it provably works with overwhelming probability only for a uniform probability distribution $D$ over the plaintext space; the case of arbitrary $D$ requires further study. Also, based on the results of [29], we slightly modified the KPA from [25]. The obtained KPA works successfully even when the number $t$ of intercepted pairs (plaintext, ciphertext) equals 2, in contrast to [25], where $t \ge d+1$ must be satisfied. But unfortunately our attack also provably recovers the secret parameters with probability $\approx 1$ only for uniform $D$, and the case of arbitrary $D$ should also be studied additionally. If $D$ is such that $\Pr(0) \approx 1$ then both attacks fail with probability close to 1. In the future we plan to investigate the resistance of the Domingo-Ferrer homomorphic cryptosystem to ciphertext-only attack.
References
[1]. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 1978, vol. 21, no. 2, pp. 120-126.
[2]. S. Goldwasser and S. Micali. Probabilistic encryption & how to play mental poker keeping secret all partial information. Proceedings of the fourteenth annual ACM symposium on Theory of computing. ACM, 1982, pp. 365-377.
[3]. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. Advances in Cryptology - EUROCRYPT '99. Springer, 1999, pp. 223-238.
[4]. D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. Theory of Cryptography. Springer, 2005, pp. 325-341.
[5]. I. Damgård and M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Public Key Cryptography. Springer Berlin Heidelberg, 2001, pp. 119-136.
[6]. R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, 1978, vol. 4, no. 11, pp. 169-180.
[7]. E. F. Brickell and Y. Yacobi. On privacy homomorphisms. Advances in Cryptology - EUROCRYPT '87. Springer Berlin Heidelberg, 1988, pp. 117-125.
[8]. M. Fellows and N. Koblitz. Combinatorial cryptosystems galore. Contemporary Mathematics, 1993, vol. 168, no. 2, pp. 51-61.
[9]. A. O. Zhirov, O. V. Zhirova, and S. F. Krendelev. Bezopasnye oblachnye vychisleniya s pomoshh'yu gomomorfnoj kriptografii [Secure cloud computing using homomorphic cryptography]. Bezopasnost' informatsionnykh tekhnologij [The security of information technologies], 2013, vol. 1, pp. 6-12 (in Russian).
[10]. J. Domingo i Ferrer. A new privacy homomorphism and applications. Information Processing Letters, 1996, vol. 60, no. 5, pp. 277-282.
[11]. J. Domingo-Ferrer. A provably secure additive and multiplicative privacy homomorphism. Information Security. Springer, 2002, pp. 471-483.
[12]. A. Trepacheva and L. Babenko. Known plaintexts attack on polynomial based homomorphic encryption. Proceedings of the Seventh International Conference on Security of Information and Networks. ACM, 2014.
[13]. M. R. Albrecht, P. Farshim, J.-C. Faugère, and L. Perret. Polly Cracker, revisited. Advances in Cryptology - ASIACRYPT 2011. Springer, 2011, pp. 179-196.
[14]. C. Gentry. A fully homomorphic encryption scheme. Ph.D. dissertation, Stanford University, 2009.
[15]. M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. Advances in Cryptology - EUROCRYPT 2010. Springer, 2010, pp. 24-43.
[16]. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. Proceedings of the 3rd Innovations in Theoretical Computer Science Conference. ACM, 2012, pp. 309-325.
[17]. N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. Designs, Codes and Cryptography, 2011, pp. 1-25.
[18]. M. Naehrig, K. Lauter, and V. Vaikuntanathan. Can homomorphic encryption be practical? Proceedings of the 3rd ACM Workshop on Cloud Computing Security. ACM, 2011, pp. 113-124.
[19]. L. Ertaul and J. H. Yang. Implementation of Domingo Ferrer's A New Privacy Homomorphism (DF A New PH) in securing wireless sensor networks (WSN). Security and Management. Citeseer, 2008, pp. 498-504.
[20]. L. Ertaul and Vaidehi. Implementation of homomorphic encryption schemes for secure packet forwarding in mobile ad hoc networks (MANETs). IJCSNS International Journal of Computer Science and Network Security, 2007, vol. 7, no. 11, pp. 132-141.
[21]. V. Jariwala and D. Jinwala. Evaluating homomorphic encryption algorithms for privacy in wireless sensor networks. International Journal of Advancements in Computing Technology, 2011, vol. 3, no. 6.
[22]. Vaghasia and K. Bathwar. Public key encryption algorithms for wireless sensor networks in TinyOS. IJITEE, 2013, vol. 2, no. 4.
[23]. Sorniotti, L. Gomez, K. Wrona, and L. Odorico. Secure and trusted in-network data processing in wireless sensor networks: a survey. Journal of Information Assurance and Security, 2007, vol. 2, no. 3, pp. 189-199.
[24]. Westhoff, J. Girao, and M. Acharya. Concealed data aggregation for reverse multicast traffic in sensor networks: encryption, key distribution, and routing adaptation. IEEE Transactions on Mobile Computing, 2006, vol. 5, no. 10, pp. 1417-1431.
[25]. J. H. Cheon, W.-H. Kim, and H. S. Nam. Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme. Information Processing Letters, 2006, vol. 97, no. 3, pp. 118-123.
[26]. T. Benjamin and C. D. Bennett. The probability of relatively prime polynomials. Mathematics Magazine, 2007, pp. 196-202.
[27]. J. H. Davenport, Y. Siret, and E. Tournier. Computer Algebra. London: Academic Press, 1988, 263 p.
[28]. V. Shoup. NTL: A library for doing number theory. 2001.
[29]. Wagner. Cryptanalysis of an algebraic privacy homomorphism. Information Security. Springer, 2003, pp. 234-239.