Improved known plaintexts attack on Domingo-Ferrer homomorphic cryptosystem

This paper is devoted to known-plaintext cryptanalysis of the homomorphic cryptosystem proposed by Domingo-Ferrer. In previous works it was shown that at least d + 1 pairs (plaintext, ciphertext) are necessary to recover the secret key, where d is the degree of the polynomials representing ciphertexts. Here we analyze the existing known-plaintext attack, and a slightly modified attack on this cryptosystem is also presented. It allows the necessary number of pairs to be reduced meaningfully: in particular, interception of only two pairs may be enough for successful key recovery with overwhelming probability. The running time of our attack depends polynomially on d and logarithmically on the size of the plaintext space, as for the previous attack. We provide the results of computer experiments.



Introduction
Homomorphic encryption (HE) is a cryptographic primitive supporting an additional property in comparison with ordinary encryption: HE allows computing over encrypted data. Let us explain what this means. We assume that the plaintext space P and the ciphertext space C are rings with operations , P P   and , correspondingly, and let E, D be the encryption and decryption functions of the cryptosystem. The latter is homomorphic if for x, y ∈ P and E(x), E(y) ∈ C the following two properties, (1) and (2), are satisfied: ( ( ) ( )) , ( ( ) ( )) .
So the result of computations over ciphertexts will be an encryption of the result of the same computations over the underlying plaintexts.
Homomorphic cryptosystems (HC) are of key importance for protecting sensitive data in clouds. Computationally weak clients may outsource computations over their data while keeping this data secret. This makes the development of new homomorphic cryptosystems and the cryptanalysis of existing ones a hot topic.
The simplest example of an HC holding both (1) and (2) was introduced in the fundamental paper [6] of Rivest, Adleman and Dertouzos. Encryption function : . In [7] such encryption was shown to be insecure against known-plaintext attack (KPA). Beginning with [6], lots of cryptosystems with properties (1), (2) were suggested. Here the two most important groups may be highlighted. In the first group there are cryptosystems [8][9][10][11] with unlimited growth of ciphertext size during computations over them (their security analysis may be found in [12,13]), whereas cryptosystems of the second group have polynomial bounds on the growth of ciphertext size. In this group, for example, there are cryptosystems [14][15][16][17][18] belonging to the direction initiated by the innovative work [14] of IBM researcher Craig Gentry.
The second group is obviously more interesting for practice. But unfortunately the existing cryptosystems are not efficient enough for use in real applications. The development of Gentry-like HCs currently has a mostly theoretical character, and in practice at the present moment HCs from the first group are used. For instance, the cryptosystems [10,11] proposed by Domingo-Ferrer are exploited for secure packet forwarding in mobile ad hoc networks (see [19][20][21][22][23][24]). The main reason is the conceptual simplicity of the constructions from [10,11].
In the light of this, the analysis of the resistance of Domingo-Ferrer HCs to different attacks is of value. Here we concentrate on KPA. In [25] the authors described a KPA on [10] and showed that to recover the secret key an adversary should intercept at least d + 1 pairs (plaintext, ciphertext), where d is the degree of the polynomials representing ciphertexts. The aim of the present work is to demonstrate that [10] may be broken using even two pairs (plaintext, ciphertext). We give some theoretical reasoning for this fact and also provide an experimental confirmation.

Denotations
All logarithms are base 2. The probability of an event M is denoted by Pr(M), the ring of integers by $\mathbb{Z}$, the ring of integers modulo n by $\mathbb{Z}_n$, and the multiplicative group of $\mathbb{Z}_n$ by $\mathbb{Z}_n^*$. We refer to an adversary trying to break the cryptosystem simply as the adversary. For a symmetric cryptosystem: P is the plaintext space, C the ciphertext space, K the secret key space, and we fix a probabilistic distribution over P (the plaintext distribution). We denote by $x \xleftarrow{\$} R$ a random element sampled according to the uniform distribution over a ring R; for a polynomial f the same notation means that all coefficients of f are random values chosen uniformly and independently from R.
$a = \mathrm{CRT}(a_p, a_q, p, q)$, where $\mathrm{CRT}(a_p, a_q, p, q)$ means the reconstruction of $a \in \mathbb{Z}_n$ from $a_p \in \mathbb{Z}_p$ and $a_q \in \mathbb{Z}_q$ using the Chinese remainder theorem.
In [10] the author suggested two regimes of operation of the cryptosystem. In the first variant the modulus n is public, and the coefficients of plaintexts and ciphertexts are treated by the untrusted party as elements of $\mathbb{Z}_n$. In the second case n is hidden to provide a higher level of security, and then the coefficients of plaintexts and ciphertexts are treated as elements of $\mathbb{Z}$. Here we consider only the first case.
One may see that multiplication of ciphertexts causes unbounded growth of their sizes (the size is doubled). So in general this HC isn't good for practice, but its simplicity makes it suitable for applications requiring only the computation of some special functions (see [19][20][21][22][23][24]).
Remark 1. In practice, for example, $\log n = 2048$ may be chosen. Then the size S of a ciphertext is $2048 d$ bits. This implies that $d \approx 500$ should be chosen to obtain $S \approx 10^6$ bits. Such a setting seems reasonable because in all the latest HCs [14][15][16][17][18] S is usually about $10^6$ bits. A larger value of S would make homomorphic computations too expensive. But of course this is suitable only if additive homomorphism is necessary; if multiplicative homomorphism is to be exploited, then d should be smaller.

Existing KPA
Here we briefly discuss the existing results [25] concerning known-plaintext analysis of the Domingo-Ferrer cryptosystem [10].
Let us suppose the adversary has t pairs $(a_i, c_i)$, $i = 1, \dots, t$, where $c_i$ is an encryption of $a_i$ and all $c_i$ are produced for the same n, ( , ) , where , , , 1 ( ) ,
Remark 2. Here we consider the case of public n. So before recovering p, q the adversary works with polynomials , , ( ), ( ) . In [25] the authors also propose an attack for hidden n, and in this case the coefficients $c_{p,i,j}, c_{q,i,j}$ are treated as integers at the first step of the KPA.
The adversary computes $r_p^{-1}$ as a common root of ( ), 1,

Recovering the modulus p
For computing p, in [25] the authors propose to consider the following matrix $\mathbf{A}$
Remark 3. Inequality (5) in [25] was proven under the assumptions that $c_{p,i,j} \xleftarrow{\$} \mathbb{Z}_p$ and $a_i \bmod q \xleftarrow{\$} \mathbb{Z}_q$. But of course this is correct only if the probabilistic distribution over P is uniform. For a non-uniform distribution (5) is not true. In the worst case the distribution may be such that Pr(0) is close to 1, and then for moderate values of d we have $\Pr(\det(\mathbf{A}) \bmod q = 0) \ge 1/2$, because if the first column of $\mathbf{A}$ is a zero vector then $\det(\mathbf{A}) \bmod q = 0$ holds. So for such a distribution the probability of successful cryptanalysis is not so good. In general additional study is necessary, because it is not immediately clear how to estimate $\Pr(\det(\mathbf{A}) \bmod q = 0)$ for an arbitrary distribution.

Recovering $r_p^{-1}, r_q^{-1}$
Now we suppose $t \ge d + 1$ and p is recovered using $(a_i, c_i)$, $i = 1, \dots,$ . The first way to compute $r_p^{-1}$ is to solve the system of linear equations $(\mathbf{A} \mid \mathbf{0})$. The second way is to compute: , ,..., ( )), where , , .
In [25] the authors didn't give a proof that all 0 , ( ) . One may see that for a non-uniform distribution the polynomials 0 , ( ), 1, 1 are not uniformly random, and in this case it is not clear whether estimation (6) is true. Thus additional study should be carried out.
Let us turn to the uniform distribution. We would like to note that in this case, instead of estimation (6), one may obtain the exact value of the probability $\Pr(\mathrm{GCD}(\ldots) = 1)$ that the polynomials involved are relatively prime. In [26] the following result, based on the Euclidean algorithm, was proved.

Corollary 1 ([26]). Let $(d_1, \dots, d_m)$ be an ordered m-tuple of nonnegative integers (not all zero) and let $a_i(x)$, $i = 1, \dots, m$, be uniformly random monic polynomials of degree $d_i$ over $\mathbb{Z}_p$, where p is a prime. Then the probability that $a_1(x), \dots, a_m(x)$ are relatively prime is $1 - 1/p^{m-1}$.
Based on this corollary we have $\Pr(\mathrm{GCD}(\ldots) = 1)$ ( )mod ( ) . And finally we obtain that the probability to recover $r_p^{-1}$ is . It should be noted that the last one is true because, according to the encryption procedure, for the uniform distribution and distinct i the polynomials f(x), g(x) may be considered as independent random polynomials.
For polynomials f(x), g(x) we denote their resultant by $\mathrm{Res}(f(x), g(x))$.
Statement 5. If polynomials f(x), g(x) have at least one common root or common factor modulo p (or modulo q), then $\Delta_p = 0$ (or $\Delta_q = 0$), where $\Delta_p = \mathrm{Res}(f, g) \bmod p$ and $\Delta_q = \mathrm{Res}(f, g) \bmod q$. We skip the proof because this statement may be immediately derived from the Chinese remainder theorem and the properties of congruences. Let us return to the KPA on cryptosystem [10]. Now we will demonstrate that interception of only two pairs (plaintext, ciphertext) may be enough to recover the factorization of n and $(r_p^{-1}, r_q^{-1})$.

Recovering the modulus p
Let $f_i(x)$, $i = 1, 2$, be the polynomials of degree d corresponding to the two intercepted pairs, and let $\Delta = \mathrm{Res}(f_1(x), f_2(x)) \bmod n$. As we have already seen, $f_1(x), f_2(x)$ have a common root modulo p, so $\Delta \equiv 0 \pmod p$ and $p = \mathrm{GCD}(\Delta, n)$ whenever $\Delta \ne 0$. Please note that the last one is true because here q is prime and $\mathrm{GCD}(s, q) = 1$ for $0 < s < q$. As a result we obtain that to recover p it is enough to have only two pairs $(a_i, c_i)$, $i = 1, 2$, with $\Delta \ne 0$. So it is necessary to find out how large the probability $\Pr_0 = \Pr(\Delta \ne 0)$ is for randomly intercepted pairs. To estimate $\Pr_0$ we note that according to Statement 5, $\Delta \ne 0$ if and only if $\Delta_q \ne 0$, and then $\Pr_0 = \Pr(\Delta_q \ne 0)$. If $f_1(x), f_2(x)$ reduced modulo q were uniformly random polynomials over $\mathbb{Z}_q$, this probability would be equal to $1 - 1/q$ according to Corollary 1. But unfortunately, in fact $f_i(x) \bmod q$, $i = 1, 2$, are not strictly uniform even if the plaintext distribution is uniform. Indeed, for the uniform distribution there are $ , , {0,1,..., 1}, 1, 1 ; estimation (8) we are not ready to prove now. But (8) correlates very well with computer experiments. In Tables 1 and 2 we present practical estimations of $\Pr_0$ for the uniform distribution and different d.
Remark 5. The cryptosystem from [10] and the presented KPA were implemented using Qt 1.3.1 and the NTL library [28]. For the practical estimation of $\Pr_0$, two pairs $(a_i, c_i)$ were generated randomly $10^5$ times. Then the number of cases with $\Delta_q \ne 0$ was counted.
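As an added example (not code from the paper or its authors), the following Python illustrates Statement 5 and the two-pair recovery of p above, and the Corollary 1 rate $1 - 1/q$ it is compared against, on a constructed instance: two polynomials over $\mathbb{Z}_n$ built so that they share a root modulo p (standing in for $r_p^{-1}$) while being independent modulo q. The cryptosystem of [10] itself is not implemented; the primes, degree and helper names (sylvester_matrix, det_bareiss, sample_poly, recover_p, demo) are assumptions made here for illustration.

```python
from math import gcd
from random import randrange, seed

def sylvester_matrix(f, g):
    """Sylvester matrix of f, g (integer coefficient lists, highest degree first)."""
    m, n = len(f) - 1, len(g) - 1
    rows = [[0] * i + list(f) + [0] * (n - 1 - i) for i in range(n)]
    rows += [[0] * i + list(g) + [0] * (m - 1 - i) for i in range(m)]
    return rows

def det_bareiss(mat):
    """Exact integer determinant by fraction-free (Bareiss) elimination."""
    a = [row[:] for row in mat]
    n, sign, prev = len(a), 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:  # find a non-zero pivot below, else the determinant is 0
            piv = next((i for i in range(k + 1, n) if a[i][k] != 0), None)
            if piv is None:
                return 0
            a[k], a[piv], sign = a[piv], a[k], -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev
        prev = a[k][k]
    return sign * a[n - 1][n - 1]

def resultant(f, g):  # Res(f, g) over Z: it is 0 mod a prime iff f, g share a factor mod it
    return det_bareiss(sylvester_matrix(f, g))

def crt(a_p, a_q, p, q):  # CRT(a_p, a_q, p, q) from the paper's denotations, n = p*q
    return (a_p + p * ((a_q - a_p) * pow(p, -1, q) % q)) % (p * q)

def sample_poly(d, root_p, p, q, root_q=None):
    """Constructed degree-d polynomial over Z_n with root_p as a root mod p (and root_q mod q if given)."""
    cp = [randrange(1, p)] + [randrange(p) for _ in range(d)]  # leading coefficient non-zero
    cq = [randrange(1, q)] + [randrange(q) for _ in range(d)]  # coefficients mod q are uniform
    cp[-1] = -sum(c * pow(root_p, d - j, p) for j, c in enumerate(cp[:-1])) % p
    if root_q is not None:
        cq[-1] = -sum(c * pow(root_q, d - j, q) for j, c in enumerate(cq[:-1])) % q
    return [crt(x, y, p, q) for x, y in zip(cp, cq)]

def recover_p(f1, f2, n):
    """Delta = Res(f1, f2) mod n is 0 mod p (shared root): gcd(Delta, n) = p when Delta_q != 0; None if Delta = 0."""
    delta = resultant(f1, f2) % n
    return gcd(delta, n) if delta else None

def demo(d=4, p=10007, q=10009, rng_seed=1):  # two constructed 'pairs' sharing r_p^{-1} mod p
    seed(rng_seed)
    root_p = randrange(1, p)  # plays the role of the secret r_p^{-1}
    f1, f2 = sample_poly(d, root_p, p, q), sample_poly(d, root_p, p, q)
    return recover_p(f1, f2, p * q)  # == p with probability about 1 - 1/q (Corollary 1)
```

Passing the same root_q to both calls of sample_poly reproduces the failure case Delta = 0 mod n, where the gcd reveals nothing.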
The case of a non-uniform distribution should be studied additionally. The only thing we can say now is that in the worst case the distribution may be such that Pr(0)   , where  1 and then 2 0 Pr Pr( 0) .
Finally we would like to note that the idea of computing the resultant of polynomials for recovering p is borrowed from [29]. In [29] the author presented a KPA on another Domingo-Ferrer homomorphic cryptosystem [11]. Encryption in [11]  n' is hidden and n is public. It should be pointed out that in spite of the similarity, the construction from [10] is not a special case of [11] and vice versa.
To break cryptosystem [11] the adversary first should compute n' and second .
Summarizing all said above, we would like to stress that the idea of computing resultants doesn't work so well for cryptosystem [11], because the adversary must intercept many pairs to recover the secret modulus with overwhelming probability. But for [10] computing the resultant allows t to be decreased meaningfully. Now the only case in which we still don't know how to find p is $t = 1$.

Recovering $r_p^{-1}, r_q^{-1}$
. For the uniform distribution, according to Corollary 1 we obtain . Similarly, $r_q^{-1}$ may be recovered with probability $1 - 1/q$. So the total probability to find $r_p^{-1}, r_q^{-1}$ is . The last one tends to 1 for large p, q.
The asymptotic complexity of computing $r_p^{-1}, r_q^{-1}$ is . To conclude, we would like to present the total running time T of our KPA (the time to recover p, q and $r_p^{-1}, r_q^{-1}$). Time measurements were done using a PC with the following characteristics: Quad Core Celeron 1.7 GHz with 4 GB of memory.

Conclusion
We have analysed the existing method [25] of known-plaintext cryptanalysis of the Domingo-Ferrer cryptosystem [10]. This analysis shows that it provably works with overwhelming probability only for a uniform probabilistic distribution over the plaintext space. The case of an arbitrary distribution requires further study. Also, based on the results obtained in [29], we slightly modified the KPA from [25].
The obtained KPA works successfully even for the number t of intercepted pairs (plaintext, ciphertext) equal to 2. This is in contrast to [25] where

So for large p and moderate d the probability to recover $r_p^{-1}$

For such a distribution this KPA fails with overwhelming probability.
Table 1. Estimations of $\Pr_0$