On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes

Abstract: In this paper, we continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to recover the private keys through a number of decryption oracle queries. The schemes, that we study in detail, include those by Brakerski and Vaikuntanathan at Crypto 2011 and FOCS 2011, and that by Gentry, Sahai and Waters at Crypto … Show more

“…Zhang, Plantard, and Susilo [4] have shown a CCA1 attack against the Dijk-Gentry-Halevi-Vaikuntanathan scheme [16] that recovers a secret key by O(λ 2 ) decryption queries (where λ is a security parameter). Chenal and Tang [5] have shown several key recovery attacks such as the Brakerski-Vaikuntanathan scheme [17] with nN decryption queries, where a secret key is an element of Z n q and N = log 2 (q − 1) + 1, the other Brakerski-Vaikuntanathan scheme [18] with log 2 (q − 1) + 1/ log 2 (t − 1) + 1 decryption queries where t = poly(λ) ∈ Z * q , the Gentry-Sahai-Waters scheme [19] that each decryption query recovers 1 bit of each coefficient t i of the secret vector t ∈ Z n q . They have also shown that these attacks work against the Brakerski-Gentry-Vaikuntanathan scheme [20].…”

On the Security of Keyed-Homomorphic PKE: Preventing Key Recovery Attacks and Ciphertext Validity Attacks

“…Zhang, Plantard, and Susilo [4] have shown a CCA1 attack against the Dijk-Gentry-Halevi-Vaikuntanathan scheme [16] that recovers a secret key by O(λ 2 ) decryption queries (where λ is a security parameter). Chenal and Tang [5] have shown several key recovery attacks such as the Brakerski-Vaikuntanathan scheme [17] with nN decryption queries, where a secret key is an element of Z n q and N = log 2 (q − 1) + 1, the other Brakerski-Vaikuntanathan scheme [18] with log 2 (q − 1) + 1/ log 2 (t − 1) + 1 decryption queries where t = poly(λ) ∈ Z * q , the Gentry-Sahai-Waters scheme [19] that each decryption query recovers 1 bit of each coefficient t i of the secret vector t ∈ Z n q . They have also shown that these attacks work against the Brakerski-Gentry-Vaikuntanathan scheme [20].…”

On the Security of Keyed-Homomorphic PKE: Preventing Key Recovery Attacks and Ciphertext Validity Attacks

“…It is trivial that any homomorphic encryption scheme can be broken by CCA2 (i.e., if the adversary can make decryption queries after the challenge). It can also be broken by CCA1 attacks [15] (i.e., if the adversary can make decryption queries, but only before the challenge). The correctness of any FHE algorithm relies on the honesty of the server that it will execute the exact algorithm.…”

SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers

“…As previously explained in Section 2.3, the first fully homomorphic cryptosystem was described by Gentry (GENTRY, 2009a) Unfortunately, it has been proven that most existing homomorphic encryption schemes are not IND-CCA1 secure (LOFTUS et al, 2012;SZYDLO, 2003;TANG, 2014;DAHAB;GALBRAITH;MORAIS, 2015;TANG, 2015). In fact, these schemes "suffer from key recovery attacks (stronger than a typical IND-CCA1 attacks), which allow an adversary to recover the private keys through a number of decryption oracle queries" (CHENAL; TANG, 2014).…”

“…In fact, these schemes "suffer from key recovery attacks (stronger than a typical IND-CCA1 attacks), which allow an adversary to recover the private keys through a number of decryption oracle queries" (CHENAL; TANG, 2014). The only scheme thus far deemed to be IND-CCA1 secure is the one by Loftus et al (LOFTUS et al, 2012).…”

“…Nevertheless, this work represents a major breakthrough, and prompted the development of many other constructions, some even based on different kinds of lattices. Unfortunately, most of these have already succumbed to cryptanalysis (SZYDLO, 2003;TANG, 2014), with the exception of the method proposed by Loftus et al (LOFTUS et al, 2012), known as LMSV and a direct descendant of Gentry's original scheme. That scheme is proven to be IND-CCA1, uniquely among all fully or somewhat homomorphic encryption schemes known today.…”

Métodos eficientes para criptografia baseada em reticulados.