Abstract
At ACM-CCS 2014, Cheon, Lee and Seo introduced a particularly fast additively homomorphic encryption scheme (CLS scheme) based on a new number theoretic assumption, the co-Approximate Common Divisor (co-ACD) assumption. However, at Crypto 2015, Fouque et al. presented several lattice-based attacks that effectively devastated this scheme. They proved that a few known plaintexts are sufficient to break both the symmetric-key and the public-key variants, and they gave a heuristic lattice method for solving the search co-ACD problem.
In this paper, we mainly improve on the number of samples required and propose a new key-retrieval attack. We first give an effective attack based on Coppersmith's method that breaks the co-ACD problem when \(N=p_1\cdots p_n\) is known. If n lies within a certain range, our work is theoretically valid for a wider range of parameters. When \(n=2\), we can solve it with only two samples, which is the smallest number of samples needed to the best of our knowledge. A known-plaintext attack on the CLS scheme can be converted directly into solving the co-ACD problem with a known N, again requiring fewer samples than before to retrieve the private key. Finally, we show a ciphertext-only attack, a hybrid approach combining a direct lattice attack with Coppersmith's method, that recovers the key from a smaller number of ciphertexts and without any restriction on the plaintext size, although N is needed. All of our attacks are heuristic, but we have experimentally verified that they work efficiently for the parameters proposed in the CLS scheme, which can be broken in seconds in our experiments.
The work of this paper was supported in part by the National Natural Science Foundation of China (No.61732021).
Notes
1. \(\pi _1\) denotes the projection onto \(\langle \vec {b}_1 \rangle ^\perp \).
References
Bauer, A., Joux, A.: Toward a rigorous variation of Coppersmith’s algorithm on three variables. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 361–378. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_21
Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_30
Cheon, J.H., Cho, W., Hhan, M., Kim, J., Lee, C.: Algorithms for CRT-variant of approximate greatest common divisor problem. J. Math. Cryptol. 14(1), 397–413 (2020)
Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi, M., Yun, A.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_20
Cheon, J.H., Lee, H.T., Seo, J.H.: A new additive homomorphic encryption based on the co-ACD problem. In: Ahn, G., Yung, M., Li, N. (eds.) ACM SIGSAC Conference on Computer and Communications Security, pp. 287–298. ACM (2014)
Cohn, H., Heninger, N.: Approximate common divisors via lattices. CoRR abs/1108.2714 (2011)
Cominetti, E.L., Simplicio Jr., M.A.: Fast additive partially homomorphic encryption from the approximate common divisor problem. IEEE Trans. Inf. Forensics Secur. 15, 2988–2998 (2020)
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_16
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_14
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Coron, J.-S., Faugère, J.-C., Renault, G., Zeitoun, R.: Factoring \(N=p^rq^s\) for large r and s. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 448–464. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_26
Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_28
Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_27
Coron, J., Notarnicola, L., Wiese, G.: Simultaneous diagonalization of incomplete matrices and applications. CoRR abs/2005.13629 (2020)
Coron, J.-S., Zeitoun, R.: Improved factorization of \(N=p^rq^s\). In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 65–79. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_4
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2
Fouque, P.-A., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of the co-ACD assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 561–580. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_27
Galbraith, S.D., Gebregiyorgis, S.W., Murphy, S.: Algorithms for the approximate common divisor problem. IACR Cryptology ePrint Archive, p. 215 (2016)
Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_4
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024458
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18
Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_22
Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_25
Lenstra, A.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 189–213. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_9
May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003). http://ubdata.uni-paderborn.de/ediss/17/2003/may/disserta.pdf
May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm - Survey and Applications. ISC, pp. 315–348. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1_10
May, A., Nowakowski, J., Sarkar, S.: Partial key exposure attack on short secret exponent CRT-RSA. IACR Cryptology ePrint Archive, p. 972 (2021)
Nguyen, P., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052236
Nguyen, P., Stern, J.: Cryptanalysis of a fast public key cryptosystem presented at SAC ’97. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 213–218. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_17
Nguyen, P., Stern, J.: The hardness of the hidden subset sum problem and its cryptographic implications. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 31–46. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_3
Suzuki, K., Takayasu, A., Kunihiro, N.: Extended partial key exposure attacks on RSA: improvement up to full size decryption exponents. Theor. Comput. Sci. 841, 62–83 (2020)
Xu, J., Sarkar, S., Hu, L., Wang, H., Pan, Y.: New results on modular inversion hidden number problem and inversive congruential generator. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 297–321. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_11
Acknowledgements
The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Natural Science Foundation of China (No.61732021) and the National Key R&D Program of China (No.2018YFB0803801 and No.2018YFA0704704).
A Calculation of \(w_N\) and \(w_X\)
First, we compute \(w_X\):
Since \(s_1, \ldots , s_m\) play symmetric roles (they are identical in value range and weight), we have \(\sum _{0\le s_1+\cdots +s_m\le t}s_1=\cdots =\sum _{0\le s_1+\cdots +s_m\le t}s_m.\) This way, we get
Next, we compute \(w_N=\sum \limits _{0\le s_1+\ldots +s_m\le t}(t-\sum \limits ^{n-1}_{j=1}\lfloor \frac{s_j}{n}\rfloor -\sum \limits ^m_{k=n}s_k)\). Clearly,
Denote \(\lfloor \frac{s_j}{n}\rfloor =\frac{s_j}{n}-\delta _j\) where \(0 \le \delta _j <1\), then
Moreover,
Summarizing the above analysis, we find
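The closed forms for \(w_X\) and \(w_N\) are not reproduced on this page, but the defining sums are. The following Python, an added worked example and not code from the paper, enumerates the index set \(0\le s_1+\cdots +s_m\le t\) directly and evaluates those sums for small, hand-checkable parameters. It checks the two identities the appendix relies on: that every coordinate \(s_i\) has the same total over the index set, and that substituting \(\lfloor s_j/n\rfloor = s_j/n-\delta _j\) leaves \(w_N\) unchanged. The parameter values used below are constructed for illustration and are not the paper's.

```python
from fractions import Fraction
from math import comb

# Constructed worked example for Appendix A: enumerate 0 <= s_1 + ... + s_m <= t
# and evaluate the sums that define w_N. The paper's closed forms are not
# reproduced here; this only checks the identities the appendix states.


def simplex_points(m, t):
    """Yield every tuple (s_1, ..., s_m) of non-negative integers with s_1 + ... + s_m <= t."""
    if m == 0:
        yield ()
        return
    for s in range(t + 1):
        for rest in simplex_points(m - 1, t - s):
            yield (s,) + rest


def point_count(m, t):
    """Number of index tuples in the sum."""
    return sum(1 for _ in simplex_points(m, t))


def point_count_matches_binomial(m, t):
    """Sanity check: the index set has C(t + m, m) elements (stars and bars)."""
    return point_count(m, t) == comb(t + m, m)


def coordinate_sum(m, t, i):
    """sum_{0 <= s_1+...+s_m <= t} s_i for the 1-based coordinate i."""
    return sum(s[i - 1] for s in simplex_points(m, t))


def coordinate_sums_agree(m, t):
    """The symmetry claim of the appendix: every coordinate has the same total."""
    totals = {coordinate_sum(m, t, i) for i in range(1, m + 1)}
    return len(totals) == 1


def w_N_direct(m, n, t):
    """w_N = sum (t - sum_{j=1}^{n-1} floor(s_j / n) - sum_{k=n}^{m} s_k), exactly as defined."""
    total = 0
    for s in simplex_points(m, t):
        floor_part = sum(s_j // n for s_j in s[: n - 1])  # j = 1 .. n-1
        tail_part = sum(s[n - 1 :])                        # k = n .. m
        total += t - floor_part - tail_part
    return total


def w_N_decomposed(m, n, t):
    """Same quantity via floor(s_j / n) = s_j / n - delta_j with 0 <= delta_j < 1:
    the floor sum splits into an exact rational part and a correction sum of the delta_j."""
    count = point_count(m, t)
    rational_part = Fraction(0)
    delta_part = Fraction(0)
    for j in range(1, n):
        for s in simplex_points(m, t):
            rational_part += Fraction(s[j - 1], n)
            delta_part += Fraction(s[j - 1], n) - (s[j - 1] // n)
    tail_part = sum(coordinate_sum(m, t, k) for k in range(n, m + 1))
    return t * count - rational_part + delta_part - tail_part


if __name__ == "__main__":
    # Constructed parameters, small enough to verify by hand.
    for m, n, t in [(2, 2, 2), (3, 2, 1), (4, 3, 3)]:
        print(
            f"m={m} n={n} t={t}: points={point_count(m, t)} "
            f"symmetric={coordinate_sums_agree(m, t)} "
            f"w_N={w_N_direct(m, n, t)} (decomposed: {w_N_decomposed(m, n, t)})"
        )
```

For \(m=n=t=2\) the six index tuples give \(w_N=7\), and the decomposed evaluation, \(2\cdot 6-\tfrac{4}{2}+1-4\), returns the same value, which is the consistency one wants before trusting a closed-form exponent in a Coppersmith-style lattice construction.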
Copyright information
© 2022 Springer Nature Switzerland AG
Cite this paper
Gao, J., Xu, J., Wang, T., Hu, L. (2022). New Results of Breaking the CLS Scheme from ACM-CCS 2014. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_3
DOI: https://doi.org/10.1007/978-3-031-15777-6_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6