Cryptanalysis of the Co-ACD Assumption
At ACM-CCS 2014, Cheon, Lee and Seo introduced a new number-theoretic assumption, the Co-Approximate Common Divisor (Co-ACD) assumption, based on which they constructed several cryptographic primitives, including a particularly fast additively homomorphic encryption scheme. For their proposed parameters, they found that their scheme was the “most efficient of those that support an additive homomorphic property”. Unfortunately, it turns out that those parameters, originally aiming at 128-bit security, can be broken in a matter of seconds.
Indeed, this paper presents several lattice-based attacks against the Cheon–Lee–Seo (CLS) homomorphic encryption scheme and the underlying Co-ACD assumption that are effectively devastating for the proposed constructions. A few known plaintexts are sufficient to decrypt any ciphertext in the symmetric-key CLS scheme, and small messages can even be decrypted without any known plaintext at all. This breaks the security of both the symmetric-key and the public-key variants of CLS encryption, as well as the underlying decisional Co-ACD assumption. Moreover, Coppersmith techniques can be used to solve the search variant of the Co-ACD problem and mount a full key recovery on the CLS scheme.
Keywords: Cryptanalysis, Lattice reduction, Coppersmith theorem, Homomorphic encryption, Co-ACD problem
The authors thank Jung Hee Cheon, Paul Kirchner, Changmin Lee, Guénaël Renault, Jae Hong Seo, and Yong Soo Song for helpful discussions. The second author was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education (No. 2012R1A1A2039129).