Cryptanalysis of a (Somewhat) Additively Homomorphic Encryption Scheme Used in PIR

  • Tancrède Lepoint
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8976)


Private Information Retrieval (PIR) protects users’ privacy in outsourced storage applications and can be achieved using additively homomorphic encryption schemes. Several PIR schemes with a “real world” level of practicality, both in terms of computational and communication complexity, have recently been studied and implemented. One of the possible building blocks is a conceptually simple and computationally efficient protocol proposed by Trostle and Parrish at ISC 2010, which relies on an underlying secret-key (somewhat) additively homomorphic encryption scheme and has been reused in numerous subsequent works in the PIR community (PETS 2012, FC 2013, NDSS 2014, etc.).

In this paper, we show that this encryption scheme is not one-way: we present an attack that decrypts arbitrary ciphertexts without the secret key and is quite efficient, as it amounts to applying the LLL algorithm twice on small matrices. Used against existing practical instantiations of PIR protocols, it allows the server to recover the users’ access pattern in a matter of seconds.




  1. [BPMÖ12] Blass, E.-O., Di Pietro, R., Molva, R., Önen, M.: PRISM – privacy-preserving search in MapReduce. In: Fischer-Hübner, S., Wright, M. (eds.) PETS 2012. LNCS, vol. 7384, pp. 180–200. Springer, Heidelberg (2012)
  2. [CKGS98] Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)
  3. [CNT10] Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010)
  4. [DSH14] Doröz, Y., Sunar, B., Hammouri, G.: Bandwidth efficient PIR from NTRU. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) FC 2014 Workshops. LNCS, vol. 8438, pp. 195–207. Springer, Heidelberg (2014)
  5. [EÖM14] Elkhiyaoui, K., Önen, M., Molva, R.: Privacy preserving delegated word search in the cloud. In: Obaidat, M.S., Holzinger, A., Samarati, P. (eds.) SECRYPT 2014, pp. 137–150. SciTePress (2014)
  6. [Gen09] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 169–178. ACM (2009)
  7. [GZL+13] Gao, Z., Zhu, H., Liu, Y., Li, M., Cao, Z.: Location privacy in database-driven cognitive radio networks: attacks and countermeasures. In: INFOCOM 2013, pp. 2751–2759. IEEE (2013)
  8. [IOM97] Itoh, K., Okamoto, E., Mambo, M.: Proposal of a fast public key cryptosystem. In: Adams, C., Just, M. (eds.) SAC 1997, pp. 224–230 (1997)
  9. [KO97] Kushilevitz, E., Ostrovsky, R.: Replication is NOT needed: SINGLE database, computationally-private information retrieval. In: FOCS 1997, pp. 364–373. IEEE Computer Society (1997)
  10. [LLL82] Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
  11. [MBC13] Mayberry, T., Blass, E.-O., Chan, A.H.: PIRMAP: efficient private information retrieval for MapReduce. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 371–385. Springer, Heidelberg (2013)
  12. [MBC14] Mayberry, T., Blass, E.-O., Chan, A.H.: Efficient private file retrieval by combining ORAM and PIR. In: NDSS 2014 (2014)
  13. [NS97] Nguyen, P.Q., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997)
  14. [NS98] Nguyen, P.Q., Stern, J.: Cryptanalysis of a fast public key cryptosystem presented at SAC 1997. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, p. 213. Springer, Heidelberg (1999)
  15. [NS01] Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)
  16. [NT12] Nguyen, P.Q., Tibouchi, M.: Lattice-based fault attacks on signatures. In: Joye, M., Tunstall, M. (eds.) Fault Analysis in Cryptography. Information Security and Cryptography, pp. 201–220. Springer (2012)
  17. [S+14] Stein, W.A., et al.: Sage Mathematics Software (Version 6.2). The Sage Development Team (2014)
  18. [TP10] Trostle, J., Parrish, A.: Efficient computationally private information retrieval from anonymity or trapdoor groups. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 114–128. Springer, Heidelberg (2011)

Copyright information

© International Financial Cryptography Association 2015

Authors and Affiliations

  1. CryptoExperts, Paris, France
  2. NTT Secure Platform Laboratories, Tokyo, Japan
