New Results of Breaking the CLS Scheme from ACM-CCS 2014

Part of the Lecture Notes in Computer Science book series (LNCS, volume 13407)

Abstract

At ACM-CCS 2014, Cheon, Lee and Seo introduced a particularly fast additively homomorphic encryption scheme (the CLS scheme) based on a new number-theoretic assumption, the co-Approximate Common Divisor (co-ACD) assumption. At Crypto 2015, however, Fouque et al. presented several lattice-based attacks that effectively broke the scheme: they showed that a few known plaintexts suffice to break both the symmetric-key and the public-key variants, and they gave a heuristic lattice method for solving the search co-ACD problem.

In this paper, we mainly reduce the number of samples the attacks require, and we propose a new key-recovery attack. We first give an effective attack based on Coppersmith's method that solves the co-ACD problem when \(N=p_1\cdots p_n\) is known. When n lies within a certain range, our attack is theoretically valid for a wider range of parameters. For \(n=2\), we solve the problem with only two samples, which, to the best of our knowledge, is the fewest samples required by any attack so far. A known-plaintext attack on the CLS scheme reduces directly to solving the co-ACD problem with known N, so the private key can again be recovered from fewer samples than before. Finally, we present a ciphertext-only attack that combines a direct lattice attack with Coppersmith's method; it recovers the key from a smaller number of ciphertexts and places no restriction on the plaintext size, but it requires N to be known. All of our attacks are heuristic, but we have verified experimentally that they run efficiently for the parameters proposed for the CLS scheme, which our experiments break in seconds.

Keywords

  • co-ACD problem
  • Lattice
  • LLL algorithm
  • Coppersmith’s method

The work of this paper was supported in part by the National Natural Science Foundation of China (No.61732021).

Notes

  1. \(\pi _1\) denotes the projection onto \(\langle \vec {b}_1 \rangle ^\perp \).

References

  1. Bauer, A., Joux, A.: Toward a rigorous variation of Coppersmith's algorithm on three variables. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 361–378. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_21

  2. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_30

  3. Cheon, J.H., Cho, W., Hhan, M., Kim, J., Lee, C.: Algorithms for CRT-variant of approximate greatest common divisor problem. J. Math. Cryptol. 14(1), 397–413 (2020)

  4. Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi, M., Yun, A.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_20

  5. Cheon, J.H., Lee, H.T., Seo, J.H.: A new additive homomorphic encryption based on the co-ACD problem. In: Ahn, G., Yung, M., Li, N. (eds.) ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 287–298. ACM (2014)

  6. Cohn, H., Heninger, N.: Approximate common divisors via lattices. CoRR abs/1108.2714 (2011)

  7. Cominetti, E.L., Simplicio, M.A., Jr.: Fast additive partially homomorphic encryption from the approximate common divisor problem. IEEE Trans. Inf. Forensics Secur. 15, 2988–2998 (2020)

  8. Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_16

  9. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_14

  10. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

  11. Coron, J.-S., Faugère, J.-C., Renault, G., Zeitoun, R.: Factoring \(N=p^rq^s\) for large r and s. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 448–464. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_26

  12. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully homomorphic encryption over the integers with shorter public keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_28

  13. Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 446–464. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_27

  14. Coron, J.-S., Notarnicola, L., Wiese, G.: Simultaneous diagonalization of incomplete matrices and applications. CoRR abs/2005.13629 (2020)

  15. Coron, J.-S., Zeitoun, R.: Improved factorization of \(N=p^rq^s\). In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 65–79. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_4

  16. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_2

  17. Fouque, P.-A., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of the co-ACD assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 561–580. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_27

  18. Galbraith, S.D., Gebregiyorgis, S.W., Murphy, S.: Algorithms for the approximate common divisor problem. IACR Cryptology ePrint Archive, Report 2016/215 (2016)

  19. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_4

  20. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024458

  21. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6

  22. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18

  23. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_22

  24. Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_25

  25. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)

  26. Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 189–213. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_9

  27. May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003). http://ubdata.uni-paderborn.de/ediss/17/2003/may/disserta.pdf

  28. May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm - Survey and Applications. ISC, pp. 315–348. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1_10

  29. May, A., Nowakowski, J., Sarkar, S.: Partial key exposure attack on short secret exponent CRT-RSA. IACR Cryptology ePrint Archive, Report 2021/972 (2021)

  30. Nguyen, P., Stern, J.: Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 198–212. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052236

  31. Nguyen, P., Stern, J.: Cryptanalysis of a fast public key cryptosystem presented at SAC '97. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 213–218. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_17

  32. Nguyen, P., Stern, J.: The hardness of the hidden subset sum problem and its cryptographic implications. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 31–46. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_3

  33. Suzuki, K., Takayasu, A., Kunihiro, N.: Extended partial key exposure attacks on RSA: improvement up to full size decryption exponents. Theor. Comput. Sci. 841, 62–83 (2020)

  34. Xu, J., Sarkar, S., Hu, L., Wang, H., Pan, Y.: New results on modular inversion hidden number problem and inversive congruential generator. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 297–321. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_11

Acknowledgements

The authors would like to thank the anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Natural Science Foundation of China (No. 61732021) and the National Key R&D Program of China (No. 2018YFB0803801 and No. 2018YFA0704704).

Corresponding author

Correspondence to Jun Xu.

A Calculation of \(w_N\) and \(w_X\)

First, we compute \(w_X\):

$$\begin{aligned} \begin{aligned} w_X&=\sum \limits _{0\le s_1+\ldots +s_m\le t}\sum \limits _{k=1}^ms_k=\sum \limits _{0\le s_1+\ldots +s_m\le t}(s_1+\cdots +s_m)\\&=\sum \limits ^t_{l=0}\sum \limits _{s_1+\cdots +s_m=l}l=\sum \limits ^t_{l=0}l\left( {\begin{array}{c}m+l-1\\ m-1\end{array}}\right) \\&=m\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) .\\ \end{aligned} \end{aligned}$$

Since \(s_1, \cdots , s_m\) play symmetric roles in the index set (each coordinate takes the same values with the same multiplicity), \(\sum _{0\le s_1+\ldots +s_m\le t}s_1=\cdots =\sum _{0\le s_1+\cdots +s_m\le t}s_m.\) Hence

$$ \sum _{0\le s_1+\ldots +s_m\le t}s_i=\frac{1}{m}\sum \limits _{0\le s_1+\ldots +s_m\le t}\sum \limits _{k=1}^ms_k=\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) $$

Next, we compute \(w_N=\sum \limits _{0\le s_1+\ldots +s_m\le t}(t-\sum \limits ^{n-1}_{j=1}\lfloor \frac{s_j}{n}\rfloor -\sum \limits ^m_{k=n}s_k)\). Clearly,

$$\sum \limits _{0\le s_1+\cdots +s_m\le t}t=t\sum \limits _{0\le s_1+\cdots +s_m\le t}1=t\left( {\begin{array}{c}m+t\\ m\end{array}}\right) .$$

Denote \(\lfloor \frac{s_j}{n}\rfloor =\frac{s_j}{n}-\delta _j\) where \(0 \le \delta _j <1\), then

$$\begin{aligned} \begin{aligned} -\sum \limits _{0\le s_1+\ldots +s_m\le t}\sum ^{n-1}_{j=1}\lfloor \frac{s_j}{n}\rfloor&=\sum \limits _{0\le s_1+\ldots +s_m\le t}\left( -\frac{s_1+\cdots +s_{n-1}}{n}+\delta _1+\cdots +\delta _{n-1}\right) \\&=-\frac{n-1}{n}\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) +\sum \limits _{0\le s_1+\ldots +s_m\le t}(\delta _1+\cdots +\delta _{n-1})\\&<-\frac{n-1}{n}\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) +(n-1)\left( {\begin{array}{c}m+t\\ m\end{array}}\right) .\\ \end{aligned} \end{aligned}$$

Moreover,

$$ -\sum _{0\le s_1+\ldots +s_m\le t}\sum \limits ^m_{k=n}s_k=-(m-n+1)\sum _{0\le s_1+\ldots +s_m\le t}s_i=-(m-n+1)\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) . $$

Summarizing the above analysis, we find

$$\begin{aligned} \begin{aligned} w_N&<t\left( {\begin{array}{c}m+t\\ m\end{array}}\right) -\frac{n-1}{n}\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) +(n-1)\left( {\begin{array}{c}m+t\\ m\end{array}}\right) -(m-n+1)\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) \\&=\frac{-mn-2n+n^2+1}{n}\left( {\begin{array}{c}m+t\\ m+1\end{array}}\right) +(t+n-1)\left( {\begin{array}{c}m+t\\ m\end{array}}\right) .\\ \end{aligned} \end{aligned}$$

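The two counting results above are easy to get wrong by an off-by-one in the index set, and they feed directly into the determinant bound of the Coppersmith lattice, so it is worth checking them mechanically before trusting a parameter range. The following Python script is an added check written for this page, not code from the paper: it enumerates the index set \(0\le s_1+\cdots +s_m\le t\) directly, accumulates \(w_X\) and \(w_N\) term by term, and compares them with the closed form \(m\binom{m+t}{m+1}\) and with the upper bound on \(w_N\). The function names are ours, as is the restriction \(2\le n\le m\): with \(n\ge 2\) at least one floor term is present, so every \(\delta _j<1\) makes the bound strict, whereas for \(n=1\) the bound is attained with equality.

```python
from fractions import Fraction
from itertools import product
from math import comb


def exponent_set(m, t):
    """Index set of the appendix sums: all (s_1, ..., s_m) of non-negative
    integers with 0 <= s_1 + ... + s_m <= t.  Its size is C(m+t, m)."""
    return [s for s in product(range(t + 1), repeat=m) if sum(s) <= t]


def w_x_exact(m, t):
    """w_X computed term by term: the sum of s_1 + ... + s_m over the set."""
    return sum(sum(s) for s in exponent_set(m, t))


def w_x_closed(m, t):
    """Closed form derived in the appendix: w_X = m * C(m+t, m+1)."""
    return m * comb(m + t, m + 1)


def w_n_exact(m, n, t):
    """w_N computed term by term:
    sum over the set of  t - sum_{j=1}^{n-1} floor(s_j / n) - sum_{k=n}^{m} s_k.
    Assumes 2 <= n <= m (our assumption for this check), so that
    s_1..s_{n-1} carry the floor weight and s_n..s_m enter with weight 1."""
    if not 2 <= n <= m:
        raise ValueError("this check assumes 2 <= n <= m")
    total = 0
    for s in exponent_set(m, t):
        floor_part = sum(s[j] // n for j in range(n - 1))  # s_1 .. s_{n-1}
        linear_part = sum(s[n - 1:])                       # s_n .. s_m
        total += t - floor_part - linear_part
    return total


def w_n_upper_bound(m, n, t):
    """Upper bound from the appendix, kept as an exact rational:
    w_N < ((-mn - 2n + n^2 + 1) / n) * C(m+t, m+1) + (t + n - 1) * C(m+t, m).
    The inequality is strict for n >= 2 because every delta_j is < 1."""
    return (Fraction(-m * n - 2 * n + n * n + 1, n) * comb(m + t, m + 1)
            + (t + n - 1) * comb(m + t, m))


def check_appendix(m, n, t):
    """True iff |set| = C(m+t, m), w_X equals its closed form, and w_N lies
    strictly below the appendix bound for these (m, n, t)."""
    return (len(exponent_set(m, t)) == comb(m + t, m)
            and w_x_exact(m, t) == w_x_closed(m, t)
            and w_n_exact(m, n, t) < w_n_upper_bound(m, n, t))


if __name__ == "__main__":
    # Small grid; enumeration visits (t+1)^m vectors, so keep m and t modest.
    for m in range(2, 6):
        for t in range(1, 6):
            for n in range(2, m + 1):
                assert check_appendix(m, n, t), (m, n, t)
    print("w_X closed form and w_N bound confirmed on the grid")
```

The enumeration is exponential in m, so it is only a sanity check for the small (m, t) one actually uses to size a lattice; the closed forms are what go into the asymptotic condition.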
Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Gao, J., Xu, J., Wang, T., Hu, L. (2022). New Results of Breaking the CLS Scheme from ACM-CCS 2014. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_3

  • DOI: https://doi.org/10.1007/978-3-031-15777-6_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15776-9

  • Online ISBN: 978-3-031-15777-6