key: cord-0047228-sj631oc3
authors: Borovik, Alexandre; Yalçınkaya, Şükrü
title: Homomorphic Encryption and Some Black Box Attacks
date: 2020-06-06
journal: Mathematical Software - ICMS 2020
DOI: 10.1007/978-3-030-52200-1_11
sha: 9fbbad6261b6688e1a440671f82578e8de16aa33
doc_id: 47228
cord_uid: sj631oc3

This paper is a compressed summary of some principal definitions and concepts in the approach to the black box algebra being developed by the authors [6–8]. We suggest that black box algebra could be useful in cryptanalysis of homomorphic encryption schemes [11], and that homomorphic encryption is an area of research where cryptography and black box algebra may benefit from exchange of ideas.

resources, while Bob has computational facilities for processing ciphertexts using operators X . Alice may wish to enter into a contract with Bob; in a realistic scenario, Alice is one of the many customers of the encrypted data processing service run by Bob, and all customers use the same ambient structure A upto isomorphism and formats of data and operators which are for that reason are likely to be known to Bob. What is not known to Bob is the specific password protected encryption used by Alice. This is what is known in cryptology as Kerckhoff's Principle: obscurity is no security, the security of encryption should not rely on details of the protocol being held secret; see [11] for historic details.

Alice encrypts plaintexts a 1 and a 2 and sends ciphertexts E(a 1 ) and E(a 2 ) to Bob, who computes

without having access to the content of plaintexts a 1 and a 2 , then return the output x to Alice who decrypts it using the decryption function E −1 :

In this set-up, we say that the homomorphic encryption scheme is based on the algebraic structure A or the homomorphism E is a homomorphic encryption of the algebraic structure A.

To simplify exposition, we assume that the encryption function E is deterministic, that is, E establishes a one-to-one correspondence between A and X. Of course, this is a strong assumption in the cryptographic context; it is largely unnecessary for our analysis, but, for the purposes of this paper, allows us to avoid technical details and makes it easier to explain links with the black box algebra.

In algebraic terms, A and X as introduced above are algebraic structures with operations on them which we refer to as algebraic operations and E : A −→ X is a homomorphism. In this paper we assume that the algebraic structure A is finite as a set. This is not really essential for our analysis, many observations are relevant for the infinite case as well, but handling probability distributions (that is, random elements) on infinite sets is beyond the scope of the present paper.

We discuss a class of potential attacks on homomorphic encryption of A. Our discussion is based on a simple but fundamental fact of algebra that a map E : A −→ X of algebraic structures of the same type is a homomorphism if and only if its graph

is a substructure of A×X, that is, closed under all algebraic operations on A×X.

Obviously, Γ (E) is isomorphic to A and we shall note the following observation:

if an algebraic structure A has a rich internal configuration (has many substructures with complex interactions between them), the graph Γ (E) of a homomorphic encryption E : A −→ X also has a rich (admittedly hidden) internal configuration, and this could make it vulnerable to an attack from Bob.

We suggest that before attempting to develop a homomorphic encryption scheme based on a particular algebraic structure A, the latter needs to be examined by black box theory methods -as examples in this paper show, it could happen that all homomorphic encryption schemes on A are insecure.

A black box algebraic structure X is a black box (device, algorithm, or oracle) which produces and operates with 0-1 strings of uniform length l(X) encrypting (not necessarily in a unique way) elements of some fixed algebraic structure A: if x is one of these strings then it corresponds to a unique (but unknown to us) element π(x) ∈ A. Here, π is the decrypting map, not necessarily known to us in advance. We call the strings produced or computed by X cryptoelements.

Our axioms for black boxes are the same as in [6] [7] [8] , but stated in a more formal language.

BB1 On request, X produces a 'random' cryptoelement x as a string of fixed length l(X), which depends on X, which encrypts an element π(x) of some fixed explicitly given algebraic structure A; this is done in time polynomial in l(X). When this procedure is repeated, the elements π(x 1 ), π(x 2 ), . . . are independent and uniformly distributed in A.

To avoid messy notation, we assume that operations on A are unary or binary; a general case can be treated in exactly the same way.

BB2 On request, X performs algebraic operations on the encrypted strings which correspond to operations in A in a way which makes the map π (unknown to us!) a homomorphism: for every binary (unary case is similar) operation and strings x and y produced or computed by X, π(x y) = π(x) π(y).

It should be noted that we do not assume the existence of an algorithm which allows us to decide whether a specific string can be potentially produced by X; requests for operations on strings can be made only in relation to cryptoelements previously output by X. Also, we do not make any assumptions on probabilistic distribution of cryptoelements.

BB3 On request, X determines, in time polynomial in l(X), whether two cryptoelements x and y encrypt the same element in A, that is, check whether π(x) = π(y).

We say in this situation that a black box X encrypts the algebraic structure A and we denote this as X A.

Clearly, in black box problems, the decrypting map π is not given in advance. However, it is useful to think about any algebraic structure (say, a finite field) implemented on a computer as a trivial black box, with π being the identity map, and with random elements produced with the help of a random number generator. In this situation, obviously, the axioms BB1-BB3 hold.

In our algorithms, we have to build new black boxes from existing ones and work with several black box structures at once: this is why we have to keep track of the length l(X) on which a specific black box X operates. For example, it turns out in [8] that it is useful to consider an automorphism of A as a graph in A × A. This produces an another algebraic structure isomorphic to A which can be seen as being encrypted by a black box Z producing, and operating on, certain pairs of strings from X, see [8] for more examples. In this case, clearly, l(Z) = 2l(X).

Given two black boxes X and Y encrypting algebraic structures A and B, respectively, we say that a map φ which assigns strings produced by X to strings produced by Y is a morphism of black boxes, if -the map φ is computable in time polynomial in l(X) and l(Y), and -there is a homomorphism φ : A → B such that the following diagram is commutative:

where π X and π Y are the canonical projections of X and Y onto A and B, respectively.

We say in this situation that a morphism φ encrypts the homomorphism φ and call φ bijective, injective, etc., if φ has these properties.

Construction of a new black box Y in a given black box X A can be formally described as follows. Strings of Y are concatenated n-tuples of strings (x 1 , . . . , x n ) from X produced by a polynomial time algorithm which uses operations on X; new operations on Y are also polynomial time algorithms running on X, as well as the algorithm for checking the new identity relation = Y on Y.

If this is done in a consistent way and axioms BB1-BB3 hold in Y, then Y encrypts an algebraic structure B which can be obtained from the structure A by a similar construction, with algorithms replaced by description of their outputs by formulae of first order language in the signature of A. At this point we are entering the domain of model theory, and full discussion of this connection can be found in our forthcoming paper [9] . Here we notice only that in model theory B is said to be interpreted in A, and if A is in its turn interpreted in B then A and B are called bi-intrepretable. A recent result on bi-interpretability between Chevalley groups and rings, relevant to our project is [20] .

Black box algebraic structures had been introduced by Babai and Szeméredi [4] in the special case of groups as an idealized setting for randomized algorithms for solving permutation and matrix group problems in computational group theory. Our Axioms BB1-BB3 are a slight modification -and generalization to arbitrary algebraic structures -of their original axioms.

So far, it appears that only finite groups, fields, rings, and, very recently, projective planes (in our paper [8] ) got a black box treatment. In the case of finite fields, the concept of a black box field can be traced back to Lenstra Jr [16] and Boneh and Lipton [5] , and in the case of rings -to Arvind [3] .

A higher level of abstraction introduced in our papers produces new tools allowing us to solve problems which previously were deemed to be intractable. For example, recently, a fundamental problem of constructing a unipotent element in black box groups encrypting PSL 2 was solved in odd characteristics via constructing a black box projective plane and its underlying black box field [8] .

There is an analogous recognition algorithm for the black box groups encrypting PSL 2 in even characteristic [15] .

A black box (finite) field K is a black box operating on 0-1 strings of uniform length which encrypts some finite field F. The oracle can compute x + y, xy, and x −1 (the latter for x = 0) and decide whether x = y for any strings x, y ∈ K. Notice in this definition that the characteristic of the field is not known. Such a definition is needed in our paper [8] to produce black box group algorithms which does not use characteristic of the underlying field. If the characteristic p of K is known then we say that K is a black box field of known characteristic p. We refer the reader to [5, 17] for more details on black box fields of known characteristic and their applications to cryptography.

The following theorem is a reformulation of the fundamental results in [17] .

Let K F p n be a black box field of known characteristic p and K 0 the prime subfield of K. Then the problem of finding two way morphisms between K and F p n can be reduced to the same problem for K 0 and F p . In particular, -a morphism K 0 −→ F p can be extended in time polynomial in the input length l(K) to a morphism K −→ F p n ; -there is a morphism F p n −→ K computable in time polynomial in l(K).

Here and in the rest of the paper, "efficient" means "computable in time polynomial in the input length".

In our terminology (Sect. 2.6), Theorem 1 provides a structural proxy for black box fields of known characteristic. Indeed, if K is a black box field of known characteristic p, then we can construct an isomorphism F p = Z/pZ −→ K 0 by the map m → 1 + 1 + · · · + 1 (m times)

where 1 is the unit in K 0 ; it is computable in linear in log p time by double-andadd method. We say that p is small if it is computationally feasible to make a lookup table for the inverse K 0 −→ F p of this map. Construction of a morphism F p ←− K 0 remains an open problem. However, we can observe that Corollary 1. Let K F p n , where p is a known small prime number. Then there exist two way morphisms between K and F p n .

Most groups of Lie type (we exclude 2 B 2 , 2 F 4 and 2 G 2 to avoid technical details) can be seen as functors G : F −→ G from the category of fields F with an automorphism of order 2 to the category of groups G. There are also other algebraic structures which can be defined in a similar way as functors from F, for example projective planes or simple Lie algebras (viewed as rings). The following problem is natural and, as our results show, useful in this context.

Construction of a structural proxy: Suppose that we are given a black box structure X A(F). Construct, in time polynomial in l(X),

• a black box field K F, and • two way bijective morphisms A(K) ←→ X.

If we construct a black box field K by using X as a computational engine, then we can construct the natural representation A(K) of the structure A over the black box field K. By Theorem 1, we can construct a polynomial time isomorphism F q −→ K which further provides an isomorphism A(F q ) −→ A(K) completing a structure recovery of X.

Structural proxies and structure recovery play a crucial role for algorithms developed in Theorem 3. We summarize relevant results about constructing structural proxies of black box algebraic structures from our papers [6, 8] .

We can construct structural proxies for the following black box structures.

(a) P P 2 (F), a projective plane with a polarity encrypting a projective plane P 2 (F) over a finite field F of odd characteristic.

(b) X SO 3 (F), (P)SL 2 (F) over a finite field F of unknown odd characteristic, under the assumption that we know a global exponent E of X, that is, E such that x E = 1 for all x ∈ X and log E is polynomially bounded in terms of l(X). (c) R M 2×2 (F q ), a black box ring encrypting the ring of 2 × 2 matrices over the known finite field F q of odd characteristic.

As explained in Subsection 1.1, we assume that the algebraic structure A of plaintexts is represented in some standard form known to Bob. In agreement with the standard language of algebra -and with our terminology in [8] -we shall use the words plain element or just element in place of 'plaintext' and cryptoelement in place of 'ciphertext'. Let A be a set of plain elements, X a set of cryptoelements, and E be the encryption function, that is, an isomorphism E : A −→ X.

Supply of random cryptoelements from X postulated in Axiom BB1 can be achieved by sampling a big dataset of cryptoelements provided by Alice, or computed on request from Alice. The computer system controlled by Bob performs algebraic operations referred to in Axiom BB2.

Axiom BB3 is redundant under the assumption that E : A −→ X is a bijection but it gives us more freedom to construct new black boxes, for example, homomorphic images of X. Axiom BB3 could also be useful for handling another quite possible scenario: For Alice, the cost of computing homomorphisms E and E −1 could be higher than the price charged by Bob for processing cryptoelements. In that case, it could be cheaper to transfer initial data to Bob (in encrypted form) and ask Bob to run a computer programme which uses the black box but does not send intermediate values back to Alice, returns only the final result; checking equality of cryptoelements becomes unavoidable.

We assume that Bob can accumulate a big dataset of cryptoelements sent from/to Alice, or intermediate results from running Alice's programme, and that he can feed, without Alice's knowledge, cryptoelements into a computer system (the black box ) which performs operations on them, and retain the outputs for peruse -again without Alice's knowledge. Bob's aim is to compute the decryption function E −1 efficiently, that is, in time polynomial in terms of the lengths of plain elements and cryptoelements involved.

As we discussed in Sect. 1.1, we can assume that Bob knows the algebraic structure A. Bob's aim is to find an efficient algorithm which maps cryptoelements from X to elements in A and vice versa while preserving the algebraic operations on X and A. This means solving the constructive recognition problem for X, that is, finding bijective morphisms α : X −→ A and β : A −→ X such that α • β is the identity map on A.

Assume that Bob solved the constructive recognition problem and can efficiently compute α and β.

Alice's encryption function is a map E : A −→ X; the composition δ = α • E is an automorphism of A. Therefore Bob reads not Alice's plaintexts a ∈ A, but their images δ(a) = α(E(a)) under an automorphism δ of A still unknown to him. This means that solving the constructive recognition problem for X reduces the problem of inverting the encryption homomorphism E : A −→ X to a much simpler problem of inverting the automorphism

We are again in the situation of homomorphic encryption, but this time the sets of plaintexts and ciphertexts are the same. One would expect that this encryption is easier to break. For example, if Bob can guess the plaintexts of a few cryptoelements, and if the automorphism group Aut A of A is well understood, computation of δ and δ −1 could be a more accessible problem than the constructive recognition for X. For example, automorphism groups of finite fields are very small, and in that case δ −1 can be found by direct inspection.

As soon as δ −1 is known, Bob knows E −1 = δ −1 • α and can decrypt everything. Moreover, since E = β • δ, the map E is also known and allows Bob to return to Alice cryptoelements which encrypt plaintexts of Bob's choice.

We suggest that this approach to analysis of homomorphic encryption is useful because it opens up connections to black box algebra. Indeed the theory of black box structures is reasonably well developed for groups and fields, and its methods could provide insight into assessment of security of other algebraic structures if any are proposed for use in homomorphic encryption.

The procedures described in Theorem 3 below are reformulations of the principal results of our Theorem 2 in a homomorphic encryption setup. They demonstrate the depth of structural analysis involved and suggest that a similarly deep but revealing structural theory can be developed for other algebraic structures if they are sufficiently rich ('rich' here can mean, for example, 'bi-interpretable with a finite field'). Also, it is worth noting that the procedures do not use any assumptions about the encryption homomorphism E, the analysis is purely algebraic.

Theorem 3. Assume that Alice and Bob run a homomorphic encryption protocol over the group A = SL 2 (F q ), q odd, with Bob doing computations with cryptoelements using a black box X A. Assume that Bob knows A, including the representation of the field F q used by Alice. Then, by Theorem 2, Bob can construct a structural proxy SL 2 (K) for X. Moreover:

(a) If, in addition, Bob has two way bijective morphisms between a black box field K and an explicitly given field F q (see Corollary 1), he gets two way bijective morphisms X ←→ SL 2 (F q ). (b) Under assumptions of (a), Bob gets an image of Alice's data transformed by an automorphism δ : SL 2 (F q ) −→ SL 2 (F q ) since Alice's group A is an explicitly given SL 2 (F q ). (c) Automorphisms of the group SL 2 (F q ) are well known: every automorphism is a product of an inner automorphism and a field automorphism induced by an automorphism of the field F q . Therefore if Bob can run a few instances of known plaintexts attacks against Alice, he can compute the automorphism δ and after that read plaintexts of all Alice's cryptoelements. Items (c) and (d) in Theorem 3 look as serious vulnerabilities of homomorphic encryptions of the groups SL 2 (F q ). We conclude that homomorphic encryption of groups SL 2 (F q ) is no more secure than homomorphic encryption of the field F q . As a consequence of Theorem 1, homomorphic encryption of SL 2 (F q ), q = p k , does not survive a known plaintext attack when the prime p > 2 is small.

We think that this is a manifestation of a more general issue: for small odd primes p, there are no secure homomorphic encryption schemes based on sufficiently rich (say, bi-interpretable with finite fields) algebraic structures functorially defined over finite fields of characteristic p.

A survey on homomorphic encryption schemes: theory and implementation

Recent advances in homomorphic encryption: a possible future for signal processing in the encrypted domain

The complexity of black-box ring problems

On the complexity of matrix group problems

Algorithms for black-box fields and their application to cryptography

Natural representations of black box groups SL2(Fq

New approaches in black box group theory

Adjoint representations of black box groups PSL2(Fq)

Black box algebra: model-theoretic connections

Practical homomorphic encryption over the integers

A survey of homomorphic encryption for nonspecialists

GAP -Groups, Algorithms, and Programming

Fully homomorphic encryption using ideal lattices

Implementing Gentry's fully-homomorphic encryption scheme

Black box groups isomorphic to PGL(2, 2 e )

Finding isomorphisms between finite fields

Black-box extension fields and the inexistence of fieldhomomorphic one-way permutations

A comparative study of homomorphic and searchable encryption schemes for cloud computing

Blind turing-machines: arbitrary private computations from group homomorphic encryption

Defining R and G(R)

Homomorphic encryption: theory & applications

Fully homomorphic encryption scheme with symmetric keys

Secure cloud computing through homomorphic encryption

Acknowledgement. The authors worked on this paper during their visits to the Nesin Mathematics Village, Turkey. We thank Jeff Burdges, Adrien Deloro, Alexander Konovalov, and Chris Stephenson for fruitful advice, and the referees for their most perceptive comments.