When Homomorphism Becomes a Liability
We show that an encryption scheme cannot have a simple decryption function and be homomorphic at the same time, even with added noise. Specifically, if a scheme can homomorphically evaluate the majority function, then its decryption cannot be weakly-learnable (in particular, linear), even if the probability of decryption error is high. (In contrast, without homomorphism, such schemes do exist and are presumed secure, e.g. based on LPN.)
An immediate corollary is that known schemes that are based on the hardness of decoding in the presence of low hamming-weight noise cannot be fully homomorphic. This applies to known schemes such as LPN-based symmetric or public key encryption.
Using these techniques, we show that the recent candidate fully homomorphic encryption, suggested by Bogdanov and Lee (ePrint ’11, henceforth BL), is insecure. In fact, we show two attacks on the BL scheme: One that uses homomorphism, and another that directly attacks a component of the scheme.
KeywordsEncryption Scheme Homomorphic Encryption Decryption Function Decryption Error Cryptology ePrint Archive
- 1.Alekhnovich, M.: More on average case vs approximation complexity. In: FOCS, pp. 298–307. IEEE Computer Society (2003)Google Scholar
- 3.Bogdanov, A., Lee, C.H.: Homomorphic encryption from codes. Cryptology ePrint Archive, Report 2011/622 (2011), http://eprint.iacr.org/
- 5.Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012 (2012), http://eprint.iacr.org/2011/277
- 7.Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky , pp. 97–106, References are to full version http://eprint.iacr.org/2011/344
- 8.Gauthier, V., Otmani, A., Tillich, J.-P.: A distinguisher-based attack of a homomorphic encryption scheme relying on reed-solomon codes. Cryptology ePrint Archive, Report 2012/168 (2012), http://eprint.iacr.org/
- 9.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
- 14.Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: Lewis, H.R., Simons, B.B., Burkhard, W.A., Landweber, L.H. (eds.) STOC, pp. 365–377. ACM (1982)Google Scholar
- 17.Ostrovsky, R. (ed.): IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, Palm Springs, CA, USA, October 22-25. IEEE (2011)Google Scholar
- 18.Schapire, R.E.: The strength of weak learnability. Machine Learning 5, 197–227 (1990); Preliminary version in FOCS 1989Google Scholar
- 20.Vaikuntanathan, V.: Computing blindfolded: New developments in fully homomorphic encryption. In: Ostrovsky , pp. 5–16Google Scholar