Abstract
This paper is a compressed summary of some principal definitions and concepts in the approach to the black box algebra being developed by the authors [6–8]. We suggest that black box algebra could be useful in cryptanalysis of homomorphic encryption schemes [11], and that homomorphic encryption is an area of research where cryptography and black box algebra may benefit from exchange of ideas.
Keywords: Homomorphic encryption, Black box groups, Probabilistic methods
Homomorphic Encryption
“Cloud computing” appears to be a hot topic in information technology; in a nutshell, this is the ability of small and computationally weak devices to delegate hard, resource-intensive computations to third party (and therefore untrusted) computers. To ensure the privacy of the data, the untrusted computer should receive data in an encrypted form while still being able to process it. This means that encryption should preserve the algebraic structural properties of the data. This is one of the reasons for the popularity of the idea of homomorphic encryption [1, 2, 10, 11, 13, 14, 18, 19, 21–23], which we describe here with some simplifications aimed at clarifying connections with black box algebra (as defined in Sect. 2.1).
Homomorphic Encryption: Basic Definitions
Let A and denote the sets of plaintexts and ciphertexts, respectively, and assume that we have some (say, binary) operators on A needed for processing data and corresponding operators on . An encryption function E is homomorphic if
for all plaintexts , and all operators on A.
Suppose that Alice is the owner of data represented by plaintexts in A which she would like to process using operators but has insufficient computational resources, while Bob has computational facilities for processing ciphertexts using operators . Alice may wish to enter into a contract with Bob; in a realistic scenario, Alice is one of the many customers of the encrypted data processing service run by Bob, and all customers use the same ambient structure A up to isomorphism and the same formats of data and operators, which for that reason are likely to be known to Bob. What is not known to Bob is the specific password-protected encryption used by Alice. This is what is known in cryptology as Kerckhoffs’ Principle: obscurity is no security, and the security of encryption should not rely on details of the protocol being held secret; see [11] for historic details.
Alice encrypts plaintexts and and sends ciphertexts and to Bob, who computes
without having access to the content of the plaintexts and , then returns the output to Alice, who decrypts it using the decryption function :
In this set-up, we say that the homomorphic encryption scheme is based on the algebraic structure A, or that the homomorphism E is a homomorphic encryption of the algebraic structure A.
To simplify exposition, we assume that the encryption function E is deterministic, that is, E establishes a one-to-one correspondence between A and . Of course, this is a strong assumption in the cryptographic context; it is largely unnecessary for our analysis, but, for the purposes of this paper, allows us to avoid technical details and makes it easier to explain links with the black box algebra.
Back to Algebra
In algebraic terms, A and as introduced above are algebraic structures with operations on them which we refer to as algebraic operations, and is a homomorphism. In this paper we assume that the algebraic structure A is finite as a set. This is not really essential for our analysis; many observations are relevant for the infinite case as well, but handling probability distributions (that is, random elements) on infinite sets is beyond the scope of the present paper.
We discuss a class of potential attacks on homomorphic encryption of A. Our discussion is based on a simple but fundamental fact of algebra that a map of algebraic structures of the same type is a homomorphism if and only if its graph
is a substructure of , that is, closed under all algebraic operations on . Obviously, is isomorphic to A, and we shall note the following observation:
if an algebraic structure A has a rich internal configuration (has many substructures with complex interactions between them), the graph of a homomorphic encryption also has a rich (admittedly hidden) internal configuration, and this could make it vulnerable to an attack from Bob.
We suggest that before attempting to develop a homomorphic encryption scheme based on a particular algebraic structure A, the latter needs to be examined by black box theory methods – as examples in this paper show, it could happen that all homomorphic encryption schemes on A are insecure.
Black Box Algebra
Axiomatic Description of Black Box Algebraic Structures
A black box algebraic structure is a black box (device, algorithm, or oracle) which produces and operates with 0–1 strings of uniform length encrypting (not necessarily in a unique way) elements of some fixed algebraic structure A: if is one of these strings then it corresponds to a unique (but unknown to us) element . Here, is the decrypting map, not necessarily known to us in advance. We call the strings produced or computed by cryptoelements.
Our axioms for black boxes are the same as in [6–8], but stated in a more formal language.
BB1 On request, produces a ‘random’ cryptoelement as a string of fixed length , which depends on , which encrypts an element of some fixed explicitly given algebraic structure A; this is done in time polynomial in . When this procedure is repeated, the elements are independent and uniformly distributed in A.
To avoid messy notation, we assume that operations on A are unary or binary; a general case can be treated in exactly the same way.
BB2 On request, performs algebraic operations on the encrypted strings which correspond to operations in A in a way which makes the map (unknown to us!) a homomorphism: for every binary (unary case is similar) operation and strings and produced or computed by ,
It should be noted that we do not assume the existence of an algorithm which allows us to decide whether a specific string can potentially be produced by ; requests for operations on strings can be made only in relation to cryptoelements previously output by . Also, we do not make any assumptions on the probabilistic distribution of cryptoelements.
BB3 On request, determines, in time polynomial in , whether two cryptoelements and encrypt the same element in A, that is, checks whether .
We say in this situation that a black box encrypts the algebraic structure A and we denote this as .
Clearly, in black box problems, the decrypting map is not given in advance. However, it is useful to think about any algebraic structure (say, a finite field) implemented on a computer as a trivial black box, with being the identity map, and with random elements produced with the help of a random number generator. In this situation, obviously, the axioms BB1–BB3 hold.
In our algorithms, we have to build new black boxes from existing ones and work with several black box structures at once: this is why we have to keep track of the length on which a specific black box operates. For example, it turns out in [8] that it is useful to consider an automorphism of A as a graph in . This produces another algebraic structure isomorphic to A which can be seen as being encrypted by a black box producing, and operating on, certain pairs of strings from ; see [8] for more examples. In this case, clearly, .
Morphisms
Given two black boxes and encrypting algebraic structures A and B, respectively, we say that a map which assigns strings produced by to strings produced by is a morphism of black boxes if
- the map is computable in time polynomial in and , and
- there is a homomorphism such that the following diagram is commutative:
where and are the canonical projections of and onto A and B, respectively.
We say in this situation that a morphism encrypts the homomorphism , and call bijective, injective, etc., if has these properties.
Construction and Interpretation
Construction of a new black box in a given black box can be formally described as follows. Strings of are concatenated n-tuples of strings from produced by a polynomial time algorithm which uses operations on ; new operations on are also polynomial time algorithms running on , as well as the algorithm for checking the new identity relation on .
If this is done in a consistent way and axioms BB1–BB3 hold in , then encrypts an algebraic structure B which can be obtained from the structure A by a similar construction, with algorithms replaced by descriptions of their outputs by formulae of the first order language in the signature of A. At this point we are entering the domain of model theory, and a full discussion of this connection can be found in our forthcoming paper [9]. Here we notice only that in model theory B is said to be interpreted in A, and if A is in its turn interpreted in B then A and B are called bi-interpretable. A recent result on bi-interpretability between Chevalley groups and rings, relevant to our project, is [20].
A Few Historic Remarks
Black box algebraic structures were introduced by Babai and Szemerédi [4] in the special case of groups as an idealized setting for randomized algorithms for solving permutation and matrix group problems in computational group theory. Our Axioms BB1–BB3 are a slight modification – and generalization to arbitrary algebraic structures – of their original axioms.
So far, it appears that only finite groups, fields, rings, and, very recently, projective planes (in our paper [8]) have received a black box treatment. In the case of finite fields, the concept of a black box field can be traced back to Lenstra Jr [16] and Boneh and Lipton [5], and in the case of rings – to Arvind [3].
A higher level of abstraction introduced in our papers produces new tools allowing us to solve problems which were previously deemed to be intractable. For example, recently, the fundamental problem of constructing a unipotent element in black box groups encrypting was solved in odd characteristic via constructing a black box projective plane and its underlying black box field [8]. There is an analogous recognition algorithm for the black box groups encrypting in even characteristic [15].
Recognition of Black Box Fields
A black box (finite) field is a black box operating on 0–1 strings of uniform length which encrypts some finite field . The oracle can compute , , and (the latter for ) and decide whether for any strings . Notice that in this definition the characteristic of the field is not known. Such a definition is needed in our paper [8] to produce black box group algorithms which do not use the characteristic of the underlying field. If the characteristic p of is known then we say that is a black box field of known characteristic p. We refer the reader to [5, 17] for more details on black box fields of known characteristic and their applications to cryptography.
The following theorem is a reformulation of the fundamental results in [17].
Theorem 1
Let be a black box field of known characteristic p and the prime subfield of . Then the problem of finding two way morphisms between and can be reduced to the same problem for and . In particular,
- a morphism can be extended in time polynomial in the input length to a morphism ;
- there is a morphism computable in time polynomial in .
Here and in the rest of the paper, “efficient” means “computable in time polynomial in the input length”.
In our terminology (Sect. 2.6), Theorem 1 provides a structural proxy for black box fields of known characteristic. Indeed, if is a black box field of known characteristic p, then we can construct an isomorphism by the map
where is the unit in ; it is computable in time linear in by the double-and-add method. We say that p is small if it is computationally feasible to make a lookup table for the inverse of this map. Construction of a morphism remains an open problem. However, we can observe that
Corollary 1
Let , where p is a known small prime number. Then there exist two way morphisms between and .
Construction of a Structural Proxy
Most groups of Lie type (we exclude , and to avoid technical details) can be seen as functors from the category of fields with an automorphism of order to the category of groups . There are also other algebraic structures which can be defined in a similar way as functors from , for example projective planes or simple Lie algebras (viewed as rings). The following problem is natural and, as our results show, useful in this context.
- Construction of a structural proxy: Suppose that we are given a black box structure . Construct, in time polynomial in ,
  - a black box field , and
  - two way bijective morphisms .
If we construct a black box field by using as a computational engine, then we can construct the natural representation of the structure A over the black box field . By Theorem 1, we can construct a polynomial time isomorphism which further provides an isomorphism completing a structure recovery of .
Structural proxies and structure recovery play a crucial role for algorithms developed in Theorem 3. We summarize relevant results about constructing structural proxies of black box algebraic structures from our papers [6, 8].
Theorem 2
We can construct structural proxies for the following black box structures.
- , a projective plane with a polarity encrypting a projective plane over a finite field of odd characteristic.
- over a finite field of unknown odd characteristic, under the assumption that we know a global exponent E of , that is, E such that for all and is polynomially bounded in terms of .
- , a black box ring encrypting the ring of matrices over the known finite field of odd characteristic.
Black Boxes Associated with Homomorphic Encryption
As explained in Subsection 1.1, we assume that the algebraic structure A of plaintexts is represented in some standard form known to Bob. In agreement with the standard language of algebra – and with our terminology in [8] – we shall use the words plain element or just element in place of ‘plaintext’ and cryptoelement in place of ‘ciphertext’.
Let A be a set of plain elements, a set of cryptoelements, and E the encryption function, that is, an isomorphism .
The supply of random cryptoelements from postulated in Axiom BB1 can be achieved by sampling a big dataset of cryptoelements provided by Alice, or computed on request from Alice. The computer system controlled by Bob performs the algebraic operations referred to in Axiom BB2.
Axiom BB3 is redundant under the assumption that is a bijection, but it gives us more freedom to construct new black boxes, for example, homomorphic images of . Axiom BB3 could also be useful for handling another quite possible scenario: for Alice, the cost of computing the homomorphisms E and could be higher than the price charged by Bob for processing cryptoelements. In that case, it could be cheaper to transfer the initial data to Bob (in encrypted form) and ask Bob to run a computer programme which uses the black box but does not send intermediate values back to Alice and returns only the final result; then checking equality of cryptoelements becomes unavoidable.
A Black Box Attack on Homomorphic Encryption
We assume that Bob can accumulate a big dataset of cryptoelements sent from/to Alice, or intermediate results from running Alice’s programme, and that he can feed, without Alice’s knowledge, cryptoelements into a computer system (the black box) which performs operations on them, and retain the outputs for perusal – again without Alice’s knowledge. Bob’s aim is to compute the decryption function efficiently, that is, in time polynomial in terms of the lengths of the plain elements and cryptoelements involved.
Bob’s Attack
As we discussed in Sect. 1.1, we can assume that Bob knows the algebraic structure A. Bob’s aim is to find an efficient algorithm which maps cryptoelements from to elements in A and vice versa while preserving the algebraic operations on and A. This means solving the constructive recognition problem for , that is, finding bijective morphisms
such that is the identity map on A.
Assume that Bob has solved the constructive recognition problem and can efficiently compute and .
Alice’s encryption function is a map ; the composition is an automorphism of A. Therefore Bob reads not Alice’s plaintexts , but their images under an automorphism of A still unknown to him. This means that solving the constructive recognition problem for reduces the problem of inverting the encryption homomorphism to the much simpler problem of inverting the automorphism
We are again in the situation of homomorphic encryption, but this time the sets of plaintexts and ciphertexts are the same. One would expect that this encryption is easier to break. For example, if Bob can guess the plaintexts of a few cryptoelements, and if the automorphism group of A is well understood, computation of and could be a more accessible problem than the constructive recognition for . For example, automorphism groups of finite fields are very small, and in that case can be found by direct inspection.
As soon as is known, Bob knows and can decrypt everything. Moreover, since the map E is also known, it allows Bob to return to Alice cryptoelements which encrypt plaintexts of Bob’s choice.
We suggest that this approach to the analysis of homomorphic encryption is useful because it opens up connections to black box algebra. Indeed, the theory of black box structures is reasonably well developed for groups and fields, and its methods could provide insight into the assessment of the security of other algebraic structures if any are proposed for use in homomorphic encryption.
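The following is an added illustration, not the authors’ code, of the whole chain described so far: the homomorphism property of Sect. 1.1, a black box satisfying BB1–BB3, the lookup-table isomorphism of Corollary 1 for the prime subfield, and the reduction of this section in which Bob recovers Alice’s decryption only up to a field automorphism and then fixes that automorphism from a known plaintext. It models the field case rather than a group of Lie type: the plaintext structure is assumed to be F_49 = F_7[i]/(i² + 1) with p = 7 (so that i² = −1 has no root in F_7), Alice’s deterministic E is simulated by a random relabelling held privately inside the oracle (the map π of Sect. 2.1), and Bob’s functions `structural_proxy` and `recover_decryption` use nothing but the oracle interface. All class, function and parameter names are assumptions chosen for this example.

```python
"""Toy model of the paper's set-up (added example, not the authors' code).
Alice encrypts the field F_49 = F_7[i]/(i^2 + 1) with a deterministic
bijection E; Bob has only a black box satisfying BB1-BB3 and, from that
alone, builds a structural proxy, reads Alice's data up to a field
automorphism, and fixes the automorphism from one known plaintext.
p = 7 and all names are assumptions chosen for illustration."""
import secrets

P = 7                                                 # small known characteristic
FIELD = [(a, b) for a in range(P) for b in range(P)]  # a + b*i, 49 elements

def f_add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)

def f_mul(x, y):
    (a, b), (c, d) = x, y                             # (a+bi)(c+di), i^2 = -1
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def f_inv(x):
    if x == (0, 0):
        raise ZeroDivisionError("0 has no inverse")   # oracle only inverts x != 0
    a, b = x
    n = pow((a * a + b * b) % P, P - 2, P)            # (a^2 + b^2)^-1 in F_7
    return ((a * n) % P, (-b * n) % P)

def frobenius(x):
    """x -> x^7, the only non-identity automorphism of F_49 (conjugation)."""
    return (x[0], (-x[1]) % P)

class BlackBoxField:
    """Bob's oracle. Cryptoelements are opaque hex strings; the decoding map
    _dec plays the role of pi in the paper and is never read by Bob's code."""
    def __init__(self):
        labels = [secrets.token_hex(8) for _ in FIELD]
        self._enc = dict(zip(FIELD, labels))          # Alice's E (hidden)
        self._dec = dict(zip(labels, FIELD))          # pi = E^-1 (hidden)
    def alice_encrypt(self, m):                       # Alice's side only
        return self._enc[m]
    def random(self):                                 # BB1
        return secrets.choice(list(self._dec))
    def add(self, x, y):                              # BB2
        return self._enc[f_add(self._dec[x], self._dec[y])]
    def mul(self, x, y):
        return self._enc[f_mul(self._dec[x], self._dec[y])]
    def inv(self, x):
        return self._enc[f_inv(self._dec[x])]
    def equal(self, x, y):                            # BB3 (E is a bijection)
        return x == y

def check_homomorphism(bb, samples=200):
    """The defining property E(x op y) = E(x) op E(y) of Sect. 1.1,
    spot-checked from Alice's side for both operations."""
    for _ in range(samples):
        x, y = secrets.choice(FIELD), secrets.choice(FIELD)
        ex, ey = bb.alice_encrypt(x), bb.alice_encrypt(y)
        if not (bb.equal(bb.add(ex, ey), bb.alice_encrypt(f_add(x, y)))
                and bb.equal(bb.mul(ex, ey), bb.alice_encrypt(f_mul(x, y)))):
            return False
    return True

def times(bb, n, e):
    """n*e for n >= 1 by double-and-add, using only the oracle's addition."""
    acc, dbl = None, e
    while n:
        if n & 1:
            acc = dbl if acc is None else bb.add(acc, dbl)
        dbl = bb.add(dbl, dbl)
        n >>= 1
    return acc

def structural_proxy(bb):
    """Bob's side: two-way bijective maps between the explicit F_49 and the
    cryptoelements, from the oracle alone. The prime subfield is the lookup
    table of Corollary 1; one extra generator j extends it to F_49."""
    while True:                                       # unit 1 = x * x^-1, x != 0
        x = bb.random()
        try:
            one = bb.mul(x, bb.inv(x))
            break
        except ZeroDivisionError:
            continue
    prime = {n: times(bb, n, one) for n in range(1, P + 1)}   # n -> n*1
    prime[0] = prime.pop(P)                           # p*1 = 0
    minus_one = prime[P - 1]
    while True:                                       # j with j^2 = -1, so j
        j = bb.random()                               # encrypts either i or -i
        if bb.equal(bb.mul(j, j), minus_one):
            break
    enc = {(a, b): bb.add(prime[a], bb.mul(prime[b], j)) for a, b in FIELD}
    dec = {c: m for m, c in enc.items()}
    return enc, dec

def recover_decryption(bb, known_plaintext, known_cryptoelement):
    """Bob's proxy decodes Alice's data up to an automorphism alpha (identity
    or Frobenius, depending on which root j was found). One known plaintext
    with nonzero i-part decides alpha; alpha is an involution, so it is its
    own inverse. Returns Bob's decrypt and encrypt functions."""
    enc, dec = structural_proxy(bb)
    if dec[known_cryptoelement] == known_plaintext:
        alpha = lambda m: m
    else:
        alpha = frobenius
    return (lambda c: alpha(dec[c])), (lambda m: enc[alpha(m)])
```

Usage: create `bb = BlackBoxField()`, let Alice disclose one pair `m, bb.alice_encrypt(m)` with `m[1] != 0`, and call `recover_decryption(bb, m, bb.alice_encrypt(m))`; the returned `decrypt` inverts `bb.alice_encrypt` on all 49 elements and `encrypt` reproduces it, which is exactly the situation of the last paragraph above. The point for a practitioner is the caveat the paper draws: a deterministic, bijective homomorphic encryption of a small field hides nothing beyond a choice of field automorphism, and the oracle itself supplies everything needed to remove that ambiguity, so the randomisation that the paper sets aside in Sect. 1.1 is not an optional detail of real schemes.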
Application of Theorem 2 to Homomorphic Encryption
The procedures described in Theorem 3 below are reformulations of the principal results of our Theorem 2 in a homomorphic encryption setup. They demonstrate the depth of the structural analysis involved and suggest that a similarly deep but revealing structural theory can be developed for other algebraic structures if they are sufficiently rich (‘rich’ here can mean, for example, ‘bi-interpretable with a finite field’). Also, it is worth noting that the procedures do not use any assumptions about the encryption homomorphism E; the analysis is purely algebraic.
Theorem 3
Assume that Alice and Bob run a homomorphic encryption protocol over the group , q odd, with Bob doing computations with cryptoelements using a black box . Assume that Bob knows A, including the representation of the field used by Alice. Then, by Theorem 2, Bob can construct a structural proxy for . Moreover:
(a) If, in addition, Bob has two way bijective morphisms between a black box field and an explicitly given field (see Corollary 1), he gets two way bijective morphisms .
(b) Under the assumptions of (a), Bob gets an image of Alice’s data transformed by an automorphism , since Alice’s group A is an explicitly given .
(c) Automorphisms of the group are well known: every automorphism is a product of an inner automorphism and a field automorphism induced by an automorphism of the field . Therefore, if Bob can run a few instances of known plaintext attacks against Alice, he can compute the automorphism and after that read the plaintexts of all Alice’s cryptoelements.
(d) Moreover, under the assumptions of (a) and (c), Bob can compute the inverse of and pass to Alice, as answers to Alice’s requests, values of his choice.
Items (c) and (d) in Theorem 3 look like serious vulnerabilities of homomorphic encryptions of the groups . We conclude that homomorphic encryption of the groups is no more secure than homomorphic encryption of the field . As a consequence of Theorem 1, homomorphic encryption of does not survive a known plaintext attack when the prime is small.
We think that this is a manifestation of a more general issue: for small odd primes p, there are no secure homomorphic encryption schemes based on sufficiently rich (say, bi-interpretable with finite fields) algebraic structures functorially defined over finite fields of characteristic p.
Acknowledgement
The authors worked on this paper during their visits to the Nesin Mathematics Village, Turkey. We thank Jeff Burdges, Adrien Deloro, Alexander Konovalov, and Chris Stephenson for fruitful advice, and the referees for their most perceptive comments.
Contributor Information
Anna Maria Bigatti, Email: bigatti@dima.unige.it.
Jacques Carette, Email: carette@mcmaster.ca.
James H. Davenport, Email: j.h.davenport@bath.ac.uk
Michael Joswig, Email: joswig@math.tu-berlin.de.
Timo de Wolff, Email: t.de-wolff@tu-braunschweig.de.
Alexandre Borovik, Email: alexandre@borovik.net, http://www.borovik.net.
Şükrü Yalçınkaya, Email: sukru.yalcinkaya@istanbul.edu.tr.
References
- 1. Acar, A., Aksu, H., Uluagac, A.S., Conti, M.: A survey on homomorphic encryption schemes: theory and implementation. ACM Comput. Surv. 51(4), 79 (2018). doi:10.1145/3214303
- 2. Aguilar-Melchor, C., Fau, S., Fontaine, C., Gogniat, G., Sirdey, R.: Recent advances in homomorphic encryption: a possible future for signal processing in the encrypted domain. IEEE Sig. Process. Mag. 30(2), 108–117 (2013). doi:10.1109/MSP.2012.2230219
- 3. Arvind, V., Das, B., Mukhopadhyay, P.: The complexity of black-box ring problems. In: Chen, D.Z., Lee, D.T. (eds.) Computing and Combinatorics, pp. 126–135. Springer, Heidelberg (2006)
- 4. Babai, L., Szemerédi, E.: On the complexity of matrix group problems. In: Proceedings of 25th IEEE Symposium on Foundations of Computer Science, pp. 229–240 (1984)
- 5. Boneh, D., Lipton, R.J.: Algorithms for black-box fields and their application to cryptography. In: Koblitz, N. (ed.) Advances in Cryptology – CRYPTO 1996, pp. 283–297. Springer, Heidelberg (1996)
- 6. Borovik, A., Yalçınkaya, Ş.: Natural representations of black box groups . http://arxiv.org/abs/2001.10292
- 7. Borovik, A., Yalçınkaya, Ş.: New approaches in black box group theory. In: Hong, H., Yap, C. (eds.) Mathematical Software – ICMS 2014, pp. 53–58. Springer, Heidelberg (2014)
- 8. Borovik, A., Yalçınkaya, Ş.: Adjoint representations of black box groups . J. Algebra 506, 540–591 (2018). doi:10.1016/j.jalgebra.2018.02.022
- 9. Borovik, A., Yalçınkaya, Ş.: Black box algebra: model-theoretic connections (in preparation)
- 10. Dyer, J., Dyer, M., Xu, J.: Practical homomorphic encryption over the integers. http://arxiv.org/abs/1702.07588
- 11. Fontaine, C., Galand, F.: A survey of homomorphic encryption for nonspecialists. J. Inform. Secur. 1, 41–50 (2009)
- 12. The GAP Group: GAP – Groups, Algorithms, and Programming, Version 4.11.0 (2020). http://www.gap-system.org
- 13. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing (STOC 2009), pp. 169–178. ACM, New York (2009)
- 14. Gentry, C., Halevi, S.: Implementing Gentry’s fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) Advances in Cryptology – EUROCRYPT 2011, pp. 129–148. Springer, Heidelberg (2011)
- 15. Kantor, W.M., Kassabov, M.: Black box groups isomorphic to . J. Algebra 421, 16–26 (2015). doi:10.1016/j.jalgebra.2014.08.014
- 16. Lenstra Jr., H.W.: Finding isomorphisms between finite fields. Math. Comput. 56(193), 329–347 (1991). doi:10.1090/S0025-5718-1991-1052099-2
- 17. Maurer, U., Raub, D.: Black-box extension fields and the inexistence of field-homomorphic one-way permutations. In: Kurosawa, K. (ed.) Advances in Cryptology – ASIACRYPT 2007, pp. 427–443. Springer, Heidelberg (2007)
- 18. Prasanna, B.T., Akki, C.B.: A comparative study of homomorphic and searchable encryption schemes for cloud computing. http://arxiv.org/abs/1505.03263
- 19. Rass, S.: Blind Turing-machines: arbitrary private computations from group homomorphic encryption (2013). http://arxiv.org/abs/1312.3146
- 20. Segal, D., Tent, K.: Defining and . http://arxiv.org/abs/2004.13407
- 21. Sen, J.: Homomorphic encryption: theory & applications. http://arxiv.org/abs/1305.5886
- 22. Sharma, I.: Fully homomorphic encryption scheme with symmetric keys. http://arxiv.org/abs/1310.2452
- 23. Tebaa, M., Hajji, S.E.: Secure cloud computing through homomorphic encryption. http://arxiv.org/abs/1409.0829