Modification to Fully Homomorphic Modified Rivest Scheme

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This document details the Fully Homomorphic Modified Rivest Scheme (FHMRS), a security issue in FHMRS, and a modification to FHMRS (mFHMRS) to mitigate the security issue.


💡 Research Summary

The paper “Modification to Fully Homomorphic Modified Rivest Scheme” first revisits the Fully Homomorphic Modified Rivest Scheme (FHMRS), a symmetric‑key fully homomorphic encryption (FHE) construction that relies on the Chinese Remainder Theorem (CRT) with two equal‑size primes p and q and an auxiliary prime u. In the original design, a message m is masked by adding a random multiple g·u, then reduced modulo p and q to produce a ciphertext pair (c₁, c₂). Homomorphic addition, constant addition, multiplication, and constant multiplication are performed component‑wise on these two shares, and decryption reconstructs the original value via CRT and a final reduction modulo n = p·q.

The authors identify a critical known‑plaintext attack (KPA). Because p and q are chosen larger than u, the reduction step leaves the masked value unchanged: (m + g·u) mod p = m + g·u. An adversary who obtains two plaintext‑ciphertext pairs can compute c₁−m₁ = g₁·u and c₂−m₂ = g₂·u, then take the greatest common divisor (GCD) of these two values to recover u. Once u is known, any ciphertext can be decrypted, breaking the scheme entirely. This vulnerability exists regardless of the number of supported homomorphic multiplications or additions.

To mitigate the flaw, the authors propose Modified FHMRS (mFHMRS). The key generation now creates a set of N+S distinct primes p₁,…,p_{N+S} (all of equal bit‑length) together with u, where the product of all pᵢ defines n. Encryption computes the same masked value m + g·u but reduces it modulo each pᵢ, yielding a ciphertext vector (c₁,…,c_{N+S}). Decryption uses an (N+S)-dimensional CRT to reconstruct the original message, dividing by u at the end. Homomorphic operations are extended naturally: addition, multiplication, and their constant variants are performed component‑wise across all shares, preserving the share count.
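The masking, per-prime reduction, component-wise homomorphic operations and CRT decryption described above, together with the gcd check from the known-plaintext discussion, as an added Python example that is not code from the paper or its authors. The two-prime instance plays the role of FHMRS and the three-prime instance stands in for mFHMRS's N+S shares. Everything concrete here is constructed for illustration: the secret u = 1009, share primes near 10^6, and fixed multipliers g. Decoding by a final reduction modulo u is an assumption of this toy (the summary gives the last step as a reduction modulo n for FHMRS and a division by u for mFHMRS), and the toy does not enforce the size constraints the paper imposes on l_p, l_u and l_g, so the gcd check recovers u from the three-share instance just as it does from the two-share one; the block shows the mechanics of the construction, not its security.

```python
# Toy CRT-share masking scheme in the style of FHMRS / mFHMRS.
# Constructed teaching example: parameters are tiny and deliberately insecure.
from math import gcd, prod


def crt(residues, moduli):
    """Chinese Remainder Theorem: the unique x in [0, prod(moduli)) with x = r_i mod p_i."""
    n = prod(moduli)
    x = 0
    for r, p in zip(residues, moduli):
        n_i = n // p
        x += r * n_i * pow(n_i, -1, p)  # modular inverse; needs Python 3.8+
    return x % n


class CrtShareScheme:
    """Symmetric scheme: the ciphertext is (m + g*u) reduced modulo each share prime.

    Two share primes (p, q) give the FHMRS layout; N+S share primes give the
    mFHMRS layout. The operations are the same in both cases.
    """

    def __init__(self, u, primes):
        self.u = u
        self.primes = tuple(primes)
        self.n = prod(primes)  # CRT modulus

    def encrypt(self, m, g):
        # g is the random multiplier; it is passed in so the example is deterministic.
        masked = m + g * self.u
        return tuple(masked % p for p in self.primes)

    def decrypt(self, ct):
        # CRT recovers the masked value modulo n; reducing modulo u strips the mask.
        # Correct only while the (possibly multiplied) masked value stays below n
        # and the plaintext result stays below u (toy simplification).
        return crt(ct, self.primes) % self.u

    # Homomorphic operations act component-wise on the shares.
    def add(self, a, b):
        return tuple((x + y) % p for x, y, p in zip(a, b, self.primes))

    def mul(self, a, b):
        return tuple((x * y) % p for x, y, p in zip(a, b, self.primes))

    def add_const(self, a, k):
        return tuple((x + k) % p for x, p in zip(a, self.primes))

    def mul_const(self, a, k):
        return tuple((x * k) % p for x, p in zip(a, self.primes))


def leaked_modulus(pairs):
    """The known-plaintext check from the summary.

    When every share prime exceeds the masked value, each share equals m + g*u,
    so c_i - m = g*u. The gcd over several plaintext/ciphertext pairs therefore
    collapses to u (times the gcd of the multipliers g, which is 1 for random g
    with overwhelming probability).
    """
    acc = 0
    for m, ct in pairs:
        acc = gcd(acc, ct[0] - m)
    return acc


# Constructed parameters: share primes around 10^6, secret u = 1009 (prime).
FHMRS_TOY = CrtShareScheme(u=1009, primes=(999983, 1000003))
MFHMRS_TOY = CrtShareScheme(u=1009, primes=(999983, 1000003, 1000033))


def demo(scheme):
    """Encrypt two messages, combine them homomorphically, decrypt each result."""
    a = scheme.encrypt(17, g=5)
    b = scheme.encrypt(23, g=9)
    return {
        "add": scheme.decrypt(scheme.add(a, b)),            # 17 + 23
        "mul": scheme.decrypt(scheme.mul(a, b)),            # 17 * 23
        "add_const": scheme.decrypt(scheme.add_const(a, 100)),
        "mul_const": scheme.decrypt(scheme.mul_const(a, 3)),
    }


if __name__ == "__main__":
    for name, scheme in (("FHMRS toy", FHMRS_TOY), ("mFHMRS toy", MFHMRS_TOY)):
        print(name, demo(scheme))
        known = [(17, scheme.encrypt(17, g=5)), (23, scheme.encrypt(23, g=9))]
        print(name, "gcd check recovers u:", leaked_modulus(known) == scheme.u)
```

Both toy instances decrypt the homomorphic sums and products correctly because 17 + 5·1009 and 23 + 9·1009 are far below every share prime and their product is far below n. That same property is what the known-plaintext discussion exploits: the reduction changes nothing, so c₁ − m₁ is exactly g₁·u and two pairs suffice for the gcd. Any parameter choice that aims to follow the paper has to make the size constraints of the later sections hold, which this toy does not attempt.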

The security analysis focuses on three attack classes:

  1. Brute‑Force – The effective key space is (d_{l_p})^{N+2}·d_{l_u}, where d_{l} approximates the number of l‑bit primes. With typical parameters (e.g., three 128‑bit pᵢ and a 130‑bit u), the work factor reaches about 2⁴⁹⁰ operations, rendering exhaustive search infeasible.

  2. Lattice‑Based Attacks – By expressing each share as c_i = g_i·u + r_i (with r_i being a small error term), the problem reduces to an Approximate Common Divisor Problem (ACDP). The authors construct a (t+1)-dimensional lattice whose short vectors would reveal g₀ or u via the LLL algorithm. They derive bounds on l_p, l_u, and l_g that ensure the Euclidean norm of any legitimate vector exceeds the LLL reduction guarantee, thereby preventing successful lattice reduction.

  3. Linear Equation Attacks – Constraints such as l_g ≥ λ/4 and λ ≤ l_{p_i} < l_u guarantee that the random multiplier g and the secret u cannot be solved from a system of linear equations derived from multiple ciphertexts.

Parameter selection guidelines are provided: l_p must satisfy l_p ≥ (N+1)(N+S)(l_u + l_g + 1) + A(N+S), while l_u must exceed the total message space size to keep decryption correct. Example configurations (λ=128, N=1, A=20, S=2) and (λ=128, N=14, A=30, S=5) illustrate feasible choices.

In conclusion, the original FHMRS is fundamentally insecure due to a simple GCD‑based KPA, whereas the proposed mFHMRS eliminates this weakness by expanding the ciphertext into multiple CRT shares and enforcing stringent size constraints. The modified scheme retains full homomorphic functionality without significant performance degradation, and its security rests on well‑studied hardness assumptions (prime enumeration, ACDP, lattice reduction). Future work is suggested on practical implementation, side‑channel resistance, and optimizing the trade‑off between ciphertext size and computational overhead.

