Cryptanalysis of the MORE symmetric key fully homomorphic encryption scheme

The fully homomorphic symmetric encryption scheme MORE encrypts keys by conjugation with a random invertible matrix over an RSA modulus. We provide a two known-ciphertexts cryptanalysis recovering a linear dependence among the two encrypted keys. 1. The FHE scheme MORE In their paper [1], Kipnis and Hibshoosh propose, among other things, to use the following type of fully homomorphic encryption (FHE) of keys, which they named Matrix Operation for Randomization or Encryption (MORE). Let N be an RSA modulus. The secret key is an invertible matrix A ∈ GL2(ZN). The scheme only encrypts random elements k ∈ ZN , and is constrained not to encrypt the same element twice. The encryption is randomized. To encrypt a key k, choose a random secret s ∈ ZN , and output EA(k) := A −1 ( s 0 0 k ) A. To decrypt, conjugate by A−1 instead of A. It is immediate that this is a fully homomorphic function of k. This scheme is proved to be secure in the sense that, given encryptions of uniformly random, independent keys k1, . . . , kn, for arbitrary n, one can learn nothing about the key k1 [1, page 12]. A second FHE proposed in [1], Polynomial Operation for Randomization or Encryption (PORE), is shown there to be equivalent to MORE. An application to signatures is provided in [1], but Hibshoosh reported to us that this specific application has in the meanwhile been cryptanalyzed. 2. Cryptanalysis of MORE We do not invalidate the Kipnis-Hibshoosh proof of security. But we identify another potential problem with improper uses of this scheme. 1 2 BOAZ TSABAN AND NOAM LIFSHITZ Lemma 2.1. A 2 × 2 matrix commutes with all diagonal matrices if an only if it is diagonal. Proof. It is necessary that C commutes with the basis matrix E11, which implies that the off-diagonal entries of C are 0. Thus, C is diagonal. Being diagonal is also sufficient for C commuting with all diagonal matrices. Lemma 2.2. Each matrix A with nonzero diagonal entries is of the form ( a 0 0 d )( 1 ∗ ∗ 1 ) . Proof. We have that ( a b c d ) = ( a 0 0 d )( 1 b/a c/d 1 ) . The cryptanalysis. Let A be the secret matrix. We may assume that the diagonal entries of A are nonzero, and thus write