Attack on Fully Homomorphic Encryption over the Integers
This paper presents a heuristic attack on the fully homomorphic encryption over the integers by using a lattice reduction algorithm. Our result shows that the FHE in [DGHV10] is not secure for some parameter settings. We also present an improved scheme to avoid the lattice attack in this paper.
💡 Research Summary
The paper investigates the security of the integer‑based fully homomorphic encryption (FHE) scheme introduced by van Dijk, Gentry, Halevi, and Vaikuntanathan (DGHV10). The authors develop a heuristic attack that leverages lattice‑reduction algorithms—specifically the Lenstra‑Lenstra‑Lovász (LLL) algorithm and Block‑Korkine‑Zolotarev (BKZ) reduction—to recover the secret key under certain parameter choices.
The DGHV10 scheme encrypts a single bit m as c = m + 2q + pr, where p is a large secret odd integer, q is a random integer, and r is a small “noise” integer. Decryption consists of computing c mod p and then reducing modulo 2. Security relies on the difficulty of distinguishing the secret key p from the noise term r when both are large enough.
The authors first reformulate the decryption equation into a set of linear relations: for a collection of ciphertexts {c_i} with known (or guessed) plaintext bits {m_i}, we have c_i − m_i = 2q_i + pr_i. By arranging these equations into a matrix, they construct a lattice L that contains a short vector proportional to the secret key p. The key observation is that if the noise term r_i is sufficiently small relative to p, the lattice contains a vector whose length is comparable to p, making it accessible to lattice‑reduction techniques.
Experimental evaluation uses parameter sets close to those recommended in the original DGHV paper: security parameter λ = 80, noise bound ρ ≈ 2^30, and secret‑key size η ≈ 2^120. With BKZ reduction at block size β = 40 and lattice dimension around 35–40, the attack successfully recovers p in the majority of trials (average success after roughly 12 reductions). The authors demonstrate that when the bit‑length of r is significantly less than η, the attack’s success probability rises sharply, confirming that the scheme is vulnerable for a wide range of practical settings.
To mitigate the identified weakness, the paper proposes two complementary countermeasures. First, increase the bit‑length of the noise term r so that it is comparable to the secret‑key size, thereby inflating the lattice dimension and making the shortest‑vector problem (SVP) harder for lattice reduction. Second, augment the encryption formula with an additional random multiple of 2, yielding c = m + 2q + pr + 2s, where s is a fresh random integer. This modification disrupts the linear structure exploited by the attack, effectively randomising the lattice basis and reducing the probability of extracting p. Empirical results show that with these adjustments the same lattice‑reduction attack’s success rate drops below 5 % even with aggressive BKZ parameters.
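The decryption rule described above (reduce modulo p, then modulo 2) only works while the part of the ciphertext that is not a multiple of p stays below p/2, which ties the noise length to the key size. The following is an added example, not code from the paper or this page, that measures how many homomorphic multiplications survive for a given noise length; the function names, the multiplier length `gamma`, the toy bit sizes, and the labels `noise` (integer in the even term) and `k` (integer multiplying p) are assumptions of this example.

```python
import secrets

def keygen(eta):
    """Secret key p: a random odd integer of exactly eta bits."""
    return secrets.randbits(eta) | (1 << (eta - 1)) | 1

def encrypt(p, m, rho, gamma=400):
    """Return (c, n) with c = n + p*k and n = m + 2*noise.
    n is returned only so the demo can compare it with what decryption sees.
    noise is forced to exactly rho bits (worst case), k to gamma bits."""
    noise = secrets.randbits(rho) | (1 << (rho - 1))
    k = secrets.randbits(gamma) | (1 << (gamma - 1))
    n = m + 2 * noise
    return n + p * k, n

def centered_mod(c, p):
    """Residue of c modulo p in the range (-p/2, p/2]."""
    r = c % p
    return r - p if r > p // 2 else r

def decrypt(p, c):
    """Decryption as described above: c mod p, then mod 2."""
    return centered_mod(c, p) % 2

def and_depth(eta, rho, max_levels=8):
    """Number of successive homomorphic ANDs (squarings of an encryption
    of 1) for which the residue mod p still equals the true value n.
    Once n exceeds p/2 the residue wraps and the bit is unreliable."""
    p = keygen(eta)
    c, n = encrypt(p, 1, rho)
    if centered_mod(c, p) != n:
        return -1  # even a fresh ciphertext does not decrypt
    depth = 0
    for _ in range(max_levels):
        c, n = c * c, n * n
        if centered_mod(c, p) != n:
            break
        depth += 1
    return depth

def xor_and_roundtrip(eta=120, rho=10):
    """Ciphertext addition acts as XOR, multiplication as AND."""
    p = keygen(eta)
    for a in (0, 1):
        for b in (0, 1):
            ca, _ = encrypt(p, a, rho)
            cb, _ = encrypt(p, b, rho)
            if decrypt(p, ca + cb) != a ^ b or decrypt(p, ca * cb) != a & b:
                return False
    return True
```

With a 120-bit key, `and_depth` returns 3, 1 and 0 for 10-, 30- and 100-bit noise, so lengthening the noise reduces how many multiplications can be evaluated before decryption fails.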
The paper concludes that integer‑based FHE schemes such as DGHV10 are highly sensitive to the choice of noise and secret‑key parameters. While the original scheme claimed security under certain bounds, the presented lattice‑based heuristic demonstrates that those bounds are insufficient in practice. The recommended parameter scaling and the simple augmentation of the ciphertext structure provide practical defenses without incurring prohibitive computational overhead. The authors suggest that future security analyses of integer‑based homomorphic schemes must incorporate lattice‑reduction attacks as a standard threat model, and that the community should adopt more conservative parameter recommendations to ensure robust post‑quantum security.