5

If we have encryptions of additive and multiplicative identities in the corpus of cipher text of a deterministic fully homomorphic encryption (FHE) scheme, I guess we can break it.

If the FHE scheme is deterministic and works over integers, and if the corpus of cipher text has $enc(1), enc(0)$, where $1$ is the multiplicative identity and $0$ is the additive identity for integers, I am thinking it is easy to break such a scheme.

First we can verify whether any of the inferences below hold in the cipher text:

if $eval(enc(x) + enc(y)) = enc(x)$ this means $enc(y)$ is encryption of $0$.

if $eval(enc(x) * enc(z)) = enc(z)$ this means $enc(z)$ is encryption of $1$.

if $eval(enc(x) + enc(a)) = enc(0)$ this means $a$ is the additive inverse, i.e. $-x$.

if $eval(enc(x) * enc(b)) = enc(1)$ this means $b$ is the multiplicative inverse, i.e. $1/x$.

if $eval(enc(x) + enc(c)) = enc(1)$ this means $x+c = 1$

Now it is easy to identify all the numbers without decrypting them.

if $eval(enc(w) + n \times enc(1)) = enc(0)$ this means $w = -n$.

Is this understanding correct?

sashank

1 Answer

11

Yes, your understanding is correct.

It is well known that homomorphic encryption schemes are vulnerable to cipher text attacks if they are deterministic. See, for example, Section 2.4 of the paper "A Survey of Homomorphic Encryption for Nonspecialists".

Consider that the attacker has a value $c_1$ that is known by him to be an encryption of some clear text $m$.

So, if this scheme accepts at most $L$ additions in sequence, the attacker can find the encryption of $L$ multiples of $m$ by adding $c_1$ to itself:

$c_2 = c_1 + c_1 \Rightarrow dec(c_2) = 2m$

$c_3 = c_1 + c_1 + c_1 \Rightarrow dec(c_3) = 3m$

...

$c_L = c_1 + c_1 + c_1 + \ldots + c_1 \Rightarrow dec(c_L) = L \cdot m$

Note that the attacker can combine the "intermediate" ciphertexts too (I mean, add the ciphertexts $c_2, c_3, c_4, \ldots, c_{L-1}$ to themselves).

With just this, the attacker can learn a lot of pairs of cleartexts and corresponding ciphertexts. Then, since the scheme is deterministic, he will be able to identify a lot of the ciphertexts that are being sent.
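
The dictionary construction described in the answer above, as an added example that is not part of the original post: a toy deterministic additively homomorphic scheme (`Enc(m) = m*k mod N`, an assumption chosen for brevity and not secure), the table an observer can build from one known pair using only the public addition, and a randomized variant for which the same equality lookup finds nothing. All names and parameters are hypothetical.

```python
import secrets

# Toy parameters, constructed for illustration. Neither variant is a secure scheme.
N = (1 << 127) - 1   # public modulus (a Mersenne prime)
T = 1 << 16          # plaintext space of the randomized variant

def keygen():
    # Secret multiplier k; invertible mod N because N is prime.
    return secrets.randbelow(N - 2) + 2

def enc_det(k, m):
    # Deterministic: Enc(a) + Enc(b) == Enc(a + b) as exact ciphertexts.
    return (m * k) % N

def enc_rand(k, m):
    # Randomized: a fresh mask r makes equal plaintexts encrypt differently.
    r = secrets.randbelow(1 << 64)
    return ((m + T * r) * k) % N

def dec_rand(k, c):
    # Strip the key, then the mask (valid while the masked sum stays below N).
    return (c * pow(k, -1, N) % N) % T

def add(c1, c2):
    # Public homomorphic addition; needs no key.
    return (c1 + c2) % N

def build_dictionary(c1, m, L):
    # From one known pair (m, c1), derive Enc(j*m) for j = 1..L by repeated addition.
    table, c = {}, c1
    for j in range(1, L + 1):
        table[c] = j * m
        c = add(c, c1)
    return table

def recover(table, observed):
    # Equality lookup of observed ciphertexts; None means no match.
    return [table.get(c) for c in observed]

def demo(L=1000, secret_values=(7, 42, 999)):
    k = keygen()
    # Deterministic scheme: every observed ciphertext is in the table.
    det_table = build_dictionary(enc_det(k, 1), 1, L)
    det = recover(det_table, [enc_det(k, v) for v in secret_values])
    # Randomized scheme: same procedure, but fresh encryptions never match.
    rnd_table = build_dictionary(enc_rand(k, 1), 1, L)
    rnd = recover(rnd_table, [enc_rand(k, v) for v in secret_values])
    return det, rnd
```

The randomized variant still adds correctly under decryption; what it removes is the ability to compare ciphertexts for equality, which is the property the lookup depends on.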