3

I have a vector of int called $Xreg = [x1, x2, ..., xn]$ that I need to send from a client to a server for storage in a database.

If an attacker gains access to the database or the server he shouldn't be able to recover the original vector $Xreg$.

To do so, I had the idea to multiply each component of $Xreg$ with two big numbers ($S0$ and $S1$) of 512 bits each.

Therefore the client will send $S0.S1.Xreg$ = $[S0.S1.x1, S0.S1.x2, ..., S0.S1.xn]$.

The client will keep the record of $S0$ and creates a new $Si$ each time he wants to connect to the server. Therefore the second time, client will send $S0.S2.Xreg$ and server will replace it in the database.

My question is, if a malicious or semi-honest adversaries gains access to the server or the database will he be able to recover the original $Xreg$ ? Let's suppose that if the server is compromised, the communications will stop so the attacker could possibly get only one record of $S0.Si.Xreg$ and possibly $S0.S_{i-1}.Xreg$ and $S_i/S_{i-1}$

Thanks in advance.

e-sushi
  • 17,617
  • 12
  • 80
  • 223
thib.v
  • 53
  • 4

1 Answers1

6

Given a vector $[S_0 S_1 x_1, S_0 S_1 x_2, ...]$, it is quite easy to recover $S_0 S_1$ (by computing the GCD of the various elements). With that information, the attacker can then recover the values $x_1, x_2, ...$, and so yes, a semihonest adversary could easily recover the $X_{reg}$ values.

poncho
  • 138,335
  • 11
  • 217
  • 344
  • Note that taking the GCD might sometimes return a proper multiple of $S_0 S_1$, if all the $x_i$ values just happen to share a common factor. If the vector is long enough, however, and the values in it are not deliberately chosen to share a factor, then this is quite unlikely to happen. And in general, if the adversary can somehow recognize that the decrypted vector is incorrect, then they can try multiplying the values with small factors of the GCD to see if that yields the correct decryption. – Ilmari Karonen Oct 31 '16 at 10:42