Homomorphic encryption - Why does addition not imply multiplication?

Question

As far as I know:

There are some partially homomorphic encryption (PHE) systems that support either addition or multiplication.

A fully homomorphic encryption (FHE) system can do addition as well as multiplication and thus supports arbitrary computation on ciphertexts.

My question is (disregarding computational efficiency):

Why does a PHE-system that allows addition on ciphertext not directly imply that it also can do multiplication, since

$$a \times b$$

is the same as

$$\underbrace{a + a + \cdots + a}_{b\text{ times}}?$$

Are there some computations that are only possible with a direct multiplication instead of a continuous addition?

Answer 1

There are at least two problems;

1. The $b$-times addition leaks the $b$. A semi-honest observer can see that you add the $a$ by $b$ times. However, in FHE, the $b$ is also encrypted with semantically secure that leaks no information. The only information available to the observer is the circuit.

2. In FHE, the $b$ is coming (or may come) from another result, which means that $b$ is also encrypted. In additive PHE, you cannot multiply by $b$ without decryption.

You can look at some example of FHE circuits from this answer to see that some of them are not even possible with additive PHE.

Answer 2

$b$ is encrypted and therefore unknown to the machine doing the multiplication. So, you cannot just "add $b$ times".

One thing you may be tempted to think is just subtract 1 from the encrypted $b$ and stop when $b$ is zero. For a semantically secure homomorphic cipher, this is impossible. If your homomorphic cipher is not semantically secure, it can easily be broken.

Answer 3

The other answers are correct, but I wanted to note that:

If you can add ciphertexts together, then you can multiply them by a plaintext value, because of the reason you described in your question.

Similarly, if you can multiply ciphertexts together, then you can exponentiate them by a plaintext value as well.

So if you distribute two ciphertexts $c_0, c_1$ and your algorithm supports only the ability to add ciphertexts together, then it is not possible to meaningfully evaluate $c_0 c_1$, but it is possible for anyone to meaningfully evaluate $c_0p_0$.