Cryptology ePrint Archive: Report 2016/1164
Attacking FHE-based applications by software fault injections
Ilaria Chillotti and Nicolas Gama and Louis Goubin
Abstract: The security of fully homomorphic encryption is often studied at the primitive level, and a lot of questions remain open when the
cryptographer needs to choose between incompatible options, like IND-
CCA1 security versus circular security or search-to-decision reduction.
The aim of this report is to emphasize the well known (and often under-
estimated) fact that the ability to compute every function, which is the most desired feature of Homomorphic Encryption schemes, is also their main weakness. We show that it can be exploited to perform very realistic attacks in the context of secure homomorphic computations in the cloud. In order to break a fully homomorphic system, the cloud provider who runs the computation will not target the primitive but the overall system. The attacks we describe are a combination between safe-errors attacks (well known in the smart cards domain) and reaction attacks, they are easy to perform and they can reveal one secret key bit per query. Furthermore, as homomorphic primitives gets improved, and become T times faster with K times smaller keys, these attacks become KT times more practical. Our purpose is to highlight the fact, that if a semantically-secure model is in general enough to design homomorphic primitives, additional protections need to be adopted at a system level to secure cloud applications. We do not attack a specific construction but the entire idea of homomorphic encryption, by pointing out all the possible targets of this attack (encrypted data, bootstrapping keys, trans-ciphering keys, etc.). We also propose some possible countermeasures (or better precautions) in order to prevent the loss of information.
Category / Keywords: foundations / FHE, safe errors, reaction attacks, cloud security
Date: received 19 Dec 2016
Contact author: ilaria chillotti at uvsq fr
Available format(s): PDF | BibTeX Citation
Version: 20161228:140620 (All versions of this report)
Short URL: ia.cr/2016/1164
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]