Paper 2022/1741

Demystifying the comments made on “A Practical Full Key Recovery Attack on TFHE and FHEW by Inducing Decryption Errors”

Bhuvnesh Chaturvedi, Indian Institute of Technology, Kharagpur
Anirban Chakraborty, Indian Institute of Technology, Kharagpur
Ayantika Chatterjee, Indian Institute of Technology, Kharagpur
Debdeep Mukhopadhyay, Indian Institute of Technology, Kharagpur

Fully Homomorphic Encryption (FHE) allows computations on encrypted data without the need for decryption. Therefore, in the world of cloud computing, FHE provides an essential means for users to garner different computational services from potentially untrusted servers while keeping sensitive data private. In such a context, the security and privacy guarantees of well-known FHE schemes become paramount. In a research article, we (Chaturvedi et al., ePrint 2022/1563) have shown that popular FHE schemes like TFHE and FHEW are vulnerable to CVO (Ciphertext Verification Oracle) attacks, which belong to the family of “reaction attacks” [6]. We show, for the first time, that feedback from the client (user) can be craftily used by the server to extract the error (noise) associated with each computed ciphertext. Once the errors for some m ciphertext (m > n, where n = key size) are retrieved, the original secret key can be trivially leaked using the standard Gaussian Elimination method. The results in the paper (Chaturvedi et al., ePrint 2022/1563) show that FHE schemes should be subjected to further security evaluations, specifically in the context of system-wide implementation, such that CVO-based attacks can be eliminated. Quite recently, Michael Walter published a document (ePrint 2022/1722), claiming that the timing channel we used in our work (Chaturvedi et al., ePrint 2022/1563) “are false”. In this document, we debunk this claim and explain how we use the timing channel to improve the CVO attack. We explain that the CVO-based attack technique we proposed in the paper (Chaturvedi et al., ePrint 2022/1563) is a result of careful selection of perturbation values and the first work in literature that showed reaction based attacks are possible in the context of present FHE schemes in a realistic cloud setting. We further argue that for an attacker, any additional information that can aid a particular attack shall be considered as leakage and must be dealt with due importance to stymie the attack.

Available format(s)
Attacks and cryptanalysis
Publication info
Contact author(s)
bhuvneshchaturvedi2512 @ gmail com
ch anirban00727 @ gmail com
cayantika @ gmail com
debdeep mukhopadhyay @ gmail com
2022-12-25: approved
2022-12-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Bhuvnesh Chaturvedi and Anirban Chakraborty and Ayantika Chatterjee and Debdeep Mukhopadhyay},
      title = {Demystifying the comments made on “A Practical Full Key Recovery Attack on TFHE and FHEW by Inducing Decryption Errors”},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1741},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.