Paper 2024/041

SASTA: Ambushing Hybrid Homomorphic Encryption Schemes with a Single Fault

Aikata Aikata, Graz University of Technology
Dhiman Saha, Indian Institute of Technology Bhilai
Sujoy Sinha Roy, Graz University of Technology

Abstract

The rising tide of data breaches targeting large data storage centres and servers has raised serious privacy and security concerns. Homomorphic Encryption schemes offer an effective defence against such attacks, but their adoption is hindered by substantial computational and communication overhead, both on the server and client sides. This challenge led to the development of Hybrid Homomorphic Encryption (HHE) schemes to reduce the cost of client-side computation and communication. Despite the existence of a multitude of HHE schemes in the literature, their security analysis is still in its infancy, especially in the context of physical attacks like Differential Fault Analysis (DFA). This work aims to address this critical gap for HHE schemes defined over prime fields (Fp-HHE) by introducing, implementing and validating SASTA, the first DFA on Fp-HHE and the first nonce-respecting FA over any HHE scheme. In this pursuit, we introduce a new nonce-respecting fault model (all current fault attacks on HHE schemes require a nonce-reuse), which leads to a unique attack that completely exploits both the asymmetric and symmetric facets of HHE. We target Fp-HHE schemes as they offer support for integer or real arithmetic, enabling more versatile applications, like machine learning, and better performance. The fault model benefits from what we call the mirror-effect, which allows the attack to work both on the client and the server. Our analysis reveals a significant vulnerability: a single fault within the Keccak permutation, employed as an extendable output function, results in complete key recovery for the Pasta HHE scheme. Moreover, this vulnerability extends to other HHE schemes, including Rasta, Masta, and Hera, amplifying the scope and impact of SASTA. For experimental validation, we mount an actual fault attack using a ChipWhisperer-Lite board on the Keccak permutation. Following this, we also discuss the conventional countermeasures to defend against SASTA.
Overall, SASTA constitutes the first nonce-respecting FA of HHE that offers new insights into how server-side or client-side computations can be manipulated for Fp-HHE schemes to recover the entire key with just a single fault. This work reaffirms the orthogonality of convenience and attack vulnerability and should contribute to the landscape of future HHE schemes.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Hybrid Homomorphic Encryption, Differential Fault Attack, Pasta, Rasta, Masta, Hera, Rubato, Single Fault
Contact author(s)
aikata @ iaik tugraz at
dhiman @ iitbhilai ac in
sujoy sinharoy @ iaik tugraz at
History
2024-01-12: approved
2024-01-10: received
Short URL
https://ia.cr/2024/041
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/041,
      author = {Aikata Aikata and Dhiman Saha and Sujoy Sinha Roy},
      title = {SASTA: Ambushing Hybrid Homomorphic Encryption Schemes with a Single Fault},
      howpublished = {Cryptology ePrint Archive, Paper 2024/041},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/041}},
      url = {https://eprint.iacr.org/2024/041}
}