Paper 2024/1159

LaPSuS – A Lattice-Based Private Stream Aggregation Scheme under Scrutiny

Johannes Ottenhues, University of St. Gallen
Alexander Koch, National Council for Scientific Research, Université Paris Cité, IRIF
Abstract

Private Stream Aggregation (PSA) allows clients to send encryptions of their private values to an aggregator that is then able to learn the sum of these values but nothing else. It has since found many applications in practice, e.g. for smart metering or federated learning. In 2018, Becker et al. proposed the first lattice-based PSA scheme LaPS (NDSS 2018), with putative post-quantum security, which has subsequently been patented. In this paper, we describe two attacks on LaPS that break the claimed aggregator obliviousness security notion, where the second attack even allows to recover the secret keys of the clients, given enough encryptions. Moreover, we review the PSA literature for other occurrences of the responsible flawed proof steps. By explicitly tracking down and discussing these flaws, we clarify and hope to contribute to the literature on PSA schemes, in order to prevent further insecure schemes in practice. Finally, we point out that a Real-or-Random variant of the security notion that is often used as a substitute to make proofs easier, is not well-defined and potentially weaker than the standard PSA security notion. We propose a well defined variant and show that it is equivalent to the standard security notion of PSA under mild assumptions.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Major revision. SCN 2024
Keywords
Security NotionsPrivate Stream AggregationCryptanalysisAggregate Statistics
Contact author(s)
johannes ottenhues @ posteo org
alexander koch @ irif fr
History
2024-07-19: approved
2024-07-17: received
See all versions
Short URL
https://ia.cr/2024/1159
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX

@misc{cryptoeprint:2024/1159,
      author = {Johannes Ottenhues and Alexander Koch},
      title = {{LaPSuS} – A Lattice-Based Private Stream Aggregation Scheme under Scrutiny},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1159},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1159}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.