skip to main content

Explore Research Products in the NSF-PAR

Title: On the Security of Homomorphic Encryption on Approximate Numbers
We present passive attacks against CKKS, the homomorphic encryption scheme for arithmetic on approximate numbers presented at Asiacrypt 2017. The attack is both theoretically efficient (running in expected polynomial time) and very practical, leading to complete key recovery with high probability and very modest running times. We implemented and tested the attack against major open source homomorphic encryption libraries, including HEAAN, SEAL, HElib and PALISADE, and when computing several functions that often arise in applications of the CKKS scheme to machine learning on encrypted data, like mean and variance computations, and approximation of logistic and exponential functions using their Maclaurin series. The attack shows that the traditional formulation of IND-CPA security (or indistinguishability against chosen plaintext attacks) achieved by CKKS does not adequately capture security against passive adversaries when applied to approximate encryption schemes, and that a different, stronger definition is required to evaluate the security of such schemes. We provide a solid theoretical basis for the security evaluation of homomorphic encryption on approximate numbers (against passive attacks) by proposing new definitions, that naturally extend the traditional notion of IND-CPA security to the approximate computation setting. We propose both indistinguishability-based and simulation-based variants, as well as restricted versions of the definitions that limit the order and number of adversarial queries (as may be enforced by some applications). We prove implications and separations among different definitional variants, and discuss possible modifications to CKKS that may serve as a countermeasure to our attacks.  more » « less
Award ID(s):
1936703
NSF-PAR ID:
10340712
Author(s) / Creator(s):
;
Editor(s):
Canteaut, A.; Standaert, F.
Date Published:
Journal Name:
Advances in Cryptology – EUROCRYPT 2021
Volume:
LNCS 12696
Page Range / eLocation ID:
648 - 677
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ( , International Conference on the Theory and Application of Cryptology and Information Security)
    null (Ed.)
    Updatable encryption (UE) is an attractive primitive, which allows the secret key of the outsourced encrypted data to be updated to a fresh one periodically. Several elegant works exist studying various security properties. We notice several major issues in existing security models of (ciphertext dependent) updatable encryption, in particular, integrity and CCA security. The adversary in the models is only allowed to request the server to re-encrypt honestly generated ciphertext, while in practice, an attacker could try to inject arbitrary ciphertexts into the server as she wishes. Those malformed ciphertext could be updated and leveraged by the adversary and cause serious security issues. In this paper, we fill the gap and strengthen the security definitions in multiple aspects: most importantly our integrity and CCA security models remove the restriction in previous models and achieve standard notions of integrity and CCA security in the setting of updatable encryption. Along the way, we refine the security model to capture post-compromise security and enhance the re-encryption indistinguishability to the CCA style. Guided by the new models, we provide a novel construction ReCrypt+, which satisfies our strengthened security definitions. The technical building block of homomorphic hash from a group may be of independent interests. We also study the relations among security notions; and a bit surprisingly, the folklore result in authenticated encryption that IND-CPA plus ciphertext integrity imply IND-CCA security does not hold for ciphertext dependent updatable encryption. 
    more » « less
  2. ; ; ; ( , Theory of Quantum Computing, Communication, and Cryptography 2019)
    Large-scale quantum computing is a significant threat to classical public-key cryptography. In strong "quantum access" security models, numerous symmetric-key cryptosystems are also vulnerable. We consider classical encryption in a model which grants the adversary quantum oracle access to encryption and decryption, but where the latter is restricted to non-adaptive (i.e., pre-challenge) queries only. We define this model formally using appropriate notions of ciphertext indistinguishability and semantic security (which are equivalent by standard arguments) and call it QCCA1 in analogy to the classical CCA1 security model. Using a bound on quantum random-access codes, we show that the standard PRF- and PRP-based encryption schemes are QCCA1-secure when instantiated with quantum-secure primitives. We then revisit standard IND-CPA-secure Learning with Errors (LWE) encryption and show that leaking just one quantum decryption query (and no other queries or leakage of any kind) allows the adversary to recover the full secret key with constant success probability. In the classical setting, by contrast, recovering the key uses a linear number of decryption queries, and this is optimal. The algorithm at the core of our attack is a (large-modulus version of) the well-known Bernstein-Vazirani algorithm. We emphasize that our results should *not* be interpreted as a weakness of these cryptosystems in their stated security setting (i.e., post-quantum chosen-plaintext secrecy). Rather, our results mean that, if these cryptosystems are exposed to chosen-ciphertext attacks (e.g., as a result of deployment in an inappropriate real-world setting) then quantum attacks are even more devastating than classical ones. 
    more » « less
  3. ; ; ( , Eurocrypt 2018)
    We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i) ciphertext unforgeability, (ii) indistinguishability under adaptive chosen-ciphertext attack, and (iii) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies INT-CTXT , (ii) implies IND-CCA2 , and (iii) implies AE . All of our new notions also imply QIND-CPA privacy. Combining one-time authentication and classical pseudorandomness, we construct symmetric-key quantum encryption schemes for each of these new security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts. 
    more » « less
  4. ; ; ; ; ; ( , Cryptography)
    null (Ed.)
    Electronic money (e-money or e-Cash) is the digital representation of physical banknotes augmented by added use cases of online and remote payments. This paper presents a novel, anonymous e-money transaction protocol, built based on physical unclonable functions (PUFs), titled PUF-Cash. PUF-Cash preserves user anonymity while enabling both offline and online transaction capability. The PUF’s privacy-preserving property is leveraged to create blinded tokens for transaction anonymity while its hardware-based challenge–response pair authentication scheme provides a secure solution that is impervious to typical protocol attacks. The scheme is inspired from Chaum’s Digicash work in the 1980s and subsequent improvements. Unlike Chaum’s scheme, which relies on Rivest, Shamir and Adlemans’s (RSA’s) multiplicative homomorphic property to provide anonymity, the anonymity scheme proposed in this paper leverages the random and unique statistical properties of synthesized integrated circuits. PUF-Cash is implemented and demonstrated using a set of Xilinx Zynq Field Programmable Gate Arrays (FPGAs). Experimental results suggest that the hardware footprint of the solution is small, and the transaction rate is suitable for large-scale applications. An in-depth security analysis suggests that the solution possesses excellent statistical qualities in the generated authentication and encryption keys, and it is robust against a variety of attack vectors including model-building, impersonation, and side-channel variants. 
    more » « less
  5. ( , Cryptography)
    Electronic money (e‐money or e‐Cash) is the digital representation of physical banknotes augmented by added use cases of online and remote payments. This paper presents a novel, anonymous e‐money transaction protocol, built based on physical unclonable functions (PUFs), titled PUF‐Cash. PUF‐Cash preserves user anonymity while enabling both offline and online transaction capability. The PUF’s privacy‐preserving property is leveraged to create blinded tokens for transaction anonymity while its hardware‐based challenge–response pair authentication scheme provides a secure solution that is impervious to typical protocol attacks. The scheme is inspired from Chaum’s Digicash work in the 1980s and subsequent improvements. Unlike Chaum’s scheme, which relies on Rivest, Shamir and Adlemans’s (RSA’s) multiplicative homomorphic property to provide anonymity, the anonymity scheme proposed in this paper leverages the random and unique statistical properties of synthesized integrated circuits. PUF‐Cash is implemented and demonstrated using a set of Xilinx Zynq Field Programmable Gate Arrays (FPGAs). Experimental results suggest that the hardware footprint of the solution is small, and the transaction rate is suitable for large‐scale applications. An in‐depth security analysis suggests that the solution possesses excellent statistical qualities in the generated authentication and encryption keys, and it is robust against a variety of attack vectors including model‐building, impersonation, and side‐ channel variants. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email