[Resource Topic] 2022/1741: Demystifying the comments made on “A Practical Full Key Recovery Attack on TFHE and FHEW by Inducing Decryption Errors”

Welcome to the resource topic for 2022/1741

Demystifying the comments made on “A Practical Full Key Recovery Attack on TFHE and FHEW by Inducing Decryption Errors”

Authors: Bhuvnesh Chaturvedi, Anirban Chakraborty, Ayantika Chatterjee, Debdeep Mukhopadhyay


Fully Homomorphic Encryption (FHE) allows computations on encrypted data without the need for decryption. Therefore, in the world of cloud computing, FHE provides an essential means for users to garner different computational services from potentially untrusted servers while keeping sensitive data private. In such a context, the security and privacy guarantees of well-known FHE schemes become paramount. In a research article, we (Chaturvedi et al., ePrint 2022/1563) have shown that popular FHE schemes like TFHE and FHEW are vulnerable to CVO (Ciphertext Verification Oracle) attacks, which belong to the family of “reaction attacks” [6]. We show, for the first time, that feedback from the client (user) can be craftily used by the server to extract the error (noise) associated with each computed ciphertext. Once the errors for some m ciphertexts (m > n, where n = key size) are retrieved, the original secret key can be trivially leaked using the standard Gaussian Elimination method. The results in the paper (Chaturvedi et al., ePrint 2022/1563) show that FHE schemes should be subjected to further security evaluations, specifically in the context of system-wide implementation, such that CVO-based attacks can be eliminated. Quite recently, Michael Walter published a document (ePrint 2022/1722), claiming that the timing channel we used in our work (Chaturvedi et al., ePrint 2022/1563) “are false”. In this document, we debunk this claim and explain how we use the timing channel to improve the CVO attack. We explain that the CVO-based attack technique we proposed in the paper (Chaturvedi et al., ePrint 2022/1563) is a result of careful selection of perturbation values and the first work in the literature that showed reaction-based attacks are possible in the context of present FHE schemes in a realistic cloud setting. We further argue that for an attacker, any additional information that can aid a particular attack shall be considered as leakage and must be dealt with due importance to stymie the attack.

ePrint: https://eprint.iacr.org/2022/1741
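The key-recovery step the abstract refers to (errors known for m > n ciphertexts, then Gaussian elimination) carried out in a toy LWE setting, as an added example that is not the paper's or this post's code. The modulus, dimensions and noise range are constructed toy values rather than TFHE/FHEW parameters (a prime modulus keeps elimination a plain field operation), and the second call shows why the per-ciphertext error, not the public ciphertext components, is what protects the key.

```python
import random

# Toy parameters, not TFHE/FHEW's real ones: a prime modulus keeps
# Gaussian elimination a plain field operation.
Q = 7681
N = 16           # secret-key length n
M = 20           # number of ciphertexts m, with m > n as in the abstract


def gauss_solve_mod(A, y, q):
    """Solve A x = y (mod q), q prime. Returns None if A is rank-deficient
    (too few independent samples) or the system is inconsistent."""
    m, n = len(A), len(A[0])
    R = [row[:] + [y[i]] for i, row in enumerate(A)]  # augmented matrix
    for col in range(n):
        p = next((r for r in range(col, m) if R[r][col] % q), None)
        if p is None:
            return None
        R[col], R[p] = R[p], R[col]
        inv = pow(R[col][col], -1, q)
        R[col] = [(v * inv) % q for v in R[col]]
        for r in range(m):
            if r != col and R[r][col]:
                f = R[r][col]
                R[r] = [(R[r][k] - f * R[col][k]) % q for k in range(n + 1)]
    if any(R[r][n] for r in range(n, m)):
        return None          # leftover rows contradict: unmodelled noise present
    return [R[r][n] for r in range(n)]


def lwe_samples(s, m, q, rng):
    """Constructed LWE-style ciphertexts (a_i, b_i) with their errors e_i,
    b_i = <a_i, s> + e_i mod q. The e_i are what a CVO attack extracts."""
    out = []
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(len(s))]
        e = rng.randint(-3, 3)                        # small toy noise
        b = (sum(x * y for x, y in zip(a, s)) + e) % q
        out.append((a, b, e))
    return out


def recover_key(samples, q, errors_known):
    """With e_i known, A s = b - e is an exact linear system in s.
    Without them the same system is noisy and elimination fails."""
    A = [a for a, _, _ in samples]
    y = [(b - e) % q if errors_known else b for _, b, e in samples]
    return gauss_solve_mod(A, y, q)


def demo(seed=1):
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(N)]          # binary secret, as in TFHE
    samples = lwe_samples(s, M, Q, rng)
    return s, recover_key(samples, Q, True), recover_key(samples, Q, False)
```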


Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.