[Resource Topic] 2023/1800: Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions

Welcome to the resource topic for 2023/1800

Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions

Authors: Fukang Liu, Abul Kalam, Santanu Sarkar, Willi Meier


Fully homomorphic encryption (FHE) is an advanced cryptography technique to allow computations (i.e., addition and multiplication) over encrypted data. After years of effort, the performance of FHE has been significantly improved and it has moved from theory to practice. The transciphering framework is another important technique in FHE to address the issue of ciphertext expansion and reduce the client-side computational overhead. Motivated by this framework, several FHE-friendly symmetric-key primitives have been proposed since the publication of LowMC at EUROCRYPT 2015. To apply the transciphering framework to the CKKS scheme, a new transciphering framework called the Real-to-Finite-Field (RtF) framework and a corresponding FHE-friendly symmetric-key primitive called HERA were proposed at ASIACRYPT 2021. Although HERA has a very similar structure to AES, it is considerably different in the following aspects: 1) the power map x\mapsto x^3 is used as the S-box; 2) a randomized key schedule is used; 3) it is over a prime field \mathbb F_p with p>2^{16}. In this work, we perform the first third-party cryptanalysis of HERA, by showing how to mount new algebraic attacks with multiple collisions in the round keys. Specifically, according to the special way to randomize the round keys in HERA, we find it possible to peel off the last nonlinear layer by using collisions in the last-round key and a simple property of the power map. In this way, we could construct an overdefined system of equations of a much lower degree in the key, and efficiently solve the system via the linearization technique. As a result, for HERA with 192 and 256 bits of security, respectively, we could break some parameters under the same assumption made by designers that the algebra constant \omega for Gaussian elimination is \omega=2, i.e., Gaussian elimination on an n\times n matrix takes \mathcal{O}(n^{\omega}) field operations. If using more conservative choices like \omega\in\{2.8,3\}, our attacks can also successfully reduce the security margins of some variants of \hera to only 1 round. However, the security of HERA with 80 and 128 bits of security is not affected by our attacks due to the high cost to find multiple collisions. In any case, our attacks reveal a weakness of HERA caused by the randomized key schedule and its small state size.

ePrint: https://eprint.iacr.org/2023/1800

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .