[HN Gopher] Researchers can steal data during homomorphic encryp...
___________________________________________________________________
Researchers can steal data during homomorphic encryption
Author : sizzle
Score : 32 points
Date : 2022-03-04 20:18 UTC (2 hours ago)
(HTM) web link (news.ncsu.edu)
(TXT) w3m dump (news.ncsu.edu)
| blintz wrote:
| This is not a great headline. Side-channel attacks are possible
| on nearly any cryptographic or security-sensitive procedure. The
| paper doesn't show some kind of general vulnerability of
| homomorphic encryption (or lattice-based encryption), just a
| specific issue with a specific library. A more accurate headline
| would be "Exploitable side-channel leakage vulnerability in SEAL
| up to version 3.6". The cool contribution of the paper is that it
| does show how to leverage BKZ for this particular kind of leakage
| (which, over time, will probably occur eventually in other
| implementations of lattice-based cryptography).
| not2b wrote:
| I agree that this is an issue with this specific library. But
| well-designed cryptography code is written to be resistant to
| timing or power side channel attacks.
| mmastrac wrote:
| It's a side-channel attack on the encryption, not a break of
| homomorphic encryption:
|
| "We weren't able to crack homomorphic encryption using
| mathematical tools," says Aydin Aysu, senior author of a paper on
| the work and an assistant professor of computer engineering at
| North Carolina State University. "Instead, we used side-channel
| attacks. Basically, by monitoring power consumption in a device
| that is encoding data for homomorphic encryption, we are able to
| read the data as it is being encrypted. This demonstrates that
| even next generation encryption technologies need protection
| against side-channel attacks."
| azinman2 wrote:
| In which case you could also say the same thing about RSA
| encryption, or really anything. It's a pretty silly argument to
| make as rowhammer I'm sure could also "break" homomorphic
| encryption.
|
| Homomorphic encryption is really about the utility when it
| leaves the device, not at the encryption stage.
| not2b wrote:
| No, not "pretty much anything". Proper encryption code needs
| to be written so that the timing and power consumption do
| not depend on the data, to avoid these kinds of side channel
| attack. That usually means no conditional branches, so the
| same processor operations occur regardless of the ciphertext
| or the key.
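
The point above about avoiding data-dependent branches, as an added example that is not part of the thread and is not SEAL's code: mapping a signed noise sample into [0, Q) with a branch on its sign versus a branchless mask. The modulus `Q` and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample modulus for illustration; not a SEAL parameter. */
#define Q 12289u

/* Branchy: control flow depends on the sign of the secret noise sample e,
   so timing and power traces can differ between e < 0, e == 0 and e > 0. */
uint32_t encode_noise_branchy(int32_t e) {
    if (e > 0) return (uint32_t)e;
    if (e < 0) return Q - (uint32_t)(-e);
    return 0;
}

/* Branchless: the same instruction sequence runs for every value of e.
   mask is 0xFFFFFFFF when e is negative and 0 otherwise. Assumes |e| < Q. */
uint32_t encode_noise_ct(int32_t e) {
    uint32_t u = (uint32_t)e;          /* two's-complement bit pattern */
    uint32_t mask = 0u - (u >> 31);    /* sign bit expanded to a full mask */
    return u + (Q & mask);             /* adds Q only for negative e (mod 2^32) */
}

/* Checks that both encodings agree for every e in [-bound, bound]. */
int count_mismatches(int32_t bound) {
    int bad = 0;
    for (int32_t e = -bound; e <= bound; e++)
        bad += encode_noise_branchy(e) != encode_noise_ct(e);
    return bad;
}

int main(void) {
    printf("e=-3 -> %u, mismatches=%d\n",
           (unsigned)encode_noise_ct(-3), count_mismatches(64));
    return 0;
}
```

Compilers can reintroduce branches, so check the generated assembly. Removing branches addresses control-flow leakage only; power analysis of the operand values themselves typically calls for further countermeasures such as masking.
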
| ChrisLomont wrote:
| >It's a pretty silly argument to make as rowhammer I'm sure
| could also "break" homomorphic encryption.
|
| There's no reason rowhammer should be able to break
| homomorphic encryption. Homomorphic encryption means at no
| point is the data on the machine unencrypted, so there is
| nothing to leak from RAM.
|
| >Homomorphic encryption is really about the utility when it
| leaves the device, not at the encryption stage.
|
| ???
|
| This makes no sense. Homomorphic encryption is used for a
| device to do computations on encrypted data without the
| device knowing what the encrypted data is.
|
| For example, computing the square of an integer that is
| homomorphically encrypted would not tell the device doing the
| computation what the original number is or what the square
| is. Encrypted data comes in, stays encrypted at all times, an
| algorithm does some operations on the encrypted data, and
| encrypted data is then sent out.
|
| This paper and attack are not about the encryption stage. The
| attack is on operating on homomorphic data.
| CoastalCoder wrote:
| When talking about encryption techniques, I think we
| usually assume that the machine performing the encryption
| isn't compromised. I.e., keeping a machine uncompromised is
| a separate area of study / endeavor.
|
| What NC State achieved is cool, but it seems a bit like
| saying "Homomorphic encryption is broken when you can
| blackmail the sysadmin."
| [deleted]
| joshuamorton wrote:
| FTA:
|
| >Our proposed attack targets the Gaussian sampling in the
| SEAL's encryption phase
|
| It's literally about stealing the data from the encryptor,
| which is usually a trusted machine.
| azinman2 wrote:
| Exactly. Power consumption side channel attacks do
| nothing for devices operating on already encrypted data,
| because if they did, it would mean homomorphic encryption
| is fundamentally broken. The side channel attack is on
| the original encryptor.
| schoen wrote:
| It feels plausible to me that homomorphic encryption would be
| especially vulnerable to side-channel attacks because its
| schemes are so computation-heavy. I don't have a clear mental
| model for this, but it feels like there would be a lot of
| opportunities for attackers to detect data dependencies at the
| beginning of the process (if they have access to observe a
| relevant channel).
| karulont wrote:
| The encryption is data dependent. The homomorphic computation
| itself cannot be data dependent. Homomorphic encryption says
| that even if you see all the intermediate encrypted values,
| you will not know what the encrypted input or output value
| is. So side-channels do not matter for the computationally
| heavy evaluation part. In this paper they attacked the
| encryption part.
___________________________________________________________________
(page generated 2022-03-04 23:00 UTC)