[HN Gopher] Researchers can steal data during homomorphic encryp...
___________________________________________________________________

Researchers can steal data during homomorphic encryption

Author : sizzle
Score  : 32 points
Date   : 2022-03-04 20:18 UTC (2 hours ago)

(HTM) web link (news.ncsu.edu)
(TXT) w3m dump (news.ncsu.edu)

| blintz wrote:
| This is not a great headline. Side-channel attacks are possible
| on nearly any cryptographic or security-sensitive procedure. The
| paper doesn't show some kind of general vulnerability of
| homomorphic encryption (or lattice-based encryption), just a
| specific issue with a specific library. A more accurate headline
| would be "Exploitable side-channel leakage vulnerability in SEAL
| up to version 3.6". The cool contribution of the paper is that it
| does show how to leverage BKZ for this particular kind of leakage
| (which, over time, will probably occur eventually in other
| implementations of lattice-based cryptography).

| not2b wrote:
| I agree that this is an issue with this specific library. But
| well-designed cryptography code is written to be resistant to
| timing or power side channel attacks.

| mmastrac wrote:
| It's a side-channel attack on the encryption, not a break of
| homomorphic encryption:
|
| "We weren't able to crack homomorphic encryption using
| mathematical tools," says Aydin Aysu, senior author of a paper on
| the work and an assistant professor of computer engineering at
| North Carolina State University. "Instead, we used side-channel
| attacks. Basically, by monitoring power consumption in a device
| that is encoding data for homomorphic encryption, we are able to
| read the data as it is being encrypted. This demonstrates that
| even next generation encryption technologies need protection
| against side-channel attacks."

| azinman2 wrote:
| In which case you could also say the same thing about RSA
| encryption, or really anything. It's a pretty silly argument to
| make as rowhammer I'm sure could also "break" homomorphic
| encryption.
|
| Homomorphic encryption is really about the utility when it
| leaves the device, not at the encryption stage.

| not2b wrote:
| No, not "pretty much anything". Proper encryption code needs
| to be written so that the timing and power consumption do
| not depend on the data, to avoid these kinds of side channel
| attack. That usually means no conditional branches, so the
| same processor operations occur regardless of the ciphertext
| or the key.

| ChrisLomont wrote:
| >It's a pretty silly argument to make as rowhammer I'm sure
| could also "break" homomorphic encryption.
|
| There's no reason rowhammer should be able to break
| homomorphic encryption. Homomorphic encryption means at no
| point is the data on the machine unencrypted, so there is
| nothing to leak from RAM.
|
| >Homomorphic encryption is really about the utility when it
| leaves the device, not at the encryption stage.
|
| ???
|
| This makes no sense. Homomorphic encryption is used for a
| device to do computations on encrypted data without the
| device knowing what the encrypted data is.
|
| For example, computing the square of an integer that is
| homomorphically encrypted would not tell the device doing the
| computation what the original number is or what the square
| is. Encrypted data comes in, stays encrypted at all times, an
| algorithm does some operations on the encrypted data, and
| encrypted data is then sent out.
|
| This paper and attack are not about the encryption stage. The
| attack is on the operating on homomorphic data.

| CoastalCoder wrote:
| When talking about encryption techniques, I think we
| usually assume that the machine performing the encryption
| isn't compromised. I.e., keeping a machine uncompromised is
| a separate area of study / endeavor.
|
| What NC State achieved is cool, but it seems a bit like
| saying "Homomorphic encryption is broken when you can
| blackmail the sysadmin."

| [deleted]

| joshuamorton wrote:
| FTA:
|
| >Our proposed attack targets the Gaussian sampling in the
| SEAL's encryption phase
|
| It's literally about stealing the data from the encryptor,
| which is usually a trusted machine.

| azinman2 wrote:
| Exactly. Power consumption side channel attacks do
| nothing for devices operating on already encrypted data,
| because if they did, it would mean homomorphic encryption
| is fundamentally broken. The side channel attack is on
| the original encryptor.

| schoen wrote:
| It feels plausible to me that homomorphic encryption would be
| especially vulnerable to side-channel attacks because its
| schemes are so computation-heavy. I don't have a clear mental
| model for this, but it feels like there would be a lot of
| opportunities for attackers to detect data dependencies at the
| beginning of the process (if they have access to observe a
| relevant channel).

| karulont wrote:
| The encryption is data dependent. The homomorphic computation
| itself cannot be data dependent. Homomorphic encryption says
| that even if you see all the intermediate encrypted values,
| you will not know what the encrypted input or output value
| is. So side-channels do not matter for the computationally
| heavy evaluation part. In this paper they attacked the
| encryption part.
___________________________________________________________________
(page generated 2022-03-04 23:00 UTC)
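
The point in not2b's comment above about avoiding conditional branches, as an added example that is not part of the thread and is not SEAL's code: mapping a signed noise sample to a residue modulo q with a sign-dependent branch, next to a masked form that runs the same operations for either sign. The modulus `Q` and all function names are constructed for illustration, and noise values are assumed to satisfy |e| < Q.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed parameter for illustration; not a value taken from SEAL. */
#define Q 1032193ULL

/* Data-dependent branch: which path executes depends on the sign of the
 * secret noise value, so timing and power can differ per coefficient.
 * took_negative_path models what an observer of control flow learns. */
uint64_t encode_branchy(int64_t e, int *took_negative_path)
{
    if (e < 0) {
        *took_negative_path = 1;
        return Q - (uint64_t)(-e);
    }
    *took_negative_path = 0;
    return (uint64_t)e;
}

/* Branchless: the same instruction sequence for every input. */
uint64_t encode_masked(int64_t e)
{
    uint64_t u = (uint64_t)e;
    uint64_t mask = 0 - (u >> 63);  /* all ones iff e < 0, else zero */
    return u + (Q & mask);          /* wraps around to Q + e when e < 0 */
}

/* Counts how many sign bits the branchy version's control-flow trace
 * gives away, and reports whether both encoders produce equal output. */
size_t signs_revealed_by_trace(const int64_t *noise, size_t n, int *agree)
{
    size_t revealed = 0;
    *agree = 1;
    for (size_t i = 0; i < n; i++) {
        int path;
        uint64_t a = encode_branchy(noise[i], &path);
        uint64_t b = encode_masked(noise[i]);
        if (a != b)
            *agree = 0;
        if (path == (noise[i] < 0))
            revealed++;
    }
    return revealed;
}
```

Compilers can turn either form into the other, so the generated assembly still needs checking for the target and optimization level in use.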