Submission No.: 0161
Section: Contributed Talk
Session: (CR) Cryptography (CR)
Time: 19th-A-11:10 -- 11:30
Title (Eng.): Attacks against the IND-CPA$^D$ security of exact FHE schemes
Author(s): Jung Hee Cheon (1), Hyeongmin Choe (2), Alain Passelègue (3), Damien Stehlé (3), Elias Suvanto (4)
Affiliations: (1) Seoul National University / CryptoLab Inc., (2) Seoul National University, (3) CryptoLab Inc., (4) CryptoLab Inc. / University of Luxembourg
Abstract: A new security model for fully homomorphic encryption (FHE), called IND-CPA$^D$ security and introduced by Li and Micciancio [Eurocrypt'21], strengthens IND-CPA security by giving the attacker access to a decryption oracle for ciphertexts for which it should know the underlying plaintexts. This includes ciphertexts that it (honestly) encrypted and those obtained from the latter by evaluating circuits that it chose. Li and Micciancio singled out the CKKS FHE scheme for approximate data [Asiacrypt'17] by giving an IND-CPA$^D$ attack on it and (erroneously) claiming that IND-CPA security and IND-CPA$^D$ security coincide for FHEs on exact data.

We correct the widespread belief according to which IND-CPA$^D$ attacks are specific to approximate homomorphic computations. Indeed, the equivalence formally proved by Li and Micciancio assumes that the schemes are not only exact but have a negligible probability of incorrect decryption. However, almost all competitive implementations of exact FHE schemes give away strong correctness by analyzing correctness heuristically and allowing noticeable probabilities of incorrect decryption.

We exploit this imperfect correctness to mount efficient indistinguishability and key-recovery attacks against all major exact FHE schemes. We illustrate their strength by concretely breaking the default BFV implementation of OpenFHE and simulating an attack for the default parameter set of the CGGI implementation of TFHE-rs (the attack is too expensive to be run on commodity desktops, because of the cost of CGGI bootstrapping). Our attacks extend to threshold versions of the exact FHE schemes, when the correctness is similarly loose.
MSC number(s): 94A60
Keyword(s): Fully homomorphic encryption, IND-CPA, IND-CPA$^D$, key recovery attack
Language of Session (Talk): Korean