Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions

Fukang Liu, Abul Kalam, Santanu Sarkar, Willi Meier
{"title":"Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions","authors":"Fukang Liu, Abul Kalam, Santanu Sarkar, Willi Meier","doi":"10.46586/tosc.v2024.i1.214-233","DOIUrl":null,"url":null,"abstract":"Fully homomorphic encryption (FHE) is an advanced cryptography technique to allow computations (i.e., addition and multiplication) over encrypted data. After years of effort, the performance of FHE has been significantly improved and it has moved from theory to practice. The transciphering framework is another important technique in FHE to address the issue of ciphertext expansion and reduce the client-side computational overhead. To apply the transciphering framework to the CKKS FHE scheme, a new transciphering framework called the Real-to-Finite-Field (RtF) framework and a corresponding FHE-friendly symmetric-key primitive called HERA were proposed at ASIACRYPT 2021. Although HERA has a very similar structure to AES, it is considerably different in the following aspects: 1) the power map x → x3 is used as the S-box; 2) a randomized key schedule is used; 3) it is over a prime field Fp with p > 216. In this work, we perform the first third-party cryptanalysis of HERA, by showing how to mount new algebraic attacks with multiple collisions in the round keys. Specifically, according to the special way to randomize the round keys in HERA, we find it possible to peel off the last nonlinear layer by using collisions in the last-round key and a simple property of the power map. In this way, we could construct an overdefined system of equations of a much lower degree in the key, and efficiently solve the system via the linearization technique. As a esult, for HERA with 192 and 256 bits of security, respectively, we could break some parameters under the same assumption made by designers that the algebra constant ω for Gaussian elimination is ω = 2, i.e., Gaussian elimination on an n × n matrix takes O(nω) field operations. If using more conservative choices like ω ∈ {2.8, 3}, our attacks can also successfully reduce the security margins of some variants of HERA to only 1 round. However, the security of HERA with 80 and 128 bits of security is not affected by our attacks due to the high cost to find multiple collisions. In any case, our attacks reveal a weakness of HERA caused by the randomized key schedule and its small state size.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"108 23","pages":"1800"},"PeriodicalIF":0.0000,"publicationDate":"2024-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tosc.v2024.i1.214-233","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Fully homomorphic encryption (FHE) is an advanced cryptography technique to allow computations (i.e., addition and multiplication) over encrypted data. After years of effort, the performance of FHE has been significantly improved and it has moved from theory to practice. The transciphering framework is another important technique in FHE to address the issue of ciphertext expansion and reduce the client-side computational overhead. To apply the transciphering framework to the CKKS FHE scheme, a new transciphering framework called the Real-to-Finite-Field (RtF) framework and a corresponding FHE-friendly symmetric-key primitive called HERA were proposed at ASIACRYPT 2021. Although HERA has a very similar structure to AES, it is considerably different in the following aspects: 1) the power map x → x3 is used as the S-box; 2) a randomized key schedule is used; 3) it is over a prime field Fp with p > 216. In this work, we perform the first third-party cryptanalysis of HERA, by showing how to mount new algebraic attacks with multiple collisions in the round keys. Specifically, according to the special way to randomize the round keys in HERA, we find it possible to peel off the last nonlinear layer by using collisions in the last-round key and a simple property of the power map. In this way, we could construct an overdefined system of equations of a much lower degree in the key, and efficiently solve the system via the linearization technique. As a esult, for HERA with 192 and 256 bits of security, respectively, we could break some parameters under the same assumption made by designers that the algebra constant ω for Gaussian elimination is ω = 2, i.e., Gaussian elimination on an n × n matrix takes O(nω) field operations. If using more conservative choices like ω ∈ {2.8, 3}, our attacks can also successfully reduce the security margins of some variants of HERA to only 1 round. However, the security of HERA with 80 and 128 bits of security is not affected by our attacks due to the high cost to find multiple collisions. In any case, our attacks reveal a weakness of HERA caused by the randomized key schedule and its small state size.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
利用多重碰撞对 FHE 友好密码 HERA 的代数攻击
全同态加密(FHE)是一种先进的加密技术,允许在加密数据上进行计算(即加法和乘法)。经过多年的努力,全同态加密的性能已得到显著提高,并已从理论走向实践。反加密框架是 FHE 的另一项重要技术,可解决密文扩展问题并减少客户端计算开销。为了将转密框架应用于 CKKS FHE 方案,在 2021 年的 ASIACRYPT 会议上提出了一种名为实到有限域(RtF)框架的新转密框架,以及相应的 FHE 友好对称密钥基元 HERA。尽管 HERA 的结构与 AES 非常相似,但在以下方面却有很大不同:1)使用幂映射 x → x3 作为 S 盒;2)使用随机密钥时间表;3)在质数域 Fp 上进行,p > 216。在这项工作中,我们首次对 HERA 进行了第三方密码分析,展示了如何利用轮密钥中的多次碰撞发动新的代数攻击。具体来说,根据 HERA 中随机化轮密钥的特殊方法,我们发现可以利用最后一轮密钥中的碰撞和幂图的一个简单属性来剥离最后一层非线性层。这样,我们就可以在密钥中构建一个度数更低的超定义方程组,并通过线性化技术高效地求解该方程组。结果,对于分别具有 192 位和 256 位安全性的 HERA,我们可以在设计者所做的相同假设下破解一些参数,即高斯消元法的代数常数 ω = 2,也就是说,对 n × n 矩阵进行高斯消元法需要 O(nω) 次场运算。如果使用ω∈{2.8, 3}这样更保守的选择,我们的攻击也能成功地将 HERA 某些变体的安全系数降低到只有 1 轮。然而,由于发现多次碰撞的成本很高,我们的攻击不会影响具有 80 和 128 比特安全系数的 HERA 的安全性。无论如何,我们的攻击揭示了 HERA 的一个弱点,即随机密钥安排和较小的状态大小。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Synchronous Distributed Key Generation without Broadcasts Optimizing and Implementing Fischlin's Transform for UC-Secure Zero-Knowledge A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers Efficient isochronous fixed-weight sampling with applications to NTRU Decentralized Multi-Client Functional Encryption with Strong Security
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1