Cryptanalysis on Lightweight Verifiable Homomorphic Encryption

Jung Hee Cheon, Daehyun Jang

TL;DR

The paper analyzes lightweight verifiable homomorphic encryption schemes that embed verification data within ciphertexts to achieve efficient verifiability, focusing on REP, PE, vADDG, and VERITAS. It reveals practical forgery attacks that exploit homomorphic capabilities to recover secret encoding information (such as the replication index set $S$ or the interpolation parameter $\boldsymbol{\nu}$) and then craft cheating circuits to produce valid-looking results for incorrect functions, often with non-negligible probability or even 100% success under certain settings. By constructing both generic and parameter-sensitive attacks, the authors show that the claimed security of these lightweight schemes can be substantially weaker than advertised, with concrete attacks on vADDG (80-bit parameter sets yield far less than 80-bit security), REP, and REP$^{\text{msk}}$, and a vulnerability in PE via ReQ-based deep circuits. The work argues for more robust verifiability mechanisms beyond embedding secrets in ciphertexts, highlights the trade-offs between depth, outsourcing, and security, and calls for further research into hardening VHE against homomorphic forgery and into formal reductions tying HE confidentiality to integrity. Overall, the paper provides a rigorous demonstration that lightweight approaches to verifiable HE can be structurally insecure and require substantial redesign to achieve real-world security guarantees.

Abstract

Verifiable Homomorphic Encryption (VHE) is a cryptographic technique that integrates Homomorphic Encryption (HE) with Verifiable Computation (VC). It serves as a crucial technology for ensuring both privacy and integrity in outsourced computation, where a client sends input ciphertexts ct and a function f to a server and verifies the correctness of the evaluation upon receiving the evaluation result f(ct) from the server. At CCS, Chatel et al. introduced two lightweight VHE schemes: Replication Encoding (REP) and Polynomial Encoding (PE). A similar approach to REP was used by Albrecht et al. in Eurocrypt to develop a Verifiable Oblivious PRF scheme (vADDG). A key approach in these schemes is to embed specific secret information within HE ciphertexts to verify homomorphic evaluations. This paper presents efficient attacks that exploit the homomorphic properties of encryption schemes. One strategy is to retrieve the secret information, still in encrypted form, from the input ciphertexts and then leverage it to modify the resulting ciphertext without being detected by the verification algorithm. The other is to exploit the secret embedding structure to modify the evaluation function f into an f' that still behaves correctly on the input values used for verification. Our forgery attack on vADDG demonstrates that the proposed 80-bit security parameters in fact offer less than 10 bits of concrete security. Our attack on REP and PE succeeds with probability 1 and linear time complexity when using fully homomorphic encryption.
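The first attack strategy above, as an added illustration that is not part of the original page and not the paper's own REP definition or attack code: a toy plaintext-level model of a replication-style encoding in which a client-secret index set S of slots carries the message and the remaining slots carry client-known random challenges (an assumption about the encoding, abstracted from the summary), followed by the "find common values among n slots" step of Figure 2. Homomorphic slot-wise and cross-slot operations are modelled as plaintext operations, because the server can evaluate the same circuit under FHE without ever decrypting; the plaintext equality test stands in for an encrypted equality circuit. The modulus, slot counts, and the functions f and g are constructed for the example.

```python
"""Toy model of a replication-style verifiable encoding and of the homomorphic
'find common values among n slots' forgery sketched in the summary.
Constructed for illustration only; not the paper's REP scheme or attack code."""
import random
from dataclasses import dataclass

P = 65537  # assumed toy plaintext modulus (prime); real parameters are far larger


@dataclass(frozen=True)
class Encoded:
    slots: tuple        # n plaintext slots, standing in for one SIMD ciphertext
    S: frozenset        # secret replication index set, kept by the client
    challenges: dict    # slot index -> client-known random challenge value


def encode(m, n, k, rng):
    """Client side: replicate m into k secret slots, fill the rest with fresh random challenges.
    Only `slots` reaches the server (encrypted); S and the challenges never leave the client."""
    S = frozenset(rng.sample(range(n), k))
    slots, chall = [], {}
    for i in range(n):
        if i in S:
            slots.append(m % P)
        else:
            r = rng.randrange(P)
            chall[i] = r
            slots.append(r)
    return Encoded(tuple(slots), S, chall)


def verify(enc, f, out):
    """Client side: accept iff every challenge slot holds f(challenge) and all replicated
    slots agree. Returns the believed value of f(m), or None on rejection."""
    for i, r in enc.challenges.items():
        if out[i] != f(r) % P:
            return None
    vals = {out[i] for i in enc.S}
    return vals.pop() if len(vals) == 1 else None


def honest_eval(enc, f):
    """Honest server: apply f slot-wise."""
    return tuple(f(x) % P for x in enc.slots)


def recover_index_set(slots):
    """Server side: a slot whose value also appears in another slot is (almost surely) a
    replication slot, since challenges are fresh random values. Under FHE this is an
    encrypted equality circuit yielding encrypted 0/1 masks; plaintext equality stands in."""
    return frozenset(i for i, x in enumerate(slots) if slots.count(x) > 1)


def forge_eval(enc, f, g):
    """Malicious server: f on slots that look like challenges, g on slots that look replicated.
    The challenge checks pass while the result slots carry g(m) instead of f(m)."""
    S_hat = recover_index_set(enc.slots)
    return tuple((g(x) if i in S_hat else f(x)) % P for i, x in enumerate(enc.slots))


F = lambda x: 3 * x + 7   # requested function (constructed)
G = lambda x: 3 * x + 8   # cheating function, differs from F on every input


def run_single(m=12345, n=8, k=4, seed=3):
    """One instance: (honest accepted value, forged accepted value, f(m), g(m), S recovered?)."""
    enc = encode(m, n, k, random.Random(seed))
    honest = verify(enc, F, honest_eval(enc, F))
    forged = verify(enc, F, forge_eval(enc, F, G))
    return honest, forged, F(m) % P, G(m) % P, recover_index_set(enc.slots) == enc.S


def forgery_success_rate(trials=1000, n=8, k=4, seed=1):
    """Fraction of random instances where the forged output is accepted with value g(m).
    The only failures are value collisions (a challenge equal to m or to another challenge),
    which happen with probability roughly n^2 / P per instance in this toy model."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        m = rng.randrange(P)
        enc = encode(m, n, k, rng)
        ok += verify(enc, F, forge_eval(enc, F, G)) == G(m) % P
    return ok / trials
```

Two things the model makes visible. With k = 1 the recovery step finds nothing and the server is forced to apply f everywhere, so it is the replication itself, not any weakness of the underlying HE, that leaks S to a homomorphic equality circuit. And the example assumes the server can afford that exact circuit, i.e. fully homomorphic evaluation; the page's separate result for REP under SHE concerns a depth-limited (bootstrapping-depth-one) variant whose success is probabilistic rather than certain, which this model does not reproduce.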

Paper Structure

This paper contains 61 sections, 14 theorems, 38 equations, 4 figures, 1 table, 4 algorithms.

Key Result

Theorem. For a given parameter $(\alpha, \beta, \nu)$, the expected probability that the bootstrapping-depth-one circuit in the algorithm Attack against REP under SHE successfully forges the output is over all random inputs.

Figures (4)

  • Figure 1: Workflow of the Homomorphic PRF suggested in cryptoeprint:PRF. The superscripted $\mathsf{sk}$ (resp. $\mathsf{sk'}$) denotes that the secret key is $\mathsf{sk}$ (resp. $\mathsf{sk'}$). $\bf k$ is the PRF key.
  • Figure 2: Finding Common Values among $n$ Slots.
  • Figure 3: An Overview of Homomorphic Forgery on Lightweight VHE. $f$ and $g$ denote the requested circuit and a malicious circuit, respectively.
  • Figure :

Theorems & Definitions (28)

  • Definition: Homomorphic Encryption
  • Definition: $\delta$-Correctness
  • Definition
  • Definition: $\delta$-Completeness
  • Definition: Security against Malicious Adversary, modified from vFHE
  • Definition: Security against Covert Adversaries, informal
  • Theorem
  • Proof
  • Corollary
  • Theorem
  • ...and 18 more