Table of Contents
Fetching ...

Side Channel Analysis in Homomorphic Encryption

Baraq Ghaleb, William J Buchanan

TL;DR

This work surveys side-channel threats in fully and partially homomorphic encryption, emphasizing lattice-based HE schemes (e.g., BFV/BGV and CKKS) and libraries such as SEAL and OpenFHE. It catalogs SCA categories and presents real-world case studies showing how single-trace measurements or induced decryption errors can compromise keys or plaintext, exemplified by attacks that reduce security levels from $2^{128}$ to $2^{4.4}$ and require only a handful of queries. The paper then discusses mitigation strategies, notably constant-time implementations, masking/blinding, and shuffling/randomization, and highlights the need for hardened HE libraries in privacy-preserving cloud and ML deployments. Overall, it underscores that practical HE deployments face non-mathematical vulnerabilities in implementations, which must be addressed to realize secure in-process encrypted computation.

Abstract

Homomorphic encryption provides many opportunities for privacy-aware processing, including with methods related to machine learning. Many of our existing cryptographic methods have been shown in the past to be susceptible to side channel attacks. With these, the implementation of the cryptographic methods can reveal information about the private keys used, the result, or even the original plaintext. An example of this includes the processing of the RSA exponent using the Montgomery method, and where 0's and 1's differ in their processing time for modular exponentiation. With FHE, we typically use lattice methods, and which can have particular problems in their implementation in relation to side channel leakage. This paper aims to outline a range of weaknesses within FHE implementations as related to side channel analysis. It outlines a categorization for side-channel analysis, some case studies, and mitigation strategies.

Side Channel Analysis in Homomorphic Encryption

TL;DR

This work surveys side-channel threats in fully and partially homomorphic encryption, emphasizing lattice-based HE schemes (e.g., BFV/BGV and CKKS) and libraries such as SEAL and OpenFHE. It catalogs SCA categories and presents real-world case studies showing how single-trace measurements or induced decryption errors can compromise keys or plaintext, exemplified by attacks that reduce security levels from to and require only a handful of queries. The paper then discusses mitigation strategies, notably constant-time implementations, masking/blinding, and shuffling/randomization, and highlights the need for hardened HE libraries in privacy-preserving cloud and ML deployments. Overall, it underscores that practical HE deployments face non-mathematical vulnerabilities in implementations, which must be addressed to realize secure in-process encrypted computation.

Abstract

Homomorphic encryption provides many opportunities for privacy-aware processing, including with methods related to machine learning. Many of our existing cryptographic methods have been shown in the past to be susceptible to side channel attacks. With these, the implementation of the cryptographic methods can reveal information about the private keys used, the result, or even the original plaintext. An example of this includes the processing of the RSA exponent using the Montgomery method, and where 0's and 1's differ in their processing time for modular exponentiation. With FHE, we typically use lattice methods, and which can have particular problems in their implementation in relation to side channel leakage. This paper aims to outline a range of weaknesses within FHE implementations as related to side channel analysis. It outlines a categorization for side-channel analysis, some case studies, and mitigation strategies.
Paper Structure (34 sections, 14 equations, 6 figures, 1 algorithm)

This paper contains 34 sections, 14 equations, 6 figures, 1 algorithm.

Figures (6)

  • Figure 1: Possible side channels of a cryptographic device during an encryption strobel2009side.
  • Figure 2: Observing RSA key bits using power analysis: The left peak shows the power consumption during the squaring-only step, the right (broader) peak shows the multiplication step, allowing exponent bits 0 and 1 to be distinguished power_image.
  • Figure 3: Asymmetric encryption (public key)
  • Figure 4: Symmetric encryption
  • Figure 5: Bootstrapping
  • ...and 1 more figures