Homomorphic encryption allows third parties and third-party technologies to conduct operations on encrypted data. Homomorphic encryption is appealing because it preserves data privacy but allows users to make use of the data. It is considered a next generation data security technology, but researchers have identified a vulnerability that could allow threat actors to steal data even as it is being encrypted.
“The first side-channel attack on homomorphic encryption”
A group of academics from North Carolina State University and Dokuz Eylul University have demonstrated “the first side-channel attack on homomorphic encryption” that could be exploited to leak data as the encryption process is underway.
“We weren’t able to crack homomorphic encryption using mathematical tools,” says Aydin Aysu, senior author of a paper on the work and an assistant professor of computer engineering at North Carolina State University. “Instead, we used side-channel attacks. Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted. This demonstrates that even next generation encryption technologies need protection against side-channel attacks.”
The paper, “RevEAL: Single-Trace Side-Channel Leakage of the SEAL Homomorphic Encryption Library,” will be presented on March 23 at the virtual DATE22 conference.
According to the paper abstract, the researchers “reveal a power-based side-channel leakage of Microsoft SEAL prior to v3.6 that implements the Brakerski/Fan-Vercauteren (BFV) protocol.” Microsoft has been a leader in homomorphic encryption and created the SEAL Homomorphic Encryption Library to facilitate research and development on homomorphic encryption by the broader research community.
The researchers noted that SEAL versions 3.6, released on December 3, 2020, and later use a different sampling algorithm, while warning that newer versions of the library may suffer from another vulnerability. “We’re not sure if this vulnerability will be addressed in the most recent versions—or if there may be new vulnerabilities that we haven’t identified in more recent versions,” Aysu says.
How the vulnerability works
“What we’ve found is that there is a way to ‘crack’ homomorphic encryption that is done using that library via a side-channel attack,” Aysu says. “We were able to do this with a single power measurement.”
A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm (e.g. cryptanalysis and software bugs). An attacker utilizes the data gained from monitoring patterns in physical parameters such as EMF radiation, power consumption, response times, and acoustic emissions during cryptographic operations performed by the system.
The vulnerability allows attackers to “listen” to the equipment performing data encryption and figure out if a 0 bit is being processed or a 1 bit. "It's a few lines in the software code that give out the data being executed on the device," Aysu explains. "This information allows us to use some fancy equations and figure out the secret messages being encrypted in a homomorphic encryption scheme."
To execute the attack, an adversary would need to be able to measure the power consumption of the device. That means the attacker would either need to be co-located or have the ability to remotely monitor power consumption on the device, the researchers explain.
An attacker wouldn't need to spend a whole lot of money or time to execute an attack via the vulnerability. The researchers at NC State, for instance, required equipment costing less than $1,000 and about an hour at most to execute the attacks in practice. However, these types of attacks are well beyond the capabilities of the average attacker. "These are hard attacks to execute [that] need Ph.D.-level knowledge."
To mitigate this vulnerability, the researchers “encourage countermeasures based on shuffling and better software coding practices to eliminate conditional executions on sensitive values.”
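What "eliminating conditional executions on sensitive values" looks like in practice, as an added illustration that is not code from SEAL or from the paper. It assumes the sensitive value is a small signed noise sample that has to be stored as a residue modulo `q`; the function names and the modulus are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helper: store a signed noise sample e (|e| < q) as a residue mod q.
// Leaky form: which branch runs depends on the secret sign of e, so the
// executed instruction sequence (and the power profile) differs per case.
uint64_t encode_noise_branchy(int64_t e, uint64_t q) {
    if (e > 0) {
        return static_cast<uint64_t>(e);
    } else if (e < 0) {
        return q - static_cast<uint64_t>(-e);
    }
    return 0;
}

// Branchless form: the same instructions execute for every value of e.
uint64_t encode_noise_branchless(int64_t e, uint64_t q) {
    uint64_t u = static_cast<uint64_t>(e);
    // mask = all ones if e is negative, all zeros otherwise
    uint64_t mask = uint64_t{0} - (u >> 63);
    // negative e: u = 2^64 - |e|, so u + q wraps around to q - |e|
    return u + (q & mask);
}

// Check that both encoders agree for every e in [-bound, bound].
bool encodings_agree(int64_t bound, uint64_t q) {
    for (int64_t e = -bound; e <= bound; ++e) {
        if (encode_noise_branchy(e, q) != encode_noise_branchless(e, q)) {
            return false;
        }
    }
    return true;
}

int main() {
    const uint64_t q = 132120577; // constructed sample modulus
    std::printf("agree: %d\n", encodings_agree(64, q));
    std::printf("-3 -> %llu\n",
                static_cast<unsigned long long>(encode_noise_branchless(-3, q)));
    return 0;
}
```

An optimizing compiler can turn source-level masking back into a branch, so the generated assembly for the target device has to be inspected.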