Paper 2024/041

SASTA: Ambushing Hybrid Homomorphic Encryption Schemes with a Single Fault

Aikata Aikata, Graz University of Technology
Ahaan Dabholkar, Purdue University West Lafayette
Dhiman Saha, Indian Institute of Technology Bhilai
Sujoy Sinha Roy, Graz University of Technology
Abstract

Fully Homomorphic Encryption offers an effective solution for privacy-preserving computation, but its adoption is hindered by substantial computational and communication overheads. To address these, the Hybrid Homomorphic Encryption (HHE) protocol was developed, where the client encrypts data using a symmetric encryption scheme (SE), and the server homomorphically evaluates its decryption. Previous studies have demonstrated that the HHE protocol has no impact on the correctness of applications; however, in this work, we shift the focus to its security resilience when subjected to Differential Fault Analysis (DFA). While DFA has proven effective against standalone symmetric-key primitives, no DFA study has been proposed that exploits the HHE protocol as a whole. Furthermore, previous DFA approaches on SE rely on strong assumptions such as nonce reuse, which limits their applicability in real-world protocols or practical applications. In this work, we show that the structure of the HHE protocol itself exposes new avenues for fault exploitation. We introduce Sasta-DFA, which, to our knowledge, is the first DFA targeting the HHE protocol in its entirety. Our study demonstrates that an attacker can achieve complete key recovery with a single fault injection. A key feature of this attack is that it does not require nonce reuse, thus adhering to nonce-related specifications. We adapt the IND-CPAD threat model proposed by Li and Micciancio at Eurocrypt’21 for HHE in the context of fault attacks. We conduct the first DFA study on the emerging HHE-specific integer-based SE schemes: Rubato, Hera, Pasta, and Masta. Notably, our attack methodology is generalizable and applicable to a broader class of HHE-friendly SE schemes, including boolean schemes like Rasta and even the standard scheme AES. We also present the first experimental validation of fault analysis on these new HHE-enabling schemes. Our attack, mounted on an ATXmega128D4-AU microcontroller, successfully demonstrates full key recovery. Finally, we also extend Sasta-DFA to Authenticated Transciphering protocols under a weaker threat model that removes any functional dependency.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Homomorphic Encryption, Hybrid Encryption, Transciphering, Fault attacks, AES-GCM, PASTA, HERA, RASTA, RUBATO
Contact author(s)
aikata @ tugraz at
adabholk @ purdue edu
dhiman @ iitbhilai ac in
sujoy sinharoy @ tugraz at
History
2025-04-16: last of 3 revisions
2024-01-10: received
Short URL
https://ia.cr/2024/041
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/041,
      author = {Aikata Aikata and Ahaan Dabholkar and Dhiman Saha and Sujoy Sinha Roy},
      title = {{SASTA}: Ambushing Hybrid Homomorphic Encryption Schemes with a Single Fault},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/041},
      year = {2024},
      url = {https://eprint.iacr.org/2024/041}
}