A group of scientists from North Carolina State University (USA) and the University on September 9th (Turkey) demonstrated the “first third-party attack” on homomorphic encryption, which can be used to leak data during the encryption process.
“By tracking the power consumption of a device encoding data for homomorphic encryption, we can read data. Thus, even next-generation encryption technologies need protection from attacks through third-party channels,” the experts said.
Homomorphic encryption is a form of encryption that allows certain types of calculations to be performed directly on encrypted data without decrypting it in the first place. It is also designed to preserve confidentiality, as it allows you to exchange confidential data with other third-party services for further processing, while the basic information remains encrypted and, accordingly, inaccessible to the service provider.
The data leak attack proposed by the researchers is related to a vulnerability in the implementation of Microsoft’s open source SEAL technology. Exploiting the problem allows you to recover a fragment of an open text message that was encrypted homomorphically, bypassing privacy protection.
The attack, dubbed RevEAL, “targets Gaussian sampling at the SEAL encryption stage and can extract all messages with a single power measurement,” taking advantage of “third-party channel leaks based on the power of the Microsoft SEAL version older than v3.6, which implements the Brakerski/Fan-Vercauteren (BFV) protocol.
As experts noted, the versions of SEAL 3.6 released on December 3, 2020, and later versions use a different sampling algorithm, but may contain other vulnerabilities.