Fully Homomorphic Encryption (FHE) is seeing increasing real-world deployment to protect data in use by allowing computation over encrypted data. However, the same malleability that enables homomorphic computations also raises integrity issues, which have so far been mostly overlooked. While FHEs lack of integrity has obvious implications for correctness, it also has severe implications for confidentiality: a malicious server can leverage the lack of integrity to carry out interactive key-recovery attacks. As a result, virtually all FHE schemes and applications assume an honest-but-curious server who does not deviate from the protocol. In practice, however, this assumption is insufficient for a wide range of deployment scenarios. While there has been work that aims to address this gap, these have remained isolated efforts considering only aspects of the overall problem and fail to fully address the needs and characteristics of modern FHE schemes and applications. In this paper, we analyze existing FHE integrity approaches, present attacks that exploit gaps in prior work, and propose a new notion for maliciously-secure verifiable FHE. We then instantiate this new notion with a range of techniques, analyzing them and evaluating their performance in a range of different settings. We highlight their potential but also show where future work on tailored integrity solutions for FHE is still required.
翻译:完全成形加密(FHE)通过允许对加密数据进行计算,发现为保护使用中的数据,正在越来越多地使用真实世界的部署来保护正在使用的数据。然而,同样能够使同质计算法的可容性也提出了完整性问题,而这些问题迄今大多被忽略了。虽然FHE缺乏完整性对正确性有明显的影响,但也对保密产生严重影响:恶意服务器可以利用缺乏完整性来进行交互式关键回收攻击;结果,几乎所有FHE计划和应用程序都包含一个诚实但又有说服力的服务器,而这种服务器并不偏离协议。然而,实际上,这一假设不足以满足广泛的部署设想。虽然已经开展了旨在解决这一差距的工作,但这些仍然是孤立的努力,只考虑整个问题的各个方面,不能完全解决现代FHE计划和应用的需求和特点。我们在本文件中分析现有的FHE完整性方法,提出利用先前工作中的差距进行攻击,并提出一个恶意可靠可核查的FHE的新概念。我们接着用一系列技术来概括这一新概念,分析它们并评估它们在不同环境中的业绩。我们还强调了它们的潜力,但未来需要的FHEH工作。