13 research outputs found
Optimized stream-cipher-based transciphering by means of functional-bootstrapping
Fully homomorphic encryption suffers from a large expansion in the size of encrypted data, which makes FHE impractical for low-bandwidth networks. Fortunately, transciphering allows to circumvent this issue by involving a symmetric cryptosystem which does not carry the disadvantage of a large expansion factor, and maintains the ability to recover an FHE ciphertext with the cost of extra homomorphic computations on the receiver side. Recent works have started to investigate the efficiency of TFHE as the FHE layer in transciphering, combined with various symmetric schemes including a NIST finalist for lightweight cryptography, namely Grain128-AEAD. Yet, this has so far been done without taking advantage of TFHE functional bootstrapping abilities, that is, evaluating any discrete function "for free" within the bootstrapping operation. In this work, we thus investigate the use of TFHE functional bootstrapping for implementing Grain128-AEAD in a more efficient base () representation, rather than a binary one. This significantly reduces the overall number of necessary bootstrappings in a homomorphic run of the stream-cipher, for example reducing the number of bootstrappings required in the warm-up phase by a factor of 3 when
Practical Homomorphic Evaluation of Block-Cipher-Based Hash Functions with Applications
Fully homomorphic encryption (FHE) is a powerful cryptographic technique allowing to perform computation directly over encrypted data. Motivated by the overhead induced by the homomorphic ciphertexts during encryption and transmission, the transciphering technique, consisting in switching from a symmetric encryption to FHE encrypted data, was investigated in several papers. Different stream and block ciphers were evaluated in terms of their FHE-friendliness, meaning practical implementation costs while maintaining sufficient security levels.
In this work, we present a first evaluation of hash functions in the homomorphic domain, based on well-chosen block ciphers. More precisely, we investigate the cost of transforming PRINCE, SIMON, SPECK, and LowMC, a set of lightweight block-ciphers, into secure hash primitives using well-established hash function constructions based on block-ciphers, and provide evaluation under bootstrappable FHE schemes. We also motivate the necessity of practical homomorphic evaluation of hash functions by providing several use cases in which the integrity of private data is also required. In particular, our hash constructions can be of significant use in a threshold-homomorphic based protocol for the single secret leader election problem occurring in blockchains with Proof-of-stake consensus. Our experiments showed that using a TFHE implementation of a hash function, we are able to achieve practical runtime, and appropriate security levels (e.g., for PRINCE it takes 1.28 minutes to obtain 128 bits of hash)
Homomorphic Sortition – Single Secret Leader Election for PoS Blockchains
In a single secret leader election protocol (SSLE), one of the system participants is chosen and, unless it decides to reveal itself, no other participant can identify it.
SSLE has a great potential in protecting blockchain consensus protocols against denial of service (DoS) attacks. However, all existing solutions either make strong synchrony assumptions or have expiring registration, meaning that they require elected processes to re-register themselves before they can be re-elected again. This, in turn, prohibits the use of these SSLE protocols to elect leaders in partially-synchronous consensus protocols as there may be long periods of network instability when no new blocks are decided and, thus, no new registrations (or re-registrations) are possible.
In this paper, we propose Homomorphic Sortition -- the first asynchronous SSLE protocol with non-expiring registration, making it the first solution compatible with partially-synchronous leader-based consensus protocols.
Homomorphic Sortition relies on Threshold Fully Homomorphic Encryption (ThFHE) and is tailored to proof-of-stake (PoS) blockchains, with several important optimizations with respect to prior proposals.
In particular, unlike most existing SSLE protocols, it works with arbitrary stake distributions and does not require a user with multiple coins to be registered multiple times. Our protocol is highly parallelizable and can be run completely off-chain after setup.
Some blockchains require a sequence of rounds to have non-repeating leaders. We define a generalization of SSLE, called Secret Leader Permutation (SLP) in which the application can choose how many non-repeating leaders should be output in a sequence of rounds and we show how Homomorphic Sortition also solves this problem
Revisiting Stream-Cipher-Based Homomorphic Transciphering in the TFHE Era
FairCognizer: A model for accurate predictions with inherent fairness evaluation (extended abstract)
Algorithmic fairness is a critical challenge in building trustworthy Machine Learning (ML) models. ML classifiers strive to make predictions that closely match real-world observations (ground truth). However, if the ground truth data itself reflects biases against certain sub-populations, a dilemma arises: prioritize fairness and potentially reduce accuracy, or emphasize accuracy at the expense of fairness. This work proposes a novel training framework that goes beyond achieving high accuracy. Our framework trains a classifier to not only deliver optimal predictions but also to identify potential fairness risks associated with each prediction. To do so, we specify a dual-labeling strategy where the second label contains a per-prediction fairness evaluation, referred to as an unfairness risk evaluation. In addition, we identify a subset of samples as highly vulnerable to group-unfair classifiers. Our experiments demonstrate that our classifiers attain optimal accuracy levels on both the Adult-Census-Income and Compas-Recidivism datasets. Moreover, they identify unfair predictions with nearly 75% accuracy at the cost of expanding the size of the classifier by 45
Unveiling the (in)security of threshold FHE-based federated learning: the practical impact of recent CPA^D attacks
The security of Fully Homomorphic Encryption (FHE) has received a lot of attention in recent years with new security notions emerging to better understand the practical attacks that may threaten the real-world deployments of passively secure FHE schemes. One such new notion is CPA^D, a slight extension of CPA security modelling a passive adversary who is granted access to a decryption oracle accepting only well-formed ciphertexts. While successful CPA^D attacks have initially been performed on approximate FHE schemes such as CKKS, recent works have also demonstrated practical CPA^D attacks on all mainstream non-approximate FHE, such as BFV, BGV or TFHE. Despite their clear computational practicality, these latter attacks however focus on the abstract security game defining CPA^D security. In this paper, we show how to concretely build on these to mount successful FHE key recovery attacks in the Federated Learning (FL) setting, an application scenario of choice for FHE techniques. In FL, participating entities or workers encrypt successive model updates based on their local training data, enabling a central server to aggregate them in order to homomorphically update a global model. As this paper demonstrates, this environment provides a playground for an attacker to launch key recovery attacks against the FHE underlying the secure aggregation mechanism. As such, our findings reveal substantial stealthy key-recovery threats from both the server and a single worker, with very limited impact on the FL training progression or final model qualit
FairCognizer: a model for accurate predictions with inherent fairness evaluation
Algorithmic fairness is a critical challenge in building trustworthy Machine Learning (ML) models. ML classifiers strive to make predictions that closely match real-world observations (ground truth). However, if the ground truth data itself reflects biases against certain sub-populations, a dilemma arises: prioritize fairness and potentially reduce accuracy, or emphasize accuracy at the expense of fairness. This work proposes a novel training framework that goes beyond achieving high accuracy. Our framework trains a classifier to not only deliver optimal predictions but also to identify potential fairness risks associated with each prediction. To do so, we specify a dual-labeling strategy where the second label contains a per-prediction fairness evaluation, referred to as an unfairness risk evaluation. In addition, we identify a subset of samples as highly vulnerable to group-unfair classifiers. Our experiments demonstrate that our classifiers attain optimal accuracy levels on both the Adult-Census-Income and Compas-Recidivism datasets. Moreover, they identify unfair predictions with nearly 75% accuracy at the cost of expanding the size of the classifier by a mere 45%
Optimized Stream-Cipher-Based Transciphering by Means of Functional-Bootstrapping
Fully homomorphic encryption suffers from a large expansion in the size of encrypted data, which makes FHE impractical for low-bandwidth networks. Fortunately, transciphering allows to circumvent this issue by involving a symmetric cryptosystem which does not carry the disadvantage of a large expansion factor, and maintains the ability to recover an FHE ciphertext with the cost of extra homomorphic computations on the receiver side. Recent works have started to investigate the efficiency of TFHE as the FHE layer in transciphering, combined with various symmetric schemes including a NIST finalist for lightweight cryptography, namely Grain128-AEAD. Yet, this has so far been done without taking advantage of TFHE functional bootstrapping abilities, that is, evaluating any discrete function “for free” within the bootstrapping operation. In this work, we thus investigate the use of TFHE functional bootstrapping for implementing Grain128-AEAD in a more efficient base (B>2) representation, rather than a binary one. This significantly reduces the overall number of necessary bootstrappings in a homomorphic run of the stream-cipher, for example reducing the number of bootstrappings required in the warm-up phase by a factor of ~3 when B=16
Practical homomorphic evaluation of block-cipher-based hash functions with applications
Fully homomorphic encryption (FHE) is a powerful cryptographic technique allowing to perform computation directly over encrypted data. Motivated by the overhead induced by the homomorphic ciphertexts during encryption and transmission, the transciphering technique, consisting in switching from a symmetric encryption to FHE encrypted data, was investigated in several papers. Different stream and block ciphers were evaluated in terms of their "FHE-friendliness", meaning practical implementation costs while maintaining sufficient security levels. In this work, we present a first evaluation of hash functions in the homomorphic domain, based on well-chosen block ciphers. More precisely, we investigate the cost of transforming PRINCE and SIMON, two lightweight block-ciphers, into secure hash functions using well-established block-cipher-based hash function constructions, and provide evaluation under bootstrappable FHE schemes. We also motivate the necessity of practical homomorphic evaluation of hash functions by providing several use cases in which the integrity of private data is also required. In particular, our hash constructions can be of significant use in a threshold-homomorphic based protocol for the single secret leader election problem occurring in blockchains with Proof-of-stake consensus. Our experiments showed that using a TFHE implementation of a hash function, we are able to achieve practical runtime, and appropriate security levels
