International Association for Cryptologic Research

International Association
for Cryptologic Research


Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions

Fukang Liu , Tokyo Institute of Technology, Tokyo, Japan
Abul Kalam , Indian Institute of Technology Madras, Chennai, India
Santanu Sarkar , Indian Institute of Technology Madras, Chennai, India
Willi Meier , University of Applied Sciences and Arts Northwestern Switzerland (FHNW), Windisch, Switzerland
DOI: 10.46586/tosc.v2024.i1.214-233
Search ePrint
Search Google
Abstract: Fully homomorphic encryption (FHE) is an advanced cryptography technique to allow computations (i.e., addition and multiplication) over encrypted data. After years of effort, the performance of FHE has been significantly improved and it has moved from theory to practice. The transciphering framework is another important technique in FHE to address the issue of ciphertext expansion and reduce the client-side computational overhead. To apply the transciphering framework to the CKKS FHE scheme, a new transciphering framework called the Real-to-Finite-Field (RtF) framework and a corresponding FHE-friendly symmetric-key primitive called HERA were proposed at ASIACRYPT 2021. Although HERA has a very similar structure to AES, it is considerably different in the following aspects: 1) the power map x → x3 is used as the S-box; 2) a randomized key schedule is used; 3) it is over a prime field Fp with p > 216. In this work, we perform the first third-party cryptanalysis of HERA, by showing how to mount new algebraic attacks with multiple collisions in the round keys. Specifically, according to the special way to randomize the round keys in HERA, we find it possible to peel off the last nonlinear layer by using collisions in the last-round key and a simple property of the power map. In this way, we could construct an overdefined system of equations of a much lower degree in the key, and efficiently solve the system via the linearization technique. As a esult, for HERA with 192 and 256 bits of security, respectively, we could break some parameters under the same assumption made by designers that the algebra constant ω for Gaussian elimination is ω = 2, i.e., Gaussian elimination on an n × n matrix takes O(nω) field operations. If using more conservative choices like ω ∈ {2.8, 3}, our attacks can also successfully reduce the security margins of some variants of HERA to only 1 round. However, the security of HERA with 80 and 128 bits of security is not affected by our attacks due to the high cost to find multiple collisions. In any case, our attacks reveal a weakness of HERA caused by the randomized key schedule and its small state size.
  title={Algebraic Attack on FHE-Friendly Cipher HERA Using Multiple Collisions},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={024 No. 1},
  author={Fukang Liu and Abul Kalam and Santanu Sarkar and Willi Meier},