International Association
for Cryptologic Research

The rising tide of data breaches targeting large data storage centres, and servers has raised serious privacy and security concerns. Homomorphic Encryption schemes offer an effective defence against such attacks, but their adoption is hindered by substantial computational and communication overhead, both on the server and client sides. This challenge led to the development of Hybrid Homomorphic Encryption (HHE) schemes to reduce the cost of client-side computation and communication. Despite the existence of a multitude of HHE schemes in the literature, their security analysis is still in its infancy, especially in the context of physical attacks like Differential Fault Analysis (DFA). This work aims to address this critical gap for HHE schemes defined over prime fields (Fp − HHE) by introducing, implementing and validating SASTA, the first DFA on Fp − HHE and the first nonce-respecting FA over any HHE scheme. In this pursuit, we introduce a new nonce-respecting fault model (all current fault attacks on HHE schemes require a nonce-reuse), which leads to a unique attack that completely exploits both the asymmetric and symmetric facets of HHE. We target Fp − HHE schemes as they offer support for integer or real arithmetic, enabling more versatile applications, like machine learning, and better performance. The fault model benefits from what we call the mirror-effect, which allows the attack to work both on the client and the server. Our analysis reveals a significant vulnerability: a single fault within the Keccak permutation, employed as an extendable output function, results in complete key recovery for the Pasta HHE scheme. Moreover, this vulnerability extends to other HHE schemes, including Rasta, Masta, and Hera, amplifying the scope and impact of SASTA. For experimental validation, we mount an actual fault attack using ChipWhisperer-Lite board on the Keccak permutation. Following this, we also discuss the conventional countermeasures to defend against SASTA. Overall, SASTA constitutes the first nonce-respecting FA of HHE that offers new insights into how server-side or client-side computations can be manipulated for Fp − HHE schemes to recover the entire key with just a single fault. This work reaffirms the orthogonality of convenience and attack vulnerability and should contribute to the landscape of future HHE schemes.