Abstract. Fully homomorphic encryption (FHE) is a cryptographic primitive that allows computation on encrypted data. It is mentioned by NISTIR 8214C, e.g., in the FHE-Based AES Oblivious Enciphering example. There, an FHE capability also known as transciphering is used for decrypting an AES ciphertext under FHE. There are various transciphering implementations of AES under FHE. Recently, we showed that using the CKKS FHE scheme with 128-bit security and a commodity GPU, it is possible to decrypt 512 KB of AES256-CTR encrypted data under FHE encryption in only 2.33 minutes, i.e., only 4.3 milliseconds per AES block, several orders of magnitude faster than previously reported with other FHE schemes such as BGV, B/FV, or TFHE.

Today, many applications prefer an Authenticated Encryption with Associated Data (AEAD) scheme such as AES-GCM over plain symmetric encryption, because the latter provides only confidentiality while the former also provides integrity for the encrypted data. To this end, we showed for the first time that it is possible to decrypt 512 KB of AES256-GCM encrypted data under CKKS in 7.66 minutes, i.e., only 14 milliseconds per AES block.

In this short talk, we intend to inform the community about our results and implementation. In addition, we will present the concept of Authenticated Transciphering (AT), which is needed for maintaining the integrity guarantees provided by AEAD schemes. This is especially relevant in the context of threshold decryption, where each party can see the plaintext; the AT scheme should therefore nullify the encrypted content if the integrity verification fails, to prevent the spread of unverified data. While the AT concept applies to all FHE and threshold-FHE schemes, it is particularly challenging when using CKKS. Moreover, as mentioned in Comment Set #5 to NISTIR 8214C, there is a challenge with using threshold-CKKS-based solutions even in the passive security model, due to the CKKS error model.
We think that, because of the benefits that CKKS provides, even in the case of decrypting AES-GCM ciphertexts, it is worth raising again with the community the question of whether CKKS is suitable for threshold constructions, while suggesting several research directions to resolve the issue raised in Comment Set #5. This will enable designers of threshold-FHE-based solutions to include more efficient CKKS-based implementations in their proposals.
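The nullification step described for Authenticated Transciphering, as an added example that is not the speakers' implementation: a plaintext (unencrypted) model in which the tag comparison and the masking use only additions and multiplications on bits, since an FHE circuit cannot branch on encrypted values. The function names are hypothetical, and the example assumes the recomputed tag is already available bit by bit.

```python
from functools import reduce

def to_bits(data: bytes) -> list[int]:
    """Big-endian bit decomposition, one integer (0 or 1) per bit."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list[int]) -> bytes:
    """Inverse of to_bits; len(bits) must be a multiple of 8."""
    return bytes(
        reduce(lambda acc, b: (acc << 1) | b, bits[i:i + 8], 0)
        for i in range(0, len(bits), 8)
    )

def xnor(a: int, b: int) -> int:
    """1 when the bits are equal. XOR as arithmetic is a + b - 2ab."""
    return 1 - (a + b - 2 * a * b)

def and_tree(bits: list[int]) -> int:
    """Product of all bits as a balanced tree, so a 128-bit tag costs
    multiplicative depth 7 instead of 127 for a left-to-right chain."""
    while len(bits) > 1:
        nxt = [bits[i] * bits[i + 1] for i in range(0, len(bits) - 1, 2)]
        if len(bits) % 2:
            nxt.append(bits[-1])
        bits = nxt
    return bits[0]

def tag_ok_bit(computed_tag: bytes, received_tag: bytes) -> int:
    """Single bit: 1 if the tags match, else 0. No data-dependent branch."""
    if len(computed_tag) != len(received_tag):
        raise ValueError("tag lengths differ")  # lengths are public, not secret
    pairs = zip(to_bits(computed_tag), to_bits(received_tag))
    return and_tree([xnor(a, b) for a, b in pairs])

def release(plaintext: bytes, computed_tag: bytes, received_tag: bytes) -> bytes:
    """Multiply every plaintext bit by the verification bit: the data passes
    through unchanged on success and becomes all zeros on failure."""
    ok = tag_ok_bit(computed_tag, received_tag)
    return from_bits([ok * p for p in to_bits(plaintext)])

if __name__ == "__main__":
    pt = b"constructed data"              # constructed sample values
    tag = bytes(range(16))
    forged = tag[:-1] + bytes([tag[-1] ^ 0x01])
    print(release(pt, tag, tag))
    print(release(pt, tag, forged))
```

In an encrypted setting each `*` and `+` would be a homomorphic operation on ciphertexts, so whoever later decrypts, including every party in a threshold decryption, obtains zeros rather than unverified plaintext when the tag does not match.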
Security and Privacy: cryptography