We present Argos, a simple approach for adding verifiability to fully homomorphic encryption (FHE) schemes using trusted hardware. Traditional approaches to verifiable FHE require expensive cryptographic proofs, which incur an overhead of up to seven orders of magnitude on top of FHE, making them impractical. With Argos, we show that trusted hardware can be securely used to provide verifiability for FHE computations, with minimal overhead relative to the baseline FHE computation. An important contribution of Argos is showing that the major security pitfall associated with trusted hardware, microarchitectural side channels, can be completely mitigated by excluding any secrets from the CPU and the memory hierarchy. This is made possible by focusing on building a platform that only enforces program and data integrity and not confidentiality (which is sufficient for verifiable FHE, since all data remain encrypted at all times). All secrets related to the attestation mechanism are kept in a separate coprocessor (e.g., a TPM) inaccessible to any software-based attacker. Relying on a discrete TPM typically incurs significant performance overhead, which is why (insecure) software-based TPMs are used in practice. As a second contribution, we show that for FHE applications, the attestation protocol can be adapted to only incur a fixed cost. Argos requires no dedicated hardware extensions and is supported on commodity processors from 2008 onward. Our prototype implementation introduces 6% overhead to the FHE evaluation, and 8% for more complex protocols. In particular, we show that Argos can be adapted for real-world applications of FHE, such as PIR and PSI. By demonstrating how to combine cryptography with trusted hardware, Argos paves the way for widespread deployment of FHE-based protocols beyond the semi-honest setting, without the overhead of cryptographic proofs.
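To make the integrity-only attestation idea from the abstract concrete, the following Go program is an added illustrative model; it is not Argos's code and not its actual protocol. Its details are assumptions chosen for illustration only: an Ed25519 signature standing in for a TPM quote, a single measurement register standing in for the TPM's PCRs, a XOR fold standing in for homomorphic operations, and constructed host image, circuit, ciphertexts and nonce. Everything the host side holds is public (the program, the ciphertexts, running hashes); the only secret, the attestation key, lives inside the coprocessor object, which exposes nothing but an extend operation used once at measured boot and a quote. The host asks for a single quote over a digest that binds program, inputs and output, so the attestation cost does not grow with the number of homomorphic operations, and the client accepts a result only if that quote covers the expected boot measurement, its own fresh nonce and the exact output it received.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Ciphertext stands in for an FHE ciphertext: opaque bytes the host cannot decrypt.
type Ciphertext []byte

// Coprocessor models a discrete TPM-like device; its signing key never leaves it.
type Coprocessor struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	pcr        [32]byte // extend-only register holding the host's boot measurement
	QuoteCalls int      // counted to show the attestation cost is fixed per computation
}

func NewCoprocessor() *Coprocessor {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return &Coprocessor{priv: priv, Pub: pub}
}

// Extend is the TPM-style rule pcr' = H(pcr || H(image)); the client uses it too.
func Extend(pcr [32]byte, image []byte) [32]byte {
	img := sha256.Sum256(image)
	return sha256.Sum256(append(pcr[:], img[:]...))
}

// ExtendPCR runs at measured boot, before any host software executes.
func (c *Coprocessor) ExtendPCR(image []byte) { c.pcr = Extend(c.pcr, image) }

// Quote signs (pcr || digest || nonce) with the coprocessor-resident key.
func (c *Coprocessor) Quote(digest [32]byte, nonce []byte) []byte {
	c.QuoteCalls++
	return ed25519.Sign(c.priv, quoteMessage(c.pcr, digest, nonce))
}

func quoteMessage(pcr, digest [32]byte, nonce []byte) []byte {
	return append(append(pcr[:], digest[:]...), nonce...)
}

// transcriptDigest binds program, every input and the output into one length-prefixed hash.
func transcriptDigest(program []byte, inputs []Ciphertext, output Ciphertext) (d [32]byte) {
	h := sha256.New()
	for _, b := range append(append([]Ciphertext{program}, inputs...), output) {
		binary.Write(h, binary.BigEndian, uint64(len(b)))
		h.Write(b)
	}
	copy(d[:], h.Sum(nil))
	return d
}

// Evaluate runs the circuit on the host (a XOR fold stands in for FHE ops), then requests ONE quote.
func Evaluate(cp *Coprocessor, program []byte, inputs []Ciphertext, nonce []byte) (Ciphertext, []byte) {
	acc := append(Ciphertext{}, inputs[0]...)
	for _, in := range inputs[1:] {
		for j := range acc {
			acc[j] ^= in[j] // no attestation work per operation, however many there are
		}
	}
	return acc, cp.Quote(transcriptDigest(program, inputs, acc), nonce)
}

// Verify is the client's check: recompute the digest and accept only a quote over the expected PCR and nonce.
func Verify(pub ed25519.PublicKey, expectedPCR [32]byte, program []byte,
	inputs []Ciphertext, output Ciphertext, nonce, quote []byte) bool {
	msg := quoteMessage(expectedPCR, transcriptDigest(program, inputs, output), nonce)
	return ed25519.Verify(pub, msg, quote)
}

// Demo: an honest run over 1000 constructed ciphertexts, then a tampered output; returns both verdicts and the quote count.
func Demo() (honestOK, forgedOK bool, quotes int) {
	image := []byte("constructed: host kernel+FHE runtime image v1")
	program := []byte("constructed: XOR-fold circuit over all inputs")
	nonce := []byte("constructed fresh client nonce")
	inputs := make([]Ciphertext, 1000)
	for i := range inputs {
		inputs[i] = make(Ciphertext, 32)
		binary.BigEndian.PutUint32(inputs[i], uint32(i))
	}
	cp := NewCoprocessor()
	cp.ExtendPCR(image)
	out, quote := Evaluate(cp, program, inputs, nonce)
	expected := Extend([32]byte{}, image)
	honestOK = Verify(cp.Pub, expected, program, inputs, out, nonce, quote)
	forged := append(Ciphertext{}, out...)
	forged[0] ^= 1 // a host that tampers with the returned ciphertext
	forgedOK = Verify(cp.Pub, expected, program, inputs, forged, nonce, quote)
	return honestOK, forgedOK, cp.QuoteCalls
}

func main() {
	h, f, q := Demo()
	fmt.Printf("honest=%v forged=%v quotes=%d\n", h, f, q)
}
```

Running it prints `honest=true forged=false quotes=1`: a thousand operations cost one quote, a tampered ciphertext fails, and (as the same check shows) a host booted from a different image or a quote replayed under another nonce fails as well, because the coprocessor's register or the nonce no longer matches what the client expects. The model provides no confidentiality at all; it only detects a host that deviates from the measured program, which is the property the abstract argues is sufficient when every input and output is an FHE ciphertext.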