Anamaria Costache, Associate Professor, NTNU, Norway
Approximate fully homomorphic encryption (FHE) schemes such as the CKKS scheme (Asiacrypt ’17) are popular in practice due to their efficiency and utility for machine learning applications. Unfortunately, Li and Micciancio (Eurocrypt, ’21) showed that, while achieving standard semantic (or IND-CPA security), the CKKS scheme is broken under a variant security notion known as IND-CPAD. Subsequently, Li, Micciancio, Schultz, and Sorrell (Crypto ’22) proved the security of the CKKS scheme with a noise-flooding countermeasure, which adds Gaussian noise of sufficiently high variance before outputting the decrypted value. However, the variance required for provable security is very high, inducing a large loss in message precision.
In this work, we ask whether there is an intermediate noise-flooding level, which may not be provably secure, but allows to maintain the performance of the scheme, while resisting known attacks. We analyze the security with respect to different adversarial models and various types of attacks. We investigate the effectiveness of lattice reduction attacks, guessing attacks and hybrid attacks with noise-flooding with variance ρ2circ, the variance of the noise already present in the ciphertext as estimated by an average-case analysis, 100 · ρ2circ, and t · ρ2circ, where t is the number of decryption queries. For noise levels of ρ2circ and 100 · ρ2circ, we find that a full guessing attack is feasible for all parameter sets and circuit types. We find that a lattice reduction attack is the most effective attack for noise-flooding level t · ρ2circ, but it only induces at most a several bit reduction in the security level.
Due to the large dimension and modulus in typical FHE parameter sets, previous techniques even for estimating the concrete security of these attacks – such as those in (Dachman-Soled, Ducas, Gong, Rossi, Crypto ’20) – become computationally infeasible, since they involve high dimensional and high precision matrix multiplication and inversion. We therefore develop new techniques that allow us to perform fast security estimation, even for FHE-size parameter sets.