On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures

Flavio Bergamaschi; Anamaria Costache; Dana Dachman-Soled; Hunter Kippen; Lucas LaBuff; Rui Tang

Paper 2024/424

On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures

Flavio Bergamaschi, Intel Labs

Anamaria Costache, Norwegian University of Science and Technology

Dana Dachman-Soled, University of Maryland, College Park

Hunter Kippen, University of Maryland, College Park

Lucas LaBuff, University of Maryland, College Park

Rui Tang, University of Maryland, College Park

Abstract

Approximate fully homomorphic encryption (FHE) schemes such as the CKKS scheme (Asiacrypt '17) are popular in practice due to their efficiency and utility for machine learning applications. Unfortunately, Li and Micciancio (Eurocrypt, '21) showed that, while achieving standard semantic (or $\mathsf{IND}\mbox{-}\mathsf{CPA}$ security), the CKKS scheme is broken under a variant security notion known as $\mathsf{IND}\mbox{-}\mathsf{CPA}^D$. Subsequently, Li, Micciancio, Schultz, and Sorrell (Crypto '22) proved the security of the CKKS scheme with a noise-flooding countermeasure, which adds Gaussian noise of sufficiently high variance before outputting the decrypted value. However, the variance required for provable security is very high, inducing a large loss in message precision. In this work, we ask whether there is an intermediate noise-flooding level, which may not be provably secure, but allows to maintain the performance of the scheme, while resisting known attacks. We analyze the security with respect to different adversarial models and various types of attacks. We investigate the effectiveness of lattice reduction attacks, guessing attacks and hybrid attacks with noise-flooding with variance $\rho^2_{\mathsf{circ}}$, the variance of the noise already present in the ciphertext as estimated by an average-case analysis, $100\cdot \rho^2_{\mathsf{circ}}$, and $t\cdot \rho^2_{\mathsf{circ}}$, where $t$ is the number of decryption queries. For noise levels of $\rho^2_{\mathsf{circ}}$ and $100\cdot \rho^2_{\mathsf{circ}}$, we find that a full guessing attack is feasible for all parameter sets and circuit types. We find that a lattice reduction attack is the most effective attack for noise-flooding level $t\cdot \rho^2_{\mathsf{circ}}$, but it only induces at most a several bit reduction in the security level. Due to the large dimension and modulus in typical FHE parameter sets, previous techniques even for estimating the concrete security of these attacks -- such as those in (Dachman-Soled, Ducas, Gong, Rossi, Crypto '20) -- become computationally infeasible, since they involve high dimensional and high precision matrix multiplication and inversion. We therefore develop new techniques that allow us to perform fast security estimation, even for FHE-size parameter sets.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Preprint.
Keywords: approximate fully homomorphic encryption noise-flooding countermeasures lattice reduction attack
Contact author(s): flavio @ intel com
anamaria costache @ ntnu no
danadach @ umd edu
hkippen @ umd edu
llabuff @ terpmail umd edu
ruitang @ umd edu
History: 2024-03-15: approved; 2024-03-11: received; See all versions
Short URL: https://ia.cr/2024/424
License: CC BY

BibTeX

@misc{cryptoeprint:2024/424,
      author = {Flavio Bergamaschi and Anamaria Costache and Dana Dachman-Soled and Hunter Kippen and Lucas LaBuff and Rui Tang},
      title = {On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures},
      howpublished = {Cryptology ePrint Archive, Paper 2024/424},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/424}},
      url = {https://eprint.iacr.org/2024/424}
}