Paper 2024/424
On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures
Abstract
Approximate fully homomorphic encryption (FHE) schemes such as the CKKS scheme (Asiacrypt '17) are popular in practice due to their efficiency and utility for machine learning applications. Unfortunately, Li and Micciancio (Eurocrypt, '21) showed that, while achieving standard semantic (or $\mathsf{IND}\mbox{-}\mathsf{CPA}$ security), the CKKS scheme is broken under a variant security notion known as $\mathsf{IND}\mbox{-}\mathsf{CPA}^D$. Subsequently, Li, Micciancio, Schultz, and Sorrell (Crypto '22) proved the security of the CKKS scheme with a noise-flooding countermeasure, which adds Gaussian noise of sufficiently high variance before outputting the decrypted value. However, the variance required for provable security is very high, inducing a large loss in message precision. In this work, we ask whether there is an intermediate noise-flooding level, which may not be provably secure, but allows to maintain the performance of the scheme, while resisting known attacks. We analyze the security with respect to different adversarial models and various types of attacks. We investigate the effectiveness of lattice reduction attacks, guessing attacks and hybrid attacks with noise-flooding with variance $\rho^2_{\mathsf{circ}}$, the variance of the noise already present in the ciphertext as estimated by an average-case analysis, $100\cdot \rho^2_{\mathsf{circ}}$, and $t\cdot \rho^2_{\mathsf{circ}}$, where $t$ is the number of decryption queries. For noise levels of $\rho^2_{\mathsf{circ}}$ and $100\cdot \rho^2_{\mathsf{circ}}$, we find that a full guessing attack is feasible for all parameter sets and circuit types. We find that a lattice reduction attack is the most effective attack for noise-flooding level $t\cdot \rho^2_{\mathsf{circ}}$, but it only induces at most a several bit reduction in the security level. Due to the large dimension and modulus in typical FHE parameter sets, previous techniques even for estimating the concrete security of these attacks -- such as those in (Dachman-Soled, Ducas, Gong, Rossi, Crypto '20) -- become computationally infeasible, since they involve high dimensional and high precision matrix multiplication and inversion. We therefore develop new techniques that allow us to perform fast security estimation, even for FHE-size parameter sets.
Metadata
- Available format(s)
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- approximate fully homomorphic encryptionnoise-flooding countermeasureslattice reduction attack
- Contact author(s)
-
flavio @ intel com
anamaria costache @ ntnu no
danadach @ umd edu
hkippen @ umd edu
llabuff @ terpmail umd edu
ruitang @ umd edu - History
- 2024-03-15: approved
- 2024-03-11: received
- See all versions
- Short URL
- https://ia.cr/2024/424
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/424, author = {Flavio Bergamaschi and Anamaria Costache and Dana Dachman-Soled and Hunter Kippen and Lucas LaBuff and Rui Tang}, title = {On the Concrete Security of Approximate FHE with Noise-Flooding Countermeasures}, howpublished = {Cryptology ePrint Archive, Paper 2024/424}, year = {2024}, note = {\url{https://eprint.iacr.org/2024/424}}, url = {https://eprint.iacr.org/2024/424} }