On the Security of Homomorphic Encryption on Approximate Numbers

Conference paper, in Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12696)

Abstract

We present passive attacks against CKKS, the homomorphic encryption scheme for arithmetic on approximate numbers presented at Asiacrypt 2017. The attack is both theoretically efficient (running in expected polynomial time) and very practical, leading to complete key recovery with high probability and very modest running times. We implemented and tested the attack against major open-source homomorphic encryption libraries, including HEAAN, SEAL, HElib and PALISADE, when computing several functions that often arise in applications of the CKKS scheme to machine learning on encrypted data, such as mean and variance computations and the approximation of logistic and exponential functions using their Maclaurin series.

The attack shows that the traditional formulation of IND-CPA security (indistinguishability against chosen plaintext attacks) achieved by CKKS does not adequately capture security against passive adversaries when applied to approximate encryption schemes, and that a different, stronger definition is required to evaluate the security of such schemes.

We provide a solid theoretical basis for the security evaluation of homomorphic encryption on approximate numbers (against passive attacks) by proposing new definitions that naturally extend the traditional notion of IND-CPA security to the approximate computation setting. We propose both indistinguishability-based and simulation-based variants, as well as restricted versions of the definitions that limit the order and number of adversarial queries (as may be enforced by some applications). We prove implications and separations among the different definitional variants, and discuss possible modifications to CKKS that may serve as a countermeasure to our attacks.

Research supported by Global Research Cluster program of Samsung Advanced Institute of Technology and NSF Award 1936703.

Notes

  1. This computation may or may not be secret, depending on whether the scheme is “circuit-hiding”.

  2. We remark that this use of a decryption oracle is only a technical detail of our formulation, and it is quite different from the decryption oracle used for defining active (chosen ciphertext) attacks: our decryption oracle only provides access to the plaintext output interface of a decryption algorithm, and does not allow the decryption algorithm to be applied to adversarially chosen ciphertexts.

  3. The name IND-CPA⁺ was used in earlier versions of this paper. An alternative notation could be IND-CPA-D.

  4. The source code of our attack implementations is available at https://github.com/ucsd-crypto/CKKSKeyRecovery.

Acknowledgment

We would like to thank Mark Schultz, Jessica Sorrell, and the SAIT research team for useful discussions. We would like to thank Victor Shoup and Jingwei Chen for pointing out errors in an earlier version of this paper.

Author information

Corresponding author: Baiyu Li.

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Li, B., Micciancio, D. (2021). On the Security of Homomorphic Encryption on Approximate Numbers. In: Canteaut, A., Standaert, F.X. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol. 12696. Springer, Cham. https://doi.org/10.1007/978-3-030-77870-5_23

  • DOI: https://doi.org/10.1007/978-3-030-77870-5_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77869-9

  • Online ISBN: 978-3-030-77870-5

  • eBook Packages: Computer Science (R0)