mirror of
https://github.com/tuneinsight/lattigo.git
synced 2025-09-13 03:27:14 +00:00
[ckks]: updated DecodePublic & updated SECURITY.md
14
SECURITY.md
@@ -12,11 +12,15 @@ Classified as an _approximate decryption_ scheme, the CKKS scheme is secure as l
|
||||
This attack demonstrates that, when using an approximate homomorphic encryption scheme, the usual CPA security may not sufficient depending on the application setting. Many applications do not require to share the result with external parties and are not affected by this attack, but the ones that do must take the appropriate steps to ensure that no key-dependent information is leaked. A homomorphic encryption scheme that provides such functionality and that can be secure when releasing decrypted plaintext to external parties is defined to be CPA<sup>D</sup> secure. The corresponding indistinguishability notion (IND-CPA<sup>D</sup>) is defined as "indistinguishability under chosen plaintext attacks with decryption oracles."
|
||||
|
||||
# CPA<sup>D</sup> Security for CKKS
|
||||
Lattigo implements tools to mitigate _Li and Micciancio_'s attack. In particular, the decoding step of CKKS (and its real-number variant R-CKKS) allows the user to add a key-independent error $e$ of standard deviation $\sigma$ to the decrypted plaintext before decoding.
|
||||
Lattigo implements tools to mitigate _Li and Micciancio_'s attack. In particular, the decoding step of CKKS (and its real-number variant R-CKKS) allows the user to specify the desired fixed-point bit-precision.
|
||||
|
||||
If at any point of an application, decrypted values have to be shared with external parties, then the user must ensure that each shared plaintext is first _sanitized_ before being shared. To do so, the user must use the $\textsf{DecodePublic}$ method instead of the usual $\textsf{Decode}$. $\textsf{DecodePublic}$ takes as additional input $\sigma$, and samples a key-independent error $e$ with standard deviation $\sigma$, that is added to the plaintext before decoding.
|
||||
Let $\epsilon$ be the scheme error after the decoding step. We compute the bit precision of the output as $\log_{2}(1/\epsilon)$.
|
||||
|
||||
Estimating $\sigma$ must be done carefully and we suggest the following iterative process to do so:
|
||||
If at any point of an application, decrypted values have to be shared with external parties, then the user must ensure that each shared plaintext is first _sanitized_ before being shared. To do so, the user must use the $\textsf{DecodePublic}$ method instead of the usual $\textsf{Decode}$. $\textsf{DecodePublic}$ takes as additional input the desired $\log_{2}(1/\epsilon)$-bit precision and rounds the value by evaluating $y = \lfloor x / \epsilon \rceil \cdot \epsilon$.
|
||||
|
||||
Estimating $E[\epsilon]$ of the circuit must be done carefully and we suggest the following iterative process to do so:
|
||||
1. Given a security parameter $\lambda$ and a circuit $C$ that takes as inputs length-_n_ vectors $\omega$ following a distribution $\chi$, select the appropriate parameters enabling the homomorphic evaluation of $C(\omega)$, denoted by $H(C(\omega))$, which includes the encoding, encryption, evaluation, decryption and decoding.
|
||||
2. Sample input vectors $\omega$ from the distribution $\chi$ and compute the standard deviation $\sigma$ in the time domain (coefficient domain) of $e=C(\omega) - H(C(\omega))$. This can be done using the encoder method $\textsf{GetErrSTDTimeDom}(C(\omega), H(C(\omega)), \Delta)$, where $\Delta$ is the scale of the plaintext after the decryption. The user should make sure that the underlying circuit computed by $H(C(\cdot))$ is identical to $C(\cdot)$; i.e., if the homomorphic implementation $H(C(\cdot))$ uses polynomial approximations, then $C(\cdot)$ should use them too, instead of using the original exact function. This will ensure that $e$, and therefore $\sigma$, are as close as possible to the actual underlying scheme error, and not influenced by function-approximation errors.
|
||||
3. Use the encoder method $\textsf{DecodePublic}$ with the parameter $\sigma$ to decode plaintexts that will be published. $\textsf{DecodePublic}$ adds an error $e$ with standard deviation $\sigma$ bounded by $B = \sigma\sqrt{2\pi}$. The precision loss, compared to a private decoding, should be less than half a bit on average.
|
||||
2. Sample input vectors $\omega$ from the distribution $\chi$ and record $\epsilon=C(\omega) - H(C(\omega))$. The user should make sure that the underlying circuit computed by $H(C(\cdot))$ is identical to $C(\cdot)$; i.e., if the homomorphic implementation $H(C(\cdot))$ uses polynomial approximations, then $C(\cdot)$ should use them too, instead of using the original exact function. Repeat until $\epsilon$ reaches a stable value.
|
||||
3. Use the encoder method $\textsf{DecodePublic}$ with the parameter $\log_{2}(1/\epsilon)$ to decode plaintexts that will be published. $\textsf{DecodePublic}$ will round the values to $\log_{2}(1/\epsilon)$-bits of precision.
|
||||
|
||||
Note that, for composability with differential privacy, the variance of the error introduced by the rounding is $\text{Var}[x - \lfloor x \cdot \epsilon \rceil / \epsilon] = \tfrac{\epsilon}{12}$ and therefore $\text{Var}[x - \lfloor x/(\sigma\sqrt{12})\rceil\cdot(\sigma\sqrt{12})] = \sigma^2$.
|
||||
|
||||
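Review bot: The variance in the closing differential-privacy note does not match the rounding defined earlier in this hunk. `DecodePublic` is described as evaluating $y = \lfloor x / \epsilon \rceil \cdot \epsilon$, but the note writes $\lfloor x \cdot \epsilon \rceil / \epsilon$ and gives the variance as $\tfrac{\epsilon}{12}$. Rounding to a step of $\epsilon$ leaves a uniform error with variance $\tfrac{\epsilon^2}{12}$, which is also what the second expression relies on for a step of $\sigma\sqrt{12}$ to yield $\sigma^2$. Suggest writing the first expression as $\text{Var}[x - \lfloor x / \epsilon \rceil \cdot \epsilon] = \tfrac{\epsilon^2}{12}$. Separately, the sentence introducing the list asks for an estimate of $E[\epsilon]$ while step 2 says to record $\epsilon$ and repeat until it reaches a stable value; it would help to state which statistic over the samples is meant and is then passed to `DecodePublic` as $\log_{2}(1/\epsilon)$ in step 3.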