typo in SECURITY.md

This commit is contained in:
Jean-Philippe Bossuat
2022-08-18 15:26:37 +02:00
parent a9c788365d
commit 285e777130


@@ -4,7 +4,7 @@ Lattigo 2.0.0 has been code-reviewed by ELCA in November 2020 and, within the al
# Security of Approximate-Numbers Homomorphic Encryption
Homomorphic encryption schemes are by definition malleable, and are therefore not secure against chosen ciphertext attacks (CCA security). They can be though secure against chosen plaintext attacks (CPA security).
Classified as an _approximate decryption_ scheme, the CKKS scheme is secure as long as the plaintext result of a decryption is only revealed to entities with knowledge of the secret-key. This is because, given a ciphertext (_-as + m + e_, _a_), the decryption outputs a plaintext _m+e_. [Li and Micciancio](https://eprint.iacr.org/2020/1533) show that using this plaintext, it is possible to recover the secret-key with ((_-as + m + e_) - (_m + e_)) * _a^-1 = asa^-1 = s_ (the probability of _a_ being invertible is overwhelming, and if _a_ is not invertible, only require a few more samples are required).
Classified as an _approximate decryption_ scheme, the CKKS scheme is secure as long as the plaintext result of a decryption is only revealed to entities with knowledge of the secret-key. This is because, given a ciphertext (_-as + m + e_, _a_), the decryption outputs a plaintext _m+e_. [Li and Micciancio](https://eprint.iacr.org/2020/1533) show that using this plaintext, it is possible to recover the secret-key with ((_-as + m + e_) - (_m + e_)) * _a^-1 = asa^-1 = s_ (the probability of _a_ being invertible is overwhelming, and if _a_ is not invertible, only a few more samples are required).
This attack demonstrates that, when using an approximate homomorphic encryption scheme, the usual CPA security may not sufficient depending on the application setting. Many applications do not require to share the result with external parties and are not affected by this attack, but the ones that do must take the appropriate steps to ensure that no key-dependent information is leaked. A homomorphic encryption scheme that provides such functionality and that can be secure when releasing decrypted plaintext to external parties is defined to be CPA<sup>D</sup> secure. The corresponding indistinguishability notion (IND-CPA<sup>D</sup>) is defined as "indistinguishability under chosen plaintext attacks with decryption oracles."
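Review bot: the unchanged context line that follows the corrected sentence still carries a grammatical slip, "the usual CPA security may not sufficient" should read "may not be sufficient", and "do not require to share the result" would read more naturally as "do not need to share the result"; since this commit is a typo pass over SECURITY.md, folding those two fixes into the same change would save a follow-up. The replacement line itself reads correctly.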