lattigo/SECURITY.md

Report a Vulnerability

To report a vulnerability please contact us directly using the following email: lattigo@tuneinsight.com.

Code Review

Lattigo 2.0.0 has been code-reviewed by ELCA in November 2020 and, within the allocated time for the code review, no critical or high-risk issues were found.

Security of Approximate Homomorphic Encryption

Homomorphic encryption schemes are by definition malleable, and are therefore not secure against chosen ciphertext attacks (CCA security). They can be though secure against chosen plaintext attacks (CPA security).

Classified as an approximate decryption scheme, the CKKS scheme is secure as long as the plaintext result of a decryption is only revealed to entities with knowledge of the secret-key. This is because, given a ciphertext (-as + m + e, a), the decryption outputs a plaintext m+e. Li and Micciancio show that using this plaintext, it is possible to recover the secret-key with ((-as + m + e) - (m + e)) \cdot a^{-1} = asa^{-1} = s (the probability of a being invertible is overwhelming, and if a is not invertible, only a few more samples are required).

This attack demonstrates that, when using an approximate homomorphic encryption scheme, the usual CPA security may not sufficient depending on the application setting. Many applications do not require to share the result with external parties and are not affected by this attack, but the ones that do must take the appropriate steps to ensure that no key-dependent information is leaked. A homomorphic encryption scheme that provides such functionality and that can be secure when releasing decrypted plaintext to external parties is defined to be CPA^D secure. The corresponding indistinguishability notion (IND-CPA^D) is defined as "indistinguishability under chosen plaintext attacks with decryption oracles."

IND-CPA^D Security for Approximate Homomorphic Encryption

Lattigo implements tools to mitigate Li and Micciancio's attack. In particular, the decoding step of CKKS (and its real-number variant R-CKKS) allows the user to specify the desired fixed-point bit-precision.

Let \epsilon be the scheme error after the decoding step. We compute the bit precision of the output as \log_{2}(1/\epsilon).

If at any point of an application, decrypted values have to be shared with external parties, then the user must ensure that each shared plaintext is first sanitized before being shared. To do so, the user must use the \textsf{DecodePublic} method instead of the usual \textsf{Decode}. \textsf{DecodePublic} takes as additional input the desired $\log_{2}(1/\epsilon)$-bit precision and rounds the value by evaluating y = \lfloor x / \epsilon \rceil \cdot \epsilon.

Estimating \text{Pr}[\epsilon < x] \leq 2^{-s} of the circuit must be done carefully and we suggest the following process to do so:

1. Given a security parameter \lambda and a circuit C that takes as inputs length-n vectors \omega following a distribution \chi, select the appropriate parameters enabling the homomorphic evaluation of C(\omega), denoted by H(C(\omega)), which includes the encoding, encryption, evaluation, decryption and decoding.
2. Sample input vectors \omega from the distribution \chi and record \epsilon = C(\omega) - H(C(\omega)) for each slots. The user should make sure that the underlying circuit computed by H(C(\cdot)) is identical to C(\cdot); i.e., if the homomorphic implementation H(C(\cdot)) uses polynomial approximations, then C(\cdot) should use them too, instead of using the original exact function. Repeat until enough data points are collected to construct a CDF of \textsf{Pr}[\epsilon > x].
3. Use the CDF to select the value \text{E}[\epsilon] such that any given slot will fail with probability 2^{-\varepsilon} (where \varepsilon is a user-defined security parameter) to reach \log_{2}(1/\epsilon) bits of precision.
4. Use the encoder method \textsf{DecodePublic} with the parameter \log_{2}(1/\epsilon) to decode plaintexts that will be published.

Note that, for composability with differential privacy, the variance of the error introduced by the rounding is \text{Var}[x - \lfloor x \cdot \epsilon \rceil / \epsilon] = \tfrac{\epsilon^2}{12} and therefore \text{Var}[x - \lfloor x/(\sigma\sqrt{12})\rceil\cdot(\sigma\sqrt{12})] = \sigma^2.

A second approach to achieve IND-CPA^D secure CKKS is to use a version of CKKS that returns the exact message with probability \delta, called $delta$-exact CKKS and proposed in the recent research paper Bossuat et al., The autors achieve this by rounding off the noise after the CKKS decryption, based on probabilistic bounds on the noise. $\delta$-exact CKKS is a step towards obtaining practical IND-CPA-D security for CKKS. In Lattigo, we are planning to implement a detailed noise analysis for all basic operations, including bootstrapping, based on the work by Bossuat et al.. To support this, we will provide a noise estimator tool that combines the noise bounds for individual operations, allowing for accurate estimates even for complex circuits.

Security of Exact Homomorphic Encryption

In recent papers Checri et al. and Cheon et al., the authors revealed new passive key-recovery attacks targeting also the exact FHE cryptosystems, including BFV, BGV, and TFHE. They exploit imperfect correctness and show that BFV, BGV and TFHE are not protected against IND-CPA^D attackers.

IND-CPA^D Security for Exact Homomorphic Encryption

Achieving IND-CPA^D security for the exact homomorphic encryption schemes requires near-perfect correctness, meaning decryption failures must be exceptionally rare, with a probability lower than 2^{−\lambda}, where \lambda is a user-defined security parameter. Such failures should be so unlikely that finding one is computationally infeasible. For exact schemes like BFV and BGV, implemented in Lattigo, near-perfect correctness can be maintained by adjusting scheme parameters to bound decryption noise, though this comes at the cost of performance. The scheme must also control noise growth by limiting the number and type of operations performed at each computation level.

Recommendation for applicative countermeasures

1. FHE ciphertexts are inherently malleable, and this malleability, combined with vulnerabilities such as circular security and decision-to-search attacks, can lead to key-recovery attacks. As a foundational principle, it’s crucial that FHE ciphertexts are transmitted only through private and authenticated channels, encapsulated within traditional cryptographic methods.
2. Most IND-CPA^D attacks require hundreds of thousands of queries to the evaluation and decryption oracles. By employing ephemeral keys or key rotations, we can limit the number of available plaintext-ciphertext pairs, effectively reducing the attack surface and mitigating these types of attacks.
3. A zero-knowledge proof can be employed to verify both the correctness of the ciphertext and the prover's knowledge of the corresponding plaintext, without revealing any information about the plaintext itself.
4. To ensure the accuracy of the public results, it is recommended that independent parties independently replicate the computation.
5. Circuit Privacy: Ensuring that the output of an FHE computation does not leak any secret information from the evaluator.
6. other physical limitations: firewall, rate control, enclaves