Securing Approximate Homomorphic Encryption Using Differential Privacy

Abstract

AbstractRecent work of Li and Micciancio (Eurocrypt 2021) has shown that the traditional formulation of indistinguishability under chosen plaintext attack (\(\textsf {IND\text {-}CPA}\)) is not adequate to capture the security of approximate homomorphic encryption against passive adversaries, and identified a stronger \(\textsf {IND\text {-}CPA}^{\textsf {D}}\) security definition (\(\textsf {IND\text {-}CPA}\) with decryption oracles) as the appropriate security target for approximate encryption schemes. We show how to transform any approximate homomorphic encryption scheme achieving the weak \(\textsf {IND\text {-}CPA}\) security definition, into one which is provably \(\textsf {IND\text {-}CPA}^{\textsf {D}}\) secure, offering strong guarantees against realistic passive attacks. The method works by postprocessing the output of the decryption function with a mechanism satisfying an appropriate notion of differential privacy (DP), adding an amount of noise tailored to the worst-case error growth of the homomorphic computation.We apply these results to the approximate homomorphic encryption scheme of Cheon, Kim, Kim, and Song (CKKS, Asiacrypt 2017), proving that adding Gaussian noise to the output of CKKS decryption suffices to achieve \(\textsf {IND\text {-}CPA}^{\textsf {D}}\) security. We precisely quantify how much Gaussian noise must be added by proving nearly matching upper and lower bounds, showing that one cannot hope to significantly reduce the amount of noise added in this post-processing step. As an additional contribution, we present and use a finer grained definition of bit security that distinguishes between a computational security parameter (c) and a statistical one (s). Based on our upper and lower bounds, we propose parameters for the counter-measures recently adopted by open-source libraries implementing CKKS.Lastly, we investigate the plausible claim that smaller DP noise parameters might suffice to achieve \(\textsf {IND\text {-}CPA}^{\textsf {D}}\)-security for schemes supporting more accurate (dynamic, key dependent) estimates of ciphertext noise during decryption. Perhaps surprisingly, we show that this claim is false, and that DP mechanisms with noise parameters tailored to the error present in a given ciphertext, rather than worst-case error, are vulnerable to \(\textsf {IND\text {-}CPA}^{\textsf {D}}\) attacks.