Part 5. How secure is CKKS?
The current FHE standard is 128-bit security. The choice of 128 is partly a historical convention and partly a practical compromise:
- 128 is a power of two and thus a round, familiar number,
- using 256-bit security is much more computationally expensive, because it forces the ring dimension up to $2^{17}$, and
- at 128 bits, the best known attacks would still take billions of years even if all the world's current computing power were thrown at them.
Whether CKKS hits this target, and what needs to be done to ensure it does, depends on the use case. In the outsourced computation setting (described in Section 1.3), the scheme without any modifications (as given in Part 3) already meets the standard target. But in any model where decryptions are revealed back to the computation server, the scheme has to incorporate a mitigation called noise flooding, which adds nontrivial computational overhead to every workload that needs it.
It is important to remember that FHE is still a young field, and the picture isn't static. The security of any system changes whenever a new attack on an underlying hardness assumption is published, typically forcing a parameter change and a corresponding slowdown in computation.
In this section, we'll cover:
- the security models CKKS is analyzed under and which use cases they apply to (5.1),
- the trust assumptions a CKKS deployment requires about its participants (5.2), and
- the known attacks against CKKS (5.3).