Security models

There are two common security models for CKKS: IND-CPA and IND-CPAD. IND-CPAD security is stronger than IND-CPA security, and should be used when the decryptions of results are broadcast publicly or an attacker otherwise has access to many decryptions.

IND-CPA

[WORK IN PROGRESS]

The standard security notion for FHE is IND-CPA. In a chosen-plaintext attack, the attacker has the public key, so it can encrypt any plaintext it wants, but it never sees a decryption. The game proceeds as follows:

  1. The challenger generates a public/secret key pair and sends the public key to the attacker.
  2. The attacker picks two distinct plaintexts $m_0$ and $m_1$.
  3. The challenger picks a random bit $b \in \{0, 1\}$, encrypts $m_b$ under the public key, and sends the ciphertext to the attacker.
  4. The attacker outputs a guess $b' \in \{0, 1\}$.

A scheme is IND-CPA secure if no efficient attacker can guess $b$ correctly with probability noticeably better than $1/2$. Naive CKKS is IND-CPA secure, and its security reduces to the RLWE assumption (see Section 5.3 for known attacks).

IND-CPAD

[WORK IN PROGRESS]

In approximate FHE schemes like CKKS, the residual noise left over after decryption can leak information about the secret key. The IND-CPAD model captures this by extending IND-CPA with a decryption oracle: the attacker can create ciphertexts, evaluate arithmetic circuits on them, and ask for decryptions of the results. The game proceeds as follows:

  1. The challenger generates a public/secret key pair and sends the public key to the attacker.
  2. The attacker picks two distinct plaintexts $m_0$ and $m_1$ and an arithmetic circuit $f$ satisfying $f(m_0) = f(m_1)$.
  3. The challenger picks a random bit $b \in \{0, 1\}$, encrypts $m_b$, evaluates $f$ homomorphically on the ciphertext, decrypts the result, and sends the noisy decryption to the attacker.
  4. The attacker outputs a guess $b' \in \{0, 1\}$.

A scheme is IND-CPAD secure if no efficient attacker can win this game with probability noticeably better than $1/2$. The constraint $f(m_0) = f(m_1)$ is essential: without it, the attacker could trivially distinguish by reading the decrypted plaintext, regardless of the encryption scheme. With it in place, the two underlying plaintexts agree, and the only signal available to the attacker is the noise riding on the decryption.

Naive CKKS is not IND-CPAD secure, because the residual noise after decryption carries information about the secret key (see Section 5.3 for specific attacks). To achieve IND-CPAD security, the secret-key holder must obscure decryptions by adding extra Gaussian noise, a technique called noise flooding that is discussed in Section 3.6.
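The IND-CPAD game above, and the role of the constraint $f(m_0) = f(m_1)$, as an added Python simulation that is not part of the original text. It uses a constructed toy approximate scheme (symmetric-key, scalar rather than polynomial, with an assumed modulus `Q` and noise bound) whose decryption returns message plus residual noise, plays the challenger's four steps, rejects circuits with $f(m_0) \neq f(m_1)$, and measures the advantage of an attacker that simply reads the decryption: 1 when the constraint is dropped, about 0 when it is enforced. The key-leaking noise attacks of Section 5.3 are not modelled; the optional `flood_sigma` only marks where noise flooding enters the protocol.

```python
import random

# Toy approximate scheme constructed for this example (not CKKS): decryption
# evaluates sum(c_i * s^i) mod Q and hands back message + residual noise.
Q = 2**61 - 1        # modulus (assumed)
NOISE_BOUND = 8      # fresh noise e is uniform in [-8, 8] (assumed)
rng = random.Random(2024)

class Ct:
    def __init__(self, coeffs): self.c = [x % Q for x in coeffs]
    def _lift(self, o): return o if isinstance(o, Ct) else Ct([o])
    def __add__(self, o):
        o = self._lift(o); n = max(len(self.c), len(o.c))
        return Ct([(self.c[i] if i < len(self.c) else 0) +
                   (o.c[i] if i < len(o.c) else 0) for i in range(n)])
    def __sub__(self, o): return self + self._lift(o) * (-1)
    def __mul__(self, o):  # ct x ct raises the degree in s (no relinearisation here)
        o = self._lift(o); out = [0] * (len(self.c) + len(o.c) - 1)
        for i, a in enumerate(self.c):
            for j, b in enumerate(o.c): out[i + j] += a * b
        return Ct(out)

def keygen(): return rng.randrange(Q)
def encrypt(s, m):
    a, e = rng.randrange(Q), rng.randint(-NOISE_BOUND, NOISE_BOUND)
    return Ct([a * s + m + e, -a])               # c0 + c1*s = m + e
def decrypt(s, ct, flood_sigma=0.0):
    v = sum(c * pow(s, i, Q) for i, c in enumerate(ct.c)) % Q
    v = v - Q if v > Q // 2 else v               # centre into (-Q/2, Q/2]
    return v + round(rng.gauss(0, flood_sigma))  # noise flooding when sigma > 0

def ind_cpad_game(attacker, enforce_constraint=True, flood_sigma=0.0):
    s = keygen()                                          # step 1 (symmetric toy: no public key)
    m0, m1, f = attacker.choose()                         # step 2
    if m0 == m1 or (enforce_constraint and f(m0) != f(m1)):
        raise ValueError("challenger rejects the query")
    b = rng.randrange(2)                                  # step 3
    leaked = decrypt(s, f(encrypt(s, m1 if b else m0)), flood_sigma)
    return attacker.guess(m0, m1, f, leaked) == b         # step 4

class PlaintextReader:
    """Reads the decryption: picks the closer of f(m0), f(m1); coin flip on a tie."""
    def __init__(self, f): self.f = f
    def choose(self): return 0, 1000, self.f
    def guess(self, m0, m1, f, leaked):
        d0, d1 = abs(leaked - f(m0)), abs(leaked - f(m1))
        return rng.randrange(2) if d0 == d1 else int(d1 < d0)

def advantage(f, trials=400, **kw):
    wins = sum(ind_cpad_game(PlaintextReader(f), **kw) for _ in range(trials))
    return abs(2 * wins / trials - 1)
```

Running `advantage(lambda x: x, enforce_constraint=False)` gives 1.0, while `advantage(lambda x: x * (x - 1000))` (where $f(0) = f(1000) = 0$) stays near 0, because the two decryptions agree up to noise and the reader is left guessing.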