# On the IND-CCA1 Security of FHE Schemes

^{1}

^{2}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

#### 1.1. Our Contributions

#### 1.2. Related Work

## 2. Preliminaries

#### 2.1. Notation

#### 2.2. Notions

- Somewhat homomorphic encryption (SHE) refers to schemes able to perform a limited number of homomorphic additions and/or multiplications before an evaluated ciphertext is not guaranteed to decrypt correctly. Although the number of operations may be estimated, it cannot be set explicitly;
- Levelled homomorphic encryption (LHE) schemes are similar to SHE schemes in that they allow for a limited amount of operations to be performed on a ciphertext. Here, though, the amount can be set explicitly and is included as a parameter, the “levels” L, in the key generation;
- Fully homomorphic encryption (FHE) allows for an unlimited number of homomorphic operations to be performed on a ciphertext. The only known way of achieving an FHE scheme is to bootstrap an SHE or LHE scheme.

- $\mathcal{C}$ draws a key pair $(pk,sk)\leftarrow \mathrm{KeyGen}\left(params\right)$ and sends $pk$ to $\mathbb{A}$;
- $\mathbb{A}$ makes polynomially many ciphertext queries to her decryption oracle ${\mathcal{O}}_{\mathrm{Dec}}$, which returns Dec$\left(c\right)$ for any ciphertext c that $\mathbb{A}$ has sent it;
- $\mathbb{A}$ sends two plaintexts of equal length $({m}_{0},{m}_{1})$ to $\mathcal{C}$;
- $\mathcal{C}$ returns $c\leftarrow \mathrm{Enc}(pk,{m}_{b})$ to $\mathbb{A}$, for a randomly chosen bit $b\in \{0,1\}$;
- $\mathbb{A}$ outputs the bit ${b}^{*}$ and wins if ${b}^{*}=b$.

## 3. Schemes

#### 3.1. (R)LWE

- The private key is a vector $\mathbf{s}\in {R}^{n}$ for some polynomial ring R (in the case of RLWE) or for $R={\mathbb{Z}}_{q}$ (in the case of LWE). For RLWE, $n=1$. The private key is drawn from either a bounded Gaussian distribution or a uniform distribution over polynomials with binary or ternary coefficients;
- The public key generation first computes an (R)LWE sample ${\mathit{a}}^{\prime}=\mathit{A}\mathit{s}+\mathit{e}$, where $\mathit{A}\in {R}^{N\times n}$ is a randomly sampled matrix and $\mathit{e}\in {R}^{N}$ is sampled from a noise distribution $\chi $. Then, the public key $\mathit{PK}\in {R}^{N\times (n+1)}$ is constructed using $\mathit{A}$ and ${\mathit{a}}^{\prime}$ such that $\mathit{PK}\xb7(-\mathit{s}\parallel 1)=\mathit{e}$;
- Encryption of a message $m\in \mathbb{M}$ first encodes it as ${\mathit{m}}^{\prime}\in {R}^{n+1}$ (e.g., ${\mathit{m}}^{\prime}=(0,\dots ,0,m)$), samples some randomness $\mathit{r}\in {R}^{N}$, and outputs $c=\mathit{r}\xb7\mathit{PK}+{\mathit{m}}^{\prime}\in {R}^{n+1}$. In some variants, ${\mathit{m}}^{\prime}$ and $\mathit{r}$ are matrices instead of vectors;
- Decryption parses the ciphertext as $c=(\mathbf{a},b)$ where $\mathit{a}\in {R}^{n}$ and $b\in R$, then computes $m=\rho (\langle \mathit{a},\mathit{s}\rangle -b)$ (for LWE) or $m=\rho (\mathit{a}\xb7\mathit{s}-b)$ (for RLWE), where $\rho :R\to \mathbb{M}$ is a rounding function into the plaintext space.

#### 3.2. Ideal Lattices

#### 3.3. Approximate Greatest Common Divisor

#### 3.3.1. vDGHV

- KeyGen: Choose an odd integer p from the interval $[{2}^{\eta -1},{2}^{\eta})$. Output $sk=p$;
- Enc($p,m\in \{0,1\}$): Draw $q,r\leftarrow \chi $ such that $2r<p/2$, and output $c=pq+2r+m$;
- Dec($p,c$): Output $(c$ mod $p)\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}2$.

#### 3.3.2. BBL

- KeyGen: Sample an $\eta $-bit integer p, and sample an integer ${x}_{0}\leftarrow {\chi}_{\gamma ,\rho}$ such that the bit-length is $\gamma $. Then, sample $\tau $ integers ${x}_{i}\leftarrow {\chi}_{\gamma ,\rho}$ such that ${x}_{i}\le {x}_{0}$ for $1\le i\le \tau $; we write $\mathbf{x}=[{x}_{1},\cdots ,{x}_{\tau}]$. Output $pk=({x}_{0},\mathbf{x}),sk=p$;
- Enc($pk,m$): Draw a matrix $\mathbf{S}\leftarrow {\{0,1\}}^{\tau \times \gamma}$, and output $\mathbf{c}=m{\mathbf{g}}^{T}+\mathbf{x}\mathbf{S}$mod ${x}_{0}$;
- Dec($p,\mathbf{c}$): Compute $\mu =\mathbf{c}{g}^{-1}(p/2)$ mod p. If $\left|\mu \right|\ge p/4$, return one, else return zero.

#### 3.3.3. Per

- KeyGen($\lambda ,B,n,\eta ,\rho ,{\rho}_{0},\gamma $): Draw an $\eta $-bit prime p, then sample ${x}_{0}$ from ${\chi}_{{\rho}_{0},p}$ such that the bit-length of ${x}_{0}$ is $\gamma $ and ${x}_{0}=qp+r$ for $\left|r\right|\le {2}^{{\rho}_{0}}$. Sample $\mathbf{K}$ uniformly from ${\mathbb{Z}}_{{x}_{0}}^{n\times n}$ until ${\mathbf{K}}^{-1}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{x}_{0}$ exists. Finally, define $\alpha =\lfloor \frac{{2}^{\eta -1}}{2B+1}\rceil $; output $sk=(p,\mathbf{K})$; update the set of public parameters $\{B,n,\eta ,\rho ,{\rho}_{0},\gamma \}$ to include $\{\alpha ,{x}_{0}\}$;
- EncMat($sk,\mathbf{M}$): Construct the matrix $\mathbf{X}=p\mathbf{Q}+\mathbf{R}$ by sampling each matrix element from $\chi <{x}_{0}$, which only outputting elements smaller than ${x}_{0}$. Compute $\mathbf{C}=(\mathbf{X}+\mathbf{G}\mathbf{K}\mathbf{M}){\mathbf{K}}^{-1}$ mod ${x}_{0}$, and output $\mathbf{C}$;
- DecMat($sk,\mathbf{C}$): Compute ${\mathbf{C}}^{\prime}={G}^{-1}\left(\alpha {\mathbf{K}}^{-1}\right)\mathbf{C}\mathbf{K}$ mod ${x}_{0}$, then ${\mathbf{C}}^{*}={\mathbf{C}}^{\prime}$ mod p, and finally, output $\lfloor {\mathbf{C}}^{*}/\alpha \rceil $;
- EncVec($sk,\mathbf{m}$): Construct an n-length vector $\mathbf{x}=p\mathbf{q}+\mathbf{r}$, again by sampling every vector element from ${\chi}_{<{x}_{0}}$. Compute and output $\mathbf{c}=(\mathbf{x}+\alpha \mathbf{m}){\mathbf{K}}^{-1}$;
- DecVec($sk,\mathbf{c}$): Compute ${\mathbf{c}}^{\prime}=\mathbf{c}\mathbf{K}$ mod ${x}_{0}$, then ${\mathbf{c}}^{*}={\mathbf{c}}^{\prime}$ mod p. Return $\lfloor {\mathbf{c}}^{*}/\alpha \rceil $.

#### 3.4. NTRU

#### BLLN

- ParamsGen($\lambda $): Given $\lambda $, fix n to determine the ring $\mathbb{Z}\left[x\right]/({x}^{n}+1)$. The security parameter also determines the moduli q and p, as well as the noise distributions ${\chi}_{k}$ and ${\chi}_{e}$;
- KeyGen($n,q,p,{\chi}_{k},{\chi}_{e}$): Draw ${f}^{\prime},g\leftarrow {\chi}_{k}$; set $f=p{f}^{\prime}+1$ mod q; compute ${f}^{-1}\in {R}_{q}$ (redrawing if ${f}^{-1}$ does not exist); output $(pk,sk)=(h=g{f}^{-1},f)$;
- Enc($pk,m\in [-p/2,p/2)$): Draw $r,e\leftarrow {\chi}_{e}$, and compute $c=\lfloor q/p\rfloor m+r+he$ mod q as an element of R;
- Dec($sk,c$): Compute and output $m=\lceil \frac{p}{q}(fc$ mod $q)\rfloor $ mod $p\in R$.

#### 3.5. Miscellaneous Schemes

#### 3.5.1. AFFHP

- Enc(m): Draw f of bounded degree at random from ${\mathbb{F}}_{q}[{x}_{0},\dots ,{x}_{n-1}]$. Compute ${f}_{0}=f-(f\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\mathsf{G})$, and select $e\leftarrow \chi $ at random. Return $C={f}_{0}+2e+m$;
- Dec(C): Compute and return $(C\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\mathsf{G})\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}2$.

#### 3.5.2. DHPSSWZ

- Enc($m\left(x\right)$): Draw $r\left(x\right)$ from a distribution giving small polynomials. Output $C\left(y\right)=2r\left(\varphi \right(y\left)\right)+m\left(\varphi \right(y\left)\right)$ mod $F\left(y\right)$;
- Dec($C\left(y\right)$): Replace y by $\psi \left(x\right)$ in the polynomial C, and output $\left(C\right(\psi \left(x\right))$ mod $f\left(x\right))\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}2$.

#### 3.5.3. LGM

- Setup(${1}^{\kappa},{1}^{L}$): Let $n=n(\kappa ,L)$ and $m=m(\kappa ,L)$, and choose a modulus q and bounded noise distribution $\chi =\chi (\kappa ,L)$ on $\mathbb{Z}$ such that at least ${2}^{\kappa}$ security against known attacks is achieved. Choose the number of secret keys $t=O(logn)$. Let $l=logq+1$ and $N=(t+m)l$. Output $params=(n,q,\chi ,m,t,l,N)$;
- KeyGen($params$): Uniformly sample $\mathbf{B}\in {\mathbb{Z}}_{q}^{n\times m}$. For $i\in [1,t]$, sample ${\mathit{e}}_{i}$ from ${\chi}^{m}$; set ${\mathbf{u}}_{i}=\mathbf{B}{\mathit{e}}_{i}$; set ${\mathbf{s}}_{i}={({\mathbf{r}}_{i}\parallel -{\mathit{e}}_{i}^{T})}^{T}$, where ${\mathbf{r}}_{i}$ is the i-th row of the $t\times t$ identity matrix. Return the public key $\mathbf{A}=[{\mathbf{u}}_{1}\parallel \dots \parallel {\mathbf{u}}_{t}\parallel \mathbf{B}]\in {\mathbb{Z}}_{q}^{n\times (t+m)}$ and the secret key $\mathbf{s}=({\mathbf{s}}_{1},\dots ,{\mathbf{s}}_{t})$;
- Enc($\mathbf{A},\mu \in {\mathbb{Z}}_{2}$): Let $\mathbf{G}$ be the $(t+m)\times N$ gadget matrix. Sample $\mathbf{R}\leftarrow {\mathbb{Z}}_{q}^{n\times N}$ and $\mathbf{X}\leftarrow {\chi}^{(t+m)\times N}$. Output $\mathbf{C}=\mu \xb7\mathbf{G}+{\mathbf{A}}^{T}\mathbf{R}+\mathbf{X}\in {\mathbb{Z}}_{q}^{(t+m)\times N}$;
- Dec($\mathbf{s},\mathbf{C}$): Sample $({\lambda}_{1},\dots ,{\lambda}_{t})\in {\mathbb{Z}}_{q}^{t}\setminus {\left\{0\right\}}^{t}$ until the generated ${\mathbf{s}}^{\prime}={\sum}_{i=1}^{t}{\lambda}_{i}{\mathbf{s}}_{i}$ has a sufficiently small norm. Let $i\in [1,t],j,I=(i-1)l+j$ be integers such that ${\lambda}_{i}\ne 0$, ${2}^{j-1}\in (q/4,q/2]$ and $I\in [1,tl]$. Compute $u=\langle {\mathbf{C}}_{I},{\mathbf{s}}^{\prime}\rangle \phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$, where ${\mathbf{C}}_{I}$ is the Ith column of the ciphertext matrix $\mathbf{C}$. Finally, output $|u/{2}^{j-1}|\in \{0,1\}$.

#### 3.6. Noise-Free Attempts

## 4. Existing Attacks

#### 4.1. (R)LWE Attacks

#### 4.2. AGCD Attacks

#### 4.3. NTRU Attack

#### 4.4. LGM Attack

## 5. Attacking Other Schemes

#### 5.1. Applying the (R)LWE Attack on Other Schemes

#### 5.2. Attacks on AGCD-Based Schemes

#### 5.2.1. Applying the Known Attack on Other Schemes

#### 5.2.2. BBL

#### 5.2.3. Per

- Step 1:
- Recovering p

- Step 2:
- Recovering $\mathbf{K}$

#### 5.3. Attacks on AFFHP and DHPSSWZ

#### 5.3.1. CCA Key Recovery Attack on AFFHP

#### 5.3.2. CCA Key Recovery Attack on DHPSSWZ

## 6. Generic Constructions of IND-CCA1-Secure *HE

#### 6.1. LMSV

#### 6.2. Constructions from Multi-Key Identity-Based Encryption

- KeyGen: Same as for the multi-key IBHE scheme. The secret key is the master secret key $msk$, and the public key is the master public key $mpk$;
- Enc($mpk,m$): Sample a random identity $id$; compute $c={\mathrm{Enc}}_{\mathrm{IBHE}}(mpk,id,m)$; output $(c,id)$;
- Dec($msk,(\mathbf{c},id)$): Parse $\mathbf{c}=(c,id)$; compute $s{k}_{id}=\mathrm{Ext}(id,msk)$; output $m={\mathrm{Dec}}_{\mathrm{IBHE}}(s{k}_{id},id,c)$;
- Eval: Uses the IBHE evaluation function.

#### 6.3. (Probabilistic) iO-Based

#### 6.4. zk-SNARK Construction

## 7. Discussion

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## Appendix A. Background

**Definition**

**A1**

## Appendix B. Plaintext Awareness

**Table A1.**The games ${\mathrm{Exp}}_{\mathcal{E},\mathbb{A},\mathcal{D}}^{PA-1-d}\left(\lambda \right)$ and ${\mathrm{Exp}}_{\mathcal{E},\mathbb{A},\mathcal{D},{\mathbb{A}}^{*}}^{PA-1-x}\left(\lambda \right)$.

${\mathbf{Exp}}_{\mathcal{E},\mathbb{A},\mathcal{D}}^{\mathbf{PA}-1-\mathit{d}}\left(\mathit{\lambda}\right)$ | ${\mathbf{Exp}}_{\mathcal{E},\mathbb{A},\mathcal{D},{\mathbb{A}}^{*}}^{\mathbf{PA}-1-\mathit{x}}\left(\mathit{\lambda}\right)$ |
---|---|

$(pk,sk)\leftarrow $ KeyGen($\lambda $) | $(pk,sk)\leftarrow $ KeyGen($\lambda $) |

$x\leftarrow {\mathbb{A}}^{\mathrm{Decrypt}(\xb7,sk)}\left(pk\right)$ | Choose coins coins$\left[\mathbb{A}\right]$ and coins$\left[{\mathbb{A}}^{*}\right]$ |

$d\leftarrow \mathcal{D}\left(x\right)$ | St $\leftarrow (pk,\mathrm{coins}[\mathbb{A}\left]\right)$ |

Return d | $x\leftarrow {\mathbb{A}}^{\mathcal{O}}$, replying to oracle queries $\mathcal{O}\left(c\right)$: |

$(m,\mathrm{St})\leftarrow {\mathbb{A}}^{*}(c,\mathrm{St};\mathrm{coins}\left[{\mathbb{A}}^{*}\right])$ | |

Return m to $\mathbb{A}$ | |

$d\leftarrow \mathcal{D}\left(x\right)$ | |

Return d |

**Definition**

**A2**

## References

- Rivest, R.L.; Adleman, L.; Dertouzos, M.L. On data banks and privacy homomorphisms. Found. Secur. Comput.
**1978**, 4, 169–180. [Google Scholar] - Gentry, C. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, Bethesda, MD, USA, 31 May–2 June 2009; pp. 169–178. [Google Scholar] [CrossRef][Green Version]
- Gentry, C.; Halevi, S. Implementing Gentry’s Fully-Homomorphic Encryption Scheme. In Proceedings of the EUROCRYPT 2011, 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, 15–19 May 2011; Volume 6632, pp. 129–148. [Google Scholar] [CrossRef][Green Version]
- Masters, O.; Hunt, H.; Steffinlongo, E.; Crawford, J.; Bergamaschi, F.; Rosa, M.E.D.; Quini, C.C.; Alves, C.T.; de Souza, F.; Ferreira, D.G. Towards a Homomorphic Machine Learning Big Data Pipeline for the Financial Services Sector. Cryptol. ePrint Arch.
**2019**. eprint.iacr.org/2019/1113. [Google Scholar] - Laine, K. Updates on ISO/IEC Standardization; Email sent to the mailing list [email protected], 15 September 2021; ISO: Geneva, Switzerland, 2021. [Google Scholar]
- Privacy Enhancing Technologies. Available online: https://csrc.nist.gov/Projects/pec (accessed on 23 September 2021).
- Zhang, Z.; Plantard, T.; Susilo, W. Reaction Attack on Outsourced Computing with Fully Homomorphic Encryption Schemes. In Proceedings of the ICISC 2011, 14th International Conference, Seoul, Korea, 30 November–2 December 2011; Volume 7259, pp. 419–436. [Google Scholar]
- Chillotti, I.; Gama, N.; Goubin, L. Attacking FHE-Based Applications by Software Fault Injections. Cryptol. ePrint Arch.
**2016**. eprint.iacr.org/2016/1164. [Google Scholar] - Manger, J. A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. In Proceedings of the CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; Volume 2139, pp. 230–238. [Google Scholar] [CrossRef]
- Vaudenay, S. Security Flaws Induced by CBC Padding—Applications to SSL, IPSEC, WTLS. In Proceedings of the EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, 28 April–2 May 2002; Volume 2332, pp. 534–546. [Google Scholar] [CrossRef][Green Version]
- Chenal, M.; Tang, Q. On Key Recovery Attacks Against Existing Somewhat Homomorphic Encryption Schemes. In Proceedings of the LATINCRYPT 2014, Third International Conference on Cryptology and Information Security in Latin America, Florianópolis, Brazil, 17–19 September 2014; Volume 8895, pp. 239–258. [Google Scholar] [CrossRef][Green Version]
- Peng, Z. Danger of using fully homomorphic encryption: A look at Microsoft SEAL. arXiv
**2019**, arXiv:1906.07127. [Google Scholar] - Cheon, J.H.; Hong, S.; Kim, D. Remark on the Security of CKKS Scheme in Practice. Cryptol. ePrint Arch.
**2020**. eprint.iacr.org/2020/1581. [Google Scholar] - Cramer, R.; Shoup, V. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In Proceedings of the CRYPTO ’98, 18th Annual International Cryptology Conference, Santa Barbara, CA, USA, 23–27 August 1998; Volume 1462, pp. 13–25. [Google Scholar] [CrossRef][Green Version]
- Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. In Proceedings of the ITCS 2012, Cambridge, MA, USA, 8–10 January 2012; pp. 309–325. [Google Scholar] [CrossRef][Green Version]
- Brakerski, Z.; Vaikuntanathan, V. Efficient Fully Homomorphic Encryption from (Standard) LWE. In Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, Palm Springs, CA, USA, 22–25 October 2011; pp. 97–106. [Google Scholar] [CrossRef][Green Version]
- Brakerski, Z.; Vaikuntanathan, V. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. In Proceedings of the CRYPTO 2011, 31st Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011; Volume 6841, pp. 505–524. [Google Scholar] [CrossRef][Green Version]
- Dahab, R.; Galbraith, S.; Morais, E. Adaptive Key Recovery Attacks on NTRU-Based Somewhat Homomorphic Encryption Schemes. In Proceedings of the ICITS 2015, 8th International Conference, Lugano, Switzerland, 2–5 May 2015; Volume 9063, pp. 283–296. [Google Scholar] [CrossRef]
- Brakerski, Z. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In Proceedings of the CRYPTO 2012, 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Volume 7417, pp. 868–886. [Google Scholar] [CrossRef][Green Version]
- Gentry, C.; Sahai, A.; Waters, B. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In Proceedings of the CRYPTO 2013, 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2013; Volume 8042, pp. 75–92. [Google Scholar] [CrossRef][Green Version]
- Cheon, J.H.; Kim, A.; Kim, M.; Song, Y.S. Homomorphic Encryption for Arithmetic of Approximate Numbers. In Proceedings of the ASIACRYPT 2017, 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, 3–7 December 2017; Volume 10624, pp. 409–437. [Google Scholar] [CrossRef]
- Fan, J.; Vercauteren, F. Somewhat Practical Fully Homomorphic Encryption. Cryptol. ePrint Arch.
**2012**. eprint.iacr.org/2012/144. [Google Scholar] - Bootland, C.; Castryck, W.; Iliashenko, I.; Vercauteren, F. Efficiently processing complex-valued data in homomorphic encryption. J. Math. Cryptol.
**2020**, 14, 55–65. [Google Scholar] [CrossRef] - Arita, S.; Nakasato, S. Fully homomorphic encryption for point numbers. In Proceedings of the International Conference on Information Security and Cryptology, Beijing, China, 4–6 November 2016; pp. 253–270. [Google Scholar]
- Chen, H.; Laine, K.; Player, R.; Xia, Y. High-Precision Arithmetic in Homomorphic Encryption. In Proceedings of the CT-RSA 2018, The Cryptographers’ Track at the RSA Conference 2018, San Francisco, CA, USA, 16–20 April 2018; Volume 10808, pp. 116–136. [Google Scholar] [CrossRef]
- Chen, H.; Iliashenko, I.; Laine, K. When HEAAN Meets FV: A New Somewhat Homomorphic Encryption with Reduced Memory Overhead. IACR Cryptol.
**2020**, 2020, 121. [Google Scholar] - Brakerski, Z.; Vaikuntanathan, V. Lattice-based FHE as secure as PKE. In Proceedings of the ITCS 2014, Princeton, NJ, USA, 12–14 January 2014; pp. 1–12. [Google Scholar] [CrossRef][Green Version]
- Berkoff, A.; Liu, F.H. Leakage Resilient Fully Homomorphic Encryption. In Proceedings of the TCC 2014, 11th Theory of Cryptography Conference, San Diego, CA, USA, 24–26 February 2014; Volume 8349, pp. 515–539. [Google Scholar] [CrossRef][Green Version]
- Chen, H.; Chillotti, I.; Song, Y. Multi-Key Homomorphic Encryption from TFHE. In Proceedings of the ASIACRYPT 2019, 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 8–12 December 2019; Volume 11922, pp. 446–472. [Google Scholar] [CrossRef]
- Clear, M.; McGoldrick, C. Multi-identity and Multi-key Levelled FHE from Learning with Errors. In Proceedings of the CRYPTO 2015, 35th Annual Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 2015; Volume 9216, pp. 630–656. [Google Scholar] [CrossRef][Green Version]
- Chillotti, I.; Gama, N.; Georgieva, M.; Izabachène, M. TFHE: Fast Fully Homomorphic Encryption Over the Torus. J. Cryptol.
**2020**, 33, 34–91. [Google Scholar] [CrossRef] - Joux, A. Fully Homomorphic Encryption Modulo Fermat Numbers. Cryptol. ePrint Arch.
**2019**. eprint.iacr.org/2019/187. [Google Scholar] - Brakerski, Z.; Perlman, R. Lattice-Based Fully Dynamic Multi-key FHE with Short Ciphertexts. In Proceedings of the CRYPTO 2016, 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Volume 9814, pp. 190–213. [Google Scholar] [CrossRef]
- Arita, S.; Handa, S. Subring Homomorphic Encryption. In Proceedings of the ICISC 17, 20th International Conference, Seoul, Korea, 29 November–1 December 2017; Volume 10779, pp. 112–136. [Google Scholar] [CrossRef]
- Peikert, C.; Shiehian, S. Multi-key FHE from LWE, Revisited. In Proceedings of the TCC 2016-B, 14th International Conference Theory of Cryptography, Beijing, China, 31 October–3 November 2016; Volume 9986, pp. 217–238. [Google Scholar] [CrossRef]
- Costache, A.; Smart, N.P. Homomorphic Encryption without Gaussian Noise. Cryptol. ePrint Arch.
**2017**. eprint.iacr.org/2017/163. [Google Scholar] - Loftus, J.; May, A.; Smart, N.P.; Vercauteren, F. On CCA-Secure Somewhat Homomorphic Encryption. In Proceedings of the SAC 2011, 18th International Workshop, SAC 2011, Toronto, ON, Canada, 11–12 August 2011; Volume 7118, pp. 55–72. [Google Scholar] [CrossRef][Green Version]
- Smart, N.P.; Vercauteren, F. Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. In Proceedings of the PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, 26–28 May 2010; Volume 6056, pp. 420–443. [Google Scholar] [CrossRef][Green Version]
- Stehlé, D.; Steinfeld, R. Faster Fully Homomorphic Encryption. In Proceedings of the ASIACRYPT 2010, 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 5–9 December 2010; Volume 6477, pp. 377–394. [Google Scholar] [CrossRef][Green Version]
- Smart, N.P.; Vercauteren, F. Fully homomorphic SIMD operations. Des. Codes Cryptogr.
**2014**, 71, 57–81. [Google Scholar] [CrossRef][Green Version] - Zhang, Z.; Plantard, T.; Susilo, W. On the CCA-1 Security of Somewhat Homomorphic Encryption over the Integers. In Proceedings of the International Conference on Information Security Practice and Experience, Hangzhou, China, 9–12 April 2012; pp. 353–368. [Google Scholar] [CrossRef]
- Coron, J.S.; Mandal, A.; Naccache, D.; Tibouchi, M. Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In Proceedings of the CRYPTO 2011, 31st Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011; Volume 6841, pp. 487–504. [Google Scholar] [CrossRef][Green Version]
- van Dijk, M.; Gentry, C.; Halevi, S.; Vaikuntanathan, V. Fully Homomorphic Encryption over the Integers. In Proceedings of the EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco/French Riviera, 30 May–3 June 2010; Volume 6110, pp. 24–43. [Google Scholar] [CrossRef][Green Version]
- Coron, J.S.; Naccache, D.; Tibouchi, M. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. In Proceedings of the EUROCRYPT 2012, 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Volume 7237, pp. 446–464. [Google Scholar] [CrossRef][Green Version]
- Cheon, J.H.; Stehlé, D. Fully Homomophic Encryption over the Integers Revisited. In Proceedings of the EUROCRYPT 2015, 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 26–30 April 2015; Volume 9056, pp. 513–536. [Google Scholar] [CrossRef][Green Version]
- Coron, J.S.; Lepoint, T.; Tibouchi, M. Scale-Invariant Fully Homomorphic Encryption over the Integers. In Proceedings of the PKC 2014, 17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, 26–28 March 2014; Volume 8383, pp. 311–328. [Google Scholar] [CrossRef][Green Version]
- Cheon, J.H.; Coron, J.S.; Kim, J.; Lee, M.S.; Lepoint, T.; Tibouchi, M.; Yun, A. Batch Fully Homomorphic Encryption over the Integers. In Proceedings of the EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, 26–30 May 2013; Volume 7881, pp. 315–335. [Google Scholar] [CrossRef][Green Version]
- Kim, J.; Lee, M.S.; Yun, A.; Cheon, J.H. CRT-based Fully Homomorphic Encryption over the Integers. Cryptol. ePrint Arch.
**2013**. eprint.iacr.org/2013/057. [Google Scholar] - Bos, J.W.; Lauter, K.; Loftus, J.; Naehrig, M. Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme. In Proceedings of the 14th IMA International Conference on Cryptography and Coding, Oxford, UK, 17–19 December 2013; Volume 8308, pp. 45–64. [Google Scholar] [CrossRef][Green Version]
- López-Alt, A.; Tromer, E.; Vaikuntanathan, V. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In Proceedings of the STOC 2012, 44th Symposium on Theory of Computing Conference, New York, NY, USA, 19–22 May 2012; pp. 1219–1234. [Google Scholar] [CrossRef][Green Version]
- Rohloff, K.; Cousins, D.B. A Scalable Implementation of Fully Homomorphic Encryption Built on NTRU. In Proceedings of the FC 2014 Workshops, Christ Church, Barbados, 7 March 2014; Volume 8438, pp. 221–234. [Google Scholar] [CrossRef]
- Fauzi, P.; Hovd, M.N.; Raddum, H. A Practical Adaptive Key Recovery Attack on the LGM (GSW-like) Cryptosystem. In Proceedings of the PQCRYPTO 2021, 12th International Workshop, PQCrypto 2021, Daejeon, Korea, 20–22 July 2021; pp. 483–498. [Google Scholar]
- Li, Z.; Galbraith, S.D.; Ma, C. Preventing Adaptive Key Recovery Attacks on the GSW Levelled Homomorphic Encryption Scheme. In Proceedings of the ProvSec 2016, 10th International Conference, Nanjing, China, 10–11 November 2016; Volume 10005, pp. 373–383. [Google Scholar] [CrossRef]
- Pereira, H.V.L. Efficient AGCD-based homomorphic encryption for matrix and vector arithmetic. In Proceedings of the International Conference on Applied Cryptography and Network Security, Rome, Italy, 19–22 October 2020; pp. 110–129. [Google Scholar]
- Benarroch, D.; Brakerski, Z.; Lepoint, T. FHE over the Integers: Decomposed and Batched in the Post-Quantum Regime. In Proceedings of the PKC 2017, 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, 28–31 March 2017; Volume 10175, pp. 271–301. [Google Scholar] [CrossRef]
- Doröz, Y.; Hoffstein, J.; Pipher, J.; Silverman, J.H.; Sunar, B.; Whyte, W.; Zhang, Z. Fully Homomorphic Encryption from the Finite Field Isomorphism Problem. In Proceedings of the PKC 2018, 21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018; Volume 10769, pp. 125–155. [Google Scholar] [CrossRef]
- Albrecht, M.R.; Farshim, P.; Faugère, J.C.; Perret, L. Polly Cracker, Revisited. In Proceedings of the ASIACRYPT 2011, 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, Korea, 4–8 December 2011; Volume 7073, pp. 179–196. [Google Scholar] [CrossRef][Green Version]
- Li, B.; Micciancio, D. On the Security of Homomorphic Encryption on Approximate Numbers. In Proceedings of the EUROCRYPT 2021, 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, 17–21 October 2021; Volume 12696, pp. 648–677. [Google Scholar]
- Lai, J.; Deng, R.H.; Ma, C.; Sakurai, K.; Weng, J. CCA-Secure Keyed-Fully Homomorphic Encryption. In Proceedings of the PKC 2016, 19th IACR International Conference on Practice and Theory in Public-Key Cryptography, Taipei, Taiwan, 6–9 March 2016; Volume 9614, pp. 70–98. [Google Scholar] [CrossRef]
- Armknecht, F.; Boyd, C.; Carr, C.; Gjøsteen, K.; Jäschke, A.; Reuter, C.A.; Strand, M. A Guide to Fully Homomorphic Encryption. Cryptol. ePrint Arch.
**2015**. eprint.iacr.org/2015/1192. [Google Scholar] - Biasse, J.F.; Fieker, C. Subexponential class group and unit group computation in large degree number fields. LMS J. Comput. Math.
**2014**, 17, 385–403. [Google Scholar] [CrossRef][Green Version] - Biasse, J.F.; Song, F. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, Arlington, VA, USA, 10–12 January 2016; pp. 893–902. [Google Scholar] [CrossRef][Green Version]
- Cramer, R.; Ducas, L.; Peikert, C.; Regev, O. Recovering Short Generators of Principal Ideals in Cyclotomic Rings. In Proceedings of the EUROCRYPT 2016, 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, 8–12 May 2016; Volume 9666, pp. 559–585. [Google Scholar] [CrossRef][Green Version]
- Albrecht, M.R.; Bai, S.; Ducas, L. A Subfield Lattice Attack on Overstretched NTRU Assumptions, Cryptanalysis of Some FHE and Graded Encoding Schemes. In Proceedings of the CRYPTO 2016, 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Volume 9814, pp. 153–178. [Google Scholar] [CrossRef][Green Version]
- Hovd, M.N. A Successful Subfield Lattice Attack on a Fully Homomorphic Encryption Scheme. In Proceedings of the 11th Norwegian Information Security Conference, Longyearbyen, Norway, 18–20 September 2018. [Google Scholar]
- Stehlé, D.; Steinfeld, R. Making NTRU as Secure as Worst-Case Problems over Ideal Lattices. In Proceedings of the EUROCRYPT 2011, 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, 15–19 May 2011; Volume 6632, pp. 27–47. [Google Scholar] [CrossRef][Green Version]
- Li, Z.; Galbraith, S.D.; Ma, C. Preventing Adaptive Key Recovery Attacks on the Gentry-Sahai-Waters Levelled Homomorphic Encryption Scheme. Cryptol. ePrint Arch.
**2016**. eprint.iacr.org/2016/1146. [Google Scholar] - Gjøsteen, K.; Strand, M. Fully Homomorphic Encryption Must Be Fat or Ugly? Cryptol. ePrint Arch.
**2016**. eprint.iacr.org/2016/105. [Google Scholar] - Nuida, K. Candidate Constructions of Fully Homomorphic Encryption on Finite Simple Groups without Ciphertext Noise. Cryptol. ePrint Arch.
**2014**. eprint.iacr.org/2014/097. [Google Scholar] - Kedlaya, K.S.; Umans, C. Fast Polynomial Factorization and Modular Composition. SIAM J. Comput.
**2011**, 40, 1767–1802. [Google Scholar] [CrossRef] - Bellare, M.; Palacio, A. Towards Plaintext-Aware Public-Key Encryption without Random Oracles. In Proceedings of the ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, 5–9 December 2004; Volume 3329, pp. 48–62. [Google Scholar] [CrossRef][Green Version]
- Boneh, D.; Canetti, R.; Halevi, S.; Katz, J. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput.
**2007**, 36, 1301–1328. [Google Scholar] [CrossRef] - Canetti, R.; Raghuraman, S.; Richelson, S.; Vaikuntanathan, V. Chosen-Ciphertext Secure Fully Homomorphic Encryption. In Proceedings of the PKC 2017, 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, 28–31 March 2017; Volume 10175, pp. 213–240. [Google Scholar] [CrossRef]
- Brakerski, Z.; Cash, D.; Tsabary, R.; Wee, H. Targeted Homomorphic Attribute Based Encryption. Cryptol. ePrint Arch.
**2016**. eprint.iacr.org/2016/691. [Google Scholar] - Wang, B.; Wang, X.; Xue, R. CCA1 secure FHE from PIO, revisited. Cybersecurity
**2018**, 1, 11. [Google Scholar] [CrossRef] - Naor, M.; Yung, M. Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 13–17 May 1990; pp. 427–437. [Google Scholar] [CrossRef]
- Yasuda, S.; Kitagawa, F.; Tanaka, K. Constructions for the IND-CCA1 Secure Fully Homomorphic Encryption. In Mathematical Modelling for Next-Generation Cryptography: CREST Crypto-Math Project; Springer: Singapore, 2018; pp. 331–347. [Google Scholar]
- Gentry, C.; Wichs, D. Separating succinct non-interactive arguments from all falsifiable assumptions. In Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6–8 June 2011; pp. 99–108. [Google Scholar] [CrossRef][Green Version]
- Rivest, R.L.; Shamir, A.; Adleman, L.M. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. Assoc. Comput. Mach.
**1978**, 21, 120–126. [Google Scholar] - ElGamal, T. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Proceedings of the CRYPTO’84, Santa Barbara, CA, USA, 19–22 August 1984; Volume 196, pp. 10–18. [Google Scholar]

**Table 1.**IND-CCA1 attacks and affected schemes. The second column lists schemes mentioned by the attack paper, while the third column lists schemes we found to be affected as well. An asterisk (*) denotes schemes that have been shown to not be IND-CPA-secure. Note that the paper by Loftus et al. presented both an attack and a scheme, where the asterisk denotes that the scheme is not IND-CPA-secure, and the attack breaks the schemes listed in the table. The two final rows are novel attacks.

Attack | Affected Schemes | Extends to |
---|---|---|

Chenal and Tang ((R)LWE) [11] | Bra12 [19], BGV [15], BV11a [16], BV11b [17], GSW [20] | CKKS [21], FV [22], BCIV [23], AN [24], CLPX [25], CIL [26], BV14 [27], BL [28], CCS [29], CM [30], CGGI [31], Jou [32], BP [33], AH [34], PS [35], CS17 [36] |

Loftus et al. * (Ideal Lattice) [37] | Gen [2], GH * [3], SV *[38] | SS * [39], SV14 * [40] |

Zhang et al. (AGCD) [41] and | CMNT [42], vDGHV [43] | CNT [44], CS15 [45] |

Chenal and Tang (AGCD) [11] | CLT [46], CCKLLTY [47], KLYC [48] | |

Dahab et al. (NTRU) [18] | BLLN [49], LATV * [50] | RC * [51] |

Fauzi et al. (other) [52] | LGM [53] | |

Section 5.2 (AGCD) | Per [54], BBL [55] | |

Section 5.3 (other) | DHPSSWZ [56], AFFHP [57] |

**Table 2.**The genealogy of various homomorphic schemes. “Children” are schemes directly based on the “parent” scheme. Schemes in bold are based on ideal lattices; schemes in italics are defined over the integers; the rest are schemes based on (R)LWE. Schemes that are not based directly on a parent scheme (“orphans”) are not listed.

Parent | Child(ren) |
---|---|

BGV [15] | CKKS [21] |

Bra12 [19] | FV [22] |

FV [22] | BCIV [23], AN [24], CLPX [25], CIL [26], AH [34] |

GSW [20] | BV14 [27], BL [28], CM [30], CCS [29], CGGI [31], PS [35], BP [33], Jou [32] |

Gen [2] | SS [39] |

SV [38] | GH [3], LMSV [37], SV14 [40] |

vDGHV [43] | CLT [46], KLYC [48], CNT [44], CCKLLTY [47], CMNT [42] |

**Table 3.**Generic constructions of IND-CCA1 *HE. The first construction has an insecure instantiation, while the other constructions only have a generic instantiation. Hence, none of these generic strategies provide a concrete instantiation.

Generic Construction | Instantiation | Notes |
---|---|---|

*HE + PA-1 [37,71] | GH variant of SV + lattice knowledge assumption [37] | SV now insecure; PA-1 uses non-falsifiable assumption |

Multi-key IBHE [72,73] | Multi-key *HE + IBE [74] | Only compact w.r.t. circuit complexity |

SubExp LWE + random oracle [30] | Only compact w.r.t. circuit complexity | |

SubExp iO + SubExp DDH [73,75] | SubExp iO is a very strong assumption | |

FHE + zk-SNARK [73,76] | FHE without bootstrapping + knowledge assumptions [73] | FHE without bootstrapping currently only known using SubExp iO |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Fauzi, P.; Hovd, M.N.; Raddum, H. On the IND-CCA1 Security of FHE Schemes. *Cryptography* **2022**, *6*, 13.
https://doi.org/10.3390/cryptography6010013

**AMA Style**

Fauzi P, Hovd MN, Raddum H. On the IND-CCA1 Security of FHE Schemes. *Cryptography*. 2022; 6(1):13.
https://doi.org/10.3390/cryptography6010013

**Chicago/Turabian Style**

Fauzi, Prastudy, Martha Norberg Hovd, and Håvard Raddum. 2022. "On the IND-CCA1 Security of FHE Schemes" *Cryptography* 6, no. 1: 13.
https://doi.org/10.3390/cryptography6010013