On the IND-CCA1 Security of FHE Schemes

: Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it ﬁrst. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we grouped the SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1-secure FHE and SHE schemes. We concluded that none of the proposed schemes were IND-CCA1-secure and that the known general constructions all had their shortcomings.


Introduction
Fully homomorphic encryption (FHE) allows meaningful computation to be performed on encrypted material without decrypting it. Slightly more formally: for any circuit C, we require that Dec(C(c)) = C(Dec(c)) for any ciphertext c. The notion was initially suggested in the late 1970s by Rivest et al. [1], and Gentry proposed the first successful FHE scheme in 2009 [2].
Ever since Gentry's breakthrough, there has been much development in FHE, especially with regard to practicality. Although Gentry's initial scheme was later implemented [3], it was little more than a proof-of-concept and far from being practical. Today, the situation is very different, with several FHE libraries and examples of practical applications to real-world problems. For instance, recent field trials in the financial sector [4] included applying homomorphic encryption in a machine learning pipeline, making it possible to outsource work and analyses previously limited to in-house treatment. Furthermore, an international ISO/IEC standard is due by 2024 [5], and NIST is tracking the progress of FHE as a privacy-enhancing technology [6].
As FHE moves further into the realm of practicality and real-world application, it is crucial to study the security of these schemes in detail. The security notion most FHE schemes have aimed for, and several provably achieved based on hardness assumptions, is indistinguishability under chosen plaintext attacks (IND-CPA). The security notion captures whether an adversary with access to the public key is able to distinguish between encryptions of messages, i.e., whether a ciphertext leaks information about its content.
However, IND-CPA offers no security guarantees if an adversary can obtain decryptions of ciphertexts. Such a scenario is hardly far-fetched, e.g., if a malicious cloud does not return the ciphertext arising from an honest computation, but rather an adulterine ciphertext, the cloud may observe if the client rejects the ciphertext as invalid by requesting a recomputation. Zhang et al. showed how such an attack may be used to construct a probabilistic decryption oracle [7]. Chillotti et al. [8] demonstrated that the very setup of FHE schemes makes them susceptible to reaction and safe error attacks.
Similarly, a padding oracle attack [9,10] enables one to decrypt arbitrary ciphertexts by making use of a server that only tells whether or not the padding of an encrypted message is valid. Furthermore, it is difficult to rule out any adversarial access to decrypted material in the settings with rich data flows where FHE is being, or suggested to be, used, for example in scenarios with multiple collaborating parties exchanging data or in combination with machine learning [11,12]. Finally, Cheon et al. [13] pointed out that some applications demand that decrypted values be shared with each involved party, not just those in possession of the secret key, and gave multi-party computation and differential privacy as examples of such applications. In short, IND-CPA is not sufficient to guarantee security in some of the scenarios where FHE is being used.
Beyond IND-CPA, there are additional levels of indistinguishability: IND-CCA1, where the adversary obtains a decryption oracle for a limited amount of time, and IND-CCA2, where the adversary obtains a decryption oracle that can be used at any time. It is well known that if an encryption scheme has any homomorphic property, it cannot achieve IND-CCA2 security. Finding a fully homomorphic encryption scheme that achieves IND-CCA1 security is still an open problem (in contrast, group homomorphic schemes can be IND-CCA1-secure, e.g., CS-lite [14]). Some generic constructions of FHE schemes achieving IND-CCA1 security have been suggested, but none of them have been instantiated. Furthermore, although these constructions provably achieve IND-CCA1 security, they do suffer from various shortcomings, as will be discussed in Section 6.
All acknowledged FHE schemes are constructed in the same way. The starting point is a somewhat or levelled homomorphic encryption (SHE or LHE) scheme, with noise-based encryption, able to perform a limited number of homomorphic operations on ciphertexts before correct decryption is not guaranteed. The "base scheme" is then expanded into an FHE scheme by homomorphically evaluating the decryption circuit on a ciphertext, which reduces the amount of noise in the ciphertext. This procedure is called bootstrapping and requires publishing some encrypted secret key material.
It is worth stressing that bootstrapping excludes IND-CCA1 security. After all, if an adversary may decrypt any ciphertext she/he chooses, she/he can simply choose to decrypt the published secret key material, which then allows her/him to decrypt other ciphertexts. Furthermore, several LHE and SHE schemes rely on publishing encrypted versions of various secret keys for other purposes than bootstrapping, such as key switching (e.g., BGV [15]) or relinearisation (e.g., BV11a and BV11b [16,17]), which makes homomorphic evaluations composable. Note that publishing such encryptions also prevents IND-CCA1 security. Hence, it seems that the best we can hope for is an IND-CCA1-secure SHE or LHE scheme that does not rely on key switching, relinearisation, or any other operation that requires publishing encryptions of secret keys. It is therefore precisely these types of schemes we evaluated with respect to IND-CCA1 security in this overview paper. We stress that there is no result stating that homomorphic encryption schemes cannot achieve IND-CCA1 security. However, the presently known methods of constructing these schemes prevent such a level of security from being obtained or introduce some shortcoming.
Almost no published SHE or LHE schemes aim at achieving IND-CCA1 security, but settle for IND-CPA. Furthermore, the schemes that have attempted to achieve IND-CCA1 security have, as we shall see, since been proven insecure. Several SHE and LHE schemes have been shown to be susceptible to adaptive key recovery attacks: an adversary is able to recover the secret key if she/he has access to a decryption oracle. However, since security against adversaries able to decrypt has not been strived for, vulnerable schemes have been developed and improved further in different ways, but not necessarily with any effort to make them IND-CCA1-secure or resilient against adaptive key recovery attacks. Dahab, Galbraith, and Morais [18] made this point as well: "There are adaptive key recovery attacks on many schemes and these schemes were adapted and optimised later; thus such constructions should be assessed in order to verify whether the attacks are still feasible".
It is worth emphasizing that these adaptive key recovery attacks are not just a theoretical threat: as previously mentioned, it is possible to construct a (probabilistic) decryption oracle using reaction attacks [7], and there are use cases where decrypted material being made available to adversaries is either probable or inevitable. The fact that it is possible to mount attacks that recover the secret key also on LHE and SHE schemes, i.e., schemes that do not employ bootstrapping, makes assessing the security of these schemes especially pressing. These schemes are a natural alternative to bootstrapped FHE schemes if the users wish to avoid the risk of key recovery through the published bootstrapping key, and it is therefore important to assess whether there is still a risk of the secret key being recovered also for LHE and SHE schemes.

Our Contributions
In this overview paper, we provide precisely the assessment requested by Dahab et al.: we review all acknowledged SHE and LHE schemes with respect to adaptive key recovery attacks and show that all schemes are susceptible to such an attack, and we provide an overview stating which schemes are broken by which attack. We determined if the schemes were vulnerable to a previously published attack and provide novel attacks for those not susceptible to already known attacks. Seeing as schemes strongly inspired by earlier schemes are likely to be susceptible to the same attack, we also provide a table of scheme genealogy: an overview of which schemes have been directly based on which. Additionally, we provide an overview of which schemes are no longer deemed IND-CPA-secure. A summary of our findings with regard to security is listed in Table 1. We also discuss the prospect of noiseless schemes and the existing generic constructions for IND-CCA1-secure homomorphic encryption schemes. However, we do not discuss implemented variants of schemes, e.g., if an implementation improves the bootstrapping procedure of a presented scheme, as it does not affect the achieved security of the basis scheme. Table 1. IND-CCA1 attacks and affected schemes. The second column lists schemes mentioned by the attack paper, while the third column lists schemes we found to be affected as well. An asterisk (*) denotes schemes that have been shown to not be IND-CPA-secure. Note that the paper by Loftus et al. presented both an attack and a scheme, where the asterisk denotes that the scheme is not IND-CPA-secure, and the attack breaks the schemes listed in the table. The two final rows are novel attacks.
We grouped schemes into five broad categories primarily based on the underlying hardness problem: (R)LWE, ideal lattices, AGCD, NTRU, and "other". Note that the schemes in the category "ideal lattices" are based on several hardness assumptions, which is why we prefer referring to this category by the structure on which the schemes are based. Furthermore, all the schemes based on AGCD are defined over the integers, and we also refer to these schemes as "integer-based schemes". The motivation for this categorisation is that it essentially corresponds to groups of schemes susceptible to the same attack. For example, a large majority of the schemes based on AGCD is broken by an attack by Chenal and Tang [11]. The schemes in the fifth "other" category are schemes that are not based on either of the already mentioned hardness assumptions. For each category, we sketch the existing attacks and show that these attacks can be extended to several other SHE schemes in the same category by relatively easy modifications. As mentioned previously, we also provide novel attacks for the schemes not affected by any of the already known attacks or their extensions.

Related Work
The security notions mentioned so far all assume the decryption procedure returns an exact message: if m has been encrypted, an unaltered ciphertext will decrypt to exactly m. However, this is not the case for all homomorphic encryption schemes, most notably CKKS [21], where decryption returns an approximation of the message. This discrepancy was noted by Li and Micciancio [58], who also proposed a novel security notion for approximate encryption schemes, termed IND-CPA D , which reduces to IND-CPA for exact schemes, and showed that CKKS is not IND-CPA D -secure. They also presented a key recovery attack that does not rely on a decryption oracle, demonstrating the practical implication of the discovered insecurity. Cheon et al. published a report addressing the insecurity, discussed which applications the attack is applicable to, and introduced extensions to libraries to prevent the key recovery attack [13].
Loftus et al. [37] discussed attacks on homomorphic encryption schemes in the verification setting, IND-CVA, where the adversary has access to a verification oracle, rather than a decryption oracle, which determines if the decryption algorithm will output ⊥ when given a specific ciphertext c. Loftus et al. demonstrated that an IND-CCA1-secure scheme may be IND-CVA2-insecure, if the adversary has access to the verification oracle after she/he has received the challenge ciphertext [37]. The vast majority of homomorphic encryption schemes consider all elements in the ciphertext domain as valid inputs to the decryption procedure, though. In these settings, the verification oracle is of no help to the adversary, as all ciphertexts are valid.
However, Chillotti et al. [8] and Zhang et al. [7] argued that the notion of a verification oracle should be extended from whether a ciphertext decrypts, to whether a ciphertext decrypts to something meaningful. They presented the following scenario: A malicious cloud returns a "dishonest" ciphertext to a client who has asked for a computation. If this ciphertext does not decrypt to something the client deems meaningful or valid, the client will ask the cloud for a recomputation, thus leaking that the decryption was not meaningful, and similarly leaking that a decryption was meaningful if no action is taken. Either result leaks information about the decrypted result. Chillotti et al. and Zhang et al. showed that the very structure of homomorphic encryption makes the schemes susceptible to these fault injection, safe-error, and reaction attacks and that the attacks are a viable threat to real-world applications.
Finally, keyed homomorphic encryption is a primitive, suggested by Lai et al. [59], closely related to homomorphic encryption. Here, any homomorphic evaluation of a ciphertext requires access to a particular evaluation key, which does not enable decryption. Lai et al. suggested an instantiation of such a scheme and proved that encrypted messages are indistinguishable even if an adversary has access to a decryption oracle.

Notation
We use two distinct modular reductions: p = r mod q denotes centrally reducing p modulo q to r ∈ (−q/2, q/2], whilst p = r mod q denotes the modular reduction to r ∈ [0, q − 1]. In both cases, we may also write p ≡ r mod q or p ≡ r mod q if we wish to stress that p is equivalent to r modulo q: p = r + nq. This convention generalises to vectors and polynomials.
Vectors are denoted by bold lower case letters, whilst matrices are denoted by bold upper case letters. Normal letters are used to denote both integers and polynomials. We aimed to strike a balance between having a consistent notation throughout the paper and also not diverging too much from the original articles. For example, parameters are denoted by Greek letters for schemes defined over the integers, but not for the other schemes.
Several schemes use the gadget vector or matrix with respect to a base b and a parameter l: the gadget vector g is defined as the column vector (1, b, . . . , b l−1 ) T , and the gadget matrix is defined as G = I n ⊗ g ∈ Z nl×n (i.e., G is a matrix with g on the "diagonal"). For an integer a < b l , we define the function g −1 (a) : Z → Z l so that g −1 (a) is the row vector with the (signed) base b decomposition of a, i.e., g −1 (−a) = −g −1 (a) for a positive integer a, and g −1 (a) · g = a. This notion extends naturally to vectors, so for an n-length vector a, we define the function G −1 (a) = [g −1 (a 1 ), g −1 (a 2 ), . . . , g −1 (a n )] ∈ Z nl . The function extends similarly to matrices: for a matrix A ∈ Z n×n , G −1 (A) ∈ Z n×nl simply applies G −1 to each row of A. Moreover, G −1 (A) · G = A [54].
We always denote schemes by the initials of the authors or the first three letters of the surname if there is a single author. This is mostly in line with the naming convention of the field, but we stress that we do this also for schemes with other proposed names, e.g., TFHE (CGGI [31]) and YASHE (BLLN [49]).

Notions
There are different flavours of homomorphic encryption, and we briefly present them here. As previously mentioned, all suggested schemes use the same approach of adding noise to a message to encrypt it, which builds up as the ciphertext is evaluated. If the noise grows too much, decryption is not guaranteed to be correct. For a more thorough discussion, see Appendix A: • Somewhat homomorphic encryption (SHE) refers to schemes able to perform a limited number of homomorphic additions and/or multiplications before an evaluated ciphertext is not guaranteed to decrypt correctly. Although the number of operations may be estimated, it cannot be set explicitly; • Levelled homomorphic encryption (LHE) schemes are similar to SHE schemes in that they allow for a limited amount of operations to be performed on a ciphertext. Here, though, the amount can be set explicitly and is included as a parameter, the "levels" L, in the key generation; • Fully homomorphic encryption (FHE) allows for an unlimited number of homomorphic operations to be performed on a ciphertext. The only known way of achieving an FHE scheme is to bootstrap an SHE or LHE scheme.
It is required that all these types of schemes achieve compactness (not all definitions insist SHE schemes achieve compactness [60]): there exists a polynomial p such that the size of any evaluated ciphertext is less than p(λ), where λ is the security parameter of the scheme in question. In other words, the growth of an evaluated ciphertext should be independent of both the size of the circuit and, in the case of LHE, the level parameter L [60].
We refer to all three types of schemes collectively as *HE schemes to emphasise that the schemes are homomorphic both with respect to addition and multiplication. We also refer to them as "homomorphic encryption schemes", which must not be confused with group homomorphic schemes.
We recall the notion of indistinguishability under (non-adaptive) chosen ciphertext attack (IND-CCA1) for an encryption scheme E = (KeyGen, Enc, Dec): any PPT adversary A has at most a 1/2 + chance of winning the following game against a challenger C, where is negligible in the security parameter λ: • C draws a key pair (pk, sk) ← KeyGen(params) and sends pk to A; • A makes polynomially many ciphertext queries to her decryption oracle O Dec , which returns Dec(c) for any ciphertext c that A has sent it; • A sends two plaintexts of equal length (m 0 , m 1 ) to C; • C returns c ← Enc(pk, m b ) to A, for a randomly chosen bit b ∈ {0, 1}; • A outputs the bit b * and wins if b * = b.
Here, params denotes the security parameter λ of the scheme and possibly other parameters output by a SetUp(λ) algorithm. The notion of IND-CPA security is defined in a similar way, but here, A does not have access to a decryption oracle.
Finally, we note that all the attacks discussed in this paper are adaptive key recovery attacks, where an adversary with access to a decryption oracle is able to recover the secret key. These attacks are strictly stronger than a regular IND-CCA1 attack, as it allows an adversary to decrypt any ciphertext of her/his choosing, not just distinguishing between the encryptions of two chosen messages.

Schemes
Most schemes are grouped according to which known attack they are susceptible to, which largely corresponds to which problem they are based on, and we let the titles of the subsections reflect this. There are a handful of schemes that do not fit into either of these groups, i.e., not broken by a known attack nor based on the same problem as previously broken schemes, which are presented separately in Section 3.5. Finally, we briefly discuss noise-free *HE. Unless explicitly stated, none of the schemes or constructions discussed are fully homomorphic.
All the attacks presented in Sections 4 and 5 only use decryption results of ciphertexts to reconstruct the secret key. We therefore focused on key generation, encryption, and decryption when presenting the schemes. In particular, we do not discuss the addition or multiplication algorithms of the schemes.
As previously mentioned, several schemes are based on earlier work, sometimes more or less copying a "base" scheme. We refer to such a base scheme as a "parent" and a scheme that has been based on it (and greatly resembles it) as its "child"; see Table 2 for an overview of this genealogy. Seeing as there are so many schemes with great similarities, we do not present all suggested *HE schemes, but rather the parent schemes, from which others are easily derived, and present a generalisation of all proposed schemes in the (R)LWE case. We also present "orphan" schemes: those that are not directly based on earlier work. Table 2. The genealogy of various homomorphic schemes. "Children" are schemes directly based on the "parent" scheme. Schemes in bold are based on ideal lattices; schemes in italics are defined over the integers; the rest are schemes based on (R)LWE. Schemes that are not based directly on a parent scheme ("orphans") are not listed.

(R)LWE
There are several (R)LWE-based *HE schemes, most of which are children of BGV [15], Bra12 [19], or GSW [20]. These schemes have a common structure: • The private key is a vector s ∈ R n for some polynomial ring R (in the case of RLWE) or for R = Z q (in the case of LWE). For RLWE, n = 1. The private key is drawn from either a bounded Gaussian distribution or a uniform distribution over polynomials with binary or ternary coefficients; • The public key generation first computes an (R)LWE sample a = As + e, where A ∈ R N×n is a randomly sampled matrix and e ∈ R N is sampled from a noise distribution χ. Then, the public key PK ∈ R N×(n+1) is constructed using A and a such that PK · (−s 1) = e; • Encryption of a message m ∈ M first encodes it as m ∈ R n+1 (e.g., m = (0, . . . , 0, m)), samples some randomness r ∈ R N , and outputs c = r · PK + m ∈ R n+1 . In some variants, m and r are matrices instead of vectors; • Decryption parses the ciphertext as c = (a, b) where a ∈ R n and b ∈ R, then computes

Ideal Lattices
The most important schemes in this category are Gentry's original scheme Gen [2] and its most notable children GH [3] and SV [38]. Gentry presented his original scheme in rather general terms, whereas later schemes are specialisations of it. As a consequence, the "general" scheme Gen is based on the bounded distance decoding problem (BDDP) and the sparse subset sum problem (SSSP), but the "specialisation schemes" GH, SV, and their children are based on a different, but related problem, namely the short principal ideal problem (SPIP). This computational assumption has since been proven insecure [61][62][63], meaning in particular that SV and its children (see Table 2) are not IND-CPA-secure.
For this reason, we chose not to present any particular scheme in this subsection, nor any attack later in the article. Instead, we mention that both GH and SV were proven to be susceptible to an adaptive key recovery attack, which also extends to Gen [18,37]. The LMSV scheme was suggested in the same paper as the attack [37], which was considered the only IND-CCA1-secure SHE scheme for many years. The starting point for the LMSV construction was the SV scheme, though, and it is therefore now known to not be IND-CPA-secure. We discuss the LMSV scheme and the construction it relied on in Section 6.1.

vDGHV
The original homomorphic scheme defined over the integers was presented by van Dijk et al. [43], and we refer to it as vDGHV.
The bit-length η of the secret key is chosen according to the security parameter λ, as is the noise distribution χ. The symmetric encryption scheme is: KeyGen: Choose an odd integer p from the interval [2 η−1 , 2 η ). Output sk = p; Enc(p, m ∈ {0, 1}): Draw q, r ← χ such that 2r < p/2, and output c = pq + 2r + m; The IND-CPA security of vDGHV is based on the difficulty of the approximate greatest common divisor (AGCD) problem: given a collection of ciphertexts, it should not be possible for an adversary to deduce p, the approximate greatest common divisor of the ciphertexts.

BBL
Another scheme based on the AGCD problem is BBL [55], which differs significantly from the vDGHV scheme. The BBL paper presented two schemes: a basic and a batched construction. Since the decryption of the batched construction is a generalisation of the basic one, we present the basic scheme here.
The scheme has public parameters (γ, ρ, η, τ), all dependent on the security parameter λ. The parameter γ is the bit-length of a component of the public key, and alongside ρ and the secret key p, it defines the noise distribution χ γ,ρ used during key generation. For the parameters γ, ρ, p, the noise distribution is defined as follows: draw integers q ← Z ∩ [0, 2 γ ), r ← Z ∩ (−2 ρ , 2 ρ ), and output pq + r. Additionally, τ defines the number of components in the public key, and finally, η defines the bit-length of the secret key p. Recall that g T is the γ-length gadget row vector, and g −1 : Z → {0, 1} γ produces a column vector: KeyGen: Sample an η-bit integer p, and sample an integer

Per
The schemes defined over the integers presented so far only encrypt single bits, although BBL may be batched. To remedy this, Pereira proposed a scheme that operates natively on vectors and matrices [54]. Furthermore, the size of the message space is a separate parameter that can be made as large as required.
The parameters of the scheme are similar to those of vDGHV and BBL: η is the bitlength of the secret prime p, and γ is the bit-length of the integer x 0 used for modular reductions of ciphertexts. There is also the noise distribution χ and noise parameter ρ. In addition, the scheme relies on the dimension n of vectors and matrices being encrypted and the bound B on message size: for any integer m being encrypted, we have |m| ≤ B, which naturally extends to vectors and matrices. Finally, we also have the parameter b, which is the base for the gadget matrix/vector, and the gadget decomposition function G −1 . We note that the scheme is designed so that the matrix and vector encryption and decryption use the same secret key material and that the scheme only allows for matrix-matrix and vector-matrix multiplications: KeyGen(λ, B, n, η, ρ, ρ 0 , γ): Draw an η-bit prime p, then sample x 0 from χ ρ 0 ,p such that the bit-length of x 0 is γ and EncMat(sk, M): Construct the matrix X = pQ + R by sampling each matrix element from χ <x 0 , which only outputting elements smaller than x 0 . Compute C = (X + GKM)K −1 mod x 0 , and output C; DecMat(sk, C): Compute C = G −1 (αK −1 )CK mod x 0 , then C * = C mod p, and finally, output C * /α ; EncVec(sk, m): Construct an n-length vector x = pq + r, again by sampling every vector element from χ <x 0 . Compute and output c = (x + αm)K −1 ; DecVec(sk, c): Compute c = cK mod x 0 , then c * = c mod p. Return c * /α .
The indistinguishability of ciphertexts is based on AGCD, as the hardness of AGCD ensures that the distribution from which X and x are drawn is indistinguishable from the uniform distribution over Z x 0 (Lemma 3 of [54]). Using this indistinguishability, security is proven by a hybrid argument.

NTRU
There are three schemes that closely resemble NTRU: LATV [50], RC [51], and BLLN [49]. Despite great similarities, they are based on different problems: BLLN is based on RLWE, whilst LATV and RC are based on the decisional small polynomial ratio (DSPR) problem (defined in [50]), which may be regarded as the standard NTRU problem restricted to a specific set of parameters.
Albrecht et al. [64] found an attack on LATV that recovered the secret key using only the public material, and the same attack was later shown to apply to the RC scheme [65]. The attack takes advantage of precisely the specific parameters of the DSPR problem, implying that neither LATV nor RC are IND-CPA-secure, and we therefore do not discuss these schemes further.
Despite the similarities between the schemes, BLLN is not affected by the Albrecht et al. attack, and we present the scheme below. BLLN is based on the version of NTRU proven by Stehlé and Steinfeld to be as secure as RLWE [66]. The size of the parameters chosen for BLLN ensures that the proof of the security of Stehlé and Steinfeld extends to BLLN as well. This is not the case for LATV or RC, which is why these schemes reduce to the DSPR.

BLLN
The BLLN scheme is defined over the ring Despite this general definition, we present the case where the ciphertext ring is R = Z[x]/(x n + 1) for n a power of two, as this is the parameter the authors mentioned specifically.
The plaintext space is defined as R p = R/pR and the ciphertext space as R q = R/qR, for integers p q, where we also require that gcd(p, q) = 1. In addition, BLLN uses a bounded noise distribution χ k defined over R q for key generation and a separate noise distribution, χ e , for encryption. Both of these noise distributions are typically some truncated discrete Gaussian, with bounds B k and B e , respectively: ParamsGen(λ): Given λ, fix n to determine the ring Z[x]/(x n + 1). The security parameter also determines the moduli q and p, as well as the noise distributions χ k and χ e ; Enc(pk, m ∈ [−p/2, p/2)): Draw r, e ← χ e , and compute c = q/p m + r + he mod q as an element of R; Dec(sk, c): Compute and output m = p q ( f c mod q) mod p ∈ R.
3.5. Miscellaneous Schemes 3.5.1. AFFHP Albrecht et al. [57] proposed AFFHP, a scheme whose security relies on the hardness of computing Gröbner bases for ideals of multivariate polynomial rings and the ideal membership (IM) problem. The scheme works over the polynomial ring F q [x 0 , . . . , x n−1 ] for a prime q.
The IM problem states that for a general ideal I ⊂ F q [x 0 , . . . , x n−1 ], it is hard to determine if a random polynomial from F q [x 0 , . . . , x n−1 ] lies in I or not. AFFHP is designed with respect to general Gröbner bases for ideals in F q [x 0 , . . . , x n−1 ]. However, homomorphic multiplication only works when a particular parameter d is equal to one, resulting in the reduced Gröbner basis always having the form G = {x 0 − a 0 , x 1 − a 1 , . . . , x n−1 − a n−1 } for a i ∈ F q . Since we were only concerned with schemes that are *HE, we only considered this case. Note that for any f ∈ F q [x 0 , . . . , x n−1 ], we will always have f mod G ∈ F q for Gröbner bases of the mentioned form.
The secret key of the scheme is G, and the message space is {0, 1}. A distribution of "small" polynomials e is used for noise. Encryption and decryption of the symmetric key variant of AFFHP then work as follows: Dec(C): Compute and return (C mod G) mod 2.

DHPSSWZ
The SHE scheme DHPSSWZ was proposed by Doröz et al. [56], where the security is based on the finite-field isomorphism (FFI) problem. Informally, the FFI problem states that for a prime q, elements chosen from a particular distribution in one representation of the field F q n are distributed uniformly at random when mapped to a different representation of F q n .
Let f and F be two monic irreducible polynomials of degree n over F q . The message space of the scheme is elements m( To stunt the growth of the noise when performing operations on the ciphertexts, f has to be sparse and have small coefficients, typically from {−1, 0, 1}. The ciphertext space is Y = F q [y]/(F(y)). The private key consists of f , as well as explicit isomorphisms between X and Y. More specifically, φ(y) is the particular element of Y, written as a polynomial in y of degree at most n − 1, which is the root of f denoted by x in X. Likewise, ψ(x) is the specific element of X isomorphic to the root of F labelled y in Y. Both φ(y) and ψ(x) are therefore understood as fixed, known polynomials in the description of the encryption and decryption. The encryption and decryption of the symmetric key variant of the scheme are performed as follows: Enc(m(x)): Draw r(x) from a distribution giving small polynomials. Output C(y) = 2r(φ(y)) + m(φ(y)) mod F(y); Dec(C(y)): Replace y by ψ(x) in the polynomial C, and output (C(ψ(x)) mod f (x)) mod 2.

LGM
As we will see in Section 4.1, schemes based on LWE (e.g., GSW) can leak one bit of the secret key from a small number of decryption queries. Essentially, they have public keys of the form (A, As + e) with secret key s, and key recovery attacks either compute s or compute the noise e and use Gaussian elimination to derive s. Li, Galbraith, and Ma (LGM) [67] proposed a technique to circumvent such attacks. Firstly, they started with a dual version of GSW, where the public key is of the form (A, As), and the secret key s has a small norm; security then depends on the hardness of the inhomogeneous short integer solution (ISIS) problem. Secondly, instead of having one secret key vector s, they had t of them; decryption works by using a different random linear combination of the secret keys s = ∑ t i=1 λ i s i for each decryption query. Hence, a decryption query leaks, at best, one bit of s : an unknown linear combination of secret key vectors that with high probability will not be reused in other decryption queries. Li et al. argued that this would prevent adaptive key recovery attacks, however, such an attack was later found by Fauzi et al. [52].
The attack does not extend to any other scheme, as the LGM is the only scheme that employs the strategy of using "ephemeral" secret keys to thwart adaptive key recovery attacks. We present the LGM scheme and provide the intuition of the attack in Section 4.4 for completeness and refer to Fauzi et al. [52] for further details. Note that, here, κ is the security parameter, whilst λ is a sampled variable: Setup(1 κ , 1 L ): Let n = n(κ, L) and m = m(κ, L), and choose a modulus q and bounded noise distribution χ = χ(κ, L) on Z such that at least 2 κ security against known attacks is achieved. Choose the number of secret keys t = O(log n). Let l = log q + Dec(s, C): Sample (λ 1 , . . . , λ t ) ∈ Z t q \ {0} t until the generated s = ∑ t i=1 λ i s i has a sufficiently small norm. Let i ∈ [1, t], j, I = (i − 1)l + j be integers such that λ i = 0, 2 j−1 ∈ (q/4, q/2] and I ∈ [1, tl]. Compute u = C I , s mod q, where C I is the Ith column of the ciphertext matrix C. Finally, output | u/2 j−1 | ∈ {0, 1}.

Noise-Free Attempts
All known *HE schemes have a non-constant ciphertext expansion. Gjøsteen and Strand [68] went further and conjectured that the security of a *HE scheme either depends on a massive ciphertext expansion or a weak or strange algebraic structure, limiting the applicability of the scheme. To support their conjecture, they showed that no noise-free and secure schemes can exist in vector spaces or fields; however, there were no final conclusions in the case of rings.
Nuida [69] proposed a generic construction of noise-free FHE based on surjective group homomorphisms π : C → M. The generic construction is secure if elements in the kernel of π are indistinguishable from elements in the ciphertext space C, which is a variant of the subgroup hiding assumption. Nuida provided a candidate construction using combinatorial group theory; however, it is non-compact (i.e., the ciphertext size can be unbounded) and does not have an explicit proof of IND-CPA security. Since other existing candidate constructions have similar issues, we disregarded noise-free *HE constructions in our work.

(R)LWE Attacks
Chenal and Tang [11] presented attacks on several schemes based on (R)LWE, for example BGV [15] and GSW [20]; see Table 1 for a full overview. The attacks recover the secret key bit by bit, and coefficient by coefficient (wherever this applies), by using the result of the decryption queries to perform a binary search on secret values.
Recall from Section 3.1 that schemes based on LWE have ciphertexts of the form c = (a, b) where a ∈ R n and b ∈ R, for the ring R = Z q . The private key is a vector s ∈ R n , and decryption is computed as m = ρ( a, s − b), where ρ is some rounding function that maps elements from R into the plaintext space. In fact, any scheme with this type of decryption function is vulnerable to the following adaptive key recovery attack.
In the LWE case, the adversary asks for decryptions of c = (e i , b), where e i ∈ R n is the unit vector with one at position i and zero everywhere else, which leaks information on s i . Performing a binary search with different values for b allows the adversary to find a b 0 such that: for an arbitrarily "small" value of . Note that is an element in a general ring R, but for the homomorphic properties to work with the correct decryption, the elements of R need to have the notions of size and distance. Knowing exactly where the border b 0 is, where ρ(s i − b 0 ) is rounded to either m 0 or m 1 , allows the adversary to determine s i to any degree of accuracy. Repeating for all positions 1 ≤ i ≤ n gives an adaptive key recovery attack on these schemes.
In the RLWE case, the general attack is equally simple. allows one to perform a binary search on the coefficients of s(x) in the same way as in the LWE case.

AGCD Attacks
There are two attacks on homomorphic encryption schemes defined over the integers. The attack by Zhang et al. [41] recovers the secret key of the vDGHV scheme, an attack the authors themselves pointed out is directly transferable to CMNT [42]. Chenal and Tang later gave a more efficient key recovery attack against vDGHV [11]. The two attacks differ in strategy, and we therefore present both approaches. We remind the reader that a ciphertext in vDGHV is of the form c = m + 2r + qp, where the odd integer p ∈ [2 η−1 , 2 η − 1] is the secret key. Decryption first reduces the ciphertext modulo the secret key p, then modulo two.
Zhang et al. constructed several encryptions of zero, which they then altered so that all the different ciphertexts had a fixed noise. Given a ciphertext c encrypting zero, this construction is achieved by performing a binary search for an added noise term ρ such that Dec(c + ρ) = 0, but Dec(c + ρ + 1) = 1, and defining the new ciphertext c i = c + ρ + 1. Given the constructed ciphertexts c 0 , c 1 , . . . , c k , they computed gcd(c 0 − c 1 , c 1 − c 2 , . . . , c k−1 − c k ), which will be p with overwhelming probability. The attack requires O(λ 2 ) operations, where λ is the security parameter of the scheme.
Whereas Zhang et al. attacked the scheme by essentially constructing ciphertexts such that the underlying problem was easy, Chenal and Tang proposed a more direct search for the secret key. Initially, an adversary has both a lower and upper bound for p, namely l p = 2 η−1 + 1 and u p = 2 η − 1, respectively. She/he then takes advantage of the following: if she/he queries the decryption oracle with an even number c ∈ (l p , u p ), it will return zero if c < p and one if c > p, as Dec(c) = (c mod p) mod 2 and c < 2p. Therefore, if she/he finds the even integer c such that Dec(c) = 0 and Dec(c + 2) = 1, she/he knows that p = c + 1. The attack requires roughly η oracle queries, which is more efficient than the Zhang et al. attack.

NTRU Attack
An adaptive key recovery attack against the NTRU-based scheme BLLN was presented by Dahab, Galbraith, and Morais [18]; we give the main idea of the attack and its complexity and refer to the original article for further details. The attack is not applied to other schemes later, and we state it for completeness.
The attack itself is fairly simple. It takes advantage of the fact that the decryption of BLLN involves multiplying the ciphertext with the secret key and then performing two modular reductions: first modulo q, then p. The idea is to query the decryption oracle with rounded fractions divisible by p. The fractions are also designed so that as long as the denominator is large compared to the secret key f , the fraction is not reduced modulo q, and the decryption algorithm will therefore output zero. However, as the denominator of the queried fraction becomes just smaller than f , the fraction becomes large enough to be reduced modulo q when multiplied with the secret key. This will cause the second modular reduction to result in something nonzero, making it easy to detect when the denominator became smaller than f , and hence calculate the secret key.
For BLLN, the complexity of the attack depends on the parameters of the scheme. If p > 2 and the coefficients of f , g are all in {−1, 0, 1}, it takes a single query to recover the secret key. In the more general case where p ≥ 2 and no restrictions are placed on the polynomials, the complexity is O(n log(B k )), where n is the order of the polynomial defining the ciphertext space and B k is a bound on the largest coefficient of f .

LGM Attack
Recall that the LGM scheme has a secret key vector consisting of t secret keys (s 1 , . . . , s t ), where each key is of the form s i = (e i r i ) for some noise vector e i and that an ephemeral secret key s = ∑ t i=0 λ i s i is generated for each decryption procedure.
Although Li et al. discussed several possible distributions to sample λ i from, their main focus was λ i drawn uniformly from {0, 1}. We therefore present the attack for this scenario and refer to Fauzi et al. [52] for details on the attack for more general λ distributions. The attack recovers a vector e i one component e k,i at a time, and each vector and component is recovered independently of each other. In particular, it is possible to calculate a single vector e i to recover s i and use it for decryption, and we therefore only discuss how to recover e 1 .
Note that we can construct a ciphertext matrix C such that the inner product during decryption always results in α + ∑ t i=0 λ i e i,1 , by ensuring that for each possible index I, the column C I has α in position i and one in position t + 1. By repeated queries of this "diagonal" matrix, one obtains an estimate of 1/2 ∑ t i=0 e i,1 by observing how often the decryption oracle returns zero and one for a specific value of α, as the decryption results in zero if α + ∑ t i=0 λ i e i,1 < 2 j−2 , and one otherwise. Essentially, the attack searches for the value of α where the resulting ciphertext decrypts as often to zero as one, as this indicates that the average value α + ∑ t i=0 e i,1 is very close to 2 j−2 , and the adversary can now estimate ∑ t i=0 e i,1 After this estimation of 1/2 ∑ t i=0 e i,1 is obtained, the decryption oracle is repeatedly queried with ciphertext matrices where every column is identical and has a value a in position i and a one in position t + 1. Decryption of such a matrix will always result in λ i a + λe i,1 + ∑ k =i λ k e k,1 , which will provide an estimate of e i,1 + 1/2 ∑ k =i λ k e k,1 , again by observing how often the decryption oracle returns zero and one for different values of a. Combining these two estimations provides an estimation of e i,1 , and repeating this for the other indices of e 1 allows the adversary to recover the secret key s 1 = (r 1 −e T 1 ) T .

Attacking Other Schemes
We now discuss how to apply known attacks to other schemes, as the susceptibility of an adaptive key recovery attack is inherited from a parent scheme to a child. Because the schemes over ideal lattices and those based on NTRU are, with a few exceptions, not IND-CPA-secure, we limit this discussion to schemes based on (R)LWE and AGCD. We also present novel attacks against schemes that are not affected by the attacks presented in Section 4.

Applying the (R)LWE Attack on Other Schemes
Many schemes based on (R)LWE are built on or slightly adapted from earlier schemes, as is clear from Table 2 in Section 3. For example, the CKKS scheme [21] is the result of a general framework being applied to the BGV scheme. The framework allows for the recovery of the message by computing the MSB of a ciphertext, modulo some modulus. Because the structure of the BGV scheme is intact, the key recovery attack on BGV described in [11] is directly applicable to CKKS. The Chenal and Tang (R)LWE attack also works on all children of GSW mentioned in Table 2. For most of these, the structure and decryption functions are almost identical; hence, the attack trivially extends. A special case is CGGI [31], where the plaintext space is a subset of a torus (the torus is defined as the set of real numbers modulo one, which can be identified with the half-open interval [0, 1) on the number line), but the decryption function is otherwise very similar to GSW and CKKS: it takes the inner product of a ciphertext with the private key, subtracts an element, and rounds the result to the nearest element in the plaintext space. Hence, the attack in Section 4.1 can still be adapted to CGGI.
Similarly, the attack also works on FV [22] and its children, found in Table 2. First, observe that FV itself is essentially an RLWE variant of the LWE-based Bra12 [19], where in particular, the decryption function is the same formula, but in the ring setting. Moreover, all the children follow FV's structure, including almost identical decryption functions; the differences in specific message spaces and algorithms for homomorphic evaluations do not affect the success rate of the Chenal and Tang attack.
The CS17 [36] scheme is a bit different from other (R)LWE schemes in that it relies on the learning with rounding (LWR) problem, which is closely related to (R)LWE. We verified that the attack procedure from Section 4.1 still applies to the CS17 scheme; the decryption oracle can be made to return the secret key plus a scalable term, rounded into the plaintext space. A binary search on the scalable term allows the adversary to determine each component of the secret key to any degree of accuracy.

Applying the Known Attack on Other Schemes
The adaptive key recovery attack by Chenal and Tang [11] on vDGHV described in Section 4.2 is applicable to all the children of vDGHV listed in Table 2, as well as CS15 [45]. The attack is either directly transferable or requires a trivial generalisation to account for vectors of messages and/or a larger message space than {0, 1}.

BBL
The BBL scheme presented in Section 3.3 is not immediately affected by any of the attacks presented in Section 4.2 We therefore present a novel adaptive key recovery attack against the scheme.
We note that the bit-length η of p is part of the public parameters, so the adversary has both a lower and an upper bound on p: 2 η−1 and 2 η − 1, respectively. She/he therefore also has the lower bound 2 η−2 for p/2, and we emphasise that 2 η−2 is not reduced mod p, for any value of p.
The attack proceeds as follows: The adversary will recover the ith element of g −1 (p/2) by querying the decryption oracle with the ciphertext with 2 η−2 in position i, and zero elsewhere. If the ith component of g −1 (p/2) is one, the decryption oracle returns one, and zero otherwise. The vector g −1 (p/2) is then completely recovered after η − 1 queries, after which the adversary may simply multiply with the corresponding gadget vector g to recover p/2.

Per
As for the BBL scheme, the Per scheme is not broken by any of the attacks presented in Section 4.2, and we therefore provide a novel adaptive key recovery attack against it. Although the Per scheme is defined for ciphertexts in both matrix and vector form, we only used the matrix version of the scheme to recover the secret key sk = (p, K). We explain how to recover the secret integer p first, then how to recover the secret matrix K. Recall that the decryption works as follows: for an input C, compute C = G −1 (αK −1 )CK mod x 0 , then C * = C mod p, and finally, output C * /α . We denote the greatest common divisor of α and x 0 as d, and note that 1 ≤ d ≤ α. Since α ≤ p 2B+1 < p 2 , we also have that d mod p = d. Irrespective of the value of d, we let α −1 denote the integer such that α −1 α ≡ d mod x 0 .
Step 1: Recovering p Our first observation is that, using G −1 (αK −1 )G = αK −1 over Z x 0 (see [54] (Section 3.3)), the decryption of C = α −1 G proceeds as follows: where I n is the n × n identity matrix. Then, C * = (d · I n ) mod p = d · I n and M = d/α I n .
We use the ciphertext α −1 G as a starting point to perform a binary search for a factor t such that td < p/2, but (t + 1)d ≥ p/2. If td ≤ p/2, the decryption of tα −1 G will return approximately td/αI n , which has positive entries when td < p/2. If td ≥ p/2, then the decryption of tα −1 G will return a matrix with negative entries, or zero if the entries have a too small absolute value. It is therefore easy to detect the exact t that produces td < p/2 ≤ (t + 1)d.
For d = 1, p = 2t + 1 is now recovered. For d ≥ 2, note that the inequality td < p/2 ≤ (t + 1)d implies 3td < 3p/2 ≤ 3(t + 1)d and that we can narrow the interval by querying to see if (3t + 1)d < 3p/2 or (3t + 2)d < 3p/2. During decryption of (3t + i)α −1 G (i = 1, 2), we know that one whole multiple of p will be subtracted from (3t + i)d when reducing modulo p. If such a subtraction happens, it is because (3t + i)d ≥ 3p/2, and the decryption result will be negative. If there is no such subtraction, the decryption result will be positive, and we know that (3t + i)d < 3p/2. Hence, we can narrow down the search interval for p by a factor of three, e.g., if it was determined that (3t + 1)d > 3p/2, then 2td < p < 2(3t + 1)d/3. We continue multiplying the inequalities by three and narrowing down the interval for p by a factor of three in each iteration. After log 3 d iterations, i.e., O(η + log 3 (d)) decryption queries, the interval contains a single digit and p is recovered.
Step 2: Recovering K Successfully recovering p already displays a serious weakness of the scheme, but for a full key recovery attack, we also need to recover the secret matrix K. We show how to find K for b = 2 here and sketch an attack procedure for a general b.
We took advantage of the decryption procedure including G −1 (αK −1 ) and, rather, attempted to reconstruct this matrix instead of K directly. Note that the elements of Let E i,j denote the matrix with one in position (i, j), and zero elsewhere. Querying E i,j from the decryption oracle will produce: where b u,v is the (u, v)-th element of G −1 (αK −1 ) and k u,v is the (u, v)-th element of K. We note that 1 ≤ u ≤ nl and 1 ≤ v ≤ n, where l = log b (2 γ ) . We query the decryption oracle for all possible matrices E i,j . If b = 2, G −1 (αK −1 ) is a binary matrix. We then use the decryption results to determine if a particular element b i,j is non-zero by checking whether the vector of the form b i,j k i,1 · · · k i,n /α , obtained from the i-th row of the decryption query on E j,i , is nonzero. If it is, we set b i,j = 1, else we set it to zero. We can thus obtain G −1 (αK −1 ), and hence also αK −1 . It is then easy to reconstruct K.
We now sketch how an attack for a general b can work, but leave out the rigorous procedure. First, we note the sizes of various parameters as recommended by [54]: x 0 ≈ 2 160 , p ≈ 2 80 , 2 60 ≤ α ≤ 2 78 , b ≈ 2 7 , and r ≈ 2 40 , where x 0 = qp + r.
The secret elements k i,j are random in Z x 0 and are multiplied with b i ,j where b i ,j < b. Since r and b are relatively small compared to the other parameters, we found that first reducing b i ,j k i,j modulo x 0 and then reducing the result modulo p are approximately the same as just reducing modulo p directly: With b ≈ 2 7 and r ≈ 2 40 , this difference will be mostly negligible when dividing by α ≥ 2 60 before the output. The result will be the same with a high probability, or just one off if not the same. Hence, we simplified the analysis further by just reducing modulo p.
The adversary gets to see the values (b i ,j k i,j mod p)/α for all choices of i, j, i , j . Looking at C , we see that all elements in one column share the same k i,j . Assume for concreteness that α = 2 70 , and that (b 1,1 k 1,1 mod p)/α is the smallest positive value among the values (b i,1 k 1,1 mod p)/α that the attacker sees, which will be in the range [−511, 512].
We then know that (ab 1,1 k 1,1 mod p)/α ≈ a (b 1,1 k 1,1 mod p)/α for some small values of a, since they will not lead to new reductions modulo p. We can estimate when b i,1 = ab 1,1 by looking at the ratio: Repeating with different k j,1 produces n different estimates of this ratio, which should give approximately the same value for all cases where (b 1,1 k j,1 mod p)/α is smaller than 512/a. We then learn the linear relation b 1,1 = ab 1,i . Repeating for different b i,j -elements allows the adversary to create a linear system between them, which can either be solved or whose solution space is small enough to be exhaustively searched as b is only of size 2 7 .

Attacks on AFFHP and DHPSSWZ
We now present new attacks on AFFHP and DHPSSWZ using a variant of binary search. Consider the value of (ka mod q) mod p for an unknown a and chosen multiple k, where q is prime and q p. We show how to recover a in this scenario. In the following, we identify F q with [0, q − 1], and to ease notation, we let D(ka) ∈ F p denote the oracle that returns (ka mod q) mod p.
First, query D(a). As a < q, this will simply give us the value of a mod p. As long as ka < q, we know that D(ka) = (k mod p)(a mod p), and we can check how long this property holds by asking for D(ka) for k ∈ N. For some k, we reach the point where D(ka) = ka mod p, but D((k + 1)a) = ((k + 1)a mod p) − (q mod p). Note that q mod p = 0 as q is prime. We are therefore able to determine the exact value k = k 0 such that k 0 a < q ≤ (k 0 + 1)a. Since a is uniformly distributed over F q , we expect O(1) queries to determine k 0 .
We now have the following inequalities: Multiplying through by two, we obtain 2k 0 a < 2q ≤ (2k 0 + 2)a. Ask for D((2k 0 + 1)a). Knowing the value of a mod p, we can determine if the reduction of (2k 0 + 1)a modulo q subtracted q or 2q before reducing modulo p. This determines whether 2k 0 a ≤ 2q ≤ (2k 0 + 1)a or (2k 0 + 1)a ≤ 2q ≤ (2k 0 + 2)a. In other words, we can find k 1 such that k 1 a 0 < 2q ≤ (k 1 + 1)a 0 . This gives the following inequalities: We continue this way, multiplying through with two and asking the oracle D((2k 1 + 1)a) to determine the value k 2 such that k 2 a < 4q ≤ (k 2 + 1)a, etc. After t iterations, we have the following inequalities: We now show that the interval where a can be found shrinks exponentially fast with increasing t, and only O(log q) queries are needed to determine a exactly.
First note that k 0 ≥ 1, and by induction, k t ≥ 2 t for all t ≥ 0. Define d(t) to be the size of the interval where a can be found after t iterations. We then obtain: Hence, after O(log q) queries, the attacker is able to determine a.

CCA Key Recovery Attack on AFFHP
Recall that the secret key of AFFHP is a Gröbner basis G = {x 0 − a 0 , . . . , x n−1 − a n−1 } ⊂ F q [x 0 , . . . , x n−1 ], where the a i are unknown coefficients from F q . For a given ciphertext C ∈ F q [x 0 , . . . , x n−1 ], the decryption function returns (C mod G) mod 2. Setting C = x i will then yield x i mod G = a i , so the decryption oracle will output a i mod 2. More generally, the decryption of C = kx i for some k ∈ F q will return ka i mod 2. The attacker can therefore recover all the unknown a i by using the method described above. The complexity for this attack is O(n log q) decryption queries.

CCA Key Recovery Attack on DHPSSWZ
Recall that the decryption function of DHPSSWZ for a ciphertext C(y) is given as Dec(C(y))= (C(ψ(x)) mod f (x)) mod 2, where ψ(x) and f (x) are part of the secret key. We first show that the attacker can determine ψ(x) by asking for polynomially many decryptions of some chosen ciphertexts. All ciphertexts will take the form C(y) = ky, for selected choices of k ∈ F q . Note that if the attacker only asks for decryptions of linear polynomials, i.e., C(ψ(x)) = kψ(x), no reduction modulo f (x) will occur. Hence, we can disregard f (x) in the decryption function, and the decryption oracle will simply output kψ(x) mod 2 for all ciphertexts for which the attacker asks.
Let ψ(x) = a n−1 x n−1 + . . . + a 1 x + a 0 with a i ∈ F q . The decryption oracle will output (ka n−1 mod 2)x n−1 + . . . + (ka 0 mod 2) for the chosen ciphertexts C(y) = ky. By focusing on one coefficient a i at a time, we can now use the method described at the start of this subsection to recover all a 0 , . . . , a n−1 , and hence the exact ψ(x), by asking for O(n log q) decryptions.
Finally, given ψ(x) and the public polynomial F(y), the secret polynomial f (x) can easily be recovered as follows. We know that y ∈ Y and ψ(x) ∈ X are two different representations of the same element of F q . This element is defined by being a root of the polynomial F. Hence, we have G(x) := F(ψ(x)) = 0, where deg(G(x)) ≤ n(n − 1) and x is the element of X defined by being a root of f . Therefore, f (x)|G(x), and we can find f (x) by factoring G(x) and seeing which of the irreducible factors has the particular property of having degree n and only small coefficients. Factoring a univariate polynomial of degree d over F q has complexity O(d 2 log q) (or even smaller; see [70]), so the complexity of recovering f (x) in this step is at most O(n 4 log q).

Generic Constructions of IND-CCA1-Secure *HE
We present here the various more generic approaches for constructing an IND-CCA1secure *HE scheme; see Table 3 for a summary. The constructions apply existing generic constructions from group-homomorphic cryptosystems to the *HE setting and provide novel (generic) instantiations. The main problem with these constructions is that the resulting schemes are typically not compact and are rather impractical. Therefore, none of the generic constructions have, to the best of our knowledge, been implemented. Table 3. Generic constructions of IND-CCA1 *HE. The first construction has an insecure instantiation, while the other constructions only have a generic instantiation. Hence, none of these generic strategies provide a concrete instantiation.

LMSV
The SHE scheme presented by Loftus et al. [37] was for a long time the only *HE scheme thought to be IND-CCA1-secure, but it has since been broken.
The strategy was to construct an SHE scheme that achieves both IND-CPA and plaintext awareness (PA-1), which is known to result in an IND-CCA1-secure scheme [71]. Informally, plaintext awareness states that if an adversary is able to construct a valid ciphertext, she/he already knows the plaintext it encrypts. Then, intuitively, the decryption oracle is of no use to the adversary in an IND-CCA1 game, as she/he must already know the plaintext of any ciphertext she/he queries. In particular, the adversary is unable to query the decryption oracle with adulterine ciphertexts designed specifically to reveal information about the secret key, seeing as she/he must already know the secret key to be able to construct such valid ciphertexts. Hence, IND-CPA results in IND-CCA1 security. We state the formal definition of the PA-1 notion in Appendix B and refer to [71] for further details on both PA-1 and the construction IND-CPA + PA-1 → IND-CCA1.
The LMSV scheme added a ciphertext check to the decryption procedure of an IND-CPA-secure *HE scheme. The check aims to ensure that only honestly generated ciphertexts are decrypted, as this ensures that the scheme also achieves PA-1 security. The ciphertext check is based on a novel lattice knowledge assumption. Informally, this lattice knowledge assumption states that if an adversary is able to produce a vector c suitably close to a lattice point p when given only the basis of the lattice, then there is an extractor able to output p, given c and the random coins of the adversary. In other words, if an adversary is able to construct a vector sufficiently close to a lattice point, she/he must already know that lattice point. In the security proof, ciphertexts are likened to the vector c output by an adversary against the lattice knowledge assumption.
The starting scheme of LMSV, SV [38], based its IND-CPA security on SPIP, which was later broken [61][62][63], meaning that LMSV is not IND-CPA and hence not IND-CCA1-secure. Note, however, that the lattice knowledge assumption is unaffected by the attacks on SPIP. Therefore, it is conceivable to rely on this assumption to create a different IND-CCA1-secure scheme, but such a scheme would have to avoid relying on SPIP for IND-CPA security. It should also be noted that the lattice knowledge assumption is highly nonstandard and not well studied.
Despite these drawbacks, the approach of "adding" PA-1 security to an SHE scheme that is IND-CPA-secure is in and of itself both sound and interesting. However, it appears to be challenging to achieve both of these notions for SHE schemes, in particular PA-1, seeing as the LMSV scheme is the only one to suggest such a construction.

Constructions from Multi-Key Identity-Based Encryption
Canetti et al. [73] gave a construction for IND-CCA1-secure *HE schemes based on multi-key identity-based homomorphic encryption (IBHE) schemes. The construction is a simple transformation as follows: KeyGen: Same as for the multi-key IBHE scheme. The secret key is the master secret key msk, and the public key is the master public key mpk; Enc(mpk, m): Sample a random identity id; compute c = Enc IBHE (mpk, id, m); output (c, id); Dec(msk, (c, id)): Parse c = (c, id); compute sk id = Ext(id, msk); output m = Dec IBHE (sk id , id, c); Eval: Uses the IBHE evaluation function.
The IND-CCA1 security of the encryption scheme rests on the selective security for random identities of the multi-key IBHE scheme, which, informally, ensures that an adversary has a negligible advantage of distinguishing between encryptions of two messages of her/his choosing under a random identity, even if she/he has access to an oracle that provides her/him with the decryption key of any identity of her/his choosing. For a formal definition of the security notion, the interested reader is referred to Canetti et al. [73].
It is important to note that for an evaluated ciphertext to be decrypted, it will need to contain the identities of all the ciphertexts used in the evaluation. This means that the length of an evaluated ciphertext depends on the number of input ciphertexts, so the resulting scheme is not compact. We stress that this entails that the construction results in a scheme that, technically speaking, does not satisfy the definition of *HE schemes.
The authors also gave a generic instantiation that achieves multi-key IBHE by combining a multi-key FHE scheme and an identity-based encryption scheme and also suggested concrete schemes as building blocks. They also provided a generic instantiation that achieves multi-key IBHE in the random oracle model using sub-exponentially secure LWE.
In a concurrent work, Yasuda et al. [77] used the same generic construction based on multi-key IBHE to achieve a non-compact IND-CCA1-secure SHE scheme, with a similar proof for IND-CCA1 security as the one described above. A concrete instantiation for this construction was not suggested.

(Probabilistic) iO-Based
As discussed previously, Canetti et al. [73] showed that it is possible to construct a (non-compact) *HE scheme from a multi-key IBHE scheme. In the same article, the authors also suggested constructing a multi-key IBHE from a sub-exponentially secure iO (from which a probabilistic iO is constructed) and sub-exponentially secure lossy encryption (which can be based on DDH).
We note that Wang et al. found a technical weakness regarding how identities were handled in the evaluations, which enabled an attack on the PiO-based construction. However, Wang et al. also provided a patched version of the construction and proved that their construction achieved IND-CCA1 security [75].
The constructions differ in certain aspects, such as the setup and generation of keys for identities. Still, there are also important similarities, such as both constructions using a trapdoor encryption scheme during the encryption procedure of the IB *HE scheme. The most important common factor is that the evaluation hinges on PiO: the circuit given as the input is parsed as an algebraic circuit with separate addition and multiplication gates, which are then evaluated using obfuscations of different probabilistic programs. For further details on either construction, we refer to the respective article. Neither construction currently has a concrete instantiation.

zk-SNARK Construction
Canetti et al. [73] also gave a generic construction of IND-CCA1-secure FHE from IND-CPA-secure FHE using the Naor-Yung paradigm [76]. Essentially, the public key consists of two different public keys pk 1 , pk 2 of the same FHE scheme along with a common reference string crs for the zk-SNARK. An encryption of a message m is then of the form (Enc(pk 1 , m), Enc(pk 2 , m), π), where π is a proof of knowledge that the first two elements encrypt the same message m. Intuitively, this construction ensures IND-CCA1 security because the only way an adversary would be able to construct a ciphertext of a message the decryption oracle accepts is to actually encrypt the message, as she/he should not be able to construct a valid proof π otherwise. Thus, the decryption oracle cannot reveal to the adversary anything that she/he does not already know.
Note here that the Canetti et al. construction requires a zk-SNARK, instead of the usual NIZK used in the general Naor-Yung paradigm, to ensure π stays compact and hence preserves the compactness of the resulting IND-CCA1-secure FHE. However, due to the blackbox separation of SNARKs and falsifiable assumptions [78], IND-CCA1 security would then require a non-falsifiable assumption. Furthermore, note that the construction requires an IND-CPA-secure FHE scheme without bootstrapping or key publication. It is not known whether or not a scheme with such properties is possible under standard assumptions.

Discussion
We gave an overview of the state of IND-CCA1 security for *HE schemes, both for concrete schemes and generic constructions. We showed that several schemes are susceptible to the same adaptive key recovery attacks, mainly because many schemes are optimisations of earlier work, so attacks carry over more or less trivially. We also presented new adaptive key recovery attacks against schemes that had not been studied w.r.t. IND-CCA1 security before now.
It is worth discussing why chosen ciphertext attacks are so devastating against *HE schemes. We repeat a point made by Chillotti et al. [8], namely that if the proof of IND-CPA relies on a search-to-decision reduction of a problem, an adversary with access to a decryption oracle may simply follow the steps of this very reduction to recover the secret key. Most *HE schemes rely on such a reduction, in particular all schemes based on LWE and RLWE.
Moreover, the requirement of both addition and multiplication being homomorphic might make achieving IND-CCA1 harder, as there are few mathematical structures to define encryption schemes over that allow for a more or less natural homomorphic evaluation of ciphertexts. It could be the case that these structures themselves complicate achieving IND-CCA1 security. The result by Gjøsteen and Strand showing that secure noiseless schemes cannot exist in vector spaces or fields might suggest that this is the case [68]. Furthermore, there are group homomorphic schemes that achieve IND-CCA1 security, e.g., CS-lite [14], and although there is no proof that it cannot be homomorphic in both multiplication and addition, CS-lite is strongly believed to be strictly group homomorphic. It could be the case that requiring both operations to be homomorphic forces the message or secret key to be so "accessible" in the ciphertext that some information is always leaked once an adversary has access to a decryption oracle.
An important point in this discussion is that all the adaptive key recovery attacks we presented, both novel and prior work, take advantage of the fact that decryption is a relatively "easy" procedure, where the secret key is typically just multiplied with the ciphertext or it is applied in a modular reduction. This is a stark contrast to, e.g., block ciphers where the secret key is carefully scrambled, and changing one bit of the ciphertext will result in an avalanche effect so that several bits of the decrypted ciphertext are changed. A naive remedy would be to create a scheme with a more "convoluted" decryption procedure. However, bootstrapping a scheme hinges both on circular security and on the decryption circuit being as easy as possible: if this is not the case, the homomorphic evaluation of the decryption circuit will not reduce the noise in the ciphertext sufficiently to allow for further evaluations of it. In other words, the scheme would not be fully homomorphic. The easy decryption procedure is therefore inherent in all bootstrappable schemes. Furthermore, all suggested SHE and LHE schemes have been designed to be bootstrapped so that they may be expanded to an FHE scheme, meaning they all have a shallow decryption circuit. The overview we provided strongly suggests that this approach is not compatible with providing security against adaptive key recovery attacks or IND-CCA1 security.
We repeat the point from Zhang et al. [7], namely that as the use cases of *HE schemes increase the probability of the leakage of decrypted material, IND-CCA1 is an essential requirement for a secure homomorphic encryption scheme. We believe that a good starting point for creating an *HE scheme that achieves IND-CCA1 security would be the generic construction using zk-SNARKs by Canetti et al. [73]. As mentioned in Section 6.4, the construction relies on non-falsifiable assumptions. However, as the authors noted, one may use weaker primitives such as designated-verifier zk-SNARKs, and it is an interesting open problem to determine the minimum flavour of zero-knowledge that is needed to achieve IND-CCA1 security using the Canetti et al. construction. Alternatively, developing pure SHE or LHE schemes that are not designed to be bootstrappable might be a fruitful strategy, as this could allow for a decryption procedure "convoluted" enough to result in IND-CCA1 security or protection against adaptive key recovery attacks.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Background
We give a more thorough explanation of homomorphic encryption; for more details, see the guide to FHE by Armknecht et al. [60].
Group homomorphic encryption (GHE) refers to schemes that are homomorphic in a single group operation, i.e., Dec(Enc(m 1 ) · Enc(m 2 )) = m 1 • m 2 , where · is a binary operation in the ciphertext space and • is a binary operation in the plaintext space. If the operation is addition, the scheme is called additively homomorphic encryption (AHE), and similarly multiplicatively homomorphic encryption (MHE) if the operation is multiplication.
Examples of GHE schemes are RSA [79] and ElGamal [80]. It is worth noting that for these schemes, there is no limit to how much a ciphertext may be evaluated with respect to the homomorphic operation. The product of two (decryptable) RSA ciphertexts will always result in a decryptable ciphertext. This is not the case when the scheme is homomorphic with respect to both addition and multiplication, as these are typically limited in what circuits they are able to evaluate homomorphically. This is because all suggested *HE schemes employ noise to encrypt ciphertexts, which grows during evaluation. Typically, the growth is substantially bigger during multiplication than for addition. Unlike in the GHE case, there is a risk of decryption error if ciphertexts are processed too much, as the plaintext may "drown" in too much noise. At this point, there is no guarantee that the message output by the decryption is indeed the correct message, i.e., there is a non-negligible probability that Dec(C(Enc(m))) = C(m) for some circuit C and message m.
The key difference between the various types of homomorphic encryption is how much control they have over the noise growth, and the limits on the circuits they are able to evaluate correctly. We define an encryption scheme E = (KeyGen, Enc, Dec, Eval) to evaluate a circuit C correctly if: Pr[Dec(sk, Eval(evk, C, c 1 , . . . , c n )) = C(m 1 , . . . , m n )] = 1 − negl(λ), where (sk, pk, evk) ← KeyGen(λ), and c i ← Enc(pk, m i ). We allow for a negligible probability of decryption error.
Somewhat homomorphic encryption (SHE) refers to schemes that are homomorphic in both addition and multiplication, but may only perform a limited number of these operations before the noise becomes unmanageable. There is little to no means of reducing the noise in these schemes, only stunting the growth. Furthermore, the noise growth is not predictable enough to estimate precisely when the noise will become unmanageable. The number of operations performed on ciphertexts is therefore limited, but the limit may not be explicitly set. More formally, an SHE scheme correctly evaluates some circuits, though there is no formal requirement as to what schemes it is able to evaluate correctly.
Levelled homomorphic encryption (LHE) schemes are similar to SHE schemes in that these schemes also only allow for a limited amount of additions and multiplications. However, unlike SHEs, for levelled schemes, the number of operations that can be performed before decryption could fail may be explicitly set. The desired level is a separate parameter, L, in the key generation and corresponds to the maximum depth of an arithmetic circuit C the scheme is able to evaluate correctly.
Fully homomorphic encryption (FHE) schemes are able to evaluate any arithmetic circuit correctly.
So far, the only known way to achieve a scheme that is fully homomorphic is to apply bootstrapping to an SHE or LHE scheme. Bootstrapping entails evaluating the decryption circuit homomorphically. This removes all the "old noise" built up in the ciphertext during evaluation, but introduces more noise in the process of the homomorphic evaluation of the decryption circuit. However, as long as the noise introduced is small enough to still allow for just a single additional homomorphic operation, it is possible to perform any number of operations, and therefore evaluate any circuit correctly.
It is required that LHE and FHE schemes also achieve compactness, which we define as follows: Definition A1 (Compactness). A scheme is compact if there is a polynomial p such that for all ciphertexts c i and all circuits C, the scheme is able to evaluate correctly thatit is the case that |Eval(C, c 0 , c 1 , . . . , c n )| < p(λ).
In other words: the size of any evaluated ciphertext is independent of the size of the circuit. In the case of LHE, we also require that the length of the evaluation output is independent of the level parameter L [60].
Whilst compactness is a requirement for both LHE and FHE schemes, this is not necessarily the case for SHE schemes. However, it is preferable for these schemes to be compact as well, as it implies a somewhat stunted and controlled noise growth.

Appendix B. Plaintext Awareness
This section is based on Section 5 of [37]. Let the polynomial time adversary A be the ciphertext creator, which takes a public key as the input and may query ciphertexts from an oracle. Then, an algorithm A * is called a successful extractor for A if it can provide responses to A that are computationally indistinguishable from those provided by the decryption oracle. A scheme is said to be PA-1 if there exists a successful extractor for any ciphertext creator that makes a polynomial number of queries. The extractor A * obtains the same public key as A and also has access to the random coins used by A. The games Exp PA−1−d E ,A,D (λ) and Exp PA−1−x E ,A,D,A * (λ) are defined in Table A1. Definition A2 (PA-1). Let E be a public key encryption scheme and A be an algorithm with access to an oracle O taking input pk and returning a string. Let D be an algorithm that takes as the input a string and returns a single bit, and let A * be an algorithm that takes as the input a string and some state information and returns either a string or the symbol ⊥, plus a new state. We call A a ciphertext creator, A * a PA-1 extractor, and D a distinguisher. For security parameter λ, we define the (distinguishing and extracting) experiments below and define the PA-1 advantage as: We say A * is a successful PA-1 extractor for A if, for every polynomial time distinguisher, the above advantage is negligible.