CCA attack resistance of the CKKS scheme

Hello, could you please provide any information / references (papers) on whether your implementation of the CKKS scheme can resist CCA attacks? Best, Svetlana

The implementation of CKKS in OpenFHE can only resist IND-CPA^D attacks. No FHE scheme can be CCA2-secure. There are some preliminary works (see the papers and references within) for incorporating verifiable computation for CKKS https://eprint.iacr.org/2025/286.pdf and discussing CCA-style security for FHE https://eprint.iacr.org/2024/202.pdf.

Thank you for your answer and the provided links. I have a brief follow-up question: do you have a rough estimate of how many queries a CCA attacker would need to recover the secret key? Has anyone already done such tests for the CKKS scheme?

Without verification of well-formedness (notions like vCCA), a CCA attacker can recover the secret key with a single request of the trivial ciphertext.

This is a direct consequence of the linear algebraic structure of the CKKS decryption mechanism. The attacker can submit a malformed ciphertext that would never be generated by the encryption algorithm, but that the decryption oracle will still process, and that would leak the secret key.

More concretely, for an input ciphertext $\textsf{ct} = (c_0, c_1)$, the decryption function returns $[c_0 + c_1 s]_q$. For the trivial ciphertext $\textsf{ct}_{\text{trivial}} = (0, 1)$, we get $\textsf{Dec}(\textsf{ct}_{\text{trivial}}) = [s]_q = s$ (given that $s$ has small coefficients).

I guess it’s not that trivial in practice.

CCA is a theoretical security notion, so a CCA attacker, as defined in the formal security game, only needs one query for the specific attack discussed previously.

In practice, there are many ways to attack a cryptosystem’s implementation (such as side-channel attacks), but the purpose of security notions is to formally define a threat model and mathematically prove a scheme’s security under those assumptions. Therefore, it’s impossible to say how easy an attack would be “in practice” without a concrete model for the attacker and the system.

A good example of such a concrete model is in this paper, which details a CPAD attack against FHE schemes and provides in Table 2 the number of ciphertexts needed to perform the attack.

Moreover, the IND-CCA1 definition extended to homomorphic schemes (i.e., publishing not just the public key but the evaluation keys as well) is incompatible with FHE schemes that rely on circular security. In such schemes, the evaluation keys are roughly encryptions of functions of the secret key. Thus, an attacker can submit a (malleated) evaluation key to the decryption oracle, which will decrypt to the respective function of the secret key.
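The following toy model, added here as an illustration and not taken from OpenFHE or from any of the posts, makes both oracle attacks in this thread concrete: the single trivial-ciphertext query $(0, 1)$ that returns $s$, and the decryption of an evaluation key that returns a function of $s$. Everything in it is an assumption chosen for readability: a ring $\mathbb{Z}_q[x]/(x^N+1)$ with $N = 8$, a ternary secret, a symmetric-key encryption $c_0 = -a s + e + m$ so that $c_0 + c_1 s = m + e$, and a "relinearization key" modelled as an ordinary ciphertext encrypting $\Delta \cdot s^2$ under $s$ itself (real key-switching keys add a special modulus and digit decomposition, so a real attacker may have to malleate the key into the oracle's input format first; the toy skips that step). The decryption oracle is deliberately written the way a plain `Decrypt` call behaves: it accepts any pair of ring elements and never checks that the pair could have come from `Encrypt`.

```python
"""Toy RLWE/CKKS-style scheme showing why an unchecked decryption oracle
leaks the secret key.  Added illustration, not OpenFHE code: the ring,
parameters and the shape of the "evaluation key" are simplified stand-ins."""
import random

N = 8          # ring degree of Z_q[x]/(x^N + 1); tiny, for illustration only
Q = 2**40      # ciphertext modulus (assumed; real parameters are far larger)
DELTA = 2**20  # CKKS-style scaling factor used to embed a plaintext polynomial


def centered(x, q):
    """Reduce x mod q into (-q/2, q/2], the representative [.]_q that Dec returns."""
    x %= q
    return x - q if x > q // 2 else x


def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_mul(a, b, q):
    """Negacyclic convolution: polynomial product modulo x^N + 1 and q."""
    res = [0] * N
    for i, x in enumerate(a):
        if x == 0:
            continue
        for j, y in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + x * y) % q
            else:
                res[k - N] = (res[k - N] - x * y) % q   # x^N = -1 wraps with a sign flip
    return res


def keygen(rng):
    """Ternary secret s in {-1, 0, 1}^N, as used by CKKS-style schemes."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]


def encrypt(m, s, rng):
    """Symmetric RLWE encryption: ct = (c0, c1) = (-a*s + e + m, a), so c0 + c1*s = m + e."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-3, 3) for _ in range(N)]          # small noise (toy distribution)
    neg_as = [(-x) % Q for x in poly_mul(a, s, Q)]
    c0 = poly_add(poly_add(neg_as, e, Q), [x % Q for x in m], Q)
    return (c0, a)


def decrypt_oracle(ct, s):
    """Returns [c0 + c1*s]_q for ANY pair of ring elements.

    No well-formedness check: this is exactly what the CCA attacker exploits."""
    c0, c1 = ct
    return [centered(x, Q) for x in poly_add(c0, poly_mul(c1, s, Q), Q)]


def is_syntactically_valid(ct):
    """The only check a naive oracle can make: two degree-N polynomials mod Q.
    The trivial ciphertext passes it, so syntax checks do not help."""
    return (len(ct) == 2 and all(len(c) == N and all(0 <= x < Q for x in c) for c in ct))


def trivial_ciphertext():
    """ct_trivial = (0, 1) as ring elements; Dec(ct_trivial) = [s]_q = s."""
    return ([0] * N, [1] + [0] * (N - 1))


def make_eval_key(s, rng):
    """Toy stand-in for a relinearization key: an encryption of DELTA*s^2 under s itself
    (this is the circular-security assumption).  Assumed shape, not the real key format."""
    s2 = poly_mul(s, s, Q)                 # exact, since |coeffs of s^2| <= N << Q
    return encrypt([(DELTA * x) % Q for x in s2], s, rng)


def round_by_delta(noisy):
    """Strip the noise e from DELTA*m + e by rounding to the nearest multiple of DELTA."""
    return [(x + DELTA // 2) // DELTA for x in noisy]


def run_attacks(seed=1):
    """Key recovery with a single oracle query, plus s^2 recovery from the evaluation key."""
    rng = random.Random(seed)
    s = keygen(rng)
    oracle = lambda ct: decrypt_oracle(ct, s)   # attacker only has black-box access to this

    # Honest use: encrypt small integers scaled by DELTA, decrypt, round away the noise.
    msg = [i - N // 2 for i in range(N)]
    honest_ok = round_by_delta(oracle(encrypt([DELTA * v for v in msg], s, rng))) == msg

    # Attack 1: one query with (0, 1) returns s exactly, because s is small.
    recovered_s = oracle(trivial_ciphertext())

    # Attack 2: feed the (public) evaluation key to the oracle and read off s^2.
    evk = make_eval_key(s, rng)
    recovered_s2 = round_by_delta(oracle(evk))
    true_s2 = [centered(x, Q) for x in poly_mul(s, s, Q)]

    return {"honest_ok": honest_ok, "s": s, "recovered_s": recovered_s,
            "s2": true_s2, "recovered_s2": recovered_s2,
            "trivial_passes_syntax_check": is_syntactically_valid(trivial_ciphertext())}


if __name__ == "__main__":
    r = run_attacks()
    print("secret s           :", r["s"])
    print("Dec((0,1))         :", r["recovered_s"])
    print("s^2 from eval key  :", r["recovered_s2"] == r["s2"])
```

The point of `is_syntactically_valid` is that $(0, 1)$ is a perfectly ordinary pair of ring elements, so nothing short of a proof that the ciphertext is well-formed (the vCCA-style notions mentioned above) lets the oracle reject it. Changing the seed changes $s$ and the noise but not the outcome: both recoveries succeed with one query each.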

Thanks for your inputs.