Ciphertexts equality testing in CKKS

Hi,
As the CKKS scheme is using noise, is there a way to know if two ciphertexts are actually encrypting the same data (without having the private key, obviously)? That is, if c1 and c2 are both encrypting an element m, both with the same public key and same scheme parameters, we have c1 != c2, but is there an operation that allows detecting that they are encrypting the same data? Or is there a security proof on that?

I have seen that by switching to TFHE there is a way to compare ciphertexts; however, the result is also encrypted, so an attacker without the private key would not know the result.

Any idea/pointers?

Thanks a lot in advance.

Most existing FHE schemes, including CKKS, are semantically secure cryptoschemes, that is: given access to the ciphertexts only, negligible information about the plaintext can be deduced, such as message length.

In other words, a cryptoscheme is deemed semantically secure if it satisfies the following: “for any two messages of equal length, the ciphertexts produced by the encryption algorithm are indistinguishable by any efficient adversary”.

Also, note that CKKS encryption is probabilistic, that is, encrypting the same message twice does not generate the same ciphertext with a fairly large probability.

To compare encrypted messages, you will need to evaluate a comparison circuit homomorphically, and by definition, the result will also be encrypted. Thus, adversaries who do not own the secret key should not be able to learn the result of the comparison.

1 Like
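
The probabilistic-encryption point from the answer above, as an added example that is not part of the thread and not taken from any FHE library: a toy RLWE public-key encryption in the CKKS style, showing that two encryptions of the same message under the same key differ while both decrypt to approximately the same values. The parameters `N`, `Q`, `DELTA`, the ternary noise, and the direct coefficient encoding are simplifying assumptions and are not secure.

```python
import random

# Toy parameters, chosen for readability only (assumptions, far too small to be secure).
N, Q, DELTA = 16, 1 << 40, 1 << 20   # ring degree, modulus, scaling factor

def polymul(a, b):
    """Multiply in Z_Q[X]/(X^N + 1): negacyclic convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < N else -1          # X^N wraps around to -1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % Q
    return out

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def small(rng):
    """Ternary polynomial, standing in for the secret and noise distributions."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng):
    s, e = small(rng), small(rng)
    a = [rng.randrange(Q) for _ in range(N)]
    b = add([-x % Q for x in polymul(a, s)], e)    # b = -a*s + e
    return s, (b, a)

def encrypt(pk, values, rng):
    b, a = pk
    # Simplification: scaled values go straight into coefficients (no canonical embedding).
    m = [round(v * DELTA) % Q for v in values] + [0] * (N - len(values))
    u, e0, e1 = small(rng), small(rng), small(rng)  # fresh randomness on every call
    return add(add(polymul(b, u), e0), m), add(polymul(a, u), e1)

def decrypt(sk, ct, count):
    c0, c1 = ct
    p = add(c0, polymul(c1, sk))                   # = m + (e*u + e0 + e1*s)
    return [(x - Q if x > Q // 2 else x) / DELTA for x in p[:count]]

def demo(rng=None):
    rng = rng or random.SystemRandom()
    sk, pk = keygen(rng)
    msg = [3.14, -2.5, 0.001]                      # constructed sample message
    ct1, ct2 = encrypt(pk, msg, rng), encrypt(pk, msg, rng)
    return msg, ct1, ct2, decrypt(sk, ct1, 3), decrypt(sk, ct2, 3)

if __name__ == "__main__":
    msg, ct1, ct2, d1, d2 = demo()
    print("ciphertexts equal:", ct1 == ct2)        # same message, same key
    print("decryptions:", d1, d2)
```

Comparing `ct1` and `ct2` directly says nothing about the plaintexts; only the holder of `sk` sees that both decrypt to the message, up to the noise divided by `DELTA`.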

Thanks @Caesar, that is rather reassuring then.