Hi, I am currently learning about Noise Flooding and how it is implemented in OpenFHE. Then, I saw this block in `ckksrns-pke.cpp`:

```cpp
DCRTPoly b = DecryptCore(cv, privateKey);
if (cryptoParams->GetDecryptionNoiseMode() == NOISE_FLOODING_DECRYPT &&
    cryptoParams->GetExecutionMode() == EXEC_EVALUATION) {
    auto dgg = cryptoParams->GetFloodingDiscreteGaussianGenerator();
    DCRTPoly noise(dgg, cv[0].GetParams(), Format::EVALUATION);
    b += noise;
}
```
If I understand correctly, `DecryptCore` is implementing the c_0 + s.c_1 part of the decryption, and then the noise is added in `b += noise`.
I am really new to this topic, but when I first read about Noise Flooding, I thought the noise would be added before data was decrypted. Here, (again) if I understand correctly, the data is already decrypted when noise is added. My questions are:
- Is my understanding of the code and the noise flooding technique correct?
- If the attacker can get `b` before noise is added, can the attacker do “Li and Micciancio’s CKKS attack” even when the noise flooding mode is activated?
The Li-Micciancio attack takes place only if the attacker gets both the ciphertext and the unflooded plaintext, from which it can extract the original error. An instance of this attack is when the client (owner of the secret key) shares the decrypted result with the party who performed the encrypted computations and generated the result ciphertext. Note that the attacker does not know the secret key; its goal is to extract the secret key. Therefore, after decryption (result of DecryptCore) and before sharing the plaintext (result of Decrypt) with other parties, the client should perform the noise flooding. The attacker cannot get b from the client, because b is not publicly shared (the same way the secret key is not publicly shared by the client).
For the client it does not matter whether it does the flooding over the ciphertext or over the decryption, because it has the secret key anyway. Note that the flooding cannot be done at the server (over the ciphertext), because then the server would know the value of the added noise and it could still extract the unflooded error after it receives the plaintext.
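The two points of the answer above, as an added toy example (not OpenFHE code and not written by anyone in this thread): a scalar analogue modulo a small prime in which an exact `c_0 + s*c_1` fixes the key for whoever holds the ciphertext, flooding by the key owner breaks that relation, and flooding by the server does not. The names `decrypt_core`, `flood`, `implied_key`, the modulus and all sample values are assumptions constructed for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <random>

// Toy scalar stand-in for CKKS decryption (constructed; not OpenFHE code).
using u64 = std::uint64_t;
constexpr u64 Q = 2147483647ULL;  // prime 2^31 - 1, so products fit in 64 bits
u64 add(u64 a, u64 b) { return (a + b) % Q; }
u64 sub(u64 a, u64 b) { return (a + Q - b) % Q; }
u64 mul(u64 a, u64 b) { return (a % Q) * (b % Q) % Q; }
u64 powmod(u64 a, u64 e) {
    u64 r = 1;
    for (a %= Q; e; e >>= 1, a = mul(a, a)) if (e & 1) r = mul(r, a);
    return r;
}
struct Ct { u64 c0, c1; };

// Encrypt m with small error e: c0 = m + e - c1*s, hence c0 + c1*s = m + e.
Ct encrypt(u64 s, u64 m, u64 e, u64 c1) { return {sub(add(m, e), mul(c1, s)), c1}; }

// Analogue of DecryptCore: c_0 + s*c_1, still carrying the exact error e.
u64 decrypt_core(const Ct& ct, u64 s) { return add(ct.c0, mul(ct.c1, s)); }

// Analogue of `b += noise`: applied by the key owner before anything is released.
u64 flood(u64 b, std::int64_t noise) {
    const std::int64_t q = static_cast<std::int64_t>(Q);
    return add(b, static_cast<u64>(((noise % q) + q) % q));
}
// Rounded Gaussian as a stand-in for the flooding discrete Gaussian generator.
std::int64_t sample_noise(std::mt19937_64& rng, double sigma) {
    return std::llround(std::normal_distribution<double>(0.0, sigma)(rng));
}
// What a ciphertext holder can derive from a released value:
// the unique x satisfying c0 + c1*x = released (mod Q).
u64 implied_key(const Ct& ct, u64 released) {
    return mul(sub(released, ct.c0), powmod(ct.c1, Q - 2));
}

int main() {
    std::mt19937_64 rng(1);
    const u64 s = 123456789ULL, n_srv = 31337;  // n_srv: noise chosen by the server
    Ct ct = encrypt(s, 42000, 5, 987654321ULL);
    u64 b = decrypt_core(ct, s);                // never leaves the client
    u64 released = flood(b, sample_noise(rng, 1 << 20));
    Ct srv{add(ct.c0, n_srv), ct.c1};           // flooding done on the ciphertext
    u64 undone = sub(decrypt_core(srv, s), n_srv);
    std::cout << "exact b fixes the key:          " << (implied_key(ct, b) == s) << "\n"
              << "client-flooded value fixes it:  " << (implied_key(ct, released) == s) << "\n"
              << "server-side flooding undone:    " << (undone == b) << "\n";
}
```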
Oh, I see… I realized that I mixed up my understanding of the Li-Micciancio attack model. Thanks for the clarification!