# Known CKKS security vulnerability

Given a ciphertext $(b = as + m + e,\ a) \bmod q$ and its decryption $m + e$, one can subtract the decryption from $b$ and learn $as$. $a$ is public (it might not be invertible), but treating the coefficients of the polynomial $s$ as variables gives a linear equation modulo $q$ with $n$ variables (where $n$ is the CKKS ring dimension). Having $n$ pairs of ciphertexts and their plaintexts results in a system of $n$ linear equations modulo $q$, which can be solved to recover $s$.

Reference:

- [[@On the Security of Homomorphic Encryption on Approximate Numbers]]
- [Presentation - CKKS Key Recovery Attack](https://overleaf.sl.cloud9.ibm.com/project/5fb4d7e7f4809b007de1f3ae)

## Created 2024-01-23 07:18
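The linear system described in this note, worked through on a toy ring as an added example (not code from the referenced paper or from any CKKS library). Each pair contributes the coefficient-wise equations of $b - (m+e) = as$ in $\mathbb{Z}_q[X]/(X^n+1)$, stacked across pairs so that a non-invertible $a$ does not stall the solve. Assumptions: the parameters `N = 8`, `Q = 7681`, the noise range and all function names are constructed for illustration, and decryption returns the raw $m + e$ as the note states.

```python
import random

N, Q = 8, 7681  # constructed toy parameters: ring dimension n and prime modulus q

def negacyclic_matrix(a):
    """Matrix A with A*s = coefficients of a*s in Z_q[X]/(X^N + 1)."""
    return [[a[i - j] if i >= j else -a[N + i - j] % Q for j in range(N)]
            for i in range(N)]

def ring_mul(a, s):
    return [sum(x * y for x, y in zip(row, s)) % Q for row in negacyclic_matrix(a)]

def encrypt(s, m, rng):
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-3, 3) for _ in range(N)]  # small noise (assumed range)
    b = [(p + mi + ei) % Q for p, mi, ei in zip(ring_mul(a, s), m, e)]
    return b, a

def decrypt(ct, s):
    b, a = ct
    return [(bi - p) % Q for bi, p in zip(b, ring_mul(a, s))]  # m + e, unrounded

def solve_mod(rows, rhs):
    """Gauss-Jordan elimination mod prime Q; returns None if rank < N."""
    M = [r[:] + [v] for r, v in zip(rows, rhs)]
    for col in range(N):
        piv = next((r for r in range(col, len(M)) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [x * inv % Q for x in M[col]]
        for r in range(len(M)):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % Q for x, y in zip(M[r], M[col])]
    return [M[i][N] for i in range(N)]

def recover_key(pairs):
    """Stack b - (m + e) = a*s from every (ciphertext, decryption) pair, solve for s."""
    rows, rhs = [], []
    for (b, a), dec in pairs:
        rows += negacyclic_matrix(a)
        rhs += [(bi - di) % Q for bi, di in zip(b, dec)]
    return solve_mod(rows, rhs)

def demo(seed=1, num_pairs=3):
    rng = random.Random(seed)
    s = [rng.choice([-1, 0, 1]) % Q for _ in range(N)]  # ternary secret, reduced mod Q
    pairs = []
    for _ in range(num_pairs):
        ct = encrypt(s, [rng.randrange(100) for _ in range(N)], rng)
        pairs.append((ct, decrypt(ct, s)))
    return s, recover_key(pairs)
```

The solve succeeds only because `decrypt` hands back $m + e$ exactly; the noise $e$ cancels in $b - (m + e)$ and leaves an exact linear system in $s$.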