v6.1.1

This patch fixes the following security issue:

Wrong level for DenseToSparse Evaluation Key

• Severity: Low
• Impact: A security of 128-bit is not guaranteed if the EvkDenseToSparse evaluation key, which is part of the CKKS bootstrapping keys, is used. With the bootstrapping parameters proposed in Lattigo, the security falls to $\approx$ 106 bits of security. This means the vulnerability does not lead to any practical attack. However, anyone using CKKS bootstrapping should update their version to go back to 128-bit security.
• Versions impacted: v5.0.0-v6.1.0
• Fixed in: v6.1.1
• Fix: EvkDenseToSparse is generated at the correct level.
• Reported by: Noam Kleinburd @NoamK-CR

Details

In the CKKS bootstrapping proposed by default in Lattigo (see Bossuat et al.), two secret keys are used: the "default" one that is used in the circuit, and a sparse key, that is used for one step of the bootstrapping (the ModRaise). In order to switch the ciphertext to use the sparse key before the ModRaise step, one must use the EvkDenseToSparse evaluation key. Now, the sparse key provides 128-bit security at the lowest level only (when we work modulo $pq$) and therefore should be generated modulo $pq$ only.
However, in Lattigo, EvkDenseToSparse was generated modulo larger primes $$PQ \gg pq $$ by default, making the mathematical problem underlying the security of CKKS (i.e. RLWE) slightly easier to solve.
For the bootstrapping parameters proposed in Lattigo, the security provided is still more than enough ($>106$-bit) in practice, but does not meet the golden standard of $>128$-bit security we aim for in cryptography.

Hence, we encourage all users to update their Lattigo version to v6.1.1 as soon as possible, especially users making use of the CKKS bootstrapping.