Detecting anomalies directly in LWE-encrypted signals is challenging due to the absence of efficient, decryption-free statistical methods operating solely in the ciphertext domain. Method: We propose the first ciphertext-domain statistical anomaly detection framework for LWE encryption that requires neither decryption nor a secure communication channel. Leveraging LWE’s additive homomorphism, we construct computable hypothesis-testing statistics over ciphertexts and design a lattice-basis-reduction-based ciphertext transformation to ensure detection feasibility. Contribution/Results: We theoretically prove that detection sensitivity decays polynomially with security parameters—fundamentally distinct from the exponential decay characteristic of cryptanalysis—thereby establishing an adjustable trade-off between security and detectability. Experiments demonstrate the framework’s effectiveness in identifying injection attacks in encrypted control signals, offering a novel pathway for privacy-preserving real-time anomaly monitoring.

Detecting attacks using encrypted signals is challenging since encryption hides its information content. We present a novel mechanism for anomaly detection over Learning with Errors (LWE) encrypted signals without using decryption, secure channels, nor complex communication schemes. Instead, the detector exploits the homomorphic property of LWE encryption to perform hypothesis tests on transformations of the encrypted samples. The specific transformations are determined by solutions to a hard lattice-based minimization problem. While the test's sensitivity deteriorates with suboptimal solutions, similar to the exponential deterioration of the (related) test that breaks the cryptosystem, we show that the deterioration is polynomial for our test. This rate gap can be exploited to pick parameters that lead to somewhat weaker encryption but large gains in detection capability. Finally, we conclude the paper by presenting a numerical example that simulates anomaly detection, demonstrating the effectiveness of our method in identifying attacks.