arnaucube
/
phantom-zone
mirror of https://github.com/arnaucube/phantom-zone.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

make enc and dec variant specific

par-agg-key-shares
Janmajaya Mall 10 months ago
parent
691995f1c3
commit
88fdc6ac5c
9 changed files with 930 additions and 872 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +335
    -443
      src/bool/evaluator.rs
  2. +97
    -93
      src/bool/keys.rs
  3. +3
    -7
      src/bool/mod.rs
  4. +94
    -2
      src/bool/mp_api.rs
  5. +66
    -0
      src/bool/ni_mp_api.rs
  6. +25
    -30
      src/bool/noise.rs
  7. +297
    -292
      src/noise.rs
  8. +2
    -5
      src/shortint/mod.rs
  9. +11
    -0
      src/utils.rs

+ 335
- 443
src/bool/evaluator.rs
File diff suppressed because it is too large
View File


+ 97
- 93
src/bool/keys.rs
View File

@ -10,112 +10,130 @@ use crate::{
Decryptor, Encryptor, Matrix, MatrixEntity, MatrixMut, MultiPartyDecryptor, RowEntity, RowMut,
};
use super::{parameters, BoolEvaluator, BoolParameters, CiphertextModulus};
use super::{
evaluator::BoolEvaluator,
parameters::{BoolParameters, CiphertextModulus},
};
trait SinglePartyClientKey {
pub(crate) trait SinglePartyClientKey {
type Element;
fn sk_rlwe(&self) -> &[Self::Element];
fn sk_lwe(&self) -> &[Self::Element];
fn sk_rlwe(&self) -> Vec<Self::Element>;
fn sk_lwe(&self) -> Vec<Self::Element>;
}
trait InteractiveMultiPartyClientKey {
pub(crate) trait InteractiveMultiPartyClientKey {
type Element;
fn sk_rlwe(&self) -> &[Self::Element];
fn sk_lwe(&self) -> &[Self::Element];
fn sk_rlwe(&self) -> Vec<Self::Element>;
fn sk_lwe(&self) -> Vec<Self::Element>;
}
trait NonInteractiveMultiPartyClientKey {
pub(crate) trait NonInteractiveMultiPartyClientKey {
type Element;
fn sk_rlwe(&self) -> &[Self::Element];
fn sk_u_rlwe(&self) -> &[Self::Element];
fn sk_lwe(&self) -> &[Self::Element];
fn sk_rlwe(&self) -> Vec<Self::Element>;
fn sk_u_rlwe(&self) -> Vec<Self::Element>;
fn sk_lwe(&self) -> Vec<Self::Element>;
}
/// Client key with RLWE and LWE secrets
/// Client key
///
/// Key is used for all parameter varians - Single party, interactive
/// multi-party, and non-interactive multi-party. The only stored the main seed
/// and seeds of the Rlwe/Lwe secrets are derived at puncturing the seed desired
/// number of times.
///
/// ### Punctures required:
///
/// Puncture 1 -> Seed of RLWE secret used as main RLWE secret for
/// single-party, interactive/non-interactive multi-party
///
/// Puncture 2 -> Seed of LWE secret used main LWE secret for single-party,
/// interactive/non-interactive multi-party
///
/// Puncture 3 -> Seed of RLWE secret used as `u` in
/// interactive/non-interactive multi-party.
#[derive(Clone)]
pub struct ClientKey {
sk_rlwe: RlweSecret,
sk_lwe: LweSecret,
}
/// Client key with RLWE and LWE secrets
#[derive(Clone)]
pub struct ThrowMeAwayKey {
sk_rlwe: RlweSecret,
sk_u_rlwe: RlweSecret,
sk_lwe: LweSecret,
pub struct ClientKey<S, E> {
seed: S,
parameters: BoolParameters<E>,
}
mod impl_ck {
use super::*;
// Client key
impl ClientKey {
pub(in super::super) fn new(sk_rlwe: RlweSecret, sk_lwe: LweSecret) -> Self {
Self { sk_rlwe, sk_lwe }
}
use crate::{
random::DefaultSecureRng,
utils::{fill_random_ternary_secret_with_hamming_weight, puncture_p_rng},
};
pub(in super::super) fn sk_rlwe(&self) -> &RlweSecret {
&self.sk_rlwe
}
use super::*;
pub(in super::super) fn sk_lwe(&self) -> &LweSecret {
&self.sk_lwe
impl<E> ClientKey<[u8; 32], E> {
pub(in super::super) fn new(parameters: BoolParameters<E>) -> ClientKey<[u8; 32], E> {
let mut rng = DefaultSecureRng::new();
let mut seed = [0u8; 32];
rng.fill_bytes(&mut seed);
Self { seed, parameters }
}
}
// Client key
impl ThrowMeAwayKey {
pub(in super::super) fn new(
sk_rlwe: RlweSecret,
sk_u_rlwe: RlweSecret,
sk_lwe: LweSecret,
) -> Self {
Self {
sk_rlwe,
sk_u_rlwe,
sk_lwe,
}
}
pub(in super::super) fn sk_rlwe(&self) -> &RlweSecret {
&self.sk_rlwe
}
pub(in super::super) fn sk_u_rlwe(&self) -> &RlweSecret {
&self.sk_u_rlwe
impl<E> SinglePartyClientKey for ClientKey<[u8; 32], E> {
type Element = i32;
fn sk_lwe(&self) -> Vec<Self::Element> {
let mut p_rng = DefaultSecureRng::new_seeded(self.seed);
let lwe_seed = puncture_p_rng::<[u8; 32], DefaultSecureRng>(&mut p_rng, 2);
let mut lwe_prng = DefaultSecureRng::new_seeded(lwe_seed);
let mut out = vec![0i32; self.parameters.lwe_n().0];
fill_random_ternary_secret_with_hamming_weight(
&mut out,
self.parameters.lwe_n().0 >> 1,
&mut lwe_prng,
);
out
}
pub(in super::super) fn sk_lwe(&self) -> &LweSecret {
&self.sk_lwe
fn sk_rlwe(&self) -> Vec<Self::Element> {
let mut p_rng = DefaultSecureRng::new_seeded(self.seed);
let rlwe_seed = puncture_p_rng::<[u8; 32], DefaultSecureRng>(&mut p_rng, 1);
let mut rlwe_prng = DefaultSecureRng::new_seeded(rlwe_seed);
let mut out = vec![0i32; self.parameters.rlwe_n().0];
fill_random_ternary_secret_with_hamming_weight(
&mut out,
self.parameters.rlwe_n().0 >> 1,
&mut rlwe_prng,
);
out
}
}
impl Encryptor<bool, Vec<u64>> for ClientKey {
fn encrypt(&self, m: &bool) -> Vec<u64> {
BoolEvaluator::with_local(|e| e.sk_encrypt(*m, self))
impl<E> InteractiveMultiPartyClientKey for ClientKey<[u8; 32], E> {
type Element = i32;
fn sk_lwe(&self) -> Vec<Self::Element> {
<Self as SinglePartyClientKey>::sk_lwe(&self)
}
}
impl Decryptor<bool, Vec<u64>> for ClientKey {
fn decrypt(&self, c: &Vec<u64>) -> bool {
BoolEvaluator::with_local(|e| e.sk_decrypt(c, self))
fn sk_rlwe(&self) -> Vec<Self::Element> {
<Self as SinglePartyClientKey>::sk_rlwe(&self)
}
}
impl MultiPartyDecryptor<bool, Vec<u64>> for ClientKey {
type DecryptionShare = u64;
fn gen_decryption_share(&self, c: &Vec<u64>) -> Self::DecryptionShare {
BoolEvaluator::with_local(|e| e.multi_party_decryption_share(c, &self))
impl<E> NonInteractiveMultiPartyClientKey for ClientKey<[u8; 32], E> {
type Element = i32;
fn sk_lwe(&self) -> Vec<Self::Element> {
<Self as SinglePartyClientKey>::sk_lwe(&self)
}
fn aggregate_decryption_shares(
&self,
c: &Vec<u64>,
shares: &[Self::DecryptionShare],
) -> bool {
BoolEvaluator::with_local(|e| e.multi_party_decrypt(shares, c))
fn sk_rlwe(&self) -> Vec<Self::Element> {
<Self as SinglePartyClientKey>::sk_rlwe(&self)
}
fn sk_u_rlwe(&self) -> Vec<Self::Element> {
let mut p_rng = DefaultSecureRng::new_seeded(self.seed);
let rlwe_seed = puncture_p_rng::<[u8; 32], DefaultSecureRng>(&mut p_rng, 3);
let mut rlwe_prng = DefaultSecureRng::new_seeded(rlwe_seed);
let mut out = vec![0i32; self.parameters.rlwe_n().0];
fill_random_ternary_secret_with_hamming_weight(
&mut out,
self.parameters.rlwe_n().0 >> 1,
&mut rlwe_prng,
);
out
}
}
}
@ -135,18 +153,6 @@ pub(super) mod impl_pk {
}
}
impl<Rng, ModOp> Encryptor<bool, Vec<u64>> for PublicKey<Vec<Vec<u64>>, Rng, ModOp> {
fn encrypt(&self, m: &bool) -> Vec<u64> {
BoolEvaluator::with_local(|e| e.pk_encrypt(&self.key, *m))
}
}
impl<Rng, ModOp> Encryptor<[bool], Vec<Vec<u64>>> for PublicKey<Vec<Vec<u64>>, Rng, ModOp> {
fn encrypt(&self, m: &[bool]) -> Vec<Vec<u64>> {
BoolEvaluator::with_local(|e| e.pk_encrypt_batched(&self.key, m))
}
}
impl<
M: MatrixMut + MatrixEntity,
Rng: NewWithSeed
@ -456,8 +462,6 @@ pub(super) mod impl_server_key_eval_domain {
use itertools::{izip, Itertools};
use crate::{
backend::Modulus,
bool::{NonInteractiveMultiPartyCrs, SeededNonInteractiveMultiPartyServerKey},
ntt::{Ntt, NttInit},
pbs::PbsKey,
};
@ -736,7 +740,7 @@ pub(crate) struct NonInteractiveServerKeyEvaluationDomain {
pub(super) mod impl_non_interactive_server_key_eval_domain {
use itertools::{izip, Itertools};
use crate::{bool::NonInteractiveMultiPartyCrs, random::RandomFill, Ntt, NttInit};
use crate::{bool::evaluator::NonInteractiveMultiPartyCrs, random::RandomFill, Ntt, NttInit};
use super::*;

+ 3
- 7
src/bool/mod.rs
View File

@ -1,16 +1,12 @@
pub(crate) mod evaluator;
pub(crate) mod keys;
mod keys;
mod mp_api;
mod ni_mp_api;
mod noise;
pub(crate) mod parameters;
pub use mp_api::*;
pub(crate) use keys::PublicKey;
pub type FheBool = Vec<u64>;
use std::{cell::RefCell, sync::OnceLock};
use evaluator::*;
use keys::*;
use parameters::*;
pub use mp_api::*;

+ 94
- 2
src/bool/mp_api.rs
View File

@ -1,3 +1,5 @@
use std::{cell::RefCell, sync::OnceLock};
use crate::{
backend::{ModularOpsU64, ModulusPowerOf2},
ntt::NttBackendU64,
@ -5,7 +7,7 @@ use crate::{
utils::{Global, WithLocal},
};
use super::*;
use super::{evaluator::*, keys::*, parameters::*};
thread_local! {
static BOOL_EVALUATOR: RefCell<Option<BoolEvaluator<Vec<Vec<u64>>, NttBackendU64, ModularOpsU64<CiphertextModulus<u64>>, ModulusPowerOf2<CiphertextModulus<u64>>, ShoupServerKeyEvaluationDomain<Vec<Vec<u64>>>>>> = RefCell::new(None);
@ -15,6 +17,8 @@ static BOOL_SERVER_KEY: OnceLock>>>
static MULTI_PARTY_CRS: OnceLock<MultiPartyCrs<[u8; 32]>> = OnceLock::new();
pub type ClientKey = super::keys::ClientKey<[u8; 32], u64>;
pub enum ParameterSelector {
MultiPartyLessThanOrEqualTo16,
}
@ -62,7 +66,7 @@ pub fn gen_mp_keys_phase1(
) -> CommonReferenceSeededCollectivePublicKeyShare<Vec<u64>, [u8; 32], BoolParameters<u64>> {
let seed = MultiPartyCrs::global().public_key_share_seed::<DefaultSecureRng>();
BoolEvaluator::with_local(|e| {
let pk_share = e.multi_party_public_key_share(seed, &ck);
let pk_share = e.multi_party_public_key_share(seed, ck);
pk_share
})
}
@ -167,3 +171,91 @@ impl Global for RuntimeServerKey {
BOOL_SERVER_KEY.get().expect("Server key not set!")
}
}
mod impl_enc_dec {
use crate::{
pbs::{sample_extract, PbsInfo},
rgsw::public_key_encrypt_rlwe,
Decryptor, Encryptor, Matrix, MatrixEntity, MultiPartyDecryptor, RowEntity,
};
use num_traits::Zero;
use super::*;
type Mat = Vec<Vec<u64>>;
impl<E> Encryptor<bool, Vec<u64>> for super::super::keys::ClientKey<[u8; 32], E> {
fn encrypt(&self, m: &bool) -> Vec<u64> {
BoolEvaluator::with_local(|e| e.sk_encrypt(*m, self))
}
}
impl<E> Decryptor<bool, Vec<u64>> for super::super::keys::ClientKey<[u8; 32], E> {
fn decrypt(&self, c: &Vec<u64>) -> bool {
BoolEvaluator::with_local(|e| e.sk_decrypt(c, self))
}
}
impl<E> MultiPartyDecryptor<bool, <Mat as Matrix>::R>
for super::super::keys::ClientKey<[u8; 32], E>
{
type DecryptionShare = <Mat as Matrix>::MatElement;
fn gen_decryption_share(&self, c: &<Mat as Matrix>::R) -> Self::DecryptionShare {
BoolEvaluator::with_local(|e| e.multi_party_decryption_share(c, self))
}
fn aggregate_decryption_shares(
&self,
c: &<Mat as Matrix>::R,
shares: &[Self::DecryptionShare],
) -> bool {
BoolEvaluator::with_local(|e| e.multi_party_decrypt(shares, c))
}
}
impl<Rng, ModOp> Encryptor<[bool], Mat> for PublicKey<Mat, Rng, ModOp> {
fn encrypt(&self, m: &[bool]) -> Mat {
BoolEvaluator::with_local(|e| {
DefaultSecureRng::with_local_mut(|rng| {
let parameters = e.parameters();
let mut rlwe_out = <Mat as MatrixEntity>::zeros(2, parameters.rlwe_n().0);
assert!(m.len() <= parameters.rlwe_n().0);
let mut message =
vec![<Mat as Matrix>::MatElement::zero(); parameters.rlwe_n().0];
m.iter().enumerate().for_each(|(i, v)| {
if *v {
message[i] = parameters.rlwe_q().true_el()
} else {
message[i] = parameters.rlwe_q().false_el()
}
});
// e.pk_encrypt_batched(self.key(), m)
public_key_encrypt_rlwe::<_, _, _, _, i32, _>(
&mut rlwe_out,
self.key(),
&message,
e.pbs_info().modop_rlweq(),
e.pbs_info().nttop_rlweq(),
rng,
);
rlwe_out
})
})
}
}
impl<Rng, ModOp> Encryptor<bool, <Mat as Matrix>::R> for PublicKey<Mat, Rng, ModOp> {
fn encrypt(&self, m: &bool) -> <Mat as Matrix>::R {
let m = vec![*m];
let rlwe = self.encrypt(m.as_slice());
BoolEvaluator::with_local(|e| {
let mut lwe = <Mat as Matrix>::R::zeros(e.parameters().rlwe_n().0 + 1);
sample_extract(&mut lwe, &rlwe, e.pbs_info().modop_rlweq(), 0);
lwe
})
}
}
}

+ 66
- 0
src/bool/ni_mp_api.rs
View File

@ -0,0 +1,66 @@
mod impl_enc_dec {
use crate::{
bool::{
evaluator::{BoolEncoding, BoolEvaluator},
keys::NonInteractiveMultiPartyClientKey,
parameters::CiphertextModulus,
},
pbs::PbsInfo,
random::{DefaultSecureRng, NewWithSeed},
rgsw::secret_key_encrypt_rlwe,
utils::{TryConvertFrom1, WithLocal},
Encryptor, Matrix, RowEntity,
};
use num_traits::Zero;
trait SeededCiphertext<M, S> {
fn new_with_seed(data: M, seed: S) -> Self;
}
type Mat = Vec<Vec<u64>>;
impl<K, C> Encryptor<[bool], C> for K
where
K: NonInteractiveMultiPartyClientKey,
C: SeededCiphertext<<Mat as Matrix>::R, <DefaultSecureRng as NewWithSeed>::Seed>,
<Mat as Matrix>::R:
TryConvertFrom1<[K::Element], CiphertextModulus<<Mat as Matrix>::MatElement>>,
{
fn encrypt(&self, m: &[bool]) -> C {
BoolEvaluator::with_local(|e| {
let parameters = e.parameters();
assert!(m.len() <= parameters.rlwe_n().0);
let mut message = vec![<Mat as Matrix>::MatElement::zero(); parameters.rlwe_n().0];
m.iter().enumerate().for_each(|(i, v)| {
if *v {
message[i] = parameters.rlwe_q().true_el()
} else {
message[i] = parameters.rlwe_q().false_el()
}
});
DefaultSecureRng::with_local_mut(|rng| {
let mut seed = <DefaultSecureRng as NewWithSeed>::Seed::default();
rng.fill_bytes(&mut seed);
let mut prng = DefaultSecureRng::new_seeded(seed);
let mut rlwe_out =
<<Mat as Matrix>::R as RowEntity>::zeros(parameters.rlwe_n().0);
secret_key_encrypt_rlwe(
&message,
&mut rlwe_out,
&self.sk_u_rlwe(),
e.pbs_info().modop_rlweq(),
e.pbs_info().nttop_rlweq(),
&mut prng,
rng,
);
C::new_with_seed(rlwe_out, seed)
})
})
}
}
}

+ 25
- 30
src/bool/noise.rs
View File

@ -2,19 +2,17 @@ mod test {
use itertools::{izip, Itertools};
use crate::{
backend::{ArithmeticOps, ModularOpsU64, Modulus, ModulusPowerOf2},
backend::{ModularOpsU64, ModulusPowerOf2},
bool::{
BoolEncoding, BoolEvaluator, BooleanGates, CiphertextModulus, ClientKey, PublicKey,
ServerKeyEvaluationDomain, ShoupServerKeyEvaluationDomain, MP_BOOL_PARAMS,
SMALL_MP_BOOL_PARAMS,
evaluator::{BoolEncoding, BoolEvaluator, BooleanGates},
keys::{
InteractiveMultiPartyClientKey, PublicKey, ServerKeyEvaluationDomain,
ShoupServerKeyEvaluationDomain,
},
parameters::{CiphertextModulus, SMALL_MP_BOOL_PARAMS},
},
lwe::{decrypt_lwe, LweSecret},
ntt::NttBackendU64,
pbs::PbsInfo,
random::DefaultSecureRng,
rgsw::RlweSecret,
utils::Stats,
Ntt, Secret,
};
#[test]
@ -42,29 +40,26 @@ mod test {
.collect_vec();
// construct ideal rlwe sk for meauring noise
let ideal_client_key = {
let mut ideal_rlwe_sk = vec![0i32; evaluator.parameters().rlwe_n().0];
cks.iter().for_each(|k| {
izip!(ideal_rlwe_sk.iter_mut(), k.sk_rlwe().values()).for_each(|(ideal_i, s_i)| {
*ideal_i = *ideal_i + s_i;
});
});
let mut ideal_lwe_sk = vec![0i32; evaluator.parameters().lwe_n().0];
cks.iter().for_each(|k| {
izip!(ideal_lwe_sk.iter_mut(), k.sk_lwe().values()).for_each(|(ideal_i, s_i)| {
*ideal_i = *ideal_i + s_i;
});
let mut ideal_rlwe_sk = vec![0i32; evaluator.parameters().rlwe_n().0];
cks.iter().for_each(|k| {
izip!(
ideal_rlwe_sk.iter_mut(),
InteractiveMultiPartyClientKey::sk_rlwe(k)
)
.for_each(|(ideal_i, s_i)| {
*ideal_i = *ideal_i + s_i;
});
ClientKey::new(
RlweSecret {
values: ideal_rlwe_sk,
},
LweSecret {
values: ideal_lwe_sk,
},
});
let mut ideal_lwe_sk = vec![0i32; evaluator.parameters().lwe_n().0];
cks.iter().for_each(|k| {
izip!(
ideal_lwe_sk.iter_mut(),
InteractiveMultiPartyClientKey::sk_lwe(k)
)
};
.for_each(|(ideal_i, s_i)| {
*ideal_i = *ideal_i + s_i;
});
});
// round 1
let pk_shares = cks

+ 297
- 292
src/noise.rs
View File

@ -1,292 +1,297 @@
#[cfg(test)]
mod tests {
use itertools::{izip, Itertools};
use num_traits::zero;
use rand::{thread_rng, Rng};
use crate::{
bool::keys::ClientKey,
ntt,
random::{
DefaultSecureRng, RandomFill, RandomFillGaussianInModulus, RandomFillUniformInModulus,
},
utils::{
fill_random_ternary_secret_with_hamming_weight, generate_prime, Stats, TryConvertFrom1,
},
ArithmeticOps, Decomposer, DefaultDecomposer, ModInit, ModularOpsU64, Ntt, NttBackendU64,
NttInit, VectorOps,
};
#[test]
fn non_interactive_multi_party() {
let logq = 56;
let ring_size = 1usize << 11;
let q = generate_prime(logq, 2 * ring_size as u64, 1 << logq).unwrap();
let logb = 1;
let d = 56;
let decomposer = DefaultDecomposer::new(q, logb, d);
let gadget_vec = decomposer.gadget_vector();
let mut rng = DefaultSecureRng::new();
let modop = ModularOpsU64::new(q);
let nttop = NttBackendU64::new(&q, ring_size);
let no_of_parties = 16;
let client_secrets = (0..no_of_parties)
.into_iter()
.map(|_| {
let mut sk = vec![0i64; ring_size];
fill_random_ternary_secret_with_hamming_weight(&mut sk, ring_size >> 1, &mut rng);
sk
})
.collect_vec();
let mut s_ideal = vec![0i64; ring_size];
client_secrets.iter().for_each(|s| {
izip!(s_ideal.iter_mut(), s.iter()).for_each(|(add_to, v)| {
*add_to = *add_to + *v;
});
});
let sk_poly_ideal = Vec::<u64>::try_convert_from(s_ideal.as_slice(), &q);
let mut sk_poly_ideal_eval = sk_poly_ideal.clone();
nttop.forward(&mut sk_poly_ideal_eval);
let mut ksk_seed = [0u8; 32];
rng.fill_bytes(&mut ksk_seed);
// zero encryptions for each party for ksk(u)
let client_zero_encs = {
client_secrets
.iter()
.map(|sk| {
let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(), &q);
let mut sk_poly_eval = sk_poly.clone();
nttop.forward(sk_poly_eval.as_mut_slice());
let mut zero_encs =
vec![vec![0u64; ring_size]; decomposer.decomposition_count()];
let mut ksk_prng = DefaultSecureRng::new_seeded(ksk_seed);
zero_encs.iter_mut().for_each(|out| {
RandomFillUniformInModulus::random_fill(
&mut ksk_prng,
&q,
out.as_mut_slice(),
);
nttop.forward(out.as_mut_slice());
modop.elwise_mul_mut(out.as_mut_slice(), &sk_poly_eval);
nttop.backward(out.as_mut_slice());
let mut error = vec![0u64; ring_size];
RandomFillGaussianInModulus::random_fill(&mut rng, &q, &mut error);
modop.elwise_add_mut(out.as_mut_slice(), &error);
});
zero_encs
})
.collect_vec()
};
// main values
let main_a = {
let mut a = vec![0u64; ring_size];
RandomFillUniformInModulus::random_fill(&mut rng, &q, &mut a);
a
};
let main_m = {
let mut main_m = vec![0u64; ring_size];
RandomFillUniformInModulus::random_fill(&mut rng, &q, &mut main_m);
main_m
};
let mut main_u = vec![0i64; ring_size];
fill_random_ternary_secret_with_hamming_weight(&mut main_u, ring_size >> 1, &mut rng);
let u_main_poly = Vec::<u64>::try_convert_from(main_u.as_slice(), &q);
let mut u_main_poly_eval = u_main_poly.clone();
nttop.forward(u_main_poly_eval.as_mut_slice());
// party 0
let (mut party0_ksk_u, mut rlwe_main_m_parta) = {
// party 0's secret
let sk = client_secrets[0].clone();
let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(), &q);
let mut sk_poly_eval = sk_poly.clone();
nttop.forward(sk_poly_eval.as_mut_slice());
// `main_a*u + main_m` with ephemeral key u
let mut rlwe_main_m = main_a.clone();
nttop.forward(&mut rlwe_main_m);
modop.elwise_mul_mut(&mut rlwe_main_m, &u_main_poly_eval);
nttop.backward(&mut rlwe_main_m);
let mut error = vec![0u64; ring_size];
RandomFillGaussianInModulus::random_fill(&mut rng, &q, &mut error);
modop.elwise_add_mut(&mut rlwe_main_m, &error);
modop.elwise_add_mut(&mut rlwe_main_m, &main_m);
// Generate KSK(u)
let mut ksk_prng = DefaultSecureRng::new_seeded(ksk_seed);
let mut ksk_u = vec![vec![0u64; ring_size]; 2 * decomposer.decomposition_count()];
let (ksk_u_a, ksk_u_b) = ksk_u.split_at_mut(decomposer.decomposition_count());
izip!(ksk_u_b.iter_mut(), ksk_u_a.iter_mut(), gadget_vec.iter()).for_each(
|(row_b, row_a, beta_i)| {
// sample a
RandomFillUniformInModulus::random_fill(&mut ksk_prng, &q, row_a.as_mut());
// s_i * a
let mut s_i_a = row_a.clone();
nttop.forward(&mut s_i_a);
modop.elwise_mul_mut(&mut s_i_a, &sk_poly_eval);
nttop.backward(&mut s_i_a);
// \beta * u
let mut beta_u = u_main_poly.clone();
modop.elwise_scalar_mul_mut(beta_u.as_mut_slice(), beta_i);
// e
RandomFillGaussianInModulus::random_fill(&mut rng, &q, row_b.as_mut_slice());
// e + \beta * u
modop.elwise_add_mut(row_b.as_mut_slice(), &beta_u);
// b = e + \beta * u + a * s_i
modop.elwise_add_mut(row_b.as_mut_slice(), &s_i_a);
},
);
// send ksk u from s_0 to s_{ideal}
ksk_u_b.iter_mut().enumerate().for_each(|(index, out_b)| {
// note: skip zero encryption of party 0
client_zero_encs.iter().skip(1).for_each(|encs| {
modop.elwise_add_mut(out_b, &encs[index]);
});
});
// // put ksk in fourier domain
// ksk_u
// .iter_mut()
// .for_each(|r| nttop.forward(r.as_mut_slice()));
(ksk_u, rlwe_main_m)
};
// Check ksk_u is correct
// {
// let (ksk_a, ksk_b) =
// party0_ksk_u.split_at_mut(decomposer.decomposition_count());
// izip!(
// ksk_a.iter(),
// ksk_b.iter(),
// decomposer.gadget_vector().iter()
// )
// .for_each(|(row_a, row_b, beta_i)| {
// // a * s
// let mut sa = row_a.clone();
// nttop.forward(&mut sa);
// modop.elwise_mul_mut(&mut sa, &sk_poly_ideal_eval);
// nttop.backward(&mut sa);
// // b - a*s
// let mut out = sa;
// modop.elwise_neg_mut(&mut out);
// modop.elwise_add_mut(&mut out, row_b);
// // beta * u
// let mut expected = u_main_poly.clone();
// modop.elwise_scalar_mul_mut(&mut expected, beta_i);
// assert_eq!(expected, out);
// });
// }
// RLWE(0) = main_a * s + e = \sum main_a*s_i + e_i
let rlwe_to_switch = {
let mut sum = vec![0u64; ring_size];
client_secrets.iter().for_each(|sk| {
let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(), &q);
let mut sk_poly_eval = sk_poly.clone();
nttop.forward(sk_poly_eval.as_mut_slice());
// a * s
let mut rlwe = main_a.clone();
nttop.forward(&mut rlwe);
modop.elwise_mul_mut(rlwe.as_mut_slice(), &sk_poly_eval);
nttop.backward(&mut rlwe);
// a * s + e
let mut error = vec![0u64; ring_size];
RandomFillGaussianInModulus::random_fill(&mut rng, &q, &mut error);
modop.elwise_add_mut(&mut rlwe, &error);
modop.elwise_add_mut(&mut sum, &rlwe);
});
sum
};
// {
// let mut tmp = main_a.clone();
// nttop.forward(&mut tmp);
// modop.elwise_mul_mut(&mut tmp, &sk_poly_ideal_eval);
// nttop.backward(&mut tmp);
// assert_eq!(&rlwe_to_switch, &tmp);
// }
// Key switch \sum decomp<RLWE(0)> * KSK(i)
let mut decomp_rlwe = vec![vec![0u64; ring_size]; decomposer.decomposition_count()];
rlwe_to_switch.iter().enumerate().for_each(|(ri, el)| {
decomposer
.decompose_iter(el)
.enumerate()
.for_each(|(j, d_el)| {
decomp_rlwe[j][ri] = d_el;
});
});
// put ksk_u and decomp<RLWE(main_a*s_ideal + e)> in fourier domain
decomp_rlwe
.iter_mut()
.for_each(|r| nttop.forward(r.as_mut_slice()));
party0_ksk_u
.iter_mut()
.for_each(|r| nttop.forward(r.as_mut_slice()));
let (ksk_u_a, ksk_u_b) = party0_ksk_u.split_at(decomposer.decomposition_count());
let mut rlwe_main_m_partb_eval = vec![vec![0u64; ring_size]; 2];
izip!(decomp_rlwe.iter(), ksk_u_a.iter(), ksk_u_b.iter()).for_each(|(o, a, b)| {
// A part
// rlwe[0] += o*a
izip!(rlwe_main_m_partb_eval[0].iter_mut(), o.iter(), a.iter()).for_each(
|(r, o, a)| {
*r = modop.add(r, &modop.mul(o, a));
},
);
// B part
// rlwe[1] += o*b
izip!(rlwe_main_m_partb_eval[1].iter_mut(), o.iter(), b.iter()).for_each(
|(r, o, b)| {
*r = modop.add(r, &modop.mul(o, b));
},
);
});
// construct RLWE_{s_{ideal}}(-sm)
nttop.forward(rlwe_main_m_parta.as_mut_slice());
modop.elwise_add_mut(&mut rlwe_main_m_partb_eval[0], &rlwe_main_m_parta);
let rlwe_main_m_eval = rlwe_main_m_partb_eval;
// decrypt RLWE_{s_{ideal}}(m) and check
let mut neg_s_m_main_out = rlwe_main_m_eval[0].clone();
modop.elwise_mul_mut(&mut neg_s_m_main_out, &sk_poly_ideal_eval);
modop.elwise_neg_mut(&mut neg_s_m_main_out);
modop.elwise_add_mut(&mut neg_s_m_main_out, &rlwe_main_m_eval[1]);
nttop.backward(&mut neg_s_m_main_out);
let mut neg_s_main_m = main_m.clone();
nttop.forward(&mut neg_s_main_m);
modop.elwise_mul_mut(&mut neg_s_main_m, &sk_poly_ideal_eval);
modop.elwise_neg_mut(&mut neg_s_main_m);
nttop.backward(&mut neg_s_main_m);
let mut diff = neg_s_m_main_out.clone();
modop.elwise_sub_mut(&mut diff, &neg_s_main_m);
let mut stat = Stats::new();
stat.add_more(&Vec::<i64>::try_convert_from(&diff, &q));
println!("Log2 Std: {}", stat.std_dev().abs().log2());
}
}
// #[cfg(test)]
// mod tests {
// use itertools::{izip, Itertools};
// use num_traits::zero;
// use rand::{thread_rng, Rng};
// use crate::{
// bool::keys::ClientKey,
// ntt,
// random::{
// DefaultSecureRng, RandomFill, RandomFillGaussianInModulus,
// RandomFillUniformInModulus, },
// utils::{
// fill_random_ternary_secret_with_hamming_weight, generate_prime,
// Stats, TryConvertFrom1, },
// ArithmeticOps, Decomposer, DefaultDecomposer, ModInit, ModularOpsU64,
// Ntt, NttBackendU64, NttInit, VectorOps,
// };
// #[test]
// fn non_interactive_multi_party() {
// let logq = 56;
// let ring_size = 1usize << 11;
// let q = generate_prime(logq, 2 * ring_size as u64, 1 <<
// logq).unwrap(); let logb = 1;
// let d = 56;
// let decomposer = DefaultDecomposer::new(q, logb, d);
// let gadget_vec = decomposer.gadget_vector();
// let mut rng = DefaultSecureRng::new();
// let modop = ModularOpsU64::new(q);
// let nttop = NttBackendU64::new(&q, ring_size);
// let no_of_parties = 16;
// let client_secrets = (0..no_of_parties)
// .into_iter()
// .map(|_| {
// let mut sk = vec![0i64; ring_size];
// fill_random_ternary_secret_with_hamming_weight(&mut sk,
// ring_size >> 1, &mut rng); sk
// })
// .collect_vec();
// let mut s_ideal = vec![0i64; ring_size];
// client_secrets.iter().for_each(|s| {
// izip!(s_ideal.iter_mut(), s.iter()).for_each(|(add_to, v)| {
// *add_to = *add_to + *v;
// });
// });
// let sk_poly_ideal = Vec::<u64>::try_convert_from(s_ideal.as_slice(),
// &q); let mut sk_poly_ideal_eval = sk_poly_ideal.clone();
// nttop.forward(&mut sk_poly_ideal_eval);
// let mut ksk_seed = [0u8; 32];
// rng.fill_bytes(&mut ksk_seed);
// // zero encryptions for each party for ksk(u)
// let client_zero_encs = {
// client_secrets
// .iter()
// .map(|sk| {
// let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(),
// &q); let mut sk_poly_eval = sk_poly.clone();
// nttop.forward(sk_poly_eval.as_mut_slice());
// let mut zero_encs =
// vec![vec![0u64; ring_size];
// decomposer.decomposition_count()]; let mut ksk_prng =
// DefaultSecureRng::new_seeded(ksk_seed);
// zero_encs.iter_mut().for_each(|out| {
// RandomFillUniformInModulus::random_fill( &mut
// ksk_prng, &q,
// out.as_mut_slice(),
// );
// nttop.forward(out.as_mut_slice());
// modop.elwise_mul_mut(out.as_mut_slice(),
// &sk_poly_eval); nttop.backward(out.as_mut_slice());
// let mut error = vec![0u64; ring_size];
// RandomFillGaussianInModulus::random_fill(&mut rng,
// &q, &mut error);
// modop.elwise_add_mut(out.as_mut_slice(), &error);
// });
// zero_encs
// })
// .collect_vec()
// };
// // main values
// let main_a = {
// let mut a = vec![0u64; ring_size];
// RandomFillUniformInModulus::random_fill(&mut rng, &q, &mut a);
// a
// };
// let main_m = {
// let mut main_m = vec![0u64; ring_size];
// RandomFillUniformInModulus::random_fill(&mut rng, &q, &mut
// main_m); main_m
// };
// let mut main_u = vec![0i64; ring_size];
// fill_random_ternary_secret_with_hamming_weight(&mut main_u, ring_size
// >> 1, &mut rng); let u_main_poly =
// Vec::<u64>::try_convert_from(main_u.as_slice(), &q); let mut
// u_main_poly_eval = u_main_poly.clone(); nttop.
// forward(u_main_poly_eval.as_mut_slice());
// // party 0
// let (mut party0_ksk_u, mut rlwe_main_m_parta) = {
// // party 0's secret
// let sk = client_secrets[0].clone();
// let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(), &q);
// let mut sk_poly_eval = sk_poly.clone();
// nttop.forward(sk_poly_eval.as_mut_slice());
// // `main_a*u + main_m` with ephemeral key u
// let mut rlwe_main_m = main_a.clone();
// nttop.forward(&mut rlwe_main_m);
// modop.elwise_mul_mut(&mut rlwe_main_m, &u_main_poly_eval);
// nttop.backward(&mut rlwe_main_m);
// let mut error = vec![0u64; ring_size];
// RandomFillGaussianInModulus::random_fill(&mut rng, &q, &mut
// error); modop.elwise_add_mut(&mut rlwe_main_m, &error);
// modop.elwise_add_mut(&mut rlwe_main_m, &main_m);
// // Generate KSK(u)
// let mut ksk_prng = DefaultSecureRng::new_seeded(ksk_seed);
// let mut ksk_u = vec![vec![0u64; ring_size]; 2 *
// decomposer.decomposition_count()]; let (ksk_u_a, ksk_u_b) =
// ksk_u.split_at_mut(decomposer.decomposition_count());
// izip!(ksk_u_b.iter_mut(), ksk_u_a.iter_mut(), gadget_vec.iter()).for_each( |(row_b, row_a, beta_i)| {
// // sample a
// RandomFillUniformInModulus::random_fill(&mut ksk_prng,
// &q, row_a.as_mut());
// // s_i * a
// let mut s_i_a = row_a.clone();
// nttop.forward(&mut s_i_a);
// modop.elwise_mul_mut(&mut s_i_a, &sk_poly_eval);
// nttop.backward(&mut s_i_a);
// // \beta * u
// let mut beta_u = u_main_poly.clone();
// modop.elwise_scalar_mul_mut(beta_u.as_mut_slice(),
// beta_i);
// // e
// RandomFillGaussianInModulus::random_fill(&mut rng, &q,
// row_b.as_mut_slice()); // e + \beta * u
// modop.elwise_add_mut(row_b.as_mut_slice(), &beta_u);
// // b = e + \beta * u + a * s_i
// modop.elwise_add_mut(row_b.as_mut_slice(), &s_i_a);
// },
// );
// // send ksk u from s_0 to s_{ideal}
// ksk_u_b.iter_mut().enumerate().for_each(|(index, out_b)| {
// // note: skip zero encryption of party 0
// client_zero_encs.iter().skip(1).for_each(|encs| {
// modop.elwise_add_mut(out_b, &encs[index]);
// });
// });
// // // put ksk in fourier domain
// // ksk_u
// // .iter_mut()
// // .for_each(|r| nttop.forward(r.as_mut_slice()));
// (ksk_u, rlwe_main_m)
// };
// // Check ksk_u is correct
// // {
// // let (ksk_a, ksk_b) =
// // party0_ksk_u.split_at_mut(decomposer.decomposition_count());
// // izip!(
// // ksk_a.iter(),
// // ksk_b.iter(),
// // decomposer.gadget_vector().iter()
// // )
// // .for_each(|(row_a, row_b, beta_i)| {
// // // a * s
// // let mut sa = row_a.clone();
// // nttop.forward(&mut sa);
// // modop.elwise_mul_mut(&mut sa, &sk_poly_ideal_eval);
// // nttop.backward(&mut sa);
// // // b - a*s
// // let mut out = sa;
// // modop.elwise_neg_mut(&mut out);
// // modop.elwise_add_mut(&mut out, row_b);
// // // beta * u
// // let mut expected = u_main_poly.clone();
// // modop.elwise_scalar_mul_mut(&mut expected, beta_i);
// // assert_eq!(expected, out);
// // });
// // }
// // RLWE(0) = main_a * s + e = \sum main_a*s_i + e_i
// let rlwe_to_switch = {
// let mut sum = vec![0u64; ring_size];
// client_secrets.iter().for_each(|sk| {
// let sk_poly = Vec::<u64>::try_convert_from(sk.as_slice(),
// &q); let mut sk_poly_eval = sk_poly.clone();
// nttop.forward(sk_poly_eval.as_mut_slice());
// // a * s
// let mut rlwe = main_a.clone();
// nttop.forward(&mut rlwe);
// modop.elwise_mul_mut(rlwe.as_mut_slice(), &sk_poly_eval);
// nttop.backward(&mut rlwe);
// // a * s + e
// let mut error = vec![0u64; ring_size];
// RandomFillGaussianInModulus::random_fill(&mut rng, &q, &mut
// error); modop.elwise_add_mut(&mut rlwe, &error);
// modop.elwise_add_mut(&mut sum, &rlwe);
// });
// sum
// };
// // {
// // let mut tmp = main_a.clone();
// // nttop.forward(&mut tmp);
// // modop.elwise_mul_mut(&mut tmp, &sk_poly_ideal_eval);
// // nttop.backward(&mut tmp);
// // assert_eq!(&rlwe_to_switch, &tmp);
// // }
// // Key switch \sum decomp<RLWE(0)> * KSK(i)
// let mut decomp_rlwe = vec![vec![0u64; ring_size];
// decomposer.decomposition_count()]; rlwe_to_switch.iter().enumerate().
// for_each(|(ri, el)| { decomposer
// .decompose_iter(el)
// .enumerate()
// .for_each(|(j, d_el)| {
// decomp_rlwe[j][ri] = d_el;
// });
// });
// // put ksk_u and decomp<RLWE(main_a*s_ideal + e)> in fourier domain
// decomp_rlwe
// .iter_mut()
// .for_each(|r| nttop.forward(r.as_mut_slice()));
// party0_ksk_u
// .iter_mut()
// .for_each(|r| nttop.forward(r.as_mut_slice()));
// let (ksk_u_a, ksk_u_b) =
// party0_ksk_u.split_at(decomposer.decomposition_count()); let mut
// rlwe_main_m_partb_eval = vec![vec![0u64; ring_size]; 2]; izip!
// (decomp_rlwe.iter(), ksk_u_a.iter(), ksk_u_b.iter()).for_each(|(o, a, b)| {
// // A part
// // rlwe[0] += o*a
// izip!(rlwe_main_m_partb_eval[0].iter_mut(), o.iter(),
// a.iter()).for_each( |(r, o, a)| {
// *r = modop.add(r, &modop.mul(o, a));
// },
// );
// // B part
// // rlwe[1] += o*b
// izip!(rlwe_main_m_partb_eval[1].iter_mut(), o.iter(),
// b.iter()).for_each( |(r, o, b)| {
// *r = modop.add(r, &modop.mul(o, b));
// },
// );
// });
// // construct RLWE_{s_{ideal}}(-sm)
// nttop.forward(rlwe_main_m_parta.as_mut_slice());
// modop.elwise_add_mut(&mut rlwe_main_m_partb_eval[0],
// &rlwe_main_m_parta); let rlwe_main_m_eval = rlwe_main_m_partb_eval;
// // decrypt RLWE_{s_{ideal}}(m) and check
// let mut neg_s_m_main_out = rlwe_main_m_eval[0].clone();
// modop.elwise_mul_mut(&mut neg_s_m_main_out, &sk_poly_ideal_eval);
// modop.elwise_neg_mut(&mut neg_s_m_main_out);
// modop.elwise_add_mut(&mut neg_s_m_main_out, &rlwe_main_m_eval[1]);
// nttop.backward(&mut neg_s_m_main_out);
// let mut neg_s_main_m = main_m.clone();
// nttop.forward(&mut neg_s_main_m);
// modop.elwise_mul_mut(&mut neg_s_main_m, &sk_poly_ideal_eval);
// modop.elwise_neg_mut(&mut neg_s_main_m);
// nttop.backward(&mut neg_s_main_m);
// let mut diff = neg_s_m_main_out.clone();
// modop.elwise_sub_mut(&mut diff, &neg_s_main_m);
// let mut stat = Stats::new();
// stat.add_more(&Vec::<i64>::try_convert_from(&diff, &q));
// println!("Log2 Std: {}", stat.std_dev().abs().log2());
// }
// }

+ 2
- 5
src/shortint/mod.rs
View File

@ -1,7 +1,7 @@
use itertools::Itertools;
use crate::{
bool::keys::{ClientKey, PublicKey},
bool::{ClientKey, PublicKey},
Decryptor, Encryptor, MultiPartyDecryptor,
};
@ -97,10 +97,7 @@ mod frontend {
eight_bit_mul,
};
use crate::{
bool::{
evaluator::{self, BoolEvaluator, BooleanGates},
keys::{ServerKeyEvaluationDomain, ShoupServerKeyEvaluationDomain},
},
bool::evaluator::{BoolEvaluator, BooleanGates},
utils::{Global, WithLocal},
};

+ 11
- 0
src/utils.rs
View File

@ -190,6 +190,17 @@ pub fn negacyclic_mul T>(
return r;
}
pub(crate) fn puncture_p_rng<S: Default + Copy, R: RandomFill<S>>(
p_rng: &mut R,
times: usize,
) -> S {
let mut out = S::default();
for _ in 0..times {
RandomFill::<S>::random_fill(p_rng, &mut out);
}
return out;
}
pub trait TryConvertFrom1<T: ?Sized, P> {
fn try_convert_from(value: &T, parameters: &P) -> Self;
}

Write Preview
Loading…
Cancel
Save