use itertools::{izip, Itertools}; use num_traits::{PrimInt, Signed, ToPrimitive, Zero}; use std::{ clone, fmt::Debug, iter, marker::PhantomData, ops::{Div, Neg, Sub}, }; use crate::{ backend::{ArithmeticOps, GetModulus, Modulus, VectorOps}, decomposer::{self, Decomposer, RlweDecomposer}, ntt::{self, Ntt, NttInit}, random::{ DefaultSecureRng, NewWithSeed, RandomElementInModulus, RandomFill, RandomFillGaussianInModulus, RandomFillUniformInModulus, }, utils::{fill_random_ternary_secret_with_hamming_weight, ToShoup, TryConvertFrom1, WithLocal}, Matrix, MatrixEntity, MatrixMut, Row, RowEntity, RowMut, Secret, }; mod keygen; mod runtime; pub(crate) use keygen::*; pub(crate) use runtime::*; pub struct SeededAutoKey where M: Matrix, { data: M, seed: S, modulus: Mod, } impl> SeededAutoKey { fn empty(ring_size: usize, auto_decomposer: &D, seed: S, modulus: Mod) -> Self { SeededAutoKey { data: M::zeros(auto_decomposer.decomposition_count(), ring_size), seed, modulus, } } } pub struct AutoKeyEvaluationDomain { data: M, _phantom: PhantomData<(R, N)>, modulus: Mod, } impl< M: MatrixMut + MatrixEntity, Mod: Modulus + Clone, R: RandomFillUniformInModulus<[M::MatElement], Mod> + NewWithSeed, N: NttInit + Ntt, > From<&SeededAutoKey> for AutoKeyEvaluationDomain where ::R: RowMut, M::MatElement: Copy, R::Seed: Clone, { fn from(value: &SeededAutoKey) -> Self { let (d, ring_size) = value.data.dimension(); let mut data = M::zeros(2 * d, ring_size); // sample RLWE'_A(-s(X^k)) let mut p_rng = R::new_with_seed(value.seed.clone()); data.iter_rows_mut().take(d).for_each(|r| { RandomFillUniformInModulus::random_fill(&mut p_rng, &value.modulus, r.as_mut()); }); // copy over RLWE'_B(-s(X^k)) izip!(data.iter_rows_mut().skip(d), value.data.iter_rows()).for_each(|(to_r, from_r)| { to_r.as_mut().copy_from_slice(from_r.as_ref()); }); // send RLWE'(-s(X^k)) polynomials to evaluation domain let ntt_op = N::new(&value.modulus, ring_size); data.iter_rows_mut() .for_each(|r| ntt_op.forward(r.as_mut())); AutoKeyEvaluationDomain { data, _phantom: PhantomData, modulus: value.modulus.clone(), } } } pub struct ShoupAutoKeyEvaluationDomain { data: M, } impl, Mod: Modulus, R, N> From<&AutoKeyEvaluationDomain> for ShoupAutoKeyEvaluationDomain { fn from(value: &AutoKeyEvaluationDomain) -> Self { Self { data: M::to_shoup(&value.data, value.modulus.q().unwrap()), } } } pub struct RgswCiphertext { /// Rgsw ciphertext polynomials pub(crate) data: M, modulus: Mod, /// Decomposition for RLWE part A d_a: usize, /// Decomposition for RLWE part B d_b: usize, } impl> RgswCiphertext { pub(crate) fn empty( ring_size: usize, decomposer: &D, modulus: Mod, ) -> RgswCiphertext { RgswCiphertext { data: M::zeros( decomposer.a().decomposition_count() * 2 + decomposer.b().decomposition_count() * 2, ring_size, ), d_a: decomposer.a().decomposition_count(), d_b: decomposer.b().decomposition_count(), modulus, } } } pub struct SeededRgswCiphertext where M: Matrix, { pub(crate) data: M, seed: S, modulus: Mod, /// Decomposition for RLWE part A d_a: usize, /// Decomposition for RLWE part B d_b: usize, } impl SeededRgswCiphertext { pub(crate) fn empty( ring_size: usize, decomposer: &D, seed: S, modulus: Mod, ) -> SeededRgswCiphertext { SeededRgswCiphertext { data: M::zeros( decomposer.a().decomposition_count() * 2 + decomposer.b().decomposition_count(), ring_size, ), seed, modulus, d_a: decomposer.a().decomposition_count(), d_b: decomposer.b().decomposition_count(), } } } impl Debug for SeededRgswCiphertext where M::MatElement: Debug, { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.debug_struct("SeededRgswCiphertext") .field("data", &self.data) .field("seed", &self.seed) .field("modulus", &self.modulus) .finish() } } pub struct RgswCiphertextEvaluationDomain { pub(crate) data: M, modulus: Mod, _phantom: PhantomData<(R, N)>, } impl< M: MatrixMut + MatrixEntity, Mod: Modulus + Clone, R: NewWithSeed + RandomFillUniformInModulus<[M::MatElement], Mod>, N: NttInit + Ntt + Debug, > From<&SeededRgswCiphertext> for RgswCiphertextEvaluationDomain where ::R: RowMut, M::MatElement: Copy, R::Seed: Clone, M: Debug, { fn from(value: &SeededRgswCiphertext) -> Self { let mut data = M::zeros(value.d_a * 2 + value.d_b * 2, value.data.dimension().1); // copy RLWE'(-sm) izip!( data.iter_rows_mut().take(value.d_a * 2), value.data.iter_rows().take(value.d_a * 2) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // sample A polynomials of RLWE'(m) - RLWE'A(m) // TODO(Jay): Do we want to be generic over RandomGenerator used here? I think // not. let mut p_rng = R::new_with_seed(value.seed.clone()); izip!(data.iter_rows_mut().skip(value.d_a * 2).take(value.d_b * 1)) .for_each(|ri| p_rng.random_fill(&value.modulus, ri.as_mut())); // RLWE'_B(m) izip!( data.iter_rows_mut().skip(value.d_a * 2 + value.d_b), value.data.iter_rows().skip(value.d_a * 2) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // Send polynomials to evaluation domain let ring_size = data.dimension().1; let nttop = N::new(&value.modulus, ring_size); data.iter_rows_mut() .for_each(|ri| nttop.forward(ri.as_mut())); Self { data: data, modulus: value.modulus.clone(), _phantom: PhantomData, } } } impl< M: MatrixMut + MatrixEntity, Mod: Modulus + Clone, R, N: NttInit + Ntt, > From<&RgswCiphertext> for RgswCiphertextEvaluationDomain where ::R: RowMut, M::MatElement: Copy, M: Debug, { fn from(value: &RgswCiphertext) -> Self { let mut data = M::zeros(value.d_a * 2 + value.d_b * 2, value.data.dimension().1); // copy RLWE'(-sm) izip!( data.iter_rows_mut().take(value.d_a * 2), value.data.iter_rows().take(value.d_a * 2) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // copy RLWE'(m) izip!( data.iter_rows_mut().skip(value.d_a * 2), value.data.iter_rows().skip(value.d_a * 2) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // Send polynomials to evaluation domain let ring_size = data.dimension().1; let nttop = N::new(&value.modulus, ring_size); data.iter_rows_mut() .for_each(|ri| nttop.forward(ri.as_mut())); Self { data: data, modulus: value.modulus.clone(), _phantom: PhantomData, } } } impl Debug for RgswCiphertextEvaluationDomain { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.debug_struct("RgswCiphertextEvaluationDomain") .field("data", &self.data) .field("modulus", &self.modulus) .field("_phantom", &self._phantom) .finish() } } impl Matrix for RgswCiphertextEvaluationDomain { type MatElement = M::MatElement; type R = M::R; fn dimension(&self) -> (usize, usize) { self.data.dimension() } fn fits(&self, row: usize, col: usize) -> bool { self.data.fits(row, col) } } impl AsRef<[M::R]> for RgswCiphertextEvaluationDomain { fn as_ref(&self) -> &[M::R] { self.data.as_ref() } } pub struct ShoupRgswCiphertextEvaluationDomain { pub(crate) data: M, } impl, Mod: Modulus, R, N> From<&RgswCiphertextEvaluationDomain> for ShoupRgswCiphertextEvaluationDomain { fn from(value: &RgswCiphertextEvaluationDomain) -> Self { Self { data: M::to_shoup(&value.data, value.modulus.q().unwrap()), } } } pub struct SeededRlweCiphertext { pub(crate) data: R, pub(crate) seed: S, pub(crate) modulus: Mod, } impl SeededRlweCiphertext { pub(crate) fn empty(ring_size: usize, seed: S, modulus: Mod) -> Self { SeededRlweCiphertext { data: R::zeros(ring_size), seed, modulus, } } } pub struct RlweCiphertext { pub(crate) data: M, pub(crate) is_trivial: bool, pub(crate) _phatom: PhantomData, } impl RlweCiphertext { pub(crate) fn new_trivial(data: M) -> Self { RlweCiphertext { data, is_trivial: true, _phatom: PhantomData, } } } impl Matrix for RlweCiphertext { type MatElement = M::MatElement; type R = M::R; fn dimension(&self) -> (usize, usize) { self.data.dimension() } fn fits(&self, row: usize, col: usize) -> bool { self.data.fits(row, col) } } impl MatrixMut for RlweCiphertext where ::R: RowMut {} impl AsRef<[::R]> for RlweCiphertext { fn as_ref(&self) -> &[::R] { self.data.as_ref() } } impl AsMut<[::R]> for RlweCiphertext where ::R: RowMut, { fn as_mut(&mut self) -> &mut [::R] { self.data.as_mut() } } impl IsTrivial for RlweCiphertext { fn is_trivial(&self) -> bool { self.is_trivial } fn set_not_trivial(&mut self) { self.is_trivial = false; } } impl< R: Row, M: MatrixEntity + MatrixMut, Rng: NewWithSeed + RandomFillUniformInModulus<[M::MatElement], Mod>, Mod: Modulus, > From<&SeededRlweCiphertext> for RlweCiphertext where Rng::Seed: Clone, ::R: RowMut, R::Element: Copy, { fn from(value: &SeededRlweCiphertext) -> Self { let mut data = M::zeros(2, value.data.as_ref().len()); // sample a let mut p_rng = Rng::new_with_seed(value.seed.clone()); RandomFillUniformInModulus::random_fill(&mut p_rng, &value.modulus, data.get_row_mut(0)); data.get_row_mut(1).copy_from_slice(value.data.as_ref()); RlweCiphertext { data, is_trivial: false, _phatom: PhantomData, } } } pub trait IsTrivial { fn is_trivial(&self) -> bool; fn set_not_trivial(&mut self); } pub struct SeededRlwePublicKey { data: Ro, seed: S, modulus: Ro::Element, } impl SeededRlwePublicKey { pub(crate) fn empty(ring_size: usize, seed: S, modulus: Ro::Element) -> Self { Self { data: Ro::zeros(ring_size), seed, modulus, } } } pub struct RlwePublicKey { data: M, _phantom: PhantomData, } impl< M: MatrixMut + MatrixEntity, Rng: NewWithSeed + RandomFillUniformInModulus<[M::MatElement], M::MatElement>, > From<&SeededRlwePublicKey> for RlwePublicKey where ::R: RowMut, M::MatElement: Copy, Rng::Seed: Copy, { fn from(value: &SeededRlwePublicKey) -> Self { let mut data = M::zeros(2, value.data.as_ref().len()); // sample a let mut p_rng = Rng::new_with_seed(value.seed); RandomFillUniformInModulus::random_fill(&mut p_rng, &value.modulus, data.get_row_mut(0)); // copy over b data.get_row_mut(1).copy_from_slice(value.data.as_ref()); Self { data, _phantom: PhantomData, } } } #[derive(Clone)] pub struct RlweSecret { pub(crate) values: Vec, } impl Secret for RlweSecret { type Element = i32; fn values(&self) -> &[Self::Element] { &self.values } } impl RlweSecret { pub fn random(hw: usize, n: usize) -> RlweSecret { DefaultSecureRng::with_local_mut(|rng| { let mut out = vec![0i32; n]; fill_random_ternary_secret_with_hamming_weight(&mut out, hw, rng); RlweSecret { values: out } }) } } #[cfg(test)] pub(crate) mod tests { use std::{clone, marker::PhantomData, ops::Mul, vec}; use itertools::{izip, Itertools}; use rand::{thread_rng, Rng}; use crate::{ backend::{GetModulus, ModInit, ModularOpsU64, Modulus, VectorOps}, decomposer::{Decomposer, DefaultDecomposer, RlweDecomposer}, ntt::{Ntt, NttBackendU64, NttInit}, random::{DefaultSecureRng, RandomFillGaussianInModulus, RandomFillUniformInModulus}, rgsw::{ galois_auto_shoup, rlwe_by_rgsw_shoup, ShoupAutoKeyEvaluationDomain, ShoupRgswCiphertextEvaluationDomain, }, utils::{generate_prime, negacyclic_mul, tests::Stats, TryConvertFrom1}, Matrix, MatrixMut, Secret, }; use super::{ keygen::{ decrypt_rlwe, galois_key_gen, gen_rlwe_public_key, generate_auto_map, measure_noise, public_key_encrypt_rgsw, secret_key_encrypt_rgsw, secret_key_encrypt_rlwe, }, runtime::{galois_auto, rgsw_by_rgsw_inplace, rlwe_by_rgsw}, AutoKeyEvaluationDomain, RgswCiphertext, RgswCiphertextEvaluationDomain, RlweCiphertext, RlwePublicKey, RlweSecret, SeededAutoKey, SeededRgswCiphertext, SeededRlweCiphertext, SeededRlwePublicKey, }; pub(crate) fn _sk_encrypt_rlwe + Clone>( m: &[u64], s: &[i32], ntt_op: &NttBackendU64, mod_op: &ModularOpsU64, ) -> RlweCiphertext>, DefaultSecureRng> { let ring_size = m.len(); let q = mod_op.modulus(); assert!(s.len() == ring_size); let mut rng = DefaultSecureRng::new(); let mut rlwe_seed = [0u8; 32]; rng.fill_bytes(&mut rlwe_seed); let mut seeded_rlwe_ct = SeededRlweCiphertext::<_, [u8; 32], _>::empty(ring_size as usize, rlwe_seed, q.clone()); let mut p_rng = DefaultSecureRng::new_seeded(rlwe_seed); secret_key_encrypt_rlwe( &m, &mut seeded_rlwe_ct.data, s, mod_op, ntt_op, &mut p_rng, &mut rng, ); RlweCiphertext::>, DefaultSecureRng>::from(&seeded_rlwe_ct) } // Encrypt m as RGSW ciphertext RGSW(m) using supplied public key pub(crate) fn _pk_encrypt_rgsw + Clone>( m: &[u64], public_key: &RlwePublicKey>, DefaultSecureRng>, decomposer: &(DefaultDecomposer, DefaultDecomposer), mod_op: &ModularOpsU64, ntt_op: &NttBackendU64, ) -> RgswCiphertext>, T> { let (_, ring_size) = Matrix::dimension(&public_key.data); let gadget_vector_a = decomposer.a().gadget_vector(); let gadget_vector_b = decomposer.b().gadget_vector(); let mut rng = DefaultSecureRng::new(); assert!(m.len() == ring_size); // public key encrypt RGSW(m1) let mut rgsw_ct = RgswCiphertext::empty(ring_size, decomposer, mod_op.modulus().clone()); public_key_encrypt_rgsw( &mut rgsw_ct.data, m, &public_key.data, &gadget_vector_a, &gadget_vector_b, mod_op, ntt_op, &mut rng, ); rgsw_ct } /// Encrypts m as RGSW ciphertext RGSW(m) using supplied secret key. Returns /// unseeded RGSW ciphertext in coefficient domain pub(crate) fn _sk_encrypt_rgsw + Clone>( m: &[u64], s: &[i32], decomposer: &(DefaultDecomposer, DefaultDecomposer), mod_op: &ModularOpsU64, ntt_op: &NttBackendU64, ) -> SeededRgswCiphertext>, [u8; 32], T> { let ring_size = s.len(); assert!(m.len() == s.len()); let q = mod_op.modulus(); let gadget_vector_a = decomposer.a().gadget_vector(); let gadget_vector_b = decomposer.b().gadget_vector(); let mut rng = DefaultSecureRng::new(); let mut rgsw_seed = [0u8; 32]; rng.fill_bytes(&mut rgsw_seed); let mut seeded_rgsw_ct = SeededRgswCiphertext::>, [u8; 32], T>::empty( ring_size as usize, decomposer, rgsw_seed, q.clone(), ); let mut p_rng = DefaultSecureRng::new_seeded(rgsw_seed); secret_key_encrypt_rgsw( &mut seeded_rgsw_ct.data, m, &gadget_vector_a, &gadget_vector_b, s, mod_op, ntt_op, &mut p_rng, &mut rng, ); seeded_rgsw_ct } /// Prints noise in RGSW ciphertext RGSW(m). /// /// - rgsw_ct: RGSW ciphertext in coefficient domain pub(crate) fn _measure_noise_rgsw + Clone>( rgsw_ct: &[Vec], m: &[u64], s: &[i32], decomposer: &(DefaultDecomposer, DefaultDecomposer), q: &T, ) { let gadget_vector_a = decomposer.a().gadget_vector(); let gadget_vector_b = decomposer.b().gadget_vector(); let d_a = gadget_vector_a.len(); let d_b = gadget_vector_b.len(); let ring_size = s.len(); assert!(Matrix::dimension(&rgsw_ct) == (d_a * 2 + d_b * 2, ring_size)); assert!(m.len() == ring_size); let mod_op = ModularOpsU64::new(q.clone()); let ntt_op = NttBackendU64::new(q, ring_size); let mul_mod = |a: &u64, b: &u64| ((*a as u128 * *b as u128) % q.q().unwrap() as u128) as u64; let s_poly = Vec::::try_convert_from(s, q); let mut neg_s = s_poly.clone(); mod_op.elwise_neg_mut(neg_s.as_mut()); let neg_sm0m1 = negacyclic_mul(&neg_s, &m, mul_mod, q.q().unwrap()); // RLWE(\beta^j -s * m) for j in 0..d_a { let ideal_m = { // RLWE(\beta^j -s * m) let mut beta_neg_sm0m1 = vec![0u64; ring_size as usize]; mod_op.elwise_scalar_mul(beta_neg_sm0m1.as_mut(), &neg_sm0m1, &gadget_vector_a[j]); beta_neg_sm0m1 }; let mut rlwe = vec![vec![0u64; ring_size as usize]; 2]; rlwe[0].copy_from_slice(rgsw_ct.get_row_slice(j)); rlwe[1].copy_from_slice(rgsw_ct.get_row_slice(d_a + j)); let noise = measure_noise(&rlwe, &ideal_m, &ntt_op, &mod_op, s); println!(r"Noise RLWE(\beta^{j} -sm0m1): {noise}"); } // RLWE(\beta^j m) for j in 0..d_b { let ideal_m = { // RLWE(\beta^j m) let mut beta_m0m1 = vec![0u64; ring_size as usize]; mod_op.elwise_scalar_mul(beta_m0m1.as_mut(), &m, &gadget_vector_b[j]); beta_m0m1 }; let mut rlwe = vec![vec![0u64; ring_size as usize]; 2]; rlwe[0].copy_from_slice(rgsw_ct.get_row_slice(d_a * 2 + j)); rlwe[1].copy_from_slice(rgsw_ct.get_row_slice(d_a * 2 + d_b + j)); let noise = measure_noise(&rlwe, &ideal_m, &ntt_op, &mod_op, s); println!(r"Noise RLWE(\beta^{j} m0m1): {noise}"); } } #[test] fn rlwe_encrypt_decryption() { let logq = 50; let logp = 2; let ring_size = 1 << 4; let q = generate_prime(logq, ring_size, 1u64 << logq).unwrap(); let p = 1u64 << logp; let mut rng = DefaultSecureRng::new(); let s = RlweSecret::random((ring_size >> 1) as usize, ring_size as usize); // sample m0 let mut m0 = vec![0u64; ring_size as usize]; RandomFillUniformInModulus::<[u64], u64>::random_fill( &mut rng, &(1u64 << logp), m0.as_mut_slice(), ); let ntt_op = NttBackendU64::new(&q, ring_size as usize); let mod_op = ModularOpsU64::new(q); // encrypt m0 let encoded_m = m0 .iter() .map(|v| (((*v as f64) * q as f64) / (p as f64)).round() as u64) .collect_vec(); let rlwe_in_ct = _sk_encrypt_rlwe(&encoded_m, s.values(), &ntt_op, &mod_op); let mut encoded_m_back = vec![0u64; ring_size as usize]; decrypt_rlwe( &rlwe_in_ct, s.values(), &mut encoded_m_back, &ntt_op, &mod_op, ); let m_back = encoded_m_back .iter() .map(|v| (((*v as f64 * p as f64) / q as f64).round() as u64) % p) .collect_vec(); assert_eq!(m0, m_back); // let noise = measure_noise(&rlwe_in_ct, &encoded_m, &ntt_op, &mod_op, // s.values()); println!("Noise: {noise}"); } #[test] fn rlwe_by_rgsw_works() { let logq = 50; let logp = 2; let ring_size = 1 << 9; let q = generate_prime(logq, ring_size, 1u64 << logq).unwrap(); let p: u64 = 1u64 << logp; let mut rng = DefaultSecureRng::new_seeded([0u8; 32]); let s = RlweSecret::random((ring_size >> 1) as usize, ring_size as usize); let mut m0 = vec![0u64; ring_size as usize]; RandomFillUniformInModulus::<[u64], _>::random_fill( &mut rng, &(1u64 << logp), m0.as_mut_slice(), ); let mut m1 = vec![0u64; ring_size as usize]; m1[thread_rng().gen_range(0..ring_size) as usize] = 1; let ntt_op = NttBackendU64::new(&q, ring_size as usize); let mod_op = ModularOpsU64::new(q); let d_rgsw = 10; let logb = 5; let decomposer = ( DefaultDecomposer::new(q, logb, d_rgsw), DefaultDecomposer::new(q, logb, d_rgsw), ); // create public key let mut pk_seed = [0u8; 32]; rng.fill_bytes(&mut pk_seed); let mut pk_prng = DefaultSecureRng::new_seeded(pk_seed); let mut seeded_pk = SeededRlwePublicKey::, _>::empty(ring_size as usize, pk_seed, q); gen_rlwe_public_key( &mut seeded_pk.data, s.values(), &ntt_op, &mod_op, &mut pk_prng, &mut rng, ); let pk = RlwePublicKey::>, DefaultSecureRng>::from(&seeded_pk); // Encrypt m1 as RGSW(m1) let rgsw_ct = { //TODO(Jay): Figure out better way to test secret key and public key variant of // RGSW ciphertext encryption within the same test if true { // Encryption m1 as RGSW(m1) using secret key let seeded_rgsw_ct = _sk_encrypt_rgsw(&m1, s.values(), &decomposer, &mod_op, &ntt_op); RgswCiphertextEvaluationDomain::>, _,DefaultSecureRng, NttBackendU64>::from(&seeded_rgsw_ct) } else { // Encrypt m1 as RGSW(m1) using public key let rgsw_ct = _pk_encrypt_rgsw(&m1, &pk, &decomposer, &mod_op, &ntt_op); RgswCiphertextEvaluationDomain::<_, _, DefaultSecureRng, NttBackendU64>::from( &rgsw_ct, ) } }; // Encrypt m0 as RLWE(m0) let mut rlwe_in_ct = { let encoded_m = m0 .iter() .map(|v| (((*v as f64) * q as f64) / (p as f64)).round() as u64) .collect_vec(); _sk_encrypt_rlwe(&encoded_m, s.values(), &ntt_op, &mod_op) }; // RLWE(m0m1) = RLWE(m0) x RGSW(m1) let mut scratch_space = vec![ vec![0u64; ring_size as usize]; std::cmp::max( decomposer.a().decomposition_count(), decomposer.b().decomposition_count() ) + 2 ]; // rlwe x rgsw with additional RGSW ciphertexts in shoup repr let rlwe_in_ct_shoup = { let mut rlwe_in_ct_shoup = RlweCiphertext::<_, DefaultSecureRng> { data: rlwe_in_ct.data.clone(), is_trivial: rlwe_in_ct.is_trivial, _phatom: PhantomData::default(), }; let rgsw_ct_shoup = ShoupRgswCiphertextEvaluationDomain::from(&rgsw_ct); rlwe_by_rgsw_shoup( &mut rlwe_in_ct_shoup, &rgsw_ct.data, &rgsw_ct_shoup.data, &mut scratch_space, &decomposer, &ntt_op, &mod_op, ); rlwe_in_ct_shoup }; // rlwe x rgsw normal { rlwe_by_rgsw( &mut rlwe_in_ct, &rgsw_ct.data, &mut scratch_space, &decomposer, &ntt_op, &mod_op, ); } // output from both functions must be equal { assert_eq!(rlwe_in_ct.data, rlwe_in_ct_shoup.data); } // Decrypt RLWE(m0m1) let mut encoded_m0m1_back = vec![0u64; ring_size as usize]; decrypt_rlwe( &rlwe_in_ct, s.values(), &mut encoded_m0m1_back, &ntt_op, &mod_op, ); let m0m1_back = encoded_m0m1_back .iter() .map(|v| (((*v as f64 * p as f64) / (q as f64)).round() as u64) % p) .collect_vec(); let mul_mod = |v0: &u64, v1: &u64| (v0 * v1) % p; let m0m1 = negacyclic_mul(&m0, &m1, mul_mod, p); // { // // measure noise // let encoded_m_ideal = m0m1 // .iter() // .map(|v| (((*v as f64) * q as f64) / (p as f64)).round() as u64) // .collect_vec(); // let noise = measure_noise(&rlwe_in_ct, &encoded_m_ideal, &ntt_op, // &mod_op, s.values()); println!("Noise RLWE(m0m1)(= // RLWE(m0)xRGSW(m1)) : {noise}"); } assert!( m0m1 == m0m1_back, "Expected {:?} \n Got {:?}", m0m1, m0m1_back ); } #[test] fn galois_auto_works() { let logq = 55; let ring_size = 1 << 11; let q = generate_prime(logq, 2 * ring_size, 1u64 << logq).unwrap(); let logp = 3; let p = 1u64 << logp; let d_rgsw = 5; let logb = 11; let mut rng = DefaultSecureRng::new(); let s = RlweSecret::random((ring_size >> 1) as usize, ring_size as usize); let mut m = vec![0u64; ring_size as usize]; RandomFillUniformInModulus::random_fill(&mut rng, &p, m.as_mut_slice()); let encoded_m = m .iter() .map(|v| (((*v as f64 * q as f64) / (p as f64)).round() as u64)) .collect_vec(); let ntt_op = NttBackendU64::new(&q, ring_size as usize); let mod_op = ModularOpsU64::new(q); // RLWE_{s}(m) let mut seed_rlwe = [0u8; 32]; rng.fill_bytes(&mut seed_rlwe); let mut seeded_rlwe_m = SeededRlweCiphertext::empty(ring_size as usize, seed_rlwe, q); let mut p_rng = DefaultSecureRng::new_seeded(seed_rlwe); secret_key_encrypt_rlwe( &encoded_m, &mut seeded_rlwe_m.data, s.values(), &mod_op, &ntt_op, &mut p_rng, &mut rng, ); let mut rlwe_m = RlweCiphertext::>, DefaultSecureRng>::from(&seeded_rlwe_m); let auto_k = -125; // Generate galois key to key switch from s^k to s let decomposer = DefaultDecomposer::new(q, logb, d_rgsw); let mut seed_auto = [0u8; 32]; rng.fill_bytes(&mut seed_auto); let mut seeded_auto_key = SeededAutoKey::empty(ring_size as usize, &decomposer, seed_auto, q); let mut p_rng = DefaultSecureRng::new_seeded(seed_auto); let gadget_vector = decomposer.gadget_vector(); galois_key_gen( &mut seeded_auto_key.data, s.values(), auto_k, &gadget_vector, &mod_op, &ntt_op, &mut p_rng, &mut rng, ); let auto_key = AutoKeyEvaluationDomain::>, _, DefaultSecureRng, NttBackendU64>::from( &seeded_auto_key, ); // Send RLWE_{s}(m) -> RLWE_{s}(m^k) let mut scratch_space = vec![vec![0u64; ring_size as usize]; d_rgsw + 2]; let (auto_map_index, auto_map_sign) = generate_auto_map(ring_size as usize, auto_k); // galois auto with additional auto key in shoup repr let rlwe_m_shoup = { let auto_key_shoup = ShoupAutoKeyEvaluationDomain::from(&auto_key); let mut rlwe_m_shoup = RlweCiphertext::<_, DefaultSecureRng> { data: rlwe_m.data.clone(), is_trivial: rlwe_m.is_trivial, _phatom: PhantomData::default(), }; galois_auto_shoup( &mut rlwe_m_shoup, &auto_key.data, &auto_key_shoup.data, &mut scratch_space, &auto_map_index, &auto_map_sign, &mod_op, &ntt_op, &decomposer, ); rlwe_m_shoup }; // normal galois auto { galois_auto( &mut rlwe_m, &auto_key.data, &mut scratch_space, &auto_map_index, &auto_map_sign, &mod_op, &ntt_op, &decomposer, ); } // rlwe out from both functions must be same assert_eq!(rlwe_m.data, rlwe_m_shoup.data); let rlwe_m_k = rlwe_m; // Decrypt RLWE_{s}(m^k) and check let mut encoded_m_k_back = vec![0u64; ring_size as usize]; decrypt_rlwe( &rlwe_m_k, s.values(), &mut encoded_m_k_back, &ntt_op, &mod_op, ); let m_k_back = encoded_m_k_back .iter() .map(|v| (((*v as f64 * p as f64) / q as f64).round() as u64) % p) .collect_vec(); let mut m_k = vec![0u64; ring_size as usize]; // Send \delta m -> \delta m^k izip!(m.iter(), auto_map_index.iter(), auto_map_sign.iter()).for_each( |(v, to_index, sign)| { if !*sign { m_k[*to_index] = (p - *v) % p; } else { m_k[*to_index] = *v; } }, ); { let encoded_m_k = m_k .iter() .map(|v| ((*v as f64 * q as f64) / p as f64).round() as u64) .collect_vec(); let noise = measure_noise(&rlwe_m_k, &encoded_m_k, &ntt_op, &mod_op, s.values()); println!("Ksk noise: {noise}"); } assert_eq!(m_k_back, m_k); } #[test] fn sk_rgsw_by_rgsw() { let logq = 60; let logp = 2; let ring_size = 1 << 11; let q = generate_prime(logq, ring_size, 1u64 << logq).unwrap(); let p = 1u64 << logp; let d_rgsw = 12; let logb = 5; let s = RlweSecret::random((ring_size >> 1) as usize, ring_size as usize); let mut rng = DefaultSecureRng::new(); let ntt_op = NttBackendU64::new(&q, ring_size as usize); let mod_op = ModularOpsU64::new(q); let decomposer = ( DefaultDecomposer::new(q, logb, d_rgsw), DefaultDecomposer::new(q, logb, d_rgsw), ); let mul_mod = |a: &u64, b: &u64| ((*a as u128 * *b as u128) % q as u128) as u64; let mut carry_m = vec![0u64; ring_size as usize]; carry_m[thread_rng().gen_range(0..ring_size) as usize] = 1; // RGSW(carry_m) let mut rgsw_carrym = { let seeded_rgsw = _sk_encrypt_rgsw(&carry_m, s.values(), &decomposer, &mod_op, &ntt_op); let mut rgsw_eval = RgswCiphertextEvaluationDomain::<_, _, DefaultSecureRng, NttBackendU64>::from( &seeded_rgsw, ); rgsw_eval .data .iter_mut() .for_each(|ri| ntt_op.backward(ri.as_mut())); rgsw_eval.data }; let mut scratch_matrix = vec![ vec![0u64; ring_size as usize]; decomposer.a().decomposition_count() * 2 + decomposer.b().decomposition_count() * 2 + std::cmp::max( decomposer.a().decomposition_count(), decomposer.b().decomposition_count() ) ]; _measure_noise_rgsw(&rgsw_carrym, &carry_m, s.values(), &decomposer, &q); for i in 0..2 { let mut m = vec![0u64; ring_size as usize]; m[thread_rng().gen_range(0..ring_size) as usize] = if (i & 1) == 1 { q - 1 } else { 1 }; let rgsw_m = RgswCiphertextEvaluationDomain::<_, _, DefaultSecureRng, NttBackendU64>::from( &_sk_encrypt_rgsw(&m, s.values(), &decomposer, &mod_op, &ntt_op), ); rgsw_by_rgsw_inplace( &mut rgsw_carrym, &rgsw_m.data, &decomposer, &mut scratch_matrix, &ntt_op, &mod_op, ); // measure noise carry_m = negacyclic_mul(&carry_m, &m, mul_mod, q); println!("########### Noise RGSW(carrym) in {i}^th loop ###########"); _measure_noise_rgsw(&rgsw_carrym, &carry_m, s.values(), &decomposer, &q); } { // RLWE(m) x RGSW(carry_m) let mut m = vec![0u64; ring_size as usize]; RandomFillUniformInModulus::random_fill(&mut rng, &q, m.as_mut_slice()); let mut rlwe_ct = _sk_encrypt_rlwe(&m, s.values(), &ntt_op, &mod_op); // send rgsw to evaluation domain rgsw_carrym .iter_mut() .for_each(|ri| ntt_op.forward(ri.as_mut_slice())); rlwe_by_rgsw( &mut rlwe_ct, &rgsw_carrym, &mut scratch_matrix, &decomposer, &ntt_op, &mod_op, ); let m_expected = negacyclic_mul(&carry_m, &m, mul_mod, q); let noise = measure_noise(&rlwe_ct, &m_expected, &ntt_op, &mod_op, s.values()); println!("RLWE(m) x RGSW(carry_m): {noise}"); } } #[test] fn some_work() { let logq = 55; let ring_size = 1 << 11; let q = generate_prime(logq, ring_size as u64, 1u64 << logq).unwrap(); let d = 12; let logb = 4; let decomposer = DefaultDecomposer::new(q, logb, d); let ntt_op = NttBackendU64::new(&q, ring_size as usize); let mod_op = ModularOpsU64::new(q); let mut rng = DefaultSecureRng::new(); let mut stats = Stats::new(); for _ in 0..10 { let mut a = vec![0u64; ring_size]; RandomFillUniformInModulus::random_fill(&mut rng, &q, a.as_mut()); let mut e = vec![1u64; ring_size]; // RandomFillGaussianInModulus::random_fill(&mut rng, &q, e.as_mut()); let gadget_vector = decomposer.gadget_vector(); // ksk (beta e) let mut ksk = vec![vec![0u64; ring_size]; decomposer.decomposition_count()]; izip!(ksk.iter_rows_mut(), gadget_vector.iter()).for_each(|(row, beta)| { row.as_mut_slice().copy_from_slice(e.as_ref()); mod_op.elwise_scalar_mul_mut(row.as_mut_slice(), beta); }); // decompose a let mut decomposed_a = vec![vec![0u64; ring_size]; decomposer.decomposition_count()]; a.iter().enumerate().for_each(|(ri, el)| { decomposer .decompose_iter(el) .into_iter() .enumerate() .for_each(|(j, d_el)| { decomposed_a[j][ri] = d_el; }); }); // println!("Last limb"); // decomp_a * ksk(beta e) ksk.iter_mut() .for_each(|r| ntt_op.forward(r.as_mut_slice())); decomposed_a .iter_mut() .for_each(|r| ntt_op.forward(r.as_mut_slice())); let mut out = vec![0u64; ring_size]; izip!(decomposed_a.iter(), ksk.iter()).for_each(|(a, b)| { // out += a * b let mut a_clone = a.clone(); mod_op.elwise_mul_mut(a_clone.as_mut_slice(), b.as_ref()); mod_op.elwise_add_mut(out.as_mut_slice(), a_clone.as_ref()); }); ntt_op.backward(out.as_mut_slice()); let out_expected = { let mut a_clone = a.clone(); let mut e_clone = e.clone(); ntt_op.forward(a_clone.as_mut_slice()); ntt_op.forward(e_clone.as_mut_slice()); mod_op.elwise_mul_mut(a_clone.as_mut_slice(), e_clone.as_mut_slice()); ntt_op.backward(a_clone.as_mut_slice()); a_clone }; let mut diff = out_expected; mod_op.elwise_sub_mut(diff.as_mut_slice(), out.as_ref()); stats.add_more(&Vec::::try_convert_from(diff.as_ref(), &q)); } println!("Std: {}", stats.std_dev().abs().log2()); } }