use std::{ borrow::BorrowMut, cell::{OnceCell, RefCell}, clone, collections::HashMap, fmt::{Debug, Display}, iter::Once, marker::PhantomData, ops::Shr, sync::OnceLock, }; use itertools::{izip, partition, Itertools}; use num_traits::{FromPrimitive, Num, One, Pow, PrimInt, ToPrimitive, WrappingSub, Zero}; use rand_distr::uniform::SampleUniform; use crate::{ backend::{ArithmeticOps, GetModulus, ModInit, ModularOpsU64, Modulus, VectorOps}, decomposer::{Decomposer, DefaultDecomposer, NumInfo, RlweDecomposer}, lwe::{decrypt_lwe, encrypt_lwe, lwe_key_switch, lwe_ksk_keygen, measure_noise_lwe, LweSecret}, multi_party::public_key_share, ntt::{self, Ntt, NttBackendU64, NttInit}, pbs::{pbs, sample_extract, PbsInfo, PbsKey}, random::{ DefaultSecureRng, NewWithSeed, RandomFill, RandomFillGaussianInModulus, RandomFillUniformInModulus, RandomGaussianElementInModulus, }, rgsw::{ decrypt_rlwe, galois_auto, galois_key_gen, generate_auto_map, public_key_encrypt_rgsw, rgsw_by_rgsw_inplace, rlwe_by_rgsw, secret_key_encrypt_rgsw, IsTrivial, RgswCiphertext, RlweCiphertext, RlweSecret, }, utils::{ fill_random_ternary_secret_with_hamming_weight, generate_prime, mod_exponent, Global, TryConvertFrom1, WithLocal, }, Decryptor, Encryptor, Matrix, MatrixEntity, MatrixMut, MultiPartyDecryptor, Row, RowEntity, RowMut, Secret, }; use super::{ keys::ClientKey, parameters::{BoolParameters, CiphertextModulus}, CommonReferenceSeededCollectivePublicKeyShare, CommonReferenceSeededMultiPartyServerKeyShare, SeededMultiPartyServerKey, SeededServerKey, ServerKeyEvaluationDomain, }; pub struct MultiPartyCrs { pub(super) seed: S, } impl MultiPartyCrs { /// Seed to generate public key share using MultiPartyCrs as the main seed. /// /// Public key seed equals the 1st seed extracted from PRNG Seeded with /// MiltiPartyCrs's seed. pub(super) fn public_key_share_seed + RandomFill>(&self) -> S { let mut prng = Rng::new_with_seed(self.seed); let mut seed = S::default(); RandomFill::::random_fill(&mut prng, &mut seed); seed } /// Seed to generate server key share using MultiPartyCrs as the main seed. /// /// Server key seed equals the 2nd seed extracted from PRNG Seeded with /// MiltiPartyCrs's seed. pub(super) fn server_key_share_seed + RandomFill>(&self) -> S { let mut prng = Rng::new_with_seed(self.seed); let mut seed = S::default(); RandomFill::::random_fill(&mut prng, &mut seed); RandomFill::::random_fill(&mut prng, &mut seed); seed } } pub(crate) trait BooleanGates { type Ciphertext: RowEntity; type Key; fn and_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn nand_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn or_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn nor_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn xor_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn xnor_inplace(&mut self, c0: &mut Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key); fn not_inplace(&mut self, c: &mut Self::Ciphertext); fn and( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn nand( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn or( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn nor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn xor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn xnor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext; fn not(&mut self, c: &Self::Ciphertext) -> Self::Ciphertext; } struct ScratchMemory where M: Matrix, { lwe_vector: M::R, decomposition_matrix: M, } impl ScratchMemory where M::R: RowEntity, { fn new(parameters: &BoolParameters) -> Self { // Vector to store LWE ciphertext with LWE dimesnion n let lwe_vector = M::R::zeros(parameters.lwe_n().0 + 1); // Matrix to store decomposed polynomials // Max decompistion count + space for temporary RLWE let d = std::cmp::max( parameters.auto_decomposition_count().0, std::cmp::max( parameters.rlwe_rgsw_decomposition_count().0 .0, parameters.rlwe_rgsw_decomposition_count().1 .0, ), ) + 2; let decomposition_matrix = M::zeros(d, parameters.rlwe_n().0); Self { lwe_vector, decomposition_matrix, } } } pub(super) trait BoolEncoding { type Element; fn true_el(&self) -> Self::Element; fn false_el(&self) -> Self::Element; fn qby4(&self) -> Self::Element; fn decode(&self, m: Self::Element) -> bool; } impl BoolEncoding for CiphertextModulus where CiphertextModulus: Modulus, T: PrimInt, { type Element = T; fn qby4(&self) -> Self::Element { if self.is_native() { T::one() << (CiphertextModulus::::_bits() - 2) } else { self.q().unwrap() >> 2 } } /// Q/8 fn true_el(&self) -> Self::Element { if self.is_native() { T::one() << (CiphertextModulus::::_bits() - 3) } else { self.q().unwrap() >> 3 } } /// -Q/8 fn false_el(&self) -> Self::Element { self.largest_unsigned_value() - self.true_el() + T::one() } fn decode(&self, m: Self::Element) -> bool { let qby8 = self.true_el(); let m = (((m + qby8).to_f64().unwrap() * 4.0f64) / self.q_as_f64().unwrap()).round() as usize % 4usize; if m == 0 { return false; } else if m == 1 { return true; } else { panic!("Incorrect bool decryption. Got m={m} but expected m to be 0 or 1") } } } pub(super) struct BoolPbsInfo { auto_decomposer: DefaultDecomposer, rlwe_rgsw_decomposer: ( DefaultDecomposer, DefaultDecomposer, ), lwe_decomposer: DefaultDecomposer, g_k_dlog_map: Vec, rlwe_nttop: Ntt, rlwe_modop: RlweModOp, lwe_modop: LweModOp, embedding_factor: usize, rlwe_qby4: M::MatElement, rlwe_auto_maps: Vec<(Vec, Vec)>, parameters: BoolParameters, } impl PbsInfo for BoolPbsInfo where M::MatElement: PrimInt + WrappingSub + NumInfo + FromPrimitive + From + Display, RlweModOp: ArithmeticOps + VectorOps, LweModOp: ArithmeticOps + VectorOps, NttOp: Ntt, { type Modulus = CiphertextModulus; type Element = M::MatElement; type D = DefaultDecomposer; type RlweModOp = RlweModOp; type LweModOp = LweModOp; type NttOp = NttOp; fn rlwe_auto_map(&self, k: usize) -> &(Vec, Vec) { &self.rlwe_auto_maps[k] } fn br_q(&self) -> usize { *self.parameters.br_q() } fn lwe_decomposer(&self) -> &Self::D { &self.lwe_decomposer } fn rlwe_rgsw_decomposer(&self) -> &(Self::D, Self::D) { &self.rlwe_rgsw_decomposer } fn auto_decomposer(&self) -> &Self::D { &self.auto_decomposer } fn embedding_factor(&self) -> usize { self.embedding_factor } fn g(&self) -> isize { self.parameters.g() as isize } fn w(&self) -> usize { self.parameters.w() } fn g_k_dlog_map(&self) -> &[usize] { &self.g_k_dlog_map } fn lwe_n(&self) -> usize { self.parameters.lwe_n().0 } fn lwe_q(&self) -> &Self::Modulus { self.parameters.lwe_q() } fn rlwe_n(&self) -> usize { self.parameters.rlwe_n().0 } fn rlwe_q(&self) -> &Self::Modulus { self.parameters.rlwe_q() } fn modop_lweq(&self) -> &Self::LweModOp { &self.lwe_modop } fn modop_rlweq(&self) -> &Self::RlweModOp { &self.rlwe_modop } fn nttop_rlweq(&self) -> &Self::NttOp { &self.rlwe_nttop } } pub(crate) struct BoolEvaluator where M: Matrix, { pbs_info: BoolPbsInfo, scratch_memory: ScratchMemory, nand_test_vec: M::R, and_test_vec: M::R, or_test_vec: M::R, nor_test_vec: M::R, xor_test_vec: M::R, xnor_test_vec: M::R, _phantom: PhantomData, } impl BoolEvaluator { pub(super) fn parameters(&self) -> &BoolParameters { &self.pbs_info.parameters } pub(super) fn pbs_info(&self) -> &BoolPbsInfo { &self.pbs_info } } impl BoolEvaluator where M: MatrixEntity + MatrixMut, M::MatElement: PrimInt + Debug + Display + NumInfo + FromPrimitive + WrappingSub + SampleUniform + From, NttOp: Ntt, RlweModOp: ArithmeticOps + VectorOps + GetModulus>, LweModOp: ArithmeticOps + VectorOps + GetModulus>, M::R: TryConvertFrom1<[i32], CiphertextModulus> + RowEntity + Debug, ::R: RowMut, { pub(super) fn new(parameters: BoolParameters) -> Self where RlweModOp: ModInit>, LweModOp: ModInit>, NttOp: NttInit>, { //TODO(Jay): Run sanity checks for modulus values in parameters // generates dlog map s.t. (+/-)g^{k} % q = a, for all a \in Z*_{q} and k \in // [0, q/4). We store the dlog `k` at index `a`. This makes it easier to // simply look up `k` at runtime as vec[a]. If a = g^{k} then dlog is // stored as k. If a = -g^{k} then dlog is stored as k = q/4. This is done to // differentiate sign. let g = parameters.g(); let q = *parameters.br_q(); let mut g_k_dlog_map = vec![0usize; q]; for i in 0..q / 4 { let v = mod_exponent(g as u64, i as u64, q as u64) as usize; // g^i g_k_dlog_map[v] = i; // -(g^i) g_k_dlog_map[q - v] = i + (q / 4); } let embedding_factor = (2 * parameters.rlwe_n().0) / q; let rlwe_nttop = NttOp::new(parameters.rlwe_q(), parameters.rlwe_n().0); let rlwe_modop = RlweModOp::new(*parameters.rlwe_q()); let lwe_modop = LweModOp::new(*parameters.lwe_q()); let q = *parameters.br_q(); let qby2 = q >> 1; let qby8 = q >> 3; // Q/8 (Q: rlwe_q) let true_m_el = parameters.rlwe_q().true_el(); // -Q/8 let false_m_el = parameters.rlwe_q().false_el(); let (auto_map_index, auto_map_sign) = generate_auto_map(qby2, -(g as isize)); let init_test_vec = |partition_el: usize, before_partition_el: M::MatElement, after_partition_el: M::MatElement| { let mut test_vec = M::R::zeros(qby2); for i in 0..qby2 { if i < partition_el { test_vec.as_mut()[i] = before_partition_el; } else { test_vec.as_mut()[i] = after_partition_el; } } // v(X) -> v(X^{-g}) let mut test_vec_autog = M::R::zeros(qby2); izip!( test_vec.as_ref().iter(), auto_map_index.iter(), auto_map_sign.iter() ) .for_each(|(v, to_index, to_sign)| { if !to_sign { // negate test_vec_autog.as_mut()[*to_index] = rlwe_modop.neg(v); } else { test_vec_autog.as_mut()[*to_index] = *v; } }); return test_vec_autog; }; let nand_test_vec = init_test_vec(3 * qby8, true_m_el, false_m_el); let and_test_vec = init_test_vec(3 * qby8, false_m_el, true_m_el); let or_test_vec = init_test_vec(qby8, false_m_el, true_m_el); let nor_test_vec = init_test_vec(qby8, true_m_el, false_m_el); let xor_test_vec = init_test_vec(qby8, false_m_el, true_m_el); let xnor_test_vec = init_test_vec(qby8, true_m_el, false_m_el); // auto map indices and sign // Auto maps are stored as [-g, g^{1}, g^{2}, ..., g^{w}] let mut rlwe_auto_maps = vec![]; let ring_size = parameters.rlwe_n().0; let g = parameters.g(); let br_q = parameters.br_q(); let auto_element_dlogs = parameters.auto_element_dlogs(); assert!(auto_element_dlogs[0] == 0); for i in auto_element_dlogs.into_iter() { let el = if i == 0 { -(g as isize) } else { (g.pow(i as u32) % br_q) as isize }; rlwe_auto_maps.push(generate_auto_map(ring_size, el)) } let rlwe_qby4 = parameters.rlwe_q().qby4(); let scratch_memory = ScratchMemory::new(¶meters); let pbs_info = BoolPbsInfo { auto_decomposer: parameters.auto_decomposer(), lwe_decomposer: parameters.lwe_decomposer(), rlwe_rgsw_decomposer: parameters.rlwe_rgsw_decomposer(), g_k_dlog_map, embedding_factor, lwe_modop, rlwe_modop, rlwe_nttop, rlwe_qby4, rlwe_auto_maps, parameters: parameters, }; BoolEvaluator { pbs_info, scratch_memory, nand_test_vec, and_test_vec, or_test_vec, nor_test_vec, xnor_test_vec, xor_test_vec, _phantom: PhantomData, } } pub(super) fn client_key(&self) -> ClientKey { let sk_lwe = LweSecret::random( self.pbs_info.parameters.lwe_n().0 >> 1, self.pbs_info.parameters.lwe_n().0, ); let sk_rlwe = RlweSecret::random( self.pbs_info.parameters.rlwe_n().0 >> 1, self.pbs_info.parameters.rlwe_n().0, ); ClientKey::new(sk_rlwe, sk_lwe) } pub(super) fn server_key( &self, client_key: &ClientKey, ) -> SeededServerKey, [u8; 32]> { DefaultSecureRng::with_local_mut(|rng| { let mut main_seed = [0u8; 32]; rng.fill_bytes(&mut main_seed); let mut main_prng = DefaultSecureRng::new_seeded(main_seed); let rlwe_n = self.pbs_info.parameters.rlwe_n().0; let sk_rlwe = client_key.sk_rlwe(); let sk_lwe = client_key.sk_lwe(); // generate auto keys let mut auto_keys = HashMap::new(); let auto_gadget = self.pbs_info.auto_decomposer.gadget_vector(); let g = self.pbs_info.parameters.g(); let br_q = self.pbs_info.parameters.br_q(); let auto_els = self.pbs_info.parameters.auto_element_dlogs(); for i in auto_els.into_iter() { let g_pow = if i == 0 { -(g as isize) } else { (g.pow(i as u32) % br_q) as isize }; let mut gk = M::zeros(self.pbs_info.auto_decomposer.decomposition_count(), rlwe_n); galois_key_gen( &mut gk, sk_rlwe.values(), g_pow, &auto_gadget, &self.pbs_info.rlwe_modop, &self.pbs_info.rlwe_nttop, &mut main_prng, rng, ); auto_keys.insert(i, gk); } // generate rgsw ciphertexts RGSW(si) where si is i^th LWE secret element let ring_size = self.pbs_info.parameters.rlwe_n().0; let rlwe_q = self.pbs_info.parameters.rlwe_q(); let (rlrg_d_a, rlrg_d_b) = ( self.pbs_info.rlwe_rgsw_decomposer.0.decomposition_count(), self.pbs_info.rlwe_rgsw_decomposer.1.decomposition_count(), ); let rlrg_gadget_a = self.pbs_info.rlwe_rgsw_decomposer.0.gadget_vector(); let rlrg_gadget_b = self.pbs_info.rlwe_rgsw_decomposer.1.gadget_vector(); let rgsw_cts = sk_lwe .values() .iter() .map(|si| { // X^{si}; assume |emebedding_factor * si| < N let mut m = M::R::zeros(ring_size); let si = (self.pbs_info.embedding_factor as i32) * si; // dbg!(si); if si < 0 { // X^{-i} = X^{2N - i} = -X^{N-i} m.as_mut()[ring_size - (si.abs() as usize)] = rlwe_q.neg_one(); } else { // X^{i} m.as_mut()[si.abs() as usize] = M::MatElement::one(); } let mut rgsw_si = M::zeros(rlrg_d_a * 2 + rlrg_d_b, ring_size); secret_key_encrypt_rgsw( &mut rgsw_si, m.as_ref(), &rlrg_gadget_a, &rlrg_gadget_b, sk_rlwe.values(), &self.pbs_info.rlwe_modop, &self.pbs_info.rlwe_nttop, &mut main_prng, rng, ); rgsw_si }) .collect_vec(); // LWE KSK from RLWE secret s -> LWE secret z let d_lwe_gadget = self.pbs_info.lwe_decomposer.gadget_vector(); let mut lwe_ksk = M::R::zeros(self.pbs_info.lwe_decomposer.decomposition_count() * ring_size); lwe_ksk_keygen( &sk_rlwe.values(), &sk_lwe.values(), &mut lwe_ksk, &d_lwe_gadget, &self.pbs_info.lwe_modop, &mut main_prng, rng, ); SeededServerKey::from_raw( auto_keys, rgsw_cts, lwe_ksk, self.pbs_info.parameters.clone(), main_seed, ) }) } pub(super) fn multi_party_server_key_share( &self, cr_seed: [u8; 32], collective_pk: &M, client_key: &ClientKey, ) -> CommonReferenceSeededMultiPartyServerKeyShare, [u8; 32]> { DefaultSecureRng::with_local_mut(|rng| { let mut main_prng = DefaultSecureRng::new_seeded(cr_seed); let sk_rlwe = client_key.sk_rlwe(); let sk_lwe = client_key.sk_lwe(); let g = self.pbs_info.parameters.g(); let ring_size = self.pbs_info.parameters.rlwe_n().0; let rlwe_q = self.pbs_info.parameters.rlwe_q(); let lwe_q = self.pbs_info.parameters.lwe_q(); let rlweq_modop = &self.pbs_info.rlwe_modop; let rlweq_nttop = &self.pbs_info.rlwe_nttop; // sanity check assert!(sk_rlwe.values().len() == ring_size); assert!(sk_lwe.values().len() == self.pbs_info.parameters.lwe_n().0); // auto keys let mut auto_keys = HashMap::new(); let auto_gadget = self.pbs_info.auto_decomposer.gadget_vector(); let auto_element_dlogs = self.pbs_info.parameters.auto_element_dlogs(); let br_q = self.pbs_info.parameters.br_q(); for i in auto_element_dlogs.into_iter() { let g_pow = if i == 0 { -(g as isize) } else { (g.pow(i as u32) % br_q) as isize }; let mut ksk_out = M::zeros( self.pbs_info.auto_decomposer.decomposition_count(), ring_size, ); galois_key_gen( &mut ksk_out, sk_rlwe.values(), g_pow, &auto_gadget, rlweq_modop, rlweq_nttop, &mut main_prng, rng, ); auto_keys.insert(i, ksk_out); } // rgsw ciphertexts of lwe secret elements let rgsw_rgsw_decomposer = self .pbs_info .parameters .rgsw_rgsw_decomposer::>(); let (rgrg_d_a, rgrg_d_b) = ( rgsw_rgsw_decomposer.0.decomposition_count(), rgsw_rgsw_decomposer.1.decomposition_count(), ); let (rgrg_gadget_a, rgrg_gadget_b) = ( rgsw_rgsw_decomposer.0.gadget_vector(), rgsw_rgsw_decomposer.1.gadget_vector(), ); let rgsw_cts = sk_lwe .values() .iter() .map(|si| { let mut m = M::R::zeros(ring_size); //TODO(Jay): It will be nice to have a function that returns polynomial // (monomial infact!) corresponding to secret element embedded in ring X^{2N+1}. // Save lots of mistakes where one forgest to emebed si in bigger ring. let si = *si * (self.pbs_info.embedding_factor as i32); if si < 0 { // X^{-si} = X^{2N-si} = -X^{N-si}, assuming abs(si) < N // (which it is given si is secret element) m.as_mut()[ring_size - (si.abs() as usize)] = rlwe_q.neg_one(); } else { m.as_mut()[si as usize] = M::MatElement::one(); } // public key RGSW encryption has no part that can be seeded, unlike secret key // RGSW encryption where RLWE'_A(m) is seeded let mut out_rgsw = M::zeros(rgrg_d_a * 2 + rgrg_d_b * 2, ring_size); public_key_encrypt_rgsw( &mut out_rgsw, &m.as_ref(), collective_pk, &rgrg_gadget_a, &rgrg_gadget_b, rlweq_modop, rlweq_nttop, rng, ); out_rgsw }) .collect_vec(); // LWE ksk let mut lwe_ksk = M::R::zeros(self.pbs_info.lwe_decomposer.decomposition_count() * ring_size); let lwe_modop = &self.pbs_info.lwe_modop; let d_lwe_gadget_vec = self.pbs_info.lwe_decomposer.gadget_vector(); lwe_ksk_keygen( sk_rlwe.values(), sk_lwe.values(), &mut lwe_ksk, &d_lwe_gadget_vec, lwe_modop, &mut main_prng, rng, ); CommonReferenceSeededMultiPartyServerKeyShare::new( rgsw_cts, auto_keys, lwe_ksk, cr_seed, self.pbs_info.parameters.clone(), ) }) } pub(super) fn multi_party_public_key_share( &self, cr_seed: [u8; 32], client_key: &ClientKey, ) -> CommonReferenceSeededCollectivePublicKeyShare< ::R, [u8; 32], BoolParameters<::MatElement>, > { DefaultSecureRng::with_local_mut(|rng| { let mut share_out = M::R::zeros(self.pbs_info.parameters.rlwe_n().0); let modop = &self.pbs_info.rlwe_modop; let nttop = &self.pbs_info.rlwe_nttop; let mut main_prng = DefaultSecureRng::new_seeded(cr_seed); public_key_share( &mut share_out, client_key.sk_rlwe().values(), modop, nttop, &mut main_prng, rng, ); CommonReferenceSeededCollectivePublicKeyShare::new( share_out, cr_seed, self.pbs_info.parameters.clone(), ) }) } pub(super) fn multi_party_decryption_share( &self, lwe_ct: &M::R, client_key: &ClientKey, ) -> ::MatElement { assert!(lwe_ct.as_ref().len() == self.pbs_info.parameters.rlwe_n().0 + 1); let modop = &self.pbs_info.rlwe_modop; let mut neg_s = M::R::try_convert_from( client_key.sk_rlwe().values(), &self.pbs_info.parameters.rlwe_q(), ); modop.elwise_neg_mut(neg_s.as_mut()); let mut neg_sa = M::MatElement::zero(); izip!(lwe_ct.as_ref().iter().skip(1), neg_s.as_ref().iter()).for_each(|(ai, nsi)| { neg_sa = modop.add(&neg_sa, &modop.mul(ai, nsi)); }); let e = DefaultSecureRng::with_local_mut(|rng| { let mut e = RandomGaussianElementInModulus::random(rng, self.pbs_info.parameters.rlwe_q()); e }); let share = modop.add(&neg_sa, &e); share } pub(crate) fn multi_party_decrypt(&self, shares: &[M::MatElement], lwe_ct: &M::R) -> bool { let modop = &self.pbs_info.rlwe_modop; let mut sum_a = M::MatElement::zero(); shares .iter() .for_each(|share_i| sum_a = modop.add(&sum_a, &share_i)); let encoded_m = modop.add(&lwe_ct.as_ref()[0], &sum_a); self.pbs_info.parameters.rlwe_q().decode(encoded_m) } pub(crate) fn pk_encrypt(&self, pk: &M, m: bool) -> M::R { self.pk_encrypt_batched(pk, &vec![m]).remove(0) } /// Encrypts a batch booleans as multiple LWE ciphertexts. /// /// For public key encryption we first encrypt `m` as a RLWE ciphertext and /// then sample extract LWE samples at required indices. /// /// - TODO(Jay:) Communication can be improved by not sample exctracting and /// instead just truncate degree 0 values (part Bs) pub(crate) fn pk_encrypt_batched(&self, pk: &M, m: &[bool]) -> Vec { DefaultSecureRng::with_local_mut(|rng| { let ring_size = self.pbs_info.parameters.rlwe_n().0; assert!( m.len() <= ring_size, "Cannot batch encrypt > ring_size{ring_size} elements at once" ); let modop = &self.pbs_info.rlwe_modop; let nttop = &self.pbs_info.rlwe_nttop; // RLWE(0) // sample ephemeral key u let mut u = vec![0i32; ring_size]; fill_random_ternary_secret_with_hamming_weight(u.as_mut(), ring_size >> 1, rng); let mut u = M::R::try_convert_from(&u, &self.pbs_info.parameters.rlwe_q()); nttop.forward(u.as_mut()); let mut ua = M::R::zeros(ring_size); ua.as_mut().copy_from_slice(pk.get_row_slice(0)); let mut ub = M::R::zeros(ring_size); ub.as_mut().copy_from_slice(pk.get_row_slice(1)); // a*u nttop.forward(ua.as_mut()); modop.elwise_mul_mut(ua.as_mut(), u.as_ref()); nttop.backward(ua.as_mut()); // b*u nttop.forward(ub.as_mut()); modop.elwise_mul_mut(ub.as_mut(), u.as_ref()); nttop.backward(ub.as_mut()); let mut rlwe = M::zeros(2, ring_size); // sample error rlwe.iter_rows_mut().for_each(|ri| { RandomFillGaussianInModulus::<[M::MatElement], CiphertextModulus>::random_fill( rng, &self.pbs_info.parameters.rlwe_q(), ri.as_mut(), ); }); // a*u + e0 modop.elwise_add_mut(rlwe.get_row_mut(0), ua.as_ref()); // b*u + e1 modop.elwise_add_mut(rlwe.get_row_mut(1), ub.as_ref()); //FIXME(Jay): Figure out a way to get Q/8 form modulus let mut m_vec = M::R::zeros(ring_size); izip!(m_vec.as_mut().iter_mut(), m.iter()).for_each(|(m_el, m_bool)| { if *m_bool { // Q/8 *m_el = self.pbs_info.rlwe_q().true_el() } else { // -Q/8 *m_el = self.pbs_info.rlwe_q().false_el() } }); // b*u + e1 + m modop.elwise_add_mut(rlwe.get_row_mut(1), m_vec.as_ref()); // rlwe.set(1, 0, modop.add(rlwe.get(1, 0), &m)); // sample extract index required indices let samples = m.len(); (0..samples) .into_iter() .map(|i| { let mut lwe_out = M::R::zeros(ring_size + 1); sample_extract(&mut lwe_out, &rlwe, modop, i); lwe_out }) .collect_vec() }) } /// TODO(Jay): Fetch client key from thread local pub fn sk_encrypt(&self, m: bool, client_key: &ClientKey) -> M::R { //FIXME(Jay): Figure out a way to get Q/8 form modulus let m = if m { // Q/8 self.pbs_info.rlwe_q().true_el() } else { // -Q/8 self.pbs_info.rlwe_q().false_el() }; DefaultSecureRng::with_local_mut(|rng| { let mut lwe_out = M::R::zeros(self.pbs_info.parameters.rlwe_n().0 + 1); encrypt_lwe( &mut lwe_out, &m, client_key.sk_rlwe().values(), &self.pbs_info.rlwe_modop, rng, ); lwe_out }) } pub fn sk_decrypt(&self, lwe_ct: &M::R, client_key: &ClientKey) -> bool { let m = decrypt_lwe( lwe_ct, client_key.sk_rlwe().values(), &self.pbs_info.rlwe_modop, ); self.pbs_info.rlwe_q().decode(m) } pub(super) fn aggregate_multi_party_server_key_shares( &self, shares: &[CommonReferenceSeededMultiPartyServerKeyShare< M, BoolParameters, S, >], ) -> SeededMultiPartyServerKey> where S: PartialEq + Clone, M: Clone, { assert!(shares.len() > 0); let parameters = shares[0].parameters().clone(); let cr_seed = shares[0].cr_seed(); let rlwe_n = parameters.rlwe_n().0; let g = parameters.g() as isize; let rlwe_q = parameters.rlwe_q(); let lwe_q = parameters.lwe_q(); // sanity checks shares.iter().skip(1).for_each(|s| { assert!(s.parameters() == ¶meters); assert!(s.cr_seed() == cr_seed); }); let rlweq_modop = &self.pbs_info.rlwe_modop; let rlweq_nttop = &self.pbs_info.rlwe_nttop; // auto keys let mut auto_keys = HashMap::new(); let auto_elements_dlog = parameters.auto_element_dlogs(); for i in auto_elements_dlog.into_iter() { let mut key = M::zeros(parameters.auto_decomposition_count().0, rlwe_n); shares.iter().for_each(|s| { let auto_key_share_i = s.auto_keys().get(&i).expect("Auto key {i} missing"); assert!( auto_key_share_i.dimension() == (parameters.auto_decomposition_count().0, rlwe_n) ); izip!(key.iter_rows_mut(), auto_key_share_i.iter_rows()).for_each( |(partb_out, partb_share)| { rlweq_modop.elwise_add_mut(partb_out.as_mut(), partb_share.as_ref()); }, ); }); auto_keys.insert(i, key); } // rgsw ciphertext (most expensive part!) let lwe_n = parameters.lwe_n().0; let rgsw_by_rgsw_decomposer = parameters.rgsw_rgsw_decomposer::>(); let mut scratch_matrix = M::zeros( std::cmp::max( rgsw_by_rgsw_decomposer.a().decomposition_count(), rgsw_by_rgsw_decomposer.b().decomposition_count(), ) + (rgsw_by_rgsw_decomposer.a().decomposition_count() * 2 + rgsw_by_rgsw_decomposer.b().decomposition_count() * 2), rlwe_n, ); let mut tmp_rgsw = RgswCiphertext::::empty(rlwe_n, &rgsw_by_rgsw_decomposer, rlwe_q.clone()).data; let rgsw_cts = (0..lwe_n).into_iter().map(|index| { // copy over rgsw ciphertext for index^th secret element from first share and // treat it as accumulating rgsw ciphertext let mut rgsw_i = shares[0].rgsw_cts()[index].clone(); shares.iter().skip(1).for_each(|si| { // copy over si's RGSW[index] ciphertext and send to evaluation domain izip!(tmp_rgsw.iter_rows_mut(), si.rgsw_cts()[index].iter_rows()).for_each( |(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); rlweq_nttop.forward(to_ri.as_mut()) }, ); rgsw_by_rgsw_inplace( &mut rgsw_i, &tmp_rgsw, &rgsw_by_rgsw_decomposer, &mut scratch_matrix, rlweq_nttop, rlweq_modop, ); }); rgsw_i }); // d_a and d_b may differ for RGSWxRGSW multiplication and RLWExRGSW // multiplication. After this point RGSW ciphertexts will only be used for // RLWExRGSW multiplication (in blind rotation). Thus we drop any additional // RLWE ciphertexts in RGSW ciphertexts after RGSw x RGSW multiplication let (rgswrgsw_d_a, rgswrgsw_d_b) = self.pbs_info.parameters.rgsw_rgsw_decomposition_count(); let (rlrg_d_a, rlrg_d_b) = self.pbs_info.parameters.rlwe_rgsw_decomposition_count(); let rgsw_ct_rows_in = rgswrgsw_d_a.0 * 2 + rgswrgsw_d_b.0 * 2; let rgsw_ct_rows_out = rlrg_d_a.0 * 2 + rlrg_d_b.0 * 2; assert!(rgswrgsw_d_a.0 >= rlrg_d_a.0, "RGSWxRGSW part A decomposition count {} must be >= RLWExRGSW part A decomposition count {}", rgswrgsw_d_a.0 , rlrg_d_a.0); assert!(rgswrgsw_d_b.0 >= rlrg_d_b.0, "RGSWxRGSW part B decomposition count {} must be >= RLWExRGSW part B decomposition count {}", rgswrgsw_d_b.0 , rlrg_d_b.0); let rgsw_cts = rgsw_cts .map(|ct_i_in| { assert!(ct_i_in.dimension() == (rgsw_ct_rows_in, rlwe_n)); let mut reduced_ct_i_out = M::zeros(rgsw_ct_rows_out, rlwe_n); // RLWE'(-sm) part A izip!( reduced_ct_i_out.iter_rows_mut().take(rlrg_d_a.0), ct_i_in .iter_rows() .skip(rgswrgsw_d_a.0 - rlrg_d_a.0) .take(rlrg_d_a.0) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // RLWE'(-sm) part B izip!( reduced_ct_i_out .iter_rows_mut() .skip(rlrg_d_a.0) .take(rlrg_d_a.0), ct_i_in .iter_rows() .skip(rgswrgsw_d_a.0 + (rgswrgsw_d_a.0 - rlrg_d_a.0)) .take(rlrg_d_a.0) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // RLWE'(m) Part A izip!( reduced_ct_i_out .iter_rows_mut() .skip(rlrg_d_a.0 * 2) .take(rlrg_d_b.0), ct_i_in .iter_rows() .skip(rgswrgsw_d_a.0 * 2 + (rgswrgsw_d_b.0 - rlrg_d_b.0)) .take(rlrg_d_b.0) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); // RLWE'(m) Part B izip!( reduced_ct_i_out .iter_rows_mut() .skip(rlrg_d_a.0 * 2 + rlrg_d_b.0) .take(rlrg_d_b.0), ct_i_in .iter_rows() .skip(rgswrgsw_d_a.0 * 2 + rgswrgsw_d_b.0 + (rgswrgsw_d_b.0 - rlrg_d_b.0)) .take(rlrg_d_b.0) ) .for_each(|(to_ri, from_ri)| { to_ri.as_mut().copy_from_slice(from_ri.as_ref()); }); reduced_ct_i_out }) .collect_vec(); // LWE ksks let mut lwe_ksk = M::R::zeros(rlwe_n * parameters.lwe_decomposition_count().0); let lweq_modop = &self.pbs_info.lwe_modop; shares.iter().for_each(|si| { assert!(si.lwe_ksk().as_ref().len() == rlwe_n * parameters.lwe_decomposition_count().0); lweq_modop.elwise_add_mut(lwe_ksk.as_mut(), si.lwe_ksk().as_ref()) }); SeededMultiPartyServerKey::new(rgsw_cts, auto_keys, lwe_ksk, cr_seed.clone(), parameters) } } impl BoolEvaluator where M: MatrixMut + MatrixEntity, M::R: RowMut + RowEntity, M::MatElement: PrimInt + FromPrimitive + One + Copy + Zero + Display + WrappingSub + NumInfo, RlweModOp: VectorOps + ArithmeticOps + GetModulus>, LweModOp: VectorOps + ArithmeticOps + GetModulus>, NttOp: Ntt, { /// Returns c0 + c1 + Q/4 fn _add_and_shift_lwe_cts(&self, c0: &mut M::R, c1: &M::R) { let modop = &self.pbs_info.rlwe_modop; modop.elwise_add_mut(c0.as_mut(), c1.as_ref()); // +Q/4 c0.as_mut()[0] = modop.add(&c0.as_ref()[0], &self.pbs_info.rlwe_qby4); } /// Returns 2(c0 - c1) + Q/4 fn _subtract_double_lwe_cts(&self, c0: &mut M::R, c1: &M::R) { let modop = &self.pbs_info.rlwe_modop; // c0 - c1 modop.elwise_sub_mut(c0.as_mut(), c1.as_ref()); // double c0.as_mut().iter_mut().for_each(|v| *v = modop.add(v, v)); } } impl BooleanGates for BoolEvaluator where M: MatrixMut + MatrixEntity, M::R: RowMut + RowEntity + Clone, M::MatElement: PrimInt + FromPrimitive + One + Copy + Zero + Display + WrappingSub + NumInfo + From, RlweModOp: VectorOps + ArithmeticOps + GetModulus>, LweModOp: VectorOps + ArithmeticOps + GetModulus>, NttOp: Ntt, { type Ciphertext = M::R; type Key = ServerKeyEvaluationDomain; fn nand_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._add_and_shift_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.nand_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ); } fn and_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._add_and_shift_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.and_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ); } fn or_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._add_and_shift_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.or_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ); } fn nor_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._add_and_shift_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.nor_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ) } fn xor_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._subtract_double_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.xor_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ); } fn xnor_inplace( &mut self, c0: &mut M::R, c1: &M::R, server_key: &ServerKeyEvaluationDomain, ) { self._subtract_double_lwe_cts(c0, c1); // PBS pbs( &self.pbs_info, &self.xnor_test_vec, c0, server_key, &mut self.scratch_memory.lwe_vector, &mut self.scratch_memory.decomposition_matrix, ); } fn not_inplace(&mut self, c0: &mut M::R) { let modop = &self.pbs_info.rlwe_modop; c0.as_mut().iter_mut().for_each(|v| *v = modop.neg(v)); } fn and( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.and_inplace(&mut out, c1, key); out } fn nand( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.nand_inplace(&mut out, c1, key); out } fn or( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.or_inplace(&mut out, c1, key); out } fn nor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.nor_inplace(&mut out, c1, key); out } fn xnor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.xnor_inplace(&mut out, c1, key); out } fn xor( &mut self, c0: &Self::Ciphertext, c1: &Self::Ciphertext, key: &Self::Key, ) -> Self::Ciphertext { let mut out = c0.clone(); self.xor_inplace(&mut out, c1, key); out } fn not(&mut self, c: &Self::Ciphertext) -> Self::Ciphertext { let mut out = c.clone(); self.not_inplace(&mut out); out } } #[cfg(test)] mod tests { use bool::parameters::{MP_BOOL_PARAMS, SP_BOOL_PARAMS}; use rand::{thread_rng, Rng}; use rand_distr::Uniform; use crate::{ backend::{GetModulus, ModInit, ModularOpsU64, WordSizeModulus}, bool::{ self, CommonReferenceSeededMultiPartyServerKeyShare, PublicKey, SeededMultiPartyServerKey, }, ntt::NttBackendU64, random::{RandomElementInModulus, DEFAULT_RNG}, rgsw::{ self, measure_noise, public_key_encrypt_rlwe, secret_key_encrypt_rlwe, tests::{_measure_noise_rgsw, _sk_encrypt_rlwe}, RgswCiphertext, RgswCiphertextEvaluationDomain, SeededRgswCiphertext, SeededRlweCiphertext, }, utils::{negacyclic_mul, Stats}, }; use super::*; #[test] fn bool_encrypt_decrypt_works() { let bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(SP_BOOL_PARAMS); let client_key = bool_evaluator.client_key(); let mut m = true; for _ in 0..1000 { let lwe_ct = bool_evaluator.sk_encrypt(m, &client_key); let m_back = bool_evaluator.sk_decrypt(&lwe_ct, &client_key); assert_eq!(m, m_back); m = !m; } } #[test] fn bool_nand() { let mut bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(SP_BOOL_PARAMS); // println!("{:?}", bool_evaluator.nand_test_vec); let client_key = bool_evaluator.client_key(); let seeded_server_key = bool_evaluator.server_key(&client_key); let server_key_eval_domain = ServerKeyEvaluationDomain::<_, DefaultSecureRng, NttBackendU64>::from( &seeded_server_key, ); let mut m0 = false; let mut m1 = true; let mut ct0 = bool_evaluator.sk_encrypt(m0, &client_key); let mut ct1 = bool_evaluator.sk_encrypt(m1, &client_key); for _ in 0..500 { let ct_back = bool_evaluator.nand(&ct0, &ct1, &server_key_eval_domain); let m_out = !(m0 && m1); let m_back = bool_evaluator.sk_decrypt(&ct_back, &client_key); assert!(m_out == m_back, "Expected {m_out}, got {m_back}"); m1 = m0; m0 = m_out; ct1 = ct0; ct0 = ct_back; } } #[test] fn bool_xor() { let mut bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(SP_BOOL_PARAMS); // println!("{:?}", bool_evaluator.nand_test_vec); let client_key = bool_evaluator.client_key(); let seeded_server_key = bool_evaluator.server_key(&client_key); let server_key_eval_domain = ServerKeyEvaluationDomain::<_, DefaultSecureRng, NttBackendU64>::from( &seeded_server_key, ); let mut m0 = false; let mut m1 = true; let mut ct0 = bool_evaluator.sk_encrypt(m0, &client_key); let mut ct1 = bool_evaluator.sk_encrypt(m1, &client_key); for _ in 0..1000 { let ct_back = bool_evaluator.xor(&ct0, &ct1, &server_key_eval_domain); let m_out = (m0 ^ m1); let m_back = bool_evaluator.sk_decrypt(&ct_back, &client_key); assert!(m_out == m_back, "Expected {m_out}, got {m_back}"); m1 = m0; m0 = m_out; ct1 = ct0; ct0 = ct_back; } } #[test] fn multi_party_encryption_decryption() { let bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(MP_BOOL_PARAMS); let no_of_parties = 500; let parties = (0..no_of_parties) .map(|_| bool_evaluator.client_key()) .collect_vec(); let mut ideal_rlwe_sk = vec![0i32; bool_evaluator.pbs_info.rlwe_n()]; parties.iter().for_each(|k| { izip!(ideal_rlwe_sk.iter_mut(), k.sk_rlwe().values()).for_each(|(ideal_i, s_i)| { *ideal_i = *ideal_i + s_i; }); }); let mut m = true; for i in 0..100 { let pk_cr_seed = [0u8; 32]; let public_key_share = parties .iter() .map(|k| bool_evaluator.multi_party_public_key_share(pk_cr_seed, k)) .collect_vec(); let collective_pk = PublicKey::< Vec>, DefaultSecureRng, ModularOpsU64>, >::from(public_key_share.as_slice()); let lwe_ct = bool_evaluator.pk_encrypt(collective_pk.key(), m); let decryption_shares = parties .iter() .map(|k| bool_evaluator.multi_party_decryption_share(&lwe_ct, k)) .collect_vec(); let m_back = bool_evaluator.multi_party_decrypt(&decryption_shares, &lwe_ct); { let ideal_m = if m { bool_evaluator.pbs_info.parameters.rlwe_q().true_el() } else { bool_evaluator.pbs_info.parameters.rlwe_q().false_el() }; let noise = measure_noise_lwe( &lwe_ct, &ideal_rlwe_sk, &bool_evaluator.pbs_info.rlwe_modop, &ideal_m, ); println!("Noise: {noise}"); } assert_eq!(m_back, m); m = !m; } } fn _collecitve_public_key_gen(rlwe_q: u64, parties_rlwe_sk: &[RlweSecret]) -> Vec> { let ring_size = parties_rlwe_sk[0].values.len(); assert!(ring_size.is_power_of_two()); let mut rng = DefaultSecureRng::new(); let nttop = NttBackendU64::new(&rlwe_q, ring_size); let modop = ModularOpsU64::new(rlwe_q); // Generate Pk shares let pk_seed = [0u8; 32]; let pk_shares = parties_rlwe_sk.iter().map(|sk| { let mut p_rng = DefaultSecureRng::new_seeded(pk_seed); let mut share_out = vec![0u64; ring_size]; public_key_share( &mut share_out, sk.values(), &modop, &nttop, &mut p_rng, &mut rng, ); share_out }); let mut pk_part_b = vec![0u64; ring_size]; pk_shares.for_each(|share| modop.elwise_add_mut(&mut pk_part_b, &share)); let mut pk_part_a = vec![0u64; ring_size]; let mut p_rng = DefaultSecureRng::new_seeded(pk_seed); RandomFillUniformInModulus::random_fill(&mut p_rng, &rlwe_q, pk_part_a.as_mut_slice()); vec![pk_part_a, pk_part_b] } fn _multi_party_all_keygen( bool_evaluator: &BoolEvaluator< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >, no_of_parties: usize, ) -> ( Vec, PublicKey>, DefaultSecureRng, ModularOpsU64>>, Vec< CommonReferenceSeededMultiPartyServerKeyShare< Vec>, BoolParameters, [u8; 32], >, >, SeededMultiPartyServerKey>, [u8; 32], BoolParameters>, ServerKeyEvaluationDomain>, DefaultSecureRng, NttBackendU64>, ClientKey, ) { let parties = (0..no_of_parties) .map(|_| bool_evaluator.client_key()) .collect_vec(); let mut rng = DefaultSecureRng::new(); // Collective public key let mut pk_cr_seed = [0u8; 32]; rng.fill_bytes(&mut pk_cr_seed); let public_key_share = parties .iter() .map(|k| bool_evaluator.multi_party_public_key_share(pk_cr_seed, k)) .collect_vec(); let collective_pk = PublicKey::>, DefaultSecureRng, _>::from(public_key_share.as_slice()); // Server key let mut pbs_cr_seed = [0u8; 32]; rng.fill_bytes(&mut pbs_cr_seed); let server_key_shares = parties .iter() .map(|k| { bool_evaluator.multi_party_server_key_share(pbs_cr_seed, &collective_pk.key(), k) }) .collect_vec(); let seeded_server_key = bool_evaluator.aggregate_multi_party_server_key_shares(&server_key_shares); let server_key_eval = ServerKeyEvaluationDomain::<_, DefaultSecureRng, NttBackendU64>::from( &seeded_server_key, ); // construct ideal rlwe sk for meauring noise let ideal_client_key = { let mut ideal_rlwe_sk = vec![0i32; bool_evaluator.pbs_info.rlwe_n()]; parties.iter().for_each(|k| { izip!(ideal_rlwe_sk.iter_mut(), k.sk_rlwe().values()).for_each(|(ideal_i, s_i)| { *ideal_i = *ideal_i + s_i; }); }); let mut ideal_lwe_sk = vec![0i32; bool_evaluator.pbs_info.lwe_n()]; parties.iter().for_each(|k| { izip!(ideal_lwe_sk.iter_mut(), k.sk_lwe().values()).for_each(|(ideal_i, s_i)| { *ideal_i = *ideal_i + s_i; }); }); ClientKey::new( RlweSecret { values: ideal_rlwe_sk, }, LweSecret { values: ideal_lwe_sk, }, ) }; ( parties, collective_pk, server_key_shares, seeded_server_key, server_key_eval, ideal_client_key, ) } #[test] fn multi_party_nand() { let mut bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(MP_BOOL_PARAMS); let (parties, collective_pk, _, _, server_key_eval, ideal_client_key) = _multi_party_all_keygen(&bool_evaluator, 2); let mut m0 = true; let mut m1 = false; let mut lwe0 = bool_evaluator.pk_encrypt(collective_pk.key(), m0); let mut lwe1 = bool_evaluator.pk_encrypt(collective_pk.key(), m1); for _ in 0..2000 { let lwe_out = bool_evaluator.nand(&lwe0, &lwe1, &server_key_eval); let m_expected = !(m0 & m1); // multi-party decrypt let decryption_shares = parties .iter() .map(|k| bool_evaluator.multi_party_decryption_share(&lwe_out, k)) .collect_vec(); let m_back = bool_evaluator.multi_party_decrypt(&decryption_shares, &lwe_out); // let m_back = bool_evaluator.sk_decrypt(&lwe_out, &ideal_client_key); assert!(m_expected == m_back, "Expected {m_expected}, got {m_back}"); m1 = m0; m0 = m_expected; lwe1 = lwe0; lwe0 = lwe_out; } } #[test] fn noise_tester() { let bool_evaluator = BoolEvaluator::< Vec>, NttBackendU64, ModularOpsU64>, ModularOpsU64>, >::new(SP_BOOL_PARAMS); // let (_, collective_pk, _, _, server_key_eval, ideal_client_key) = // _multi_party_all_keygen(&bool_evaluator, 20); let no_of_parties = 2; let lwe_q = bool_evaluator.pbs_info.parameters.lwe_q(); let rlwe_q = bool_evaluator.pbs_info.parameters.rlwe_q(); let lwe_n = bool_evaluator.pbs_info.parameters.lwe_n().0; let rlwe_n = bool_evaluator.pbs_info.parameters.rlwe_n().0; let lwe_modop = &bool_evaluator.pbs_info.lwe_modop; let rlwe_nttop = &bool_evaluator.pbs_info.rlwe_nttop; let rlwe_modop = &bool_evaluator.pbs_info.rlwe_modop; // let rgsw_rgsw_decomposer = &bool_evaluator // .pbs_info // .parameters // .rgsw_rgsw_decomposer::>(); // let rgsw_rgsw_gadget_a = rgsw_rgsw_decomposer.0.gadget_vector(); // let rgsw_rgsw_gadget_b = rgsw_rgsw_decomposer.1.gadget_vector(); let rlwe_rgsw_decomposer = &bool_evaluator.pbs_info.rlwe_rgsw_decomposer; let rlwe_rgsw_gadget_a = rlwe_rgsw_decomposer.0.gadget_vector(); let rlwe_rgsw_gadget_b = rlwe_rgsw_decomposer.1.gadget_vector(); let auto_decomposer = &bool_evaluator.pbs_info.auto_decomposer; let auto_gadget = auto_decomposer.gadget_vector(); let parties = (0..no_of_parties) .map(|_| bool_evaluator.client_key()) .collect_vec(); let ideal_client_key = { let mut ideal_rlwe_sk = vec![0i32; bool_evaluator.pbs_info.rlwe_n()]; parties.iter().for_each(|k| { izip!(ideal_rlwe_sk.iter_mut(), k.sk_rlwe().values()).for_each(|(ideal_i, s_i)| { *ideal_i = *ideal_i + s_i; }); }); let mut ideal_lwe_sk = vec![0i32; bool_evaluator.pbs_info.lwe_n()]; parties.iter().for_each(|k| { izip!(ideal_lwe_sk.iter_mut(), k.sk_lwe().values()).for_each(|(ideal_i, s_i)| { *ideal_i = *ideal_i + s_i; }); }); ClientKey::new( RlweSecret { values: ideal_rlwe_sk, }, LweSecret { values: ideal_lwe_sk, }, ) }; // check noise in freshly encrypted RLWE ciphertext (ie var_fresh) if true { let mut rng = DefaultSecureRng::new(); let mut check = Stats { samples: vec![] }; for _ in 0..10 { // generate a new collective public key let mut pk_cr_seed = [0u8; 32]; rng.fill_bytes(&mut pk_cr_seed); let public_key_share = parties .iter() .map(|k| bool_evaluator.multi_party_public_key_share(pk_cr_seed, k)) .collect_vec(); let collective_pk = PublicKey::< Vec>, DefaultSecureRng, ModularOpsU64>, >::from(public_key_share.as_slice()); let mut m = vec![0u64; rlwe_n]; RandomFillUniformInModulus::random_fill(&mut rng, rlwe_q, m.as_mut_slice()); let mut rlwe_ct = vec![vec![0u64; rlwe_n]; 2]; public_key_encrypt_rlwe::<_, _, _, _, i32, _>( &mut rlwe_ct, collective_pk.key(), &m, rlwe_modop, rlwe_nttop, &mut rng, ); let mut m_back = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_back, rlwe_nttop, rlwe_modop, ); rlwe_modop.elwise_sub_mut(m_back.as_mut_slice(), m.as_slice()); check.add_more(Vec::::try_convert_from(&m_back, rlwe_q).as_slice()); } println!("Public key Std: {}", check.std_dev().abs().log2()); } if true { // Generate server key shares let mut rng = DefaultSecureRng::new(); let mut pk_cr_seed = [0u8; 32]; rng.fill_bytes(&mut pk_cr_seed); let public_key_share = parties .iter() .map(|k| bool_evaluator.multi_party_public_key_share(pk_cr_seed, k)) .collect_vec(); let collective_pk = PublicKey::< Vec>, DefaultSecureRng, ModularOpsU64>, >::from(public_key_share.as_slice()); let pbs_cr_seed = [0u8; 32]; rng.fill_bytes(&mut pk_cr_seed); let server_key_shares = parties .iter() .map(|k| { bool_evaluator.multi_party_server_key_share(pbs_cr_seed, collective_pk.key(), k) }) .collect_vec(); let seeded_server_key = bool_evaluator.aggregate_multi_party_server_key_shares(&server_key_shares); // Check noise in RGSW ciphertexts of ideal LWE secret elements if false { let mut check = Stats { samples: vec![] }; izip!( ideal_client_key.sk_lwe().values.iter(), seeded_server_key.rgsw_cts().iter() ) .for_each(|(s_i, rgsw_ct_i)| { // X^{s[i]} let mut m_si = vec![0u64; rlwe_n]; let s_i = *s_i * (bool_evaluator.pbs_info.embedding_factor as i32); if s_i < 0 { m_si[rlwe_n - (s_i.abs() as usize)] = rlwe_q.neg_one(); } else { m_si[s_i as usize] = 1; } // RLWE'(-sm) let mut neg_s_eval = Vec::::try_convert_from(ideal_client_key.sk_rlwe().values(), rlwe_q); rlwe_modop.elwise_neg_mut(&mut neg_s_eval); rlwe_nttop.forward(&mut neg_s_eval); for j in 0..rlwe_rgsw_decomposer.a().decomposition_count() { // RLWE(B^{j} * -s[X]*X^{s_lwe[i]}) // -s[X]*X^{s_lwe[i]}*B_j let mut m_ideal = m_si.clone(); rlwe_nttop.forward(m_ideal.as_mut_slice()); rlwe_modop.elwise_mul_mut(m_ideal.as_mut_slice(), neg_s_eval.as_slice()); rlwe_nttop.backward(m_ideal.as_mut_slice()); rlwe_modop .elwise_scalar_mul_mut(m_ideal.as_mut_slice(), &rlwe_rgsw_gadget_a[j]); // RLWE(-s*X^{s_lwe[i]}*B_j) let mut rlwe_ct = vec![vec![0u64; rlwe_n]; 2]; rlwe_ct[0].copy_from_slice(&rgsw_ct_i[j]); rlwe_ct[1].copy_from_slice( &rgsw_ct_i[j + rlwe_rgsw_decomposer.a().decomposition_count()], ); let mut m_back = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_back, rlwe_nttop, rlwe_modop, ); // diff rlwe_modop.elwise_sub_mut(&mut m_back, &m_ideal); check.add_more(&Vec::::try_convert_from(&m_back, rlwe_q)); } // RLWE'(m) for j in 0..rlwe_rgsw_decomposer.b().decomposition_count() { // RLWE(B^{j} * X^{s_lwe[i]}) // X^{s_lwe[i]}*B_j let mut m_ideal = m_si.clone(); rlwe_modop .elwise_scalar_mul_mut(m_ideal.as_mut_slice(), &rlwe_rgsw_gadget_b[j]); // RLWE(X^{s_lwe[i]}*B_j) let mut rlwe_ct = vec![vec![0u64; rlwe_n]; 2]; rlwe_ct[0].copy_from_slice( &rgsw_ct_i[j + (2 * rlwe_rgsw_decomposer.a().decomposition_count())], ); rlwe_ct[1].copy_from_slice( &rgsw_ct_i[j + (2 * rlwe_rgsw_decomposer.a().decomposition_count() + rlwe_rgsw_decomposer.b().decomposition_count())], ); let mut m_back = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_back, rlwe_nttop, rlwe_modop, ); // diff rlwe_modop.elwise_sub_mut(&mut m_back, &m_ideal); check.add_more(&Vec::::try_convert_from(&m_back, rlwe_q)); } }); println!( "RGSW Std: {} {} ;; max={}", check.mean(), check.std_dev().abs().log2(), check.samples.iter().max().unwrap() ); } // server key in Evaluation domain let server_key_eval_domain = ServerKeyEvaluationDomain::<_, DefaultSecureRng, NttBackendU64>::from( &seeded_server_key, ); // check noise in RLWE x RGSW(X^{s_i}) where RGSW is accunulated RGSW ciphertext if false { let mut check = Stats { samples: vec![] }; izip!( ideal_client_key.sk_lwe().values(), server_key_eval_domain.rgsw_cts().iter() ) .for_each(|(s_i, rgsw_ct_i)| { let mut m = vec![0u64; rlwe_n]; RandomFillUniformInModulus::random_fill(&mut rng, rlwe_q, m.as_mut_slice()); let mut rlwe_ct = vec![vec![0u64; rlwe_n]; 2]; public_key_encrypt_rlwe::<_, _, _, _, i32, _>( &mut rlwe_ct, collective_pk.key(), &m, rlwe_modop, rlwe_nttop, &mut rng, ); // RLWE(m*X^{s[i]}) = RLWE(m) x RGSW(X^{s[i]}) // let mut rlwe_after = RlweCiphertext::<_, DefaultSecureRng>::new_trivial(vec![ // vec![0u64; rlwe_n], // m.clone(), // ]); let mut rlwe_after = RlweCiphertext::<_, DefaultSecureRng> { data: rlwe_ct.clone(), is_trivial: false, _phatom: PhantomData, }; let mut scratch = vec![ vec![0u64; rlwe_n]; std::cmp::max( rlwe_rgsw_decomposer.0.decomposition_count(), rlwe_rgsw_decomposer.1.decomposition_count() ) + 2 ]; rlwe_by_rgsw( &mut rlwe_after, rgsw_ct_i, &mut scratch, rlwe_rgsw_decomposer, rlwe_nttop, rlwe_modop, ); // m1 = X^{s[i]} let mut m1 = vec![0u64; rlwe_n]; let s_i = *s_i * (bool_evaluator.pbs_info.embedding_factor as i32); if s_i < 0 { m1[rlwe_n - (s_i.abs() as usize)] = rlwe_q.neg_one() } else { m1[s_i as usize] = 1; } // (m+e) * m1 let mut m_plus_e_times_m1 = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_plus_e_times_m1, rlwe_nttop, rlwe_modop, ); rlwe_nttop.forward(m_plus_e_times_m1.as_mut_slice()); rlwe_nttop.forward(m1.as_mut_slice()); rlwe_modop.elwise_mul_mut(m_plus_e_times_m1.as_mut_slice(), m1.as_slice()); rlwe_nttop.backward(m_plus_e_times_m1.as_mut_slice()); // Resulting RLWE ciphertext will equal: (m0m1 + em1) + e_{rlsw x rgsw}. // Hence, resulting rlwe ciphertext will have error em1 + e_{rlwe x rgsw}. // Here we're only concerned with e_{rlwe x rgsw}, that is noise added by // RLWExRGSW. Also note in practice m1 is a monomial, for ex, X^{s_{i}}, for // some i and var(em1) = var(e). let mut m_plus_e_times_m1_more_e = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_after, ideal_client_key.sk_rlwe().values(), &mut m_plus_e_times_m1_more_e, rlwe_nttop, rlwe_modop, ); // diff rlwe_modop.elwise_sub_mut( m_plus_e_times_m1_more_e.as_mut_slice(), m_plus_e_times_m1.as_slice(), ); // let noise = measure_noise( // &rlwe_after, // &m_plus_e_times_m1, // rlwe_nttop, // rlwe_modop, // ideal_client_key.sk_rlwe.values(), // ); // print!("NOISE: {}", noise); check.add_more(&Vec::::try_convert_from( &m_plus_e_times_m1_more_e, rlwe_q, )); }); println!( "RLWE x RGSW, where RGSW has noise var_brk, std: {} {}", check.std_dev(), check.std_dev().abs().log2() ) } // check noise in Auto key if false { let mut check = Stats { samples: vec![] }; let mut neg_s_poly = Vec::::try_convert_from(ideal_client_key.sk_rlwe().values(), rlwe_q); rlwe_modop.elwise_neg_mut(neg_s_poly.as_mut_slice()); let g = bool_evaluator.pbs_info.g(); let br_q = bool_evaluator.pbs_info.br_q(); let auto_element_dlogs = bool_evaluator.pbs_info.parameters.auto_element_dlogs(); for i in auto_element_dlogs.into_iter() { let g_pow = if i == 0 { -g } else { (((g as usize).pow(i as u32)) % br_q) as isize }; // -s[X^k] let (auto_indices, auto_sign) = generate_auto_map(rlwe_n, g_pow); let mut neg_s_poly_auto_i = vec![0u64; rlwe_n]; izip!(neg_s_poly.iter(), auto_indices.iter(), auto_sign.iter()).for_each( |(v, to_i, to_sign)| { if !to_sign { neg_s_poly_auto_i[*to_i] = rlwe_modop.neg(v); } else { neg_s_poly_auto_i[*to_i] = *v; } }, ); let mut auto_key_i = server_key_eval_domain.galois_key_for_auto(i).clone(); // send i^th auto key to coefficient domain auto_key_i .iter_mut() .for_each(|r| rlwe_nttop.backward(r.as_mut_slice())); auto_gadget.iter().enumerate().for_each(|(i, b_i)| { // B^i * -s[X^k] let mut m_ideal = neg_s_poly_auto_i.clone(); rlwe_modop.elwise_scalar_mul_mut(m_ideal.as_mut_slice(), b_i); let mut m_out = vec![0u64; rlwe_n]; let mut rlwe_ct = vec![vec![0u64; rlwe_n]; 2]; rlwe_ct[0].copy_from_slice(&auto_key_i[i]); rlwe_ct[1].copy_from_slice( &auto_key_i[auto_decomposer.decomposition_count() + i], ); decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_out, rlwe_nttop, rlwe_modop, ); // diff rlwe_modop.elwise_sub_mut(m_out.as_mut_slice(), m_ideal.as_slice()); check.add_more(&Vec::::try_convert_from(&m_out, rlwe_q)); }); } println!("Auto key noise std dev: {}", check.std_dev().abs().log2()); } // check noise in RLWE(X^k) after sending RLWE(X) -> RLWE(X^k) using collective // auto key if true { let mut check = Stats { samples: vec![] }; let br_q = bool_evaluator.pbs_info.br_q(); let g = bool_evaluator.pbs_info.g(); let auto_element_dlogs = bool_evaluator.pbs_info.parameters.auto_element_dlogs(); for i in auto_element_dlogs.into_iter() { for _ in 0..10 { let mut m = vec![0u64; rlwe_n]; RandomFillUniformInModulus::random_fill(&mut rng, rlwe_q, m.as_mut_slice()); let mut rlwe_ct = RlweCiphertext::<_, DefaultSecureRng> { data: vec![vec![0u64; rlwe_n]; 2], is_trivial: false, _phatom: PhantomData, }; public_key_encrypt_rlwe::<_, _, _, _, i32, _>( &mut rlwe_ct, collective_pk.key(), &m, rlwe_modop, rlwe_nttop, &mut rng, ); // We're only interested in noise increased as a result of automorphism. // Hence, we take m+e as the bench. let mut m_plus_e = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_plus_e, rlwe_nttop, rlwe_modop, ); let auto_key = server_key_eval_domain.galois_key_for_auto(i); let (auto_map_index, auto_map_sign) = bool_evaluator.pbs_info.rlwe_auto_map(i); let mut scratch = vec![vec![0u64; rlwe_n]; auto_decomposer.decomposition_count() + 2]; galois_auto( &mut rlwe_ct, auto_key, &mut scratch, &auto_map_index, &auto_map_sign, rlwe_modop, rlwe_nttop, auto_decomposer, ); // send m+e from X to X^k let mut m_plus_e_auto = vec![0u64; rlwe_n]; izip!(m_plus_e.iter(), auto_map_index.iter(), auto_map_sign.iter()) .for_each(|(v, to_index, to_sign)| { if !to_sign { m_plus_e_auto[*to_index] = rlwe_modop.neg(v); } else { m_plus_e_auto[*to_index] = *v } }); let mut m_out = vec![0u64; rlwe_n]; decrypt_rlwe( &rlwe_ct, ideal_client_key.sk_rlwe().values(), &mut m_out, rlwe_nttop, rlwe_modop, ); // diff rlwe_modop.elwise_sub_mut(m_out.as_mut_slice(), m_plus_e_auto.as_slice()); check.add_more(&Vec::::try_convert_from(m_out.as_slice(), rlwe_q)); } } println!("Rlwe Auto Noise Std: {}", check.std_dev().abs().log2()); } // Check noise growth in ksk // TODO check in LWE key switching keys if true { // 1. encrypt LWE ciphertext // 2. Key switching // 3. let mut check = Stats { samples: vec![] }; for _ in 0..1024 { // Encrypt m \in Q_{ks} using RLWE sk let mut lwe_in_ct = vec![0u64; rlwe_n + 1]; let m = RandomElementInModulus::random(&mut rng, &lwe_q.q().unwrap()); encrypt_lwe( &mut lwe_in_ct, &m, ideal_client_key.sk_rlwe().values(), lwe_modop, &mut rng, ); // Key switch let mut lwe_out = vec![0u64; lwe_n + 1]; lwe_key_switch( &mut lwe_out, &lwe_in_ct, server_key_eval_domain.lwe_ksk(), lwe_modop, bool_evaluator.pbs_info.lwe_decomposer(), ); // We only care about noise added by LWE key switch // m+e let m_plus_e = decrypt_lwe(&lwe_in_ct, ideal_client_key.sk_rlwe().values(), lwe_modop); let m_plus_e_plus_lwe_ksk_noise = decrypt_lwe(&lwe_out, ideal_client_key.sk_lwe().values(), lwe_modop); let diff = lwe_modop.sub(&m_plus_e_plus_lwe_ksk_noise, &m_plus_e); check.add_more(&vec![lwe_q.map_element_to_i64(&diff)]); } println!("Lwe ksk std dev: {}", check.std_dev().abs().log2()); } } // Check noise in fresh RGSW ciphertexts, ie X^{s_j[i]}, must equal noise in // fresh RLWE ciphertext if true {} // test LWE ksk from RLWE -> LWE // if false { // let logp = 2; // let mut rng = DefaultSecureRng::new(); // let m = 1; // let encoded_m = m << (lwe_logq - logp); // // Encrypt // let mut lwe_ct = vec![0u64; rlwe_n + 1]; // encrypt_lwe( // &mut lwe_ct, // &encoded_m, // ideal_client_key.sk_rlwe.values(), // lwe_modop, // &mut rng, // ); // // key switch // let lwe_decomposer = &bool_evaluator.decomposer_lwe; // let mut lwe_out = vec![0u64; lwe_n + 1]; // lwe_key_switch( // &mut lwe_out, // &lwe_ct, // &server_key_eval.lwe_ksk, // lwe_modop, // lwe_decomposer, // ); // let encoded_m_back = decrypt_lwe(&lwe_out, // ideal_client_key.sk_lwe.values(), lwe_modop); let m_back // = ((encoded_m_back as f64 * (1 << logp) as f64) / // (lwe_q as f64)).round() as u64; dbg!(m_back, m); // let noise = measure_noise_lwe( // &lwe_out, // ideal_client_key.sk_lwe.values(), // lwe_modop, // &encoded_m, // ); // println!("Noise: {noise}"); // } // Measure noise in RGSW ciphertexts of ideal LWE secrets // if true { // let gadget_vec = gadget_vector( // bool_evaluator.parameters.rlwe_logq, // bool_evaluator.parameters.logb_rgsw, // bool_evaluator.parameters.d_rgsw, // ); // for i in 0..20 { // // measure noise in RGSW(s[i]) // let si = // ideal_client_key.sk_lwe.values[i] * // (bool_evaluator.embedding_factor as i32); let mut // si_poly = vec![0u64; rlwe_n]; if si < 0 { // si_poly[rlwe_n - (si.abs() as usize)] = rlwe_q - 1; // } else { // si_poly[(si.abs() as usize)] = 1; // } // let mut rgsw_si = server_key_eval.rgsw_cts[i].clone(); // rgsw_si // .iter_mut() // .for_each(|ri| rlwe_nttop.backward(ri.as_mut())); // println!("####### Noise in RGSW(X^s_{i}) #######"); // _measure_noise_rgsw( // &rgsw_si, // &si_poly, // ideal_client_key.sk_rlwe.values(), // &gadget_vec, // rlwe_q, // ); // println!("####### ##################### #######"); // } // } // // measure noise grwoth in RLWExRGSW // if true { // let mut rng = DefaultSecureRng::new(); // let mut carry_m = vec![0u64; rlwe_n]; // RandomUniformDist1::random_fill(&mut rng, &rlwe_q, // carry_m.as_mut_slice()); // // RGSW(carrym) // let trivial_rlwect = vec![vec![0u64; rlwe_n], carry_m.clone()]; // let mut rlwe_ct = RlweCiphertext::<_, // DefaultSecureRng>::from_raw(trivial_rlwect, true); // let mut scratch_matrix_dplus2_ring = vec![vec![0u64; rlwe_n]; // d_rgsw + 2]; let mul_mod = // |v0: &u64, v1: &u64| (((*v0 as u128 * *v1 as u128) % (rlwe_q as u128)) as u64); // for i in 0..bool_evaluator.parameters.lwe_n { // rlwe_by_rgsw( // &mut rlwe_ct, // server_key_eval.rgsw_ct_lwe_si(i), // &mut scratch_matrix_dplus2_ring, // rlwe_decomposer, // rlwe_nttop, // rlwe_modop, // ); // // carry_m[X] * s_i[X] // let si = // ideal_client_key.sk_lwe.values[i] * // (bool_evaluator.embedding_factor as i32); let mut // si_poly = vec![0u64; rlwe_n]; if si < 0 { // si_poly[rlwe_n - (si.abs() as usize)] = rlwe_q - 1; // } else { // si_poly[(si.abs() as usize)] = 1; // } // carry_m = negacyclic_mul(&carry_m, &si_poly, mul_mod, // rlwe_q); // let noise = measure_noise( // &rlwe_ct, // &carry_m, // rlwe_nttop, // rlwe_modop, // ideal_client_key.sk_rlwe.values(), // ); // println!("Noise RLWE(carry_m) accumulating {i}^th secret // monomial: {noise}"); } // } // // Check galois keys // if false { // let g = bool_evaluator.g() as isize; // let mut rng = DefaultSecureRng::new(); // let mut scratch_matrix_dplus2_ring = vec![vec![0u64; rlwe_n]; // d_rgsw + 2]; for i in [g, -g] { // let mut m = vec![0u64; rlwe_n]; // RandomUniformDist1::random_fill(&mut rng, &rlwe_q, // m.as_mut_slice()); let mut rlwe_ct = { // let mut data = vec![vec![0u64; rlwe_n]; 2]; // public_key_encrypt_rlwe( // &mut data, // &collective_pk.key, // &m, // rlwe_modop, // rlwe_nttop, // &mut rng, // ); // RlweCiphertext::<_, DefaultSecureRng>::from_raw(data, // false) }; // let auto_key = server_key_eval.galois_key_for_auto(i); // let (auto_map_index, auto_map_sign) = // generate_auto_map(rlwe_n, i); galois_auto( // &mut rlwe_ct, // auto_key, // &mut scratch_matrix_dplus2_ring, // &auto_map_index, // &auto_map_sign, // rlwe_modop, // rlwe_nttop, // rlwe_decomposer, // ); // // send m(X) -> m(X^i) // let mut m_k = vec![0u64; rlwe_n]; // izip!(m.iter(), auto_map_index.iter(), // auto_map_sign.iter()).for_each( |(mi, to_index, to_sign)| // { if !to_sign { // m_k[*to_index] = rlwe_q - *mi; // } else { // m_k[*to_index] = *mi; // } // }, // ); // // measure noise // let noise = measure_noise( // &rlwe_ct, // &m_k, // rlwe_nttop, // rlwe_modop, // ideal_client_key.sk_rlwe.values(), // ); // println!("Noise after auto k={i}: {noise}"); // } // } } }