Limited number of/accuracy of multiplications.

[allanhungria]

Question

I notice that there's a limitation on the number and accuracy of multiplications that TenSEAL can perform on encrypted data, and I notice that this depends on the coeff_mod_bit_sizes vector as well as the global_scale parameter, but I don't understand this dependence. Could someone please provide a general idea of this dependence? Or at least point me to a good source on the matter?

Further Information

I take a dataframe, encrypt it as a ckks_tensor, and multiply the original dataframe and the ckks_tensor by, say, 0.7. Then I decrypt it and check it against the original, and it's quite close. Then I multiply the encrypted and originals by, say, 0.5, decrypt the encrypted one, and check them, and they're quite close, again, if a little different. But then when I multiply-and-check them again they're now orders of magnitude different. I notice that the number of multiplications I'm allowed to do is the size of coeff_mod_bit_sizes; that part is fine. But how do the global_scale parameter and the first and last entries of the coeff_mod_bit_sizes vector affect the homomorphic multiplication process?

Screenshots

If applicable, add screenshots to help explain your question.

System Information

• OS: macOS Catalina
• OS Version: 10.15.3
• Language Version: Python 3.7.4
• Package Manager Version: pip 21.2.2, conda 4.9.2

Additional Context

Add any other context about the problem here.

[youben11]

In Tutorial 4 under the Encrypted Evaluation section, you should find intuitions on how to choose parameters for your computation

[allanhungria]

@youben11 Thanks, I assume you mean the following:

" Choosing the parameters isn't easy, so we list some intuition here for why we have chosen these parameters exactly:

1. For a given security level (e.g. 128-bits security) and a polynomial modulus degree (e.g. 8192) there is an upper bound for the bit count of the coefficient modulus (sum(coeff_mod_bit_sizes)). If the upper bound is surpassed, there is a need to use a higher polynomial modulus degree (e.g. 16384) in order to make sure we still have the required security level.
2. The multiplicative depth is controlled by the number of primes constituting our coefficient modulus. All elements of coeff_mod_bit_sizes[1: -1] should be equal in TenSEAL, since it takes care of rescaling ciphertexts. And we also want to use the same number of bits (e.g. 2 ^ 26) for the scale during encryption.
3. The scale is what controls the precision of the fractional part, since it's the value that plaintexts are multiplied with before being encoded into a polynomial of integer coefficients. Starting with a scale of more than 20 bits, we need to choose the number of bits of all the middle primes equal to that, so we are already over 120 bits. With this lower bound of coefficient modulus and a security level of 128-bits, we will need a polynomial modulus degree of at least 8192. The upper bound for choosing a higher degree is at 218. Trying different values for the precision and adjusting the coefficient modulus, while studying the loss and accuracy, we end up with 26-bits of scale and primes.
4. We also have 5 bits (31 - 26) for the integer part in the last coefficient modulus, which should be enough for our use case, since output values aren't that big. "

I was looking for a more detailed analysis, rather than an intuition on why these parameters were chosen for this particular example. The thing is, I won't necessarily know ahead of time how many multiplications have to occur.

[youben11]

The current implementation of CKKS in SEAL doesn't allow bootstrapping, which makes it leveled, which means that for a given set of parameters, you can only perform n multiplication. If you don't know in advance the number of multiplications, then you can't choose the right parameters. You might need to look into solutions that gives you the ability to perform unlimited multiplications for your use case, mainly schemes that implements bootstrapping.