`apply_galois` produces wrong output for small modulus / poly degree

[ttttonyhe]

Hi @D4rkCrypto,

It seems like apply_galois (more specifically apply_galois_ntt for CKKS ciphertexts) sometimes may not produce the right output when the coefficient modulus chain is short or the poly_modulus_degree is small. Here's a quick demo:

EncryptionParameters parms(scheme_type::ckks);

parms.set_poly_modulus_degree(1 << 13);
parms.set_coeff_modulus(CoeffModulus::Create(1 << 13, {60, 40, 60}));

PhantomContext context(parms);
PhantomCKKSEncoder encoder(context);

PhantomSecretKey secret_key(context);
PhantomPublicKey public_key = secret_key.gen_publickey(context);
PhantomGaloisKey galois_keys = secret_key.create_galois_keys(context);

vector<double> output;
vector<double> input(encoder.slot_count(), 1.0);
PhantomPlaintext plain;
PhantomCiphertext cipher;
encoder.encode(context, input, pow(2.0, 40), plain);
public_key.encrypt_asymmetric(context, plain, cipher);

apply_galois_inplace(context, cipher, 0, galois_keys);

secret_key.decrypt(context, cipher, plain);
encoder.decode(context, plain, output);

for (auto i = 0; i < 5; i++) {
  cout << output[i] << " ";
}
cout << endl;

Instead of producing 1 1 1 1 1, it outputs something like 7.50071e+29 -5.51248e+27 -3.51746e+28 -3.04196e+28 -1.01832e+27 for me.

Using the following combinations of mod chains and $\log{N}$ s will produce the correct output:

• At least {60, 40, 40, 40, 40, 40, 40, 40, 60} with $\log{N} = 13$
• {60, 40, 40, 60} with at least $\log{N} = 16$

Let me know if you can reproduce this, thank you!

[D4rkCrypto]

I can't reproduce this bug. You code works on my 30-series laptop. Can you provide more information of you test environment? I think it may be a compatibility bug.

[D4rkCrypto]

I'm trying to figure out the bug itself. I think it occurs at apply_galois_ntt_permutation kernel as you said.

[D4rkCrypto]

I have figured out a way to fix this, please try the latest version.

[ttttonyhe]

I can't reproduce this bug. You code works in my 30-series laptop. Can you provide more information of you test environment? I think it may be a compatibility bug.

Unfortunately it's still not working on my end. I'm using an A100 GPU compiled with CMAKE_CUDA_ARCHITECTURES=native and CUDA version 11.7.

[D4rkCrypto]

I have reproduced the bug on A100. Stay tuned for the fix.

[D4rkCrypto]

I have fixed this bug on A100. It seems that it's NVIDIA's issue. Other cards can pass the test, and A100 passes the test in debug mode. Anyway it has been fixed. I also update apply_galois_inplace and rotate_inplace.

[ttttonyhe]

Works perfectly, thank you!