j2kun
commented
1 month ago I want to reply in more detail later, but to try to help clear up any initial confusion, I'm convinced now that the encoding attributes I originally defined for RLWE are plain wrong.
In general, I consider "encoding" to be any and all preparation of the application data before encryption that does not require key material or ciphertext-specific random samples. I was mistaken in where that line was drawn for BGV/BFV when originally writing that.
On Wed, Jul 10, 2024, 1:57 PM Alexander Viand @.***> wrote:
In order to avoid cluttering up the discussion of #762 https://github.com/google/heir/issues/762 (Enc/Dec and Randomness handling), I figured I'd create a new issue to (a) help myself get my thoughts straight on the various mappings/encodings and (b) get some feedback, especially with regards to the TFHE perspective on RLWE.
- Application Data (e.g. i32) vs. "Cleartext" (e.g. $\mathbb{F}_p$) Semantics
Not sure if "Cleartext" is the right name here, but we usually have a disconnect between the semantics of the actual data type in the application (e.g., i32 or f32) and what we actually end up achieving under HE (usually finite field arithmetic with prime modulus). I know this isn't the case when we do bit-wise encryption (be it in TFHE or in BFV/BGV) but I'm not sure how 4-bit TFHE works here. Clearly, it's something to consider for "word-wise" FHE like BGV/BGV and especially CKKS, with its approximate nature.
Of course, for many applications, the difference between computation mod $2^{32}$ and a 32-bit prime is not important, but a compiler translation from i32 to mod p isn't technically "correct" and we should probably think about how to expose this to the developer/frontend. I guess this is conceptually similar to truncation and/or deciding approximation precision (e.g. LUT size) which are also relevant to TFHE, but in the mod p/polynomial approximation case we get with BFV/BGV and CKKS, "bits of precision" might not be sufficient as a metric/language to communicate the behavior.
- Cleartext (e.g. $\mathbb{F}_p$) -> Plaintext Encoding (e.g., $R_p = \mathbb{Z}_p[X] / X^N + 1$)
For RLWE, the plaintext space is a polynomial ring, and we're generally much more interested in encoding integers (at this point, usually implicitly already considered mod p?). There are lots of ways to do this, starting with the trivial solution of just setting the constant coefficient to your integer and all other coefficients to zero, to decomposing your integer and putting a digit into each coefficient, to various forms of CRT-based "packing" or "batching" that allows one to achieve SIMD-style semantics. By far the most common is "full" packing, but you can also trade off a lower number of "slots" for larger (i.e., $\mathbb{F}_{p^d}$ for $d > 1$) slots. CKKS has some extra complexity here as the message space is technically a vector of complex numbers but of course it's approximate and in fixed-(ish)-point representation, so basically just more SIMD integer vector stuff.
Question: What does TFHE use here? The first RLWE "plaintext" I think of in the context of TFHE is the blind rotation test vector, and that looks like a trivial (non-CRT) "packing" of a vector of integers (with lots of repetition) into the coefficients of the polynomial?
- Plaintext (e.g., $R_p = \mathbb{Z}_p[X] / X^N + 1$) -> Ciphertext (e.g., $R_q = \mathbb{Z}_p[X] / X^N + 1$) Encoding
In descriptions of BFV/BGV, this step is usually mixed in with encryption, but I've also seen this referred to as "MSB/LSB encoding", referring to how message and noise are arranged: image.png (view on web) https://github.com/google/heir/assets/88422715/12983074-150a-46a0-a0ae-59b5c1692321 (Image from https://pqcrypto2023.umiacs.io/slides/2.2.pdf)
- Representation
In addition to the above, we also need to consider how the polynomial itself is represented (e.g., coefficient-representation vs eval/NTT-form, RNS vs BigNum, etc) but that seems mostly orthogonal to the discussion above? In addition, most RLWE schemes actually don't juse use a single coefficient modulus but instead a "chain" (in RNS, the partial products of the RNS moduli usually make up the chain elements, in non-RNS, the chain could be built more freely but tends to be defined similarily). Note also, that the actual FHE scheme algorithms change depending on these representation choices (NTT stuff is pretty trivial, just iNTT if you need actual coefficients, but RNS versions are quite different and have different noise growth). Situation in HEIR
Right now, we have the following attributes:
-
lwe.bit_field_encoding which takes a start and width and describes where in a larger number of bits the "interesting" bits (i.e., message bits) are. This seems to be capturing Step 3, though I'm not sure how we'd express CKKS here? Maybe that's what lwe.unspecified_bit_field_encoding is for? Actually, I'm not even sure how to capture BFV/BGV with this, as they can (iirc) scale their noise or message by non-power-of-two numbers, so the "bits" idea breaks down a bit?
lwe.polynomial_coefficient_encoding which also has the start/width parameters and basically seems to indicate the "trivial coefficient packing" as used in TFHE's blind rotate? (i.e., Step 2)? Similarily, we have lwe.polynomial_evaluation_encoding and lwe.inverse_canonical_embedding_encoding (which actually already has a TODO comment wondering about how bitfield would work here, see #183 https://github.com/google/heir/issues/183)
polynomial.ring which encode things relevant to 4, but don't really give us a way to encode things such as as the modulus chain (which is needed independently of RNS).
And then we have the lwe.rlwe_ciphertext type which relies on the above attributes to describe the ciphertext.
Question: How can we best express the required information for an, e.g. BGV ciphertext, specifically moduli chains and/or RNS?
— Reply to this email directly, view it on GitHub https://github.com/google/heir/issues/785, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAS2PKW2JJSEY6NLUPMQSA3ZLWN2FAVCNFSM6AAAAABKVVMILSVHI2DSMVQWIX3LMV43ASLTON2WKOZSGQYDCNZRGU2DAMA . You are receiving this because you are subscribed to this thread.Message ID: @.***>
AlexanderViand-Intel
asraa
In order to avoid cluttering up the discussion of #762 (Enc/Dec and Randomness handling), I figured I'd create a new issue to (a) help myself get my thoughts straight on the various mappings/encodings and (b) get some feedback, especially with regards to the TFHE perspective on RLWE.
1. Application Data (e.g.
i32) vs. "Cleartext" (e.g. $\mathbb{F}_p$) SemanticsNot sure if "Cleartext" is the right name here, but we usually have a disconnect between the semantics of the actual data type in the application (e.g.,
i32orf32) and what we actually end up achieving under HE (usually finite field arithmetic with prime modulus). I know this isn't the case when we do bit-wise encryption (be it in TFHE or in BFV/BGV) but I'm not sure how 4-bit TFHE works here. Clearly, it's something to consider for "word-wise" FHE like BGV/BGV and especially CKKS, with its approximate nature.Of course, for many applications, the difference between computation mod $2^{32}$ and a 32-bit prime is not important, but a compiler translation from
i32tomod pisn't technically "correct" and we should probably think about how to expose this to the developer/frontend. I guess this is conceptually similar to truncation and/or deciding approximation precision (e.g. LUT size) which are also relevant to TFHE, but in the mod p/polynomial approximation case we get with BFV/BGV and CKKS, "bits of precision" might not be sufficient as a metric/language to communicate the behavior.2. Cleartext (e.g. $\mathbb{F}_p$) -> Plaintext Encoding (e.g., $R_p = \mathbb{Z}_p[X] / X^N + 1$)
For RLWE, the plaintext space is a polynomial ring, and we're generally much more interested in encoding integers (at this point, usually implicitly already considered mod p?). There are lots of ways to do this, starting with the trivial solution of just setting the constant coefficient to your integer and all other coefficients to zero, to decomposing your integer and putting a digit into each coefficient, to various forms of CRT-based "packing" or "batching" that allows one to achieve SIMD-style semantics. By far the most common is "full" packing, but you can also trade off a lower number of "slots" for larger (i.e., $\mathbb{F}_{p^d}$ for $d > 1$) slots. CKKS has some extra complexity here as the message space is technically a vector of complex numbers but of course it's approximate and in fixed-(ish)-point representation, so basically just more SIMD integer vector stuff.
Question: What does TFHE use here? The first RLWE "plaintext" I think of in the context of TFHE is the blind rotation test vector, and that looks like a trivial (non-CRT) "packing" of a vector of integers (with lots of repetition) into the coefficients of the polynomial?
3. Plaintext (e.g., $R_p = \mathbb{Z}_p[X] / X^N + 1$) -> Ciphertext (e.g., $R_q = \mathbb{Z}_p[X] / X^N + 1$) Encoding
In descriptions of BFV/BGV, this step is usually mixed in with encryption, but I've also seen this referred to as "MSB/LSB encoding", referring to how message and noise are arranged:
(Image from https://pqcrypto2023.umiacs.io/slides/2.2.pdf)
4. Representation
In addition to the above, we also need to consider how the polynomial itself is represented (e.g., coefficient-representation vs eval/NTT-form, RNS vs BigNum, etc) but that seems mostly orthogonal to the discussion above? In addition, most RLWE schemes actually don't juse use a single coefficient modulus but instead a "chain" (in RNS, the partial products of the RNS moduli usually make up the chain elements, in non-RNS, the chain could be built more freely but tends to be defined similarily). Note also, that the actual FHE scheme algorithms change depending on these representation choices (NTT stuff is pretty trivial, just iNTT if you need actual coefficients, but RNS versions are quite different and have different noise growth).
Situation in HEIR
Right now, we have the following attributes:
lwe.bit_field_encodingwhich takes a start and width and describes where in a larger number of bits the "interesting" bits (i.e., message bits) are. This seems to be capturing Step 3, though I'm not sure how we'd express CKKS here? Maybe that's whatlwe.unspecified_bit_field_encodingis for? Actually, I'm not even sure how to capture BFV/BGV with this, as they can (iirc) scale their noise or message by non-power-of-two numbers, so the "bits" idea breaks down a bit?lwe.polynomial_coefficient_encodingwhich also has the start/width parameters and basically seems to indicate the "trivial coefficient packing" as used in TFHE's blind rotate? (i.e., Step 2)? Similarily, we havelwe.polynomial_evaluation_encodingandlwe.inverse_canonical_embedding_encoding(which actually already has a TODO comment wondering about how bitfield would work here, see #183)polynomial.ringwhich encode things relevant to 4, but don't really give us a way to encode things such as as the modulus chain (which is needed independently of RNS).And then we have the
lwe.rlwe_ciphertexttype which relies on the above attributes to describe the ciphertext.Question: How can we best express the required information for an, e.g. BGV ciphertext, specifically moduli chains and/or RNS?