WeiDaiWD
commented
4 years ago SEAL never had a non-RNS variant of CKKS. Other libraries like HEANN, HElib, or PALISADE might have a non-RNS variant but probably not over an extension field.
Closed jon-chuang closed 4 years ago
WeiDaiWD
commented
4 years ago SEAL never had a non-RNS variant of CKKS. Other libraries like HEANN, HElib, or PALISADE might have a non-RNS variant but probably not over an extension field.
jon-chuang
commented
4 years ago I see, I understand. Am I right to say that pre-RNS, CKKS relied on big integer operations performed over q_0 . q^l?
KyoohyungHan
commented
4 years ago @jon-chuang If you are talking about the original CKKS paper, it is right. It uses polynomial operations over modulo big integer Q = q^L * q_0.
Is there a non-RNS implementation of CKKS that was reasonably performant, that used arithmetic over field extensions for finite fields (p^l) rather than RNS decomposition? Perhaps one of the previous SEAL versions? I would appreciate some additional references. I am confused by the original CKKS paper which uses some sort of bit decomposition.
I am asking because I would like to integrate zero-knowledge proofs for multiparty homomorphic encryption protocols. I am pursuing this idea because in a multi-party scenario, all the parties should only agree to jointly decrypt the ciphertexts, which would mean that they should each be able to verify that the ciphertext they are decrypting is the result of a computation that has been performed correctly and for which the correct data has been fed. This would accomodate a stronger malicious security model.
This accomodates the setting where a model provider, a cloud server, and data providers cannot trust one another. The goal is to accomodate a small number of data providers (~10-20?) and a single model provider. The trust model is trust-free for the server, and for correctness, trusting that the decryptions of the other stakeholders occur correctly. However, there is no risk of any data being revealed to any party except that which is agreed upon (the output of the computation).
I have a technique that allows for a secret key to be jointly owned by all stakeholders, by utilising BFV to perform homomorphic encryption and decryption, decreasing the rate of error growth that would result from independent encrpytions, or the computational costs of maintaining multiple secret keys. Nonetheless the additive error term (added during encryption) absolute value will scale as n in the number of stakeholders. This is not a bad result as if instead, |s| <= n instead of |s| <= 1, the error looks more like n^2 rather than n to begin with. So we can accomodate more stakeholders.\ Zero knowledge proofs in general require arithmetic to be performed over a fixed prime field, hence my question.
Differential privacy could possibly also be achieved by generating randomness through a hash of the resulting ciphertext and transforming appropriately (how to do this properly is also a research question).