microsoft / SEAL

Microsoft SEAL is an easy-to-use and powerful homomorphic encryption library.
https://www.microsoft.com/en-us/research/group/cryptography-research/
MIT License
3.59k stars 709 forks source link

Question about Galois #555

Closed RdWeirdo981 closed 2 years ago

RdWeirdo981 commented 2 years ago

Hello,

I'm learning rotation part of SEAL, and I have 2 questions about Galois.

1) I've read the discussion in #440 and the HElib paper mentioned in that thread, but I'm still confused about Line 181 to Line 187.

You suggested in #440 :

and the coefficient is negated if modulo x^N+1 is performed for an odd number of times (lines 181-186).

What I understand from the code is that: for index_raw lies in range [odd*N, (odd+1)*N), result_value will be -operand mod modulus_value. For example, if N=8192, then negation will apply on index_raw which are in [8192, 8192*2), [8192*3, 8192*4), ... Since index_raw is i * glt, it basically means when (2k-1)N/glt<= i <(2k)N/glt, this operation will apply.

So what does it mean by "an odd number of times"? And why do we want this -operand mod modulus_value? I've read the HElib paper but I have no idea which part does this negation operation refer to.

2) I also have a question about apply_galois_inplace. From Line 2279 to Line 2286, and also Line 2308, we have 2 iters encrypted_iter[0] and encrypted_iter[1], and 2 polynomials encrypted.data(0) and encrypted.data(1). I don't get it why encrypted.data(1) is wiped to zero and why the result iter (temp) from applying galois to encrypted_iter[1] is only used for switch_key_inplace, instead of doing the same thing as in Line 2283. Does it have anything to do with masking out the influence of Frobenius automorphis?

Many thanks! :)

WeiDaiWD commented 2 years ago

"an odd number of times"

This was a poor choice of words on my side. You have understood it correctly. All that I was trying to say was: operand x^8192 = - operand mod x^8192+1 operand x^16384 = operand mod x^8192+1 operand * x^24576 = - operand mod x^8192+1

Regarding apply_galois_inplace, line 2313 explains the algorithm. We first get a ciphertext decryptable with a different key, thanks to the automorphism. Then we switch the underlying key back to the original secret key. Key switching is similar to a homomorphic evaluation of decryption. You take ct[1] which is stored in temp, multiply it with an encryption of secret key which is the galois_keys, then add it to ct[0].

RdWeirdo981 commented 2 years ago

Thanks for your kind reply! Got it now.