Is key-switch used in HEAAN?

[DylanWangWQF]

Hi, @swanhong I have a question about reducing the noise in the ciphertexts. We know, in HElib, they use key-switch matrix to scale the noise. How does HEAAN address this? Also use similar key-switch techniques in HElib?

[swanhong]

To my knowledge, key-switch matrix in HElib is not for reducing the noise, but for "key switching" that changes the modified secret key to the right secret key. Are you asking about noise reduction in HEAAN?

[DylanWangWQF]

@swanhong Many thanks for your reply! My question is about the noise cost for each operation (e.g., multiplication, rotation), compared to HElib. I have this question is because: I run an application that implemented with HEAAN, it performs well. But when I re-implement it with HElib, its depth is not enough although using the same parameters (i.e., same slots, precision, etc..). So I guess this is because the noise cost in HEAAN is smaller than that in HElib?

[swanhong]

In your explanation, I'm wondering if the important parameters are not the same. Depth depends on the parameters related to security, including ring degree(N or logn) and modulus(Q or logq). Can you check these parameters and tell me if they are still the same?

[DylanWangWQF]

@swanhong

Depth depends on the parameters related to security, including ring degree(N or logn) and modulus(Q or logq).

For the HEAAN-based implementation, the parameters are:

the lower bound on the bit length of a fresh ciphertext modulus is 5 logp +2 logpc +logq0. In our implementation, we assume that all the inputs had logp = 24 bits of precision and set the bit length of the output ciphertext modulus as logq0 = logp + 8. In addition, we setlogpc = 15 for the bit precision of constant values. We could actually obtain the bit length of the largest ciphertext modulus around 182 and took the ring dimension N = 2^13 to ensure 80 bits of security.

P.S. the paper link is : https://dl.acm.org/doi/pdf/10.1145/3243734.3243837

To get the same number of slots (4096, slots = m / 4), we use the parameters in HElib: /*m=*/16 * 1024, /*bits=*/358, /*precision=*/25, /*c=*/6, the security level is only around 54 although the depth is enough. If I use the paramters /*m=*/16 * 1024, /*bits=*/235, /*precision=*/20, /*c=*/4, the security is around 87 but depth is not enough

[swanhong]

It is because you decreased the bits parameter, which is matched to logq0 in HEAAN you cited. In CKKS scheme, bits is proportional to the number of depths, so if you decrease bits, then you can get enough security but you will lose depths. You have to strike a balance between depth and security.

[DylanWangWQF]

Yes, I understand the balance between depth and security. In HElib, to get a ciphertext with 4096 slots and enough depths, I have to increase the bits, finally get the lower security. Maybe it's due to the settings that I cannot get both slots and enough depths, just like in HEAAN.