tuneinsight / lattigo

A library for lattice-based multiparty homomorphic encryption in Go
Apache License 2.0

Smudging variance is constant rather than ciphertext dependent #391

Closed samtay closed 1 year ago

samtay commented 1 year ago

In the Multiparty Homomorphic Encryption from Ring-Learning-with-Errors paper, Section 4.E states that during decryption the smudging noise needs to be drawn from a Gaussian whose variance depends on the given ciphertext variance. That is, if a ciphertext's noise is not fresh, but has increased via homomorphic computation, the smudging variance needs to increase as well. A quote, for reference:

The smudging technique, as introduced by Asharov et al. [14], aims at making the ciphertext-noise inexploitable by flooding it with some freshly sampled noise terms in a distribution of larger-variance. In the MBFV scheme, this is achieved by sampling the relevant error terms in the key-switching protocols from a discrete Gaussian distribution $\chi_{CKS}(\sigma_{ct}^2)$ of variance $\sigma_{smg}^2 = 2^{\lambda}\sigma_{ct}^2$ where $\sigma_{ct}^2$ is the ciphertext’s noise variance (see Appendix A) and $\lambda$ the desired security level. Hence, this technique assumes that the system keeps track of the ciphertext noise-level and has access to this property.

However, I don't see any kind of noise model keeping track of ciphertext noise-level in lattigo. And when I search for usages of the sigmaSmudging parameter of NewCKSProtocol, I only ever see it being used to draw from a constant Gaussian. Am I mistaken, or does lattigo just use a constant $\sigma_{smg}$? If the latter, what are the security ramifications of this constant $\sigma_{smg}$?

Pro7ech commented 1 year ago

Hi @samtay,

Noise tracking is difficult and still a subject of research. As far as I am aware, there exists no library or noise tracking approach for BFV/BGV/CKKS that provides accurate or realistic bounds over reasonably complex circuits and as of today, we do not plan to have such a feature in the library.

An approach that works well is to derive empirical bounds by running the circuit many times.

Regarding the smudging noise, it is not constant but drawn from the distribution sigmaSmudging which is specified by the user. I assume by that constant you meant that all ciphertexts going through the instantiated protocol will be smudged with the same noise. That is correct. If a user wants to define a new noise, the current instance has to be discarded and replaced by a new one with the updated noise.

samtay commented 1 year ago

I see, thank you for explaining. I guess the expectation would be that the library user would set sigmaSmudging to an appropriate value given the circuit being evaluated, using the exponential relationship in the paper as a guideline. I was expecting the library to draw from a Gaussian whose variance depends on the provided sigmaSmudging and ciphertext.

Anyway, I'll close this issue then, since there are no immediate plans to change this.
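
The relationship discussed in this thread, as an added example in plain Go (not lattigo code, not from the paper, and not written by either commenter): it estimates $\sigma_{ct}$ empirically, applies the quoted relation $\sigma_{smg}^2 = 2^{\lambda}\sigma_{ct}^2$, and inverts it to show which $\lambda$ a fixed sigmaSmudging still corresponds to once ciphertext noise has grown. The function names, the sample values and the assumed noise growth are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// NoiseStdDev estimates sigma_ct as the sample standard deviation of noise
// coefficients measured over many runs of the circuit (the empirical approach
// from the thread). Returns NaN when fewer than two samples are given.
func NoiseStdDev(samples []float64) float64 {
	n := float64(len(samples))
	if n < 2 {
		return math.NaN()
	}
	var mean, ss float64
	for _, s := range samples {
		mean += s
	}
	mean /= n
	for _, s := range samples {
		ss += (s - mean) * (s - mean)
	}
	return math.Sqrt(ss / (n - 1))
}

// RequiredSmudgingSigma applies sigma_smg^2 = 2^lambda * sigma_ct^2,
// i.e. sigma_smg = 2^(lambda/2) * sigma_ct.
func RequiredSmudgingSigma(sigmaCt, lambda float64) float64 {
	return math.Exp2(lambda/2) * sigmaCt
}

// EffectiveLambda inverts the same relation for a fixed, user-chosen
// sigma_smg: lambda = log2(sigma_smg^2 / sigma_ct^2).
func EffectiveLambda(sigmaSmg, sigmaCt float64) float64 {
	return 2 * math.Log2(sigmaSmg/sigmaCt)
}

func main() {
	// Constructed noise samples for a fresh ciphertext (not real measurements).
	fresh := []float64{-2, -2, -2, -2, 0, 2, 2, 2, 2}
	sigmaFresh := NoiseStdDev(fresh)
	sigmaSmg := RequiredSmudgingSigma(sigmaFresh, 40) // chosen once, lambda = 40
	// Assumed post-circuit noise: 2^10 times larger than fresh.
	sigmaAfter := sigmaFresh * 1024
	fmt.Printf("sigma_ct fresh=%.0f, sigma_smg=%.0f\n", sigmaFresh, sigmaSmg)
	fmt.Printf("lambda on fresh ct: %.1f\n", EffectiveLambda(sigmaSmg, sigmaFresh))
	fmt.Printf("lambda after circuit: %.1f\n", EffectiveLambda(sigmaSmg, sigmaAfter))
}
```

With these constructed numbers, a sigmaSmudging sized for $\lambda = 40$ on fresh noise corresponds to $\lambda = 20$ under the same relation after the noise standard deviation grows by $2^{10}$.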