ckks

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 16, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

README

CKKS

The package CKKS is an RNS-accelerated version of the Homomorphic Encryption for Arithmetic of Approximate Numbers (HEAAN, a.k.a. CKKS) scheme originally proposed by Cheon, Kim, Kim and Song. The package supports two variants of the scheme: the standard one that encrypts vectors of complex numbers, and the conjugate-invariant one that encrypts vectors of real numbers, as proposed by Kim and Song.The RingType field of the Parameter struct controls which variant is instantiated:

For RingType: ring.Standard, the standard variant of CKKS is used. This requires that all moduli in the chain are congruent to 1 modulo 2N for N the ring degree. This variant supports packing of up to N/2 plaintext complex values into a single ciphertext.

For RingType: ring.ConjugateInvariant, the conjugate-invariant variant of CKKS is used. This requires that all moduli in the chain are congruent to 1 modulo 4N for N the ring degree. This variant supports packing of up to N plaintext real values into a single ciphertext.

Brief description of the Standard variant

This scheme can be used to do arithmetic over equation. The plaintext space and the ciphertext space share the same domain

,

with a power of 2.

The batch encoding of this scheme

.

maps an array of complex numbers to a polynomial with the property:

,

where represents a component-wise product, and represents a nega-cyclic convolution.

Security parameters

equation: the ring dimension, which defines the degree of the cyclotomic polynomial, and the number of coefficients of the plaintext/ciphertext polynomials; it should always be a power of two. This parameter has an impact on both security and performance (security increases with N and performance decreases with N). It should be chosen carefully to suit the intended use of the scheme.

equation: the ciphertext modulus. In Lattigo, it is chosen to be the product of a chain of small coprime moduli equation that verify equation in order to enable both the RNS and NTT representation. The used moduli equation are chosen to be of size 30 to 60 bits for the best performance. This parameter has an impact on both security and performance (for a fixed equation, a larger equation implies both lower security and lower performance). It is closely related to equation and should be carefully chosen to suit the intended use of the scheme.

equation: the variance used for the error polynomials. This parameter is closely tied to the security of the scheme (a larger equation implies higher security).

Other parameters

equation: the plaintext scale. Since complex numbers are encoded on polynomials with integer coefficients, the original values must be scaled during the encoding, before being rounded to the nearest integer. The equation parameter is the power of two by which the values are multiplied during the encoding. It has an impact on the precision of the output and on the amount of operations a fresh encryption can undergo before overflowing.

Choosing the right parameters for a given application

There are 3 application-dependent parameters:

  • LogN: it determines (a) how many values can be encoded (batched) at once (maximum N/2) in one plaintext, and (b) the maximum total modulus bit size (the product of all the moduli) for a given security parameter.
  • Modulichain: it determines how many consecutive scalar and non-scalar multiplications (the depth of the arithmetic circuit) can be evaluated before requiring decryption. Since Lattigo features an RNS implementation, this parameter requires careful fine-tuning depending on the application; i.e., the rescaling procedure can only rescale by one of the RNS modulus at a time, whose size has to be chosen when creating the CKKS context. Additionally, the individual size of each of the moduli also has an effect on the error introduced during the rescaling, since they cannot be powers of 2, so they should be chosen as NTT primes as close as possible to a power of 2 instead.
  • Logscale: it determines the scale of the plaintext, affecting both the precision and the maximum allowed depth for a given security parameter.

Configuring parameters for CKKS is very application dependent, requiring a prior analysis of the circuit to be executed under encryption. The following example illustrates how this parametrization can be done, showing that it is possible to come up with different parameter sets for a given circuit, each set having pros and cons.

Let us define the evaluation of an arbitrary smooth function f(x) on an array of ~4000 complex elements contained in a square of side 2 centered at the complex origin (with values ranging between -1-1i and 1+1i). We first need to find a good polynomial approximation for the given range. Lattigo provides an automatic Chebyshev approximation for any given polynomial degree, which can be used for this purpose (it is also possible to define a different polynomial approximation of lower degree with an acceptable error).

Let us assume that we find an approximation of degree 5, i.e., a + bx + cx^3 + dx^5. This function can be evaluated with 3 scalar multiplications, 3 additions and 3 non-scalar multiplications, consuming a total of 4 levels (one for the scalar multiplications and 3 for the non-scalar multiplications).

We then need to chose a scale for the plaintext, that will influence both the bit consumption for the rescaling, and the precision of the computation. If we choose a scale of 2^40, we need to consume at least 160 bits (4 levels) during the evaluation, and we still need some bits left to store the final result with an acceptable precision. Let us assume that the output of the approximation lies always in the square between -20-20i and 20+20i; then, the final modulus must be at least 5 bits larger than the final scale (to preserve the integer precision).

The following parameters will work for the posed example:

  • LogN = 13
  • Modulichain = [45, 40, 40, 40, 40], for a logQ <= 205
  • LogScale = 40

But it is also possible to use less levels to have ciphertexts of smaller size and, therefore, a faster evaluation, at the expense of less precision. This can be achieved by using a scale of 30 bits and squeezing two multiplications in a single level, while pre-computing the last scalar multiplication already in the plaintext. Instead of evaluating a + bx + cx^3 + dx^5, we pre-multiply the plaintext by d^(1/5) and evaluate a + b/(d^(1/5))x + c/(d^(3/5)) + x^5.

The following parameters are enough to evaluate this modified function:

  • LogN = 13
  • Modulichain = [35, 60, 60], for a logQ <= 155
  • LogScale = 30

To summarize, several parameter sets can be used to evaluate a given function, achieving different trade-offs for space and time versus precision.

Choosing secure parameters

The CKKS scheme supports the standard recommended parameters chosen to offer a security of 128 bits for a secret key with uniform ternary distribution equation, according to the Homomorphic Encryption Standards group (https://homomorphicencryption.org/standard/).

Each set of security parameters is defined by the tuple equation :

  • {12, 109, 3.2}
  • {13, 218, 3.2}
  • {14, 438, 3.2}
  • {15, 881, 3.2}

As mentioned, setting parameters for CKKS involves not only choosing this tuple, but also defining the actual moduli chain depending on the application at hand, which is why the provided default parameter sets have to be fine-tuned, preserving the values of the aforementioned tuples, in order to maintain the required security level of 128 bits. That is, Lattigo provides a set of default parameters for CKKS, including example moduli chains, ensuring 128 bit security. The user might want to choose different values in the moduli chain optimized for a specific application. As long as the total modulus is equal or below the above values for a given logN, the scheme will still provide a security of at least 128 bits against the current best known attacks.

Finally, it is worth noting that these security parameters are computed for fully entropic ternary keys (with probability distribution {1/3,1/3,1/3} for values {-1,0,1}). Lattigo uses this fully-entropic key configuration by default. It is possible, though, to generate keys with lower entropy, by modifying their distribution to {(1-p)/2, p, (1-p)/2}, for any p between 0 and 1, which for p>>1/3 can result in low Hamming weight keys (sparse keys). We recall that it has been shown that the security of sparse keys can be considerably lower than that of fully entropic keys, and the CKKS security parameters should be re-evaluated if sparse keys are used.

Documentation

Overview

Package ckks implements a RNS-accelerated version of the Homomorphic Encryption for Arithmetic for Approximate Numbers (HEAAN, a.k.a. CKKS) scheme. It provides approximate arithmetic over the complex numbers.package ckks

Index

Constants

View Source 
const (
	// Monomial : x^(a+b) = x^a * x^b
	Monomial = BasisType(0)
	// Chebyshev : T_(a+b) = 2 * T_a * T_b - T_(|a-b|)
	Chebyshev = BasisType(1)
)
View Source 
const (
	DefaultNTTFlag = true
)
View Source 
const GaloisGen uint64 = ring.GaloisGen

GaloisGen is an integer of order N/2 modulo M and that spans Z_M with the integer -1. The j-th ring automorphism takes the root zeta to zeta^(5j).

View Source 
const IsNegligibleThreshold float64 = 1e-14

IsNegligibleThreshold : threshold under which a coefficient of a polynomial is ignored.

Variables

View Source 
var (

	// PN12QP109 is a default parameter set for logN=12 and logQP=109
	PN12QP109 = ParametersLiteral{
		LogN:         12,
		Q:            []uint64{0x200000e001, 0x100006001},
		P:            []uint64{0x3ffffea001},
		LogSlots:     11,
		DefaultScale: 1 << 32,
	}

	// PN13QP218 is a default parameter set for logN=13 and logQP=218
	PN13QP218 = ParametersLiteral{
		LogN: 13,
		Q: []uint64{0x1fffec001,
			0x3fff4001,
			0x3ffe8001,
			0x40020001,
			0x40038001,
			0x3ffc0001},
		P:            []uint64{0x800004001},
		LogSlots:     12,
		DefaultScale: 1 << 30,
	}
	// PN14QP438 is a default parameter set for logN=14 and logQP=438
	PN14QP438 = ParametersLiteral{
		LogN: 14,
		Q: []uint64{0x200000008001, 0x400018001,
			0x3fffd0001, 0x400060001,
			0x400068001, 0x3fff90001,
			0x400080001, 0x4000a8001,
			0x400108001, 0x3ffeb8001},
		P:            []uint64{0x7fffffd8001, 0x7fffffc8001},
		LogSlots:     13,
		DefaultScale: 1 << 34,
	}

	// PN15QP880 is a default parameter set for logN=15 and logQP=880
	PN15QP880 = ParametersLiteral{
		LogN: 15,
		Q: []uint64{0x4000000120001, 0x10000140001, 0xffffe80001,
			0x10000290001, 0xffffc40001, 0x100003e0001,
			0x10000470001, 0x100004b0001, 0xffffb20001,
			0x10000500001, 0x10000650001, 0xffff940001,
			0xffff8a0001, 0xffff820001, 0xffff780001,
			0x10000890001, 0xffff750001, 0x10000960001},
		P:            []uint64{0x40000001b0001, 0x3ffffffdf0001, 0x4000000270001},
		LogSlots:     14,
		DefaultScale: 1 << 40,
	}
	// PN16QP1761 is a default parameter set for logN=16 and logQP = 1761
	PN16QP1761 = ParametersLiteral{
		LogN: 16,
		Q: []uint64{0x80000000080001, 0x2000000a0001, 0x2000000e0001, 0x1fffffc20001,
			0x200000440001, 0x200000500001, 0x200000620001, 0x1fffff980001,
			0x2000006a0001, 0x1fffff7e0001, 0x200000860001, 0x200000a60001,
			0x200000aa0001, 0x200000b20001, 0x200000c80001, 0x1fffff360001,
			0x200000e20001, 0x1fffff060001, 0x200000fe0001, 0x1ffffede0001,
			0x1ffffeca0001, 0x1ffffeb40001, 0x200001520001, 0x1ffffe760001,
			0x2000019a0001, 0x1ffffe640001, 0x200001a00001, 0x1ffffe520001,
			0x200001e80001, 0x1ffffe0c0001, 0x1ffffdee0001, 0x200002480001,
			0x1ffffdb60001, 0x200002560001},
		P:            []uint64{0x80000000440001, 0x7fffffffba0001, 0x80000000500001, 0x7fffffffaa0001},
		LogSlots:     15,
		DefaultScale: 1 << 45,
	}

	// PN12QP109CI is a default parameter set for logN=12 and logQP=109
	PN12QP109CI = ParametersLiteral{
		LogN:         12,
		Q:            []uint64{0x1ffffe0001, 0x100014001},
		P:            []uint64{0x4000038001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     12,
		DefaultScale: 1 << 32,
	}

	// PN13QP218CI is a default parameter set for logN=13 and logQP=218
	PN13QP218CI = ParametersLiteral{
		LogN: 13,
		Q: []uint64{0x200038001,
			0x3ffe8001,
			0x40020001,
			0x40038001,
			0x3ffc0001,
			0x40080001},
		P:            []uint64{0x800008001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     13,
		DefaultScale: 1 << 30,
	}
	// PN14QP438CI is a default parameter set for logN=14 and logQP=438
	PN14QP438CI = ParametersLiteral{
		LogN: 14,
		Q: []uint64{0x2000000a0001, 0x3fffd0001,
			0x400060001, 0x3fff90001,
			0x400080001, 0x400180001,
			0x3ffd20001, 0x400300001,
			0x400360001, 0x4003e0001},
		P:            []uint64{0x80000050001, 0x7ffffdb0001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     14,
		DefaultScale: 1 << 34,
	}

	// PN15QP880CI is a default parameter set for logN=15 and logQP=880
	PN15QP880CI = ParametersLiteral{
		LogN: 15,
		Q: []uint64{0x4000000120001,
			0x10000140001, 0xffffe80001, 0xffffc40001,
			0x100003e0001, 0xffffb20001, 0x10000500001,
			0xffff940001, 0xffff8a0001, 0xffff820001,
			0xffff780001, 0x10000960001, 0x10000a40001,
			0xffff580001, 0x10000b60001, 0xffff480001,
			0xffff420001, 0xffff340001},
		P:            []uint64{0x3ffffffd20001, 0x4000000420001, 0x3ffffffb80001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     15,
		DefaultScale: 1 << 40,
	}
	// PN16QP1761CI is a default parameter set for logN=16 and logQP = 1761
	PN16QP1761CI = ParametersLiteral{
		LogN: 16,
		Q: []uint64{0x80000000080001,
			0x200000440001, 0x200000500001, 0x1fffff980001, 0x200000c80001,
			0x1ffffeb40001, 0x1ffffe640001, 0x200001a00001, 0x200001e80001,
			0x1ffffe0c0001, 0x200002480001, 0x200002800001, 0x1ffffd800001,
			0x200002900001, 0x1ffffd700001, 0x2000029c0001, 0x1ffffcf00001,
			0x200003140001, 0x1ffffcc80001, 0x1ffffcb40001, 0x1ffffc980001,
			0x200003740001, 0x200003800001, 0x200003d40001, 0x1ffffc200001,
			0x1ffffc140001, 0x200004100001, 0x200004180001, 0x1ffffbc40001,
			0x200004700001, 0x1ffffb900001, 0x200004cc0001, 0x1ffffb240001,
			0x200004e80001},
		P:            []uint64{0x80000000440001, 0x80000000500001, 0x7fffffff380001, 0x80000000e00001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     16,
		DefaultScale: 1 << 45,
	}

	// PN12QP101pq is a default (post quantum) parameter set for logN=12 and logQP=101
	PN12QP101pq = ParametersLiteral{
		LogN:         12,
		Q:            []uint64{0x800004001, 0x40002001},
		P:            []uint64{0x1000002001},
		LogSlots:     11,
		DefaultScale: 1 << 30,
	}
	// PN13QP202pq is a default (post quantum) parameter set for logN=13 and logQP=202
	PN13QP202pq = ParametersLiteral{
		LogN:         13,
		Q:            []uint64{0x1fffec001, 0x8008001, 0x8020001, 0x802c001, 0x7fa8001, 0x7f74001},
		P:            []uint64{0x400018001},
		LogSlots:     12,
		DefaultScale: 1 << 27,
	}

	// PN14QP411pq is a default (post quantum) parameter set for logN=14 and logQP=411
	PN14QP411pq = ParametersLiteral{
		LogN: 14,
		Q: []uint64{0x10000048001, 0x200038001, 0x1fff90001, 0x200080001, 0x1fff60001,
			0x2000b8001, 0x200100001, 0x1fff00001, 0x1ffef0001, 0x200128001},
		P:            []uint64{0x1ffffe0001, 0x1ffffc0001},
		LogSlots:     13,
		DefaultScale: 1 << 33,
	}

	// PN15QP827pq is a default (post quantum) parameter set for logN=15 and logQP=827
	PN15QP827pq = ParametersLiteral{
		LogN: 15,
		Q: []uint64{0x400000060001, 0x4000170001, 0x3fffe80001, 0x40002f0001, 0x4000300001,
			0x3fffcf0001, 0x40003f0001, 0x3fffc10001, 0x4000450001, 0x3fffb80001,
			0x3fffb70001, 0x40004a0001, 0x3fffb20001, 0x4000510001, 0x3fffaf0001,
			0x4000540001, 0x4000560001, 0x4000590001},
		P:            []uint64{0x2000000a0001, 0x2000000e0001, 0x2000001d0001},
		LogSlots:     14,
		DefaultScale: 1 << 38,
	}
	// PN16QP1654pq is a default (post quantum) parameter set for logN=16 and logQP=1654
	PN16QP1654pq = ParametersLiteral{
		LogN: 16,
		Q: []uint64{0x80000000080001, 0x2000000a0001, 0x2000000e0001, 0x1fffffc20001, 0x200000440001,
			0x200000500001, 0x200000620001, 0x1fffff980001, 0x2000006a0001, 0x1fffff7e0001,
			0x200000860001, 0x200000a60001, 0x200000aa0001, 0x200000b20001, 0x200000c80001,
			0x1fffff360001, 0x200000e20001, 0x1fffff060001, 0x200000fe0001, 0x1ffffede0001,
			0x1ffffeca0001, 0x1ffffeb40001, 0x200001520001, 0x1ffffe760001, 0x2000019a0001,
			0x1ffffe640001, 0x200001a00001, 0x1ffffe520001, 0x200001e80001, 0x1ffffe0c0001,
			0x1ffffdee0001, 0x200002480001},
		P:            []uint64{0x7fffffffe0001, 0x80000001c0001, 0x80000002c0001, 0x7ffffffd20001},
		LogSlots:     15,
		DefaultScale: 1 << 45,
	}

	// PN12QP101pq is a default (post quantum) parameter set for logN=12 and logQP=101
	PN12QP101CIpq = ParametersLiteral{
		LogN:         12,
		Q:            []uint64{0x800004001, 0x3fff4001},
		P:            []uint64{0xffffc4001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     12,
		DefaultScale: 1 << 30,
	}
	// PN13QP202CIpq is a default (post quantum) parameter set for logN=13 and logQP=202
	PN13QP202CIpq = ParametersLiteral{
		LogN:         13,
		Q:            []uint64{0x1ffffe0001, 0x100050001, 0xfff88001, 0x100098001, 0x1000b0001},
		P:            []uint64{0x1ffffc0001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     13,
		DefaultScale: 1 << 32,
	}

	// PN14QP411CIpq is a default (post quantum) parameter set for logN=14 and logQP=411
	PN14QP411CIpq = ParametersLiteral{
		LogN: 14,
		Q: []uint64{0x10000140001, 0x1fff90001, 0x200080001,
			0x1fff60001, 0x200100001, 0x1fff00001,
			0x1ffef0001, 0x1ffe60001, 0x2001d0001,
			0x2002e0001},

		P:            []uint64{0x1ffffe0001, 0x1ffffc0001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     14,
		DefaultScale: 1 << 33,
	}

	// PN15QP827CIpq is a default (post quantum) parameter set for logN=15 and logQP=827
	PN15QP827CIpq = ParametersLiteral{
		LogN: 15,
		Q: []uint64{0x400000060001, 0x3fffe80001, 0x4000300001, 0x3fffb80001,
			0x40004a0001, 0x3fffb20001, 0x4000540001, 0x4000560001,
			0x3fff900001, 0x4000720001, 0x3fff8e0001, 0x4000800001,
			0x40008a0001, 0x3fff6c0001, 0x40009e0001, 0x3fff300001,
			0x3fff1c0001, 0x4000fc0001},
		P:            []uint64{0x2000000a0001, 0x2000000e0001, 0x1fffffc20001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     15,
		DefaultScale: 1 << 38,
	}
	// PN16QP1654CIpq is a default (post quantum) parameter set for logN=16 and logQP=1654
	PN16QP1654CIpq = ParametersLiteral{
		LogN: 16,
		Q: []uint64{0x80000000080001, 0x200000440001, 0x200000500001, 0x1fffff980001,
			0x200000c80001, 0x1ffffeb40001, 0x1ffffe640001, 0x200001a00001,
			0x200001e80001, 0x1ffffe0c0001, 0x200002480001, 0x200002800001,
			0x1ffffd800001, 0x200002900001, 0x1ffffd700001, 0x2000029c0001,
			0x1ffffcf00001, 0x200003140001, 0x1ffffcc80001, 0x1ffffcb40001,
			0x1ffffc980001, 0x200003740001, 0x200003800001, 0x200003d40001,
			0x1ffffc200001, 0x1ffffc140001, 0x200004100001, 0x200004180001,
			0x1ffffbc40001, 0x200004700001, 0x1ffffb900001, 0x200004cc0001},
		P:            []uint64{0x80000001c0001, 0x80000002c0001, 0x8000000500001, 0x7ffffff9c0001},
		RingType:     ring.ConjugateInvariant,
		LogSlots:     16,
		DefaultScale: 1 << 45,
	}
)

Name of the different default parameter sets

View Source 
var DefaultConjugateInvariantParams = []ParametersLiteral{PN12QP109CI, PN13QP218CI, PN14QP438CI, PN15QP880CI, PN16QP1761CI}

DefaultConjugateInvariantParams is a set of default conjugate invariant parameters for encrypting real values and ensuring 128 bit security in a classic setting.

View Source 
var DefaultParams = []ParametersLiteral{PN12QP109, PN13QP218, PN14QP438, PN15QP880, PN16QP1761}

DefaultParams is a set of default CKKS parameters ensuring 128 bit security in a classic setting.

View Source 
var DefaultPostQuantumConjugateInvariantParams = []ParametersLiteral{PN12QP101CIpq, PN13QP202CIpq, PN14QP411CIpq, PN15QP827CIpq, PN16QP1654CIpq}

DefaultPostQuantumConjugateInvariantParams is a set of default conjugate invariant parameters for encrypting real values and ensuring 128 bit security in a post-quantum setting.

View Source 
var DefaultPostQuantumParams = []ParametersLiteral{PN12QP101pq, PN13QP202pq, PN14QP411pq, PN15QP827pq, PN16QP1654pq}

DefaultPostQuantumParams is a set of default CKKS parameters ensuring 128 bit security in a post-quantum setting.

Functions

func BsgsIndex 

func BsgsIndex(el interface{}, slots, N1 int) (index map[int][]int, rotN1, rotN2 []int)

BsgsIndex returns the index map and needed rotation for the BSGS matrix-vector multiplication algorithm.

func DivideComplex128SliceVec 

func DivideComplex128SliceVec(values []complex128, scaleVal complex128)

DivideComplex128SliceVec divides the entries in values by scaleVal in place.

func FindBestBSGSSplit 

func FindBestBSGSSplit(diagMatrix interface{}, maxN int, maxRatio float64) (minN int)

FindBestBSGSSplit finds the best N1*N2 = N for the baby-step giant-step algorithm for matrix multiplication.

func GenSwitchkeysRescalingParams 

func GenSwitchkeysRescalingParams(Q, P []uint64) (params []uint64)

GenSwitchkeysRescalingParams generates the parameters for rescaling the switching keys

func GetRootsFloat64 

func GetRootsFloat64(NthRoot int) (roots []complex128)

GetRootsFloat64 returns the roots e^{2*pi*i/m *j} for 0 <= j <= NthRoot.

func GetRootsbigFloat 

func GetRootsbigFloat(NthRoot int, prec uint) (roots []*ring.Complex)

GetRootsbigFloat returns the roots e^{2*pi*i/m *j} for 0 <= j <= NthRoot with prec bits of precision.

func NewCiphertext 

func NewCiphertext(params Parameters, degree, level int) (ct *rlwe.Ciphertext)

func NewDecryptor 

func NewDecryptor(params Parameters, key *rlwe.SecretKey) rlwe.Decryptor

func NewEncryptor 

func NewEncryptor(params Parameters, key interface{}) rlwe.Encryptor

func NewKeyGenerator 

func NewKeyGenerator(params Parameters) rlwe.KeyGenerator

func NewPRNGEncryptor 

func NewPRNGEncryptor(params Parameters, key *rlwe.SecretKey) rlwe.PRNGEncryptor

func NewPlaintext 

func NewPlaintext(params Parameters, level int) (pt *rlwe.Plaintext)

func NttAndMontgomeryLvl 

func NttAndMontgomeryLvl(level int, logSlots int, ringQ *ring.Ring, montgomery bool, pol *ring.Poly)

NttAndMontgomeryLvl takes the polynomial polIn Z[Y] outside of the NTT domain to the polynomial Z[X] in the NTT domain where Y = X^(gap). This method is used to accelerate the NTT of polynomials that encode sparse plaintexts.

func SliceBitReverseInPlaceComplex128 

func SliceBitReverseInPlaceComplex128(slice []complex128, N int)

SliceBitReverseInPlaceComplex128 applies an in-place bit-reverse permuation on the input slice.

func SliceBitReverseInPlaceFloat64 

func SliceBitReverseInPlaceFloat64(slice []float64, N int)

SliceBitReverseInPlaceFloat64 applies an in-place bit-reverse permuation on the input slice.

func SliceBitReverseInPlaceRingComplex 

func SliceBitReverseInPlaceRingComplex(slice []*ring.Complex, N int)

SliceBitReverseInPlaceRingComplex applies an in-place bit-reverse permuation on the input slice.

func SpecialFFTUL8Vec 

func SpecialFFTUL8Vec(values []complex128, N, M int, rotGroup []int, roots []complex128)

SpecialFFTUL8Vec performs the CKKS special FFT transform in place with unrolled loops of size 8.

func SpecialFFTVec 

func SpecialFFTVec(values []complex128, N, M int, rotGroup []int, roots []complex128)

SpecialFFTVec performs the CKKS special FFT transform in place.

func SpecialiFFTUL8Vec 

func SpecialiFFTUL8Vec(values []complex128, N, M int, rotGroup []int, roots []complex128)

SpecialiFFTUL8Vec performs the CKKS special inverse FFT transform in place with unrolled loops of size 8.

func SpecialiFFTVec 

func SpecialiFFTVec(values []complex128, N, M int, rotGroup []int, roots []complex128)

SpecialiFFTVec performs the CKKS special inverse FFT transform in place.

func StandardDeviation 

func StandardDeviation(vec []float64, scale float64) (std float64)

StandardDeviation computes the scaled standard deviation of the input vector.

Types

type BasisType 

type BasisType int

BasisType is a type for the polynomials basis

type DomainSwitcher 

type DomainSwitcher struct {
	// contains filtered or unexported fields
}

DomainSwitcher is a type for switching between the standard CKKS domain (which encrypts vectors of complex numbers) and the conjugate invariant variant of CKKS (which encrypts vectors of real numbers).

func NewDomainSwitcher 

func NewDomainSwitcher(params Parameters, comlexToRealSwk, RealToComplexSwk *rlwe.SwitchingKey) (DomainSwitcher, error)

NewDomainSwitcher instantiate a new DomainSwitcher type. It may be instantiated from parameters from either RingType. The method returns an error if the parameters cannot support the switching (e.g., the NTTs are undefined for either of the two ring types).

func (*DomainSwitcher) ComplexToReal 

func (switcher *DomainSwitcher) ComplexToReal(eval Evaluator, ctIn, ctOut *rlwe.Ciphertext)

ComplexToReal switches the provided ciphertext `ctIn` from the standard domain to the conjugate invariant domain and writes the result into `ctOut`. Given ctInCKKS = enc(real(m) + imag(m)) in Z[X](X^N + 1), returns ctOutCI = enc(real(m)) in Z[X+X^-1]/(X^N + 1) in compressed form (N/2 coefficients). The scale of the output ciphertext is twice the scale of the input one. Requires the ring degree of ctOut to be half the ring degree of ctIn. The security is changed from Z[X]/(X^N+1) to Z[X]/(X^N/2+1). The method panics if the DomainSwitcher was not initialized with a SwkComplexToReal key.

func (*DomainSwitcher) RealToComplex 

func (switcher *DomainSwitcher) RealToComplex(eval Evaluator, ctIn, ctOut *rlwe.Ciphertext)

RealToComplex switches the provided ciphertext `ctIn` from the conjugate invariant domain to the standard domain and writes the result into `ctOut`. Given ctInCI = enc(real(m)) in Z[X+X^-1]/(X^2N+1) in compressed form (N coefficients), returns ctOutCKKS = enc(real(m) + imag(0)) in Z[X]/(X^2N+1). Requires the ring degree of ctOut to be twice the ring degree of ctIn. The security is changed from Z[X]/(X^N+1) to Z[X]/(X^2N+1). The method panics if the DomainSwitcher was not initialized with a SwkRealToComplex key.

type Encoder 

type Encoder interface {

	// Slots Encoding
	Encode(values interface{}, plaintext *rlwe.Plaintext, logSlots int)
	EncodeNew(values interface{}, level int, scale rlwe.Scale, logSlots int) (plaintext *rlwe.Plaintext)
	EncodeSlots(values interface{}, plaintext *rlwe.Plaintext, logSlots int)
	EncodeSlotsNew(values interface{}, level int, scale rlwe.Scale, logSlots int) (plaintext *rlwe.Plaintext)
	Decode(plaintext *rlwe.Plaintext, logSlots int) (res []complex128)
	DecodeSlots(plaintext *rlwe.Plaintext, logSlots int) (res []complex128)
	DecodePublic(plaintext *rlwe.Plaintext, logSlots int, sigma float64) []complex128
	DecodeSlotsPublic(plaintext *rlwe.Plaintext, logSlots int, sigma float64) []complex128

	// Coeffs Encoding
	EncodeCoeffs(values []float64, plaintext *rlwe.Plaintext)
	EncodeCoeffsNew(values []float64, level int, scale rlwe.Scale) (plaintext *rlwe.Plaintext)
	DecodeCoeffs(plaintext *rlwe.Plaintext) (res []float64)
	DecodeCoeffsPublic(plaintext *rlwe.Plaintext, bound float64) (res []float64)

	// Utility
	Embed(values interface{}, logSlots int, scale rlwe.Scale, montgomery bool, polyOut interface{})
	GetErrSTDCoeffDomain(valuesWant, valuesHave []complex128, scale rlwe.Scale) (std float64)
	GetErrSTDSlotDomain(valuesWant, valuesHave []complex128, scale rlwe.Scale) (std float64)
	ShallowCopy() Encoder
}

Encoder is an interface that implements the encoding and decoding operations. It provides methods to encode/decode []complex128 and []float64 types into/from Plaintext types. Two different encodings are provided:

  • Coeffs: The coefficients are directly embedded on the plaintext. This encoding only allows to encode []float64 slices, but of size up to N (N being the ring degree) and does not preserve the point-wise multiplication. A ciphertext multiplication will result in a nega- cyclic polynomial convolution in the plaintext domain. This encoding does not provide native slot cyclic rotation. Other operations, like addition or constant multiplication, behave as usual.

  • Slots: The coefficients are first subjected to a special Fourier transform before being embedded in the plaintext by using Coeffs encoding. This encoding can embed []complex128 and []float64 slices of size at most N/2 (N being the ring degree) and leverages the convolution property of the DFT to preserve point-wise complex multiplication in the plaintext domain, i.e. a ciphertext multiplication will result in an element-wise multiplication in the plaintext domain. It also enables cyclic rotations on plaintext slots. Other operations, like constant multiplication, behave as usual. It is considered the default encoding method for CKKS.

The figure bellow illustrates the relationship between these two encodings: 

                                             Real^{N}          Z_Q[X]/(X^N+1)
	EncodeCoeffs: ----------------------------->[]float64 ---------> Plaintext
                                                |
                   Complex^{N/2}                |
	EncodeSlots:  []complex128/[]float64 -> iDFT ---┘

func NewEncoder 

func NewEncoder(params Parameters) Encoder

NewEncoder creates a new Encoder that is used to encode a slice of complex values of size at most N/2 (the number of slots) on a Plaintext.

type EncoderBigComplex 

type EncoderBigComplex interface {
	Encode(values []*ring.Complex, plaintext *rlwe.Plaintext, logSlots int)
	EncodeNew(values []*ring.Complex, level int, scale rlwe.Scale, logSlots int) (plaintext *rlwe.Plaintext)
	Decode(plaintext *rlwe.Plaintext, logSlots int) (res []*ring.Complex)
	DecodePublic(plaintext *rlwe.Plaintext, logSlots int, sigma float64) (res []*ring.Complex)
	FFT(values []*ring.Complex, N int)
	InvFFT(values []*ring.Complex, N int)
	ShallowCopy() EncoderBigComplex
}

EncoderBigComplex is an interface that implements the encoding algorithms with arbitrary precision.

func NewEncoderBigComplex 

func NewEncoderBigComplex(params Parameters, prec uint) EncoderBigComplex

NewEncoderBigComplex creates a new encoder using arbitrary precision complex arithmetic.

type Evaluator 

type Evaluator interface {

	// Addition
	Add(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
	AddNew(ctIn *rlwe.Ciphertext, op1 rlwe.Operand) (ctOut *rlwe.Ciphertext)

	// Subtraction
	Sub(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
	SubNew(ctIn *rlwe.Ciphertext, op1 rlwe.Operand) (ctOut *rlwe.Ciphertext)

	// Negation
	Neg(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)
	NegNew(ctIn *rlwe.Ciphertext) (ctOut *rlwe.Ciphertext)

	// Constant Addition
	AddConstNew(ctIn *rlwe.Ciphertext, constant interface{}) (ctOut *rlwe.Ciphertext)
	AddConst(ctIn *rlwe.Ciphertext, constant interface{}, ctOut *rlwe.Ciphertext)

	// Constant Multiplication
	MultByConstNew(ctIn *rlwe.Ciphertext, constant interface{}) (ctOut *rlwe.Ciphertext)
	MultByConst(ctIn *rlwe.Ciphertext, constant interface{}, ctOut *rlwe.Ciphertext)
	MultByGaussianInteger(ctIn *rlwe.Ciphertext, cReal, cImag interface{}, ctOut *rlwe.Ciphertext)

	// Constant Multiplication with Addition
	MultByConstAndAdd(ctIn *rlwe.Ciphertext, constant interface{}, ctOut *rlwe.Ciphertext)
	MultByGaussianIntegerAndAdd(ctIn *rlwe.Ciphertext, cReal, cImag interface{}, ctOut *rlwe.Ciphertext)

	// Multiplication by the imaginary unit
	MultByiNew(ctIn *rlwe.Ciphertext) (ctOut *rlwe.Ciphertext)
	MultByi(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)
	DivByiNew(ctIn *rlwe.Ciphertext) (ctOut *rlwe.Ciphertext)
	DivByi(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)

	// Conjugation
	ConjugateNew(ctIn *rlwe.Ciphertext) (ctOut *rlwe.Ciphertext)
	Conjugate(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)

	// Multiplication
	Mul(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
	MulNew(ctIn *rlwe.Ciphertext, op1 rlwe.Operand) (ctOut *rlwe.Ciphertext)
	MulRelin(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
	MulRelinNew(ctIn *rlwe.Ciphertext, op1 rlwe.Operand) (ctOut *rlwe.Ciphertext)

	MulAndAdd(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
	MulRelinAndAdd(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)

	// Slot Rotations
	RotateNew(ctIn *rlwe.Ciphertext, k int) (ctOut *rlwe.Ciphertext)
	Rotate(ctIn *rlwe.Ciphertext, k int, ctOut *rlwe.Ciphertext)
	RotateHoistedNew(ctIn *rlwe.Ciphertext, rotations []int) (ctOut map[int]*rlwe.Ciphertext)
	RotateHoisted(ctIn *rlwe.Ciphertext, rotations []int, ctOut map[int]*rlwe.Ciphertext)
	RotateHoistedNoModDownNew(level int, rotations []int, c0 *ring.Poly, c2DecompQP []ringqp.Poly) (cOut map[int]rlwe.CiphertextQP)

	// Polynomial evaluation
	EvaluatePoly(input interface{}, pol *Polynomial, targetScale rlwe.Scale) (ctOut *rlwe.Ciphertext, err error)
	EvaluatePolyVector(input interface{}, pols []*Polynomial, encoder Encoder, slotIndex map[int][]int, targetScale rlwe.Scale) (ctOut *rlwe.Ciphertext, err error)

	// Inversion
	InverseNew(ctIn *rlwe.Ciphertext, steps int) (ctOut *rlwe.Ciphertext, err error)

	// Linear Transformations
	LinearTransformNew(ctIn *rlwe.Ciphertext, linearTransform interface{}) (ctOut []*rlwe.Ciphertext)
	LinearTransform(ctIn *rlwe.Ciphertext, linearTransform interface{}, ctOut []*rlwe.Ciphertext)
	MultiplyByDiagMatrix(ctIn *rlwe.Ciphertext, matrix LinearTransform, c2DecompQP []ringqp.Poly, ctOut *rlwe.Ciphertext)
	MultiplyByDiagMatrixBSGS(ctIn *rlwe.Ciphertext, matrix LinearTransform, c2DecompQP []ringqp.Poly, ctOut *rlwe.Ciphertext)

	// Inner sum
	InnerSum(ctIn *rlwe.Ciphertext, batch, n int, ctOut *rlwe.Ciphertext)
	Average(ctIn *rlwe.Ciphertext, batch int, ctOut *rlwe.Ciphertext)

	// Replication (inverse of Inner sum)
	Replicate(ctIn *rlwe.Ciphertext, batch, n int, ctOut *rlwe.Ciphertext)

	// Trace
	Trace(ctIn *rlwe.Ciphertext, logSlots int, ctOut *rlwe.Ciphertext)
	TraceNew(ctIn *rlwe.Ciphertext, logSlots int) (ctOut *rlwe.Ciphertext)

	// Key-Switching
	SwitchKeysNew(ctIn *rlwe.Ciphertext, switchingKey *rlwe.SwitchingKey) (ctOut *rlwe.Ciphertext)
	SwitchKeys(ctIn *rlwe.Ciphertext, switchingKey *rlwe.SwitchingKey, ctOut *rlwe.Ciphertext)

	// Degree Management
	RelinearizeNew(ctIn *rlwe.Ciphertext) (ctOut *rlwe.Ciphertext)
	Relinearize(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)

	// Scale Management
	ScaleUpNew(ctIn *rlwe.Ciphertext, scale rlwe.Scale) (ctOut *rlwe.Ciphertext)
	ScaleUp(ctIn *rlwe.Ciphertext, scale rlwe.Scale, ctOut *rlwe.Ciphertext)
	SetScale(ctIn *rlwe.Ciphertext, scale rlwe.Scale)
	Rescale(ctIn *rlwe.Ciphertext, minScale rlwe.Scale, ctOut *rlwe.Ciphertext) (err error)

	// Level Management
	DropLevelNew(ctIn *rlwe.Ciphertext, levels int) (ctOut *rlwe.Ciphertext)
	DropLevel(ctIn *rlwe.Ciphertext, levels int)

	// ==============
	// === Others ===
	// ==============
	GetRLWEEvaluator() *rlwe.Evaluator
	BuffQ() [3]*ring.Poly
	BuffCt() *rlwe.Ciphertext
	ShallowCopy() Evaluator
	WithKey(rlwe.EvaluationKey) Evaluator
}

Evaluator is an interface implementing the methods to conduct homomorphic operations between ciphertext and/or plaintexts.

func NewEvaluator 

func NewEvaluator(params Parameters, evaluationKey rlwe.EvaluationKey) Evaluator

NewEvaluator creates a new Evaluator, that can be used to do homomorphic operations on the Ciphertexts and/or Plaintexts. It stores a memory buffer and Ciphertexts that will be used for intermediate values.

type LinearTransform 

type LinearTransform struct {
	LogSlots int                 // Log of the number of slots of the plaintext (needed to compute the appropriate rotation keys)
	N1       int                 // N1 is the number of inner loops of the baby-step giant-step algorithm used in the evaluation (if N1 == 0, BSGS is not used).
	Level    int                 // Level is the level at which the matrix is encoded (can be circuit dependent)
	Scale    rlwe.Scale          // Scale is the scale at which the matrix is encoded (can be circuit dependent)
	Vec      map[int]ringqp.Poly // Vec is the matrix, in diagonal form, where each entry of vec is an indexed non-zero diagonal.
}

LinearTransform is a type for linear transformations on ciphertexts. It stores a plaintext matrix diagonalized in diagonal form and can be evaluated on a ciphertext by using the evaluator.LinearTransform method.

func GenLinearTransform 

func GenLinearTransform(encoder Encoder, value interface{}, level int, scale rlwe.Scale, logslots int) LinearTransform

GenLinearTransform allocates and encode a new LinearTransform struct from the linear transforms' matrix in diagonal form `value`. values.(type) can be either map[int][]complex128 or map[int][]float64. User must ensure that 1 <= len([]complex128\[]float64) <= 2^logSlots < 2^logN. It can then be evaluated on a ciphertext using evaluator.LinearTransform. Evaluation will use the naive approach (single hoisting and no baby-step giant-step). Faster if there is only a few non-zero diagonals but uses more keys.

func GenLinearTransformBSGS 

func GenLinearTransformBSGS(encoder Encoder, value interface{}, level int, scale rlwe.Scale, BSGSRatio float64, logSlots int) (LT LinearTransform)

GenLinearTransformBSGS allocates and encodes a new LinearTransform struct from the linear transforms' matrix in diagonal form `value` for evaluation with a baby-step giant-step approach. values.(type) can be either map[int][]complex128 or map[int][]float64. User must ensure that 1 <= len([]complex128\[]float64) <= 2^logSlots < 2^logN. LinearTransform types can be be evaluated on a ciphertext using evaluator.LinearTransform. Evaluation will use the optimized approach (double hoisting and baby-step giant-step). Faster if there is more than a few non-zero diagonals. BSGSRatio is the maximum ratio between the inner and outer loop of the baby-step giant-step algorithm used in evaluator.LinearTransform. Optimal BSGSRatio value is between 4 and 16 depending on the sparsity of the matrix.

func NewLinearTransform 

func NewLinearTransform(params Parameters, nonZeroDiags []int, level, logSlots int, BSGSRatio float64) LinearTransform

NewLinearTransform allocates a new LinearTransform with zero plaintexts at the specified level. If BSGSRatio == 0, the LinearTransform is set to not use the BSGS approach. Method will panic if BSGSRatio < 0.

func (*LinearTransform) Encode 

func (LT *LinearTransform) Encode(encoder Encoder, value interface{}, scale rlwe.Scale)

Encode encodes on a pre-allocated LinearTransform the linear transforms' matrix in diagonal form `value`. values.(type) can be either map[int][]complex128 or map[int][]float64. User must ensure that 1 <= len([]complex128\[]float64) <= 2^logSlots < 2^logN. It can then be evaluated on a ciphertext using evaluator.LinearTransform. Evaluation will use the naive approach (single hoisting and no baby-step giant-step). Faster if there is only a few non-zero diagonals but uses more keys.

func (*LinearTransform) Rotations 

func (LT *LinearTransform) Rotations() (rotations []int)

Rotations returns the list of rotations needed for the evaluation of the linear transform.

type Parameters 

type Parameters struct {
	rlwe.Parameters
	// contains filtered or unexported fields
}

Parameters represents a parameter set for the CKKS cryptosystem. Its fields are private and immutable. See ParametersLiteral for user-specified parameters.

func NewParameters 

func NewParameters(rlweParams rlwe.Parameters, logSlots int) (p Parameters, err error)

NewParameters instantiate a set of CKKS parameters from the generic RLWE parameters and the CKKS-specific ones. It returns the empty parameters Parameters{} and a non-nil error if the specified parameters are invalid.

func NewParametersFromLiteral 

func NewParametersFromLiteral(pl ParametersLiteral) (Parameters, error)

NewParametersFromLiteral instantiate a set of CKKS parameters from a ParametersLiteral specification. It returns the empty parameters Parameters{} and a non-nil error if the specified parameters are invalid.

If the `LogSlots` field is left unset, its value is set to `LogN-1` for the Standard ring and to `LogN` for the conjugate-invariant ring.

See `rlwe.NewParametersFromLiteral` for default values of the other optional fields.

func (Parameters) Equals 

func (p Parameters) Equals(other Parameters) bool

Equals compares two sets of parameters for equality.

func (Parameters) LogQLvl 

func (p Parameters) LogQLvl(level int) int

LogQLvl returns the size of the modulus Q in bits at a specific level

func (Parameters) LogSlots 

func (p Parameters) LogSlots() int

LogSlots returns the log of the number of slots

func (Parameters) MarshalBinary 

func (p Parameters) MarshalBinary() ([]byte, error)

MarshalBinary returns a []byte representation of the parameter set.

func (Parameters) MarshalBinarySize 

func (p Parameters) MarshalBinarySize() int

MarshalBinarySize returns the length of the []byte encoding of the receiver.

func (Parameters) MarshalJSON 

func (p Parameters) MarshalJSON() ([]byte, error)

MarshalJSON returns a JSON representation of this parameter set. See `Marshal` from the `encoding/json` package.

func (Parameters) MaxLevel 

func (p Parameters) MaxLevel() int

MaxLevel returns the maximum ciphertext level

func (Parameters) MaxLogSlots 

func (p Parameters) MaxLogSlots() int

MaxLogSlots returns the log of the maximum number of slots enabled by the parameters

func (Parameters) MaxSlots 

func (p Parameters) MaxSlots() int

MaxSlots returns the theoretical maximum of plaintext slots allowed by the ring degree

func (Parameters) ParametersLiteral 

func (p Parameters) ParametersLiteral() (pLit ParametersLiteral)

ParametersLiteral returns the ParametersLiteral of the target Parameters.

func (Parameters) QLvl 

func (p Parameters) QLvl(level int) *big.Int

QLvl returns the product of the moduli at the given level as a big.Int

func (Parameters) RotationsForLinearTransform 

func (p Parameters) RotationsForLinearTransform(nonZeroDiags interface{}, logSlots int, BSGSratio float64) (rotations []int)

RotationsForLinearTransform generates the list of rotations needed for the evaluation of a linear transform with the provided list of non-zero diagonals, logSlots encoding and BSGSratio. If BSGSratio == 0, then provides the rotations needed for an evaluation without the BSGS approach.

func (Parameters) Slots 

func (p Parameters) Slots() int

Slots returns number of available plaintext slots

func (Parameters) StandardParameters 

func (p Parameters) StandardParameters() (pckks Parameters, err error)

StandardParameters returns the CKKS parameters corresponding to the receiver parameter set. If the receiver is already a standard parameter set (i.e., RingType==Standard), then the method returns the receiver.

func (*Parameters) UnmarshalBinary 

func (p *Parameters) UnmarshalBinary(data []byte) (err error)

UnmarshalBinary decodes a []byte into a parameter set struct

func (*Parameters) UnmarshalJSON 

func (p *Parameters) UnmarshalJSON(data []byte) (err error)

UnmarshalJSON reads a JSON representation of a parameter set into the receiver Parameter. See `Unmarshal` from the `encoding/json` package.

type ParametersLiteral 

type ParametersLiteral struct {
	LogN         int
	Q            []uint64
	P            []uint64
	LogQ         []int `json:",omitempty"`
	LogP         []int `json:",omitempty"`
	Pow2Base     int
	Sigma        float64
	H            int
	RingType     ring.Type
	LogSlots     int
	DefaultScale float64
}

ParametersLiteral is a literal representation of BFV parameters. It has public fields and is used to express unchecked user-defined parameters literally into Go programs. The NewParametersFromLiteral function is used to generate the actual checked parameters from the literal representation.

Users must set the polynomial degree (in log_2, LogN) and the coefficient modulus, by either setting the Q and P fields to the desired moduli chain, or by setting the LogQ and LogP fields to the desired moduli sizes (in log_2). Users must also specify a default initial scale for the plaintexts.

Optionally, users may specify the error variance (Sigma), the secrets' density (H), the ring type (RingType) and the number of slots (in log_2, LogSlots). If left unset, standard default values for these field are substituted at parameter creation (see NewParametersFromLiteral).

func (ParametersLiteral) RLWEParameters 

func (p ParametersLiteral) RLWEParameters() rlwe.ParametersLiteral

RLWEParameters returns the rlwe.ParametersLiteral from the target ckks.ParameterLiteral.

type Polynomial 

type Polynomial struct {
	BasisType
	MaxDeg int
	Coeffs []complex128
	Lead   bool
	A      float64
	B      float64
}

Polynomial is a struct storing the coefficients of a polynomial that then can be evaluated on the ciphertext

func Approximate 

func Approximate(function interface{}, a, b float64, degree int) (pol *Polynomial)

Approximate computes a Chebyshev approximation of the input function, for the range [-a, b] of degree degree. function.(type) can be either func(complex128)complex128 or func(float64)float64 To be used in conjunction with the function EvaluateCheby.

func NewPoly 

func NewPoly(coeffs []complex128) (p *Polynomial)

NewPoly creates a new Poly from the input coefficients

func (*Polynomial) Degree 

func (p *Polynomial) Degree() int

Degree returns the degree of the polynomial

func (*Polynomial) Depth 

func (p *Polynomial) Depth() int

Depth returns the number of levels needed to evaluate the polynomial.

type PolynomialBasis 

type PolynomialBasis struct {
	BasisType
	Value map[int]*rlwe.Ciphertext
}

PolynomialBasis is a struct storing powers of a ciphertext.

func NewPolynomialBasis 

func NewPolynomialBasis(ct *rlwe.Ciphertext, basistype BasisType) (p *PolynomialBasis)

NewPolynomialBasis creates a new PolynomialBasis. It takes as input a ciphertext and a basistype. The struct treats the input ciphertext as a monomial X and can be used to generates power of this monomial X^{n} in the given BasisType.

func (*PolynomialBasis) GenPower 

func (p *PolynomialBasis) GenPower(n int, lazy bool, scale rlwe.Scale, eval Evaluator) (err error)

GenPower recursively computes X^{n}. If lazy = true, the final X^{n} will not be relinearized. Previous non-relinearized X^{n} that are required to compute the target X^{n} are automatically relinearized. Scale sets the threshold for rescaling (ciphertext won't be rescaled if the rescaling operation would make the scale go under this threshold).

func (*PolynomialBasis) MarshalBinary 

func (p *PolynomialBasis) MarshalBinary() (data []byte, err error)

MarshalBinary encodes the target on a slice of bytes.

func (*PolynomialBasis) UnmarshalBinary 

func (p *PolynomialBasis) UnmarshalBinary(data []byte) (err error)

UnmarshalBinary decodes a slice of bytes on the target.

type PrecisionStats 

type PrecisionStats struct {
	MaxDelta        Stats
	MinDelta        Stats
	MaxPrecision    Stats
	MinPrecision    Stats
	MeanDelta       Stats
	MeanPrecision   Stats
	MedianDelta     Stats
	MedianPrecision Stats
	STDFreq         float64
	STDTime         float64

	RealDist, ImagDist, L2Dist []struct {
		Prec  float64
		Count int
	}
	// contains filtered or unexported fields
}

PrecisionStats is a struct storing statistic about the precision of a CKKS plaintext

func GetPrecisionStats 

func GetPrecisionStats(params Parameters, encoder Encoder, decryptor rlwe.Decryptor, vWant, element interface{}, logSlots int, sigma float64) (prec PrecisionStats)

GetPrecisionStats generates a PrecisionStats struct from the reference values and the decrypted values vWant.(type) must be either []complex128 or []float64 element.(type) must be either *Plaintext, *Ciphertext, []complex128 or []float64. If not *Ciphertext, then decryptor can be nil.

func (PrecisionStats) String 

func (prec PrecisionStats) String() string

type Stats 

type Stats struct {
	Real, Imag, L2 float64
}

Stats is a struct storing the real, imaginary and L2 norm (modulus) about the precision of a complex value.

Source Files

View all Source files

Directories

Path Synopsis
Package advanced implements advanced operations for the CKKS scheme.
 Package advanced implements advanced operations for the CKKS scheme.
Package bootstrapping implement the bootstrapping for the CKKS scheme.
 Package bootstrapping implement the bootstrapping for the CKKS scheme.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.