This is a WIP.
Some materials we use for below notes:
Summary of FHE Slides [1]
Summary of FHE Blog [2]
FHE survey paper 2022 [3]
Intro to FHE Video [4]
CHIMERA [5]
KPZ22 [6] shows concretely many important formula in the Appendix
TFHE-Tech and TFHE-Overview
Number can be presented in "whole", radix, rns, or tower form:
radix form is more general than the "whole" where we can say that is the base and we only count to
we can do additions in parallel but we have to accumulate the carries
we can do comparison fast by going from most significant "bit" to least significant "bit"
if all ' s are different then we have advantage when doing additions in parallel as there is no carry
we have to convert to radix form or "whole" for comparison
Nevertheless, when we have bases (radix or rns) we can do SIMD (packing).
Polynomial can be presented in coefficient or evaluation form:
Coefficient of polynomials are numbers represented in forms above;
Polynomial also has bases ():
When dealing with polynomial we rely on FFT (NTT) for fast computation (as opposed to radix or rns parallelization of numbers computation).
1st, 2nd, 3rd ([1]):
4th ([1]):
2nd has efficient packing than 3rd so better for depth 1 or depth 2 computation!
4th is not directly usable because it is on approximate numbers, however its idea should be useful for tweaks (later schemes)
Encapsulation of numbers (e.g. encryption) can carry noises, e.g. an encapsulation of 16 "bits" (think in radix or rns form) can have actual value of upto 4 bits and noises upto 12 bits, and we can always recover the actual value if the noises do not exceed that 12 bits threshold.
noises increase "a bit" when adding two encapsulations, in our example if noise is 11 bits and adding two of that we still have only 12 bits and still good, but not beyond that
noises increase a lot when multiplying an encapsulation with a number, e.g. multiply an encapsulation with 8 bit noise and a 4 bit number still get good encapsulation of 12 bits noise
noises increase a lot lot when multiplying two encapsulations, e.g. multiply two encapsulations of 4 bits value and 2 bits noise is safe with 12 bits noise afterwards, but not beyond that
Its all about noise growth management when handling encapsulation.
If we trivially make something like 8 bits value with 1.000.000 bits of noise we can have a lot of multiplication depth but this is expansive in terms of both storage and computation.
quite circular and we need to keep the "degree" of the relinearization polynomial low below the noise threshold
3rd gen is faster but requires more communication (ciphertext size) –> we encrypt (and pack) with 2nd gen for communication and then switch (and unpack) to 3rd gen for computation! (ONLY WHEN BOOSTRAPPING IS NEEDED, OTHERWISE NO NEED CONVERSION)!
For non-binary we use 2nd gen and binary we use 3rd gen
Plaintext messages are vector size of elements (coefficients) modulo (prime but in general coprime to for packing)
Keygen: ; ; ; ;
Enc becomes ;
Dec (remember, all arithmetic below)
Add: just add!
Mul: just mul (element wise) but look at decryption, now need refresh:
Enc of can be scaled with in BFV
If represented as RNS, can also do hybrid key switching, GHS method is efficient but need to double N or do q/2
No noise reset but can switch to a new (can be smaller) key
Can reset noise and switch to a smaller modulus
Pack and unpack, think about sending a packed ciphertext (not possible to do mult) that can be unpacked (using some big key) into several ciphertexts (that can do mult)
Doing things in a batch so that it cost less in average (caution: may not parallelizable)
Cyclic rotation
Beyond multiplication, basically a lookup table
This is similar to PB?, think about doing a specific hash like SHA256?
CHIMERA on LWE/RLWE schemes, think about switching from non-binary to binary and maybe just extraction of some bits:
All convenient things may require a BIG one time setup (but may be it is fine we do that and we are free next time)
A whole number modulo p can fit "natively" into an FHE ciphertext prime p base but can be expansive depending on p.
A whole number modulo p can fit "non-natively" into an FHE ciphertext composite n in rns form resulting in many ciphertexts, cheaper in computation but has to do modulo reduction on p and this is expansive.
A byte array can fit "natively" into a binary ciphertext.