def example_rotation_ckks():
print("Example: Rotation / Rotation in CKKS");
#Rotations in the CKKS scheme work very similarly to rotations in BFV.
parms = EncryptionParameters(scheme_type.CKKS)
poly_modulus_degree = 8192
parms.set_poly_modulus_degree(poly_modulus_degree)
parms.set_coeff_modulus(CoeffModulus.Create(
poly_modulus_degree, IntVector([40, 40, 40, 40, 40])))
context = SEALContext.Create(parms)
print_parameters(context)
keygen = KeyGenerator(context)
public_key = keygen.public_key()
secret_key = keygen.secret_key()
relin_keys = keygen.relin_keys()
gal_keys = keygen.galois_keys()
encryptor = Encryptor(context, public_key)
evaluator = Evaluator(context)
decryptor = Decryptor(context, secret_key)
ckks_encoder = CKKSEncoder(context)
slot_count = ckks_encoder.slot_count()
print("Number of slots: {}".format(slot_count))
step_size = 1.0 / (slot_count - 1)
input = DoubleVector(list(map(lambda x: x*step_size, range(0, slot_count))))
print_vector(input)
scale = 2.0**50
print("Encode and encrypt.")
plain = Plaintext()
ckks_encoder.encode(input, scale, plain)
encrypted = Ciphertext()
encryptor.encrypt(plain, encrypted)
rotated = Ciphertext()
print("Rotate 2 steps left.")
evaluator.rotate_vector(encrypted, 2, gal_keys, rotated)
print(" + Decrypt and decode ...... Correct.")
decryptor.decrypt(rotated, plain)
result = DoubleVector()
ckks_encoder.decode(plain, result)
print_vector(result)
def with_env(cls):
parms = EncryptionParameters(scheme_type.CKKS)
parms.set_poly_modulus_degree(POLY_MODULUS_DEGREE)
parms.set_coeff_modulus(
CoeffModulus.Create(POLY_MODULUS_DEGREE, PRIME_SIZE_LIST))
context = SEALContext.Create(parms)
keygen = KeyGenerator(context)
public_key = keygen.public_key()
secret_key = keygen.secret_key()
relin_keys = keygen.relin_keys()
galois_keys = keygen.galois_keys()
return cls(context=context,
public_key=public_key,
secret_key=secret_key,
relin_keys=relin_keys,
galois_keys=galois_keys,
poly_modulus_degree=POLY_MODULUS_DEGREE,
scale=SCALE)
def example_rotation_bfv():
print("Example: Rotation / Rotation in BFV")
parms = EncryptionParameters(scheme_type.BFV)
poly_modulus_degree = 8192
parms.set_poly_modulus_degree(poly_modulus_degree)
parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree))
parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20))
context = SEALContext.Create(parms)
print_parameters(context)
keygen = KeyGenerator(context)
public_key = keygen.public_key()
secret_key = keygen.secret_key()
relin_keys = keygen.relin_keys()
encryptor = Encryptor(context, public_key)
evaluator = Evaluator(context)
decryptor = Decryptor(context, secret_key)
batch_encoder = BatchEncoder(context)
slot_count = batch_encoder.slot_count()
row_size = int(slot_count / 2)
print("Plaintext matrix row size: {}".format(row_size))
pod_matrix = UInt64Vector([0]*slot_count)
pod_matrix[0] = 0
pod_matrix[1] = 1
pod_matrix[2] = 2
pod_matrix[3] = 3
pod_matrix[row_size] = 4
pod_matrix[row_size + 1] = 5
pod_matrix[row_size + 2] = 6
pod_matrix[row_size + 3] = 7
print("Input plaintext matrix:")
print_matrix(pod_matrix, row_size)
#First we use BatchEncoder to encode the matrix into a plaintext. We encrypt
#the plaintext as usual.
plain_matrix = Plaintext()
print("Encode and encrypt.")
batch_encoder.encode(pod_matrix, plain_matrix)
encrypted_matrix = Ciphertext()
encryptor.encrypt(plain_matrix, encrypted_matrix)
print(" + Noise budget in fresh encryption: {} bits".format(
decryptor.invariant_noise_budget(encrypted_matrix)))
#Rotations require yet another type of special key called `Galois keys'. These
#are easily obtained from the KeyGenerator.
gal_keys = keygen.galois_keys()
#Now rotate both matrix rows 3 steps to the left, decrypt, decode, and print.
print("Rotate rows 3 steps left.")
evaluator.rotate_rows_inplace(encrypted_matrix, 3, gal_keys)
plain_result = Plaintext()
print(" + Noise budget after rotation: {} bits".format(
decryptor.invariant_noise_budget(encrypted_matrix)))
print(" + Decrypt and decode ...... Correct.")
decryptor.decrypt(encrypted_matrix, plain_result)
batch_encoder.decode(plain_result, pod_matrix)
print_matrix(pod_matrix, row_size)
#We can also rotate the columns, i.e., swap the rows.
print("Rotate columns.")
evaluator.rotate_columns_inplace(encrypted_matrix, gal_keys)
print(" + Noise budget after rotation: {} bits".format(
decryptor.invariant_noise_budget(encrypted_matrix)))
print(" + Decrypt and decode ...... Correct.")
decryptor.decrypt(encrypted_matrix, plain_result)
batch_encoder.decode(plain_result, pod_matrix)
print_matrix(pod_matrix, row_size)
#Finally, we rotate the rows 4 steps to the right, decrypt, decode, and print.
print("Rotate rows 4 steps right.")
evaluator.rotate_rows_inplace(encrypted_matrix, -4, gal_keys)
print(" + Noise budget after rotation: {} bits".format(
decryptor.invariant_noise_budget(encrypted_matrix)))
print(" + Decrypt and decode ...... Correct.")
decryptor.decrypt(encrypted_matrix, plain_result)
batch_encoder.decode(plain_result, pod_matrix)
print_matrix(pod_matrix, row_size)
def example_levels():
print("Example: Levels")
#In this examples we describe the concept of `levels' in BFV and CKKS and the
#related objects that represent them in Microsoft SEAL.
#
#In Microsoft SEAL a set of encryption parameters (excluding the random number
#generator) is identified uniquely by a 256-bit hash of the parameters. This
#hash is called the `parms_id' and can be easily accessed and printed at any
#time. The hash will change as soon as any of the parameters is changed.
#
#When a SEALContext is created from a given EncryptionParameters instance,
#Microsoft SEAL automatically creates a so-called `modulus switching chain',
#which is a chain of other encryption parameters derived from the original set.
#The parameters in the modulus switching chain are the same as the original
#parameters with the exception that size of the coefficient modulus is
#decreasing going down the chain. More precisely, each parameter set in the
#chain attempts to remove the last coefficient modulus prime from the
#previous set; this continues until the parameter set is no longer valid
#(e.g., plain_modulus is larger than the remaining coeff_modulus). It is easy
#to walk through the chain and access all the parameter sets. Additionally,
#each parameter set in the chain has a `chain index' that indicates its
#position in the chain so that the last set has index 0. We say that a set
#of encryption parameters, or an object carrying those encryption parameters,
#is at a higher level in the chain than another set of parameters if its the
#chain index is bigger, i.e., it is earlier in the chain.
#
#Each set of parameters in the chain involves unique pre-computations performed
#when the SEALContext is created, and stored in a SEALContext::ContextData
#object. The chain is basically a linked list of SEALContext::ContextData
#objects, and can easily be accessed through the SEALContext at any time. Each
#node can be identified by the parms_id of its specific encryption parameters
#(poly_modulus_degree remains the same but coeff_modulus varies).
parms = EncryptionParameters(scheme_type.BFV)
poly_modulus_degree = 8192
parms.set_poly_modulus_degree(poly_modulus_degree)
#In this example we use a custom coeff_modulus, consisting of 5 primes of
#sizes 50, 30, 30, 50, and 50 bits. Note that this is still OK according to
#the explanation in `1_bfv_basics.cpp'. Indeed,
#
# CoeffModulus::MaxBitCount(poly_modulus_degree)
#
#returns 218 (greater than 50+30+30+50+50=210).
#
#Due to the modulus switching chain, the order of the 5 primes is significant.
#The last prime has a special meaning and we call it the `special prime'. Thus,
#the first parameter set in the modulus switching chain is the only one that
#involves the special prime. All key objects, such as SecretKey, are created
#at this highest level. All data objects, such as Ciphertext, can be only at
#lower levels. The special prime should be as large as the largest of the
#other primes in the coeff_modulus, although this is not a strict requirement.
#
# special prime +---------+
# |
# v
#coeff_modulus: { 50, 30, 30, 50, 50 } +---+ Level 4 (all keys; `key level')
# |
# |
# coeff_modulus: { 50, 30, 30, 50 } +---+ Level 3 (highest `data level')
# |
# |
# coeff_modulus: { 50, 30, 30 } +---+ Level 2
# |
# |
# coeff_modulus: { 50, 30 } +---+ Level 1
# |
# |
# coeff_modulus: { 50 } +---+ Level 0 (lowest level)
parms.set_coeff_modulus(
CoeffModulus.Create(poly_modulus_degree,
IntVector([50, 30, 30, 50, 50])))
#In this example the plain_modulus does not play much of a role; we choose
#some reasonable value.
parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20))
context = SEALContext.Create(parms)
print_parameters(context)
#There are convenience method for accessing the SEALContext::ContextData for
#some of the most important levels:
#
# SEALContext::key_context_data(): access to key level ContextData
# SEALContext::first_context_data(): access to highest data level ContextData
# SEALContext::last_context_data(): access to lowest level ContextData
#
#We iterate over the chain and print the parms_id for each set of parameters.
print("Print the modulus switching chain.")
#First print the key level parameter information.
context_data = context.key_context_data()
print("----> Level (chain index): {} ...... key_context_data()".format(
context_data.chain_index()))
print(" parms_id: {}".format(list2hex(context_data.parms_id())))
print("coeff_modulus primes:", end=' ')
for prime in context_data.parms().coeff_modulus():
print(hex(prime.value()), end=' ')
print("")
print("\\")
print(" \\-->")
#Next iterate over the remaining (data) levels.
context_data = context.first_context_data()
while (context_data):
print(" Level (chain index): {} ".format(context_data.chain_index()),
end='')
if context_data.parms_id() == context.first_parms_id():
print(" ...... first_context_data()")
elif context_data.parms_id() == context.last_parms_id():
print(" ...... last_context_data()")
else:
print("")
print(" parms_id: {}".format(list2hex(context_data.parms_id())))
print("coeff_modulus primes:", end=' ')
for prime in context_data.parms().coeff_modulus():
print(hex(prime.value()), end=' ')
print("")
print("\\")
print(" \\-->")
#Step forward in the chain.
context_data = context_data.next_context_data()
print(" End of chain reached")
#We create some keys and check that indeed they appear at the highest level.
keygen = KeyGenerator(context)
public_key = keygen.public_key()
secret_key = keygen.secret_key()
relin_keys = keygen.relin_keys()
galois_keys = keygen.galois_keys()
print("Print the parameter IDs of generated elements.")
print(" + public_key: {}".format(list2hex(public_key.parms_id())))
print(" + secret_key: {}".format(list2hex(secret_key.parms_id())))
print(" + relin_keys: {}".format(list2hex(relin_keys.parms_id())))
print(" + galois_keys: {}".format(list2hex(galois_keys.parms_id())))
encryptor = Encryptor(context, public_key)
evaluator = Evaluator(context)
decryptor = Decryptor(context, secret_key)
#In the BFV scheme plaintexts do not carry a parms_id, but ciphertexts do. Note
#how the freshly encrypted ciphertext is at the highest data level.
plain = Plaintext("1x^3 + 2x^2 + 3x^1 + 4")
encrypted = Ciphertext()
encryptor.encrypt(plain, encrypted)
print(" + plain: {} (not set in BFV)".format(
list2hex(plain.parms_id())))
print(" + encrypted: {}".format(list2hex(encrypted.parms_id())))
#`Modulus switching' is a technique of changing the ciphertext parameters down
#in the chain. The function Evaluator::mod_switch_to_next always switches to
#the next level down the chain, whereas Evaluator::mod_switch_to switches to
#a parameter set down the chain corresponding to a given parms_id. However, it
#is impossible to switch up in the chain.
print("Perform modulus switching on encrypted and print.")
context_data = context.first_context_data()
print("---->")
while (context_data.next_context_data()):
print(" Level (chain index): {} ".format(context_data.chain_index()))
print(" parms_id of encrypted: {}".format(
list2hex(encrypted.parms_id())))
print(" Noise budget at this level: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
print("\\")
print(" \\-->")
evaluator.mod_switch_to_next_inplace(encrypted)
context_data = context_data.next_context_data()
print(" Level (chain index): {}".format(context_data.chain_index()))
print(" parms_id of encrypted: {}".format(encrypted.parms_id()))
print(" Noise budget at this level: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
print("\\")
print(" \\-->")
print(" End of chain reached")
#At this point it is hard to see any benefit in doing this: we lost a huge
#amount of noise budget (i.e., computational power) at each switch and seemed
#to get nothing in return. Decryption still works.
print("Decrypt still works after modulus switching.")
decryptor.decrypt(encrypted, plain)
print(" + Decryption of encrypted: {} ...... Correct.".format(
plain.to_string()))
#However, there is a hidden benefit: the size of the ciphertext depends
#linearly on the number of primes in the coefficient modulus. Thus, if there
#is no need or intention to perform any further computations on a given
#ciphertext, we might as well switch it down to the smallest (last) set of
#parameters in the chain before sending it back to the secret key holder for
#decryption.
#
#Also the lost noise budget is actually not an issue at all, if we do things
#right, as we will see below.
#
#First we recreate the original ciphertext and perform some computations.
print("Computation is more efficient with modulus switching.")
print("Compute the 8th power.")
encryptor.encrypt(plain, encrypted)
print(" + Noise budget fresh: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
evaluator.square_inplace(encrypted)
evaluator.relinearize_inplace(encrypted, relin_keys)
print(" + Noise budget of the 2nd power: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
evaluator.square_inplace(encrypted)
evaluator.relinearize_inplace(encrypted, relin_keys)
print(" + Noise budget of the 4th power: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
#Surprisingly, in this case modulus switching has no effect at all on the
#noise budget.
evaluator.mod_switch_to_next_inplace(encrypted)
print(" + Noise budget after modulus switching: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
#This means that there is no harm at all in dropping some of the coefficient
#modulus after doing enough computations. In some cases one might want to
#switch to a lower level slightly earlier, actually sacrificing some of the
#noise budget in the process, to gain computational performance from having
#smaller parameters. We see from the print-out that the next modulus switch
#should be done ideally when the noise budget is down to around 25 bits.
evaluator.square_inplace(encrypted)
evaluator.relinearize_inplace(encrypted, relin_keys)
print(" + Noise budget of the 8th power: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
evaluator.mod_switch_to_next_inplace(encrypted)
print(" + Noise budget after modulus switching: {} bits".format(
decryptor.invariant_noise_budget(encrypted)))
#At this point the ciphertext still decrypts correctly, has very small size,
#and the computation was as efficient as possible. Note that the decryptor
#can be used to decrypt a ciphertext at any level in the modulus switching
#chain.
decryptor.decrypt(encrypted, plain)
print(" + Decryption of the 8th power (hexadecimal) ...... Correct.")
print(" {}".format(plain.to_string()))
#In BFV modulus switching is not necessary and in some cases the user might
#not want to create the modulus switching chain, except for the highest two
#levels. This can be done by passing a bool `false' to SEALContext::Create.
context = SEALContext.Create(parms, False)
#We can check that indeed the modulus switching chain has been created only
#for the highest two levels (key level and highest data level). The following
#loop should execute only once.
print("Optionally disable modulus switching chain expansion.")
print("Print the modulus switching chain.")
print("---->")
context_data = context.key_context_data()
while (context_data):
print(" Level (chain index): {}".format(context_data.chain_index()))
print(" parms_id: {}".format(list2hex(context_data.parms_id())))
print("coeff_modulus primes:", end=' ')
for prime in context_data.parms().coeff_modulus():
print(hex(prime.value()), end=' ')
print("")
print("\\")
print(" \\-->")
context_data = context_data.next_context_data()
print(" End of chain reached")
class FheBuilder(object):
secret_key = None
public_key = None
galois_keys = None
encryptor = None
decryptor = None
def __init__(self, modulus, degree):
self.modulus = modulus
self.degree = degree
self.acceptable_degree = [1024, 2048, 4096, 8192, 16384]
if self.degree not in self.acceptable_degree:
raise Exception(f"Get {self.degree}, but expect degree {self.acceptable_degree}")
self.parms = EncryptionParameters(scheme_type.BFV)
self.parms.set_poly_modulus_degree(self.degree)
self.parms.set_coeff_modulus(CoeffModulus.BFVDefault(self.degree))
# self.parms.set_coeff_modulus(CoeffModulus.Create(self.degree, [60]))
self.parms.set_plain_modulus(self.modulus)
# print(self.parms.coeff_modulus()[0].value())
self.context = SEALContext.Create(self.parms)
self.keygen = KeyGenerator(self.context)
self.evaluator = Evaluator(self.context)
self.batch_encoder = BatchEncoder(self.context)
def generate_keys(self):
self.secret_key = self.keygen.secret_key()
self.public_key = self.keygen.public_key()
self.encryptor = Encryptor(self.context, self.public_key)
self.decryptor = Decryptor(self.context, self.secret_key)
def generate_galois_keys(self):
self.galois_keys = self.keygen.galois_keys()
def get_public_key_buffer(self) -> torch.Tensor:
if self.public_key is None:
self.public_key = self.keygen.public_key()
return torch_from_buffer(self.public_key)
def build_from_loaded_public_key(self):
self.encryptor = Encryptor(self.context, self.public_key)
def get_secret_key_buffer(self) -> torch.Tensor:
if self.secret_key is None:
self.secret_key = self.keygen.secret_key()
return torch_from_buffer(self.secret_key)
def build_from_loaded_secret_key(self):
self.decryptor = Decryptor(self.context, self.secret_key)
def build_enc(self, num_elem, is_cheap_init=False) -> FheEncTensor:
return FheEncTensor(num_elem, self.modulus, self.degree,
self.context, self.evaluator, self.batch_encoder, self.encryptor,
is_cheap_init=is_cheap_init)
def build_enc_from_torch(self, torch_tensor) -> FheEncTensor:
res = self.build_enc(get_prod(torch_tensor.size()))
res.encrypt_additive(torch_tensor)
return res
def build_plain(self, num_elem) -> FhePlainTensor:
return FhePlainTensor(num_elem, self.modulus, self.degree, self.context, self.evaluator, self.batch_encoder)
def build_plain_from_torch(self, torch_tensor) -> FhePlainTensor:
res = self.build_plain(get_prod(torch_tensor.size()))
res.load_from_torch(torch_tensor)
return res
def decrypt_to_torch(self, fhe_enc_tensor: FheEncTensor, dst=None, to="gpu") -> torch.Tensor:
def sub_decrypt(enc):
return enc.decrypt(self.decryptor, dst=dst, to=to)
if isinstance(fhe_enc_tensor, FheEncTensor):
return sub_decrypt(fhe_enc_tensor)
elif isinstance(fhe_enc_tensor, list):
return torch.stack(list(map(sub_decrypt, fhe_enc_tensor)))
else:
raise Exception(f"Unexpected type of fhe_enc_tensor: {fhe_enc_tensor}")
def noise_budget(self, fhe_enc_tensor: FheEncTensor, name=None):
noise_bits = self.decryptor.invariant_noise_budget(fhe_enc_tensor.cts[0])
if name is not None:
print(f"{name} noise budget {noise_bits} bits")
return noise_bits
