def example_rotation_ckks(): print("Example: Rotation / Rotation in CKKS"); #Rotations in the CKKS scheme work very similarly to rotations in BFV. parms = EncryptionParameters(scheme_type.CKKS) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.Create( poly_modulus_degree, IntVector([40, 40, 40, 40, 40]))) context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() gal_keys = keygen.galois_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) ckks_encoder = CKKSEncoder(context) slot_count = ckks_encoder.slot_count() print("Number of slots: {}".format(slot_count)) step_size = 1.0 / (slot_count - 1) input = DoubleVector(list(map(lambda x: x*step_size, range(0, slot_count)))) print_vector(input) scale = 2.0**50 print("Encode and encrypt.") plain = Plaintext() ckks_encoder.encode(input, scale, plain) encrypted = Ciphertext() encryptor.encrypt(plain, encrypted) rotated = Ciphertext() print("Rotate 2 steps left.") evaluator.rotate_vector(encrypted, 2, gal_keys, rotated) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(rotated, plain) result = DoubleVector() ckks_encoder.decode(plain, result) print_vector(result)
def with_env(cls): parms = EncryptionParameters(scheme_type.CKKS) parms.set_poly_modulus_degree(POLY_MODULUS_DEGREE) parms.set_coeff_modulus( CoeffModulus.Create(POLY_MODULUS_DEGREE, PRIME_SIZE_LIST)) context = SEALContext.Create(parms) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() galois_keys = keygen.galois_keys() return cls(context=context, public_key=public_key, secret_key=secret_key, relin_keys=relin_keys, galois_keys=galois_keys, poly_modulus_degree=POLY_MODULUS_DEGREE, scale=SCALE)
def example_rotation_bfv(): print("Example: Rotation / Rotation in BFV") parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree)) parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20)) context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) batch_encoder = BatchEncoder(context) slot_count = batch_encoder.slot_count() row_size = int(slot_count / 2) print("Plaintext matrix row size: {}".format(row_size)) pod_matrix = UInt64Vector([0]*slot_count) pod_matrix[0] = 0 pod_matrix[1] = 1 pod_matrix[2] = 2 pod_matrix[3] = 3 pod_matrix[row_size] = 4 pod_matrix[row_size + 1] = 5 pod_matrix[row_size + 2] = 6 pod_matrix[row_size + 3] = 7 print("Input plaintext matrix:") print_matrix(pod_matrix, row_size) #First we use BatchEncoder to encode the matrix into a plaintext. We encrypt #the plaintext as usual. plain_matrix = Plaintext() print("Encode and encrypt.") batch_encoder.encode(pod_matrix, plain_matrix) encrypted_matrix = Ciphertext() encryptor.encrypt(plain_matrix, encrypted_matrix) print(" + Noise budget in fresh encryption: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) #Rotations require yet another type of special key called `Galois keys'. These #are easily obtained from the KeyGenerator. gal_keys = keygen.galois_keys() #Now rotate both matrix rows 3 steps to the left, decrypt, decode, and print. print("Rotate rows 3 steps left.") evaluator.rotate_rows_inplace(encrypted_matrix, 3, gal_keys) plain_result = Plaintext() print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size) #We can also rotate the columns, i.e., swap the rows. print("Rotate columns.") evaluator.rotate_columns_inplace(encrypted_matrix, gal_keys) print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size) #Finally, we rotate the rows 4 steps to the right, decrypt, decode, and print. print("Rotate rows 4 steps right.") evaluator.rotate_rows_inplace(encrypted_matrix, -4, gal_keys) print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size)
def example_levels(): print("Example: Levels") #In this examples we describe the concept of `levels' in BFV and CKKS and the #related objects that represent them in Microsoft SEAL. # #In Microsoft SEAL a set of encryption parameters (excluding the random number #generator) is identified uniquely by a 256-bit hash of the parameters. This #hash is called the `parms_id' and can be easily accessed and printed at any #time. The hash will change as soon as any of the parameters is changed. # #When a SEALContext is created from a given EncryptionParameters instance, #Microsoft SEAL automatically creates a so-called `modulus switching chain', #which is a chain of other encryption parameters derived from the original set. #The parameters in the modulus switching chain are the same as the original #parameters with the exception that size of the coefficient modulus is #decreasing going down the chain. More precisely, each parameter set in the #chain attempts to remove the last coefficient modulus prime from the #previous set; this continues until the parameter set is no longer valid #(e.g., plain_modulus is larger than the remaining coeff_modulus). It is easy #to walk through the chain and access all the parameter sets. Additionally, #each parameter set in the chain has a `chain index' that indicates its #position in the chain so that the last set has index 0. We say that a set #of encryption parameters, or an object carrying those encryption parameters, #is at a higher level in the chain than another set of parameters if its the #chain index is bigger, i.e., it is earlier in the chain. # #Each set of parameters in the chain involves unique pre-computations performed #when the SEALContext is created, and stored in a SEALContext::ContextData #object. The chain is basically a linked list of SEALContext::ContextData #objects, and can easily be accessed through the SEALContext at any time. Each #node can be identified by the parms_id of its specific encryption parameters #(poly_modulus_degree remains the same but coeff_modulus varies). parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) #In this example we use a custom coeff_modulus, consisting of 5 primes of #sizes 50, 30, 30, 50, and 50 bits. Note that this is still OK according to #the explanation in `1_bfv_basics.cpp'. Indeed, # # CoeffModulus::MaxBitCount(poly_modulus_degree) # #returns 218 (greater than 50+30+30+50+50=210). # #Due to the modulus switching chain, the order of the 5 primes is significant. #The last prime has a special meaning and we call it the `special prime'. Thus, #the first parameter set in the modulus switching chain is the only one that #involves the special prime. All key objects, such as SecretKey, are created #at this highest level. All data objects, such as Ciphertext, can be only at #lower levels. The special prime should be as large as the largest of the #other primes in the coeff_modulus, although this is not a strict requirement. # # special prime +---------+ # | # v #coeff_modulus: { 50, 30, 30, 50, 50 } +---+ Level 4 (all keys; `key level') # | # | # coeff_modulus: { 50, 30, 30, 50 } +---+ Level 3 (highest `data level') # | # | # coeff_modulus: { 50, 30, 30 } +---+ Level 2 # | # | # coeff_modulus: { 50, 30 } +---+ Level 1 # | # | # coeff_modulus: { 50 } +---+ Level 0 (lowest level) parms.set_coeff_modulus( CoeffModulus.Create(poly_modulus_degree, IntVector([50, 30, 30, 50, 50]))) #In this example the plain_modulus does not play much of a role; we choose #some reasonable value. parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20)) context = SEALContext.Create(parms) print_parameters(context) #There are convenience method for accessing the SEALContext::ContextData for #some of the most important levels: # # SEALContext::key_context_data(): access to key level ContextData # SEALContext::first_context_data(): access to highest data level ContextData # SEALContext::last_context_data(): access to lowest level ContextData # #We iterate over the chain and print the parms_id for each set of parameters. print("Print the modulus switching chain.") #First print the key level parameter information. context_data = context.key_context_data() print("----> Level (chain index): {} ...... key_context_data()".format( context_data.chain_index())) print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") #Next iterate over the remaining (data) levels. context_data = context.first_context_data() while (context_data): print(" Level (chain index): {} ".format(context_data.chain_index()), end='') if context_data.parms_id() == context.first_parms_id(): print(" ...... first_context_data()") elif context_data.parms_id() == context.last_parms_id(): print(" ...... last_context_data()") else: print("") print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") #Step forward in the chain. context_data = context_data.next_context_data() print(" End of chain reached") #We create some keys and check that indeed they appear at the highest level. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() galois_keys = keygen.galois_keys() print("Print the parameter IDs of generated elements.") print(" + public_key: {}".format(list2hex(public_key.parms_id()))) print(" + secret_key: {}".format(list2hex(secret_key.parms_id()))) print(" + relin_keys: {}".format(list2hex(relin_keys.parms_id()))) print(" + galois_keys: {}".format(list2hex(galois_keys.parms_id()))) encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) #In the BFV scheme plaintexts do not carry a parms_id, but ciphertexts do. Note #how the freshly encrypted ciphertext is at the highest data level. plain = Plaintext("1x^3 + 2x^2 + 3x^1 + 4") encrypted = Ciphertext() encryptor.encrypt(plain, encrypted) print(" + plain: {} (not set in BFV)".format( list2hex(plain.parms_id()))) print(" + encrypted: {}".format(list2hex(encrypted.parms_id()))) #`Modulus switching' is a technique of changing the ciphertext parameters down #in the chain. The function Evaluator::mod_switch_to_next always switches to #the next level down the chain, whereas Evaluator::mod_switch_to switches to #a parameter set down the chain corresponding to a given parms_id. However, it #is impossible to switch up in the chain. print("Perform modulus switching on encrypted and print.") context_data = context.first_context_data() print("---->") while (context_data.next_context_data()): print(" Level (chain index): {} ".format(context_data.chain_index())) print(" parms_id of encrypted: {}".format( list2hex(encrypted.parms_id()))) print(" Noise budget at this level: {} bits".format( decryptor.invariant_noise_budget(encrypted))) print("\\") print(" \\-->") evaluator.mod_switch_to_next_inplace(encrypted) context_data = context_data.next_context_data() print(" Level (chain index): {}".format(context_data.chain_index())) print(" parms_id of encrypted: {}".format(encrypted.parms_id())) print(" Noise budget at this level: {} bits".format( decryptor.invariant_noise_budget(encrypted))) print("\\") print(" \\-->") print(" End of chain reached") #At this point it is hard to see any benefit in doing this: we lost a huge #amount of noise budget (i.e., computational power) at each switch and seemed #to get nothing in return. Decryption still works. print("Decrypt still works after modulus switching.") decryptor.decrypt(encrypted, plain) print(" + Decryption of encrypted: {} ...... Correct.".format( plain.to_string())) #However, there is a hidden benefit: the size of the ciphertext depends #linearly on the number of primes in the coefficient modulus. Thus, if there #is no need or intention to perform any further computations on a given #ciphertext, we might as well switch it down to the smallest (last) set of #parameters in the chain before sending it back to the secret key holder for #decryption. # #Also the lost noise budget is actually not an issue at all, if we do things #right, as we will see below. # #First we recreate the original ciphertext and perform some computations. print("Computation is more efficient with modulus switching.") print("Compute the 8th power.") encryptor.encrypt(plain, encrypted) print(" + Noise budget fresh: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 2nd power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 4th power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #Surprisingly, in this case modulus switching has no effect at all on the #noise budget. evaluator.mod_switch_to_next_inplace(encrypted) print(" + Noise budget after modulus switching: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #This means that there is no harm at all in dropping some of the coefficient #modulus after doing enough computations. In some cases one might want to #switch to a lower level slightly earlier, actually sacrificing some of the #noise budget in the process, to gain computational performance from having #smaller parameters. We see from the print-out that the next modulus switch #should be done ideally when the noise budget is down to around 25 bits. evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 8th power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.mod_switch_to_next_inplace(encrypted) print(" + Noise budget after modulus switching: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #At this point the ciphertext still decrypts correctly, has very small size, #and the computation was as efficient as possible. Note that the decryptor #can be used to decrypt a ciphertext at any level in the modulus switching #chain. decryptor.decrypt(encrypted, plain) print(" + Decryption of the 8th power (hexadecimal) ...... Correct.") print(" {}".format(plain.to_string())) #In BFV modulus switching is not necessary and in some cases the user might #not want to create the modulus switching chain, except for the highest two #levels. This can be done by passing a bool `false' to SEALContext::Create. context = SEALContext.Create(parms, False) #We can check that indeed the modulus switching chain has been created only #for the highest two levels (key level and highest data level). The following #loop should execute only once. print("Optionally disable modulus switching chain expansion.") print("Print the modulus switching chain.") print("---->") context_data = context.key_context_data() while (context_data): print(" Level (chain index): {}".format(context_data.chain_index())) print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") context_data = context_data.next_context_data() print(" End of chain reached")
class FheBuilder(object): secret_key = None public_key = None galois_keys = None encryptor = None decryptor = None def __init__(self, modulus, degree): self.modulus = modulus self.degree = degree self.acceptable_degree = [1024, 2048, 4096, 8192, 16384] if self.degree not in self.acceptable_degree: raise Exception(f"Get {self.degree}, but expect degree {self.acceptable_degree}") self.parms = EncryptionParameters(scheme_type.BFV) self.parms.set_poly_modulus_degree(self.degree) self.parms.set_coeff_modulus(CoeffModulus.BFVDefault(self.degree)) # self.parms.set_coeff_modulus(CoeffModulus.Create(self.degree, [60])) self.parms.set_plain_modulus(self.modulus) # print(self.parms.coeff_modulus()[0].value()) self.context = SEALContext.Create(self.parms) self.keygen = KeyGenerator(self.context) self.evaluator = Evaluator(self.context) self.batch_encoder = BatchEncoder(self.context) def generate_keys(self): self.secret_key = self.keygen.secret_key() self.public_key = self.keygen.public_key() self.encryptor = Encryptor(self.context, self.public_key) self.decryptor = Decryptor(self.context, self.secret_key) def generate_galois_keys(self): self.galois_keys = self.keygen.galois_keys() def get_public_key_buffer(self) -> torch.Tensor: if self.public_key is None: self.public_key = self.keygen.public_key() return torch_from_buffer(self.public_key) def build_from_loaded_public_key(self): self.encryptor = Encryptor(self.context, self.public_key) def get_secret_key_buffer(self) -> torch.Tensor: if self.secret_key is None: self.secret_key = self.keygen.secret_key() return torch_from_buffer(self.secret_key) def build_from_loaded_secret_key(self): self.decryptor = Decryptor(self.context, self.secret_key) def build_enc(self, num_elem, is_cheap_init=False) -> FheEncTensor: return FheEncTensor(num_elem, self.modulus, self.degree, self.context, self.evaluator, self.batch_encoder, self.encryptor, is_cheap_init=is_cheap_init) def build_enc_from_torch(self, torch_tensor) -> FheEncTensor: res = self.build_enc(get_prod(torch_tensor.size())) res.encrypt_additive(torch_tensor) return res def build_plain(self, num_elem) -> FhePlainTensor: return FhePlainTensor(num_elem, self.modulus, self.degree, self.context, self.evaluator, self.batch_encoder) def build_plain_from_torch(self, torch_tensor) -> FhePlainTensor: res = self.build_plain(get_prod(torch_tensor.size())) res.load_from_torch(torch_tensor) return res def decrypt_to_torch(self, fhe_enc_tensor: FheEncTensor, dst=None, to="gpu") -> torch.Tensor: def sub_decrypt(enc): return enc.decrypt(self.decryptor, dst=dst, to=to) if isinstance(fhe_enc_tensor, FheEncTensor): return sub_decrypt(fhe_enc_tensor) elif isinstance(fhe_enc_tensor, list): return torch.stack(list(map(sub_decrypt, fhe_enc_tensor))) else: raise Exception(f"Unexpected type of fhe_enc_tensor: {fhe_enc_tensor}") def noise_budget(self, fhe_enc_tensor: FheEncTensor, name=None): noise_bits = self.decryptor.invariant_noise_budget(fhe_enc_tensor.cts[0]) if name is not None: print(f"{name} noise budget {noise_bits} bits") return noise_bits