def test2(): img_path = '00001.jpg' img = cv2.imread(img_path, cv2.IMREAD_GRAYSCALE) print("Original image dimensions {}".format(img.shape)) sift = cv2.xfeatures2d.SIFT_create() (kps, desc) = sift.detectAndCompute(img, None) desc = preprocessing.normalize(np.array( desc.flatten()[:DESC_SIZE]).reshape(1, DESC_SIZE), norm='l2') descriptor_vec1 = desc descriptor_vec2 = descriptor_vec1 context = config() public_key, secret_key = keygen(context) encoder = IntegerEncoder(context.plain_modulus()) encryptor = Encryptor(context, public_key) crtbuilder = PolyCRTBuilder(context) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) slot_count = (int)(crtbuilder.slot_count()) print("slot count {}".format(slot_count)) print("Plaintext shape", descriptor_vec1.shape) plain_matrix = decompose_plain(slot_count, descriptor_vec1, crtbuilder) for i in range(10000): encrypted_matrix = Ciphertext() print("Encrypting: ") time_start = time.time() encryptor.encrypt(plain_matrix, encrypted_matrix) time_end = time.time() print("Done in time {}".format((str)(1000 * (time_end - time_start)))) print("Square:") time_start = time.time() evaluator.square(encrypted_matrix) time_end = time.time() print("Square is done in {} miliseconds".format( (str)(1000 * (time_end - time_start)))) plain_result = Plaintext() print("Decryption plain: ") time_start = time.time() decryptor.decrypt(encrypted_matrix, plain_result) time_end = time.time() print("Decryption is done in {} miliseconds".format( (str)(1000 * (time_end - time_start)))) # print("Plaintext polynomial: {}".format(plain_result.to_string())) # print("Decoded integer: {}".format(encoder.decode_int32(plain_result))) print("Noise budget {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix)))
def example_rotation_ckks(): print("Example: Rotation / Rotation in CKKS"); #Rotations in the CKKS scheme work very similarly to rotations in BFV. parms = EncryptionParameters(scheme_type.CKKS) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.Create( poly_modulus_degree, IntVector([40, 40, 40, 40, 40]))) context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() gal_keys = keygen.galois_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) ckks_encoder = CKKSEncoder(context) slot_count = ckks_encoder.slot_count() print("Number of slots: {}".format(slot_count)) step_size = 1.0 / (slot_count - 1) input = DoubleVector(list(map(lambda x: x*step_size, range(0, slot_count)))) print_vector(input) scale = 2.0**50 print("Encode and encrypt.") plain = Plaintext() ckks_encoder.encode(input, scale, plain) encrypted = Ciphertext() encryptor.encrypt(plain, encrypted) rotated = Ciphertext() print("Rotate 2 steps left.") evaluator.rotate_vector(encrypted, 2, gal_keys, rotated) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(rotated, plain) result = DoubleVector() ckks_encoder.decode(plain, result) print_vector(result)
class FractionalDecryptorUtils: def __init__(self, context): """ Class providing decryption operation :param context: Context initialising HE parameters """ self.context = context.context self.secret_key = context.secret_key self.decryptor = Decryptor(self.context, self.secret_key) self.encoder = FractionalEncoder(self.context.plain_modulus(), self.context.poly_modulus(), 64, 32, 3) self.evaluator = context.evaluator def decrypt(self, encrypted_res): plain_result = Plaintext() self.decryptor.decrypt(encrypted_res, plain_result) result = self.encoder.decode(plain_result) return result
def decryptMatrix(cm): r, c = len(cm), len(cm[0]) m = [[0] * c for i in range(r)] decryptor = Decryptor(context, secret_key) plain_result = Plaintext() for i in range(r): for j in range(c): decryptor.decrypt(cm[i][j], plain_result) m[i][j] = encoder.decode(plain_result) return m # m1 = [[1,3,2],[4,3,1]] # m2 = [[2,2,1]] # cm1, cm2 = encryptMatrix(m1), encryptMatrix(m2) # cm = matrixProduct(cm1, cm2) # print(decryptMatrix(cm)) # need to multiply encrypted matrix by encrypted vector
def do_per_amount(amount, subtract_from=15): """ Called on every message in the stream """ print("Transaction amount ", amount) parms = EncryptionParameters() parms.set_poly_modulus("1x^2048 + 1") parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) parms.set_plain_modulus(1 << 8) context = SEALContext(parms) # Encode encoder = FractionalEncoder(context.plain_modulus(), context.poly_modulus(), 64, 32, 3) # To create a fresh pair of keys one can call KeyGenerator::generate() at any time. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() encryptor = Encryptor(context, public_key) plain1 = encoder.encode(amount) encoded2 = encoder.encode(subtract_from) # Encrypt encrypted1 = Ciphertext(parms) encryptor.encrypt(plain1, encrypted1) # Evaluate evaluator = Evaluator(context) evaluated = evaluate_subtraction_from_plain(evaluator, encrypted1, encoded2) # Decrypt and decode decryptor = Decryptor(context, secret_key) plain_result = Plaintext() decryptor.decrypt(evaluated, plain_result) result = encoder.decode(plain_result) str_result = "Amount left = " + str(result) print(str_result) return str_result
def encryption(value): # IntegerEncoder with base 2 encoder = IntegerEncoder(context.plain_modulus()) # generate public/private keys keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() # encrypts public key encryptor = Encryptor(context, public_key) # perform computations on ciphertexts evaluator = Evaluator(context) # decrypts secret key decryptor = Decryptor(context, secret_key) # perform encryptions plaintext = encoder.encode(value) # convert into encrypted ciphertext encrypt = Ciphertext() encryptor.encrypt(plaintext, encrypt) print("Encryption successful!") print("Encrypted ciphertext: " + (str)(value) + " as " + plaintext.to_string()) # noise budget of fresh encryptions print("Noise budget: " + (str)(decryptor.invariant_noise_budget(encrypt)) + " bits") # decrypts result result = Plaintext() decryptor.decrypt(encrypt, result) print("Decryption successful!") print("Plaintext: " + result.to_string()) # decode for original integer print("Original node: " + (str)(encoder.decode_int32(result)) + "\n")
def example_rotation_bfv(): print("Example: Rotation / Rotation in BFV") parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree)) parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20)) context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) batch_encoder = BatchEncoder(context) slot_count = batch_encoder.slot_count() row_size = int(slot_count / 2) print("Plaintext matrix row size: {}".format(row_size)) pod_matrix = UInt64Vector([0]*slot_count) pod_matrix[0] = 0 pod_matrix[1] = 1 pod_matrix[2] = 2 pod_matrix[3] = 3 pod_matrix[row_size] = 4 pod_matrix[row_size + 1] = 5 pod_matrix[row_size + 2] = 6 pod_matrix[row_size + 3] = 7 print("Input plaintext matrix:") print_matrix(pod_matrix, row_size) #First we use BatchEncoder to encode the matrix into a plaintext. We encrypt #the plaintext as usual. plain_matrix = Plaintext() print("Encode and encrypt.") batch_encoder.encode(pod_matrix, plain_matrix) encrypted_matrix = Ciphertext() encryptor.encrypt(plain_matrix, encrypted_matrix) print(" + Noise budget in fresh encryption: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) #Rotations require yet another type of special key called `Galois keys'. These #are easily obtained from the KeyGenerator. gal_keys = keygen.galois_keys() #Now rotate both matrix rows 3 steps to the left, decrypt, decode, and print. print("Rotate rows 3 steps left.") evaluator.rotate_rows_inplace(encrypted_matrix, 3, gal_keys) plain_result = Plaintext() print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size) #We can also rotate the columns, i.e., swap the rows. print("Rotate columns.") evaluator.rotate_columns_inplace(encrypted_matrix, gal_keys) print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size) #Finally, we rotate the rows 4 steps to the right, decrypt, decode, and print. print("Rotate rows 4 steps right.") evaluator.rotate_rows_inplace(encrypted_matrix, -4, gal_keys) print(" + Noise budget after rotation: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) print(" + Decrypt and decode ...... Correct.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_matrix) print_matrix(pod_matrix, row_size)
def example_basics_ii(): print_example_banner("Example: Basics II") # In this example we explain what relinearization is, how to use it, and how # it affects noise budget consumption. # First we set the parameters, create a SEALContext, and generate the public # and secret keys. We use slightly larger parameters than be fore to be able # to do more homomorphic multiplications. parms = EncryptionParameters() parms.set_poly_modulus("1x^8192 + 1") # The default coefficient modulus consists of the following primes: # 0x7fffffffba0001, # 0x7fffffffaa0001, # 0x7fffffff7e0001, # 0x3fffffffd60001. # The total size is 219 bits. parms.set_coeff_modulus(seal.coeff_modulus_128(8192)) parms.set_plain_modulus(1 << 10) context = SEALContext(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() # We also set up an Encryptor, Evaluator, and Decryptor here. We will # encrypt polynomials directly in this example, so there is no need for # an encoder. encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) # There are actually two more types of keys in SEAL: `evaluation keys' and # `Galois keys'. Here we will discuss evaluation keys, and Galois keys will # be discussed later in example_batching(). # In SEAL, a valid ciphertext consists of two or more polynomials with # coefficients integers modulo the product of the primes in coeff_modulus. # The current size of a ciphertext can be found using Ciphertext::size(). # A freshly encrypted ciphertext always has size 2. #plain1 = Plaintext("1x^2 + 2x^1 + 3") plain1 = Plaintext("1x^2 + 2x^1 + 3") encrypted = Ciphertext() print("") print("Encrypting " + plain1.to_string() + ": ") encryptor.encrypt(plain1, encrypted) print("Done") print("Size of a fresh encryption: " + (str)(encrypted.size())) print("Noise budget in fresh encryption: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") # Homomorphic multiplication results in the output ciphertext growing in size. # More precisely, if the input ciphertexts have size M and N, then the output # ciphertext after homomorphic multiplication will have size M+N-1. In this # case we square encrypted twice to observe this growth (also observe noise # budget consumption). evaluator.square(encrypted) print("Size after squaring: " + (str)(encrypted.size())) print("Noise budget after squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") plain2 = Plaintext() decryptor.decrypt(encrypted, plain2) print("Second power: " + plain2.to_string()) evaluator.square(encrypted) print("Size after squaring: " + (str)(encrypted.size())) print("Noise budget after squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") # It does not matter that the size has grown -- decryption works as usual. # Observe from the print-out that the coefficients in the plaintext have # grown quite large. One more squaring would cause some of them to wrap # around plain_modulus (0x400), and as a result we would no longer obtain # the expected result as an integer-coefficient polynomial. We can fix this # problem to some extent by increasing plain_modulus. This would make sense, # since we still have plenty of noise budget left. plain2 = Plaintext() decryptor.decrypt(encrypted, plain2) print("Fourth power: " + plain2.to_string()) # The problem here is that homomorphic operations on large ciphertexts are # computationally much more costly than on small ciphertexts. Specifically, # homomorphic multiplication on input ciphertexts of size M and N will require # O(M*N) polynomial multiplications to be performed, and an addition will # require O(M+N) additions. Relinearization reduces the size of the ciphertexts # after multiplication back to the initial size (2). Thus, relinearizing one # or both inputs before the next multiplication, or e.g. before serializing the # ciphertexts, can have a huge positive impact on performance. # Another problem is that the noise budget consumption in multiplication is # bigger when the input ciphertexts sizes are bigger. In a complicated # computation the contribution of the sizes to the noise budget consumption # can actually become the dominant term. We will point this out again below # once we get to our example. # Relinearization itself has both a computational cost and a noise budget cost. # These both depend on a parameter called `decomposition bit count', which can # be any integer at least 1 [dbc_min()] and at most 60 [dbc_max()]. A large # decomposition bit count makes relinearization fast, but consumes more noise # budget. A small decomposition bit count can make relinearization slower, but # might not change the noise budget by any observable amount. # Relinearization requires a special type of key called `evaluation keys'. # These can be created by the KeyGenerator for any decomposition bit count. # To relinearize a ciphertext of size M >= 2 back to size 2, we actually need # M-2 evaluation keys. Attempting to relinearize a too large ciphertext with # too few evaluation keys will result in an exception being thrown. # We repeat our computation, but this time relinearize after both squarings. # Since our ciphertext never grows past size 3 (we relinearize after every # multiplication), it suffices to generate only one evaluation key. # First, we need to create evaluation keys. We use a decomposition bit count # of 16 here, which can be thought of as quite small. ev_keys16 = EvaluationKeys() # This function generates one single evaluation key. Another overload takes # the number of keys to be generated as an argument, but one is all we need # in this example (see above). keygen.generate_evaluation_keys(16, ev_keys16) print("") print("Encrypting " + plain1.to_string() + ": ") encryptor.encrypt(plain1, encrypted) print("Done") print("Size of a fresh encryption: " + (str)(encrypted.size())) print("Noise budget in fresh encryption: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.square(encrypted) print("Size after squaring: " + (str)(encrypted.size())) print("Noise budget after squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.relinearize(encrypted, ev_keys16) print("Size after relinearization: " + (str)(encrypted.size())) print("Noise budget after relinearizing (dbs = " + (str)(ev_keys16.decomposition_bit_count()) + "): " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.square(encrypted) print("Size after second squaring: " + (str)(encrypted.size()) + " bits") print("Noise budget after second squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.relinearize(encrypted, ev_keys16) print("Size after relinearization: " + (str)(encrypted.size())) print("Noise budget after relinearizing (dbs = " + (str)(ev_keys16.decomposition_bit_count()) + "): " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") decryptor.decrypt(encrypted, plain2) print("Fourth power: " + plain2.to_string()) # Of course the result is still the same, but this time we actually # used less of our noise budget. This is not surprising for two reasons: # - We used a very small decomposition bit count, which is why # relinearization itself did not consume the noise budget by any # observable amount; # - Since our ciphertext sizes remain small throughout the two # squarings, the noise budget consumption rate in multiplication # remains as small as possible. Recall from above that operations # on larger ciphertexts actually cause more noise growth. # To make matters even more clear, we repeat the computation a third time, # now using the largest possible decomposition bit count (60). We are not # measuring the time here, but relinearization with these evaluation keys # is significantly faster than with ev_keys16. ev_keys60 = EvaluationKeys() keygen.generate_evaluation_keys(seal.dbc_max(), ev_keys60) print("") print("Encrypting " + plain1.to_string() + ": ") encryptor.encrypt(plain1, encrypted) print("Done") print("Size of a fresh encryption: " + (str)(encrypted.size())) print("Noise budget in fresh encryption: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.square(encrypted) print("Size after squaring: " + (str)(encrypted.size())) print("Noise budget after squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.relinearize(encrypted, ev_keys60) print("Size after relinearization: " + (str)(encrypted.size())) print("Noise budget after relinearizing (dbc = " + (str)(ev_keys60.decomposition_bit_count()) + "): " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.square(encrypted) print("Size after second squaring: " + (str)(encrypted.size())) print("Noise budget after second squaring: " + (str)(decryptor.invariant_noise_budget) + " bits") evaluator.relinearize(encrypted, ev_keys60) print("Size after relinearization: " + (str)(encrypted.size())) print("Noise budget after relinearizing (dbc = " + (str)(ev_keys60.decomposition_bit_count()) + "): " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") decryptor.decrypt(encrypted, plain2) print("Fourth power: " + plain2.to_string()) # Observe from the print-out that we have now used significantly more of our # noise budget than in the two previous runs. This is again not surprising, # since the first relinearization chops off a huge part of the noise budget. # However, note that the second relinearization does not change the noise # budget by any observable amount. This is very important to understand when # optimal performance is desired: relinearization always drops the noise # budget from the maximum (freshly encrypted ciphertext) down to a fixed # amount depending on the encryption parameters and the decomposition bit # count. On the other hand, homomorphic multiplication always consumes the # noise budget from its current level. This is why the second relinearization # does not change the noise budget anymore: it is already consumed past the # fixed amount determinted by the decomposition bit count and the encryption # parameters. # We now perform a third squaring and observe an even further compounded # decrease in the noise budget. Again, relinearization does not consume the # noise budget at this point by any observable amount, even with the largest # possible decomposition bit count. evaluator.square(encrypted) print("Size after third squaring " + (str)(encrypted.size())) print("Noise budget after third squaring: " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") evaluator.relinearize(encrypted, ev_keys60) print("Size after relinearization: " + (str)(encrypted.size())) print("Noise budget after relinearizing (dbc = " + (str)(ev_keys60.decomposition_bit_count()) + "): " + (str)(decryptor.invariant_noise_budget(encrypted)) + " bits") decryptor.decrypt(encrypted, plain2) print("Eighth power: " + plain2.to_string())
def example_basics_i(): print_example_banner("Example: Basics I") # In this example we demonstrate setting up encryption parameters and other # relevant objects for performing simple computations on encrypted integers. # SEAL uses the Fan-Vercauteren (FV) homomorphic encryption scheme. We refer to # https://eprint.iacr.org/2012/144 for full details on how the FV scheme works. # For better performance, SEAL implements the "FullRNS" optimization of FV, as # described in https://eprint.iacr.org/2016/510. # The first task is to set up an instance of the EncryptionParameters class. # It is critical to understand how these different parameters behave, how they # affect the encryption scheme, performance, and the security level. There are # three encryption parameters that are necessary to set: # - poly_modulus (polynomial modulus); # - coeff_modulus ([ciphertext] coefficient modulus); # - plain_modulus (plaintext modulus). # A fourth parameter -- noise_standard_deviation -- has a default value of 3.19 # and should not be necessary to modify unless the user has a specific reason # to and knows what they are doing. # The encryption scheme implemented in SEAL cannot perform arbitrary computations # on encrypted data. Instead, each ciphertext has a specific quantity called the # `invariant noise budget' -- or `noise budget' for short -- measured in bits. # The noise budget of a freshly encrypted ciphertext (initial noise budget) is # determined by the encryption parameters. Homomorphic operations consume the # noise budget at a rate also determined by the encryption parameters. In SEAL # the two basic homomorphic operations are additions and multiplications, of # which additions can generally be thought of as being nearly free in terms of # noise budget consumption compared to multiplications. Since noise budget # consumption is compounding in sequential multiplications, the most significant # factor in choosing appropriate encryption parameters is the multiplicative # depth of the arithmetic circuit that needs to be evaluated. Once the noise # budget in a ciphertext reaches zero, it becomes too corrupted to be decrypted. # Thus, it is essential to choose the parameters to be large enough to support # the desired computation; otherwise the result is impossible to make sense of # even with the secret key. parms = EncryptionParameters() # We first set the polynomial modulus. This must be a power-of-2 cyclotomic # polynomial, i.e. a polynomial of the form "1x^(power-of-2) + 1". The polynomial # modulus should be thought of mainly affecting the security level of the scheme; # larger polynomial modulus makes the scheme more secure. At the same time, it # makes ciphertext sizes larger, and consequently all operations slower. # Recommended degrees for poly_modulus are 1024, 2048, 4096, 8192, 16384, 32768, # but it is also possible to go beyond this. Since we perform only a very small # computation in this example, it suffices to use a very small polynomial modulus parms.set_poly_modulus("1x^2048 + 1") # Next we choose the [ciphertext] coefficient modulus (coeff_modulus). The size # of the coefficient modulus should be thought of as the most significant factor # in determining the noise budget in a freshly encrypted ciphertext: bigger means # more noise budget. Unfortunately, a larger coefficient modulus also lowers the # security level of the scheme. Thus, if a large noise budget is required for # complicated computations, a large coefficient modulus needs to be used, and the # reduction in the security level must be countered by simultaneously increasing # the polynomial modulus. # To make parameter selection easier for the user, we have constructed sets of # largest allowed coefficient moduli for 128-bit and 192-bit security levels # for different choices of the polynomial modulus. These recommended parameters # follow the Security white paper at http://HomomorphicEncryption.org. However, # due to the complexity of this topic, we highly recommend the user to directly # consult an expert in homomorphic encryption and RLWE-based encryption schemes # to determine the security of their parameter choices. # Our recommended values for the coefficient modulus can be easily accessed # through the functions # coeff_modulus_128bit(int) # coeff_modulus_192bit(int) # for 128-bit and 192-bit security levels. The integer parameter is the degree # of the polynomial modulus. # In SEAL the coefficient modulus is a positive composite number -- a product # of distinct primes of size up to 60 bits. When we talk about the size of the # coefficient modulus we mean the bit length of the product of the small primes. # The small primes are represented by instances of the SmallModulus class; for # example coeff_modulus_128bit(int) returns a vector of SmallModulus instances. # It is possible for the user to select their own small primes. Since SEAL uses # the Number Theoretic Transform (NTT) for polynomial multiplications modulo the # factors of the coefficient modulus, the factors need to be prime numbers # congruent to 1 modulo 2*degree(poly_modulus). We have generated a list of such # prime numbers of various sizes, that the user can easily access through the # functions # small_mods_60bit(int) # small_mods_50bit(int) # small_mods_40bit(int) # small_mods_30bit(int) # each of which gives access to an array of primes of the denoted size. These # primes are located in the source file util/globals.cpp. # Performance is mainly affected by the size of the polynomial modulus, and the # number of prime factors in the coefficient modulus. Thus, it is important to # use as few factors in the coefficient modulus as possible. # In this example we use the default coefficient modulus for a 128-bit security # level. Concretely, this coefficient modulus consists of only one 56-bit prime # factor: 0xfffffffff00001. parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) # The plaintext modulus can be any positive integer, even though here we take # it to be a power of two. In fact, in many cases one might instead want it to # be a prime number; we will see this in example_batching(). The plaintext # modulus determines the size of the plaintext data type, but it also affects # the noise budget in a freshly encrypted ciphertext, and the consumption of # the noise budget in homomorphic multiplication. Thus, it is essential to try # to keep the plaintext data type as small as possible for good performance. # The noise budget in a freshly encrypted ciphertext is # ~ log2(coeff_modulus/plain_modulus) (bits) # and the noise budget consumption in a homomorphic multiplication is of the # form log2(plain_modulus) + (other terms). parms.set_plain_modulus(1 << 8) # Now that all parameters are set, we are ready to construct a SEALContext # object. This is a heavy class that checks the validity and properties of # the parameters we just set, and performs and stores several important # pre-computations. context = SEALContext(parms) # Print the parameters that we have chosen print_parameters(context) # Plaintexts in the FV scheme are polynomials with coefficients integers modulo # plain_modulus. To encrypt for example integers instead, one can use an # `encoding scheme' to represent the integers as such polynomials. SEAL comes # with a few basic encoders: # [IntegerEncoder] # Given an integer base b, encodes integers as plaintext polynomials as follows. # First, a base-b expansion of the integer is computed. This expansion uses # a `balanced' set of representatives of integers modulo b as the coefficients. # Namely, when b is odd the coefficients are integers between -(b-1)/2 and # (b-1)/2. When b is even, the integers are between -b/2 and (b-1)/2, except # when b is two and the usual binary expansion is used (coefficients 0 and 1). # Decoding amounts to evaluating the polynomial at x=b. For example, if b=2, # the integer # 26 = 2^4 + 2^3 + 2^1 # is encoded as the polynomial 1x^4 + 1x^3 + 1x^1. When b=3, # 26 = 3^3 - 3^0 # is encoded as the polynomial 1x^3 - 1. In memory polynomial coefficients are # always stored as unsigned integers by storing their smallest non-negative # representatives modulo plain_modulus. To create a base-b integer encoder, # use the constructor IntegerEncoder(plain_modulus, b). If no b is given, b=2 # is used. # [FractionalEncoder] # The FractionalEncoder encodes fixed-precision rational numbers as follows. # It expands the number in a given base b, possibly truncating an infinite # fractional part to finite precision, e.g. # 26.75 = 2^4 + 2^3 + 2^1 + 2^(-1) + 2^(-2) # when b=2. For the sake of the example, suppose poly_modulus is 1x^1024 + 1. # It then represents the integer part of the number in the same way as in # IntegerEncoder (with b=2 here), and moves the fractional part instead to the # highest degree part of the polynomial, but with signs of the coefficients # changed. In this example we would represent 26.75 as the polynomial # -1x^1023 - 1x^1022 + 1x^4 + 1x^3 + 1x^1. # In memory the negative coefficients of the polynomial will be represented as # their negatives modulo plain_modulus. # [PolyCRTBuilder] # If plain_modulus is a prime congruent to 1 modulo 2*degree(poly_modulus), the # plaintext elements can be viewed as 2-by-(degree(poly_modulus) / 2) matrices # with elements integers modulo plain_modulus. When a desired computation can be # vectorized, using PolyCRTBuilder can result in massive performance improvements # over naively encrypting and operating on each input number separately. Thus, # in more complicated computations this is likely to be by far the most important # and useful encoder. In example_batching() we show how to use and operate on # encrypted matrix plaintexts. # For performance reasons, in homomorphic encryption one typically wants to keep # the plaintext data types as small as possible, which can make it challenging to # prevent data type overflow in more complicated computations, especially when # operating on rational numbers that have been scaled to integers. When using # PolyCRTBuilder estimating whether an overflow occurs is a fairly standard task, # as the matrix slots are integers modulo plain_modulus, and each slot is operated # on independently of the others. When using IntegerEncoder or FractionalEncoder # it is substantially more difficult to estimate when an overflow occurs in the # plaintext, and choosing the plaintext modulus very carefully to be large enough # is critical to avoid unexpected results. Specifically, one needs to estimate how # large the largest coefficient in the polynomial view of all of the plaintext # elements becomes, and choose the plaintext modulus to be larger than this value. # SEAL comes with an automatic parameter selection tool that can help with this # task, as is demonstrated in example_parameter_selection(). # Here we choose to create an IntegerEncoder with base b=2. encoder = IntegerEncoder(context.plain_modulus()) # We are now ready to generate the secret and public keys. For this purpose we need # an instance of the KeyGenerator class. Constructing a KeyGenerator automatically # generates the public and secret key, which can then be read to local variables. # To create a fresh pair of keys one can call KeyGenerator::generate() at any time. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() # To be able to encrypt, we need to construct an instance of Encryptor. Note that # the Encryptor only requires the public key. encryptor = Encryptor(context, public_key) # Computations on the ciphertexts are performed with the Evaluator class. evaluator = Evaluator(context) # We will of course want to decrypt our results to verify that everything worked, # so we need to also construct an instance of Decryptor. Note that the Decryptor # requires the secret key. decryptor = Decryptor(context, secret_key) # We start by encoding two integers as plaintext polynomials. value1 = 5 plain1 = encoder.encode(value1) print("Encoded " + (str)(value1) + " as polynomial " + plain1.to_string() + " (plain1)") value2 = -7 plain2 = encoder.encode(value2) print("Encoded " + (str)(value2) + " as polynomial " + plain2.to_string() + " (plain2)") # Encrypting the values is easy. encrypted1 = Ciphertext() encrypted2 = Ciphertext() print("Encrypting plain1: ") encryptor.encrypt(plain1, encrypted1) print("Done (encrypted1)") print("Encrypting plain2: ") encryptor.encrypt(plain2, encrypted2) print("Done (encrypted2)") # To illustrate the concept of noise budget, we print the budgets in the fresh # encryptions. print("Noise budget in encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") print("Noise budget in encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted2)) + " bits") # As a simple example, we compute (-encrypted1 + encrypted2) * encrypted2. # Negation is a unary operation. evaluator.negate(encrypted1) # Negation does not consume any noise budget. print("Noise budget in -encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Addition can be done in-place (overwriting the first argument with the result, # or alternatively a three-argument overload with a separate destination variable # can be used. The in-place variants are always more efficient. Here we overwrite # encrypted1 with the sum. evaluator.add(encrypted1, encrypted2) # It is instructive to think that addition sets the noise budget to the minimum # of the input noise budgets. In this case both inputs had roughly the same # budget going on, and the output (in encrypted1) has just slightly lower budget. # Depending on probabilistic effects, the noise growth consumption may or may # not be visible when measured in whole bits. print("Noise budget in -encrypted1 + encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Finally multiply with encrypted2. Again, we use the in-place version of the # function, overwriting encrypted1 with the product. evaluator.multiply(encrypted1, encrypted2) # Multiplication consumes a lot of noise budget. This is clearly seen in the # print-out. The user can change the plain_modulus to see its effect on the # rate of noise budget consumption. print("Noise budget in (-encrypted1 + encrypted2) * encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Now we decrypt and decode our result. plain_result = Plaintext() print("Decrypting result: ") decryptor.decrypt(encrypted1, plain_result) print("Done") # Print the result plaintext polynomial. print("Plaintext polynomial: " + plain_result.to_string()) # Decode to obtain an integer result. print("Decoded integer: " + (str)(encoder.decode_int32(plain_result)))
def example_ckks_basics(): print("Example: CKKS Basics"); #In this example we demonstrate evaluating a polynomial function # # PI*x^3 + 0.4*x + 1 # #on encrypted floating-point input data x for a set of 4096 equidistant points #in the interval [0, 1]. This example demonstrates many of the main features #of the CKKS scheme, but also the challenges in using it. # # We start by setting up the CKKS scheme. parms = EncryptionParameters(scheme_type.CKKS) #We saw in `2_encoders.cpp' that multiplication in CKKS causes scales #in ciphertexts to grow. The scale of any ciphertext must not get too close #to the total size of coeff_modulus, or else the ciphertext simply runs out of #room to store the scaled-up plaintext. The CKKS scheme provides a `rescale' #functionality that can reduce the scale, and stabilize the scale expansion. # #Rescaling is a kind of modulus switch operation (recall `3_levels.cpp'). #As modulus switching, it removes the last of the primes from coeff_modulus, #but as a side-effect it scales down the ciphertext by the removed prime. #Usually we want to have perfect control over how the scales are changed, #which is why for the CKKS scheme it is more common to use carefully selected #primes for the coeff_modulus. # #More precisely, suppose that the scale in a CKKS ciphertext is S, and the #last prime in the current coeff_modulus (for the ciphertext) is P. Rescaling #to the next level changes the scale to S/P, and removes the prime P from the #coeff_modulus, as usual in modulus switching. The number of primes limits #how many rescalings can be done, and thus limits the multiplicative depth of #the computation. # #It is possible to choose the initial scale freely. One good strategy can be #to is to set the initial scale S and primes P_i in the coeff_modulus to be #very close to each other. If ciphertexts have scale S before multiplication, #they have scale S^2 after multiplication, and S^2/P_i after rescaling. If all #P_i are close to S, then S^2/P_i is close to S again. This way we stabilize the #scales to be close to S throughout the computation. Generally, for a circuit #of depth D, we need to rescale D times, i.e., we need to be able to remove D #primes from the coefficient modulus. Once we have only one prime left in the #coeff_modulus, the remaining prime must be larger than S by a few bits to #preserve the pre-decimal-point value of the plaintext. # #Therefore, a generally good strategy is to choose parameters for the CKKS #scheme as follows: # # (1) Choose a 60-bit prime as the first prime in coeff_modulus. This will # give the highest precision when decrypting; # (2) Choose another 60-bit prime as the last element of coeff_modulus, as # this will be used as the special prime and should be as large as the # largest of the other primes; # (3) Choose the intermediate primes to be close to each other. # #We use CoeffModulus::Create to generate primes of the appropriate size. Note #that our coeff_modulus is 200 bits total, which is below the bound for our #poly_modulus_degree: CoeffModulus::MaxBitCount(8192) returns 218. poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.Create( poly_modulus_degree, IntVector([60, 40, 40, 60]))) #We choose the initial scale to be 2^40. At the last level, this leaves us #60-40=20 bits of precision before the decimal point, and enough (roughly #10-20 bits) of precision after the decimal point. Since our intermediate #primes are 40 bits (in fact, they are very close to 2^40), we can achieve #scale stabilization as described above. scale = 2.0**40 context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) encoder = CKKSEncoder(context) slot_count = encoder.slot_count() print("Number of slots: {}".format(slot_count)) step_size = 1.0 / (slot_count - 1) input = DoubleVector(list(map(lambda x: x*step_size, range(0, slot_count)))) print("Input vector: ") print_vector(input) print("Evaluating polynomial PI*x^3 + 0.4x + 1 ...") #We create plaintexts for PI, 0.4, and 1 using an overload of CKKSEncoder::encode #that encodes the given floating-point value to every slot in the vector. plain_coeff3 = Plaintext() plain_coeff1 = Plaintext() plain_coeff0 = Plaintext() encoder.encode(3.14159265, scale, plain_coeff3) encoder.encode(0.4, scale, plain_coeff1) encoder.encode(1.0, scale, plain_coeff0) x_plain = Plaintext() print("Encode input vectors.") encoder.encode(input, scale, x_plain) x1_encrypted = Ciphertext() encryptor.encrypt(x_plain, x1_encrypted) #To compute x^3 we first compute x^2 and relinearize. However, the scale has #now grown to 2^80. x3_encrypted = Ciphertext() print("Compute x^2 and relinearize:") evaluator.square(x1_encrypted, x3_encrypted) evaluator.relinearize_inplace(x3_encrypted, relin_keys) print(" + Scale of x^2 before rescale: {} bits".format(log2(x3_encrypted.scale()))) #Now rescale; in addition to a modulus switch, the scale is reduced down by #a factor equal to the prime that was switched away (40-bit prime). Hence, the #new scale should be close to 2^40. Note, however, that the scale is not equal #to 2^40: this is because the 40-bit prime is only close to 2^40. print("Rescale x^2.") evaluator.rescale_to_next_inplace(x3_encrypted) print(" + Scale of x^2 after rescale: {} bits".format(log2(x3_encrypted.scale()))) #Now x3_encrypted is at a different level than x1_encrypted, which prevents us #from multiplying them to compute x^3. We could simply switch x1_encrypted to #the next parameters in the modulus switching chain. However, since we still #need to multiply the x^3 term with PI (plain_coeff3), we instead compute PI*x #first and multiply that with x^2 to obtain PI*x^3. To this end, we compute #PI*x and rescale it back from scale 2^80 to something close to 2^40. print("Compute and rescale PI*x.") x1_encrypted_coeff3 = Ciphertext() evaluator.multiply_plain(x1_encrypted, plain_coeff3, x1_encrypted_coeff3) print(" + Scale of PI*x before rescale: {} bits".format(log2(x1_encrypted_coeff3.scale()))) evaluator.rescale_to_next_inplace(x1_encrypted_coeff3) print(" + Scale of PI*x after rescale: {} bits".format(log2(x1_encrypted_coeff3.scale()))) #Since x3_encrypted and x1_encrypted_coeff3 have the same exact scale and use #the same encryption parameters, we can multiply them together. We write the #result to x3_encrypted, relinearize, and rescale. Note that again the scale #is something close to 2^40, but not exactly 2^40 due to yet another scaling #by a prime. We are down to the last level in the modulus switching chain. print("Compute, relinearize, and rescale (PI*x)*x^2.") evaluator.multiply_inplace(x3_encrypted, x1_encrypted_coeff3) evaluator.relinearize_inplace(x3_encrypted, relin_keys) print(" + Scale of PI*x^3 before rescale: {} bits".format(log2(x3_encrypted.scale()))) evaluator.rescale_to_next_inplace(x3_encrypted) print(" + Scale of PI*x^3 after rescale: {} bits".format(log2(x3_encrypted.scale()))) #Next we compute the degree one term. All this requires is one multiply_plain #with plain_coeff1. We overwrite x1_encrypted with the result. print("Compute and rescale 0.4*x.") evaluator.multiply_plain_inplace(x1_encrypted, plain_coeff1) print(" + Scale of 0.4*x before rescale: {} bits".format(log2(x1_encrypted.scale()))) evaluator.rescale_to_next_inplace(x1_encrypted) print(" + Scale of 0.4*x after rescale: {} bits".format(log2(x1_encrypted.scale()))) #Now we would hope to compute the sum of all three terms. However, there is #a serious problem: the encryption parameters used by all three terms are #different due to modulus switching from rescaling. # #Encrypted addition and subtraction require that the scales of the inputs are #the same, and also that the encryption parameters (parms_id) match. If there #is a mismatch, Evaluator will throw an exception. print("Parameters used by all three terms are different.") print(" + Modulus chain index for x3_encrypted: {}".format( context.get_context_data(x3_encrypted.parms_id()).chain_index())) print(" + Modulus chain index for x1_encrypted: {}".format( context.get_context_data(x1_encrypted.parms_id()).chain_index())) print(" + Modulus chain index for plain_coeff0: {}".format( context.get_context_data(plain_coeff0.parms_id()).chain_index())) #Let us carefully consider what the scales are at this point. We denote the #primes in coeff_modulus as P_0, P_1, P_2, P_3, in this order. P_3 is used as #the special modulus and is not involved in rescalings. After the computations #above the scales in ciphertexts are: # # - Product x^2 has scale 2^80 and is at level 2; # - Product PI*x has scale 2^80 and is at level 2; # - We rescaled both down to scale 2^80/P_2 and level 1; # - Product PI*x^3 has scale (2^80/P_2)^2; # - We rescaled it down to scale (2^80/P_2)^2/P_1 and level 0; # - Product 0.4*x has scale 2^80; # - We rescaled it down to scale 2^80/P_2 and level 1; # - The contant term 1 has scale 2^40 and is at level 2. # #Although the scales of all three terms are approximately 2^40, their exact #values are different, hence they cannot be added together. print("The exact scales of all three terms are different:") print(" + Exact scale in PI*x^3: {0:0.10f}".format(x3_encrypted.scale())) print(" + Exact scale in 0.4*x: {0:0.10f}".format(x1_encrypted.scale())) print(" + Exact scale in 1: {0:0.10f}".format(plain_coeff0.scale())) #There are many ways to fix this problem. Since P_2 and P_1 are really close #to 2^40, we can simply "lie" to Microsoft SEAL and set the scales to be the #same. For example, changing the scale of PI*x^3 to 2^40 simply means that we #scale the value of PI*x^3 by 2^120/(P_2^2*P_1), which is very close to 1. #This should not result in any noticeable error. # #Another option would be to encode 1 with scale 2^80/P_2, do a multiply_plain #with 0.4*x, and finally rescale. In this case we would need to additionally #make sure to encode 1 with appropriate encryption parameters (parms_id). # #In this example we will use the first (simplest) approach and simply change #the scale of PI*x^3 and 0.4*x to 2^40. print("Normalize scales to 2^40.") x3_encrypted.set_scale(2.0**40) x1_encrypted.set_scale(2.0**40) #We still have a problem with mismatching encryption parameters. This is easy #to fix by using traditional modulus switching (no rescaling). CKKS supports #modulus switching just like the BFV scheme, allowing us to switch away parts #of the coefficient modulus when it is simply not needed. print("Normalize encryption parameters to the lowest level.") last_parms_id = x3_encrypted.parms_id() evaluator.mod_switch_to_inplace(x1_encrypted, last_parms_id) evaluator.mod_switch_to_inplace(plain_coeff0, last_parms_id) #All three ciphertexts are now compatible and can be added. print("Compute PI*x^3 + 0.4*x + 1.") encrypted_result = Ciphertext() evaluator.add(x3_encrypted, x1_encrypted, encrypted_result) evaluator.add_plain_inplace(encrypted_result, plain_coeff0) #First print the true result. plain_result = Plaintext() print("Decrypt and decode PI*x^3 + 0.4x + 1.") print(" + Expected result:") true_result = DoubleVector(list(map(lambda x: (3.14159265 * x * x + 0.4)* x + 1, input))) print_vector(true_result) #Decrypt, decode, and print the result. decryptor.decrypt(encrypted_result, plain_result) result = DoubleVector() encoder.decode(plain_result, result) print(" + Computed result ...... Correct.") print_vector(result)
# As a simple example, we compute (-encrypted1 + encrypted2) * encrypted2. # Negation is a unary operation. evaluator.negate(encrypted1) # Negation does not consume any noise budget. print("Noise budget in -encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") evaluator.add(encrypted1, encrypted2) print("Noise budget in -encrypted1 + encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") #evaluator.multiply(encrypted1, encrypted2) #print("Noise budget in (-encrypted1 + encrypted2) * encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Now we decrypt and decode our result. plain_result = Plaintext() print("Decrypting result: ") decryptor.decrypt(encrypted1, plain_result) print("Done") # Print the result plaintext polynomial. print("Plaintext polynomial: " + plain_result.to_string()) # Decode to obtain an integer result. print("Decoded integer: " + (str)(encoder.decode_int32(plain_result)))
def dot_product(): print("Example: Weighted Average") # In this example we demonstrate the FractionalEncoder, and use it to compute # a weighted average of 10 encrypted rational numbers. In this computation we # perform homomorphic multiplications of ciphertexts by plaintexts, which is # much faster than regular multiplications of ciphertexts by ciphertexts. # Moreover, such `plain multiplications' never increase the ciphertext size, # which is why we have no need for evaluation keys in this example. # We start by creating encryption parameters, setting up the SEALContext, keys, # and other relevant objects. Since our computation has multiplicative depth of # only two, it suffices to use a small poly_modulus. parms = EncryptionParameters() parms.set_poly_modulus("1x^2048 + 1") parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) parms.set_plain_modulus(1 << 8) context = SEALContext(parms) print_parameters(context) keygen = KeyGenerator(context) keygen2 = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() secret_key2 = keygen.secret_key() # We also set up an Encryptor, Evaluator, and Decryptor here. encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key2) # Create a vector of 10 rational numbers (as doubles). # rational_numbers = [3.1, 4.159, 2.65, 3.5897, 9.3, 2.3, 8.46, 2.64, 3.383, 2.795] rational_numbers = np.random.rand(10) # Create a vector of weights. # coefficients = [0.1, 0.05, 0.05, 0.2, 0.05, 0.3, 0.1, 0.025, 0.075, 0.05] coefficients = np.random.rand(10) my_result = np.dot(rational_numbers, coefficients) # We need a FractionalEncoder to encode the rational numbers into plaintext # polynomials. In this case we decide to reserve 64 coefficients of the # polynomial for the integral part (low-degree terms) and expand the fractional # part to 32 digits of precision (in base 3) (high-degree terms). These numbers # can be changed according to the precision that is needed; note that these # choices leave a lot of unused space in the 2048-coefficient polynomials. encoder = FractionalEncoder(context.plain_modulus(), context.poly_modulus(), 64, 32, 3) # We create a vector of ciphertexts for encrypting the rational numbers. encrypted_rationals = [] rational_numbers_string = "Encoding and encrypting: " for i in range(10): # We create our Ciphertext objects into the vector by passing the # encryption parameters as an argument to the constructor. This ensures # that enough memory is allocated for a size 2 ciphertext. In this example # our ciphertexts never grow in size (plain multiplication does not cause # ciphertext growth), so we can expect the ciphertexts to remain in the same # location in memory throughout the computation. In more complicated examples # one might want to call a constructor that reserves enough memory for the # ciphertext to grow to a specified size to avoid costly memory moves when # multiplications and relinearizations are performed. encrypted_rationals.append(Ciphertext(parms)) encryptor.encrypt(encoder.encode(rational_numbers[i]), encrypted_rationals[i]) rational_numbers_string += (str)(rational_numbers[i])[:6] if i < 9: rational_numbers_string += ", " print(rational_numbers_string) # Next we encode the coefficients. There is no reason to encrypt these since they # are not private data. encoded_coefficients = [] encoded_coefficients_string = "Encoding plaintext coefficients: " encrypted_coefficients =[] for i in range(10): encoded_coefficients.append(encoder.encode(coefficients[i])) encrypted_coefficients.append(Ciphertext(parms)) encryptor.encrypt(encoded_coefficients[i], encrypted_coefficients[i]) encoded_coefficients_string += (str)(coefficients[i])[:6] if i < 9: encoded_coefficients_string += ", " print(encoded_coefficients_string) # We also need to encode 0.1. Multiplication by this plaintext will have the # effect of dividing by 10. Note that in SEAL it is impossible to divide # ciphertext by another ciphertext, but in this way division by a plaintext is # possible. div_by_ten = encoder.encode(0.1) # Now compute each multiplication. prod_result = [Ciphertext() for i in range(10)] prod_result2 = [Ciphertext() for i in range(10)] print("Computing products: ") for i in range(10): # Note how we use plain multiplication instead of usual multiplication. The # result overwrites the first argument in the function call. evaluator.multiply_plain(encrypted_rationals[i], encoded_coefficients[i], prod_result[i]) evaluator.multiply(encrypted_rationals[i], encrypted_coefficients[i], prod_result2[i]) print("Done") # To obtain the linear sum we need to still compute the sum of the ciphertexts # in encrypted_rationals. There is an easy way to add together a vector of # Ciphertexts. encrypted_result = Ciphertext() encrypted_result2 = Ciphertext() print("Adding up all 10 ciphertexts: ") evaluator.add_many(prod_result, encrypted_result) evaluator.add_many(prod_result2, encrypted_result2) print("Done") # Perform division by 10 by plain multiplication with div_by_ten. # print("Dividing by 10: ") # evaluator.multiply_plain(encrypted_result, div_by_ten) # print("Done") # How much noise budget do we have left? print("Noise budget in result: " + (str)(decryptor.invariant_noise_budget(encrypted_result)) + " bits") # Decrypt, decode, and print result. plain_result = Plaintext() plain_result2 = Plaintext() print("Decrypting result: ") decryptor.decrypt(encrypted_result, plain_result) decryptor.decrypt(encrypted_result2, plain_result2) print("Done") result = encoder.decode(plain_result) print("Weighted average: " + (str)(result)[:8]) result2 = encoder.decode(plain_result2) print("Weighted average: " + (str)(result2)[:8]) print('\n\n', my_result)
def example_batch_encoder(): print("Example: Encoders / Batch Encoder") #[BatchEncoder] (For BFV scheme only) # #Let N denote the poly_modulus_degree and T denote the plain_modulus. Batching #allows the BFV plaintext polynomials to be viewed as 2-by-(N/2) matrices, with #each element an integer modulo T. In the matrix view, encrypted operations act #element-wise on encrypted matrices, allowing the user to obtain speeds-ups of #several orders of magnitude in fully vectorizable computations. Thus, in all #but the simplest computations, batching should be the preferred method to use #with BFV, and when used properly will result in implementations outperforming #anything done with the IntegerEncoder. parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree)) #To enable batching, we need to set the plain_modulus to be a prime number #congruent to 1 modulo 2*poly_modulus_degree. Microsoft SEAL provides a helper #method for finding such a prime. In this example we create a 20-bit prime #that supports batching. parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20)) context = SEALContext.Create(parms) print_parameters(context) #We can verify that batching is indeed enabled by looking at the encryption #parameter qualifiers created by SEALContext. ##HERE qualifiers = context.qualifiers() print("Batching enabled: {}".format(qualifiers.using_batching)) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) #Batching is done through an instance of the BatchEncoder class. batch_encoder = BatchEncoder(context) #The total number of batching `slots' equals the poly_modulus_degree, N, and #these slots are organized into 2-by-(N/2) matrices that can be encrypted and #computed on. Each slot contains an integer modulo plain_modulus. slot_count = batch_encoder.slot_count() row_size = int(slot_count / 2) print("Plaintext matrix row size: {}".format(row_size)) #The matrix plaintext is simply given to BatchEncoder as a flattened vector #of numbers. The first `row_size' many numbers form the first row, and the #rest form the second row. Here we create the following matrix: # # [ 0, 1, 2, 3, 0, 0, ..., 0 ] # [ 4, 5, 6, 7, 0, 0, ..., 0 ] pod_matrix = Int64Vector([0] * slot_count) pod_matrix[0] = 0 pod_matrix[1] = 1 pod_matrix[2] = 2 pod_matrix[3] = 3 pod_matrix[row_size] = 4 pod_matrix[row_size + 1] = 5 pod_matrix[row_size + 2] = 6 pod_matrix[row_size + 3] = 7 print("Input plaintext matrix:") print_matrix(pod_matrix, row_size) #First we use BatchEncoder to encode the matrix into a plaintext polynomial. plain_matrix = Plaintext() print("Encode plaintext matrix:") batch_encoder.encode(pod_matrix, plain_matrix) #We can instantly decode to verify correctness of the encoding. Note that no #encryption or decryption has yet taken place. print(" + Decode plaintext matrix ...... Correct.") pod_result = Int64Vector([0] * slot_count) batch_encoder.decode(plain_matrix, pod_result) print_matrix(pod_result, row_size) #Next we encrypt the encoded plaintext. encrypted_matrix = Ciphertext() print("Encrypt plain_matrix to encrypted_matrix.") encryptor.encrypt(plain_matrix, encrypted_matrix) print(" + Noise budget in encrypted_matrix: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) #Operating on the ciphertext results in homomorphic operations being performed #simultaneously in all 8192 slots (matrix elements). To illustrate this, we #form another plaintext matrix # # [ 1, 2, 1, 2, 1, 2, ..., 2 ] # [ 1, 2, 1, 2, 1, 2, ..., 2 ] # #and encode it into a plaintext. pod_matrix2 = UInt64Vector([1, 2] * row_size) plain_matrix2 = Plaintext() batch_encoder.encode(pod_matrix2, plain_matrix2) print("Second input plaintext matrix:") print_matrix(pod_matrix2, row_size) #We now add the second (plaintext) matrix to the encrypted matrix, and square #the sum. print("Sum, square, and relinearize.") evaluator.add_plain_inplace(encrypted_matrix, plain_matrix2) evaluator.square_inplace(encrypted_matrix) evaluator.relinearize_inplace(encrypted_matrix, relin_keys) #How much noise budget do we have left? print(" + Noise budget in result: {} bits".format( decryptor.invariant_noise_budget(encrypted_matrix))) #We decrypt and decompose the plaintext to recover the result as a matrix. plain_result = Plaintext() print("Decrypt and decode result.") decryptor.decrypt(encrypted_matrix, plain_result) batch_encoder.decode(plain_result, pod_result) print(" + Result plaintext matrix ...... Correct.") print_matrix(pod_result, row_size)
def test1(): #TODO make the function taking dir name, iterating through all the descriptors, encrypting #TODO add progress bar - the videos are decrypted #TODO make a function taking a query and passing it to the sklearn function KNN with custom similarity funtion #TODO add progress bar - the search is performed (calculate distance between encrypted vectors) #TODO return results #TODO Vlad Display. The results are true. The same as we would compute similarity between ncrypted vectors. # In the same time we did not have to decrypt vectors stored in 3rd parity service to perform a search. #TODO get the metrics #TODO how to opimize a = np.ones((1, DESC_SIZE)) b = np.ones((1, DESC_SIZE)) for i in range(a.shape[1]): a[0, i] = random.uniform(0.0, 1.0) b[0, i] = random.uniform(0.0, 1.0) print("Descriptors for images a and b are: ") print("a ", a) print("b ", b) context, params = config() public_key, secret_key = keygen(context) frac_encoder = FractionalEncoder(context.plain_modulus(), context.poly_modulus(), 64, 32, 3) encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) e1 = encrypt_vec(params, encryptor, frac_encoder, a) e3 = encrypt_vec(params, encryptor, frac_encoder, b) print("Calculate distance between plain a and b:") sim = euclidean_dist(a, b) print("Similarity between a and b: {}".format(sim)) print("Calculating distance between encrypted a and b:") time_start = time.time() enc_res = euclidean_dist_enc(evaluator, e1, e3) time_end = time.time() print("Done. Time: {} miliseconds".format( (str)(1000 * (time_end - time_start)))) plain_result = Plaintext() print("Decrypting result: ") time_start = time.time() decryptor.decrypt(enc_res, plain_result) res = frac_encoder.encode(plain_result) time_end = time.time() print("Done. Time: {} miliseconds".format( (str)(1000 * (time_end - time_start)))) print( "........................................................................" ) print("Noise budget {} bits".format( decryptor.invariant_noise_budget(enc_res))) print("Decrypted result {}, original result {}".format(res, sim)) print("Calculate distance between plain a and a:") sim = euclidean_dist(a, a.copy()) print("Similarity between a and b: {}".format(sim)) print("Calculating distance between encrypted a and a:") time_start = time.time() enc_res = euclidean_dist_enc(evaluator, e1, e1) time_end = time.time() print("Done. Time: {} miliseconds".format( (str)(1000 * (time_end - time_start)))) plain_result = Plaintext() print("Decrypting result: ") time_start = time.time() decryptor.decrypt(enc_res, plain_result) res = frac_encoder.encode(plain_result) time_end = time.time() print("Done. Time: {} miliseconds".format( (str)(1000 * (time_end - time_start)))) print( "........................................................................." ) print("Noise budget {} bits".format( decryptor.invariant_noise_budget(enc_res))) print("Decrypted result {}, original result {}".format(res, sim))
class Client(Participant): def __init__(self): super().__init__() self._public_key = None self._secret_key = None self._encryptor = None self._decryptor = None self.set_parms_from_dict() # instantiate with default parameters def get_parms(self): return self._parms def set_parms(self, parms: EncryptionParameters, print_parms=False): super().set_parms(parms, print_parms) keygen = KeyGenerator(self._context) self.public_key = keygen.public_key() self.secret_key = keygen.secret_key() self._encryptor = Encryptor(self._context, self._public_key) self._decryptor = Decryptor(self._context, self._secret_key) # noinspection PyArgumentList def set_parms_from_dict(self, **parms_dict): default_parms_dict = {"poly": 4096, "coeff": 4096, "plain": (1 << 8)} if parms_dict: for key, value in parms_dict.items(): assert key in parms_dict, "Accepted parameters are poly, coeff, plain, and print_parms" default_parms_dict[key] = parms_dict[key] self._parms.set_poly_modulus_degree(default_parms_dict['poly']) self._parms.set_coeff_modulus( CoeffModulus.BFVDefault(default_parms_dict['coeff'])) self._parms.set_plain_modulus(default_parms_dict['plain']) self.set_parms(self._parms) @property def public_key(self): return self._public_key @public_key.setter def public_key(self, pk: PublicKey): self._public_key = pk @property def secret_key(self): return self._secret_key @secret_key.setter def secret_key(self, sk: SecretKey): self._secret_key = sk def enc(self, arr): n = len(arr) cipher_arr = np.empty(n, Ciphertext) for i in range(n): c = Ciphertext() self._encryptor.encrypt(self._encoder.encode(arr[i]), c) cipher_arr[i] = c return cipher_arr def dec(self, cipher_arr): n = len(cipher_arr) arr = np.empty(n, int) for i in range(n): p = Plaintext() self._decryptor.decrypt(cipher_arr[i], p) arr[i] = self._encoder.decode_int64(p) return arr def masking(self, arr): assert isinstance(arr, np.ndarray), "Only numpy arrays are accepted" return np.sign(arr)
def example_levels(): print("Example: Levels") #In this examples we describe the concept of `levels' in BFV and CKKS and the #related objects that represent them in Microsoft SEAL. # #In Microsoft SEAL a set of encryption parameters (excluding the random number #generator) is identified uniquely by a 256-bit hash of the parameters. This #hash is called the `parms_id' and can be easily accessed and printed at any #time. The hash will change as soon as any of the parameters is changed. # #When a SEALContext is created from a given EncryptionParameters instance, #Microsoft SEAL automatically creates a so-called `modulus switching chain', #which is a chain of other encryption parameters derived from the original set. #The parameters in the modulus switching chain are the same as the original #parameters with the exception that size of the coefficient modulus is #decreasing going down the chain. More precisely, each parameter set in the #chain attempts to remove the last coefficient modulus prime from the #previous set; this continues until the parameter set is no longer valid #(e.g., plain_modulus is larger than the remaining coeff_modulus). It is easy #to walk through the chain and access all the parameter sets. Additionally, #each parameter set in the chain has a `chain index' that indicates its #position in the chain so that the last set has index 0. We say that a set #of encryption parameters, or an object carrying those encryption parameters, #is at a higher level in the chain than another set of parameters if its the #chain index is bigger, i.e., it is earlier in the chain. # #Each set of parameters in the chain involves unique pre-computations performed #when the SEALContext is created, and stored in a SEALContext::ContextData #object. The chain is basically a linked list of SEALContext::ContextData #objects, and can easily be accessed through the SEALContext at any time. Each #node can be identified by the parms_id of its specific encryption parameters #(poly_modulus_degree remains the same but coeff_modulus varies). parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) #In this example we use a custom coeff_modulus, consisting of 5 primes of #sizes 50, 30, 30, 50, and 50 bits. Note that this is still OK according to #the explanation in `1_bfv_basics.cpp'. Indeed, # # CoeffModulus::MaxBitCount(poly_modulus_degree) # #returns 218 (greater than 50+30+30+50+50=210). # #Due to the modulus switching chain, the order of the 5 primes is significant. #The last prime has a special meaning and we call it the `special prime'. Thus, #the first parameter set in the modulus switching chain is the only one that #involves the special prime. All key objects, such as SecretKey, are created #at this highest level. All data objects, such as Ciphertext, can be only at #lower levels. The special prime should be as large as the largest of the #other primes in the coeff_modulus, although this is not a strict requirement. # # special prime +---------+ # | # v #coeff_modulus: { 50, 30, 30, 50, 50 } +---+ Level 4 (all keys; `key level') # | # | # coeff_modulus: { 50, 30, 30, 50 } +---+ Level 3 (highest `data level') # | # | # coeff_modulus: { 50, 30, 30 } +---+ Level 2 # | # | # coeff_modulus: { 50, 30 } +---+ Level 1 # | # | # coeff_modulus: { 50 } +---+ Level 0 (lowest level) parms.set_coeff_modulus( CoeffModulus.Create(poly_modulus_degree, IntVector([50, 30, 30, 50, 50]))) #In this example the plain_modulus does not play much of a role; we choose #some reasonable value. parms.set_plain_modulus(PlainModulus.Batching(poly_modulus_degree, 20)) context = SEALContext.Create(parms) print_parameters(context) #There are convenience method for accessing the SEALContext::ContextData for #some of the most important levels: # # SEALContext::key_context_data(): access to key level ContextData # SEALContext::first_context_data(): access to highest data level ContextData # SEALContext::last_context_data(): access to lowest level ContextData # #We iterate over the chain and print the parms_id for each set of parameters. print("Print the modulus switching chain.") #First print the key level parameter information. context_data = context.key_context_data() print("----> Level (chain index): {} ...... key_context_data()".format( context_data.chain_index())) print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") #Next iterate over the remaining (data) levels. context_data = context.first_context_data() while (context_data): print(" Level (chain index): {} ".format(context_data.chain_index()), end='') if context_data.parms_id() == context.first_parms_id(): print(" ...... first_context_data()") elif context_data.parms_id() == context.last_parms_id(): print(" ...... last_context_data()") else: print("") print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") #Step forward in the chain. context_data = context_data.next_context_data() print(" End of chain reached") #We create some keys and check that indeed they appear at the highest level. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() galois_keys = keygen.galois_keys() print("Print the parameter IDs of generated elements.") print(" + public_key: {}".format(list2hex(public_key.parms_id()))) print(" + secret_key: {}".format(list2hex(secret_key.parms_id()))) print(" + relin_keys: {}".format(list2hex(relin_keys.parms_id()))) print(" + galois_keys: {}".format(list2hex(galois_keys.parms_id()))) encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) #In the BFV scheme plaintexts do not carry a parms_id, but ciphertexts do. Note #how the freshly encrypted ciphertext is at the highest data level. plain = Plaintext("1x^3 + 2x^2 + 3x^1 + 4") encrypted = Ciphertext() encryptor.encrypt(plain, encrypted) print(" + plain: {} (not set in BFV)".format( list2hex(plain.parms_id()))) print(" + encrypted: {}".format(list2hex(encrypted.parms_id()))) #`Modulus switching' is a technique of changing the ciphertext parameters down #in the chain. The function Evaluator::mod_switch_to_next always switches to #the next level down the chain, whereas Evaluator::mod_switch_to switches to #a parameter set down the chain corresponding to a given parms_id. However, it #is impossible to switch up in the chain. print("Perform modulus switching on encrypted and print.") context_data = context.first_context_data() print("---->") while (context_data.next_context_data()): print(" Level (chain index): {} ".format(context_data.chain_index())) print(" parms_id of encrypted: {}".format( list2hex(encrypted.parms_id()))) print(" Noise budget at this level: {} bits".format( decryptor.invariant_noise_budget(encrypted))) print("\\") print(" \\-->") evaluator.mod_switch_to_next_inplace(encrypted) context_data = context_data.next_context_data() print(" Level (chain index): {}".format(context_data.chain_index())) print(" parms_id of encrypted: {}".format(encrypted.parms_id())) print(" Noise budget at this level: {} bits".format( decryptor.invariant_noise_budget(encrypted))) print("\\") print(" \\-->") print(" End of chain reached") #At this point it is hard to see any benefit in doing this: we lost a huge #amount of noise budget (i.e., computational power) at each switch and seemed #to get nothing in return. Decryption still works. print("Decrypt still works after modulus switching.") decryptor.decrypt(encrypted, plain) print(" + Decryption of encrypted: {} ...... Correct.".format( plain.to_string())) #However, there is a hidden benefit: the size of the ciphertext depends #linearly on the number of primes in the coefficient modulus. Thus, if there #is no need or intention to perform any further computations on a given #ciphertext, we might as well switch it down to the smallest (last) set of #parameters in the chain before sending it back to the secret key holder for #decryption. # #Also the lost noise budget is actually not an issue at all, if we do things #right, as we will see below. # #First we recreate the original ciphertext and perform some computations. print("Computation is more efficient with modulus switching.") print("Compute the 8th power.") encryptor.encrypt(plain, encrypted) print(" + Noise budget fresh: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 2nd power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 4th power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #Surprisingly, in this case modulus switching has no effect at all on the #noise budget. evaluator.mod_switch_to_next_inplace(encrypted) print(" + Noise budget after modulus switching: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #This means that there is no harm at all in dropping some of the coefficient #modulus after doing enough computations. In some cases one might want to #switch to a lower level slightly earlier, actually sacrificing some of the #noise budget in the process, to gain computational performance from having #smaller parameters. We see from the print-out that the next modulus switch #should be done ideally when the noise budget is down to around 25 bits. evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) print(" + Noise budget of the 8th power: {} bits".format( decryptor.invariant_noise_budget(encrypted))) evaluator.mod_switch_to_next_inplace(encrypted) print(" + Noise budget after modulus switching: {} bits".format( decryptor.invariant_noise_budget(encrypted))) #At this point the ciphertext still decrypts correctly, has very small size, #and the computation was as efficient as possible. Note that the decryptor #can be used to decrypt a ciphertext at any level in the modulus switching #chain. decryptor.decrypt(encrypted, plain) print(" + Decryption of the 8th power (hexadecimal) ...... Correct.") print(" {}".format(plain.to_string())) #In BFV modulus switching is not necessary and in some cases the user might #not want to create the modulus switching chain, except for the highest two #levels. This can be done by passing a bool `false' to SEALContext::Create. context = SEALContext.Create(parms, False) #We can check that indeed the modulus switching chain has been created only #for the highest two levels (key level and highest data level). The following #loop should execute only once. print("Optionally disable modulus switching chain expansion.") print("Print the modulus switching chain.") print("---->") context_data = context.key_context_data() while (context_data): print(" Level (chain index): {}".format(context_data.chain_index())) print(" parms_id: {}".format(list2hex(context_data.parms_id()))) print("coeff_modulus primes:", end=' ') for prime in context_data.parms().coeff_modulus(): print(hex(prime.value()), end=' ') print("") print("\\") print(" \\-->") context_data = context_data.next_context_data() print(" End of chain reached")
# Adding the matrices multiplie by their coefficients for i in range(len(matrixPower_vector) - 1): for j in range(len(c)): if (i + j == n - 1): mult(c[j], matrixPower_vector[i]) for t in range(n): for s in range(n): evaluator.add(A_inv[t][s], matrixPower_vector[i][t][s]) # decrypted inverse matrix A_i_dec = [] for x in A_inv: a_i = [] for y in x: p = Plaintext() decryptor.decrypt(y, p) a_i.append(encoderF.decode(p)) A_i_dec.append(a_i) decryptor.decrypt(c[n], p) # nth coefficient of characteristic equation of th determin = encoderF.decode(p) print("negative of co-factor matrix: ", A_i_dec) A_i_dec = [[(-1 / determin) * elem for elem in row] for row in A_i_dec] print("\nThe inverse matrix:\n", np.asarray(A_i_dec)) print('Time cost: {} seconds'.format(time.time() - t1)) t2 = time.time() np_A_inv = np.linalg.inv(np.asarray(plain_A)) print('Inverse computed by numpy: \n{}'.format(np_A_inv))
for i in range(len(A)): A_plain.append(encoder.encode(A[i])) A_cipherObject.append(Ciphertext()) encryptor.encrypt(A_plain[i],A_cipherObject[i]) print("Noise budget of "+ str(i)+" "+str((decryptor.invariant_noise_budget(A_cipherObject[i]))) + " bits") A_cipherObject=chunk(A_cipherObject) C=A_cipherObject #shallow copy # partial pivoting for i in range(3,-1,-1): evaluator.negate(C[i][0]) evaluator.add(C[i][0], C[i+1][0]) plain_result = Plaintext() decryptor.decrypt(C[i][0], plain_result) if (int(encoder.decode_int32(plain_result))>0): for j in range(8): # add code to combine appended matrix and normal matrix together D=A_cipherObject #shallow copy # reducing to diagnol matrix for i in range(4): for j in range (8): if (j!=i): plain_result = Plaintext() X=D[i][i] decryptor.decrypt(X, plain_result) E=1/int(encoder.decode_int32(plain_result))
def example_integer_encoder(): print("Example: Encoders / Integer Encoder") #[IntegerEncoder] (For BFV scheme only) # #The IntegerEncoder encodes integers to BFV plaintext polynomials as follows. #First, a binary expansion of the integer is computed. Next, a polynomial is #created with the bits as coefficients. For example, the integer # # 26 = 2^4 + 2^3 + 2^1 # #is encoded as the polynomial 1x^4 + 1x^3 + 1x^1. Conversely, plaintext #polynomials are decoded by evaluating them at x=2. For negative numbers the #IntegerEncoder simply stores all coefficients as either 0 or -1, where -1 is #represented by the unsigned integer plain_modulus - 1 in memory. # #Since encrypted computations operate on the polynomials rather than on the #encoded integers themselves, the polynomial coefficients will grow in the #course of such computations. For example, computing the sum of the encrypted #encoded integer 26 with itself will result in an encrypted polynomial with #larger coefficients: 2x^4 + 2x^3 + 2x^1. Squaring the encrypted encoded #integer 26 results also in increased coefficients due to cross-terms, namely, # # (2x^4 + 2x^3 + 2x^1)^2 = 1x^8 + 2x^7 + 1x^6 + 2x^5 + 2x^4 + 1x^2; # #further computations will quickly increase the coefficients much more. #Decoding will still work correctly in this case (evaluating the polynomial #at x=2), but since the coefficients of plaintext polynomials are really #integers modulo plain_modulus, implicit reduction modulo plain_modulus may #yield unexpected results. For example, adding 1x^4 + 1x^3 + 1x^1 to itself #plain_modulus many times will result in the constant polynomial 0, which is #clearly not equal to 26 * plain_modulus. It can be difficult to predict when #such overflow will take place especially when computing several sequential #multiplications. # #The IntegerEncoder is easy to understand and use for simple computations, #and can be a good tool to experiment with for users new to Microsoft SEAL. #However, advanced users will probably prefer more efficient approaches, #such as the BatchEncoder or the CKKSEncoder. parms = EncryptionParameters(scheme_type.BFV) poly_modulus_degree = 4096 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree)) #There is no hidden logic behind our choice of the plain_modulus. The only #thing that matters is that the plaintext polynomial coefficients will not #exceed this value at any point during our computation; otherwise the result #will be incorrect. parms.set_plain_modulus(512) context = SEALContext.Create(parms) print_parameters(context) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) #We create an IntegerEncoder. encoder = IntegerEncoder(context) #First, we encode two integers as plaintext polynomials. Note that encoding #is not encryption: at this point nothing is encrypted. value1 = 5 plain1 = encoder.encode(value1) print("Encode {} as polynomial {} (plain1), ".format( value1, plain1.to_string())) value2 = -7 plain2 = encoder.encode(value2) print(" encode {} as polynomial {} (plain2)".format( value2, plain2.to_string())) #Now we can encrypt the plaintext polynomials. encrypted1 = Ciphertext() encrypted2 = Ciphertext() print("Encrypt plain1 to encrypted1 and plain2 to encrypted2.") encryptor.encrypt(plain1, encrypted1) encryptor.encrypt(plain2, encrypted2) print(" + Noise budget in encrypted1: {} bits".format( decryptor.invariant_noise_budget(encrypted1))) print(" + Noise budget in encrypted2: {} bits".format( decryptor.invariant_noise_budget(encrypted2))) #As a simple example, we compute (-encrypted1 + encrypted2) * encrypted2. encryptor.encrypt(plain2, encrypted2) encrypted_result = Ciphertext() print( "Compute encrypted_result = (-encrypted1 + encrypted2) * encrypted2.") evaluator.negate(encrypted1, encrypted_result) evaluator.add_inplace(encrypted_result, encrypted2) evaluator.multiply_inplace(encrypted_result, encrypted2) print(" + Noise budget in encrypted_result: {} bits".format( decryptor.invariant_noise_budget(encrypted_result))) plain_result = Plaintext() print("Decrypt encrypted_result to plain_result.") decryptor.decrypt(encrypted_result, plain_result) #Print the result plaintext polynomial. The coefficients are not even close #to exceeding our plain_modulus, 512. print(" + Plaintext polynomial: {}".format(plain_result.to_string())) #Decode to obtain an integer result. print("Decode plain_result.") print(" + Decoded integer: {} ...... Correct.".format( encoder.decode_int32(plain_result)))
def example_ckks_encoder(): print("Example: Encoders / CKKS Encoder") #[CKKSEncoder] (For CKKS scheme only) # #In this example we demonstrate the Cheon-Kim-Kim-Song (CKKS) scheme for #computing on encrypted real or complex numbers. We start by creating #encryption parameters for the CKKS scheme. There are two important #differences compared to the BFV scheme: # # (1) CKKS does not use the plain_modulus encryption parameter; # (2) Selecting the coeff_modulus in a specific way can be very important # when using the CKKS scheme. We will explain this further in the file # `ckks_basics.cpp'. In this example we use CoeffModulus::Create to # generate 5 40-bit prime numbers. parms = EncryptionParameters(scheme_type.CKKS) poly_modulus_degree = 8192 parms.set_poly_modulus_degree(poly_modulus_degree) parms.set_coeff_modulus( CoeffModulus.Create(poly_modulus_degree, IntVector([40, 40, 40, 40, 40]))) #We create the SEALContext as usual and print the parameters. context = SEALContext.Create(parms) print_parameters(context) #Keys are created the same way as for the BFV scheme. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() #We also set up an Encryptor, Evaluator, and Decryptor as usual. encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) #To create CKKS plaintexts we need a special encoder: there is no other way #to create them. The IntegerEncoder and BatchEncoder cannot be used with the #CKKS scheme. The CKKSEncoder encodes vectors of real or complex numbers into #Plaintext objects, which can subsequently be encrypted. At a high level this #looks a lot like what BatchEncoder does for the BFV scheme, but the theory #behind it is completely different. encoder = CKKSEncoder(context) #In CKKS the number of slots is poly_modulus_degree / 2 and each slot encodes #one real or complex number. This should be contrasted with BatchEncoder in #the BFV scheme, where the number of slots is equal to poly_modulus_degree #and they are arranged into a matrix with two rows. slot_count = encoder.slot_count() print("Number of slots: {}".format(slot_count)) #We create a small vector to encode; the CKKSEncoder will implicitly pad it #with zeros to full size (poly_modulus_degree / 2) when encoding. input = DoubleVector([0.0, 1.1, 2.2, 3.3]) print("Input vector: ") print_vector(input) #Now we encode it with CKKSEncoder. The floating-point coefficients of `input' #will be scaled up by the parameter `scale'. This is necessary since even in #the CKKS scheme the plaintext elements are fundamentally polynomials with #integer coefficients. It is instructive to think of the scale as determining #the bit-precision of the encoding; naturally it will affect the precision of #the result. # #In CKKS the message is stored modulo coeff_modulus (in BFV it is stored modulo #plain_modulus), so the scaled message must not get too close to the total size #of coeff_modulus. In this case our coeff_modulus is quite large (200 bits) so #we have little to worry about in this regard. For this simple example a 30-bit #scale is more than enough. plain = Plaintext() scale = 2.0**30 print("Encode input vector.") encoder.encode(input, scale, plain) #We can instantly decode to check the correctness of encoding. output = DoubleVector() print(" + Decode input vector ...... Correct.") encoder.decode(plain, output) print_vector(output) #The vector is encrypted the same was as in BFV. encrypted = Ciphertext() print("Encrypt input vector, square, and relinearize.") encryptor.encrypt(plain, encrypted) #Basic operations on the ciphertexts are still easy to do. Here we square the #ciphertext, decrypt, decode, and print the result. We note also that decoding #returns a vector of full size (poly_modulus_degree / 2); this is because of #the implicit zero-padding mentioned above. evaluator.square_inplace(encrypted) evaluator.relinearize_inplace(encrypted, relin_keys) #We notice that the scale in the result has increased. In fact, it is now the #square of the original scale: 2^60. print(" + Scale in squared input: {} ( {} bits)".format( encrypted.scale(), log2(encrypted.scale()))) print("Decrypt and decode.") decryptor.decrypt(encrypted, plain) encoder.decode(plain, output) print(" + Result vector ...... Correct.") print_vector(output)
class SealOps: @classmethod def with_env(cls): parms = EncryptionParameters(scheme_type.CKKS) parms.set_poly_modulus_degree(POLY_MODULUS_DEGREE) parms.set_coeff_modulus( CoeffModulus.Create(POLY_MODULUS_DEGREE, PRIME_SIZE_LIST)) context = SEALContext.Create(parms) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() relin_keys = keygen.relin_keys() galois_keys = keygen.galois_keys() return cls(context=context, public_key=public_key, secret_key=secret_key, relin_keys=relin_keys, galois_keys=galois_keys, poly_modulus_degree=POLY_MODULUS_DEGREE, scale=SCALE) def __init__(self, context: SEALContext, scale: float, poly_modulus_degree: int, public_key: PublicKey = None, secret_key: SecretKey = None, relin_keys: RelinKeys = None, galois_keys: GaloisKeys = None): self.scale = scale self.context = context self.encoder = CKKSEncoder(context) self.evaluator = Evaluator(context) self.encryptor = Encryptor(context, public_key) self.decryptor = Decryptor(context, secret_key) self.relin_keys = relin_keys self.galois_keys = galois_keys self.poly_modulus_degree_log = np.log2(poly_modulus_degree) def encrypt(self, matrix: np.array): matrix = Matrix.from_numpy_array(array=matrix) cipher_matrix = CipherMatrix(rows=matrix.rows, cols=matrix.cols) for i in range(matrix.rows): encoded_row = Plaintext() self.encoder.encode(matrix[i], self.scale, encoded_row) self.encryptor.encrypt(encoded_row, cipher_matrix[i]) return cipher_matrix def decrypt(self, cipher_matrix: CipherMatrix) -> Matrix: matrix = Matrix(rows=cipher_matrix.rows, cols=cipher_matrix.cols) for i in range(matrix.rows): row = Vector() encoded_row = Plaintext() self.decryptor.decrypt(cipher_matrix[i], encoded_row) self.encoder.decode(encoded_row, row) matrix[i] = row return matrix def add(self, matrix_a: CipherMatrix, matrix_b: CipherMatrix) -> CipherMatrix: self.validate_same_dimension(matrix_a, matrix_b) result_matrix = CipherMatrix(rows=matrix_a.rows, cols=matrix_a.cols) for i in range(matrix_a.rows): a_tag, b_tag = self.get_matched_scale_vectors( matrix_a[i], matrix_b[i]) self.evaluator.add(a_tag, b_tag, result_matrix[i]) return result_matrix def add_plain(self, matrix_a: CipherMatrix, matrix_b: np.array) -> CipherMatrix: matrix_b = Matrix.from_numpy_array(matrix_b) self.validate_same_dimension(matrix_a, matrix_b) result_matrix = CipherMatrix(rows=matrix_a.rows, cols=matrix_a.cols) for i in range(matrix_a.rows): row = matrix_b[i] encoded_row = Plaintext() self.encoder.encode(row, self.scale, encoded_row) self.evaluator.mod_switch_to_inplace(encoded_row, matrix_a[i].parms_id()) self.evaluator.add_plain(matrix_a[i], encoded_row, result_matrix[i]) return result_matrix def multiply_plain(self, matrix_a: CipherMatrix, matrix_b: np.array) -> CipherMatrix: matrix_b = Matrix.from_numpy_array(matrix_b) self.validate_same_dimension(matrix_a, matrix_b) result_matrix = CipherMatrix(rows=matrix_a.rows, cols=matrix_a.cols) for i in range(matrix_a.rows): row = matrix_b[i] encoded_row = Plaintext() self.encoder.encode(row, self.scale, encoded_row) self.evaluator.mod_switch_to_inplace(encoded_row, matrix_a[i].parms_id()) self.evaluator.multiply_plain(matrix_a[i], encoded_row, result_matrix[i]) return result_matrix def dot_vector(self, a: Ciphertext, b: Ciphertext) -> Ciphertext: result = Ciphertext() self.evaluator.multiply(a, b, result) self.evaluator.relinearize_inplace(result, self.relin_keys) self.vector_sum_inplace(result) self.get_vector_first_element(result) self.evaluator.rescale_to_next_inplace(result) return result def dot_vector_with_plain(self, a: Ciphertext, b: DoubleVector) -> Ciphertext: result = Ciphertext() b_plain = Plaintext() self.encoder.encode(b, self.scale, b_plain) self.evaluator.multiply_plain(a, b_plain, result) self.vector_sum_inplace(result) self.get_vector_first_element(result) self.evaluator.rescale_to_next_inplace(result) return result def get_vector_range(self, vector_a: Ciphertext, i: int, j: int) -> Ciphertext: cipher_range = Ciphertext() one_and_zeros = DoubleVector([0.0 if x < i else 1.0 for x in range(j)]) plain = Plaintext() self.encoder.encode(one_and_zeros, self.scale, plain) self.evaluator.mod_switch_to_inplace(plain, vector_a.parms_id()) self.evaluator.multiply_plain(vector_a, plain, cipher_range) return cipher_range def dot_matrix_with_matrix_transpose(self, matrix_a: CipherMatrix, matrix_b: CipherMatrix): result_matrix = CipherMatrix(rows=matrix_a.rows, cols=matrix_a.cols) rows_a = matrix_a.rows cols_b = matrix_b.rows for i in range(rows_a): vector_dot_products = [] zeros = Plaintext() for j in range(cols_b): vector_dot_products += [ self.dot_vector(matrix_a[i], matrix_b[j]) ] if j == 0: zero = DoubleVector() self.encoder.encode(zero, vector_dot_products[j].scale(), zeros) self.evaluator.mod_switch_to_inplace( zeros, vector_dot_products[j].parms_id()) self.evaluator.add_plain(vector_dot_products[j], zeros, result_matrix[i]) else: self.evaluator.rotate_vector_inplace( vector_dot_products[j], -j, self.galois_keys) self.evaluator.add_inplace(result_matrix[i], vector_dot_products[j]) for vec in result_matrix: self.evaluator.relinearize_inplace(vec, self.relin_keys) self.evaluator.rescale_to_next_inplace(vec) return result_matrix def dot_matrix_with_plain_matrix_transpose(self, matrix_a: CipherMatrix, matrix_b: np.array): matrix_b = Matrix.from_numpy_array(matrix_b) result_matrix = CipherMatrix(rows=matrix_a.rows, cols=matrix_a.cols) rows_a = matrix_a.rows cols_b = matrix_b.rows for i in range(rows_a): vector_dot_products = [] zeros = Plaintext() for j in range(cols_b): vector_dot_products += [ self.dot_vector_with_plain(matrix_a[i], matrix_b[j]) ] if j == 0: zero = DoubleVector() self.encoder.encode(zero, vector_dot_products[j].scale(), zeros) self.evaluator.mod_switch_to_inplace( zeros, vector_dot_products[j].parms_id()) self.evaluator.add_plain(vector_dot_products[j], zeros, result_matrix[i]) else: self.evaluator.rotate_vector_inplace( vector_dot_products[j], -j, self.galois_keys) self.evaluator.add_inplace(result_matrix[i], vector_dot_products[j]) for vec in result_matrix: self.evaluator.relinearize_inplace(vec, self.relin_keys) self.evaluator.rescale_to_next_inplace(vec) return result_matrix @staticmethod def validate_same_dimension(matrix_a, matrix_b): if matrix_a.rows != matrix_b.rows or matrix_a.cols != matrix_b.cols: raise ArithmeticError("Matrices aren't of the same dimension") def vector_sum_inplace(self, cipher: Ciphertext): rotated = Ciphertext() for i in range(int(self.poly_modulus_degree_log - 1)): self.evaluator.rotate_vector(cipher, pow(2, i), self.galois_keys, rotated) self.evaluator.add_inplace(cipher, rotated) def get_vector_first_element(self, cipher: Ciphertext): one_and_zeros = DoubleVector([1.0]) plain = Plaintext() self.encoder.encode(one_and_zeros, self.scale, plain) self.evaluator.multiply_plain_inplace(cipher, plain) def get_matched_scale_vectors(self, a: Ciphertext, b: Ciphertext) -> (Ciphertext, Ciphertext): a_tag = Ciphertext(a) b_tag = Ciphertext(b) a_index = self.context.get_context_data(a.parms_id()).chain_index() b_index = self.context.get_context_data(b.parms_id()).chain_index() # Changing the mod if required, else just setting the scale if a_index < b_index: self.evaluator.mod_switch_to_inplace(b_tag, a.parms_id()) elif a_index > b_index: self.evaluator.mod_switch_to_inplace(a_tag, b.parms_id()) a_tag.set_scale(self.scale) b_tag.set_scale(self.scale) return a_tag, b_tag
class CipherMatrix: """ """ def __init__(self, matrix=None): """ :param matrix: numpy.ndarray to be encrypted. """ self.parms = EncryptionParameters() self.parms.set_poly_modulus("1x^2048 + 1") self.parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) self.parms.set_plain_modulus(1 << 8) self.context = SEALContext(self.parms) # self.encoder = IntegerEncoder(self.context.plain_modulus()) self.encoder = FractionalEncoder(self.context.plain_modulus(), self.context.poly_modulus(), 64, 32, 3) self.keygen = KeyGenerator(self.context) self.public_key = self.keygen.public_key() self.secret_key = self.keygen.secret_key() self.encryptor = Encryptor(self.context, self.public_key) self.decryptor = Decryptor(self.context, self.secret_key) self.evaluator = Evaluator(self.context) self._saved = False self._encrypted = False self._id = '{0:04d}'.format(np.random.randint(1000)) if matrix is not None: assert len( matrix.shape) == 2, "Only 2D numpy matrices accepted currently" self.matrix = np.copy(matrix) self.encrypted_matrix = np.empty(self.matrix.shape, dtype=object) for i in range(self.matrix.shape[0]): for j in range(self.matrix.shape[1]): self.encrypted_matrix[i, j] = Ciphertext() else: self.matrix = None self.encrypted_matrix = None print(self._id, "Created") def __repr__(self): """ :return: """ print("Encrypted:", self._encrypted) if not self._encrypted: print(self.matrix) return "" else: return '[]' def __str__(self): """ :return: """ print("| Encryption parameters:") print("| poly_modulus: " + self.context.poly_modulus().to_string()) # Print the size of the true (product) coefficient modulus print("| coeff_modulus_size: " + ( str)(self.context.total_coeff_modulus().significant_bit_count()) + " bits") print("| plain_modulus: " + (str)(self.context.plain_modulus().value())) print("| noise_standard_deviation: " + (str)(self.context.noise_standard_deviation())) if self.matrix is not None: print(self.matrix.shape) return str(type(self)) def __add__(self, other): """ :param other: :return: """ assert isinstance( other, CipherMatrix), "Can only be added with a CipherMatrix" A_enc = self._encrypted B_enc = other._encrypted if A_enc: A = self.encrypted_matrix else: A = self.matrix if B_enc: B = other.encrypted_matrix else: B = other.matrix assert A.shape == B.shape, "Dimension mismatch, Matrices must be of same shape. Got {} and {}".format( A.shape, B.shape) shape = A.shape result = CipherMatrix(np.zeros(shape, dtype=np.int32)) result._update_cryptors(self.get_keygen()) if A_enc: if B_enc: res_mat = result.encrypted_matrix for i in range(shape[0]): for j in range(shape[1]): self.evaluator.add(A[i, j], B[i, j], res_mat[i, j]) result._encrypted = True else: res_mat = result.encrypted_matrix for i in range(shape[0]): for j in range(shape[1]): self.evaluator.add_plain(A[i, j], self.encoder.encode(B[i, j]), res_mat[i, j]) result._encrypted = True else: if B_enc: res_mat = result.encrypted_matrix for i in range(shape[0]): for j in range(shape[1]): self.evaluator.add_plain(B[i, j], self.encoder.encode(A[i, j]), res_mat[i, j]) result._encrypted = True else: result.matrix = A + B result._encrypted = False return result def __sub__(self, other): """ :param other: :return: """ assert isinstance(other, CipherMatrix) if other._encrypted: shape = other.encrypted_matrix.shape for i in range(shape[0]): for j in range(shape[1]): self.evaluator.negate(other.encrypted_matrix[i, j]) else: other.matrix = -1 * other.matrix return self + other def __mul__(self, other): """ :param other: :return: """ assert isinstance( other, CipherMatrix), "Can only be multiplied with a CipherMatrix" # print("LHS", self._id, "RHS", other._id) A_enc = self._encrypted B_enc = other._encrypted if A_enc: A = self.encrypted_matrix else: A = self.matrix if B_enc: B = other.encrypted_matrix else: B = other.matrix Ashape = A.shape Bshape = B.shape assert Ashape[1] == Bshape[0], "Dimensionality mismatch" result_shape = [Ashape[0], Bshape[1]] result = CipherMatrix(np.zeros(shape=result_shape)) if A_enc: if B_enc: for i in range(Ashape[0]): for j in range(Bshape[1]): result_array = [] for k in range(Ashape[1]): res = Ciphertext() self.evaluator.multiply(A[i, k], B[k, j], res) result_array.append(res) self.evaluator.add_many(result_array, result.encrypted_matrix[i, j]) result._encrypted = True else: for i in range(Ashape[0]): for j in range(Bshape[1]): result_array = [] for k in range(Ashape[1]): res = Ciphertext() self.evaluator.multiply_plain( A[i, k], self.encoder.encode(B[k, j]), res) result_array.append(res) self.evaluator.add_many(result_array, result.encrypted_matrix[i, j]) result._encrypted = True else: if B_enc: for i in range(Ashape[0]): for j in range(Bshape[1]): result_array = [] for k in range(Ashape[1]): res = Ciphertext() self.evaluator.multiply_plain( B[i, k], self.encoder.encode(A[k, j]), res) result_array.append(res) self.evaluator.add_many(result_array, result.encrypted_matrix[i, j]) result._encrypted = True else: result.matrix = np.matmul(A, B) result._encrypted = False return result def save(self, path): """ :param path: :return: """ save_dir = os.path.join(path, self._id) if self._saved: print("CipherMatrix already saved") else: assert not os.path.isdir(save_dir), "Directory already exists" os.mkdir(save_dir) if not self._encrypted: self.encrypt() shape = self.encrypted_matrix.shape for i in range(shape[0]): for j in range(shape[1]): element_name = str(i) + '-' + str(j) + '.ahem' self.encrypted_matrix[i, j].save( os.path.join(save_dir, element_name)) self.secret_key.save("/keys/" + "." + self._id + '.wheskey') self._saved = True return save_dir def load(self, path, load_secret_key=False): """ :param path: :param load_secret_key: :return: """ self._id = path.split('/')[-1] print("Loading Matrix:", self._id) file_list = os.listdir(path) index_list = [[file.split('.')[0].split('-'), file] for file in file_list] M = int(max([int(ind[0][0]) for ind in index_list])) + 1 N = int(max([int(ind[0][1]) for ind in index_list])) + 1 del self.encrypted_matrix self.encrypted_matrix = np.empty([M, N], dtype=object) for index in index_list: i = int(index[0][0]) j = int(index[0][1]) self.encrypted_matrix[i, j] = Ciphertext() self.encrypted_matrix[i, j].load(os.path.join(path, index[1])) if load_secret_key: self.secret_key.load("/keys/" + "." + self._id + '.wheskey') self.matrix = np.empty(self.encrypted_matrix.shape) self._encrypted = True def encrypt(self, matrix=None, keygen=None): """ :param matrix: :return: """ assert not self._encrypted, "Matrix already encrypted" if matrix is not None: assert self.matrix is None, "matrix already exists" self.matrix = np.copy(matrix) shape = self.matrix.shape self.encrypted_matrix = np.empty(shape, dtype=object) if keygen is not None: self._update_cryptors(keygen) for i in range(shape[0]): for j in range(shape[1]): val = self.encoder.encode(self.matrix[i, j]) self.encrypted_matrix[i, j] = Ciphertext() self.encryptor.encrypt(val, self.encrypted_matrix[i, j]) self._encrypted = True def decrypt(self, encrypted_matrix=None, keygen=None): """ :return: """ if encrypted_matrix is not None: self.encrypted_matrix = encrypted_matrix assert self._encrypted, "No encrypted matrix" del self.matrix shape = self.encrypted_matrix.shape self.matrix = np.empty(shape) if keygen is not None: self._update_cryptors(keygen) for i in range(shape[0]): for j in range(shape[1]): plain_text = Plaintext() self.decryptor.decrypt(self.encrypted_matrix[i, j], plain_text) self.matrix[i, j] = self.encoder.decode(plain_text) self._encrypted = False return np.copy(self.matrix) def get_keygen(self): """ :return: """ return self.keygen def _update_cryptors(self, keygen): """ :param keygen: :return: """ self.keygen = keygen self.public_key = keygen.public_key() self.secret_key = keygen.secret_key() self.encryptor = Encryptor(self.context, self.public_key) self.decryptor = Decryptor(self.context, self.secret_key) return
def pickle_ciphertext(): parms = EncryptionParameters() parms.set_poly_modulus("1x^2048 + 1") parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) parms.set_plain_modulus(1 << 8) context = SEALContext(parms) # Print the parameters that we have chosen print_parameters(context); encoder = IntegerEncoder(context.plain_modulus()) keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() # To be able to encrypt, we need to construct an instance of Encryptor. Note that # the Encryptor only requires the public key. encryptor = Encryptor(context, public_key) # Computations on the ciphertexts are performed with the Evaluator class. evaluator = Evaluator(context) # We will of course want to decrypt our results to verify that everything worked, # so we need to also construct an instance of Decryptor. Note that the Decryptor # requires the secret key. decryptor = Decryptor(context, secret_key) # We start by encoding two integers as plaintext polynomials. value1 = 5; plain1 = encoder.encode(value1); print("Encoded " + (str)(value1) + " as polynomial " + plain1.to_string() + " (plain1)") value2 = -7; plain2 = encoder.encode(value2); print("Encoded " + (str)(value2) + " as polynomial " + plain2.to_string() + " (plain2)") # Encrypting the values is easy. encrypted1 = Ciphertext() encrypted2 = Ciphertext() print("Encrypting plain1: ", encrypted1) encryptor.encrypt(plain1, encrypted1) print("Done (encrypted1)", encrypted1) print("Encrypting plain2: ") encryptor.encrypt(plain2, encrypted2) print("Done (encrypted2)") # output = open('ciphertest.pkl', 'wb') # dill.dumps(encrypted_save, output) # output.close() # encrypted1 = dill.load(open('ciphertest.pkl', 'rb')) output = open('session.pkl', 'wb') dill.dump_session('session.pkl') del encrypted1 sill.load_session('session.pkl') # To illustrate the concept of noise budget, we print the budgets in the fresh # encryptions. print("Noise budget in encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") print("Noise budget in encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted2)) + " bits") # As a simple example, we compute (-encrypted1 + encrypted2) * encrypted2. # Negation is a unary operation. evaluator.negate(encrypted1) # Negation does not consume any noise budget. print("Noise budget in -encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Addition can be done in-place (overwriting the first argument with the result, # or alternatively a three-argument overload with a separate destination variable # can be used. The in-place variants are always more efficient. Here we overwrite # encrypted1 with the sum. evaluator.add(encrypted1, encrypted2) # It is instructive to think that addition sets the noise budget to the minimum # of the input noise budgets. In this case both inputs had roughly the same # budget going on, and the output (in encrypted1) has just slightly lower budget. # Depending on probabilistic effects, the noise growth consumption may or may # not be visible when measured in whole bits. print("Noise budget in -encrypted1 + encrypted2: " + (str)(decryptor.invariant_noise_budget(encrypted1)) + " bits") # Finally multiply with encrypted2. Again, we use the in-place version of the # function, overwriting encrypted1 with the product. evaluator.multiply(encrypted1, encrypted2) # Multiplication consumes a lot of noise budget. This is clearly seen in the # print-out. The user can change the plain_modulus to see its effect on the # rate of noise budget consumption. print("Noise budget in (-encrypted1 + encrypted2) * encrypted2: " + (str)( decryptor.invariant_noise_budget(encrypted1)) + " bits") # Now we decrypt and decode our result. plain_result = Plaintext() print("Decrypting result: ") decryptor.decrypt(encrypted1, plain_result) print("Done") # Print the result plaintext polynomial. print("Plaintext polynomial: " + plain_result.to_string()) # Decode to obtain an integer result. print("Decoded integer: " + (str)(encoder.decode_int32(plain_result)))
def example_bfv_basics(): print("Example: BFV Basics") #In this example, we demonstrate performing simple computations (a polynomial #evaluation) on encrypted integers using the BFV encryption scheme. # #The first task is to set up an instance of the EncryptionParameters class. #It is critical to understand how the different parameters behave, how they #affect the encryption scheme, performance, and the security level. There are #three encryption parameters that are necessary to set: # # - poly_modulus_degree (degree of polynomial modulus); # - coeff_modulus ([ciphertext] coefficient modulus); # - plain_modulus (plaintext modulus; only for the BFV scheme). # #The BFV scheme cannot perform arbitrary computations on encrypted data. #Instead, each ciphertext has a specific quantity called the `invariant noise #budget' -- or `noise budget' for short -- measured in bits. The noise budget #in a freshly encrypted ciphertext (initial noise budget) is determined by #the encryption parameters. Homomorphic operations consume the noise budget #at a rate also determined by the encryption parameters. In BFV the two basic #operations allowed on encrypted data are additions and multiplications, of #which additions can generally be thought of as being nearly free in terms of #noise budget consumption compared to multiplications. Since noise budget #consumption compounds in sequential multiplications, the most significant #factor in choosing appropriate encryption parameters is the multiplicative #depth of the arithmetic circuit that the user wants to evaluate on encrypted #data. Once the noise budget of a ciphertext reaches zero it becomes too #corrupted to be decrypted. Thus, it is essential to choose the parameters to #be large enough to support the desired computation; otherwise the result is #impossible to make sense of even with the secret key. parms = EncryptionParameters(scheme_type.BFV) #The first parameter we set is the degree of the `polynomial modulus'. This #must be a positive power of 2, representing the degree of a power-of-two #cyclotomic polynomial; it is not necessary to understand what this means. # #Larger poly_modulus_degree makes ciphertext sizes larger and all operations #slower, but enables more complicated encrypted computations. Recommended #values are 1024, 2048, 4096, 8192, 16384, 32768, but it is also possible #to go beyond this range. # #In this example we use a relatively small polynomial modulus. Anything #smaller than this will enable only very restricted encrypted computations. poly_modulus_degree = 4096 parms.set_poly_modulus_degree(poly_modulus_degree) #Next we set the [ciphertext] `coefficient modulus' (coeff_modulus). This #parameter is a large integer, which is a product of distinct prime numbers, #each up to 60 bits in size. It is represented as a vector of these prime #numbers, each represented by an instance of the SmallModulus class. The #bit-length of coeff_modulus means the sum of the bit-lengths of its prime #factors. # #A larger coeff_modulus implies a larger noise budget, hence more encrypted #computation capabilities. However, an upper bound for the total bit-length #of the coeff_modulus is determined by the poly_modulus_degree, as follows: # # +----------------------------------------------------+ # | poly_modulus_degree | max coeff_modulus bit-length | # +---------------------+------------------------------+ # | 1024 | 27 | # | 2048 | 54 | # | 4096 | 109 | # | 8192 | 218 | # | 16384 | 438 | # | 32768 | 881 | # +---------------------+------------------------------+ # #These numbers can also be found in native/src/seal/util/hestdparms.h encoded #in the function SEAL_HE_STD_PARMS_128_TC, and can also be obtained from the #function # # CoeffModulus::MaxBitCount(poly_modulus_degree). # #For example, if poly_modulus_degree is 4096, the coeff_modulus could consist #of three 36-bit primes (108 bits). # #Microsoft SEAL comes with helper functions for selecting the coeff_modulus. #For new users the easiest way is to simply use # # CoeffModulus::BFVDefault(poly_modulus_degree), # #which returns std::vector<SmallModulus> consisting of a generally good choice #for the given poly_modulus_degree. parms.set_coeff_modulus(CoeffModulus.BFVDefault(poly_modulus_degree)) #The plaintext modulus can be any positive integer, even though here we take #it to be a power of two. In fact, in many cases one might instead want it #to be a prime number; we will see this in later examples. The plaintext #modulus determines the size of the plaintext data type and the consumption #of noise budget in multiplications. Thus, it is essential to try to keep the #plaintext data type as small as possible for best performance. The noise #budget in a freshly encrypted ciphertext is # # ~ log2(coeff_modulus/plain_modulus) (bits) # #and the noise budget consumption in a homomorphic multiplication is of the #form log2(plain_modulus) + (other terms). # #The plaintext modulus is specific to the BFV scheme, and cannot be set when #using the CKKS scheme. parms.set_plain_modulus(1024) #Now that all parameters are set, we are ready to construct a SEALContext #object. This is a heavy class that checks the validity and properties of the #parameters we just set. context = SEALContext.Create(parms) #Print the parameters that we have chosen. print("Set encryption parameters and print") print_parameters(context) print("~~~~~~ A naive way to calculate 4(x^2+1)(x+1)^2. ~~~~~~") #The encryption schemes in Microsoft SEAL are public key encryption schemes. #For users unfamiliar with this terminology, a public key encryption scheme #has a separate public key for encrypting data, and a separate secret key for #decrypting data. This way multiple parties can encrypt data using the same #shared public key, but only the proper recipient of the data can decrypt it #with the secret key. # #We are now ready to generate the secret and public keys. For this purpose #we need an instance of the KeyGenerator class. Constructing a KeyGenerator #automatically generates the public and secret key, which can immediately be #read to local variables. keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() #To be able to encrypt we need to construct an instance of Encryptor. Note #that the Encryptor only requires the public key, as expected. encryptor = Encryptor(context, public_key) #Computations on the ciphertexts are performed with the Evaluator class. In #a real use-case the Evaluator would not be constructed by the same party #that holds the secret key. evaluator = Evaluator(context) #We will of course want to decrypt our results to verify that everything worked, #so we need to also construct an instance of Decryptor. Note that the Decryptor #requires the secret key. decryptor = Decryptor(context, secret_key) #As an example, we evaluate the degree 4 polynomial # # 4x^4 + 8x^3 + 8x^2 + 8x + 4 # #over an encrypted x = 6. The coefficients of the polynomial can be considered #as plaintext inputs, as we will see below. The computation is done modulo the #plain_modulus 1024. # #While this examples is simple and easy to understand, it does not have much #practical value. In later examples we will demonstrate how to compute more #efficiently on encrypted integers and real or complex numbers. # #Plaintexts in the BFV scheme are polynomials of degree less than the degree #of the polynomial modulus, and coefficients integers modulo the plaintext #modulus. For readers with background in ring theory, the plaintext space is #the polynomial quotient ring Z_T[X]/(X^N + 1), where N is poly_modulus_degree #and T is plain_modulus. # #To get started, we create a plaintext containing the constant 6. For the #plaintext element we use a constructor that takes the desired polynomial as #a string with coefficients represented as hexadecimal numbers. x = 6 x_plain = Plaintext(str(x)) print("Express x = {} as a plaintext polynomial 0x{}.".format( x, x_plain.to_string())) #We then encrypt the plaintext, producing a ciphertext. x_encrypted = Ciphertext() print("Encrypt x_plain to x_encrypted.") encryptor.encrypt(x_plain, x_encrypted) #In Microsoft SEAL, a valid ciphertext consists of two or more polynomials #whose coefficients are integers modulo the product of the primes in the #coeff_modulus. The number of polynomials in a ciphertext is called its `size' #and is given by Ciphertext::size(). A freshly encrypted ciphertext always #has size 2. print(" + size of freshly encrypted x: {}".format(x_encrypted.size())) #There is plenty of noise budget left in this freshly encrypted ciphertext. print(" + noise budget in freshly encrypted x: {} bits".format( decryptor.invariant_noise_budget(x_encrypted))) #We decrypt the ciphertext and print the resulting plaintext in order to #demonstrate correctness of the encryption. x_decrypted = Plaintext() decryptor.decrypt(x_encrypted, x_decrypted) print(" + decryption of x_encrypted: 0x{} ...... Correct.".format( x_decrypted.to_string())) #When using Microsoft SEAL, it is typically advantageous to compute in a way #that minimizes the longest chain of sequential multiplications. In other #words, encrypted computations are best evaluated in a way that minimizes #the multiplicative depth of the computation, because the total noise budget #consumption is proportional to the multiplicative depth. For example, for #our example computation it is advantageous to factorize the polynomial as # # 4x^4 + 8x^3 + 8x^2 + 8x + 4 = 4(x + 1)^2 * (x^2 + 1) # #to obtain a simple depth 2 representation. Thus, we compute (x + 1)^2 and #(x^2 + 1) separately, before multiplying them, and multiplying by 4. # #First, we compute x^2 and add a plaintext "1". We can clearly see from the #print-out that multiplication has consumed a lot of noise budget. The user #can vary the plain_modulus parameter to see its effect on the rate of noise #budget consumption. print("Compute x_sq_plus_one (x^2+1).") x_sq_plus_one = Ciphertext() evaluator.square(x_encrypted, x_sq_plus_one) plain_one = Plaintext("1") evaluator.add_plain_inplace(x_sq_plus_one, plain_one) #Encrypted multiplication results in the output ciphertext growing in size. #More precisely, if the input ciphertexts have size M and N, then the output #ciphertext after homomorphic multiplication will have size M+N-1. In this #case we perform a squaring, and observe both size growth and noise budget #consumption. print(" + size of x_sq_plus_one: {}".format(x_sq_plus_one.size())) print(" + noise budget in x_sq_plus_one: {} bits".format( decryptor.invariant_noise_budget(x_sq_plus_one))) #Even though the size has grown, decryption works as usual as long as noise #budget has not reached 0. decrypted_result = Plaintext() decryptor.decrypt(x_sq_plus_one, decrypted_result) print(" + decryption of x_sq_plus_one: 0x{} ...... Correct.".format( decrypted_result.to_string())) #Next, we compute (x + 1)^2. print("Compute x_plus_one_sq ((x+1)^2).") x_plus_one_sq = Ciphertext() evaluator.add_plain(x_encrypted, plain_one, x_plus_one_sq) evaluator.square_inplace(x_plus_one_sq) print(" + size of x_plus_one_sq: {}".format(x_plus_one_sq.size())) print(" + noise budget in x_plus_one_sq: {} bits".format( decryptor.invariant_noise_budget(x_plus_one_sq))) decryptor.decrypt(x_plus_one_sq, decrypted_result) print(" + decryption of x_plus_one_sq: 0x{} ...... Correct.".format( decrypted_result.to_string())) #Finally, we multiply (x^2 + 1) * (x + 1)^2 * 4. print("Compute encrypted_result (4(x^2+1)(x+1)^2).") encrypted_result = Ciphertext() plain_four = Plaintext("4") evaluator.multiply_plain_inplace(x_sq_plus_one, plain_four) evaluator.multiply(x_sq_plus_one, x_plus_one_sq, encrypted_result) print(" + size of encrypted_result: {}".format(encrypted_result.size())) print(" + noise budget in encrypted_result: {} bits".format( decryptor.invariant_noise_budget(encrypted_result))) print("NOTE: Decryption can be incorrect if noise budget is zero.") print("~~~~~~ A better way to calculate 4(x^2+1)(x+1)^2. ~~~~~~") #Noise budget has reached 0, which means that decryption cannot be expected #to give the correct result. This is because both ciphertexts x_sq_plus_one #and x_plus_one_sq consist of 3 polynomials due to the previous squaring #operations, and homomorphic operations on large ciphertexts consume much more #noise budget than computations on small ciphertexts. Computing on smaller #ciphertexts is also computationally significantly cheaper. #`Relinearization' is an operation that reduces the size of a ciphertext after #multiplication back to the initial size, 2. Thus, relinearizing one or both #input ciphertexts before the next multiplication can have a huge positive #impact on both noise growth and performance, even though relinearization has #a significant computational cost itself. It is only possible to relinearize #size 3 ciphertexts down to size 2, so often the user would want to relinearize #after each multiplication to keep the ciphertext sizes at 2. #Relinearization requires special `relinearization keys', which can be thought #of as a kind of public key. Relinearization keys can easily be created with #the KeyGenerator. #Relinearization is used similarly in both the BFV and the CKKS schemes, but #in this example we continue using BFV. We repeat our computation from before, #but this time relinearize after every multiplication. #We use KeyGenerator::relin_keys() to create relinearization keys. print("Generate relinearization keys.") relin_keys = keygen.relin_keys() #We now repeat the computation relinearizing after each multiplication. print("Compute and relinearize x_squared (x^2),") print("then compute x_sq_plus_one (x^2+1)") x_squared = Ciphertext() evaluator.square(x_encrypted, x_squared) print(" + size of x_squared: {}".format(x_squared.size())) evaluator.relinearize_inplace(x_squared, relin_keys) print(" + size of x_squared (after relinearization): {}".format( x_squared.size())) evaluator.add_plain(x_squared, plain_one, x_sq_plus_one) print(" + noise budget in x_sq_plus_one: {} bits".format( decryptor.invariant_noise_budget(x_sq_plus_one))) decryptor.decrypt(x_sq_plus_one, decrypted_result) print(" + decryption of x_sq_plus_one: 0x{} ...... Correct.".format( decrypted_result.to_string())) x_plus_one = Ciphertext() print("Compute x_plus_one (x+1),") print("then compute and relinearize x_plus_one_sq ((x+1)^2).") evaluator.add_plain(x_encrypted, plain_one, x_plus_one) evaluator.square(x_plus_one, x_plus_one_sq) print(" + size of x_plus_one_sq: {}".format(x_plus_one_sq.size())) evaluator.relinearize_inplace(x_plus_one_sq, relin_keys) print(" + noise budget in x_plus_one_sq: {} bits".format( decryptor.invariant_noise_budget(x_plus_one_sq))) decryptor.decrypt(x_plus_one_sq, decrypted_result) print(" + decryption of x_plus_one_sq: 0x{} ...... Correct.".format( decrypted_result.to_string())) print("Compute and relinearize encrypted_result (4(x^2+1)(x+1)^2).") evaluator.multiply_plain_inplace(x_sq_plus_one, plain_four) evaluator.multiply(x_sq_plus_one, x_plus_one_sq, encrypted_result) print(" + size of encrypted_result: {}".format(encrypted_result.size())) evaluator.relinearize_inplace(encrypted_result, relin_keys) print(" + size of encrypted_result (after relinearization): {}".format( encrypted_result.size())) print(" + noise budget in encrypted_result: {} bits".format( decryptor.invariant_noise_budget(encrypted_result))) print("NOTE: Notice the increase in remaining noise budget.") #Relinearization clearly improved our noise consumption. We have still plenty #of noise budget left, so we can expect the correct answer when decrypting. print("Decrypt encrypted_result (4(x^2+1)(x+1)^2).") decryptor.decrypt(encrypted_result, decrypted_result) print(" + decryption of 4(x^2+1)(x+1)^2 = 0x{} ...... Correct.".format( decrypted_result.to_string()))
def example_batching(): print_example_banner("Example: Batching with PolyCRTBuilder"); parms = EncryptionParameters() parms.set_poly_modulus("1x^4096 + 1") parms.set_coeff_modulus(seal.coeff_modulus_128(4096)) parms.set_plain_modulus(40961) context = SEALContext(parms) print_parameters(context) qualifiers = context.qualifiers() keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() gal_keys = GaloisKeys() keygen.generate_galois_keys(30, gal_keys) #ev_keys = EvaluationKeys() #keygen.generate_evaluation_keys(30, ev_keys) encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) crtbuilder = PolyCRTBuilder(context) slot_count = (int)(crtbuilder.slot_count()) row_size = (int)(slot_count / 2) print("Plaintext matrix row size: " + (str)(row_size)) def print_matrix(matrix): print("") print_size = 5 current_line = " [" for i in range(print_size): current_line += ((str)(matrix[i]) + ", ") current_line += ("..., ") for i in range(row_size - print_size, row_size): current_line += ((str)(matrix[i])) if i != row_size-1: current_line += ", " else: current_line += "]" print(current_line) current_line = " [" for i in range(row_size, row_size + print_size): current_line += ((str)(matrix[i]) + ", ") current_line += ("..., ") for i in range(2*row_size - print_size, 2*row_size): current_line += ((str)(matrix[i])) if i != 2*row_size-1: current_line += ", " else: current_line += "]" print(current_line) print("") # [ 0, 1, 2, 3, 0, 0, ..., 0 ] # [ 4, 5, 6, 7, 0, 0, ..., 0 ] pod_matrix = [0]*slot_count pod_matrix[0] = 0 pod_matrix[1] = 1 pod_matrix[2] = 2 pod_matrix[3] = 3 pod_matrix[row_size] = 4 pod_matrix[row_size + 1] = 5 pod_matrix[row_size + 2] = 6 pod_matrix[row_size + 3] = 7 print("Input plaintext matrix:") print_matrix(pod_matrix) plain_matrix = Plaintext() crtbuilder.compose(pod_matrix, plain_matrix) encrypted_matrix = Ciphertext() print("Encrypting: ") encryptor.encrypt(plain_matrix, encrypted_matrix) print("Done") print("Noise budget in fresh encryption: " + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits") pod_matrix2 = [] for i in range(slot_count): pod_matrix2.append((i % 2) + 1) plain_matrix2 = Plaintext() crtbuilder.compose(pod_matrix2, plain_matrix2) print("Second input plaintext matrix:") print_matrix(pod_matrix2) print("Adding and squaring: ") evaluator.add_plain(encrypted_matrix, plain_matrix2) evaluator.square(encrypted_matrix) evaluator.relinearize(encrypted_matrix, ev_keys) print("Done") print("Noise budget in result: " + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits") plain_result = Plaintext() print("Decrypting result: ") decryptor.decrypt(encrypted_matrix, plain_result) print("Done") crtbuilder.decompose(plain_result) pod_result = [plain_result.coeff_at(i) for i in range(plain_result.coeff_count())] print("Result plaintext matrix:") print_matrix(pod_result) encryptor.encrypt(plain_matrix, encrypted_matrix) print("Unrotated matrix: ") print_matrix(pod_matrix) print("Noise budget in fresh encryption: " + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits") # Now rotate the rows to the left 3 steps, decrypt, decompose, and print. evaluator.rotate_rows(encrypted_matrix, 3, gal_keys) print("Rotated rows 3 steps left: ") decryptor.decrypt(encrypted_matrix, plain_result) crtbuilder.decompose(plain_result) pod_result = [plain_result.coeff_at(i) for i in range(plain_result.coeff_count())] print_matrix(pod_result) print("Noise budget after rotation" + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits") # Rotate columns (swap rows), decrypt, decompose, and print. evaluator.rotate_columns(encrypted_matrix, gal_keys) print("Rotated columns: ") decryptor.decrypt(encrypted_matrix, plain_result) crtbuilder.decompose(plain_result) pod_result = [plain_result.coeff_at(i) for i in range(plain_result.coeff_count())] print_matrix(pod_result) print("Noise budget after rotation: " + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits") # Rotate rows to the right 4 steps, decrypt, decompose, and print. evaluator.rotate_rows(encrypted_matrix, -4, gal_keys) print("Rotated rows 4 steps right: ") decryptor.decrypt(encrypted_matrix, plain_result) crtbuilder.decompose(plain_result) pod_result = [plain_result.coeff_at(i) for i in range(plain_result.coeff_count())] print_matrix(pod_result) print("Noise budget after rotation: " + (str)(decryptor.invariant_noise_budget(encrypted_matrix)) + " bits")
class Encryption: ''' Provides encryption / encoding methods to realize the homomorphic operations ''' def __init__(self): # set parameters for encryption parms = EncryptionParameters() parms.set_poly_modulus("1x^2048 + 1") parms.set_coeff_modulus(seal.coeff_modulus_128(2048)) parms.set_plain_modulus(1 << 8) self.context = SEALContext(parms) keygen = KeyGenerator(self.context) self.encoder = IntegerEncoder(self.context.plain_modulus()) public_key = keygen.public_key() self.encryptor = Encryptor(self.context, public_key) secret_key = keygen.secret_key() self.decryptor = Decryptor(self.context, secret_key) def encrypt_live_neighbours_grid(self, live_neighbours_grid, dim): ''' Encodes the live neighbor matrix by applying following rules. If the cell [i][j] has 2 neighbors with 0, 3 neighbors with 2, and otherwise with -2. Afterwards encrypt it using PySEAL and store in a list :param live_neighbours_grid: live neighbor matrix as np array :param dim: dimension of the board :return: List of encoded and encrypted neighbors ''' encrypted_live_neighbours_grid = [] # Loop through every element of the board and encrypt it for i in range(dim): for j in range(dim): # transformation / encoding rules if(live_neighbours_grid[i][j] == 2): value = 0 elif(live_neighbours_grid[i][j] == 3): value = 2 elif(live_neighbours_grid[i][j] > 3 or live_neighbours_grid[i][j] < 2): value = -2 # element-wise homomorphic encryption encrypted = Ciphertext() plain = self.encoder.encode(value) self.encryptor.encrypt(plain, encrypted) encrypted_live_neighbours_grid.append(encrypted) return encrypted_live_neighbours_grid def encrypt_old_grid(self, old_grid, dim): ''' Encrypts each element in the old board state using PySEAL and adds it to a list :param old_grid: :param dim: :return: ''' encrypted_old_grid = [] # Loop through every element of the board and encrypt it for i in range(dim): for j in range(dim): # element-wise homomorphic encryption encrypted = Ciphertext() value = old_grid[i][j] plain = self.encoder.encode(value) self.encryptor.encrypt(plain, encrypted) encrypted_old_grid.append(encrypted) return encrypted_old_grid def decrypt_new_grid(self, encrypted_new_grid, dim): ''' Decrypts a homomorphic-encrypted grid by looping through every element, decrypt it and then applying the decoding rules to get the new board state :param encrypted_new_grid: :param dim: :return: ''' new_grid = numpy.zeros(dim*dim, dtype='i').reshape(dim,dim) for i in range(dim): for j in range(dim): plain = Plaintext() encrypted = encrypted_new_grid[dim*i + j] self.decryptor.decrypt(encrypted, plain) value = self.encoder.decode_int32(plain) # transformation / decoding rules if(value <= 0): new_grid[i][j] = 0 elif(value > 0): new_grid[i][j] = 1 return new_grid
keygen = KeyGenerator(context) public_key = keygen.public_key() secret_key = keygen.secret_key() encryptor = Encryptor(context, public_key) evaluator = Evaluator(context) decryptor = Decryptor(context, secret_key) value=7 plain1 = encoder.encode(value1) print("Encoded " + (str)(value) + " as polynomial " + plain1.to_string() + " (plain1)") encrypted _data= Ciphertext() encryptor.encrypt(plain, encrypted_data) print("Noise budget in encrypted1: " + (str)(decryptor.invariant_noise_budget(encrypted_data)) + " bits") # operations that can be performed ---> # result stored in encrypted1 data evaluator.negate(encrypted1_data) # result stored in encrypted1 data, encrpyted1 is modified evaluator.add(encrypted1_data, encrypted2_data) # result stored in encrypted1 data, encrpyted1 is modified evaluator.multiply(encrypted1_data, encrypted2_data) plain_result = Plaintext() decryptor.decrypt(encrypted_data, plain_result) print("Plaintext polynomial: " + plain_result.to_string()) print("Decoded integer: " + (str)(encoder.decode_int32(plain_result)))
class FHECryptoEngine(CryptoEngine): def __init__(self): CryptoEngine.__init__(self, defs.ENC_MODE_FHE) self.log_id = 'FHECryptoEngine' self.encrypt_params = None self.context = None self.encryptor = None self.evaluator = None self.decryptor = None return def load_keys(self): self.private_key = SecretKey() self.private_key.load(defs.FN_FHE_PRIVATE_KEY) self.public_key = PublicKey() self.public_key.load(defs.FN_FHE_PUBLIC_KEY) return True def generate_keys(self): if self.encrypt_params == None or \ self.context == None: self.init_encrypt_params() keygen = KeyGenerator(self.context) # Generate the private key self.private_key = keygen.secret_key() self.private_key.save(defs.FN_FHE_PRIVATE_KEY) # Generate the public key self.public_key = keygen.public_key() self.public_key.save(defs.FN_FHE_PUBLIC_KEY) return True def init_encrypt_params(self): self.encrypt_params = EncryptionParameters() self.encrypt_params.set_poly_modulus("1x^2048 + 1") self.encrypt_params.set_coeff_modulus(seal.coeff_modulus_128(2048)) self.encrypt_params.set_plain_modulus(1 << 8) self.context = SEALContext(self.encrypt_params) return def initialize(self, use_old_keys=False): # Initialize encryption params self.init_encrypt_params() # Check if the public & private key files exist if os.path.isfile(defs.FN_FHE_PUBLIC_KEY) and \ os.path.isfile(defs.FN_FHE_PRIVATE_KEY) and \ use_old_keys == True: self.log("Keys already exist. Reusing them instead.") if not self.load_keys(): self.log("Failed to load keys") return False else: # If not, then attempt to generate new ones if not self.generate_keys(): self.log("Failed to generate keys") return False # Setup the rest of the crypto engine self.encryptor = Encryptor(self.context, self.public_key) self.evaluator = Evaluator(self.context) self.decryptor = Decryptor(self.context, self.private_key) # Set the initialized flag self.initialized = True return True def encrypt(self, data): if not self.initialized: self.log("Not initialized") return False # Setup the encoder encoder = FractionalEncoder(self.context.plain_modulus(), self.context.poly_modulus(), 64, 32, 3) # Create the array of encrypted data objects encrypted_data = [] for raw_data in data: encrypted_data.append(Ciphertext(self.encrypt_params)) self.encryptor.encrypt( encoder.encode(raw_data), encrypted_data[-1] ) # Pickle each Ciphertext, base64 encode it, and store it in the array for i in range(0, len(encrypted_data)): encrypted_data[i].save("fhe_enc.bin") encrypted_data[i] = base64.b64encode( pickle.dumps(encrypted_data[i]) ) return encrypted_data def evaluate(self, encrypted_data, lower_idx=0, higher_idx=-1): result = Ciphertext() # Setup the encoder encoder = FractionalEncoder(self.context.plain_modulus(), self.context.poly_modulus(), 64, 32, 3) # Unpack the data first unpacked_data = [] for d in encrypted_data[lower_idx:higher_idx]: unpacked_data.append(pickle.loads(base64.b64decode(d))) # Perform operations self.evaluator.add_many(unpacked_data, result) div = encoder.encode(1/len(unpacked_data)) self.evaluator.multiply_plain(result, div) # Pack the result result = base64.b64encode( pickle.dumps(result) ) return result def decrypt(self, raw_data): if not self.initialized: self.log("Not initialized") return False # Setup the encoder encoder = FractionalEncoder(self.context.plain_modulus(), self.context.poly_modulus(), 64, 32, 3) # Unpickle, base64 decode, and decrypt each ciphertext result decrypted_data = [] for d in raw_data: encrypted_data = pickle.loads( base64.b64decode(d) ) plain_data = Plaintext() self.decryptor.decrypt(encrypted_data, plain_data) decrypted_data.append( str(encoder.decode(plain_data)) ) return decrypted_data