Design and Implementation of a Homomorphic ... - Researcher
Design and Implementation of a Homomorphic ... - Researcher
Design and Implementation of a Homomorphic ... - Researcher
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
The first time that ImportSecKey is called for a specific instance, it also generates a public<br />
encryption key relative to this first secret key. Namely, for the first secret key s it chooses at r<strong>and</strong>om<br />
a polynomial c ∗ 1 ∈ R A Qct (where Q ct is the product <strong>of</strong> all the ciphertext primes) as well as a low-norm<br />
error polynomial e ∗ ∈ A Qct (with Gaussian coefficients), then sets c ∗ 0 := [ptxtSpace · e∗ − s · c ∗ 1 ] Q ct<br />
.<br />
Clearly the resulting pair (c ∗ 0 , c∗ def<br />
1 ) satisfies m∗ = [c ∗ 0 + s · c∗ 1 ] Q ct<br />
= ptxtSpace · e ∗ , <strong>and</strong> the noise<br />
estimate for this public encryption key is noiseVar ∗ = E[|m ∗ (τ m )| 2 ] = p 2 σ 2 · φ(m).<br />
Decryption. The decryption process is rather straightforward. We go over all the ciphertext<br />
parts in the given ciphertext, multiply each part by the secret key that this part points to, <strong>and</strong> sum<br />
the result modulo the current BGV modulus. Then we reduce the result modulo the plaintext-space<br />
modulus, which gives us the plaintext. This is implemented in the method<br />
void Decrypt(ZZX& plaintxt, const Ctxt &ciphertxt) const;<br />
that returns the result in the plaintxt argument. For debugging purposes, we also provide the<br />
method void Decrypt(ZZX& plaintxt, const Ctxt &ciphertxt, ZZX& f) const, that returns<br />
also the polynomial before reduction modulo the plaintext space modulus. We stress that it would<br />
be insecure to use this method in a production system, it is provided only for testing <strong>and</strong> debugging<br />
purposes.<br />
Generating key-switching matrices.<br />
matrices, using the method:<br />
We also provide an interface for generating key-switching<br />
void GenKeySWmatrix(long fromSPower, long fromXPower, long fromKeyIdx=0,<br />
long toKeyIdx=0, long ptxtSpace=0);<br />
This method checks if the relevant key-switching matrix already exists, <strong>and</strong> if not then it generates<br />
it (as described in Section 3.2.1) <strong>and</strong> inserts into the list keySwitching. If left unspecified, the<br />
plaintext space defaults to 2 r , as defined by context.mod2r.<br />
Secret-key encryption. We also provide a secret-key encryption method, that produces ciphertexts<br />
with a slightly smaller noise than the public-key encryption method. Namely we have the<br />
method<br />
long FHESecKey::Encrypt(Ctxt &c, const ZZX& ptxt, long ptxtSpace, long skIdx) const;<br />
that encrypts the polynomial ptxt relative to plaintext-space modulus ptxtSpace, <strong>and</strong> the secret<br />
key whose index is skIdx. Similarly to the choise <strong>of</strong> the public encryption key, the Encrypt<br />
method chooses at r<strong>and</strong>om a polynomial c 1 ∈ R A Qct (where Q ct is the product <strong>of</strong> all the ciphertext<br />
primes) as well as a low-norm error polynomial e ∈ A Qct (with Gaussian coefficients), then sets<br />
c 0 := [ptxtSpace · e + ptxt − s · c 1 ] Qct . Clearly the resulting pair (c 0 , c 1 ) satisfies m def = [c 0 + s ·<br />
c 1 ] Qct = ptxtSpace · e + ptxt, <strong>and</strong> the noise estimate for this public encryption key is noiseVar ≈<br />
E[|m(τ m )| 2 ] = p 2 σ 2 · φ(m).<br />
3.3 The KeySwitching module: What matrices to generate<br />
This module implements a few useful strategies for deciding what key-switching matrices for automorphism<br />
to choose during key-generation. Specifically we have the following methods:<br />
28