A library for lattice-based multiparty homomorphic encryption in Go
NumberTheoreticTransformer interface.
encoding.BinaryMarshaler implementation for rlwe.Ciphertext types.
Scale to DefaultScale in Parameters and ParametersLiteral.
Evaluator.Average method.
DomainSwitcher type for conversion between Standard and Conjugate Invariant variants of CKKS.
[]complex128 and []float64 as input to Encoder.Encode* methods.
[]float64 as input to GetPrecisionStats.
func(float64)float64 and func(complex128)complex128 as input to Approximate.
Encoder interface.
Encoder.EncodeNTT/New to Encoder.Encode/New and added Encoder.EncodeSlots, Encoder.DecodeSlots and Encoder.DecodeSlotsPublic.
EncodeSlotsQP to encode on rlwe.PolyQP to support the new LinearTransform interface.
Encoder implementation; it is now much faster when encoding sparse plaintexts.
complex128 to float64.
PtDiagMatrix to LinearTransform.
LinearTransform.Rotations() to get the required rotation for the receiver plaintext linear transform.
Parameters.RotationsForLinearTransform to get the required rotation for the given plaintext linear transform.
NewLinearTransform, EncodeNewLinearTransform, GenLinearTransform and GenLinearTransformBSGS to allocate and initialize plaintext linear transforms.
PtDiagMatrix) constructors and initializers from Encoder.
Evaluator.EvaluatePolyVector to enable efficient evaluation of multiple different polynomials on the same ciphertext.
Q[0] or MessageRatio.
MaskedTransformProtocol correctness for sparse plaintexts.
ckks/sigmoid example to ckks/polyeval example, that now showcases the use of PolynomialVector.
MapSmallDimensionToLargerDimensionNTT method which maps from Y = X^{N/n} to X in the NTT domain.
FastBasisExtender type can now extend the basis of polynomials of any level in base Q to polynomials of any level in base P.
Div[floor/round]BylastModulus[NTT] to Div[floor/round]BylastModulus[NTT]Lvl (the level of the last modulus must always be provided).
MFormVector, which switches a slice of uint64 into the Montgomery domain.
GenSwitchingKey now accepts secret-keys of different dimensions and level as input to enable re-encryption between different ciphertext degrees.
SwitchCiphertextRingDegreeNTT and SwitchCiphertextRingDegree to switch ciphertext ring degrees.
rlwe.RingQP type to represent the extended ring R_qp.
rlwe.PolyQP type to represent polynomials in the extended ring R_qp.
CKGCRP, RKGCRP, RTGCRP and CKSCRP types to represent the common reference polynomials in these protocols.
CRS interface for PRNGs that implement a common reference string among the parties.
SampleCRP(crs CRS) method to each protocol type to sample their respective CRP type.
floor(Q/T)*m to round((Q*m)/T) to reduce the initial ciphertext noise.
ckks/advanced sub-package and moved the homomorphic encoding, decoding and modular reduction into it.
ckks/bootstrapping sub-package and moved the CKKS bootstrapping into it. This package now mostly relies on the ckks/advanced package.
ChebyshevInterpolation type to Polynomial.
EvaluateCheby method that was redundant with the EvaluatePoly one.
EvaluatePoly to account for odd/even polynomials and fixed some small imprecisions in scale management occurring for some specific polynomial degrees.
[..]New methods.
NewCiphertextAtLevelFromPoly, which creates a ciphertext at a specific level from two polynomials.
MultiplyByDiagMatrixBSGS and updated the bootstrapping parameters accordingly.
PermuteNTTHoistedNoModDown now returns [phi(P*c0 + c0'), phi(c1')] instead of [phi(c0'), phi(c1')].
RotateHoistedNoModDown to RotateHoistedNoModDownNew for consistency.
ckks/advanced sub-package: a bridge between CKKS and FHEW ciphertexts using homomorphic decoding, ring dimension switching, homomorphic matrix multiplication and homomorphic modular reduction.
int instead of uint64 as parameters and return values.
ring.Ring are now instantiated once in the parameters and read only. They are then accessed by other structs, like the encryptor or evaluator.
MulPoly and its related tests.
ring.Ring is now read-only and thread-safe.
ReadFromDistLvl and ReadAndAddFromDistLvl to Gaussian sampler API.
IsNTT and IsMForm flags in the ring.Poly type. For now, these flags are never checked or changed by the ring package.
rlwe package as common implementation base package for the Lattigo RLWE schemes.
rlwe.Parameters type as common base struct for BFV and CKKS parameters.
rlwe.KeyGenerator type as common key-generator for BFV and CKKS.
rlwe.Ciphertext type as common base struct for BFV and CKKS ciphertexts.
rlwe.Plaintext type as common base struct for BFV and CKKS plaintext.
rlwe.Encryptor type as common base interface for BFV and CKKS encryptors.
rlwe.Decryptor type as common base interface for BFV and CKKS decryptors.
rlwe.KeySwitcher type as a common key-switching implementation for BFV and CKKS evaluators.
Parameters.Copy() method to Parameters.CopyNew() for consistency.
Parameter struct, that stores the relevant ring.Ring instances and has getter methods to access them.
rlwe.RotatationKeySet type.
bfv and ckks packages the rlwe package.
drlwe package as a common implementation base for the Lattigo multiparty RLWE schemes.
dbfv and dckks packages to the drlwe package.
Evaluator interface now has a single method for all column rotations and one method for the row-rotation/conjugate.
Evaluator constructor methods (and no longer to the operations methods).
Moduli and LogModuli types and their associated Parameters constructors.
Parameters types are now passed by value in most situations.
encoding/json-compatible JSON serializers and deserializers for the Parameters types.
-params=[params json] flag for all test and bench suites for specifying parameters from the command line.
E2SProtocol) and Shares-To-Encryption (S2EProtocol) protocols for domain switching between encryptions and secret-shares.
MaskedTransformProtocol that accepts an arbitrary linear function.
ringQMul are now generated based on N and Q.
Parameter methods that compute the required rotations for relevant Evaluator operations.
CoeffsToSlots and SlotsToCoeffs.
CoeffsToSlots and SlotsToCoeffs are now standalone public functions.
RotateHoisted: evaluates several rotations on a single ciphertext.
LinearTransform: evaluates one or more PtDiagMatrix on a ciphertext using MultiplyByDiagMatrix or MultiplyByDiagMatrixBSGS according to the encoding of PtDiagMatrix.
MultiplyByDiagMatrix: multiplies a ciphertext with a PtDiagMatrix using n rotations with single hoisting.
MultiplyByDiagMatrixBSGS: multiplies a ciphertext with a PtDiagMatrix using 2sqrt(n) rotations with double-hoisting.
InnerSumLog: optimal log approach that works for any value (not only powers of two) and can be parameterized to inner sum batches of values (sub-vectors).
InnerSum: naive approach that is faster for small values but needs more keys.
ReplicateLog: optimal log approach that works for any value (not only powers of two) and can be parameterized to replicate batches of values (sub-vectors).
Replicate: naive approach that is faster for small values but needs more keys.
PtDiagMatrix: struct that represents a linear transformation.
EncodeDiagMatrixBSGSAtLvl: encodes a PtDiagMatrix at a given level, with a given scale for the BSGS algorithm.
EncodeDiagMatrixAtLvl: encodes a PtDiagMatrix at a given level, with a given scale for a naive evaluation.
DecodePublic: adds Gaussian noise of variance floor(sigma * sqrt(2*pi)) before the decoding step (see SECURITY.md).
DecodeCoeffsPublic: adds Gaussian noise of variance floor(sigma * sqrt(2*pi)) before the decoding step (see SECURITY.md).
GetErrSTDFreqDom: get the error standard deviation in the frequency domain (slots).
GetErrSTDTimeDom: get the error standard deviation in the time domain (coefficients).
MultByi now correctly sets the output ciphertext scale.
Relinearize now correctly sets the output ciphertext level.
bfv.Element.Level method.
SetRelinKeys to Set
BootstrappParams into BootstrappingParameters
Evaluator.DropLevel, Parameters.SetLogSlots and Element.Copy methods no longer return errors
PlaintextRingT or PlaintextMul) for optimized ct-pt operations. See bfv/encoder.go and bfv/plaintext.go.
Encoder methods
GenNTTPrimes now takes the value Nth (for Nth primitive root) as input rather than logN.
Encoder.DecodeUint64 and Encoder.DecodeInt64 methods now take the output slice as argument.
Evaluator.RotateColumns becomes Evaluator.Rotate
Evaluator.EvaluateCheby isn't done automatically anymore and the user must do it before calling the function to ensure correctness.
EncodeAtLvlNew and EncodeNTTAtLvlNew, which allow a user to encode a plaintext at a specific level.
Evaluator.EvaluateChebySpecial
QiMul field from bfv.Parameters. It is now automatically generated.
Added
All schemes : new switching-keys and key-switching algorithm based on the concept presented in https://eprint.iacr.org/2019/688.pdf.
All schemes : new marshaling interface for all structures.
BFV/CKKS : new Parameters structs and API enabling a better customization and fine tuning for specific applications.
CKKS : new API for hoisted rotations, which is faster than sequential rotations.
DBFV/DCKKS : added collective refresh of a ciphertext (decentralized bootstrapping).
RING : added Ziggurat sampling, available from the context.
RING : enabled dense and sparse ternary polynomials sampling directly from the context.
RING : new API enabling "level" wise polynomial arithmetic.
RING : new API for modulus switching with flooring and rounding.
UTILS : utils now regroups all the utility methods which were previously duplicated among packages.
Removed
BFV/CKKS/DBFV/DCKKS : removed their respective context. Ring context remains public.
All schemes : removed key-switching with bit decomposition. This option will however be re-introduced at a later stage since applications using small parameters can suffer from this change.
BFV/CKKS/RING : removed redundant/irrelevant tests and benchmarks.
BFV : removed context QP as it is no longer used in the multiplication.
BFV : removed int encoder, now only batch encoding is supported.
CKKS : modulus switching is now located in Ring.
RING : removed the algorithms that needed Float128 during the BFV multiplication.
RING : removed most wrapping methods for bigInt, which are now replaced by the native math/big package.
RING : removed ternary sampler, which is now part of the context.
Changed
All schemes : Encryptor, Decryptor, Encoder, Evaluator, KeyGenerator are now interface types.
All schemes : Improved Godoc and error strings.
All schemes : greatly reduced the number of methods that could return an error.
All schemes : new tests and benchmarks with fully supported regex.
All schemes : coefficient wise arithmetic using double slices is now substantially faster.
BFV/CKKS : changed the name of the underlying ring contexts. Q now represents the ciphertext modulus (with QMul being the extended ciphertext modulus for BFV) and QP represents modulus of the keys (P being the special primes used during the new key-switching).
BFV/CKKS/DBFV/DCKKS : structures are now created using the parameters instead of the context.
BFV : quantization during multiplication doesn't use Float128 any more, resulting in a substantial speed improvement.
BFV : BatchEncoder has been renamed Encoder.
CKKS : the scale is now stored as a float64 instead of a power of 2.
CKKS : rounding is applied instead of flooring when a real value is converted to an integer value. This change affects the rescaling and the encoding.
CKKS : previously needed one ring context per level, now only uses one context for all levels.
CKKS : new baby-step giant-step algorithm for evaluating polynomials in standard and Chebyshev basis.
CKKS : reduced the number of NTT needed during the encryption.
CKKS : API for MultConst is now MultByConst.
BFV/CKKS : new API for the rotation-keys generation.
DBFV/DCKKS : complete revamp of the API and interfaces enabling a much easier integration into larger systems.
DBFV/DCKKS : improved PCKS and CKS using the concept of the new key-switching technique, which reduces the added noise.
DCKKS : all protocols work for ciphertexts at any levels.
RING : faster MulScalarBigint (now similar to MulScalar).
UTILS : PRNG must be keyed to be forward secure.
Fixes
All packages : typos, godoc and golint.
CKKS : ciphertext rotation now correctly sets the scale of the output ciphertext.
DBFV/DCKKS : correctness is now ensured when the same protocol instance is used to generate multiple shares.