bool ChooserEvaluator::select_parameters(const std::vector<ChooserPoly> &operands, double noise_standard_deviation, double noise_max_deviation, const std::map<int, BigUInt> ¶meter_options, EncryptionParameters &destination) { if (noise_standard_deviation < 0) { throw invalid_argument("noise_standard_deviation can not be negative"); } if (noise_max_deviation < 0) { throw invalid_argument("noise_max_deviation can not be negative"); } if (parameter_options.size() == 0) { throw invalid_argument("parameter_options must contain at least one entry"); } if (operands.empty()) { throw invalid_argument("operands cannot be empty"); } int largest_bit_count = 0; int largest_coeff_count = 0; for (vector<ChooserPoly>::size_type i = 0; i < operands.size(); ++i) { if (operands[i].comp_ == nullptr) { throw logic_error("no operation history to simulate"); } int current_bit_count = operands[i].max_abs_value_.significant_bit_count(); largest_bit_count = (current_bit_count > largest_bit_count) ? current_bit_count : largest_bit_count; int current_coeff_count = operands[i].max_coeff_count_; largest_coeff_count = (current_coeff_count > largest_coeff_count) ? current_coeff_count : largest_coeff_count; } // We restrict to plain moduli that are powers of two. Here largest_bit_count is the largest positive // coefficient that we can expect to appear. Thus, we need one more bit. destination.plain_modulus() = 1; destination.plain_modulus() <<= largest_bit_count; bool found_good_parms = false; map<int, BigUInt>::const_iterator iter = parameter_options.begin(); while (iter != parameter_options.end() && !found_good_parms) { int dimension = iter->first; if (dimension < 512 || (dimension & (dimension - 1)) != 0) { throw invalid_argument("parameter_options keys invalid"); } if (dimension > largest_coeff_count && destination.plain_modulus() < iter->second) { // Set the polynomial destination.coeff_modulus() = iter->second; destination.poly_modulus().resize(dimension + 1, 1); destination.poly_modulus().set_zero(); destination.poly_modulus()[0] = 1; destination.poly_modulus()[dimension] = 1; // The bound needed for GapSVP->search-LWE reduction //parms.noise_standard_deviation() = round(sqrt(dimension / (2 * 3.1415)) + 0.5); // Use constant (small) standard deviation. destination.noise_standard_deviation() = noise_standard_deviation; // We truncate the gaussian at noise_max_deviation. destination.noise_max_deviation() = noise_max_deviation; // Start initially with the maximum decomposition_bit_count, then decrement until decrypts(). destination.decomposition_bit_count() = destination.coeff_modulus().significant_bit_count(); // We bound the decomposition bit count value by 1/8 of the maximum. A too small // decomposition bit count slows down multiplication significantly. This is not an // issue when the user wants to use multiply_norelin() instead of multiply(), as it // only affects the relinearization step. The fraction 1/8 is not an optimal choice // in any sense, but was rather arbitrarily chosen. An expert user might want to tweak this // value to be smaller or larger depending on their use case. // To do: Figure out a somewhat optimal bound. int min_decomposition_bit_count = destination.coeff_modulus().significant_bit_count() / 8; while (!found_good_parms && destination.decomposition_bit_count() > min_decomposition_bit_count) { found_good_parms = true; for (vector<ChooserPoly>::size_type i = 0; i < operands.size(); ++i) { // If one of the operands does not decrypt, set found_good_parms to false. found_good_parms = operands[i].simulate(destination).decrypts() ? found_good_parms : false; } if (!found_good_parms) { --destination.decomposition_bit_count(); } else { // We found some good parameters. But in fact we can still decrease the decomposition count // a little bit without hurting performance at all. int old_dbc = destination.decomposition_bit_count(); int num_parts = destination.coeff_modulus().significant_bit_count() / old_dbc + (destination.coeff_modulus().significant_bit_count() % old_dbc != 0); destination.decomposition_bit_count() = destination.coeff_modulus().significant_bit_count() / num_parts + (destination.coeff_modulus().significant_bit_count() % num_parts != 0); } } } // This dimension/coeff_modulus are to small. Move on to the next pair. ++iter; } if (!found_good_parms) { destination = EncryptionParameters(); } return found_good_parms; }
bool ChooserEvaluator::select_parameters( const std::vector<ChooserPoly> &operands, int budget_gap, double noise_standard_deviation, const map<int, vector<SmallModulus> > &coeff_modulus_options, EncryptionParameters &destination) { if (budget_gap < 0) { throw std::invalid_argument("budget_gap cannot be negative"); } if (noise_standard_deviation < 0) { throw invalid_argument("noise_standard_deviation can not be negative"); } if (coeff_modulus_options.size() == 0) { throw invalid_argument("parameter_options must contain at least one entry"); } if (operands.empty()) { throw invalid_argument("operands cannot be empty"); } int largest_bit_count = 0; int largest_coeff_count = 0; for (size_t i = 0; i < operands.size(); i++) { if (operands[i].comp_ == nullptr) { throw logic_error("no operation history to simulate"); } int current_bit_count = get_significant_bit_count(operands[i].max_abs_value_); largest_bit_count = (current_bit_count > largest_bit_count) ? current_bit_count : largest_bit_count; int current_coeff_count = operands[i].max_coeff_count_; largest_coeff_count = (current_coeff_count > largest_coeff_count) ? current_coeff_count : largest_coeff_count; } // We restrict to plain moduli that are powers of two. Here largest_bit_count // is the largest positive coefficient that we can expect to appear. Thus, we // need one more bit. uint64_t new_plain_modulus; if (largest_bit_count >= SEAL_USER_MODULO_BIT_BOUND) { // The plain_modulus needed is too big return false; } new_plain_modulus = 1ULL << largest_bit_count; destination.set_plain_modulus(new_plain_modulus); bool found_good_parms = false; map<int, vector<SmallModulus> >::const_iterator iter = coeff_modulus_options.begin(); while (iter != coeff_modulus_options.end() && !found_good_parms) { int dimension = iter->first; if (dimension < 512 || (dimension & (dimension - 1)) != 0) { throw invalid_argument("coeff_modulus_options keys invalid"); } int coeff_bit_count = 0; for(auto mod : iter->second) { coeff_bit_count += mod.bit_count(); } if (dimension > largest_coeff_count && coeff_bit_count > destination.plain_modulus().bit_count()) { // Set the polynomial destination.set_coeff_modulus(iter->second); BigPoly new_poly_modulus(dimension + 1, 1); new_poly_modulus.set_zero(); new_poly_modulus[0] = 1; new_poly_modulus[dimension] = 1; destination.set_poly_modulus(new_poly_modulus); // The bound needed for GapSVP->search-LWE reduction //parms.noise_standard_deviation() = round(sqrt(dimension / (2 * 3.1415)) + 0.5); // Use constant (small) standard deviation. destination.set_noise_standard_deviation(noise_standard_deviation); found_good_parms = true; for (size_t i = 0; i < operands.size(); i++) { // If one of the operands does not decrypt, set found_good_parms to false. found_good_parms = operands[i].simulate(destination).decrypts(budget_gap) ? found_good_parms : false; } } // This dimension/coeff_modulus are to small. Move on to the next pair. iter++; } if (!found_good_parms) { destination = EncryptionParameters(); } return found_good_parms; }