// Apply a permutation network to a ciphertext
// FIXME: Do we need to also give an EncryptedArray object as paramter?
void PermNetwork::applyToCtxt(Ctxt& c) const
{
const PAlgebra& al = c.getContext().zMStar;
EncryptedArray ea(c.getContext());
// Use G(X)=X for this ea object, this works since we only have 0/1 entries
// Apply the layers, one at a time
for (long i=0; i<layers.length(); i++) {
const PermNetLayer& lyr = layers[i];
if (lyr.isID) continue; // this layer is the identity permutation
// This layer is shifted via powers of g^e mod m
long g2e = PowerMod(al.ZmStarGen(lyr.genIdx), lyr.e, al.getM());
Vec<long> unused = lyr.shifts; // copy to a new vector
vector<long> mask(lyr.shifts.length()); // buffer to hold masks
Ctxt sum(c.getPubKey(), c.getPtxtSpace()); // an empty ciphertext
long shamt = 0;
bool frst = true;
while (true) {
pair<long,bool> ret=makeMask(mask, unused, shamt); // compute mask
if (ret.second) { // non-empty mask
Ctxt tmp = c;
ZZX maskPoly;
ea.encode(maskPoly, mask); // encode mask as polynomial
tmp.multByConstant(maskPoly); // multiply by mask
if (shamt!=0) // rotate if the shift amount is nonzero
tmp.smartAutomorph(PowerMod(g2e, shamt, al.getM()));
if (frst) {
sum = tmp;
frst = false;
}
else
sum += tmp;
}
if (ret.first >= 0)
shamt = unused[ret.first]; // next shift amount to use
else break; // unused is all-zero, done with this layer
}
c = sum; // update the cipehrtext c before the next layer
}
}
void extractDigits(vector<Ctxt>& digits, const Ctxt& c, long r)
{
const FHEcontext& context = c.getContext();
long rr = c.effectiveR();
if (r<=0 || r>rr) r = rr; // how many digits to extract
long p = context.zMStar.getP();
ZZX x2p;
if (p>3) {
buildDigitPolynomial(x2p, p, r);
}
Ctxt tmp(c.getPubKey(), c.getPtxtSpace());
digits.resize(r, tmp); // allocate space
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "***\n");
#endif
for (long i=0; i<r; i++) {
tmp = c;
for (long j=0; j<i; j++) {
if (p==2) digits[j].square();
else if (p==3) digits[j].cube();
else polyEval(digits[j], x2p, digits[j]);
// "in spirit" digits[j] = digits[j]^p
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "%5ld", digits[j].bitCapacity());
#endif
tmp -= digits[j];
tmp.divideByP();
}
digits[i] = tmp; // needed in the next round
#ifdef DEBUG_PRINTOUT
if (dbgKey) {
double ratio =
log(embeddingLargestCoeff(digits[i], *dbgKey)/digits[i].getNoiseBound())/log(2.0);
fprintf(stderr, "%5ld [%f]", digits[i].bitCapacity(), ratio);
if (ratio > 0) fprintf(stderr, " BAD-BOUND");
fprintf(stderr, "\n");
}
else {
fprintf(stderr, "%5ld\n", digits[i].bitCapacity());
}
#endif
}
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "***\n");
#endif
}
void EncryptedArrayDerived<type>::rotate1D(Ctxt& ctxt, long i, long amt, bool dc) const
{
FHE_TIMER_START;
const PAlgebra& al = context.zMStar;
const vector< vector< RX > >& maskTable = tab.getMaskTable();
RBak bak; bak.save(); tab.restoreContext();
assert(&context == &ctxt.getContext());
assert(i >= 0 && i < (long)al.numOfGens());
// Make sure amt is in the range [1,ord-1]
long ord = al.OrderOf(i);
amt %= ord;
if (amt == 0) return;
long signed_amt = amt;
if (amt < 0) amt += ord;
// DIRT: the above assumes division with remainder
// follows C++11 and C99 rules
if (al.SameOrd(i)) { // a "native" rotation
long val = PowerMod(al.ZmStarGen(i), amt, al.getM());
ctxt.smartAutomorph(val);
}
else if (dc) {
// the "don't care" case...it is presumed that any shifts
// "off the end" are zero. For this, we have to use
// the "signed" version of amt.
long val = PowerMod(al.ZmStarGen(i), signed_amt, al.getM());
ctxt.smartAutomorph(val);
}
else {
// more expensive "non-native" rotation
assert(maskTable[i].size() > 0);
long val = PowerMod(al.ZmStarGen(i), amt, al.getM());
long ival = PowerMod(al.ZmStarGen(i), amt-ord, al.getM());
const RX& mask = maskTable[i][ord-amt];
DoubleCRT m1(conv<ZZX>(mask), context, ctxt.getPrimeSet());
Ctxt tmp(ctxt); // a copy of the ciphertext
tmp.multByConstant(m1); // only the slots in which m1=1
ctxt -= tmp; // only the slots in which m1=0
ctxt.smartAutomorph(val); // shift left by val
tmp.smartAutomorph(ival); // shift right by ord-val
ctxt += tmp; // combine the two parts
}
FHE_TIMER_STOP;
}
// Apply the same linear transformation to all the slots.
// C is the output of ea.buildLinPolyCoeffs
void applyLinPoly1(const EncryptedArray& ea, Ctxt& ctxt, const vector<ZZX>& C)
{
assert(&ea.getContext() == &ctxt.getContext());
long d = ea.getDegree();
assert(d == lsize(C));
long nslots = ea.size();
vector<ZZX> encodedC(d);
for (long j = 0; j < d; j++) {
vector<ZZX> v(nslots);
for (long i = 0; i < nslots; i++) v[i] = C[j];
ea.encode(encodedC[j], v);
}
applyLinPolyLL(ctxt, encodedC, ea.getDegree());
}
void decryptAndPrint(ostream& s, const Ctxt& ctxt, const FHESecKey& sk,
const EncryptedArray& ea, long flags)
{
const FHEcontext& context = ctxt.getContext();
xdouble noiseEst = sqrt(ctxt.getNoiseVar());
xdouble modulus = xexp(context.logOfProduct(ctxt.getPrimeSet()));
vector<ZZX> ptxt;
ZZX p, pp;
sk.Decrypt(p, ctxt, pp);
s << "plaintext space mod "<<ctxt.getPtxtSpace()
<< ", level="<<ctxt.findBaseLevel()
<< ", \n |noise|=q*" << (coeffsL2Norm(pp)/modulus)
<< ", |noiseEst|=q*" << (noiseEst/modulus)
<<endl;
if (flags & FLAG_PRINT_ZZX) {
s << " before mod-p reduction=";
printZZX(s,pp) <<endl;
}
if (flags & FLAG_PRINT_POLY) {
s << " after mod-p reduction=";
printZZX(s,p) <<endl;
}
if (flags & FLAG_PRINT_VEC) {
ea.decode(ptxt, p);
if (ea.getAlMod().getTag() == PA_zz_p_tag
&& ctxt.getPtxtSpace() != ea.getAlMod().getPPowR()) {
long g = GCD(ctxt.getPtxtSpace(), ea.getAlMod().getPPowR());
for (long i=0; i<ea.size(); i++)
PolyRed(ptxt[i], g, true);
}
s << " decoded to ";
if (deg(p) < 40) // just pring the whole thing
s << ptxt << endl;
else if (ptxt.size()==1) // a single slot
printZZX(s, ptxt[0]) <<endl;
else { // print first and last slots
printZZX(s, ptxt[0],20) << "--";
printZZX(s, ptxt[ptxt.size()-1], 20) <<endl;
}
}
}
void checkCiphertext(const Ctxt& ctxt, const ZZX& ptxt, const FHESecKey& sk)
{
const FHEcontext& context = ctxt.getContext();
/*
IndexSet base = baseSetOf(ctxt);
double addedNoise = log(ctxt.modSwitchAddedNoiseVar());
Ctxt tmp = ctxt;
tmp.modDownToSet(base);
double totalNoise = log(tmp.getNoiseVar());
cout << " @@@ log(added-noise)="<<addedNoise
<< ", log(total-noise)="<<totalNoise<<endl;
*/
cout << " ln(q)="<< context.logOfProduct(ctxt.getPrimeSet())
<< ", ln(nVar)/2="<< log(ctxt.getNoiseVar())/2;
// << ", ln(nMag)="<< log(ctxt.getNoiseMag());
ZZX res;
// sk.Decrypt(res, ctxt);
ZZX f;
sk.Decrypt(res, ctxt, f);
cout << ", ln(mxPtxtCoef)=" << log(largestCoeff(f));
// ensure we reduce the same way on both
PolyRed((ZZX&)res,res,ctxt.getPtxtSpace(),true);
PolyRed((ZZX&)ptxt,ptxt,ctxt.getPtxtSpace(),true);
if (res != ptxt) {
cout << ", failed\n";
for (long i=0; i<=deg(ptxt); i++) if (coeff(res,i)!=coeff(ptxt,i)) {
cout << "first mismatch in coeff "<<i<<": "
<< coeff(res,i)<<"!="<<coeff(ptxt,i)<<"\n";
break;
}
cout << "Timing information:\n";
printAllTimers();
cout << "\n";
exit(0);
}
else cout << ", succeeded\n";
}
void EncryptedArrayDerived<type>::shift1D(Ctxt& ctxt, long i, long k) const
{
FHE_TIMER_START;
const PAlgebra& al = context.zMStar;
const vector< vector< RX > >& maskTable = tab.getMaskTable();
RBak bak; bak.save(); tab.restoreContext();
assert(&context == &ctxt.getContext());
assert(i >= 0 && i < (long)al.numOfGens());
long ord = al.OrderOf(i);
if (k <= -ord || k >= ord) {
ctxt.multByConstant(to_ZZX(0));
return;
}
// Make sure amt is in the range [1,ord-1]
long amt = k % ord;
if (amt == 0) return;
if (amt < 0) amt += ord;
RX mask = maskTable[i][ord-amt];
long val;
if (k < 0)
val = PowerMod(al.ZmStarGen(i), amt-ord, al.getM());
else {
mask = 1 - mask;
val = PowerMod(al.ZmStarGen(i), amt, al.getM());
}
DoubleCRT m1(conv<ZZX>(mask), context, ctxt.getPrimeSet());
ctxt.multByConstant(m1); // zero out slots where mask=0
ctxt.smartAutomorph(val); // shift left by val
FHE_TIMER_STOP;
}
void adjustLevelForMult(Ctxt& c1, const char name1[], const ZZX& p1,
Ctxt& c2, const char name2[], const ZZX& p2,
const FHESecKey& sk)
{
const FHEcontext& context = c1.getContext();
// The highest possible level for this multiplication is the
// intersection of the two primeSets, without the special primes.
IndexSet primes = c1.getPrimeSet() & c2.getPrimeSet();
primes.remove(context.specialPrimes);
assert (!empty(primes));
// double phim = (double) context.zMstar.phiM();
// double factor = c_m*sqrt(log(phim))*4;
xdouble n1,n2,d1,d2;
xdouble dvar1 = c1.modSwitchAddedNoiseVar();
xdouble dvar2 = c2.modSwitchAddedNoiseVar();
// xdouble dmag1 = c1.modSwitchAddedNoiseMag(c_m);
// xdouble dmag2 = c2.modSwitchAddedNoiseMag(c_m);
// cout << " ** log(dvar1)=" << log(dvar1)
// << ", log(dvar2)=" << log(dvar2) <<endl;
double logF1, logF2;
xdouble n1var, n2var, modSize; // n1mag, n2mag,
// init to large number
xdouble noiseVarRatio=xexp(2*(context.logOfProduct(context.ctxtPrimes)
+ context.logOfProduct(context.specialPrimes)));
// xdouble noiseMagRatio=noiseVarRatio;
// Find the level that minimizes the noise-to-modulus ratio
bool oneLevelMore = false;
for (IndexSet levelDown = primes;
!empty(levelDown); levelDown.remove(levelDown.last())) {
// compute noise variane/magnitude after mod-switchign to this level
logF1 = context.logOfProduct(c1.getPrimeSet() / levelDown);
n1var = c1.getNoiseVar()/xexp(2*logF1);
logF2 = context.logOfProduct(c2.getPrimeSet() / levelDown);
n2var = c2.getNoiseVar()/xexp(2*logF2);
// compute modulus/noise ratio at this level
modSize = xexp(context.logOfProduct(levelDown));
xdouble nextNoiseVarRatio = sqrt((n1var+dvar1)*(n2var+dvar2))/modSize;
if (nextNoiseVarRatio < 2*noiseVarRatio || oneLevelMore) {
noiseVarRatio = nextNoiseVarRatio;
primes = levelDown; // record the currently best prime set
n1 = n1var; d1=dvar1; n2 = n2var; d2=dvar2;
}
oneLevelMore = (n1var > dvar1 || n2var > dvar2);
}
if (primes < c1.getPrimeSet()) {
cout << " ** " << c1.getPrimeSet()<<"=>"<<primes << endl;
cout << " n1var="<<n1<<", d1var="<<d1<<endl;;
c1.modDownToSet(primes);
cout << name1 << ".mDown:"; checkCiphertext(c1, p1, sk);
}
if (primes < c2.getPrimeSet()) {
cout << " ** " << c2.getPrimeSet()<<"=>"<<primes << endl;
cout << " n2var="<<n2<<", d2var="<<d2<<endl;;
c2.modDownToSet(primes);
cout << name2 << ".mDown:"; checkCiphertext(c2, p2, sk);
}
}
void extendExtractDigits(vector<Ctxt>& digits, const Ctxt& c, long r, long e)
{
const FHEcontext& context = c.getContext();
long p = context.zMStar.getP();
ZZX x2p;
if (p>3) {
buildDigitPolynomial(x2p, p, r);
}
// we should pre-compute this table
// for i = 0..r-1, entry i is G_{e+r-i} in Chen and Han
Vec<ZZX> G;
G.SetLength(r);
for (long i: range(r)) {
compute_magic_poly(G[i], p, e+r-i);
}
vector<Ctxt> digits0;
Ctxt tmp(c.getPubKey(), c.getPtxtSpace());
digits.resize(r, tmp); // allocate space
digits0.resize(r, tmp);
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "***\n");
#endif
for (long i: range(r)) {
tmp = c;
for (long j: range(i)) {
if (digits[j].capacity() >= digits0[j].capacity()) {
// optimization: digits[j] is better than digits0[j],
// so just use it
tmp -= digits[j];
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "%5ld*", digits[j].bitCapacity());
#endif
}
else {
if (p==2) digits0[j].square();
else if (p==3) digits0[j].cube();
else polyEval(digits0[j], x2p, digits0[j]); // "in spirit" digits0[j] = digits0[j]^p
tmp -= digits0[j];
#ifdef DEBUG_PRINTOUT
fprintf(stderr, "%5ld ", digits0[j].bitCapacity());
#endif
}
tmp.divideByP();
}
digits0[i] = tmp; // needed in the next round
polyEval(digits[i], G[i], tmp);
#ifdef DEBUG_PRINTOUT
if (dbgKey) {
double ratio =
log(embeddingLargestCoeff(digits[i], *dbgKey)/digits[i].getNoiseBound())/log(2.0);
fprintf(stderr, "%5ld --- %5ld", digits0[i].bitCapacity(), digits[i].bitCapacity());
fprintf(stderr, " [%f]", ratio);
if (ratio > 0) fprintf(stderr, " BAD-BOUND");
fprintf(stderr, "\n");
}
else {
fprintf(stderr, "%5ld --- %5ld\n", digits0[i].bitCapacity(), digits[i].bitCapacity());
}
#endif
}
}
// Extract digits from fully packed slots
void extractDigitsPacked(Ctxt& ctxt, long botHigh, long r, long ePrime,
const vector<ZZX>& unpackSlotEncoding)
{
FHE_TIMER_START;
// Step 1: unpack the slots of ctxt
FHE_NTIMER_START(unpack);
ctxt.cleanUp();
// Apply the d automorphisms and store them in scratch area
long d = ctxt.getContext().zMStar.getOrdP();
vector<Ctxt> scratch; // used below
vector<Ctxt> unpacked(d, Ctxt(ZeroCtxtLike, ctxt));
{ // explicit scope to force all temporaries to be released
vector< shared_ptr<DoubleCRT> > coeff_vector;
coeff_vector.resize(d);
for (long i = 0; i < d; i++)
coeff_vector[i] = shared_ptr<DoubleCRT>(new
DoubleCRT(unpackSlotEncoding[i], ctxt.getContext(), ctxt.getPrimeSet()) );
Ctxt tmp1(ZeroCtxtLike, ctxt);
Ctxt tmp2(ZeroCtxtLike, ctxt);
// FIXME: implement using hoisting!
for (long j = 0; j < d; j++) { // process jth Frobenius
tmp1 = ctxt;
tmp1.frobeniusAutomorph(j);
tmp1.cleanUp();
// FIXME: not clear if we should call cleanUp here
for (long i = 0; i < d; i++) {
tmp2 = tmp1;
tmp2.multByConstant(*coeff_vector[mcMod(i+j, d)]);
unpacked[i] += tmp2;
}
}
}
FHE_NTIMER_STOP(unpack);
// Step 2: extract the digits top-1,...,0 from the slots of unpacked[i]
long p = ctxt.getContext().zMStar.getP();
long p2r = power_long(p,r);
long topHigh = botHigh + r-1;
#ifdef DEBUG_PRINTOUT
cerr << "+ After unpack ";
decryptAndPrint(cerr, unpacked[0], *dbgKey, *dbgEa, printFlag);
cerr << " extracting "<<(topHigh+1)<<" digits\n";
#endif
if (p==2 && r>2)
topHigh--; // For p==2 we sometime get a bit for free
FHE_NTIMER_START(extractDigits);
for (long i=0; i<(long)unpacked.size(); i++) {
if (topHigh<=0) { // extracting LSB = no-op
scratch.assign(1,unpacked[i]);
} else { // extract digits topHigh...0, store them in scratch
extractDigits(scratch, unpacked[i], topHigh+1);
}
// set upacked[i] = -\sum_{j=botHigh}^{topHigh} scratch[j] * p^{j-botHigh}
if (topHigh >= (long)scratch.size()) {
topHigh = scratch.size() -1;
cerr << " @ suspect: not enough digits in extractDigitsPacked\n";
}
unpacked[i] = scratch[topHigh];
for (long j=topHigh-1; j>=botHigh; --j) {
unpacked[i].multByP();
unpacked[i] += scratch[j];
}
if (p==2 && botHigh>0) // For p==2, subtract also the previous bit
unpacked[i] += scratch[botHigh-1];
unpacked[i].negate();
if (r>ePrime) { // Add in digits from the bottom part, if any
long topLow = r-1 - ePrime;
Ctxt tmp = scratch[topLow];
for (long j=topLow-1; j>=0; --j) {
tmp.multByP();
tmp += scratch[j];
}
if (ePrime>0)
tmp.multByP(ePrime); // multiply by p^e'
unpacked[i] += tmp;
}
unpacked[i].reducePtxtSpace(p2r); // Our plaintext space is now mod p^r
}
FHE_NTIMER_STOP(extractDigits);
#ifdef DEBUG_PRINTOUT
cerr << "+ Before repack ";
decryptAndPrint(cerr, unpacked[0], *dbgKey, *dbgEa, printFlag);
#endif
// Step 3: re-pack the slots
FHE_NTIMER_START(repack);
const EncryptedArray& ea2 = *ctxt.getContext().ea;
ZZX xInSlots;
vector<ZZX> xVec(ea2.size());
ctxt = unpacked[0];
for (long i=1; i<d; i++) {
x2iInSlots(xInSlots, i, xVec, ea2);
unpacked[i].multByConstant(xInSlots);
ctxt += unpacked[i];
}
FHE_NTIMER_STOP(repack);
}
// Extract digits from thinly packed slots
void extractDigitsThin(Ctxt& ctxt, long botHigh, long r, long ePrime)
{
FHE_TIMER_START;
Ctxt unpacked(ctxt);
unpacked.cleanUp();
vector<Ctxt> scratch;
// Step 2: extract the digits top-1,...,0 from the slots of unpacked[i]
long p = ctxt.getContext().zMStar.getP();
long p2r = power_long(p,r);
long topHigh = botHigh + r-1;
#ifdef DEBUG_PRINTOUT
cerr << "+ After unpack ";
decryptAndPrint(cerr, unpacked, *dbgKey, *dbgEa, printFlag);
cerr << " extracting "<<(topHigh+1)<<" digits\n";
#endif
if (p==2 && r>2)
topHigh--; // For p==2 we sometime get a bit for free
if (topHigh<=0) { // extracting LSB = no-op
scratch.assign(1, unpacked);
} else { // extract digits topHigh...0, store them in scratch
extractDigits(scratch, unpacked, topHigh+1);
}
// set upacked = -\sum_{j=botHigh}^{topHigh} scratch[j] * p^{j-botHigh}
if (topHigh >= LONG(scratch.size())) {
topHigh = scratch.size() -1;
cerr << " @ suspect: not enough digits in extractDigitsPacked\n";
}
unpacked = scratch[topHigh];
for (long j=topHigh-1; j>=botHigh; --j) {
unpacked.multByP();
unpacked += scratch[j];
}
if (p==2 && botHigh>0) // For p==2, subtract also the previous bit
unpacked += scratch[botHigh-1];
unpacked.negate();
if (r>ePrime) { // Add in digits from the bottom part, if any
long topLow = r-1 - ePrime;
Ctxt tmp = scratch[topLow];
for (long j=topLow-1; j>=0; --j) {
tmp.multByP();
tmp += scratch[j];
}
if (ePrime>0)
tmp.multByP(ePrime); // multiply by p^e'
unpacked += tmp;
}
unpacked.reducePtxtSpace(p2r); // Our plaintext space is now mod p^r
#ifdef DEBUG_PRINTOUT
cerr << "+ Before repack ";
decryptAndPrint(cerr, unpacked[0], *dbgKey, *dbgEa, printFlag);
#endif
ctxt = unpacked;
}
void EncryptedArrayDerived<type>::mat_mul(Ctxt& ctxt, const PlaintextBlockMatrixBaseInterface& mat) const
{
FHE_TIMER_START;
assert(this == &mat.getEA().getDerived(type()));
assert(&context == &ctxt.getContext());
RBak bak; bak.save(); tab.restoreContext();
const PlaintextBlockMatrixInterface<type>& mat1 =
dynamic_cast< const PlaintextBlockMatrixInterface<type>& >( mat );
ctxt.cleanUp(); // not sure, but this may be a good idea
Ctxt res(ctxt.getPubKey(), ctxt.getPtxtSpace());
// a new ciphertext, encrypting zero
long nslots = size();
long d = getDegree();
mat_R entry;
entry.SetDims(d, d);
vector<RX> entry1;
entry1.resize(d);
vector< vector<RX> > diag;
diag.resize(nslots);
for (long j = 0; j < nslots; j++) diag[j].resize(d);
for (long i = 0; i < nslots; i++) {
// process diagonal i
bool zDiag = true;
long nzLast = -1;
for (long j = 0; j < nslots; j++) {
bool zEntry = mat1.get(entry, mcMod(j-i, nslots), j);
assert(zEntry || (entry.NumRows() == d && entry.NumCols() == d));
// get(...) returns true if the entry is empty, false otherwise
if (!zEntry && IsZero(entry)) zEntry=true; // zero is an empty entry too
if (!zEntry) { // non-empty entry
zDiag = false; // mark diagonal as non-empty
// clear entries between last nonzero entry and this one
for (long jj = nzLast+1; jj < j; jj++) {
for (long k = 0; k < d; k++)
clear(diag[jj][k]);
}
nzLast = j;
// recode entry as a vector of polynomials
for (long k = 0; k < d; k++) conv(entry1[k], entry[k]);
// compute the lin poly coeffs
buildLinPolyCoeffs(diag[j], entry1);
}
}
if (zDiag) continue; // zero diagonal, continue
// clear trailing zero entries
for (long jj = nzLast+1; jj < nslots; jj++) {
for (long k = 0; k < d; k++)
clear(diag[jj][k]);
}
// now diag[j] contains the lin poly coeffs
Ctxt shCtxt = ctxt;
rotate(shCtxt, i);
// apply the linearlized polynomial
for (long k = 0; k < d; k++) {
// compute the constant
bool zConst = true;
vector<RX> cvec;
cvec.resize(nslots);
for (long j = 0; j < nslots; j++) {
cvec[j] = diag[j][k];
if (!IsZero(cvec[j])) zConst = false;
}
if (zConst) continue;
ZZX cpoly;
encode(cpoly, cvec);
// FIXME: record the encoded polynomial for future use
Ctxt shCtxt1 = shCtxt;
shCtxt1.frobeniusAutomorph(k);
shCtxt1.multByConstant(cpoly);
res += shCtxt1;
}
}
ctxt = res;
}
void EncryptedArrayDerived<type>::shift(Ctxt& ctxt, long k) const
{
FHE_TIMER_START;
const PAlgebra& al = context.zMStar;
const vector< vector< RX > >& maskTable = tab.getMaskTable();
RBak bak; bak.save(); tab.restoreContext();
assert(&context == &ctxt.getContext());
// Simple case: just one generator
if (al.numOfGens()==1) {
shift1D(ctxt, 0, k);
return;
}
long nSlots = al.getNSlots();
// Shifting by more than the number of slots gives an all-zero cipehrtext
if (k <= -nSlots || k >= nSlots) {
ctxt.multByConstant(to_ZZX(0));
return;
}
// Make sure that amt is in [1,nslots-1]
long amt = k % nSlots;
if (amt == 0) return;
if (amt < 0) amt += nSlots;
// rotate the ciphertext, one dimension at a time
long i = al.numOfGens()-1;
long v = al.coordinate(i, amt);
RX mask = maskTable[i][v];
Ctxt tmp(ctxt.getPubKey());
const RXModulus& PhimXmod = tab.getPhimXMod();
rotate1D(ctxt, i, v);
for (i--; i >= 0; i--) {
v = al.coordinate(i, amt);
DoubleCRT m1(conv<ZZX>(mask), context, ctxt.getPrimeSet());
tmp = ctxt;
tmp.multByConstant(m1); // only the slots in which mask=1
ctxt -= tmp; // only the slots in which mask=0
if (i>0) {
rotate1D(ctxt, i, v+1);
rotate1D(tmp, i, v);
ctxt += tmp; // combine the two parts
mask = ((mask * (maskTable[i][v] - maskTable[i][v+1])) % PhimXmod)
+ maskTable[i][v+1]; // update the mask before next iteration
}
else { // i == 0
if (k < 0) v -= al.OrderOf(0);
shift1D(tmp, 0, v);
shift1D(ctxt, 0, v+1);
ctxt += tmp;
}
}
FHE_TIMER_STOP;
}
void EncryptedArrayDerived<type>::rotate(Ctxt& ctxt, long amt) const
{
FHE_TIMER_START;
const PAlgebra& al = context.zMStar;
const vector< vector< RX > >& maskTable = tab.getMaskTable();
RBak bak; bak.save(); tab.restoreContext();
assert(&context == &ctxt.getContext());
// Simple case: just one generator
if (al.numOfGens()==1) { // VJS: bug fix: <= must be ==
rotate1D(ctxt, 0, amt);
return;
}
// Make sure that amt is in [1,nslots-1]
amt %= (long) al.getNSlots();
if (amt == 0) { return; }
if (amt < 0) amt += al.getNSlots();
// rotate the ciphertext, one dimension at a time
long i = al.numOfGens()-1;
long v = al.coordinate(i, amt);
RX mask = maskTable[i][v];
Ctxt tmp(ctxt.getPubKey());
const RXModulus& PhimXmod = tab.getPhimXMod();
// optimize for the common case where the last generator has order in
// Zm*/(p) different than its order in Zm*. In this case we can combine
// the rotate1D relative to this generator with the masking after the
// rotation. This saves one mult-by-constant, since we use the same mask
// inside rotate1D as in the loop below.
if (al.SameOrd(i) || v==0) rotate1D(ctxt, i, v); // no need to optimize
else {
long ord = al.OrderOf(i);
long val = PowerMod(al.ZmStarGen(i), v, al.getM());
long ival = PowerMod(al.ZmStarGen(i), v-ord, al.getM());
DoubleCRT m1(conv<ZZX>(maskTable[i][ord-v]), context, ctxt.getPrimeSet());
tmp = ctxt; // a copy of the ciphertext
tmp.multByConstant(m1); // only the slots in which m1=1
ctxt -= tmp; // only the slots in which m1=0
ctxt.smartAutomorph(val); // shift left by val
tmp.smartAutomorph(ival); // shift right by ord-val
// apply rotation relative to next generator before combining the parts
--i;
v = al.coordinate(i, amt);
rotate1D(ctxt, i, v);
rotate1D(tmp, i, v+1);
ctxt += tmp; // combine the two parts
if (i <= 0) { return; } // no more generators
mask = ((mask * (maskTable[i][v] - maskTable[i][v+1])) % PhimXmod)
+ maskTable[i][v+1]; // update the mask for next iteration
}
// Handle rotation relative to all the other generators (if any)
for (i--; i >= 0; i--) {
v = al.coordinate(i, amt);
DoubleCRT m1(conv<ZZX>(mask), context, ctxt.getPrimeSet());
tmp = ctxt;
tmp.multByConstant(m1); // only the slots in which mask=1
ctxt -= tmp; // only the slots in which mask=0
rotate1D(tmp, i, v);
rotate1D(ctxt, i, v+1);
ctxt += tmp;
if (i>0) {
mask = ((mask * (maskTable[i][v] - maskTable[i][v+1])) % PhimXmod)
+ maskTable[i][v+1]; // update the mask for next iteration
}
}
FHE_TIMER_STOP;
}
static void apply(const EncryptedArrayDerived<type>& ea, Ctxt& ctxt,
const PlaintextBlockMatrixBaseInterface& mat)
{
assert(&ea == &mat.getEA().getDerived(type()));
assert(&ea.getContext() == &ctxt.getContext());
const PAlgebra& zMStar = ea.getContext().zMStar;
long p = zMStar.getP();
long m = zMStar.getM();
const RXModulus& F = ea.getTab().getPhimXMod();
RBak bak; bak.save(); ea.getTab().restoreContext();
const PlaintextBlockMatrixInterface<type>& mat1 =
dynamic_cast< const PlaintextBlockMatrixInterface<type>& >( mat );
ctxt.cleanUp(); // not sure, but this may be a good idea
long nslots = ea.size();
long d = ea.getDegree();
Vec< shared_ptr<Ctxt> > acc;
acc.SetLength(d);
for (long k = 0; k < d; k++)
acc[k] = shared_ptr<Ctxt>(new Ctxt(ZeroCtxtLike, ctxt));
mat_R entry;
entry.SetDims(d, d);
vector<RX> entry1;
entry1.resize(d);
vector< vector<RX> > diag;
diag.resize(nslots);
for (long j = 0; j < nslots; j++) diag[j].resize(d);
for (long i = 0; i < nslots; i++) { // process diagonal i
bool zDiag = true;
long nzLast = -1;
for (long j = 0; j < nslots; j++) {
bool zEntry = mat1.get(entry, mcMod(j-i, nslots), j);
assert(zEntry || (entry.NumRows() == d && entry.NumCols() == d));
// get(...) returns true if the entry is empty, false otherwise
if (!zEntry && IsZero(entry)) zEntry=true; // zero is an empty entry too
if (!zEntry) { // non-empty entry
zDiag = false; // mark diagonal as non-empty
// clear entries between last nonzero entry and this one
for (long jj = nzLast+1; jj < j; jj++) {
for (long k = 0; k < d; k++)
clear(diag[jj][k]);
}
nzLast = j;
// recode entry as a vector of polynomials
for (long k = 0; k < d; k++) conv(entry1[k], entry[k]);
// compute the lin poly coeffs
ea.buildLinPolyCoeffs(diag[j], entry1);
}
}
if (zDiag) continue; // zero diagonal, continue
// clear trailing zero entries
for (long jj = nzLast+1; jj < nslots; jj++) {
for (long k = 0; k < d; k++)
clear(diag[jj][k]);
}
// now diag[j] contains the lin poly coeffs
Ctxt shCtxt = ctxt;
ea.rotate(shCtxt, i);
shCtxt.cleanUp();
RX cpoly1, cpoly2;
ZZX cpoly;
// apply the linearlized polynomial
for (long k = 0; k < d; k++) {
// compute the constant
bool zConst = true;
vector<RX> cvec;
cvec.resize(nslots);
for (long j = 0; j < nslots; j++) {
cvec[j] = diag[j][k];
if (!IsZero(cvec[j])) zConst = false;
}
if (zConst) continue;
ea.encode(cpoly, cvec);
conv(cpoly1, cpoly);
// apply inverse automorphism to constant
plaintextAutomorph(cpoly2, cpoly1, PowerMod(p, mcMod(-k, d), m), zMStar, F);
conv(cpoly, cpoly2);
Ctxt shCtxt1 = shCtxt;
shCtxt1.multByConstant(cpoly);
*acc[k] += shCtxt1;
}
}
Ctxt res(ZeroCtxtLike, ctxt);
for (long k = 0; k < d; k++) {
acc[k]->frobeniusAutomorph(k);
res += *acc[k];
}
ctxt = res;
}
static void apply(const EncryptedArrayDerived<type>& ea,
Ctxt& ctxt, const PlaintextMatrixBaseInterface& mat)
{
assert(&ea == &mat.getEA().getDerived(type()));
assert(&ea.getContext() == &ctxt.getContext());
RBak bak; bak.save(); ea.getTab().restoreContext();
// Get the derived type
const PlaintextMatrixInterface<type>& mat1 =
dynamic_cast< const PlaintextMatrixInterface<type>& >( mat );
ctxt.cleanUp(); // not sure, but this may be a good idea
Ctxt res(ctxt.getPubKey(), ctxt.getPtxtSpace()); // fresh encryption of zero
long nslots = ea.size();
long d = ea.getDegree();
RX entry;
vector<RX> diag;
diag.resize(nslots);
// Process the diagonals one at a time
for (long i = 0; i < nslots; i++) { // process diagonal i
bool zDiag = true; // is this a zero diagonal?
long nzLast = -1; // index of last non-zero entry on this diagonal
// Compute constants for each entry on this diagonal
for (long j = 0; j < nslots; j++) { // process entry j
bool zEntry = mat1.get(entry, mcMod(j-i, nslots), j); // callback
assert(zEntry || deg(entry) < d);
if (!zEntry && IsZero(entry)) zEntry = true; // check for zero
if (!zEntry) { // non-zero diagonal entry
zDiag = false; // diagonal is non-zero
// clear entries between last nonzero entry and this one
for (long jj = nzLast+1; jj < j; jj++) clear(diag[jj]);
nzLast = j;
diag[j] = entry;
}
}
if (zDiag) continue; // zero diagonal, continue
// clear trailing zero entries
for (long jj = nzLast+1; jj < nslots; jj++) clear(diag[jj]);
// Now we have the constants for all the diagonal entries, encode the
// diagonal as a single polynomial with these constants in the slots
ZZX cpoly;
ea.encode(cpoly, diag);
// rotate by i, multiply by the polynomial, then add to the result
Ctxt shCtxt = ctxt;
ea.rotate(shCtxt, i); // rotate by i
shCtxt.multByConstant(cpoly);
res += shCtxt;
}
ctxt = res;
}
// bootstrap a ciphertext to reduce noise
void FHEPubKey::reCrypt(Ctxt &ctxt)
{
FHE_TIMER_START;
// Some sanity checks for dummy ciphertext
long ptxtSpace = ctxt.getPtxtSpace();
if (ctxt.isEmpty()) return;
if (ctxt.parts.size()==1 && ctxt.parts[0].skHandle.isOne()) {
// Dummy encryption, just ensure that it is reduced mod p
ZZX poly = to_ZZX(ctxt.parts[0]);
for (long i=0; i<poly.rep.length(); i++)
poly[i] = to_ZZ( rem(poly[i],ptxtSpace) );
poly.normalize();
ctxt.DummyEncrypt(poly);
return;
}
assert(recryptKeyID>=0); // check that we have bootstrapping data
long p = getContext().zMStar.getP();
long r = getContext().alMod.getR();
long p2r = getContext().alMod.getPPowR();
// the bootstrapping key is encrypted relative to plaintext space p^{e-e'+r}.
long e = getContext().rcData.e;
long ePrime = getContext().rcData.ePrime;
long p2ePrime = power_long(p,ePrime);
long q = power_long(p,e)+1;
assert(e>=r);
#ifdef DEBUG_PRINTOUT
cerr << "reCrypt: p="<<p<<", r="<<r<<", e="<<e<<" ePrime="<<ePrime
<< ", q="<<q<<endl;
#endif
// can only bootstrap ciphertext with plaintext-space dividing p^r
assert(p2r % ptxtSpace == 0);
FHE_NTIMER_START(preProcess);
// Make sure that this ciphertxt is in canonical form
if (!ctxt.inCanonicalForm()) ctxt.reLinearize();
// Mod-switch down if needed
IndexSet s = ctxt.getPrimeSet() / getContext().specialPrimes; // set minus
if (s.card()>2) { // leave only bottom two primes
long frst = s.first();
long scnd = s.next(frst);
IndexSet s2(frst,scnd);
s.retain(s2); // retain only first two primes
}
ctxt.modDownToSet(s);
// key-switch to the bootstrapping key
ctxt.reLinearize(recryptKeyID);
// "raw mod-switch" to the bootstrapping mosulus q=p^e+1.
vector<ZZX> zzParts; // the mod-switched parts, in ZZX format
double noise = ctxt.rawModSwitch(zzParts, q);
noise = sqrt(noise);
// Add multiples of p2r and q to make the zzParts divisible by p^{e'}
long maxU=0;
for (long i=0; i<(long)zzParts.size(); i++) {
// make divisible by p^{e'}
long newMax = makeDivisible(zzParts[i].rep, p2ePrime, p2r, q,
getContext().rcData.alpha);
zzParts[i].normalize(); // normalize after working directly on the rep
if (maxU < newMax) maxU = newMax;
}
// Check that the estimated noise is still low
if (noise + maxU*p2r*(skHwts[recryptKeyID]+1) > q/2)
cerr << " * noise/q after makeDivisible = "
<< ((noise + maxU*p2r*(skHwts[recryptKeyID]+1))/q) << endl;
for (long i=0; i<(long)zzParts.size(); i++)
zzParts[i] /= p2ePrime; // divide by p^{e'}
// Multiply the post-processed cipehrtext by the encrypted sKey
#ifdef DEBUG_PRINTOUT
cerr << "+ Before recryption ";
decryptAndPrint(cerr, recryptEkey, *dbgKey, *dbgEa, printFlag);
#endif
double p0size = to_double(coeffsL2Norm(zzParts[0]));
double p1size = to_double(coeffsL2Norm(zzParts[1]));
ctxt = recryptEkey;
ctxt.multByConstant(zzParts[1], p1size*p1size);
ctxt.addConstant(zzParts[0], p0size*p0size);
#ifdef DEBUG_PRINTOUT
cerr << "+ Before linearTrans1 ";
decryptAndPrint(cerr, ctxt, *dbgKey, *dbgEa, printFlag);
#endif
FHE_NTIMER_STOP(preProcess);
// Move the powerful-basis coefficients to the plaintext slots
FHE_NTIMER_START(LinearTransform1);
ctxt.getContext().rcData.firstMap->apply(ctxt);
FHE_NTIMER_STOP(LinearTransform1);
#ifdef DEBUG_PRINTOUT
cerr << "+ After linearTrans1 ";
decryptAndPrint(cerr, ctxt, *dbgKey, *dbgEa, printFlag);
#endif
// Extract the digits e-e'+r-1,...,e-e' (from fully packed slots)
extractDigitsPacked(ctxt, e-ePrime, r, ePrime,
context.rcData.unpackSlotEncoding);
#ifdef DEBUG_PRINTOUT
cerr << "+ Before linearTrans2 ";
decryptAndPrint(cerr, ctxt, *dbgKey, *dbgEa, printFlag);
#endif
// Move the slots back to powerful-basis coefficients
FHE_NTIMER_START(LinearTransform2);
ctxt.getContext().rcData.secondMap->apply(ctxt);
FHE_NTIMER_STOP(LinearTransform2);
}
