Published by qantik 2 months ago
The sixth major release of Lattigo marks a departure from some of the abstractions introduced in version five by refocusing the library onto the scheme level, meaning the implemented RLWE- and RGSW-based cryptosystems. This pivot comes at the expense of the he package introduced in the previous version. In short, he provided abstractions of the CKKS and BGV schemes from the schemes package with the intended goal of offering quick access to homomorphic encryption functionalities without requiring an extensive amount of background knowledge of RLWE/RGSW-based cryptography and its accompanying literature. Under the hood, the he package was merely a thin wrapper around important objects from schemes/ckks and schemes/bgv, which effectively constituted an elaborate renaming/aliasing of structures such as parameters, encoders and evaluators. However, the core focus of Lattigo has always been the implementation of common homomorphic cryptosystems. Writing as well as utilizing circuits without at least a surface knowledge of the underlying schemes is not a realistic goal at this stage in the life cycle of homomorphic encryption. Unlike other cryptographic fields such as symmetric cryptography, whose primitives can be safely utilized without domain knowledge, the lacking maturity of homomorphic encryption does not permit a similar level of abstraction. Moreover, the abstraction in he was leaky, e.g., schemes had to be instantiated using the parameters objects from schemes/*, which basically voided the raison d'être of the package.
circuits Package
The removal of the he package has consequences for the homomorphic circuits such as CKKS bootstrapping that were also part of he. All of them have been moved to a newly created package termed circuits, organized by scheme, resulting in the following directory structure.
circuits
├── bgv
│   ├── lintrans
│   └── polynomial
├── ckks
│   ├── bootstrapping
│   ├── comparison
│   ├── dft
│   ├── inverse
│   ├── lintrans
│   ├── minimax
│   ├── mod1
│   └── polynomial
└── common
    ├── lintrans
    └── polynomial
Note that both linear transformations and the polynomial evaluator support both the BGV and CKKS schemes and thus scheme-generic structures are found in the circuits/common sub-directory.
All supported circuits in the new circuits package are instantiated with an evaluator. In Lattigo-v5, such an evaluator had to conform to a circuit-specific interface that for certain circuits appeared dauntingly complex (see e.g., EvaluatorForLinearTransformation). It is not clear how a user (layman and expert) was supposed to make use of such interfaces without total knowledge of the entire Lattigo code base down to the ring level. It is more likely that, if a custom evaluator was required for a particular circuit, a user would simply adapt an existing scheme evaluator from schemes to his needs. With the refocus of the sixth version of Lattigo onto the scheme level, we tend to this use case by removing all EvaluatorFor[*] interfaces in the circuits package and replacing them with a scheme-agnostic evaluator interface in schemes/scheme.go. This design choice should streamline the creation of custom evaluators based on existing ones, making the hacking of new and existing circuits simpler.
A fresh ring packing routine based on the HERMES work by Bae et al. (https://eprint.iacr.org/2023/1244) has been added, which improves the time and memory by a significant margin compared to the existing baseline packing implementation. This adds two new operations to the packing facilities:
Extraction. Recursively split the ciphertexts into left and right parts of half the ring degree until the minimum ring degree defined by the user is reached before applying the extraction procedure.
Repacking. Apply the sample repacking procedure in the small ring over multiple ciphertexts before merging them recursively back to the larger ring.
The new ring packing implementation has been moved from the removed he package into the existing core/rlwe package and can be invoked through an updated API:
rlwe.RingPackingEvaluator:
NewRingPackingEvaluator(evk *RingPackingEvaluationKey)
Extract(ct *rlwe.Ciphertext, idx []int, naive bool) (cts map[int]*rlwe.Ciphertext, err error)
Repack(cts map[int]*rlwe.Ciphertext, naive bool) (ct *rlwe.Ciphertext, err error)
Split(ctN, ctEvenNHalf, ctOddNHalf *rlwe.Ciphertext) (err error)
Merge(ctEvenNHalf, ctOddNHalf, ctN *rlwe.Ciphertext) (err error)
ShallowCopy() *RingPackingEvaluator
rlwe.RingPackingEvaluationKey
A second new feature is the addition of slot-wise permutations to the linear transformation circuits in circuits/*/lintrans. Permutations provide the ability to arbitrarily reorder ciphertext slots through a linear transformation. The exact nature of the permutation is determined via the new lintrans.PermutationMapping and lintrans.Permutation objects:
type PermutationMapping[T bgv.Integer | ckks.Float] struct {
	From    int
	To      int
	Scaling T
}
type Permutation[T bgv.Integer | ckks.Float] []PermutationMapping[T]
func (p Permutation[T]) GetDiagonals(logSlots int) Diagonals[T] {}
Here, a PermutationMapping specifies the origin and destination index of a single ciphertext slot. A slice of permutation mappings then yields a Permutation, from which the diagonals can be extracted to be passed to the initializer of the linear transformation.
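An added example, not Lattigo's code: a stand-alone Go sketch of how a list of slot mappings becomes a set of diagonals, and what those diagonals compute on a cleartext vector. It assumes cyclic rotations over a single row of slots and the convention diag[k][i] = M[i][(i+k) mod slots]; the float64 specialisation, the Apply and Reverse helpers and the duplicate-destination check are this sketch's own.

```go
package main

import "fmt"

// PermutationMapping mirrors the struct above, specialised to float64.
// Stand-alone sketch: it does not import Lattigo.
type PermutationMapping struct {
	From    int
	To      int
	Scaling float64
}

// Permutation is a list of slot mappings.
type Permutation []PermutationMapping

// Diagonals maps a diagonal index k to its vector of slot values.
type Diagonals map[int][]float64

// GetDiagonals builds the diagonal form of the matrix M with
// M[To][From] = Scaling. Assumed convention (not taken from the page):
// diag[k][i] = M[i][(i+k) mod slots].
func (p Permutation) GetDiagonals(logSlots int) (Diagonals, error) {
	slots := 1 << logSlots
	diags := Diagonals{}
	seenTo := make(map[int]bool, len(p))
	for _, pm := range p {
		if pm.From < 0 || pm.From >= slots || pm.To < 0 || pm.To >= slots {
			return nil, fmt.Errorf("mapping %d -> %d outside [0, %d)", pm.From, pm.To, slots)
		}
		// Two sources for one destination would be a sum, not a permutation.
		if seenTo[pm.To] {
			return nil, fmt.Errorf("destination slot %d assigned twice", pm.To)
		}
		seenTo[pm.To] = true
		k := (pm.From - pm.To + slots) % slots
		if diags[k] == nil {
			diags[k] = make([]float64, slots)
		}
		diags[k][pm.To] = pm.Scaling
	}
	return diags, nil
}

// Apply evaluates the transformation in the clear:
// out[i] = sum over k of diag[k][i] * in[(i+k) mod n].
// The input must hold exactly 1<<logSlots values. Each distinct non-zero k
// corresponds to the input being rotated by k slots.
func Apply(d Diagonals, in []float64) []float64 {
	n := len(in)
	out := make([]float64, n)
	for k, diag := range d {
		for i := range out {
			out[i] += diag[i] * in[(i+k)%n]
		}
	}
	return out
}

// Reverse returns the permutation sending slot i to slot slots-1-i.
func Reverse(logSlots int) Permutation {
	slots := 1 << logSlots
	p := make(Permutation, slots)
	for i := range p {
		p[i] = PermutationMapping{From: i, To: slots - 1 - i, Scaling: 1}
	}
	return p
}

func main() {
	// Constructed input: 8 slots holding 1..8.
	in := []float64{1, 2, 3, 4, 5, 6, 7, 8}
	d, err := Reverse(3).GetDiagonals(3)
	if err != nil {
		panic(err)
	}
	fmt.Println("non-zero diagonals:", len(d))
	fmt.Println("permuted slots:   ", Apply(d, in))
}
```

Slots that no mapping targets come out as zero, and the number of non-zero diagonals, rather than the number of mappings, is what drives the cost of the resulting linear transformation.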
The implementation of the BFV cryptosystem simply wraps the BGV scheme by redefining the multiplication methods of the evaluator. This introduced a significant amount of code duplication. The new way of instantiating BFV is through the BGV evaluator by setting the scaleInvariant flag. See the READMEs of schemes/bfv and schemes/bgv for more information.
bfvEvaluator := bgv.NewEvaluator(params, evaluationKeys, true)
Lattigo-v6 provides an improved unit test context generation skeleton that reduces the amount of boilerplate code duplication for the creation of Lattigo objects such as parameters and evaluators for use in unit tests. The files schemes/*/test_utils.go now contain scheme-specific functions to be reused in unit tests of all packages that depend on schemes.
lintrans.Parameters struct now allows for a fine-grained instantiation of both the lintrans.Parameters.LevelQ and lintrans.Parameters.LevelP fields.
rlwe.Evaluator.gadgetProductSinglePAndBitDecompLazy
godoc
[*] operator. This allows for a quick navigation of the
mhe package has been renamed to multiparty containing packages multiparty/mpbgv and multiparty/mpckks to better reflect the removal of the he package.
core/rlwe leading the complete deletion of he/bin package.
Lattigo-v6 now requires a minimum Golang version of 1.21. The support for earlier versions has been deprecated. The principal reason for this change is the usage of the newly introduced slices package in the standard library, whose functions replace some of the procedures in utils/slices.go.
The removal of the he package necessitates some changes in projects that relied on Lattigo-v5. However, since he was only renaming key structures from schemes/*, the required changes are straightforward.
hefloat. Any code that used the he/hefloat package needs to rename the imports to schemes/ckks with the exception of code that made use of circuits that formerly were he/hefloat. These circuits now have to be imported separately, for circuits/ckks/lintrans.
heint. Any code that used the he/heint package needs to rename the imports to schemes/ckks with the exception of code that made use of circuits that formerly were he/heint. These circuits now have to be imported separately, for circuits/bgv/polynomial.
The Lattigo team would like to thank Christian Mouchet @ChristianMct for his insightful reviews and comments during the development phase.
staticcheck by @romainbou in https://github.com/tuneinsight/lattigo/pull/462
he package by @qantik (c2c6f716 to e2e37218)
bfv package by @qantik (1487afa1)
bfv.Evaluator.ShallowCopy() that wasn't shallowcopying the basis extender, which would result in correctness error when using multiple shallowcopied evaluators concurrently and the scale invariant tensoring (BFV-style multiplication).
Published by Pro7ech 11 months ago
lattigo/ring benchmarks
lattigo/schemes
lattigo/he/hebin, lattigo/he/heint and lattigo/he/hefloat
Published by Pro7ech 11 months ago
The following sections give an overview of the main changes brought by the v5. This list is not exhaustive and we recommend taking a look at the CHANGELOG.md for the full list of changes.
The library has been fully reorganized to provide a better user experience tailored around plaintext spaces and functionalities rather than schemes. The new organization of the packages is as follows, from highest to lowest level:
he: The highest level package, intended to be the user-facing part of the library for most applications. It contains three sub-packages which provide homomorphic encryption functionalities based on the plaintext domain:
  hefloat: Homomorphic encryption with fixed-point approximate encrypted arithmetic over the real or complex numbers. This package is intended to be used for encrypted arithmetic with floating point numbers and is implemented as a wrapper over the schemes/ckks package, with additional functionalities.
    bootstrapping: Bootstrapping for fixed-point approximate arithmetic over the real and complex numbers.
  heint: Homomorphic encryption for modular encrypted arithmetic over the integers. This package is intended to be used for encrypted arithmetic over integers and is implemented as a wrapper of the schemes/bgv package, with additional functionalities.
  hebin: Homomorphic encryption for binary arithmetic. It currently implements blind rotations (a.k.a Lookup Tables) (previously rgsw/lut).
mhe: This package implements scheme-agnostic RLWE-based multiparty key-generation and proxy re-encryption (previously drlwe).
  mhefloat: Homomorphic decryption from RLWE to Linear-Secret-Sharing-Shares (LSSS) and homomorphic re-encryption from LSSS to RLWE, as well as interactive bootstrapping for he/hefloat (previously dckks).
  mheint: Homomorphic decryption from RLWE to Linear-Secret-Sharing-Shares (LSSS) and homomorphic re-encryption from LSSS to RLWE, as well as interactive bootstrapping for he/heint (previously dbfv and dbgv).
schemes: This package regroups all the homomorphic encryption schemes implemented in the library, which are the backend of the he package. It currently contains the following schemes:
  bgv: A Full-RNS generalization of the Brakerski-Fan-Vercauteren scale-invariant (BFV) and Brakerski-Gentry-Vaikuntanathan (BGV) homomorphic encryption schemes.
  bfv: A Full-RNS variant of the Brakerski-Fan-Vercauteren scale-invariant homomorphic encryption scheme. This scheme is instantiated via a wrapper of the bgv scheme.
  ckks: A Full-RNS variant of the Homomorphic Encryption for Arithmetic for Approximate Numbers (HEAAN, a.k.a. CKKS) scheme.
core: This package implements the core homomorphic cryptographic functionalities of the library which are common to all the RLWE and LWE schemes.
  rlwe: A package that implements the generic cryptographic functionalities and operations that are common to all RLWE-based homomorphic encryption schemes.
  rgsw: A package that provides support for Ring-GSW encryption and the external product.
ring: A package implementing arithmetic for power-of-two cyclotomic rings.
utils: A package implementing various utility functions, secure sampling, serialization, and linear algebra.
The package lattigo/he provides scheme agnostic interfaces for basic encoding, homomorphic operations and generic implementations for higher level operations such as polynomial evaluation and linear transformations. These are used to implement scheme specific functionalities in he/hebin, he/heint and he/hefloat in a way that enables users to easily provide custom implementations of sub-routines (e.g. adding concurrency).
The bfv, bgv and ckks encoders and evaluators have had their API reduced, simplified and uniformized across schemes. This enables the definition of scheme-agnostic interfaces in the he package. The API reduction mostly consolidates redundant methods into a single one. For example, the ckks.Evaluator used to have the methods
MultByConst(ctIn *rlwe.Ciphertext, constant interface{}, ctOut *rlwe.Ciphertext)
MultByGaussianInteger(ctIn *rlwe.Ciphertext, cReal, cImag interface{}, ctOut *rlwe.Ciphertext)
MultByi(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)
DivByi(ctIn *rlwe.Ciphertext, ctOut *rlwe.Ciphertext)
Mul/MulRelin(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext)
These have been consolidated into the single method Mul/MulRelin(ctIn *rlwe.Ciphertext, op1 rlwe.Operand, ctOut *rlwe.Ciphertext).
This change renders scheme-specific interfaces such as bgv.Encoder or ckks.Evaluator obsolete, so they have been removed. Their functionality is now covered by the scheme-agnostic interfaces he.Encoder and he.Evaluator.
The previous implementation only allowed a ternary distribution for the secret, and a Gaussian distribution for the error. We have removed this restriction and it is now possible to use custom distributions for the secret and error, as long as they satisfy the ring.DistributionParameters interface. Available distributions are ring.DiscreteGaussian, ring.Ternary, and ring.Uniform.
Additionally, the sampling and related interfaces have been improved. Notably, the interface ring.Sampler has been added and it is possible to instantiate a sampler directly from a ring.DistributionParameters.
Finally, the ring.GaussianSampler has been extended to support large-norm Gaussian sampling, enabling proper smudging.
ring.Ring Object
The ring.Ring object was previously a single struct storing all the pre-computed constants (e.g. NTT Tables) as double slices, indexed by their respective prime. This required a large struct that was difficult to re-slice and didn't represent well the underlying mathematical object of an RNS decomposed large ring. The new ring.Ring object is now much closer to the mathematical definition and is composed of ring.SubRing, one per prime. These ring.SubRing define all the pre-computed constants for their respective prime and they operate on slices modulo this prime.
Plaintext and ciphertexts are now wrappers of the rlwe.Element generic type, which contains a pointer to the rlwe.MetaData struct. This struct comprises the fields rlwe.CiphertextMetaData and rlwe.PlaintextMetaData, which contain metadata about the state of the ciphertext and plaintext.
The implementation of the BGV scheme has been entirely rewritten to provide a unified variant of the BFV and BGV schemes. The proposed implementation provides all the functionalities of the BFV and BGV schemes under a unified framework. This is enabled by the equivalence between the LSB and MSB encodings when the plaintext modulus $t$ is coprime with the ciphertext modulus $Q$. In other words, if $t$ is coprime with $Q$, then the BFV and BGV schemes are indistinguishable up to a factor of $t^{-1} \mod Q$.
In this hybrid implementation, the BGV plaintext is scaled by $t^{-1} \mod Q$ (MSB encoding) instead of the error being scaled by $t$ (LSB encoding). This approach enables an implementation that behaves exactly like both schemes in terms of noise growth and performance depending on which multiplication is used: the regular tensoring (BGV/CKKS) or the scale-invariant tensoring (BFV).
For backwards compatibility, the standalone implementation of the BFV scheme still exists, but it is now instantiated as a wrapper of the new hybrid BGV scheme which essentially restricts the multiplication to only the scale invariant tensoring. The functionalities and noise growth are identical to the original BFV implementation, except that the plaintext modulus must be coprime with the ciphertext modulus.
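An added example, not code from Lattigo: a scalar Go toy of the two encodings described above, keeping only the message and error terms that remain once the secret-key mask has been removed. The moduli Q = 2^61 - 1 and t = 65537, the sample message and error, and all function names are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Centered returns the representative of x mod q in (-q/2, q/2].
func Centered(x, q *big.Int) *big.Int {
	r := new(big.Int).Mod(x, q)
	half := new(big.Int).Rsh(q, 1)
	if r.Cmp(half) > 0 {
		r.Sub(r, q)
	}
	return r
}

// EncodeLSB returns m + t*e mod Q: the error is scaled by t (LSB encoding).
func EncodeLSB(m, e, t, q *big.Int) *big.Int {
	x := new(big.Int).Mul(t, e)
	x.Add(x, m)
	return x.Mod(x, q)
}

// EncodeMSB returns t^{-1}*m + e mod Q: the message is scaled by t^{-1}
// (MSB encoding). It fails when t is not invertible modulo Q.
func EncodeMSB(m, e, t, q *big.Int) (*big.Int, error) {
	tInv := new(big.Int).ModInverse(t, q)
	if tInv == nil {
		return nil, errors.New("t has no inverse mod Q: gcd(t, Q) != 1")
	}
	x := new(big.Int).Mul(tInv, m)
	x.Add(x, e)
	return x.Mod(x, q), nil
}

// DecodeLSB recovers m from m + t*e, valid while |m + t*e| < Q/2.
func DecodeLSB(x, t, q *big.Int) *big.Int {
	return new(big.Int).Mod(Centered(x, q), t)
}

// DecodeMSB multiplies by t to return to the LSB form, then decodes.
func DecodeMSB(y, t, q *big.Int) *big.Int {
	return DecodeLSB(new(big.Int).Mul(y, t), t, q)
}

func main() {
	// Constructed parameters: Q = 2^61 - 1 (prime), t = 65537.
	q := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 61), big.NewInt(1))
	t := big.NewInt(65537)
	m, e := big.NewInt(12345), big.NewInt(-7)

	lsb := EncodeLSB(m, e, t, q)
	msb, err := EncodeMSB(m, e, t, q)
	if err != nil {
		panic(err)
	}
	// The two encodings differ exactly by the factor t mod Q.
	back := new(big.Int).Mul(msb, t)
	back.Mod(back, q)
	fmt.Println("MSB * t == LSB (mod Q):", back.Cmp(lsb) == 0)
	fmt.Println("decoded from LSB:", DecodeLSB(lsb, t, q))
	fmt.Println("decoded from MSB:", DecodeMSB(msb, t, q))

	// Non-coprime moduli: the MSB form cannot be built.
	_, err = EncodeMSB(m, e, big.NewInt(6), big.NewInt(1024))
	fmt.Println("t=6, Q=1024:", err)
}
```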
The implementation of the CKKS scheme now supports a scaling factor of up to 120 bits, enabling high precision fixed-point approximate arithmetic. Additionally the following advanced arithmetic operations have been improved/added in the package he/hefloat:
The generic interface he.Bootstrapper[CiphertextType any] has been added to the package he, enabling easy plug-and-play black-box bootstrapping in any implementation defining the bootstrapping via this interface.
The usability and range of parameterization of the bootstrapping for fixed-point approximate homomorphic encryption over real and complex numbers has been substantially improved:
Examples for the bootstrapping can be found in examples/he/hefloat/bootstrapping.
Up to v4, the evaluation keys were defined by the struct rlwe.SwitchingKey. Although applying an evaluation key on a ciphertext does indeed serve the purpose of public re-encryption, user feedback has shown that this naming approach can lead to confusion and lacks an intuitive hierarchy among the different objects which are derived from the rlwe.SwitchingKey struct (and it does not provide a direct mapping with the literature). This is notably caused by the fact that public re-encryption is hardly ever used to change the access structure of a ciphertext, but as a means to ensure ciphertext compactness and decryption correctness during the different evaluation phases of a circuit.
To remedy this issue, the struct rlwe.SwitchingKey has been renamed rlwe.EvaluationKey, and a comprehensive documentation on the generation, usage, and all capabilities of this object, as well as code comments, have been added. Additionally, the method SwitchKeys has been renamed ApplyEvaluationKey.
The goal is to better convey that rlwe.EvaluationKey is a special type of public key that is used during the evaluation phase of a circuit with different purposes (relinearization, automorphisms, etc...).
The struct rlwe.RotationKeySet has been removed. It is now replaced by the type rlwe.GaloisKey, which is a wrapper of rlwe.EvaluationKey and stores a single rlwe.EvaluationKey along with some meta data to help identify which automorphism it enables.
There is now a simple and much more intuitive hierarchy among rlwe.EvaluationKeys:
rlwe.EvaluationKey
|
|-> rlwe.RelinearizationKey
└-> rlwe.GaloisKey
To be able to manage multiple rlwe.EvaluationKeys, the rlwe.EvaluationKeySet interface has been added. The (bfv/bgv/ckks).Evaluator types now use this interface to access evaluation keys when required, which enables the users to define their own loading/saving/persistence policies for rlwe.RelinearizationKey and rlwe.GaloisKeys. The rlwe.MemEvaluationKeySet struct was added as a simple, memory-backed implementation of the rlwe.EvaluationKeySet interface.
Additionally, it is now possible to generate evaluation keys with specific levels for the moduli Q and P, as well as specific power of two decomposition, by passing the optional struct rlwe.EvaluationKeyParameters to the key-generator. This also means that the power of two decomposition for the evaluation keys is not a field of the cryptographic parameters anymore.
Many tests and benchmarks located in the bfv, bgv and ckks packages were merely wrappers of methods of the package rlwe, and thus didn't serve any meaningful purpose. Additionally, many methods in the rlwe package were not comprehensively tested.
To remedy this issue, all tests and benchmarks in the bfv, bgv and ckks packages that were solely wrappers of a method located in rlwe have been removed. The test coverage of the rlwe package has been substantially increased by adding tests and expanding the range of parameters for which those methods are tested.
An example is the tests for automorphisms. These were tested in each of the schemes by checking that applying a specific automorphism on a ciphertext encrypting an encoded plaintext would result in specific rotations in the plaintext decoded domain. Although such a test does ensure that the full pipeline behaves as expected, it made debugging difficult because it was not easy to pinpoint where a correctness error came from.
Instead, these kinds of functionalities have been broken down into their elementary operations, testing each of them separately. Going back to the tests for the automorphisms, the rlwe package will now test that a Galois key is correctly generated, that the homomorphic automorphism applies the correct Galois automorphism on the polynomial coefficients, and that it produces the expected noise; and the schemes will only test that an automorphism on an encoded plaintext results in the correct rotation on the decoded plaintext.
Finally, all relevant methods of rlwe now have a benchmark function and the noise bounds for the tests in the packages rlwe and mhe have been substantially improved.
A new package utils/bignum has been added. It provides arbitrary precision arithmetic and polynomial interpolation (Chebyshev & Multi-Interval Remez) over the real and complex numbers.
The CGGI algorithm has been replaced by LMKCDEY's algorithm, enabling faster blind-rotations, smaller keys, and arbitrary key-distribution.
In addition to the previously available encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces, relevant Lattigo objects now implement the io.ReaderFrom and io.WriterTo interfaces to read/write objects directly from/to io.Reader and io.Writer. Moreover, the new methods have been optimized for buffers that provide transient access to their internal buffer (through the buffer.Writer interface, see below).
This is supported by two new packages devoted to serialization: utils/buffer and utils/structs. The package utils/buffer features low-level custom methods to efficiently write and read slices on any writer or reader that also exposes its internal buffer. The package utils/structs implements generic map, vector and matrix structs of any type, as well as their serialization.
lattigo/v4/ckks -> lattigo/v5/he/hefloat
lattigo/v4/[bfv/bgv] -> lattigo/v5/he/heint
lattigo/v4/rgsw/lut -> lattigo/v5/he/hebin
lattigo/v4/drlwe -> lattigo/v5/mhe
lattigo/v4/dckks -> lattigo/v5/mhe/mhefloat
lattigo/v4/[dbfv/dbgv] -> lattigo/v5/mhe/mheint
lattigo/v4/rlwe -> lattigo/v5/core/rlwe
lattigo/v4/rgsw -> lattigo/v5/core/rgsw
lattigo/v4/ring -> lattigo/v5/ring
If needed, the bfv, bgv and ckks standalone schemes are still available, although they are not intended to be the front-end of the library:
lattigo/v4/ckks -> lattigo/v5/schemes/ckks
lattigo/v4/bfv -> lattigo/v5/schemes/bfv
lattigo/v4/bgv -> lattigo/v5/schemes/bgv
Published by Pro7ech 12 months ago
The following sections give an overview of the main changes brought by the v5. This list is not exhaustive and we recommend taking a look at the CHANGELOG.md for the full list of changes.
The library has been fully reorganized to provide a better user experience. The new organization of the packages is as follows, from the highest level to the lowest level:
he: The highest level package which is intended to be the user-facing part of the library for most applications. It contains three sub-packages which provide homomorphic encryption functionalities based on the plaintext domain:
  hefloat: Homomorphic encryption for fixed-point approximate encrypted arithmetic over the complex or real numbers. This package is implemented as a wrapper over the schemes/ckks package.
    bootstrapping: State-of-the-Art bootstrapping for fixed-point approximate arithmetic over the real
  heint: Homomorphic encryption for modular encrypted arithmetic over the integers. This package is implemented as a wrapper of the schemes/bgv package.
  hebin: Blind rotations (a.k.a Lookup Tables).
mhe: This package implements scheme agnostic RLWE-based multiparty key-generation and proxy re-encryption.
  mhefloat: Homomorphic decryption from RLWE to Linear-Secret-Sharing-Shares (LSSS) and homomorphic re-encryption from LSSS to RLWE, as well as interactive bootstrapping for he/hefloat.
  mheint: Homomorphic decryption from RLWE to Linear-Secret-Sharing-Shares (LSSS) and homomorphic re-encryption from LSSS to RLWE, as well as interactive bootstrapping for he/heint.
schemes: This package regroups all the homomorphic encryption schemes implemented in the library. It currently contains the following schemes:
  bgv: A Full-RNS generalization of the Brakerski-Fan-Vercauteren scale-invariant (BFV) and Brakerski-Gentry-Vaikuntanathan (BGV) homomorphic encryption schemes.
  bfv: A Full-RNS variant of the Brakerski-Fan-Vercauteren scale-invariant homomorphic encryption scheme. This scheme is instantiated via a wrapper of the bgv scheme.
  ckks: A Full-RNS variant of the Homomorphic Encryption for Arithmetic for Approximate Numbers (HEAAN, a.k.a. CKKS) scheme.
core: This package implements the core homomorphic cryptographic functionalities of the library which are common to all the RLWE and LWE schemes.
  rlwe: A package that implements the generic cryptographic functionalities and operations that are common to all RLWE-based homomorphic encryption schemes.
  rgsw: A package that provides support for Ring-GSW encryption and the external product.
ring: A package implementing arithmetic for power-of-two cyclotomic rings.
utils: A package implementing various utility functions, secure sampling, serialization and linear algebra.
The package lattigo/he provides scheme agnostic interfaces for basic homomorphic operations and generic implementations for higher level operations such as polynomial evaluation and linear transformations. These are used to implement scheme specific functionalities in he/hebin, he/heint and he/hefloat in a way that enables users to easily provide custom implementations of sub-routines (e.g. adding concurrency).
The implementation of the BGV scheme has been entirely rewritten to provide a unified variant of the BFV and BGV schemes. The proposed implementation provides all the functionalities of the BFV and BGV schemes under a unified framework. This is enabled by the equivalency between the LSB and MSB encodings when the plaintext modulus $t$ is coprime with the ciphertext modulus $Q$. In other words, if $t$ is coprime with $Q$, then the BFV and BGV schemes are indistinguishable up to a factor of $t^{-1} \mod Q$.
In this hybrid implementation, the BGV plaintext is scaled by $t^{-1} \mod Q$ (MSB encoding) instead of the error being scaled by $t$ (LSB encoding). This approach enables an implementation that behaves exactly like both schemes in terms of noise growth and performance depending on which multiplication is used: the regular tensoring (BGV/CKKS) or the scale-invariant tensoring (BFV).
For backward compatibility, the standalone implementation of the BFV scheme still exists, but is now instantiated as a wrapper of the new hybrid BGV scheme which essentially restricts the multiplication to only the scale invariant tensoring. The functionalities and noise growth are identical to the original BFV implementation, except that the plaintext modulus must be coprime with the ciphertext modulus.
The implementation of the CKKS scheme now supports a scaling factor of up to 120 bits, enabling high precision fixed-point approximate arithmetic. Additionally the following advanced arithmetic operations have been improved/added in the package he/hefloat:
The generic interface he.Bootstrapper[CiphertextType any] has been added to the package he, enabling easy plug-and-play black-box bootstrapping in any implementation defining the bootstrapping via this interface.
The usability and range of parameterization of the bootstrapping for fixed-point approximate homomorphic encryption over complex and real numbers has been substantially improved:
Examples for the bootstrapping can be found in examples/he/hefloat/bootstrapping.
Up to v4 the evaluation keys were defined by the struct rlwe.SwitchingKey. Although applying an evaluation key on a ciphertext does indeed serve the purpose of public re-encryption, user feedback has shown that this naming approach can lead to confusion and lacks an intuitive hierarchy among the different objects which are derived from the rlwe.SwitchingKey struct (and does not provide a comprehensive mapping with the literature). This is notably caused by the fact that public re-encryption is hardly ever used to change the access structure of a ciphertext, but as a means to ensure ciphertext compactness and decryption correctness during the different evaluation phases of a circuit.
To remedy this issue, the struct rlwe.SwitchingKey has been renamed rlwe.EvaluationKey, and a comprehensive documentation on the generation, usage and all capabilities of this object, as well as code comments, have been added. Additionally, the method SwitchKeys has been renamed ApplyEvaluationKey.
The goal is to better convey that rlwe.EvaluationKey is a special type of public key that is used during the evaluation phase of a circuit, with different purposes (relinearization, automorphisms, etc...).
The struct rlwe.RotationKeySet has been removed. It is now replaced by the type rlwe.GaloisKey, which is a wrapper of rlwe.EvaluationKey and stores a single rlwe.EvaluationKey along with some meta data to help identify which automorphism it enables.
There is now a simple and much more intuitive hierarchy among rlwe.EvaluationKeys:
rlwe.EvaluationKey
|
|-> rlwe.RelinearizationKey
└-> rlwe.GaloisKey
To be able to manage multiple rlwe.EvaluationKeys
, the rlwe.EvaluationKeySet
interface has been added. The (bfv/bgv/ckks).Evaluator
types are now using this interface to access evaluation keys when required, which enables the users to define their own loading/saving/persistence policies for rlwe.RelinearizationKey
and rlwe.GaloisKeys
. The rlwe.MemEvaluationKeySet
struct was added as a simple, memory-backed implementation of the rlwe.EvaluationKeySet
interface .
Many tests and benchmarks located in the bfv
, bgv
and ckks
packages were merely wrappers of methods of the package rlwe
, and thus didn't serve any meaningful purpose. Additionally, many methods in the rlwe
package where not fully tested or not tested at all.
To remedy to this issue, all tests and benchmarks in the bfv
, bgv
and ckks
packages that were solely wrappers of a method located in rlwe
have been removed. The test coverage of the rlwe
package has been substantially increased by adding tests and expanding the range of parameters for which those methods are tested.
An example is the tests for automorphisms. These were tested in each of the schemes by checking that applying a specific automorphism on a ciphertext encrypting an encoded plaintext would result in a specific rotations in the plaintext decoded domain. Although such test does ensure the functionality full pipeline behaves as expected, it was making its debugging difficult by not being able to easily pin-point where the correctness error could come from.
Instead these kind of functionalities have been broken down in their elementary operations, testing each of them separately. Going back to the tests for the automorphisms, the rlwe
package will now test that a Galois key is correctly generated, that the homomorphic automorphism applies the correct Galois automorphism on the polynomial coefficients and that it produces the expected noise; and the schemes will only test that an automorphism on an encoded plaintext results in the correct rotation on the decoded plaintext.
Finally, all relevant methods of rlwe
now have a benchmark function and the noise bounds for the tests in the packages rlwe
and mhe
have been substantially improved.
A new package utils/bignum
has been added. It provides arbitrary precision arithmetic and polynomial interpolation (Chebyshev & Multi-Interval Remez) over the real and complex numbers.
In addition to the previously available encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces, relevant Lattigo objects now implement the io.ReaderFrom and io.WriterTo interfaces to read/write objects directly from/to io.Reader and io.Writer. Moreover, the new methods have been optimized for buffers that provide transient access to their internal buffer (through the buffer.Writer interface, see below).
This is supported by two new packages dedicated to serialization: utils/buffer and utils/structs. The package utils/buffer provides low-level custom methods to efficiently write and read slices on any writer or reader that also exposes its internal buffer. The package utils/structs implements generic map, vector and matrix structs of any type, as well as their serialization.
Published by Pro7ech almost 2 years ago
Published by ChristianMct about 2 years ago
ring.Poly object. The new available methods are:
ring.Poly now has a .Buff 1-dimensional slice which is the only heavy allocation of a ring.Poly. The .Coeffs 2-dimensional slice is a re-slicing of .Buff.
GetDataLen64 and GetDataLen32: gets the length in bytes of an encoded ring.Poly object.
WriteTo64 and WriteTo32: encodes a ring.Poly object on a pre-allocated slice of bytes.
WriteCoeffsTo64 and WriteCoeffsTo32: encodes a slice of coefficients on a pre-allocated slice of bytes.
DecodeCoeffs64 and DecodeCoeffs32: decodes a slice of bytes on a slice of coefficients.
DecodePoly64 and DecodePoly32: decodes a slice of bytes on a pre-allocated ring.Poly object.
ring.Poly.Degree() to ring.Poly.N() for consistency.
ring.Poly.LenModuli() deprecated method.
ring.NewPoly to take the level as argument instead of the number of moduli, for consistency.
rlwe.CiphertextQP represents a ciphertext that is encrypted in the extended ring R_QP.
rlwe.GadgetCiphertext represents an encryption in the extended ring R_QP of a plaintext that is decomposed in the CRT and power-of-two basis (e.g., public switching keys).
rlwe.PublicKey types which are now stored in Montgomery form, consistently with all other key types.
rlwe.SwitchingKey type to use rlwe.GadgetCiphertext internally.
rlwe.KeySwitcher into rlwe.Evaluator, which provides new functionalities:
DecomposeNTT: decomposes a polynomial modulo the special RNS basis and extends its basis from Q to QP.
DecomposeSingleNTT: decomposes a polynomial modulo a single power of the special RNS basis and extends its basis from Q to QP.
ExpandRLWE: extracts each coefficient of a RLWE sample to the degree-0 coefficient of multiple RLWE samples.
MergeRLWE: merges the degree-0 coefficient of multiple RLWE samples into a single RLWE sample.
GadgetProduct: evaluates ring.Poly x gadget.Ciphertext -> RLWE, where gadget.Ciphertext is a matrix of RLWE samples encrypting scaled plaintext by the special RNS basis and a modulus P.
GadgetProductNoModDown: evaluates ring.Poly x gadget.Ciphertext -> RLWE but without the division by P (the result is given mod QP).
GadgetProductSinglePAndBitDecompNoModDown: evaluates ring.Poly x gadget.Ciphertext -> RLWE, where gadget.Ciphertext is a matrix of RLWE samples encrypting scaled plaintext by the special RNS basis along with a base-2 basis and an optional prime P.
Relinearize: reduces the degree of a rlwe.Ciphertext to one by homomorphically evaluating the decryption of the higher-degree terms.
KeySwitch: homomorphically re-encrypts a rlwe.Ciphertext under a new secret.
KeyswitchHoisted: homomorphically re-encrypts a rlwe.Ciphertext under a series of new secrets, returning a new ciphertext for each secret.
KeyswitchHoistedNoModDown: homomorphically re-encrypts a rlwe.Ciphertext under a series of new secrets, returning a new ciphertext for each secret, but without the division by P (the result is given mod QP).
Automorphism: homomorphically evaluates the map X -> X^k.
AutomorphismHoisted: homomorphically evaluates multiple maps of the type X -> X^k, returning a new ciphertext for each map.
AutomorphismHoistedNoModDown: homomorphically evaluates multiple maps of the type X -> X^k, returning a new ciphertext for each map, but without the division by P (result is given mod QP).
Trace: homomorphically evaluates the map X -> sum((-1)^i * X^{i*n+1}) for n <= i < N.
ExternalProduct: evaluates rlwe.Ciphertext x rgsw.Ciphertext -> rlwe.Ciphertext.
rlwe.Ciphertext and gadget.Ciphertext.
Pow2Base to the desired power of two basis.
P) only when P is composed of a single prime.
Pow2Base is set to zero (default value).
rlwe.Parameters without the modulus P.
rlwe.Encryptor interface and implementing structs:
.EncryptZero method to generate encryptions of zeros.
.Encrypt and .EncryptZero now accept ct interface{} as their ciphertext argument and determine the type of encryption to be performed according to the runtime type of ct.
PRNGEncryptor type, which supports secret-key encryption from a user-specified PRNG.
rlwe.KeyGenerator now uses an rlwe.Encryptor internally, to generate secret keys, encryption keys and evaluation keys.
rlwe/ringqp sub-package which provides the ringqp.Ring and ringqp.Poly types to respectively replace the former types rlwe.RingQP and rlwe.PolyQP.
Thresholdizer and Combiner types for t-out-of-N-threshold schemes through Shamir secret-sharing.
README.md providing package overview and usage instructions.
CollectivePublicKeyGenerator, RelinearizationKeyGenerator, RotationKeyGenerator, PublicKeySwitchingProtocol and KeySwitchingProtocol interfaces.
AggregateShare methods to AggregateShares.
rgsw, which provides a partial implementation of the RLWE-based RGSW encryption scheme. This includes:
rgsw.Encryptor and the rgsw.Ciphertext types.
rgsw.Evaluator to support the external product RLWE x RGSW -> RLWE.
rgsw/lut sub-package that provides evaluation of Look-Up-Tables (LUT) on rlwe.Ciphertext types.
Encoder.DecodeRingT to Encoder.SwitchToRingT to better reflect the purpose of the method.
MulAndAdd correctness for non-identical inputs.
advanced.EncodingMatrixLiteral.RepackImag2Real optional field to repack the imaginary part into the right n real slots.
Trace now only takes as input the logSlots of the encrypted plaintext.
.Scale with .scale, it can now be accessed with .Scale() and set to a new value with .SetScale().
ScalingFactor and SetScalingFactor of the interface Operand to Scale and SetScale respectively.
Bootstrapp to Bootstrap.
rlwe.Evaluator.
rlwe.Parameters.
EncryptFromCRP and EncryptFromCRPNew, users should now use the PRNGEncryptor interface.
dbfv/dckks.CKGProtocol, dbfv/dckks.RKGProtocol and dbfv/dckks.RTGProtocol types. Users should use the corresponding drlwe types instead.
MaskedTransformFunc is now a struct and takes as additional input to the linear transform two Boolean flags to parameterize if the decoding/encoding process must be done before/after the linear transform.
refresh and maskedTransform protocols now allow the user to specify the output parameters, enabling parameter switching.
dckks.RefreshProtocol correctness when the output scale is different from the input scale.
examples/ckks/advanced/lut, which is an example that performs homomorphic decoding -> LUT -> homomorphic encoding on a ckks.Ciphertext.
examples/ckks/advanced/rlwe_lwe_bridge_LHHMQ20, which is replaced by examples/ckks/advanced/lut.
examples/rlwe/lwe_bridge since the code of this example is now part of rlwe.Evaluator and showcased in examples/ckks/advanced/lut.
Published by Pro7ech over 2 years ago
PolynomialBasis, a struct to generate powers of monomials. This struct can be marshalled.
PolynomialBasis enumerated type to BasisType.
EvaluatePoly and EvaluatePolyVector now both accept pre-computed PolynomialBasis as input in addition to Ciphertext.
Mul and MulAndAdd.
Published by Pro7ech over 2 years ago
Bootstrapping for Approximate Homomorphic Encryption with Negligible Failure-Probability by Using Sparse-Secret Encapsulation. The previous bootstrapping circuit can be run by setting EphemeralSecretDensity=0.
Evaluator.Rescale and Evaluator.RescaleTo methods to switch BFV ciphertexts to lower levels.
Evaluator methods on ciphertext support all arithmetic operations at lower levels, but require that operands are at the same level.
T can now be equal to the level-zero modulus Q[0] (i.e., be a factor of the ciphertext modulus Q).
NewCiphertextLvl, NewPlaintextLvl, NewPlaintextMulLvl, Evaluator.AddScalar and Evaluator.MulScalarAndAdd.
[]uint64 and []int64 plaintext encoding methods (e.g. EncodeUint and EncodeInt are replaced by Encode) and added the respective [...]New methods.
EvaluatePoly and EvaluatePolyVector for homomorphic polynomial evaluation.
RNSScaler from ring to bfv.
SimpleScaler.
Published by Pro7ech over 2 years ago
Published by ChristianMct over 2 years ago
H field and HammingWeight method in parameters-related structs, to specify distribution of all secrets in the schemes.
Published by ChristianMct over 2 years ago
FastBasisExtender to BasisExtender.
.PolyToBigint[...](*) now take as input gap which defines the multiples of X^{i*gap} to reconstruct.
FastEncryptor. Encryption without rescaling by P is now automatically used by Encryptor if no P is specified in the parameters.
NewAdditiveShareBigint now takes as input the size of the share.
.ShallowCopy(), .WithKey() (shallow copy with new key) to Encryptor and Decryptor.
.ShallowCopy() to Encoder and EncoderBigComplex (only CKKS).
.ShallowCopy() to all protocols.
drlwe.CKSProtocol and drlwe.PCKSProtocol and sub-protocols based on these two protocols now only take a polynomial as input for the share generation instead of the full ciphertext.
.GenShare(*) and .AggregateShare(*).
Published by ChristianMct almost 3 years ago
NumberTheoreticTransformer interface.
encoding.BinaryMarshaler implementation for rlwe.Ciphertext types.
Scale to DefaultScale in Parameters and ParametersLiteral.
Evaluator.Average method.
DomainSwitcher type for conversion between Standard and Conjugate Invariant variants of CKKS.
[]complex128 and []float64 as input to Encoder.Encode* methods.
[]float64 as input to GetPrecisionStats.
func(float64)float64 and func(complex128)complex128 as input to Approximate.
Encoder interface.
Encoder.EncodeNTT/New to Encoder.Encode/New and added Encoder.EncodeSlots, Encoder.DecodeSlots and Encoder.DecodeSlotsPublic.
EncodeSlotsQP to encode on rlwe.PolyQP to support the new LinearTransform interface.
Encoder implementation; it is now much faster when encoding sparse plaintexts.
complex128 to float64.
PtDiagMatrix to LinearTransform.
LinearTransform.Rotations() to get the required rotation for the receiver plaintext linear transform.
Parameters.RotationsForLinearTransform to get the required rotation for the given plaintext linear transform.
NewLinearTransform, EncodeNewLinearTransform, GenLinearTransform and GenLinearTransformBSGS to allocate and initialize plaintext linear transforms.
PtDiagMatrix) constructors and initializers from Encoder.
Evaluator.EvaluatePolyVector to enable efficient evaluation of multiple different polynomials on the same ciphertext.
Q[0] or MessageRatio.
MaskedTransformProtocol correctness for sparse plaintexts.
ckks/sigmoid example to ckks/polyeval example, that now showcases the use of PolynomialVector.
Published by ChristianMct about 3 years ago
MapSmallDimensionToLargerDimensionNTT method which maps from Y = X^{N/n} to X in the NTT domain.
FastBasisExtender type can now extend the basis of polynomials of any level in base Q to polynomials of any level in base P.
Div[floor/round]BylastModulus[NTT] to Div[floor/round]BylastModulus[NTT]Lvl (the level of the last modulus must always be provided).
MFormVector, which switches a slice of uint64 into the Montgomery domain.
GenSwitchingKey now accepts secret-keys of different dimensions and level as input to enable re-encryption between different ciphertext degrees.
SwitchCiphertextRingDegreeNTT and SwitchCiphertextRingDegree to switch ciphertext ring degrees.
rlwe.RingQP type to represent the extended ring R_qp.
rlwe.PolyQP type to represent polynomials in the extended ring R_qp.
CKGCRP, RKGCRP, RTGCRP and CKSCRP types to represent the common reference polynomials in these protocols.
CRS interface for PRNGs that implement a common reference string among the parties.
SampleCRP(crs CRS) method to each protocol type to sample their respective CRP type.
floor(Q/T)*m to round((Q*m)/T) to reduce the initial ciphertext noise.
ckks/advanced sub-package and moved the homomorphic encoding, decoding and modular reduction into it.
ckks/bootstrapping sub-package and moved the CKKS bootstrapping into it. This package now mostly relies on the ckks/advanced package.
ChebyshevInterpolation type to Polynomial.
EvaluateCheby method that was redundant with the EvaluatePoly one.
EvaluatePoly to account for odd/even polynomials and fixed some small imprecisions in scale management occurring for some specific polynomial degrees.
[..]New methods.
NewCiphertextAtLevelFromPoly, which creates a ciphertext at a specific level from two polynomials.
MultiplyByDiagMatrixBSGS and updated the bootstrapping parameters accordingly.
PermuteNTTHoistedNoModDown now returns [phi(P*c0 + c0'), phi(c1')] instead of [phi(c0'), phi(c1')].
RotateHoistedNoModDown to RotateHoistedNoModDownNew for consistency.
ckks/advanced sub-package: a bridge between CKKS and FHEW ciphertexts using homomorphic decoding, ring dimension switching, homomorphic matrix multiplication and homomorphic modular reduction.
Published by ChristianMct over 3 years ago
int instead of uint64 as parameters and return values.
ring.Ring are not instantiated once in the parameters and read only. They are then accessed by other structs, like the encryptor or evaluator.
MulPoly and its related tests.
ring.Ring is now read-only and thread-safe.
ReadFromDistLvl and ReadAndAddFromDistLvl to Gaussian sampler API.
IsNTT and IsMForm flags in the ring.Poly type. For now, these flags are never checked or changed by the ring package.
rlwe package as common implementation base package for the Lattigo RLWE schemes.
rlwe.Parameters type as common base struct for BFV and CKKS parameters.
rlwe.KeyGenerator type as common key-generator for BFV and CKKS.
rlwe.Ciphertext type as common base struct for BFV and CKKS ciphertexts.
rlwe.Plaintext type as common base struct for BFV and CKKS plaintext.
rlwe.Encryptor type as common base interface for BFV and CKKS encryptors.
rlwe.Decryptor type as common base interface for BFV and CKKS decryptors.
rlwe.KeySwitcher type as a common key-switching implementation for BFV and CKKS evaluators.
Parameters.Copy() method to Parameters.CopyNew() for consistency.
Parameter struct, that stores the relevant ring.Ring instances and has getter methods to access them.
rlwe.RotatationKeySet type.
bfv and ckks packages the rlwe package.
drlwe package as a common implementation base for the lattigo multiparty RLWE schemes.
dbfv and dckks packages to the drlwe package.
Evaluator interface now has a single method for all column rotations and one method for the row-rotation/conjugate.
Evaluator constructor methods (and no longer to the operations methods).
Moduli and LogModuli types and their associated Parameters constructors.
Parameters types are now passed by value in most situations.
encoding/json-compatible JSON serializers and deserializers for the Parameters types.
-params=[params json] flag for all test and bench suites for specifying parameters from the command line.
E2SProtocol) and Shares-To-Encryption (S2EProtocol) protocols for domain switching between encryptions and secret-shares.
MaskedTransformProtocol that accepts an arbitrary linear function.
ringQMul are now generated based on N and Q.
Parameter methods that compute the required rotations for relevant Evaluator operations.
CoeffsToSlots and SlotsToCoeffs.
CoeffsToSlots and SlotsToCoeffs are now standalone public functions.
RotateHoisted: evaluates several rotations on a single ciphertext.
LinearTransform: evaluates one or more PtDiagMatrix on a ciphertext using MultiplyByDiagMatrix or MultiplyByDiagMatrixBSGS according to the encoding of PtDiagMatrix.
MultiplyByDiagMatrix: multiplies a ciphertext with a PtDiagMatrix using n rotations with single hoisting.
MultiplyByDiagMatrixBSGS: multiplies a ciphertext with a PtDiagMatrix using 2sqrt(n) rotations with double-hoisting.
InnerSumLog: optimal log approach that works for any value (not only powers of two) and can be parameterized to inner sum batches of values (sub-vectors).
InnerSum: naive approach that is faster for small values but needs more keys.
ReplicateLog: optimal log approach that works for any value (not only powers of two) and can be parameterized to replicate batches of values (sub-vectors).
Replicate: naive approach that is faster for small values but needs more keys.
PtDiagMatrix: struct that represents a linear transformation.
EncodeDiagMatrixBSGSAtLvl: encodes a PtDiagMatrix at a given level, with a given scale for the BSGS algorithm.
EncodeDiagMatrixAtLvl: encodes a PtDiagMatrix at a given level, with a given scale for a naive evaluation.
DecodePublic: adds Gaussian noise of variance floor(sigma * sqrt(2*pi)) before the decoding step (see SECURITY.md).
DecodeCoeffsPublic: adds Gaussian noise of variance floor(sigma * sqrt(2*pi)) before the decoding step (see SECURITY.md).
GetErrSTDFreqDom: get the error standard deviation in the frequency domain (slots).
GetErrSTDTimeDom: get the error standard deviation in the time domain (coefficients).
MultByi now correctly sets the output ciphertext scale.
Relinearize now correctly sets the output ciphertext level.
Published by Pro7ech almost 4 years ago
bfv.Element.Level method.
SetRelinKeys to Set
BootstrappParams into BootstrappingParameters
Evaluator.DropLevel, Parameters.SetLogSlots and Element.Copy methods no longer return errors
Published by ChristianMct almost 4 years ago
PlaintextRingT or PlaintextMul) for optimized ct-pt operations. See bfv/encoder.go and bfv/plaintext.go.
Encoder methods
GenNTTPrimes now takes the value Nth (for Nth primitive root) as input rather than logN.
Encoder.DecodeUint64 and Encoder.DecodeInt64 methods now take the output slice as argument.
Evaluator.RotateColumns becomes Evaluator.Rotate
Evaluator.EvaluateCheby isn't done automatically anymore and the user must do it before calling the function to ensure correctness.
EncodeAtLvlNew and EncodeNTTAtLvlNew, which allow a user to encode a plaintext at a specific level.
Evaluator.EvaluateChebySpecial
QiMul field from bfv.Parameters. It is now automatically generated.
Published by ChristianMct about 4 years ago
Published by ChristianMct almost 5 years ago
Added
All schemes : new switching-keys and key-switching algorithm based on the concept presented in https://eprint.iacr.org/2019/688.pdf.
All schemes : new marshaling interface for all structures.
BFV/CKKS : new Parameters structs and API enabling a better customization and fine tuning for specific applications.
CKKS : new API for hoisted rotations, which is faster than sequential rotations.
DBFV/DCKKS : added collective refresh of a ciphertext (decentralized bootstrapping).
RING : added Ziggurat sampling, available from the context.
RING : enabled dense and sparse ternary polynomials sampling directly from the context.
RING : new API enabling "level" wise polynomial arithmetic.
RING : new API for modulus switching with flooring and rounding.
UTILS : utils now regroups all the utility methods which were previously duplicated among packages.
Removed
BFV/CKKS/DBFV/DCKKS : removed their respective context. Ring context remains public.
All schemes : removed key-switching with bit decomposition. This option will however be re-introduced at a later stage since applications using small parameters can suffer from this change.
BFV/CKKS/RING : removed redundant/irrelevant tests and benchmarks.
BFV : removed context QP as it is no longer used in the multiplication.
BFV : removed int encoder, now only batch encoding is supported.
CKKS : modulus switching is now located in Ring.
RING : removed the algorithms that needed Float128 during the BFV multiplication.
RING : removed most wrapping methods for bigInt, which are now replaced by the native math/big package.
RING : removed ternary sampler, which is now part of the context.
Changed
All schemes : Encryptor, Decryptor, Encoder, Evaluator, KeyGenerator are now interface types.
All schemes : Improved Godoc and error strings.
All schemes : greatly reduced the number of methods that could return an error.
All schemes : new tests and benchmarks with fully supported regex.
All schemes : coefficient-wise arithmetic using double slices is now substantially faster.
BFV/CKKS : changed the name of the underlying ring contexts. Q now represents the ciphertext modulus (with QMul being the extended ciphertext modulus for BFV) and QP represents modulus of the keys (P being the special primes used during the new key-switching).
BFV/CKKS/DBFV/DCKKS : structures are now created using the parameters instead of the context.
BFV : quantization during multiplication doesn't use Float128 any more, resulting in a substantial speed improvement.
BFV : BatchEncoder has been renamed Encoder.
CKKS : the scale is now stored as a float64 instead of a power of 2.
CKKS : rounding is applied instead of flooring when a real value is converted to an integer value. This change affects the rescaling and the encoding.
CKKS : previously needed one ring context per level, now only uses one context for all levels.
CKKS : new baby-step giant-step algorithm for evaluating polynomials in standard and Chebyshev basis.
CKKS : reduced the number of NTT needed during the encryption.
CKKS : API for MultConst is now MultByConst.
BFV/CKKS : new API for the rotation-keys generation.
DBFV/DCKKS : complete revamp of the API and interfaces enabling a much easier integration into larger systems.
DBFV/DCKKS : improved PCKS and CKS using the concept of the new key-switching technique, which reduces the added noise.
DCKKS : all protocols work for ciphertexts at any levels.
RING : faster MulScalarBigint (now similar to MulScalar).
UTILS : PRNG must be keyed to be forward secure.
Fixes
All packages : typos, godoc and golint.
CKKS : ciphertext rotation now correctly sets the scale of the output ciphertext.
DBFV/DCKKS : correctness is now ensured when the same protocol instance is used to generate multiple shares.