Homomorphic encryption using Palisade library

Question

To all homomorphic encryption experts out there:

I'm using the PALISADE library:

int plaintextModulus = 65537;
float sigma = 3.2;
SecurityLevel securityLevel = HEStd_128_classic;
uint32_t depth = 2;

//Instantiate the crypto context
CryptoContext<DCRTPoly> cc = CryptoContextFactory<DCRTPoly>::genCryptoContextBFVrns(
            plaintextModulus, securityLevel, sigma, 0, depth, 0, OPTIMIZED);

could you please explain (all) the parameters especially intrested in ptm, depth and sigma.

Secondly I am trying to make a Packed Plaintext with the cc above.

cc->MakePackedPlaintext(array);

What is the maximum size of the array? On my local machine (8GB RAM) when the array is larger than ~8000 int64 I get an free(): invalid next size (normal) error

"could you please explain (all) the parameters especially intrested in ptm, depth and sigma." It's your responsibility to look up that information, and pushes your question towards being off-topic because you're asking us to locate documentation or tutorials for you. — the Tin Man, Jan 29 '22 at 20:09

score 3 · Accepted Answer · answered Aug 04 '20 at 13:57

Thank you for asking the question.

Plaintext modulus t (denoted as t here) is a critical parameter for BFV as all operations are performed mod t. In other words, when you choose t, you have to make sure that all computations do not wrap around, i.e., do not exceed t. Otherwise you will get an incorrect answer unless your goal is to compute something mod t.

sigma is the distribution parameter (used for the underlying Learning with Errors problem). You can just set to 3.2. No need to change it.

Depth is the multiplicative depth of the circuit you are trying to compute. It has nothing to with the size of vectors. Basically, if you have AxBxCxD, you have a depth 3 with a naive approach. BFV also supports more efficient binary tree evaluation, i.e., (AxB)x(CxD) - this option will reduce the depth to 2.

BFV is a scheme that supports packing. By default, the size of packed ciphertext is equal to the ring dimension (something like 8192 for the example you mentioned). This means you can pack up to 8192 integers in your case. To support larger arrays/vectors, you would need to break them into batches of 8192 each and encrypt each one separately.

Regarding your application, the CKKS scheme would probably be a much better option (I will respond on the application in more detail in the other thread).

score 2 · Answer 2 · answered Aug 03 '20 at 11:52

2

I have some experience with the SEAL library which also uses the BFV encryption scheme. The BFV scheme uses modular arithmetic and is able to encrypt integers (not real numbers).

For the parameters you're asking about:

The Plaintext Modulus is an upper bound for the input integers. If this parameter is too low, it might cause your integers to overflow (depending on how large they are of course)
The Sigma is the distribution parameter for Gaussian noise generation
The Depth is the circuit depth which is the maximum number of multiplications on a path

Also for the Packed Plaintext, you should use vectors not arrays. Maybe that will fix your problem. If not, try lowering the size and make several vectors if necessary.

answered Aug 03 '20 at 11:52

Marwan N

531
6
20

1

Thank you very much for the answer! 1. In the source code I am using vectors and not arrays, sry for the confusion! 2. I have an follow up question: currently I am able to execute he operations like multiplication, addition etc using vectors (SIMD) and scalars. In my special use case I want to execute a multiplication with a Vector of the size (~600000 int64_t) when I try this on my local machine the input is too large. I can increase the depth to 16 (2^16 = 65536) which is far away from 600000 and is very inefficient and memory intensive. Recommendations? – Cowas Aug 04 '20 at 07:32
1

Unless you have a very powerful machine, having large depth and plaintext modulus will significantly slow down your computation and there is a high chance you will run out of memory. I would recommend splitting the vector into several smaller vectors. You'll have to try and find the size that works for you best without running out of memory by simply testing for different input sizes. I used to do that in SEAL whenever I had large vectors and wrote functions to handle them. – Marwan N Aug 04 '20 at 12:20
Thanks again for the response! Yeah I tried something like that, splitting the large vector into smaller chunks to the computation on them and aggregate them back somehow. Do you how I can calculate the actual size of the plaintext and ciphertext for example having a a vector of 1000 int64 values as the message? – Cowas Aug 04 '20 at 13:35

score -2 · Answer 3 · edited Aug 04 '20 at 14:39

-2

You can determine the ring dimension (generated by the crypto context based on your parameter settings) by using cc->GetRingDimension() as shown in line 113 of https://gitlab.com/palisade/palisade-development/blob/master/src/pke/examples/simple-real-numbers.cpp

edited Aug 04 '20 at 14:39

David Buck

3,752
35
31
35

answered Aug 04 '20 at 14:28

Dave Cousins

32
2

I don't think that's possible in this case. The CKKS encryption scheme is different from the BFV scheme. – Marwan N Aug 28 '20 at 12:59
Both CKKS and BFV are based on polynomials (mod x^n + 1, mod q), where n is the ring dimension (ciphertext dimension) and q is the ciphertext modulus. So, the ring dimension concept is used the same way. The main differences between BFV and CKKS are in the encoding of the message and the packing procedure used during the encoding. The rest (related to polynomials and Ring LWE encryption) is basically the same. – Yuriy Polyakov Aug 31 '20 at 13:29
Apologies, I gave an example that used CKKS instead of BFV and that may have confused the issue. As Yuriy says, the method to get the resulting ring dimension is applicable to several of our lattice schemes. In all cases, the max size of a vector that can be encoded in a ciphertext is based on some function of the ring dimension. Generally, you get a given ring dimension based on security, depth and platintext modulus. You don't manipulate ring dimension to accommodate larger input vector sizes. Vectors larger than the encoding max need to be processed in multiple ciphertexts. – Dave Cousins Aug 31 '20 at 15:13
Please read "[Link-only answers](https://meta.stackoverflow.com/tags/link-only-answers/info)" and "[…barely more than a link to an external site](https://stackoverflow.com/help/deleted-answers)" – the Tin Man Jan 29 '22 at 20:10

Homomorphic encryption using Palisade library

3 Answers3