lattigo icon indicating copy to clipboard operation
lattigo copied to clipboard

Published 20 hours ago verified publisher icon tuneinsight

params meaning

Open macknight opened this issue 3 years ago • 2 comments

Hi, image

I've seen CKKS parameters: logN = 14, logSlots = 13, logQP = 425, levels = 8, scale= 1099511627776.000000, sigma = 3.200000. What do they mean in detail, e.g. any comments for them? Do they have any relations? Like logN is a fixed 2 times logSlots? Do logQP and scale have any relations? or just ramdom value?

BR

macknight avatar Aug 16 '22 12:08 macknight

@macknight These are the standard cryptographic parameters of the Ring Learning with Error based CKKS scheme. The ring is Z_{QP}[X]/(X^{N}+1), and the parameters affecting the security are LogN (the log in base 2 of the ring degree), LogQP (the log in base 2 of the modulus), the distribution of the secret (by default uniform ternary) and the standard deviation of the error (here sigma). The other parameters, LogSlots (the log in base 2 of the number of plaintext slots) and scale (the integer by which values are scaled during encoding) do not affect the security but will affect, mostly, the precision of your computation.

I cannot go into more details because the security and parameterization of R-LWE schemes is a non trivial topic that requires deep knowledge of the scheme.

For more information about the parameterization of R-LWE based schemes and its security, I will refer you to the homomorphic standard

If you want to know more about the CKKS scheme specifically you can take a lookt at the original paper and its full-RNS variant, which is the one on which Lattigo is based.

In the mean time, you can use the default parameters as they ensure a security of 128-bit.

Pro7ech avatar Aug 16 '22 22:08 Pro7ech

Thank you for your excellent answer.

macknight avatar Aug 17 '22 02:08 macknight

How to change the default uniform ternary "the distribution of the secret" param?

And is it the param "levels"? It should be a different param from "the distribution of the secret", right? Then How to set the "levels" param? Simply by setting Q or LogQ to imply "levels" param?

BR

macknight avatar Aug 18 '22 12:08 macknight

By default H=0 and this will generate the secret with coefficients uniformly distributed in [-1, 0, 1]. So the expected Hamming Weight will be 2N/3. You can change H to a fixed value, for example H=256, this will instead generate a secret that has exactly 256 non zero coefficients [-1, 1]. But this will change the security. Only do that if you are perfectly aware of the implications. If you want to estimate the security of a R-LWE instance, you can go there -> https://github.com/malb/lattice-estimator

Pro7ech avatar Aug 18 '22 13:08 Pro7ech