
More Questions

Open macknight opened this issue 1 year ago • 0 comments

Hi,

Is there any online channel or community for lattigo users to communicate?

And I have some other questions:

  1. How about the param "levels"? Is it a security param or precision param?
  2. What is "the distribution of the secret" param? Is it the param "levels"?
  3. Do these params (3 security params and 2 precision params) have relations when setting them? Like, do LogN and LogSlots have this fixed relation of "LogN=LogSlots + 1"? Could I set LogN=14 while LogSlots=10? Or could I set LogN=10, LogSlots=15? Or are LogN and LogSlots just random integers between (1, 100)? And why doesn't a lib like MS SEAL have this logSlots param?
  4. For the default parameters, how do I compute that the security is 128-bit? And if I want to use default params, I just don't set them so that they use default params?
  5. In this link, https://github.com/tuneinsight/lattigo/tree/master/ckks there seem to be only 4 params: LogN, LogQ, sigma and scale. Why does the example have more params? image
  6. For logN, https://github.com/tuneinsight/lattigo/tree/master/ckks, it says "security increases with N and performance decreases with N", so why? Any simple and intuitive answer?
  7. For logQ, https://github.com/tuneinsight/lattigo/tree/master/ckks, it says "(for a fixed N, a larger Q implies both lower security and lower performance)." Why is it? Any simple and intuitive answer?
  8. https://github.com/tuneinsight/lattigo/tree/master/ckks , why are there 3 non-scalar multiplications here? Shouldn't it be 4 non-scalar multiplications? bx, cx, dx are 3 scalar multiplications, I could understand that. But for non-scalar multiplications, x*x, x^2 * x^2, cx * x^2, dx * x^4 should be 4 non-scalar multiplications, correct? And also for 4 levels, do all scalar multiplications consume 1 level no matter how many scalar multiplications there are? And additions consume 0 levels? And each non-scalar multiplication consumes one level?

image

  9. https://github.com/tuneinsight/lattigo/tree/master/ckks , Instead of evaluating a + bx + cx^3 + dx^5, we pre-multiply the plaintext by d^(1/5) and evaluate a + b/(d^(1/5))x + c/(d^(3/5)) + x^5. Is this wrong? (a + bx + cx^3 + dx^5) * d^(1/5) seems not equal to a + b/(d^(1/5))x + c/(d^(3/5)) + x^5

  10. https://github.com/tuneinsight/lattigo/tree/master/ckks, "LogN: it determines (a) how many values can be encoded (batched) at once (maximum N/2) in one plaintext, and (b) the maximum total modulus bit size (the product of all the moduli) for a given security parameter." How to understand LogN is "the maximum total modulus bit size (the product of all the moduli) for a given security parameter" for below example? 45+40+40+40+40 should be less than logN=13? Obviously it's wrong....

    LogN = 13
    Modulichain = [45, 40, 40, 40, 40], for a logQ <= 205
    LogScale = 40

  11. https://github.com/tuneinsight/lattigo/tree/master/ckks, how to decide logN=13 for example below: Modulichain = [45, 40, 40, 40, 40], for a logQ <= 205 LogScale = 40

  12. The code and output: the code of https://github.com/tuneinsight/lattigo/blob/master/examples/ckks/euler/main.go

        params, err := ckks.NewParametersFromLiteral(
            ckks.ParametersLiteral{
                LogN:         14,
                LogQ:         []int{55, 40, 40, 40, 40, 40, 40, 40},
                LogP:         []int{45, 45},
                LogSlots:     13,
                DefaultScale: 1 << 40,
            })

Output of the above code: CKKS parameters: logN = 14, logSlots = 13, logQP = 425, levels = 8, scale= 1099511627776.000000, sigma = 3.200000

From the code, how do you compute levels=8? Is it because LogQ has 8 elements? And I could get logQP = 425 = sum of elements of LogQ and LogP. That's OK, but why, when setting it in code, do I need to set LogQ and LogP separately? What is LogP's meaning? I could understand there needs to be LogQ []int{55, 40, 40, 40, 40, 40, 40, 40}, but why do I need LogP?

  13. Here https://github.com/tuneinsight/lattigo/tree/master/ckks , it says:

      Each set of security parameters is defined by the tuple equation : {12, 109, 3.2} {13, 218, 3.2} {14, 438, 3.2} {15, 881, 3.2}

      As mentioned, setting parameters for CKKS involves not only choosing this tuple, but also defining the actual moduli chain depending on the application at hand, which is why the provided default parameter sets have to be fine-tuned, preserving the values of the aforementioned tuples, in order to maintain the required security level of 128 bits. That is, Lattigo provides a set of default parameters for CKKS, including example moduli chains, ensuring 128 bit security. The user might want to choose different values in the moduli chain optimized for a specific application. As long as the total modulus is equal or below the above values for a given logN, the scheme will still provide a security of at least 128 bits against the current best known attacks.

      For this example,

      LogN = 13
      Modulichain = [45, 40, 40, 40, 40], for a logQ <= 205
      LogScale = 40

      we know a security tuple is {13, 218, 3.2} for logN, logQ and sigma. In the example, the given logN is 13, then the total modulus means 45+40+40+40+40=205, and 205 is smaller than 218, so the scheme will still provide a security of at least 128 bits against the current best known attacks?

  14. Here https://github.com/tuneinsight/lattigo/blob/master/ckks/README.md, image image Does it mean each bit of the secret key is one choice of the three {-1, 0, 1}? And why it has a "N" on the top right corner? Does it mean the secret key has bits number which is N(N is the ring degree)?

  15. Does each of these security tuples have the same security of 128 bits for a secret key? {12, 109, 3.2} {13, 218, 3.2} {14, 438, 3.2} {15, 881, 3.2}

BR

macknight avatar Aug 17 '22 10:08 macknight
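
The check that the README text quoted in questions 10 and 13 describes, written out as an added example; it is not part of the original issue and is not Lattigo code. `ParamSpec`, `Report` and `Check` are hypothetical names, the bounds are the tuples quoted in the post, and applying the bound to LogQ and LogP together (the logQP the example prints) is an assumption.

```go
package main

import "fmt"

// Largest total modulus size in bits per logN, taken from the tuples
// {logN, logQ, sigma} quoted in the post for 128-bit security.
var maxLogQP = map[int]int{12: 109, 13: 218, 14: 438, 15: 881}

// ParamSpec is a hypothetical stand-in with the same field names as the
// ckks.ParametersLiteral in the post; it is not Lattigo's own type.
type ParamSpec struct {
	LogN, LogSlots int
	LogQ, LogP     []int
}

// Report holds the figures the post's example output prints.
type Report struct{ LogQP, Bound, Levels int }

// Check rejects a parameter set whose slot count or total modulus exceeds
// what the quoted README allows for its logN.
func Check(p ParamSpec) (Report, error) {
	bound, ok := maxLogQP[p.LogN]
	if !ok {
		return Report{}, fmt.Errorf("logN=%d is not in the quoted table", p.LogN)
	}
	// At most N/2 values fit in one plaintext, so LogSlots <= LogN-1.
	if p.LogSlots < 0 || p.LogSlots > p.LogN-1 {
		return Report{}, fmt.Errorf("logSlots=%d outside [0, %d]", p.LogSlots, p.LogN-1)
	}
	// One level per LogQ entry, matching "levels = 8" in the post's output.
	r := Report{Bound: bound, Levels: len(p.LogQ)}
	// Assumption: the bound applies to Q and P together (logQP).
	for _, bits := range p.LogQ {
		r.LogQP += bits
	}
	for _, bits := range p.LogP {
		r.LogQP += bits
	}
	if r.LogQP > bound {
		return r, fmt.Errorf("logQP=%d exceeds %d for logN=%d", r.LogQP, bound, p.LogN)
	}
	return r, nil
}

func main() {
	euler := ParamSpec{LogN: 14, LogSlots: 13,
		LogQ: []int{55, 40, 40, 40, 40, 40, 40, 40}, LogP: []int{45, 45}}
	fmt.Println(Check(euler)) // parameters from the post's euler example
	euler.LogN, euler.LogSlots = 13, 12 // same chain on a smaller ring
	fmt.Println(Check(euler))
}
```

The second call in `main` fails: the 425-bit chain that fits under 438 at logN = 14 is over the 218-bit budget at logN = 13.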