fix: bug on range of coefficients of pk0_u and pk1_u
@@ -1 +1 @@
|
||||
{"pk0": [1319, 4146, 2474, 1173], "pk1": [1404, 3568, 2401, 3721], "m": [2, 4634, 3, 4635], "u": [4636, 0, 1, 0], "e0": [7, 6, 5, 3], "e1": [1, 4636, 2, 4634], "c0": [4304, 1813, 2673, 4471], "c1": [4485, 3804, 2654, 994]}
|
||||
{"pk0": [2959, 1905, 3146, 4426], "pk1": [3940, 2749, 562, 3096], "m": [4635, 1, 4634, 0], "u": [1, 1, 4636, 4636], "e0": [4, 1, 1, 4636], "e1": [4636, 4635, 4636, 4], "c0": [1388, 1716, 4127, 2755], "c1": [1605, 480, 3563, 2174]}
|
||||
@@ -201,17 +201,21 @@ fn bfv_encryption_circuit<F: ScalarField>(
|
||||
// OVERFLOW ANALYSIS
|
||||
// The coefficients of pk0 are in the range [0, Q) according to the check to be performed outside the circuit.
|
||||
// The coefficients of u are either [0, 1, Q-1] according to the constraints set above.
|
||||
// The maximum value of the coffiecient of pk0_u is (Q-1) * (Q-1) = Q^2 - 2Q + 1.
|
||||
// Q needs to be chosen such that Q^2 - 2Q + 1 < p where p is the prime field of the circuit in order to avoid overflow during the multiplication.
|
||||
// The coefficients of pk0_u are calcualted as $c_k = \sum_{i=0}^{k} pk0[i] * u[k - i]$. Where k is the index of the coefficient of pk0_u.
|
||||
// Given that the input polynomials are of degree DEG - 1, the maximum number of multiplications in the sum is for k = DEG - 1.
|
||||
// In that case there are DEG multiplications in the sum.
|
||||
// For that particular coefficient, the maximum value of the coffiecient of pk0_u is (Q-1) * (Q-1) * DEG.
|
||||
// The maximum value of the coffiecient of pk0_u is (Q-1) * (Q-1) * DEG.
|
||||
// Q needs to be chosen such that (Q-1) * (Q-1) * DEG < p where p is the prime field of the circuit in order to avoid overflow during the multiplication.
|
||||
|
||||
let pk0_u = poly_mul_equal_deg::<{ DEG - 1 }, F>(ctx, pk0.clone(), u.clone(), &range.gate());
|
||||
|
||||
// pk0_u is a polynomial of degree (DEG - 1) * 2 = 2*DEG - 2
|
||||
// pk0_u has coefficients in the [0, Q^2 - 2Q + 1] range
|
||||
// pk0_u has coefficients in the [0, (Q-1) * (Q-1) * DEG] range
|
||||
// Reduce the coefficients by modulo `Q`
|
||||
|
||||
// get the number of bits needed to represent the value of Q^2 - 2Q + 1
|
||||
let binary_representation = format!("{:b}", (Q.pow(2) - (2 * Q) + 1));
|
||||
// get the number of bits needed to represent the value of (Q-1) * (Q-1) * DEG
|
||||
let binary_representation = format!("{:b}", ((Q - 1) * (Q - 1) * (DEG as u64)));
|
||||
let num_bits_1 = binary_representation.len();
|
||||
|
||||
let pk0_u = poly_reduce::<{ 2 * DEG - 2 }, Q, F>(ctx, pk0_u, &range, num_bits_1);
|
||||
@@ -308,14 +312,17 @@ fn bfv_encryption_circuit<F: ScalarField>(
|
||||
// OVERFLOW ANALYSIS
|
||||
// The coefficients of pk1 are in the range [0, Q) according to the check to be performed outside the circuit.
|
||||
// The coefficients of u are either [0, 1, Q-1] according to the constraints set above.
|
||||
// The maximum value of the coffiecient of pk1_u is (Q-1) * (Q-1) = Q^2 - 2Q + 1.
|
||||
// If the previous condition (Q^2 - 2Q + 1 < p) is satisfied there is no risk of overflow during the multiplication.
|
||||
|
||||
// The coefficients of pk1_u are calcualted as $c_k = \sum_{i=0}^{k} pk1[i] * u[k - i]$. Where k is the index of the coefficient of pk1_u.
|
||||
// Given that the input polynomials are of degree DEG - 1, the maximum number of multiplications in the sum is for k = DEG - 1.
|
||||
// In that case there are DEG multiplications in the sum.
|
||||
// For that particular coefficient, the maximum value of the coffiecient of pk1_u is (Q-1) * (Q-1) * DEG.
|
||||
// The maximum value of the coffiecient of pk1_u is (Q-1) * (Q-1) * DEG.
|
||||
// Q needs to be chosen such that (Q-1) * (Q-1) * DEG < p where p is the prime field of the circuit in order to avoid overflow during the multiplication.
|
||||
let pk1_u = poly_mul_equal_deg::<{ DEG - 1 }, F>(ctx, pk1.clone(), u, range.gate());
|
||||
|
||||
// // pk1_u is a polynomial of degree (DEG - 1) * 2 = 2*DEG - 2
|
||||
// // pk1_u has coefficients in the [0, Q^2 - 2Q + 1] range
|
||||
// // Reduce the coefficients by modulo `Q`
|
||||
// pk1_u is a polynomial of degree (DEG - 1) * 2 = 2*DEG - 2
|
||||
// pk1_u has coefficients in the [0, (Q-1) * (Q-1) * DEG] range
|
||||
// Reduce the coefficients by modulo `Q`
|
||||
let pk1_u = poly_reduce::<{ 2 * DEG - 2 }, Q, F>(ctx, pk1_u, &range, num_bits_1);
|
||||
|
||||
// pk1_u is a polynomial of degree (DEG - 1) * 2 = 2*DEG - 2
|
||||
|
||||
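Review bot: The new bound `(Q - 1) * (Q - 1) * (DEG as u64)` in the first hunk (the `binary_representation` line that feeds `num_bits_1`) is computed in plain integer arithmetic, presumably `u64` given the `DEG as u64` cast, so for larger `Q` or `DEG` the product can exceed 64 bits. A release build would then wrap silently and hand a too-small bit width to both `poly_reduce` calls, while a debug build would panic. I would compute it with checked arithmetic, e.g. `let bound = (Q - 1).checked_mul(Q - 1).and_then(|b| b.checked_mul(DEG as u64)).expect("(Q-1)^2 * DEG must fit in u64");`, and format `bound` instead. The requirement `(Q-1) * (Q-1) * DEG < p` is stated only in the comments of both hunks, and nothing visible here enforces it, so an assertion against the field modulus next to this computation would turn the overflow analysis into a checked invariant. `bfv_encryption_circuit` starts and ends outside both hunks, so such a check may already exist elsewhere.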