Is key-switch used in HEAAN?
DylanWangWQF opened this issue · 6 comments
Hi, @swanhong
I have a question about reducing the noise in the ciphertexts.
We know, in HElib, they use key-switch matrix to scale the noise.
How does HEAAN address this? Also use similar key-switch techniques in HElib?
To my knowledge, key-switch matrix in HElib is not for reducing the noise, but for "key switching" that changes the modified secret key to the right secret key. Are you asking about noise reduction in HEAAN?
@swanhong Many thanks for your reply! My question is about the noise cost for each operation (e.g., multiplication, rotation), compared to HElib.
I have this question is because: I run an application that implemented with HEAAN, it performs well. But when I re-implement it with HElib, its depth is not enough although using the same parameters (i.e., same slots, precision, etc..). So I guess this is because the noise cost in HEAAN is smaller than that in HElib?
In your explanation, I'm wondering if the important parameters are not the same. Depth depends on the parameters related to security, including ring degree(N or logn) and modulus(Q or logq). Can you check these parameters and tell me if they are still the same?
Depth depends on the parameters related to security, including ring degree(N or logn) and modulus(Q or logq).
For the HEAAN-based implementation, the parameters are:
the lower bound on the bit length of a fresh ciphertext modulus is
5 logp +2 logpc +logq0
. In our implementation, we assume that all the inputs hadlogp = 24
bits of precision and set the bit length of the output ciphertext modulus aslogq0 = logp + 8
. In addition, we setlogpc = 15
for the bit precision of constant values. We could actually obtain the bit length of the largest ciphertext modulus around182
and took the ring dimensionN = 2^13
to ensure80
bits of security.
P.S. the paper link is : https://dl.acm.org/doi/pdf/10.1145/3243734.3243837
To get the same number of slots (4096
, slots = m / 4
), we use the parameters in HElib: /*m=*/16 * 1024, /*bits=*/358, /*precision=*/25, /*c=*/6
, the security level is only around 54
although the depth is enough.
If I use the paramters /*m=*/16 * 1024, /*bits=*/235, /*precision=*/20, /*c=*/4
, the security is around 87
but depth is not enough
It is because you decreased the bits
parameter, which is matched to logq0
in HEAAN you cited. In CKKS scheme, bits
is proportional to the number of depths, so if you decrease bits
, then you can get enough security but you will lose depths. You have to strike a balance between depth and security.
Yes, I understand the balance between depth and security. In HElib, to get a ciphertext with 4096
slots and enough depths, I have to increase the bits
, finally get the lower security. Maybe it's due to the settings that I cannot get both slots
and enough depths
, just like in HEAAN.