BDD / Hybrid-BDD speed improvement for FHE-sized parameters #97

Merged
merged 5 commits into from
Feb 6, 2024

@bencrts bencrts commented Feb 5, 2024

For BDD
Before:

sage: %time LWE.primal_bdd(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 50min 50s, sys: 35.5 s, total: 51min 25s
Wall time: 51min 33s
rop: ≈2^186.3, red: ≈2^186.3, svp: ≈2^176.1, β: 531, η: 555, d: 127471, tag: bdd

After:

sage: %time LWE.primal_bdd(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 36.4 s, sys: 633 ms, total: 37 s
Wall time: 37.3 s
rop: ≈2^186.3, red: ≈2^186.3, svp: ≈2^176.1, β: 531, η: 555, d: 127471, tag: bdd

The idea is that checking for the required SVP dimension from 0 to n isn't needed, and we can check from 0 to some other value much smaller than n (arbitrarily chosen for now).


For Hybrid-BDD
Before:

sage: %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 14min 36s, sys: 1min 42s, total: 16min 19s
Wall time: 17min 4s
rop: ≈2^251.0, red: ≈2^250.1, svp: ≈2^249.9, β: 531, η: 2, ζ: 192, |S|: ≈2^304.3, d: 130945, prob: ≈2^-61.5, ↻: ≈2^63.7, tag: hybrid

After:

sage: %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
zeta_max = 236
CPU times: user 3min 57s, sys: 4.22 s, total: 4min 1s
Wall time: 4min 2s
rop: ≈2^251.0, red: ≈2^250.1, svp: ≈2^249.9, β: 531, η: 2, ζ: 192, |S|: ≈2^304.3, d: 130945, prob: ≈2^-61.5, ↻: ≈2^63.7, tag: hybrid

The idea here is that the number of secret coefficients guessed, zeta, doesn't need to be checked between 0 and n and can instead be searched for in some range [0, zeta_max], where zeta_max is computed using a usvp estimate. A nice consequence of this change is that we can run hybrid attack estimates for very large values of n in a reasonable amount of time:

sage:  %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 132000, q = 2**(4*log(schemes.SEAL22_32768.q))))
CPU times: user 6min 53s, sys: 8.49 s, total: 7min 2s
Wall time: 7min 4s
rop: ≈2^441.0, red: ≈2^440.3, svp: ≈2^439.7, β: 535, η: 2, ζ: 239, |S|: ≈2^303.8, d: 263669, prob: ≈2^-249.6, ↻: ≈2^251.8, tag: hybrid

@bencrts bencrts marked this pull request as draft February 5, 2024 20:11
@bencrts bencrts changed the title BDD speed improvement for FHE-sized parameters BDD / Hybrid-BDD speed improvement for FHE-sized parameters Feb 6, 2024
@bencrts bencrts force-pushed the bdd-speed-fix branch 3 times, most recently from 9d2480f to b4d7ba8 Compare February 6, 2024 13:05
@bencrts bencrts marked this pull request as ready for review February 6, 2024 14:35
@bencrts bencrts requested a review from malb February 6, 2024 14:35
if d > 4096:
for i, _ in enumerate(r):
# chosen arbitrarily
j = d - 1024 + i
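Review bot: in `for i, _ in enumerate(r):` with `j = d - 1024 + i`, the index j passes d - 1 once i reaches 1024 if r has d entries, so the loop depends on an early return that is not visible in these lines; iterating `for j in range(d - 1024, d)` would make the bound explicit. The 4096 threshold and the 1024 window are also unexplained beyond "chosen arbitrarily"; naming them and stating which cost ceiling the window corresponds to would let a reader judge when the shortcut can change the returned dimension.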
Owner

So this is saying: start with block size 1024 max?

Collaborator Author

For the final SVP call in size eta yes, so instead of looking for eta \in [n, n-1, ..., 2] it would be eta \in [1024, 1023,...2] -- I admit it's a bit unsatisfactory.

Maybe I can look at what the required eta would be for e.g. RC.ADPS16(eta, 4096) > 2**512 or something, and use this as an upper bound instead?

Owner

I like that:

sage: RC.ADPS16(1754, 1754).log(2.)
512.168000000000

Collaborator Author

@bencrts bencrts Feb 6, 2024

Will update -- good point that it should be RC.ADPS16(eta,eta)!

@malb malb merged commit 49d8e4f into main Feb 6, 2024
4 checks passed
@bencrts bencrts deleted the bdd-speed-fix branch February 29, 2024 10:47
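
The bound discussed in this thread, as an added example that is not part of the pull request or the estimator's code: it derives the eta cap from a 2^512 cost ceiling and shows what a capped scan returns, including when the needed eta lies above the cap. It assumes the ADPS16 model log2(cost) = 0.292·β (consistent with the 512.168 quoted above) and a constructed monotone predicate; `eta_cap`, `scan_eta` and `succeeds` are hypothetical names.

```python
# Added illustration; not code from the pull request or the estimator.
ADPS16_EXPONENT = 0.292  # assumption: log2(cost) = 0.292 * beta


def adps16_log2(beta):
    """log2 of the assumed ADPS16 cost at block size beta."""
    return ADPS16_EXPONENT * beta


def eta_cap(max_log2_cost):
    """Smallest eta >= 2 whose assumed cost exceeds 2**max_log2_cost."""
    if adps16_log2(2) > max_log2_cost:
        return 2
    lo, hi = 2, 4  # after the doubling loop: cost(lo) <= ceiling < cost(hi)
    while adps16_log2(hi) <= max_log2_cost:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:  # binary search for the crossover
        mid = (lo + hi) // 2
        if adps16_log2(mid) > max_log2_cost:
            hi = mid
        else:
            lo = mid
    return hi


def scan_eta(d, succeeds, cap=None, threshold=4096):
    """Return (eta, checks) for the first start index j with succeeds(j).

    With a cap and d > threshold only the last `cap` indices are tried,
    so eta = d - j starts at `cap` instead of at d.
    """
    start = max(0, d - cap) if cap is not None and d > threshold else 0
    for checks, j in enumerate(range(start, d), start=1):
        if succeeds(j):
            return d - j, checks
    return 2, d - start  # nothing succeeded: fall back to the minimum eta


if __name__ == "__main__":
    d, eta_needed = 127471, 555  # d and η from the BDD output on this page
    ok = lambda j: d - j <= eta_needed  # constructed monotone predicate
    cap = eta_cap(512)
    print("cap:", cap)
    print("full scan:", scan_eta(d, ok))
    print("capped scan:", scan_eta(d, ok, cap=cap))
    # If the needed eta is above the cap, the capped scan saturates at the cap,
    # whose assumed cost is already past the 2^512 ceiling.
    print("saturated:", scan_eta(d, lambda j: d - j <= 3000, cap=cap))
```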