Allow up to 32 coefficient moduli (#199)

Author: fboemer

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ env:
   SWIFTFORMAT_VERSION: 0.54.0
 jobs:
   swift-tests:
-    timeout-minutes: 15
+    timeout-minutes: 30
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

Benchmarks/RlweBenchmark/RlweBenchmark.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -115,6 +115,59 @@ enum StaticRlweBenchmarkContext {
     }
 }
 
+struct EncryptionParametersConfig {
+    let polyDegree: Int
+    let plaintextModulusBits: [Int]
+    let coefficientModulusBits: [Int]
+}
+
+extension EncryptionParametersConfig: CustomStringConvertible {
+    var description: String {
+        "N=\(polyDegree)/logt=\(plaintextModulusBits)/logq=\(coefficientModulusBits.description)"
+    }
+}
+
+extension EncryptionParameters {
+    init(config: EncryptionParametersConfig) throws {
+        let plaintextModuli = try Scheme.Scalar.generatePrimes(
+            significantBitCounts: config.plaintextModulusBits,
+            preferringSmall: true,
+            nttDegree: config.polyDegree)
+        let coefficientModuli = try Scheme.Scalar.generatePrimes(
+            significantBitCounts: config.coefficientModulusBits,
+            preferringSmall: false,
+            nttDegree: config.polyDegree)
+        self = try EncryptionParameters<Scheme>(
+            polyDegree: config.polyDegree,
+            plaintextModulus: plaintextModuli[0],
+            coefficientModuli: coefficientModuli,
+            errorStdDev: ErrorStdDev.stdDev32,
+            securityLevel: SecurityLevel.quantum128)
+    }
+}
+
+let contextCreationConfig32 = EncryptionParametersConfig(
+    polyDegree: 8192,
+    plaintextModulusBits: [18],
+    coefficientModulusBits: Array(repeating: 28, count: 5))
+let contextCreationConfig64 = EncryptionParametersConfig(
+    polyDegree: 8192,
+    plaintextModulusBits: [18],
+    coefficientModulusBits: Array(repeating: 33, count: 5))
+
+func contextInitBenchmark<Scheme: HeScheme>(_: Scheme.Type, config: EncryptionParametersConfig) -> () -> Void {
+    {
+        let benchmarkName = ["ContextInit", String(describing: Scheme.self), config.description].joined(separator: "/")
+        Benchmark(benchmarkName, configuration: benchmarkConfiguration) { benchmark in
+            let encryptionParameters = try EncryptionParameters<Scheme>(config: config)
+            benchmark.startMeasurement()
+            for _ in benchmark.scaledIterations {
+                try blackHole(_ = Context(encryptionParameters: encryptionParameters))
+            }
+        }
+    }
+}
+
 func encodeCoefficientBenchmark<Scheme: HeScheme>(_: Scheme.Type) -> () -> Void {
     {
         benchmark("EncodeCoefficient", Scheme.self) { benchmark in
@@ -235,8 +288,7 @@ func noiseBudgetBenchmark<Scheme: HeScheme>(_: Scheme.Type) -> () -> Void {
             benchmark.startMeasurement()
             for _ in benchmark.scaledIterations {
                 try blackHole(
-                    benchmarkContext.ciphertext
-                        .noiseBudget(using: benchmarkContext.secretKey, variableTime: true))
+                    benchmarkContext.ciphertext.noiseBudget(using: benchmarkContext.secretKey, variableTime: true))
             }
         }
     }
@@ -548,6 +600,10 @@ func evaluationKeyDeserializeSeedBenchmark<Scheme: HeScheme>(_: Scheme.Type) ->
 
 // swiftlint:disable:next closure_body_length
 nonisolated(unsafe) let benchmarks: () -> Void = {
+    // Context
+    contextInitBenchmark(Bfv<UInt32>.self, config: contextCreationConfig32)()
+    contextInitBenchmark(Bfv<UInt64>.self, config: contextCreationConfig64)()
+
     // Encode/decode
     encodeSimdBenchmark(Bfv<UInt32>.self)()
     encodeSimdBenchmark(Bfv<UInt64>.self)()

Sources/HomomorphicEncryption/Bfv/Bfv+Decrypt.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -82,12 +82,18 @@ extension Bfv {
         case tMax..<pow(tMax, 2):
             precondition(variableTime)
             return try computeNoiseBudget(of: vTimesT, T.DoubleWidth.self)
-        case tMax..<pow(tMax, 4):
+        case pow(tMax, 2)..<pow(tMax, 4):
             precondition(variableTime)
             return try computeNoiseBudget(of: vTimesT, QuadWidth<T>.self)
-        case tMax..<pow(tMax, 8):
+        case pow(tMax, 4)..<pow(tMax, 8):
             precondition(variableTime)
             return try computeNoiseBudget(of: vTimesT, OctoWidth<T>.self)
+        case pow(tMax, 8)..<pow(tMax, 16):
+            precondition(variableTime)
+            return try computeNoiseBudget(of: vTimesT, Width16<T>.self)
+        case pow(tMax, 16)..<pow(tMax, 32):
+            precondition(variableTime)
+            return try computeNoiseBudget(of: vTimesT, Width32<T>.self)
         default:
             preconditionFailure("crtMaxIntermediateValue \(crtMaxIntermediateValue) too large")
         }

Sources/HomomorphicEncryption/DoubleWidthUInt.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -307,6 +307,7 @@ extension DoubleWidthUInt: FixedWidthInteger {
         return (result, didCarry)
     }
 
+    @inlinable
     public func quotientAndRemainder(
         dividingBy other: DoubleWidthUInt) -> (quotient: DoubleWidthUInt, remainder: DoubleWidthUInt)
     {
@@ -720,3 +721,5 @@ extension DoubleWidthUInt: UnsignedInteger where Base: FixedWidthInteger & Unsig
 @usableFromInline typealias DWUInt128 = DoubleWidthUInt<UInt64>
 @usableFromInline typealias QuadWidth<T: FixedWidthInteger & UnsignedInteger> = DoubleWidthUInt<DoubleWidthUInt<T>>
 @usableFromInline typealias OctoWidth<T: FixedWidthInteger & UnsignedInteger> = DoubleWidthUInt<QuadWidth<T>>
+@usableFromInline typealias Width16<T: FixedWidthInteger & UnsignedInteger> = DoubleWidthUInt<OctoWidth<T>>
+@usableFromInline typealias Width32<T: FixedWidthInteger & UnsignedInteger> = DoubleWidthUInt<Width16<T>>

Sources/HomomorphicEncryption/EncryptionParameters.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -136,8 +136,8 @@ public struct EncryptionParameters<Scheme: HeScheme>: Hashable, Codable, Sendabl
         else {
             throw HeError.insecureEncryptionParameters(self)
         }
-        // Due to some usage of OctoWidth
-        guard coefficientModuli.count <= 8 else {
+        // Due to some usage of `Width32`
+        guard coefficientModuli.count <= 32 else {
             throw HeError.invalidEncryptionParameters(self)
         }
         for coefficientModulus in coefficientModuli {

Sources/HomomorphicEncryption/PolyRq/PolyContext.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -19,6 +19,8 @@ public final class PolyContext<T: ScalarType>: Sendable {
     public let degree: Int
     /// CRT-representation of the modulus `Q = product_{i=0}^{L-1} q_i`.
     public let moduli: [T]
+    /// The modulus `Q = product_{i=0}^{L-1} q_i`.
+    @usableFromInline let modulus: Width32<T>
     /// Next context, typically formed by dropping `q_{L-1}`.
     @usableFromInline let next: PolyContext<T>?
     /// Operations mod `q_0` up to `q_{L-1}`.
@@ -41,11 +43,12 @@ public final class PolyContext<T: ScalarType>: Sendable {
         guard degree.isPowerOfTwo else {
             throw HeError.invalidDegree(degree)
         }
-        // For CRT correctness, we require all moduli to be co-prime.
-        // For convenience, we instead check a slightly stronger condition, that
-        // additionally restricts an even modulus to be a power of two. This unnecessarily forbids,
-        // 6, e.g., from being in the RNS base.
-        for modulus in moduli {
+
+        func validate(modulus: T) throws {
+            // For CRT correctness, we require all moduli to be co-prime.
+            // For convenience, we instead check a slightly stronger condition, that
+            // additionally restricts an even modulus to be a power of two. This unnecessarily forbids,
+            // 6, e.g., from being in the RNS base.
             guard modulus.isPrime(variableTime: true) || modulus.isPowerOfTwo else {
                 throw HeError.invalidModulus(Int64(modulus))
             }
@@ -62,6 +65,19 @@ public final class PolyContext<T: ScalarType>: Sendable {
         guard moduli.allUnique() else {
             throw HeError.coprimeModuli(moduli: moduli.map { Int64($0) })
         }
+        guard let lastModulus = moduli.last else {
+            throw HeError.emptyModulus
+        }
+        if let next {
+            precondition(next.moduli[...] == moduli.prefix(moduli.count - 1))
+            try validate(modulus: lastModulus)
+            self.modulus = next.modulus &* Width32<T>(lastModulus)
+        } else {
+            for modulus in moduli {
+                try validate(modulus: modulus)
+            }
+            self.modulus = moduli.product()
+        }
 
         self.degree = degree
         self.moduli = moduli

Sources/HomomorphicEncryption/RnsTool.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -108,15 +108,13 @@ package struct RnsTool<T: ScalarType>: Sendable {
         self.qModT = inputContext.qRemainder(dividingBy: t)
         self.tIncrement = inputContext.moduli.map { qi in qi - t.modulus }
         self.t = t
+        let composedQ = inputContext.modulus
+        let composedT = outputContext.modulus
+        let qDivTComposed = composedQ / composedT
 
-        // At least 8 moduli supported, more when their product is far from `T.max`.
-        let octoModuli = inputContext.moduli.map { modulus in OctoWidth<T>(integerLiteral: Int(modulus)) }
-        let q: OctoWidth<T> = inputContext.moduli.product()
-        let qDivT = q / OctoWidth<T>(integerLiteral: Int(t.modulus))
-
-        self.qDivT = octoModuli.map { qi in MultiplyConstantModulus(
-            multiplicand: T(qDivT % qi),
-            modulus: T(qi),
+        self.qDivT = inputContext.moduli.map { qi in MultiplyConstantModulus(
+            multiplicand: T(qDivTComposed % Width32<T>(qi)),
+            modulus: qi,
             variableTime: true)
         }
 

Sources/HomomorphicEncryption/Util.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -73,3 +73,38 @@ extension Array where Element: FixedWidthInteger {
         reduce(V(0)) { V($0) + V($1) }
     }
 }
+
+extension Array where Element: ScalarType {
+    @inlinable
+    func product() -> Width32<Self.Element> {
+        func wideningProduct<Prod: FixedWidthInteger>(of elements: [some FixedWidthInteger]) -> [Prod] {
+            stride(from: 0, to: elements.count, by: 2).map { index in
+                var product = Prod(elements[index])
+                if index < elements.count - 1 {
+                    product &*= Prod(elements[index + 1])
+                }
+                return product
+            }
+        }
+
+        let doubleWidth: [Self.Element.DoubleWidth] = wideningProduct(of: self)
+        if doubleWidth.count == 1 {
+            return Width32<Self.Element>(doubleWidth[0])
+        }
+        let quadWidth: [QuadWidth<Self.Element>] = wideningProduct(of: doubleWidth)
+        if quadWidth.count == 1 {
+            return Width32<Self.Element>(quadWidth[0])
+        }
+        let octoWidth: [OctoWidth<Self.Element>] = wideningProduct(of: quadWidth)
+        if octoWidth.count == 1 {
+            return Width32<Self.Element>(octoWidth[0])
+        }
+        let width16: [Width16<Self.Element>] = wideningProduct(of: octoWidth)
+        if width16.count == 1 {
+            return Width32<Self.Element>(width16[0])
+        }
+        let width32: [Width32<Self.Element>] = wideningProduct(of: width16)
+        precondition(width32.count == 1)
+        return width32[0]
+    }
+}

Tests/HomomorphicEncryptionTests/HeAPITests.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -1066,16 +1066,27 @@ class HeAPITests: XCTestCase {
             }
         let custom = try EncryptionParameters<Bfv<T>>(
             polyDegree: TestUtils.testPolyDegree,
-            plaintextModulus: T
-                .generatePrimes(
-                    significantBitCounts: [12],
-                    preferringSmall: true,
-                    nttDegree: TestUtils.testPolyDegree)[0],
+            plaintextModulus: T.generatePrimes(
+                significantBitCounts: [12],
+                preferringSmall: true,
+                nttDegree: TestUtils.testPolyDegree)[0],
             coefficientModuli: testCoefficientModuli(),
             errorStdDev: ErrorStdDev.stdDev32,
             securityLevel: SecurityLevel.unchecked)
+        let manyModuli = try EncryptionParameters<Bfv<T>>(
+            polyDegree: TestUtils.testPolyDegree,
+            plaintextModulus: T.generatePrimes(
+                significantBitCounts: [12],
+                preferringSmall: true,
+                nttDegree: TestUtils.testPolyDegree)[0],
+            coefficientModuli: T.generatePrimes(
+                significantBitCounts: Array(repeating: T.bitWidth - 4, count: 32),
+                preferringSmall: false,
+                nttDegree: TestUtils.testPolyDegree),
+            errorStdDev: ErrorStdDev.stdDev32,
+            securityLevel: SecurityLevel.unchecked)
 
-        for encryptionParameters in predefined + [custom] {
+        for encryptionParameters in predefined + [custom, manyModuli] {
             let context = try Context<Bfv<T>>(encryptionParameters: encryptionParameters)
             try schemeEncodeDecodeTest(context: context)
             try schemeEncryptDecryptTest(context: context)

Tests/HomomorphicEncryptionTests/PolyRqTests/PolyContextTests.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ final class PolyContextTests: XCTestCase {
         let context1 = try PolyContext<UInt32>(degree: 4, moduli: [2])
 
         XCTAssertEqual(context3.moduli, [2, 3, 5])
+        XCTAssertEqual(context3.modulus, Width32<UInt32>(30))
         XCTAssertEqual(context3.degree, 4)
         XCTAssertEqual(context3.next, context2)
         if let context3Next = context3.next {

Tests/HomomorphicEncryptionTests/UtilTests.swift

@@ -1,4 +1,4 @@
-// Copyright 2024 Apple Inc. and the Swift Homomorphic Encryption project authors
+// Copyright 2024-2025 Apple Inc. and the Swift Homomorphic Encryption project authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -51,6 +51,8 @@ class UtilTests: XCTestCase {
         XCTAssertEqual([7].product(), 7)
         XCTAssertEqual([1, 2, 3].product(), 6)
         XCTAssertEqual([UInt8(255), UInt8(2)].product(), UInt16(510))
+
+        XCTAssertEqual([UInt32(1 << 17), UInt32(1 << 17)].product(), Width32<UInt32>(1 << 34))
     }
 
     func testSum() {