c++seal

Reading the remaining noise budget of Ciphertexts without the Secret Key


I use SEAL 2.3.1 and this is my parameter setting:

seal::EncryptionParameters parms;
parms.set_poly_modulus("1x^2048 + 1"); // n = 2048
parms.set_coeff_modulus(coeff_modulus_128(2048)); // q = 54-bit prime
parms.set_plain_modulus(1 << 8); // t = 256

seal::SEALContext context(parms);

And some Ciphertext encrypted1; holding the number 5. The manual say that one can use the seal::Simulator class for reading the noise budget without the secret key. The only thing that I've found was this in the simulator.h file.

/**
Creates a simulation of a ciphertext encrypted with the specified encryption 
parameters and given invariant noise budget. The given noise budget must be 
at least zero, and at most the significant bit count of the coefficient 
modulus minus two.

@param[in] parms The encryption parameters
@param[in] noise_budget The invariant noise budget of the created ciphertext
@param[in] ciphertext_size The size of the created ciphertext
@throws std::invalid_argument if ciphertext_size is less than 2
@throws std::invalid_argument if noise_budget is not in the valid range
*/
Simulation(const EncryptionParameters &parms, int ciphertext_size, 
            int noise_budget);

I can set it with some other Ciphertext encrypted2:

seal::Simulation(parms, encrypted2.size(), (context.total_coeff_modulus().significant_bit_count() - log2(context.poly_modulus().coeff_count() - 1) - log2(context.plain_modulus().value()));

But using this will only create a simulated Ciphertext without any real connection to the actual encrypted1 Ciphertext noise budget.

Is there a way to approximate the noise budget of encrypted1 without the secret key? This situations is important when I or someone else does some computation on externally stored Ciphertexts, e.g. in a cloud database and needs to check the noise budget server side without revealing the secret key.


Solution

  • The Simulation class is meant to estimate the noise budget consumption in various operations so that those operations don't actually have to be executed on real data. Moreover, it uses heuristic upper bounds estimate for the noise consumption, i.e. most likely it overestimates the noise consumption and this effect becomes more pronounced when the computation is more complicated, sometimes resulting in huge overestimates of the noise consumption. Of course, the idea is that the computation is guaranteed to work if it works according to the simulator. A typical use of Simulation would be through the ChooserPoly (and related) classes; this is demonstrated in one of the examples in SEALExamples/main.cpp for SEAL versions < 3.0.

    It is impossible to know or estimate the noise in a ciphertext without knowing how that ciphertext was produced. So if I give you a ciphertext without telling you anything else (except encryption parameter), then you should not be able to know anything about the noise budget unless you know the secret key. I agree that in some cases it could be important for someone to know right away if a ciphertext is still valid for further computations, but it's not possible without some external mechanism.