LWE
LWE attributes
PlaintextEncodingAttr
Syntax: #lwe.plaintext_encoding
ApplicationDataAttr
Syntax:
#lwe.application_data<
mlir::Type, # message_type
Attribute # overflow
>
An attribute describing the semantics of the underlying application data.
The messageType
parameter is used to describe the type and bits of the
original application data, e.g. i1, i32, f32. This type is later mapped
into the plaintext space of an FHE scheme by embedding, scaling, or other
techniques.
This attribute also contains information about the overflow semantics of the
data in the application. By default, we assume that the application program
was written so that the overflow is not expected and the overflow attribute
can can be no_overflow
. For LWE-based CGGI ciphertexts, the overflow
attribute will usually be preserve_overflow
, since messages will overflow
into padding bits.
Parameters:
Parameter | C++ type | Description |
---|---|---|
message_type | mlir::Type | |
overflow | Attribute |
BitFieldEncodingAttr
An attribute describing encoded LWE plaintexts using bit fields.
Syntax:
#lwe.bit_field_encoding<
unsigned, # cleartext_start
unsigned # cleartext_bitwidth
>
A bit field encoding of an integer describes which contiguous region of bits a small integer occupies within a larger integer.
The data describing the encoding consists of the starting bit positions of
the cleartext bit field and its width, where the LSB is bit 0 and the MSB
is bit bit_width-1
. So the above example would have starting bit 30
and
width 3
. The bits not specified for the message have semantics defined
by the scheme or lowering.
Note that this encoding does not specify the underlying bit width of the plaintext space. This is left for lowerings to decide.
The presence of this attribute as the encoding
attribute of a tensor
indicates that the tensor is an LWE ciphertext.
Example (CGGI):
#encoding = #lwe.bit_field_encoding<cleartext_start=30, cleartext_bitwidth=3>
!plaintext = !lwe.lwe_plaintext<encoding = #encoding>
%0 = arith.constant 4 : i3
%1 = lwe.encode %0 { encoding = #encoding }: i3 to !plaintext
The above represents an LWE plaintext encoding the 3-bit cleartext 4 as an
LWE ciphertext in a 32-bit integer, with a single bit of padding at the MSB.
This corresponds to the following, where 0 denotes a 0 bit, b
denotes a
bit of the cleartext, n
denotes a bit reserved for noise, and |
is a
visual aid to show where the bit fields begin and end.
0|bbb|nn...n
MSB^ ^LSB
Example (BGV):
Note: BGV uses the RLWE encodings, but they have the same bit-field encoding attributes as here. So this example serves mainly to show how this attribute can be used to specify storing bits in the LSB of a plaintext.
#encoding = #lwe.bit_field_encoding<cleartext_start=4, cleartext_bitwidth=4>
!plaintext = !lwe.lwe_plaintext<encoding = #encoding>
%0 = arith.constant 9 : i4
%1 = lwe.encode %0 { encoding = #encoding }: i4 to !plaintext
The above represents an LWE plaintext encoding a 4-bit cleartext as an LWE ciphertext in the least-significant bits of a larger integer. This corresponds to the following.
nn...n|bbbb
MSB^ ^LSB
Parameters:
Parameter | C++ type | Description |
---|---|---|
cleartext_start | unsigned | |
cleartext_bitwidth | unsigned |
CiphertextSpaceAttr
Syntax:
#lwe.ciphertext_space<
::mlir::polynomial::RingAttr, # ring
::mlir::heir::lwe::LweEncryptionType # encryption_type
>
An attribute describing the ciphertext space and the transformation from plaintext space to ciphertext space of an FHE scheme.
The ciphertext space information includes the ring structure, which contains the ciphertext modulus $q$. Ciphertexts using an RNS representation for $q$ will represent their ciphertext components in the ring attribute. Scalar LWE ciphertexts (as opposed to RLWE) use an ideal polynomial of degree 1, $x$. CGGI ciphertexts will typically use a power of two modulus.
The ciphertext encoding info is used to describe the way the plaintext data is encoded into the ciphertext (in the MSB, LSB, or mixed).
Parameters:
Parameter | C++ type | Description |
---|---|---|
ring | ::mlir::polynomial::RingAttr | |
encryption_type | ::mlir::heir::lwe::LweEncryptionType |
CoefficientEncodingAttr
An encoding of cleartexts directly as coefficients.
Syntax:
#lwe.coefficient_encoding<
unsigned # scaling_factor
>
A coefficient encoding of a list of integers asserts that the coefficients
of the polynomials contain the integers, with the same semantics as
constant_coefficient_encoding
for per-coefficient encodings.
A scaling_factor
is optionally applied on the scalar when converting from
a rounded floating point to an integer.
Example:
#coeff_encoding = #lwe.coefficient_encoding<scaling_factor=10000>
Parameters:
Parameter | C++ type | Description |
---|---|---|
scaling_factor | unsigned |
ConstantCoefficientEncodingAttr
An encoding of a scalar in the constant coefficient
Syntax:
#lwe.constant_coefficient_encoding<
unsigned # scaling_factor
>
An encoding of a single scalar into the constant coefficient of the plaintext.
All other coefficients of the plaintext are set to be zero. This encoding is
used to encode scalar LWE ciphertexts where the plaintext space is viewed
as a polynomial ring modulo x
.
The scalar is first multiplied by the scaling_factor
and then rounded to
the nearest integer before encoding into the plaintext coefficient.
Example:
#coeff_encoding = #lwe.constant_coefficient_encoding<scaling_factor=10000>
Parameters:
Parameter | C++ type | Description |
---|---|---|
scaling_factor | unsigned |
FullCRTPackingEncodingAttr
An encoding of cleartexts via CRT slots.
Syntax:
#lwe.full_crt_packing_encoding<
unsigned # scaling_factor
>
This encoding maps a list of integers via the Chinese Remainder Theorem (CRT) into the plaintext space.
Given a ring with irreducible ideal polynomial f(x)
and coefficient
modulus q
, f(x)
can be decomposed modulo q
into a direct product of
lower-degree polynomials. This allows full SIMD-style homomorphic operations
across the slots formed from each factor.
This attribute can only be used in the context of on full CRT packing, where
the polynomial f(x)
splits completely (into linear factors) and the number
of slots equals the degree of f(x)
. This happens when q
is prime and q = 1 mod n
.
A scaling_factor
is optionally applied on the scalar when converting from
a rounded floating point to an integer.
Example:
#coeff_encoding = #lwe.full_crt_packing_encoding<scaling_factor=10000>
Parameters:
Parameter | C++ type | Description |
---|---|---|
scaling_factor | unsigned |
InverseCanonicalEncodingAttr
An encoding of cleartexts via the inverse canonical embedding.
Syntax:
#lwe.inverse_canonical_encoding<
unsigned # scaling_factor
>
Let $n$ be the degree of the polynomials in the plaintext space. An “inverse_canonical_encoding” of a list of real or complex values $v_1, \dots, v_{n/2}$ is (almost) the inverse of the following decoding map.
Define a map $\tau_N$ that maps a polynomial $p \in \mathbb{Z}[x] / (x^N + 1) \to \mathbb{C}^{N/2}$ by evaluating it at the following $N/2$ points, where $\omega = e^{2 \pi i / 2N}$ is the primitive $2N$th root of unity:
[ \omega, \omega^3, \omega^5, \dots, \omega^{N-1} ]
Then the complete decoding operation is $\textup{Decode}(p) = (1/\Delta)\tau_N(p)$, where $\Delta$ is a scaling parameter and $\tau_N$ is the truncated canonical embedding above. The encoding operation is the inverse of the decoding operation, with some caveats explained below.
The map $\tau_N$ is derived from the so-called canonical embedding $\tau$, though in the standard canonical embedding, we evaluate at all odd powers of the root of unity, $\omega, \omega^3, \dots, \omega^{2N-1}$. For polynomials in the slightly larger space $\mathbb{R}[x] / (x^N + 1)$, the image of the canonical embedding is the subspace $H \subset \mathbb{C}^N$ defined by tuples $(z_1, \dots, z_N)$ such that $\overline{z_i} = \overline{z_{N-i+1}}$. Note that this property holds because polynomial evaluation commutes with complex conjugates, and the second half of the roots of unity evaluate are complex conjugates of the first half. The converse, that any such tuple with complex conjugate symmetry has an inverse under $\tau$ with all real coefficients, makes $\tau$ is a bijection onto $H$. $\tau$ and its inverse are explicitly computable as discrete Fourier Transforms.
Because of the symmetry in canonical embedding for real polynomials, inputs to this encoding can be represented as a list of $N/2$ complex points, with the extra symmetric structure left implicit. $\tau_N$ and its inverse can also be explicitly computed without need to expand the vectors to length $N$.
The rounding step is required to invert the decoding because, while cleartexts must be (implicitly) in the subspace $H$, they need not be the output of $\tau_N$ for an integer polynomial. The rounding step ensures we can use integer polynomial plaintexts for the FHE operations. There are multiple rounding mechanisms, and this attribute does not specify which is used, because in theory two ciphertexts that have used different roundings are still compatible, though they may have different noise growth patterns.
The scaling parameter $\Delta$ is specified by the scaling_factor
, which
are applied coefficient-wise using the same semantics as the
constant_coefficient_encoding
.
A typical flow for the CKKS scheme using this encoding would be to apply an inverse FFT operation to invert the canonical embedding to be a polynomial with real coefficients, then encrypt scale the resulting polynomial’s coefficients according to the scaling parameters, then round to get integer coefficients.
Example:
#canonical_encoding = #lwe.inverse_canonical_encoding<scaling_factor=10000>
Parameters:
Parameter | C++ type | Description |
---|---|---|
scaling_factor | unsigned |
KeyAttr
Syntax:
#lwe.key<
::mlir::StringAttr, # id
unsigned, # size
::llvm::ArrayRef<unsigned int> # basis
>
An attribute describing the key used for encrypting the ciphertext.
This attribute includes a key identifier for the original key used to encrypt the secret key.
The key_size
parameter is used to describe the number of polynomials of
the secret key. This is typically $1$ for RLWE ciphertexts and greater than
$1$ for LWE instances. A ciphertext encrypted with a key_size
of $k$ will
have size $k+1$.
The key basis describes the inner product used in the phase calculation in
decryption. This attribute is only supported for RLWE ciphertexts whose
key_size
is $1$. An RLWE ciphertext is canonically encrypted against key
basis (1, s)
. After a multiplication, its size will increase and the basis
will be (1, s, s^2)
. The array that represents the key basis is
constructed by listing the powers of s
at each position of the array. For
example, (1, s, s^2)
corresponds to [0, 1, 2]
, while (1, s^2)
corresponds to [0, 2]
.
Parameters:
Parameter | C++ type | Description |
---|---|---|
id | ::mlir::StringAttr | |
size | unsigned | |
basis | ::llvm::ArrayRef<unsigned int> |
LWEParamsAttr
Syntax:
#lwe.lwe_params<
IntegerAttr, # cmod
unsigned # dimension
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
cmod | IntegerAttr | |
dimension | unsigned |
ModulusChainAttr
Syntax:
#lwe.modulus_chain<
::llvm::ArrayRef<mlir::IntegerAttr>, # elements
int # current
>
An attribute describing the elements of the modulus chain of an RLWE scheme.
Parameters:
Parameter | C++ type | Description |
---|---|---|
elements | ::llvm::ArrayRef<mlir::IntegerAttr> | |
current | int |
NoOverflowAttr
An attribute informing that application data never overflows.
Syntax: #lwe.no_overflow
This attribute informs lowerings that a program is written so that the message data will never overflow beyond the message type.
// FIXME: Have a separate WraparoundOverflow, which lowers the same as NoOverflow?
PlaintextSpaceAttr
Syntax:
#lwe.plaintext_space<
::mlir::polynomial::RingAttr, # ring
Attribute # encoding
>
An attribute describing the plaintext space and the transformation from application data to plaintext space of an FHE scheme.
The plaintext space information is the ring structure, which contains the plaintext modulus $t$, which may be a power of two in the case of CGGI ciphertexts, or a prime power for RLWE. LWE ciphertexts use the ideal polynomial of degree 1 $x$. The plaintext modulus used in LWE-based CGGI plaintexts describes the full message space $\mathbb{Z}_p$ including the padding bits. The application data info attribute describes the space $\mathbb{Z}_p’$ where $p’ < p$ that the underlying message belongs to.
For RLWE schemes, this will include the type of encoding of application data
integers to a plaintext space Z_p[X]/X^N + 1
. This may be a constant
coefficient encoding, CRT-based packing for SIMD semantics, or other slot
packing. When using full CRT packing, the ring must split into linear
factors. The CKKS scheme will also include attributes describing the complex
encoding, including the scaling factor, which will change after
multiplication and rescaling.
Parameters:
Parameter | C++ type | Description |
---|---|---|
ring | ::mlir::polynomial::RingAttr | |
encoding | Attribute |
PreserveOverflowAttr
An attribute informing that application data overflows in the message type.
Syntax: #lwe.preserve_overflow
This attribute informs lowerings that a program is written so that the message data may overflow beyond the message type.
RLWEParamsAttr
Syntax:
#lwe.rlwe_params<
unsigned, # dimension
::mlir::polynomial::RingAttr # ring
>
An attribute describing classical RLWE parameters:
dimension
: the number of polynomials used in an RLWE sample, analogous to LWEParams.dimension.ring
: the polynomial ring to use.
Parameters:
Parameter | C++ type | Description |
---|---|---|
dimension | unsigned | |
ring | ::mlir::polynomial::RingAttr |
UnspecifiedBitFieldEncodingAttr
An attribute describing unspecified bit field encodings.
Syntax:
#lwe.unspecified_bit_field_encoding<
unsigned # cleartext_bitwidth
>
See LWE_BitFieldEncoding for a description of bit field encodings.
This attribute describes an unspecified bit field encoding; this is where the starting bit position of the cleartext bit field is unspecified, but its width is fixed. A noise growth analysis should be performed to determine the optimal amount of bits needed for noise and padding to specify the bit field encodings starting bit position.
Example:
#lwe_encoding = #lwe.unspecified_bit_field_encoding<cleartext_bitwidth=3>
%lwe_ciphertext = arith.constant <[1,2,3,4]> : tensor<4xi32, #lwe_encoding>
Parameters:
Parameter | C++ type | Description |
---|---|---|
cleartext_bitwidth | unsigned |
InverseCanonicalEmbeddingEncodingAttr
An attribute describing encoded RLWE plaintexts via the rounded inverse canonical embedding.
Syntax:
#lwe.inverse_canonical_embedding_encoding<
unsigned, # cleartext_start
unsigned # cleartext_bitwidth
>
Let $n$ be the degree of the polynomials in the plaintext space. An “inverse canonical embedding encoding” of a list of real or complex values $v_1, \dots, v_{n/2}$ is (almost) the inverse of the following decoding map.
Define a map $\tau_N$ that maps a polynomial $p \in \mathbb{Z}[x] / (x^N + 1) \to \mathbb{C}^{N/2}$ by evaluating it at the following $N/2$ points, where $\omega = e^{2 \pi i / 2N}$ is the primitive $2N$th root of unity:
[ \omega, \omega^3, \omega^5, \dots, \omega^{N-1} ]
Then the complete decoding operation is $\textup{Decode}(p) = (1/\Delta)\tau_N(p)$, where $\Delta$ is a scaling parameter and $\tau_N$ is the truncated canonical embedding above. The encoding operation is the inverse of the decoding operation, with some caveats explained below.
The map $\tau_N$ is derived from the so-called canonical embedding $\tau$, though in the standard canonical embedding, we evaluate at all odd powers of the root of unity, $\omega, \omega^3, \dots, \omega^{2N-1}$. For polynomials in the slightly larger space $\mathbb{R}[x] / (x^N + 1)$, the image of the canonical embedding is the subspace $H \subset \mathbb{C}^N$ defined by tuples $(z_1, \dots, z_N)$ such that $\overline{z_i} = \overline{z_{N-i+1}}$. Note that this property holds because polynomial evaluation commutes with complex conjugates, and the second half of the roots of unity evaluate are complex conjugates of the first half. The converse, that any such tuple with complex conjugate symmetry has an inverse under $\tau$ with all real coefficients, makes $\tau$ is a bijection onto $H$. $\tau$ and its inverse are explicitly computable as discrete Fourier Transforms.
Because of the symmetry in canonical embedding for real polynomials, inputs to this encoding can be represented as a list of $N/2$ complex points, with the extra symmetric structure left implicit. $\tau_N$ and its inverse can also be explicitly computed without need to expand the vectors to length $N$.
The rounding step is required to invert the decoding because, while cleartexts must be (implicitly) in the subspace $H$, they need not be the output of $\tau_N$ for an integer polynomial. The rounding step ensures we can use integer polynomial plaintexts for the FHE operations. There are multiple rounding mechanisms, and this attribute does not specify which is used, because in theory two ciphertexts that have used different roundings are still compatible, though they may have different noise growth patterns.
The scaling parameter $\Delta$ is specified by the cleartext_start
and
cleartext_bitwidth
parameters, which are applied coefficient-wise using
the same semantics as the bit_field_encoding
.
This attribute can be used in multiple ways:
- On a
poly.poly
, it asserts that the polynomial has been transformed from a coefficient list using the canonical embedding. - On a tensor of
poly.poly
, it asserts that the tensor is an RLWE ciphertext for some RLWE scheme that supports the approximate embedding encoding.
A typical flow for the CKKS scheme using this encoding would be to apply an inverse FFT operation to invert the canonical embedding to be a polynomial with real coefficients, then encrypt scale the resulting polynomial’s coefficients according to the scaling parameters, then round to get integer coefficients.
Example:
#generator = #poly.polynomial<1 + x**1024>
#ring = #poly.ring<cmod=65536, ideal=#generator>
#lwe_encoding = #lwe.polynomial_evaluation_encoding<cleartext_start=30, cleartext_bitwidth=3>
%evals = arith.constant <[1, 2, 4, 5]> : tensor<4xi16>
%poly1 = poly.intt %evals : tensor<4xi16, #ring> -> !poly.poly<#ring, #eval_encoding>
%poly2 = poly.intt %evals : tensor<4xi16, #ring> -> !poly.poly<#ring, #eval_encoding>
%rlwe_ciphertext = tensor.from_elements %poly1, %poly2 : tensor<2x!poly.poly<#ring, #eval_encoding>>
See bit_field_encoding
for the definition of the cleartext_start
and
cleartext_bitwidth
fields.
Parameters:
Parameter | C++ type | Description |
---|---|---|
cleartext_start | unsigned | |
cleartext_bitwidth | unsigned |
PolynomialCoefficientEncodingAttr
An attribute describing encoded RLWE plaintexts via coefficients.
Syntax:
#lwe.polynomial_coefficient_encoding<
unsigned, # cleartext_start
unsigned # cleartext_bitwidth
>
A coefficient encoding of a list of integers asserts that the coefficients
of the polynomials contain the cleartexts, with the same semantics as
bit_field_encoding
for per-coefficient encodings.
The presence of this attribute as the encoding
attribute of a tensor of
poly.poly
indicates that the tensor is an RLWE ciphertext for some RLWE
scheme that supports the coefficient encoding.
See bit_field_encoding
for the definition of the cleartext_start
and
cleartext_bitwidth
fields.
Example:
#generator = #poly.polynomial<1 + x**1024>
#ring = #poly.ring<cmod=65536, ideal=#generator>
#coeff_encoding = #lwe.polynomial_coefficient_encoding<cleartext_start=15, cleartext_bitwidth=4>
%poly1 = poly.from_tensor %coeffs1 : tensor<10xi16> -> !poly.poly<#ring>
%poly2 = poly.from_tensor %coeffs2 : tensor<10xi16> -> !poly.poly<#ring>
%rlwe_ciphertext = tensor.from_elements %poly1, %poly2 : tensor<2x!poly.poly<#ring>, #coeff_encoding>
Parameters:
Parameter | C++ type | Description |
---|---|---|
cleartext_start | unsigned | |
cleartext_bitwidth | unsigned |
PolynomialEvaluationEncodingAttr
An attribute describing encoded RLWE plaintexts via evaluations at fixed points.
Syntax:
#lwe.polynomial_evaluation_encoding<
unsigned, # cleartext_start
unsigned # cleartext_bitwidth
>
A “evaluation encoding” of a list of integers $(v_1, \dots, v_n)$ asserts
that $f(x_1 ) = v_1, \dots, f(x_n) = v_n$ for some implicit, but fixed and
distinct choice of inputs $x_i$. The encoded values are also scaled by a
scale factor, having the same semantics as bit_field_encoding
, but
applied entry-wise (to either the coefficient or evaluation representation).
This attribute can be used in multiple ways:
- On a
poly.poly
, it asserts that the polynomial has been transformed from an evaluation tensor. - On a tensor of
poly.poly
, it asserts that the tensor is an RLWE ciphertext for some RLWE scheme that supports the evaluation encoding.
A typical workflow for the BFV/BGV schemes using this encoding would be to apply a INTT operation to the input list of cleartexts to convert from evaluation form to coefficient form, then encrypt the resulting polynomial in coefficient form, then apply NTT back to the evaluation form for faster multiplication of ciphertexts.
The points chosen are fixed to be the powers of a primitive root of unity of the coefficient ring of the plaintext space, which allows one to use NTT/INTT to tansform quickly between the coefficient and evaluation forms.
Example:
#generator = #poly.polynomial<1 + x**1024>
// note that the cmod should be chosen so as to ensure a primitive root of
// unity exists in the multiplicative group (Z / cmod Z)^*
#ring = #poly.ring<cmod=65536, ideal=#generator>
#lwe_encoding = #lwe.polynomial_evaluation_encoding<cleartext_start=30, cleartext_bitwidth=3>
%evals = arith.constant <[1, 2, 4, 5]> : tensor<4xi16>
%poly1 = poly.intt %evals : tensor<4xi16, #ring> -> !poly.poly<#ring, #eval_encoding>
%poly2 = poly.intt %evals : tensor<4xi16, #ring> -> !poly.poly<#ring, #eval_encoding>
%rlwe_ciphertext = tensor.from_elements %poly1, %poly2 : tensor<2x!poly.poly<#ring, #eval_encoding>>
See bit_field_encoding
for the definition of the cleartext_start
and
cleartext_bitwidth
fields.
Parameters:
Parameter | C++ type | Description |
---|---|---|
cleartext_start | unsigned | |
cleartext_bitwidth | unsigned |
LWE types
LWECiphertextType
A type for LWE ciphertexts
Syntax:
!lwe.lwe_ciphertext<
::mlir::Attribute, # encoding
LWEParamsAttr # lwe_params
>
A type for LWE ciphertexts.
This type keeps track of the plaintext integer encoding for the LWE Ciphertext to ensure proper decoding after decryption. It also keeps track of the ring where the LWE ciphertext is defined, which provides information on the ciphertext shape and the ring operations used in LWE operations.
Parameters:
Parameter | C++ type | Description |
---|---|---|
encoding | ::mlir::Attribute | |
lwe_params | LWEParamsAttr |
LWEPlaintextType
A type for LWE plaintexts
Syntax:
!lwe.lwe_plaintext<
::mlir::Attribute # encoding
>
A type for LWE plaintexts.
This type keeps track of the plaintext integer encoding for the LWE plaintext before it is encrypted.
Parameters:
Parameter | C++ type | Description |
---|---|---|
encoding | ::mlir::Attribute |
NewLWECiphertextType
A ciphertext type
Syntax:
!lwe.new_lwe_ciphertext<
ApplicationDataAttr, # application_data
PlaintextSpaceAttr, # plaintext_space
CiphertextSpaceAttr, # ciphertext_space
KeyAttr, # key
ModulusChainAttr # modulus_chain
>
An LWE ciphertext will always contain the application data, plaintext space, ciphertext space, and key information.
A modulus chain is optionally specified for parameter choices in RLWE schemes that use more than one of modulus. When no modulus chain is specified, the ciphertext modulus is always the ciphertext ring’s coefficient modulus.
Parameters:
Parameter | C++ type | Description |
---|---|---|
application_data | ApplicationDataAttr | |
plaintext_space | PlaintextSpaceAttr | |
ciphertext_space | CiphertextSpaceAttr | |
key | KeyAttr | |
modulus_chain | ModulusChainAttr |
NewLWEPlaintextType
A plaintext type
Syntax:
!lwe.new_lwe_plaintext<
ApplicationDataAttr, # application_data
PlaintextSpaceAttr # plaintext_space
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
application_data | ApplicationDataAttr | |
plaintext_space | PlaintextSpaceAttr |
NewLWEPublicKeyType
A public key for LWE
Syntax:
!lwe.new_lwe_public_key<
KeyAttr, # key
::mlir::polynomial::RingAttr # ring
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
key | KeyAttr | |
ring | ::mlir::polynomial::RingAttr |
NewLWESecretKeyType
A secret key for LWE
Syntax:
!lwe.new_lwe_secret_key<
KeyAttr, # key
::mlir::polynomial::RingAttr # ring
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
key | KeyAttr | |
ring | ::mlir::polynomial::RingAttr |
RLWECiphertextType
A type for RLWE ciphertexts
Syntax:
!lwe.rlwe_ciphertext<
::mlir::Attribute, # encoding
RLWEParamsAttr, # rlwe_params
Type # underlying_type
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
encoding | ::mlir::Attribute | |
rlwe_params | RLWEParamsAttr | |
underlying_type | Type |
RLWEPlaintextType
A type for RLWE plaintexts
Syntax:
!lwe.rlwe_plaintext<
::mlir::Attribute, # encoding
::mlir::polynomial::RingAttr, # ring
Type # underlying_type
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
encoding | ::mlir::Attribute | |
ring | ::mlir::polynomial::RingAttr | |
underlying_type | Type |
RLWEPublicKeyType
A public key for RLWE
Syntax:
!lwe.rlwe_public_key<
RLWEParamsAttr # rlwe_params
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
rlwe_params | RLWEParamsAttr |
RLWESecretKeyType
A secret key for RLWE
Syntax:
!lwe.rlwe_secret_key<
RLWEParamsAttr # rlwe_params
>
Parameters:
Parameter | C++ type | Description |
---|---|---|
rlwe_params | RLWEParamsAttr |
LWE ops
lwe.add
(heir::lwe::AddOp)
Add two LWE ciphertexts
Syntax:
operation ::= `lwe.add` operands attr-dict `:` type($output)
Traits: AlwaysSpeculatableImplTrait
, Commutative
, Elementwise
, SameOperandsAndResultType
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
lhs | A type for LWE ciphertexts |
rhs | A type for LWE ciphertexts |
Results:
Result | Description |
---|---|
output | A type for LWE ciphertexts |
lwe.encode
(heir::lwe::EncodeOp)
Encode an integer to yield an LWE plaintext
Syntax:
operation ::= `lwe.encode` $plaintext attr-dict `:` qualified(type($plaintext)) `to` qualified(type($output))
Encode an integer to yield an LWE plaintext.
This op uses a an encoding attribute to encode the bits of the integer into an LWE plaintext value that can then be encrypted.
Examples:
%Y = lwe.encode %value {encoding = #enc}: i1 to !lwe.lwe_plaintext<encoding = #enc>
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Attributes:
Attribute | MLIR Type | Description |
---|---|---|
encoding | ::mlir::Attribute | An attribute describing encoded LWE plaintexts using bit fields. or An attribute describing unspecified bit field encodings. |
Operands:
Operand | Description |
---|---|
plaintext | signless-integer-like |
Results:
Result | Description |
---|---|
output | A type for LWE plaintexts |
lwe.mul_scalar
(heir::lwe::MulScalarOp)
Multiply an LWE ciphertext by a scalar
Syntax:
operation ::= `lwe.mul_scalar` operands attr-dict `:` functional-type(operands, results)
Traits: AlwaysSpeculatableImplTrait
, Elementwise
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
ciphertext | ciphertext-like |
scalar | integer |
Results:
Result | Description |
---|---|
output | ciphertext-like |
lwe.radd
(heir::lwe::RAddOp)
Add two RLWE ciphertexts
Syntax:
operation ::= `lwe.radd` operands attr-dict `:` type($output)
Traits: AlwaysSpeculatableImplTrait
, Commutative
, Elementwise
, SameOperandsAndResultType
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
lhs | A type for RLWE ciphertexts |
rhs | A type for RLWE ciphertexts |
Results:
Result | Description |
---|---|
output | A type for RLWE ciphertexts |
lwe.rlwe_decode
(heir::lwe::RLWEDecodeOp)
Decode an RLWE plaintext to an underlying type
Syntax:
operation ::= `lwe.rlwe_decode` $input attr-dict `:` qualified(type($input)) `->` qualified(type($output))
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Attributes:
Attribute | MLIR Type | Description |
---|---|---|
encoding | ::mlir::Attribute | An attribute describing encoded RLWE plaintexts via coefficients. or An attribute describing encoded RLWE plaintexts via evaluations at fixed points. or An attribute describing encoded RLWE plaintexts via the rounded inverse canonical embedding. |
ring | ::mlir::polynomial::RingAttr | an attribute specifying a polynomial ring |
Operands:
Operand | Description |
---|---|
input | A type for RLWE plaintexts |
Results:
Result | Description |
---|---|
output | signless-integer-like |
lwe.rlwe_decrypt
(heir::lwe::RLWEDecryptOp)
Decrypt an RLWE ciphertext to a RLWE plaintext
Syntax:
operation ::= `lwe.rlwe_decrypt` operands attr-dict `:` functional-type(operands, results)
Decrypt an RLWE ciphertext to yield a RLWE plaintext
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
input | A type for RLWE ciphertexts |
secret_key | A secret key for RLWE |
Results:
Result | Description |
---|---|
output | A type for RLWE plaintexts |
lwe.rlwe_encode
(heir::lwe::RLWEEncodeOp)
Encode an integer to yield an RLWE plaintext
Syntax:
operation ::= `lwe.rlwe_encode` $input attr-dict `:` qualified(type($input)) `->` qualified(type($output))
Encode an integer to yield an RLWE plaintext.
This op uses a an encoding attribute to encode the bits of the integer into an RLWE plaintext value that can then be encrypted. CKKS cleartext inputs may be floating points, and a scaling factor described by the encoding will be applied.
Examples:
%Y = lwe.rlwe_encode %value {encoding = #enc, ring = #ring}: i1 to !lwe.rlwe_plaintext<encoding = #enc, ring = #ring>
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Attributes:
Attribute | MLIR Type | Description |
---|---|---|
encoding | ::mlir::Attribute | An attribute describing encoded RLWE plaintexts via coefficients. or An attribute describing encoded RLWE plaintexts via evaluations at fixed points. or An attribute describing encoded RLWE plaintexts via the rounded inverse canonical embedding. |
ring | ::mlir::polynomial::RingAttr | an attribute specifying a polynomial ring |
Operands:
Operand | Description |
---|---|
input | signless-integer-like or floating-point-like |
Results:
Result | Description |
---|---|
output | A type for RLWE plaintexts |
lwe.rlwe_encrypt
(heir::lwe::RLWEEncryptOp)
Encrypt an RLWE plaintext to a RLWE ciphertext
Syntax:
operation ::= `lwe.rlwe_encrypt` operands attr-dict `:` functional-type(operands, results)
Encrypt an RLWE plaintext to yield a RLWE ciphertext.
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
input | A type for RLWE plaintexts |
key | A secret key for RLWE or A public key for RLWE |
Results:
Result | Description |
---|---|
output | A type for RLWE ciphertexts |
lwe.rmul
(heir::lwe::RMulOp)
Multiplies two RLWE ciphertexts
Syntax:
operation ::= `lwe.rmul` operands attr-dict `:` functional-type(operands, results)
Traits: AlwaysSpeculatableImplTrait
, Commutative
, Elementwise
, InferTypeOpAdaptor
, SameTypeOperands
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
lhs | A type for RLWE ciphertexts |
rhs | A type for RLWE ciphertexts |
Results:
Result | Description |
---|---|
output | A type for RLWE ciphertexts |
lwe.rnegate
(heir::lwe::RNegateOp)
Negate a RLWE ciphertexts
Syntax:
operation ::= `lwe.rnegate` operands attr-dict `:` type($output)
Traits: AlwaysSpeculatableImplTrait
, Elementwise
, SameOperandsAndResultType
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
input | ciphertext-like |
Results:
Result | Description |
---|---|
output | ciphertext-like |
lwe.rsub
(heir::lwe::RSubOp)
Subtract two RLWE ciphertexts
Syntax:
operation ::= `lwe.rsub` operands attr-dict `:` type($output)
Traits: AlwaysSpeculatableImplTrait
, Elementwise
, SameOperandsAndResultType
, Scalarizable
, Tensorizable
, Vectorizable
Interfaces: ConditionallySpeculatable
, InferTypeOpInterface
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
lhs | A type for RLWE ciphertexts |
rhs | A type for RLWE ciphertexts |
Results:
Result | Description |
---|---|
output | A type for RLWE ciphertexts |
lwe.trivial_encrypt
(heir::lwe::TrivialEncryptOp)
Create a trivial encryption of a plaintext.
Syntax:
operation ::= `lwe.trivial_encrypt` operands attr-dict `:` qualified(type(operands)) `to` qualified(type(results))
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Attributes:
Attribute | MLIR Type | Description |
---|---|---|
params | ::mlir::heir::lwe::LWEParamsAttr |
Operands:
Operand | Description |
---|---|
input | A type for LWE plaintexts |
Results:
Result | Description |
---|---|
output | A type for LWE ciphertexts |
lwe.reinterpret_underlying_type
(heir::lwe::ReinterpretUnderlyingTypeOp)
A placeholder cast from one ciphertext type to another
Syntax:
operation ::= `lwe.reinterpret_underlying_type` $input attr-dict `:` qualified(type($input)) `to` qualified(type($output))
The cast
op is thus used to translate underlying_type
between
ciphertexts in particular situations , such as when lowering to an API that
does not keep track of types for you.
Traits: AlwaysSpeculatableImplTrait
Interfaces: ConditionallySpeculatable
, NoMemoryEffect (MemoryEffectOpInterface)
Effects: MemoryEffects::Effect{}
Operands:
Operand | Description |
---|---|
input | A type for RLWE ciphertexts |
Results:
Result | Description |
---|---|
output | A type for RLWE ciphertexts |