parsHelp: Encryption parameter selection
In iamtrask/R-Homomorphic-Encryption-Package: Fully Homomorphic Encryption

Description Usage Arguments Details Author(s) References See Also Examples

View source: R/parsHelp.R

Use this function to help choose encryption parameters for your scheme.

1	parsHelp(scheme, ...)

`scheme`	the scheme for which to get parameter help. Currently only Fan and Vercauteren's scheme is supported by specifying `"FandV"`.
`...`	pass the specific options for the chosen scheme as named arguments. See the details section for options for encryption schemes currently implemented.

This function provides assistance with selecting parameter values for the encryption scheme you wish to use.

Currently only the scheme of Fan and Vercauteren ("FandV") is implemented.

For "FandV" you may specify:

lambda: the security level required (bits), default is 80;
max: the largest absolute value you will need to store encrypted, default is 1000;
L: the deepest multiplication depth you need to be able to evaluate encrypted, default is 4.

The security level in bits relates to the approximate number of operations which would be required to break the cipher text, i.e. O(2^λ) operations.

Ensuring the depth of multiplication operations you require is based on an overwhelming probability of being able to correctly decrypt after so many operations by roughly bounding the possible noise growth. In most situations it is very conservative and additional multiplications are possible, so this should be considered only a lower bound on the number of multiplies required. If computational performance is a concern this should be treated only as a good starting point from which the relevant parameters can be eased off, testing more thoroughly by simulation.

For the scheme of Fan and Vercauteren ("FandV"): the security level is based on the analysis of Lindner and Peikert (2011) which is known to be quite conservative; and the multiplicative depth bound is based on the analysis of Lepoint and Naehrig (2014). If the multiplicative depth lower bound is too conservative, then for computational performance reduce the qpow parameter from this recommended starting point.

Louis Aslett

Fan, J., & Vercauteren, F. (2012). Somewhat Practical Fully Homomorphic Encryption. IACR ePrint. Retrieved from https://eprint.iacr.org/2012/144

Lepoint, T., & Naehrig, M. (2014). A comparison of the homomorphic encryption schemes FV and YASHE. In Progress in Cryptology<e2><80><93>AFRICACRYPT 2014 (pp. 318-335).

Lindner, R., & Peikert, C. (2011). Better key sizes (and attacks) for LWE-based encryption. In Topics in Cryptology<e2><80><93>CT-RSA 2011 (pp. 319-339).

pars to manually choose parameters.

keygen to generate encryption keys using these parameters.

# Want 128-bit security with 6 multiplies deep
# to evaluate 7 factorial
p <- parsHelp("FandV", lambda=128, L=6)
keys <- keygen(p)
ct <- enc(keys$pk, 1:7)
dec(keys$sk, prod(ct))
factorial(7)

# But notice this is quite conservative
# This will usually give the right answer too
ct <- enc(keys$pk, 1:8)
dec(keys$sk, prod(ct))
factorial(8)