Tune Insight Transfer PR and v3.0.0 release (#175)

CHANGELOG.md

@@ -3,7 +3,7 @@
 All notable changes to this project will be documented in this file. 
 
 
-## Unreleased
+## [3.0.0] - 2022-02-21
 
 - RING: renamed `FastBasisExtender` to `BasisExtender`.
 - RING: `.PolyToBigint[...](*)` now take as input `gap` which defines the multiples of `X^{i*gap}` to reconstruct.

NOTICE

@@ -1,13 +1,21 @@
-Copyright 2020 EPFL
+Copyright 2022 EPFL, Tune Insight SA
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+The Lattigo library was originally exclusively developed by the EPFL Laboratory
+for Data Security until its version 2.4.0.
+
+Starting with the release of version 3.0.0, Lattigo is maintained and supported
+by [Tune Insight SA](https://tuneinsight.com).
+
+Active development of new features in Lattigo is still carried out both at the
+EPFL Laboratory for Data Security and at Tune Insight SA.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
 
    http://www.apache.org/licenses/LICENSE-2.0
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the 
+specific language governing permissions and limitations under the License.

README.md

@@ -4,82 +4,116 @@
 	<img src="logo.png" />
 </p>
 
-![Go tests](https://github.com/ldsec/lattigo/actions/workflows/ci.yml/badge.svg)
+![Go tests](https://github.com/tuneinsight/lattigo/actions/workflows/ci.yml/badge.svg)
 
-Lattigo is a Go module that implements Ring-Learning-With-Errors-based homomorphic-encryption primitives and Multiparty-Homomorphic-Encryption-based secure protocols.
-The library features:
+Lattigo is a Go module that implements Ring-Learning-With-Errors-based homomorphic-encryption
+primitives and Multiparty-Homomorphic-Encryption-based secure protocols. The library features:
 - An implementation of the full-RNS BFV and CKKS schemes and their respective multiparty versions.
 - Comparable performance to state-of-the-art C++ libraries.
 - Dense-key and sparse-key efficient and high-precision bootstrapping procedures for full-RNS CKKS.
-- A pure Go implementation that enables cross-platform builds, including WASM compilation for browser clients.
+- A pure Go implementation that enables cross-platform builds, including WASM compilation for
+  browser clients.
 
-Lattigo is meant to support HE in distributed systems and microservices architectures, for which Go is a common choice thanks to its natural concurrency model and portability.
+Lattigo is meant to support HE in distributed systems and microservices architectures, for which Go
+is a common choice thanks to its natural concurrency model and portability.
 
 ## Library overview
 
 The library exposes the following packages:
 
-- `lattigo/ring`: Modular arithmetic operations for polynomials in the RNS basis, including: RNS basis extension; RNS rescaling; number theoretic transform (NTT); uniform, Gaussian and ternary sampling.
+- `lattigo/ring`: Modular arithmetic operations for polynomials in the RNS basis, including: RNS
+  basis extension; RNS rescaling; number theoretic transform (NTT); uniform, Gaussian and ternary
+  sampling.
 
-- `lattigo/bfv`: The Full-RNS variant of the Brakerski-Fan-Vercauteren scale-invariant homomorphic encryption scheme. It provides modular arithmetic over the integers.
+- `lattigo/bfv`: The Full-RNS variant of the Brakerski-Fan-Vercauteren scale-invariant homomorphic
+  encryption scheme. It provides modular arithmetic over the integers.
 
-- `lattigo/ckks`: The Full-RNS Homomorphic Encryption for Arithmetic for Approximate Numbers (HEAAN, a.k.a. CKKS) scheme. It provides approximate arithmetic over the complex numbers (in its classic variant) and over the real numbers (in its conjugate-invariant variant).
+- `lattigo/ckks`: The Full-RNS Homomorphic Encryption for Arithmetic for Approximate Numbers (HEAAN,
+  a.k.a. CKKS) scheme. It provides approximate arithmetic over the complex numbers (in its classic
+  variant) and over the real numbers (in its conjugate-invariant variant).
 
-- `lattigo/dbfv` and `lattigo/dckks`: Multiparty (a.k.a. distributed or threshold) versions of the BFV and CKKS schemes that enable secure multiparty computation solutions with secret-shared secret keys.
+- `lattigo/dbfv` and `lattigo/dckks`: Multiparty (a.k.a. distributed or threshold) versions of the
+  BFV and CKKS schemes that enable secure multiparty computation solutions with secret-shared secret
+  keys.
 
-- `lattigo/rlwe` and `lattigo/drlwe`: common base for generic RLWE-based multiparty homomorphic encryption. It is imported by the `lattigo/bfv` and `lattigo/ckks` packages.
+- `lattigo/rlwe` and `lattigo/drlwe`: common base for generic RLWE-based multiparty homomorphic
+  encryption. It is imported by the `lattigo/bfv` and `lattigo/ckks` packages.
 
-- `lattigo/examples`: Executable Go programs that demonstrate the use of the Lattigo library.
-                      Each subpackage includes test files that further demonstrate the use of Lattigo primitives.
+- `lattigo/examples`: Executable Go programs that demonstrate the use of the Lattigo library. Each
+                      subpackage includes test files that further demonstrate the use of Lattigo
+                      primitives.
 
 - `lattigo/utils`: Supporting structures and functions.
 
 ## Versions and Roadmap
 
-This version of Lattigo, (v2.x.x) is meant to be a working prototype.
-Hence, there will be backward-incompatible changes within this version. 
+The Lattigo library was originally exclusively developed by the EPFL Laboratory for Data Security
+until its version 2.4.0.
 
-See CHANGELOG.md for the current and past versions.
+Starting with the release of version 3.0.0, Lattigo is maintained and supported by [Tune Insight
+SA](https://tuneinsight.com).
+
+Also starting with from version 3.0.0, the module name has changed to
+github.com/tuneinsight/lattigo/v3, and the official repository has been moved to
+https://github.com/tuneinsight/lattigo. This has the following implications for modules that depend
+on Lattigo:
+- Modules that require `github.com/ldsec/lattigo/v2` will still build correctly.
+- To upgrade to a version >= 3.0.0, depending modules must require `github.com/tuneinsight/lattigo/v3/`,
+  for example by changing the imports to `github.com/tuneinsight/lattigo/v3/[package]` and by
+  running `go mod tidy`.
 
-## Disclaimer
 
-This library is still at an experimental stage and should be used for research purposes only.
+The current version of Lattigo, (v3.x.x) is fast-evolving and in constant development. Consequently,
+there will still be backward-incompatible changes within this major version, in addition to many bug
+fixes and new features. Hence, we encourage all Lattigo users to update to the latest Lattigo
+version.
+
+
+See CHANGELOG.md for the current and past versions.
 
 ## License
 
 Lattigo is licensed under the Apache 2.0 License. See LICENSE.
 
 ## Contact
 
-If you want to contribute to Lattigo or you have any suggestion, do not hesitate to contact us at [lattigo@listes.epfl.ch](mailto:lattigo@listes.epfl.ch).
+If you want to contribute to Lattigo or you have any suggestion, do not hesitate to contact us at
+[lattigo@tuneinsight.com](mailto:lattigo@tuneinsight.com).
 
 ## Citing
 
 Please use the following BibTex entry for citing Lattigo:
 
     @misc{lattigo,
-	    title = {Lattigo v2.4.0},
-	    howpublished = {Online: \url{https://github.com/ldsec/lattigo}},
-	    month = Jan,
+	    title = {Lattigo v3.0.0},
+	    howpublished = {Online: \url{https://github.com/tuneinsight/lattigo}},
+	    month = Feb,
 	    year = 2022,
-	    note = {EPFL-LDS}
+	    note = {EPFL-LDS, Tune Insight SA}
     }
 
 
 ## References
 
-1. Efficient Bootstrapping for ApproximateHomomorphic Encryption with Non-Sparse Keys (<https://eprint.iacr.org/2020/1203>)
+1. Efficient Bootstrapping for ApproximateHomomorphic Encryption with Non-Sparse Keys
+   (<https://eprint.iacr.org/2020/1203>)
 1. Somewhat Practical Fully Homomorphic Encryption (<https://eprint.iacr.org/2012/144>)
 1. Multiparty Homomorphic Encryption: From Theory to Practice (<https://eprint.iacr.org/2020/304>)
-1. A Full RNS Variant of FV Like Somewhat Homomorphic Encryption Schemes (<https://eprint.iacr.org/2016/510>)
-1. An Improved RNS Variant of the BFV Homomorphic Encryption Scheme (<https://eprint.iacr.org/2018/117>)
+1. A Full RNS Variant of FV Like Somewhat Homomorphic Encryption Schemes
+   (<https://eprint.iacr.org/2016/510>)
+1. An Improved RNS Variant of the BFV Homomorphic Encryption Scheme
+   (<https://eprint.iacr.org/2018/117>)
 1. Homomorphic Encryption for Arithmetic of Approximate Numbers (<https://eprint.iacr.org/2016/421>)
 1. A Full RNS Variant of Approximate Homomorphic Encryption (<https://eprint.iacr.org/2018/931>)
-1. Improved Bootstrapping for Approximate Homomorphic Encryption (<https://eprint.iacr.org/2018/1043>)
+1. Improved Bootstrapping for Approximate Homomorphic Encryption
+   (<https://eprint.iacr.org/2018/1043>)
 1. Better Bootstrapping for Approximate Homomorphic Encryption (<https://epring.iacr.org/2019/688>)
 1. Post-quantum key exchange - a new hope (<https://eprint.iacr.org/2015/1092>)
 1. Faster arithmetic for number-theoretic transforms (<https://arxiv.org/abs/1205.2926>)
-1. Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography (<https://eprint.iacr.org/2016/504>)
-1. Gaussian sampling in lattice-based cryptography (<https://tel.archives-ouvertes.fr/tel-01245066v2>)
+1. Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography
+   (<https://eprint.iacr.org/2016/504>)
+1. Gaussian sampling in lattice-based cryptography
+   (<https://tel.archives-ouvertes.fr/tel-01245066v2>)
 
-The Lattigo logo is a lattice-based version of the original Golang mascot by [Renee French](http://reneefrench.blogspot.com/).
+The Lattigo logo is a lattice-based version of the original Golang mascot by [Renee
+French](http://reneefrench.blogspot.com/).

bfv/README.md

@@ -1,10 +1,12 @@
 # BFV
 
-The BFV package is an RNS-accelerated implementation of the Fan-Vercauteren version of Brakerski's scale-invariant homomorphic encryption scheme. It provides modular arithmetic over the integers.
+The BFV package is an RNS-accelerated implementation of the Fan-Vercauteren version of Brakerski's
+scale-invariant homomorphic encryption scheme. It provides modular arithmetic over the integers.
 
 ## Brief description
 
-This scheme can be used to do arithmetic over   ![equation](https://latex.codecogs.com/gif.latex?%5Cmathbb%7BZ%7D_t%5EN).
+This scheme can be used to do arithmetic over  
+![equation](https://latex.codecogs.com/gif.latex?%5Cmathbb%7BZ%7D_t%5EN).
 
 The plaintext space and the ciphertext space share the same domain
 
@@ -28,29 +30,69 @@ where  represents   ![equation](https://latex.codecogs.com/gif.latex?%24%5C
 
 ## Security parameters
 
-![equation](https://latex.codecogs.com/gif.latex?N%20%3D%202%5E%7BlogN%7D): the ring dimension, which defines the degree of the cyclotomic polynomial, and the number of coefficients of the plaintext/ciphertext polynomials; it should always be a power of two. This parameter has an impact on both security and performance (security increases with N and performance decreases with N). It should be carefully chosen to suit the intended use of the scheme.
-
-![equation](https://latex.codecogs.com/gif.latex?Q): the ciphertext modulus. In Lattigo, it is chosen to be the product of small coprime moduli ![equation](https://latex.codecogs.com/gif.latex?q_i) that verify ![equation](https://latex.codecogs.com/gif.latex?q_i%20%5Cequiv%201%20%5Cmod%202N) in order to enable both the RNS and NTT representation. The used moduli ![equation](https://latex.codecogs.com/gif.latex?q_i) are chosen to be of size 50 to 60 bits for the best performance. This parameter has an impact on both security and performance (for a fixed ![equation](https://latex.codecogs.com/gif.latex?N), a larger ![equation](https://latex.codecogs.com/gif.latex?Q) implies both lower security and lower performance). It is closely related to ![equation](https://latex.codecogs.com/gif.latex?N) and should be chosen carefully to suit the intended use of the scheme.
-
-![equation](https://latex.codecogs.com/gif.latex?%5Csigma): the variance used for the error polynomials. This parameter is closely tied to the security of the scheme (a larger ![equation](https://latex.codecogs.com/gif.latex?%5Csigma) implies higher security).
+![equation](https://latex.codecogs.com/gif.latex?N%20%3D%202%5E%7BlogN%7D): the ring dimension,
+which defines the degree of the cyclotomic polynomial, and the number of coefficients of the
+plaintext/ciphertext polynomials; it should always be a power of two. This parameter has an impact
+on both security and performance (security increases with N and performance decreases with N). It
+should be carefully chosen to suit the intended use of the scheme.
+
+![equation](https://latex.codecogs.com/gif.latex?Q): the ciphertext modulus. In Lattigo, it is
+chosen to be the product of small coprime moduli
+![equation](https://latex.codecogs.com/gif.latex?q_i) that verify
+![equation](https://latex.codecogs.com/gif.latex?q_i%20%5Cequiv%201%20%5Cmod%202N) in order to
+enable both the RNS and NTT representation. The used moduli
+![equation](https://latex.codecogs.com/gif.latex?q_i) are chosen to be of size 50 to 60 bits for the
+best performance. This parameter has an impact on both security and performance (for a fixed
+![equation](https://latex.codecogs.com/gif.latex?N), a larger
+![equation](https://latex.codecogs.com/gif.latex?Q) implies both lower security and lower
+performance). It is closely related to ![equation](https://latex.codecogs.com/gif.latex?N) and
+should be chosen carefully to suit the intended use of the scheme.
+
+![equation](https://latex.codecogs.com/gif.latex?%5Csigma): the variance used for the error
+polynomials. This parameter is closely tied to the security of the scheme (a larger
+![equation](https://latex.codecogs.com/gif.latex?%5Csigma) implies higher security).
 
 ## Other parameters
 
-![equation](https://latex.codecogs.com/gif.latex?P): the extended ciphertext modulus. This modulus is used during the multiplication, and it has no impact on the security. It is also defined as the product of small coprime moduli ![equation](https://latex.codecogs.com/gif.latex?p_j) and should be chosen such that ![equation](https://latex.codecogs.com/gif.latex?Q%5Ccdot%20P%20%3E%20Q%5E2) by a small margin (~20 bits). This can be done by using one more small coprime modulus than ![equation](https://latex.codecogs.com/gif.latex?Q).
+![equation](https://latex.codecogs.com/gif.latex?P): the extended ciphertext modulus. This modulus
+is used during the multiplication, and it has no impact on the security. It is also defined as the
+product of small coprime moduli ![equation](https://latex.codecogs.com/gif.latex?p_j) and should be
+chosen such that ![equation](https://latex.codecogs.com/gif.latex?Q%5Ccdot%20P%20%3E%20Q%5E2) by a
+small margin (~20 bits). This can be done by using one more small coprime modulus than
+![equation](https://latex.codecogs.com/gif.latex?Q).
 
-![equation](https://latex.codecogs.com/gif.latex?t): the plaintext modulus. This parameter defines the maximum value that a plaintext coefficient can take. If a computation leads to a higher value, this value will be reduced modulo the plaintext modulus. It can be initialized with any value, but in order to enable batching, it must be prime and verify ![equation](https://latex.codecogs.com/gif.latex?t%20%5Cequiv%201%20%5Cmod%202N). It has no impact on the security.
+![equation](https://latex.codecogs.com/gif.latex?t): the plaintext modulus. This parameter defines
+the maximum value that a plaintext coefficient can take. If a computation leads to a higher value,
+this value will be reduced modulo the plaintext modulus. It can be initialized with any value, but
+in order to enable batching, it must be prime and verify
+![equation](https://latex.codecogs.com/gif.latex?t%20%5Cequiv%201%20%5Cmod%202N). It has no impact
+on the security.
 
 ## Choosing security parameters
 
-The BFV scheme supports the standard recommended parameters chosen to offer a security of 128 bits for a secret key with uniform ternary distribution ![equation](https://latex.codecogs.com/gif.latex?s%20%5Cin_u%20%5C%7B-1%2C%200%2C%201%5C%7D%5EN), according to the Homomorphic Encryption Standards group (https://homomorphicencryption.org/standard/).  
+The BFV scheme supports the standard recommended parameters chosen to offer a security of 128 bits
+for a secret key with uniform ternary distribution
+![equation](https://latex.codecogs.com/gif.latex?s%20%5Cin_u%20%5C%7B-1%2C%200%2C%201%5C%7D%5EN),
+according to the Homomorphic Encryption Standards group
+(https://homomorphicencryption.org/standard/).  
 
-Each set of parameters is defined by the tuple ![equation](https://latex.codecogs.com/gif.latex?%5C%7Blog_2%28N%29%2C%20log_2%28Q%29%2C%20%5Csigma%5C%7D):
+Each set of parameters is defined by the tuple
+![equation](https://latex.codecogs.com/gif.latex?%5C%7Blog_2%28N%29%2C%20log_2%28Q%29%2C%20%5Csigma%5C%7D):
 
 - **{12, 109, 3.2}**
 - **{13, 218, 3.2}**
 - **{14, 438, 3.2}**
 - **{15, 881, 3.2}**
 
-These parameter sets are hard-coded in the file [params.go](https://github.com/ldsec/lattigo/blob/master/bfv/params.go). By default the variance should always be set to 3.2 unless the user is perfectly aware of the security implications of changing this parameter.
-
-Finally, it is worth noting that these security parameters are computed for fully entropic ternary keys (with probability distribution {1/3,1/3,1/3} for values {-1,0,1}). Lattigo uses this fully-entropic key configuration by default. It is possible, though, to generate keys with lower entropy, by modifying their distribution to {(1-p)/2, p, (1-p)/2}, for any p between 0 and 1, which for p>>1/3 can result in low Hamming weight keys (*sparse* keys). *We recall that it has been shown that the security of sparse keys can be considerably lower than that of fully entropic keys, and the BFV security parameters should be re-evaluated if sparse keys are used*.
+These parameter sets are hard-coded in the file
+[params.go](https://github.com/tuneinsight/lattigo/blob/master/bfv/params.go). By default the
+variance should always be set to 3.2 unless the user is perfectly aware of the security implications
+of changing this parameter.
+
+Finally, it is worth noting that these security parameters are computed for fully entropic ternary
+keys (with probability distribution {1/3,1/3,1/3} for values {-1,0,1}). Lattigo uses this
+fully-entropic key configuration by default. It is possible, though, to generate keys with lower
+entropy, by modifying their distribution to {(1-p)/2, p, (1-p)/2}, for any p between 0 and 1, which
+for p>>1/3 can result in low Hamming weight keys (*sparse* keys). *We recall that it has been shown
+that the security of sparse keys can be considerably lower than that of fully entropic keys, and the
+BFV security parameters should be re-evaluated if sparse keys are used*.

bfv/bfv_benchmark_test.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"testing"
 
-	"github.com/ldsec/lattigo/v2/rlwe"
+	"github.com/tuneinsight/lattigo/v3/rlwe"
 )
 
 func BenchmarkBFV(b *testing.B) {