I’m wondering whether it is possible to use arbitrarily large ciphertext moduli (q_i) in the BGV or BFV schemes.
In particular, I would like to set a large first modulus (q_0), up to about 800 bits. However, I found that even with NATIVEINT == 128, the maximum ciphertext modulus size seems to be around 120 bits. Specifically, using parameters.SetScalingModSize(500); or parameters.SetFirstModSize(500); results in exceptions.
Is there any way to use larger ciphertext moduli beyond this constraint?
In some cases, such as threshold settings using Shamir secret sharing, the Lagrange coefficients can significantly increase the noise term, making larger moduli desirable to compensate for this. I would like to know whether this can be implemented within the current OpenFHE framework.
I might be misunderstanding the details, but in the RNS-BFV implementation, does just using multiple RNS towers have a similar effect to using a larger ciphertext modulus?
(In this case, is there an effective way to manually choose the number of RNS limbs L so that the modulus size |q_0 · … · q_L| meets the requirement?)
In OpenFHE, the number of RNS moduli for BFV is selected automatically to meet the security specification for a specific depth for a computation, the multiplication technique and a specific plaintext size. The maximum bit size of the moduli is dictated by the native integer size, and cannot be arbitrarily large like 800.
I’m not completely certain of what you are asking, but here is my interpretation of your question. If you want to reconstruct a message using Shamir secret sharing under encryption, you need to make sure the plaintext modulus is sufficiently large. But you are probably not referring to the plaintext computation. If you want to reconstruct a threshold key using Lagragange coefficients such as x_j/(x_j - x_i) this computation will happen over modulus Q and the result might be very large compared to the plaintext modulus. Even if you increase Q', the division will happen over Q', so it can still be arbitrarily large.
The issue of using Shamir secret sharing for threshold key generation and threshold decryption for FHE is a well known problem. There is an active literature on this topic, so I suggest you search more about it. Some papers 1, 2 change the Lagrange coefficients in certain ways and use MPC techniques. Other recent papers 3, 4 discuss the issue with Lagrange interpolation and some of the (inefficient) solutions proposed to resolve it, and propose a way to decouple the Lagrange reconstruction.