Hello,
In section 4.1 of the paper about generalized bootstrapping for CKKS, the following is mentioned:
In scenarios where the IND-CPAD security model needs to be satisfied, the decryption failure probability must be made negligible [LM21, ABMP24]. To do so, the parameters have to be chosen using the accumulated noise from BFV encryption, modulus switching when switching to CKKS, CKKS approximation errors, the modulus switching when going back to BFV, and rounding during decryption.
However, I could not find any specific computation as to how to keep track of the errors to compute the actual failure probability of decryption of CKKS given a particular circuit to be evaluated. I’m aware that I can extract bounds regarding the CKKS approximation errors from this paper. Nonetheless, the bounds are theoretical and hard to use in practice.
Therefore, when it comes to parameter setting for OpenFHE when using generalized bootstrapping, how is the user expected to set parameters such us dcrtBits and firstMod in a secure manner without a way to compute the failure probability? The rest of the parameters (ring dimension and depth for example) I understand will be set respecting the 128-bits standard and the application requirements.
Maybe there are already works giving explicit formulas for the computation of the error probability of CKKS which I have missed or some specific check regarding the failure probability is already included in the library and I have also missed it. I would appreciate if you could point me towards those resources if that is the case.