Parameter settings in BFV, BGV, and CKKS

Hi,

I’m trying to compare execution time of BFV, BGV, and CKKS scheme with OpenFHE Python wrapper, and I have some questions regarding to parameter settings. These schemes are set to have the same security level (128-bit) in Homomorphic Encryption Standard which gives log_2(Q) = 218. The same key switching techinique (KeySwitchTechnique.BV) and the same N are applied among these schemes.

From README.md, Q = q_0 * q_1 * … * q_n * q, where q_0 is set as firstModSize, qi is set as scalingModSize, q’ is not explicitly given. When setting keySwitchTechnique as BV, the security level only depends on ciphertext modulus Q for CKKS. Therefore, parameter settings in CKKS scheme are:

  • RingDim (N): 8192

  • ScalingModSize (Q_i): 50

  • FirstModSize(Q_0): 59

  • multiplication depth (L): 2

  • log_2(getModulus) = 178.977

Parameter settings in BFV scheme:

  • RingDim (N): 8192

  • plaintextModulus (t): 65537

  • multiplication depth (L): 2

  • log_2(getModulus) = 179.99

I have the following questions:

  1. For CKKS scheme, why is log_2(getModulus) equals to 178.977 instead of 218 as the HE standard shows? Do the parameter settings to ScalingModSize and FirstModSize cause this value?

  2. For BFV scheme in Seal, parameter poly_modulus_degree (Q) can be set with the corresponding N to a specific security level. For OpenFHE, how can I set Q for BFV scheme?

  3. For BGV scheme, when applyling keySwitchTechnique as BV, the ScalingModSize is required to be set and its value needs to be less than 60. However, the program stops at GenCryptoContext(parameters) without giving error message, my settings are:

  • RingDim (N): 8192

  • ScalingModSize: 57

  1. Under the same security level in CKKS scheme, as value of N increases, the corresponding Q also increases, and the execution time for encryption, decryption, and homomorphic operations also increase. For example:
  • N = 8192, Q = 218, security level = 128

  • N = 16384, Q = 438, security level = 128

  • N = 32768, Q = 881, security level = 128

May I ask what’s the benefit of increasing N under the same security level?

Thank you for your attention

I will go one by one

  • ScalingModSize (Q_i): 50

Based on the number you gave, it is probably 60 (not 50). Otherwise, log2 would be smaller (about 169).

For CKKS scheme, why is log_2(getModulus) equals to 178.977 instead of 218 as the HE standard shows? Do the parameter settings to ScalingModSize and FirstModSize cause this value?

\log Q is a functional parameter not a security parameter. It is determined by the circuit depth. 218 is the upper bound on \log Q to support N. As soon as \log Q higher, you need to get to the next ring dimension (16K).

For BFV scheme in Seal, parameter poly_modulus_degree (Q) can be set with the corresponding N to a specific security level. For OpenFHE, how can I set Q for BFV scheme?

Q is set based on the multiplicative depth. First, you determine what depth you need, and then enter it. OpenFHE automatically finds the right value of N by default.

  1. For BGV scheme, when applyling keySwitchTechnique as BV, the ScalingModSize is required to be set and its value needs to be less than 60. However, the program stops at GenCryptoContext(parameters) without giving error message, my settings are:

ScalingModSize is not used in BGV. It is computed automatically. We added some validators for this in the dev branch of OpenFHE. These changes will soon be merged to main as part of the v1.2.0 release.

May I ask what’s the benefit of increasing N under the same security level?

When Q is increased to support a larger depth, N needs to also increase to still satisfy the 128-bit security level.

I suggest watching the following webinars for a more comprehensive introduction to how parameters are set in FHE: