Export components used in encryption, prove encryption is valid as ZKP #285

Merged: 14 commits, Aug 10, 2023

ryanorendorff (Contributor) commented Jul 24, 2023

Exposes the components used in performing the BFV encryption so that the encryption method can be proved in the SDLP.

Microsoft SEAL implements the BFV encryption scheme in a manner slightly different than how it is defined in textbook BFV. One change not mentioned in the SEAL manual is that the encryption equation is different.

For the following:

  • $n$ is the polynomial modulus degree.
  • $q$ is the ciphertext modulus.
  • $p$ is the plaintext modulus.
  • $c$ is a ciphertext consisting of $m$ components $c_0, c_1, \ldots, c_{m - 1}$, each in $\mathbb{Z}[X]_q/(x^n + 1)$.
  • $m$ is a plaintext polynomial $\mathbb{Z}[X]_p/(x^n + 1)$.
  • $p$ is a public key consisting of two components $p_0$ and $p_1$.
  • $u$ is a noise term drawn from $\mathcal{R}_3^n$ (i.e., coefficients in $\{-1, 0, 1\}$).
  • $e$ is a set of noise terms drawn from the centered binomial distribution with a standard deviation of 3.2 and with degree $n$. In practice this polynomial has coefficients in the range of $[-32, 32]$. To match textbook BFV, this is numbered from $e_1, e_2, \ldots, e_m$.
  • $\Delta$ is the floored ratio of the ciphertext to plaintext modulus, or $\mathrm{floor}(q/t)$.

The textbook BFV equation for a fresh encryption of a message is as follows.

$$ \begin{aligned} c_0 =& \Delta m + p_0 u + e_1 \\ c_1 =& p_1 u + e_2 \end{aligned} $$

Instead of using $\Delta$, SEAL performs the following operation for encrypting the first component of the ciphertext.

$$ c_0 = \left \lfloor \frac{qm + \left \lfloor \frac{t + 1}{2} \right \rfloor }{t} \right \rfloor + p_0 u + e_1 $$

This is equivalent to the following operation (the operation actually performed by SEAL)

$$ c_0 = \Delta m + \lfloor \frac{q}{t} m \rceil + p_0 + e_1 $$

where $\mathrm{frac}$ is the fractional left over from $q/t$ and can be defined as $\mathrm{frac}(y) = y - \mathrm{floor}(y)$ for non-negative $y$. For convenience we often call this remainder $r = \lfloor \mathrm{frac}(q/t) m \rceil$. Note that $0 \leq r < t$.

This PR exposes $u$, $e$, and $r$ by using the `encrypt_return_components` function. The special modulus is disabled when exporting the components; otherwise the result does not form linear equations that can be converted into a matrix equality.

seal-remainder-pub.pdf
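
The decomposition described in the PR description above, as an added example that is not code from this PR, Sunscreen, or SEAL: substituting $q = \Delta t + (q \bmod t)$ into the rounding formula yields a remainder $r$ in pure integer arithmetic, so $c_0$ becomes a linear combination of $m$, $u$, $e_1$ and $r$. The ring degree, moduli and sample polynomials are constructed toy values, and `mul` and `encrypt_c0` are hypothetical names.

```rust
// Added illustration with constructed toy parameters; not SEAL or Sunscreen code.
const N: usize = 4; // polynomial modulus degree n
const Q: i128 = 1_000_003; // ciphertext modulus q
const T: i128 = 257; // plaintext modulus t
type Poly = [i128; N];

/// Negacyclic product a*b in Z_q[X]/(X^n + 1).
fn mul(a: &Poly, b: &Poly) -> Poly {
    let mut out = [0i128; N];
    for i in 0..N {
        for j in 0..N {
            let sign = if i + j >= N { -1 } else { 1 }; // X^n = -1
            let k = (i + j) % N;
            out[k] = (out[k] + sign * a[i] * b[j]).rem_euclid(Q);
        }
    }
    out
}

/// Returns (c_0 from the rounding formula, c_0 from the linear form, r).
fn encrypt_c0(m: &Poly, p0: &Poly, u: &Poly, e1: &Poly) -> (Poly, Poly, Poly) {
    let (delta, s, half) = (Q / T, Q % T, (T + 1) / 2); // q = delta*t + s
    let p0u = mul(p0, u);
    let (mut direct, mut linear, mut r) = ([0; N], [0; N], [0; N]);
    for i in 0..N {
        // Rounding formula: floor((q*m + floor((t+1)/2)) / t) + p_0 u + e_1.
        direct[i] = ((Q * m[i] + half) / T + p0u[i] + e1[i]).rem_euclid(Q);
        // Substituting q = delta*t + s leaves the remainder r beside delta*m.
        r[i] = (s * m[i] + half) / T;
        linear[i] = (delta * m[i] + r[i] + p0u[i] + e1[i]).rem_euclid(Q);
    }
    (direct, linear, r)
}

fn main() {
    let m: Poly = [0, 1, 128, 256]; // plaintext coefficients in [0, t)
    let p0: Poly = [123_456, 999_999, 42, 777_777]; // constructed public key part
    let u: Poly = [1, 0, -1, 1]; // ternary sample
    let e1: Poly = [3, -2, 0, 5]; // small noise sample
    let (direct, linear, r) = encrypt_c0(&m, &p0, &u, &e1);
    assert_eq!(direct, linear);
    assert!(r.iter().all(|&x| (0..T).contains(&x)));
    println!("c_0 = {direct:?}\nr   = {r:?}");
}
```

Because every term on the right-hand side of the linear form is either a witness ($m$, $u$, $e_1$, $r$) or a public constant ($\Delta$, $p_0$), the relation can be written as a matrix equality over the ring, which is the shape the proof system needs.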

ryanorendorff marked this pull request as ready for review August 4, 2023 17:41

ryanorendorff changed the title from "Exported components from encryption" to "Export components used in encryption, prove encryption is valid as ZKP" Aug 5, 2023

ryanorendorff (Contributor, Author) commented Aug 7, 2023

Both of these PRs in the sunscreen SEAL repository will need to be merged first:

ryanorendorff merged commit c0ef426 into main Aug 10, 2023
3 checks passed
ryanorendorff deleted the special-modulus-removal branch August 10, 2023 18:13