High-Level FHE Dialect #53
-
I think a good next step is to give a high-level sketch of what each of the possible implementations would look like (and where the challenges might occur), even including the supposedly naive options like encoding noise in type attributes. I am happy to take a stab at this myself, just to give myself a chance to think it through. For the question of "fixing `arith`" so that it could work with a new container type like `!fhe.secret<T>`, …
-
I welcome this initiative, as we have just started taking a look at the MLIR landscape for FHE. In our use case, we used Proxy Re-Encryption (PRE) to enable secure computation over data encrypted under different keys by multiple parties. Whenever the two operands of an operation had been encrypted under different keys, they were re-encrypted to another key (i.e., the key of the party that receives the result, but that does not perform the computation and does not collude with the entity that does). We implemented our prototype with PALISADE (now OpenFHE) using the BFV scheme. At the high-level IR, this required additionally tagging private data with a label, …
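A minimal sketch of how this could surface in a high-level dialect (the key parameter on the secret type and the `fhe.reencrypt`/`fhe.add` op names are all hypothetical illustrations, not what we actually built):

```mlir
// Hypothetical: the key label lives on the secret type; a re-encryption
// op moves a ciphertext to the receiver's key whenever two operands are
// encrypted under different keys.
func.func @combine(%a: !fhe.secret<i32, key = "alice">,
                   %b: !fhe.secret<i32, key = "bob">)
    -> !fhe.secret<i32, key = "carol"> {
  %a2 = fhe.reencrypt %a
      : !fhe.secret<i32, key = "alice"> to !fhe.secret<i32, key = "carol">
  %b2 = fhe.reencrypt %b
      : !fhe.secret<i32, key = "bob"> to !fhe.secret<i32, key = "carol">
  // Both operands are now under the receiver's key, so the binary op
  // type-checks without mixing keys.
  %sum = fhe.add %a2, %b2 : !fhe.secret<i32, key = "carol">
  return %sum : !fhe.secret<i32, key = "carol">
}
```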
-
Thanks for pinging me on this. You may have realized already that there haven't been any updates to `base2` in a while.
While I have a working prototype integrating all of this, it has not been scrutinized by the community yet, and I expect changes to be necessary. Unfortunately, such is the way of moving from research to upstream. Therefore, should you determine that stronger integer semantics are necessary, I would be happy to work on this together during the RFC phase and avoid waiting on implementation delays.
-
One of the key goals of this "High-Level FHE Abstraction" is to be able to represent complex programs pre-"arithmetization" (i.e., before truncation, approximation, LUT-ization, etc.). However, while there are obvious ways to represent some "non-arithmetic" operations in the IR (e.g., comparisons, divisions, and other "basic" operations), this gets a bit murkier for things such as commonly used activation functions (should there be a dedicated op for each of these?).

Here, I think we should follow an approach similar to what certain frontends already do (Concrete comes to mind), essentially offering an interface that accepts a function/lambda and a range and does the necessary work to figure out, e.g., a k-bit LUT. For this, the high-level dialect should probably just nest the function/lambda in a special region-based operation, to allow different compilers to apply different lowerings (e.g., polynomial approximation instead of LUTs).

This raises a bunch of concrete questions about what information this operation needs to encode (in addition to the function itself) in order to allow this lowering to be done effectively by compilers following a variety of different approaches. Clearly, the expected input range seems pretty important, as does, maybe, the acceptable error in bits?
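To make this concrete, here is a rough sketch of what such a region-based operation could look like. The op name `fhe.univariate`, the `fhe.yield` terminator, and the attribute names are all made up for illustration; only the `arith`/`math` ops in the region are real MLIR:

```mlir
// Hypothetical region-based op: the cleartext function is nested in the
// region, and the attributes carry what a compiler needs to synthesize
// either a k-bit LUT or a polynomial approximation.
%y = fhe.univariate %x {
    input_range = [-6.0 : f64, 6.0 : f64],  // expected input range
    max_error_bits = 2 : i64                // acceptable approximation error
  } : (!fhe.secret<f32>) -> !fhe.secret<f32> {
^bb0(%v: f32):
  // Plain sigmoid on cleartext types: 1 / (1 + exp(-v)).
  %c1 = arith.constant 1.0 : f32
  %nv = arith.negf %v : f32
  %e  = math.exp %nv : f32
  %d  = arith.addf %c1, %e : f32
  %s  = arith.divf %c1, %d : f32
  fhe.yield %s : f32
}
```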
-
In the last WG meeting, the idea of "core" and "non-core" operations came up, where "core" operations are those that every tool targeting a dialect/abstraction level must support. The non-core operations would come with default "lowerings" to core operations, so that tools only have to implement the core operations. While it might seem reasonable to use the region-based operation described above as the lowering target for all of these, it is not quite that simple.

For example, we might have a (non-core) sigmoid operation whose default lowering nests the cleartext sigmoid into the region-based operation. Alternatively, a tool might want to lower it directly to a polynomial approximation instead. Note that this actually has implications for the information that the region-based operation needs to encode.

I don't have a lot of experience with state-of-the-art polynomial approx/interp approaches for FHE, so I'd love to hear a (more) expert opinion on whether or not this is too much of a constraint.
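For concreteness, here is how a non-core op and its default lowering could relate, reusing the hypothetical `fhe.univariate` op from the previous comment (the `fhe.sigmoid` name is equally made up):

```mlir
// Hypothetical non-core op, convenient for frontends:
%y = fhe.sigmoid %x : !fhe.secret<f32>

// Default lowering: expand into the core region-based op, fixing a range
// and an error budget. A tool that prefers, e.g., polynomial approximation
// would override this default pattern with its own.
%y = fhe.univariate %x {
    input_range = [-6.0 : f64, 6.0 : f64],
    max_error_bits = 2 : i64
  } : (!fhe.secret<f32>) -> !fhe.secret<f32> {
^bb0(%v: f32):
  // ... cleartext sigmoid as in the sketch above ...
  fhe.yield %s : f32
}
```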
-
FYI, I've started implementing this. I also read through the structured operations and transform dialects to see what might be relevant here.
-
As discussed in the MLIR Dialects Session, I'm setting up three discussion topics, corresponding to the three streams identified.
This is the High-Level FHE Dialect discussion; you can find the Scheme Dialects and Poly/Math Dialects discussions at the links.
The goal of this abstraction/dialect is to enable high-level programs (DSLs, annotated Python, C/C++, etc.) to be translated to a scheme/implementation-agnostic intermediate representation.
Technical/MLIR Challenges
In addition to the ability to distinguish between "public" and "private" data (most likely via a wrapper-style type along the lines of `!fhe.secret<T>`), this requires the ability to express computations over encrypted data. Existing FHE MLIR compilers currently use their own "faux arith" dialects for this (e.g., `fhe.add(%a, %b)`), as the existing `arith` dialect restricts the types which can be used with its operations. However, there is an opportunity here to suggest a more generic version of `arith` that is more accepting of different types/semantics, with something like `base2` (paper, code, spec) by @KFAFSP for use cases that need to precisely specify arithmetic semantics.
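To illustrate the contrast, a strawman sketch (assuming the hypothetical `!fhe.secret<T>` wrapper type and `fhe.add` op mentioned above):

```mlir
// Today: each compiler defines its own "faux arith" op over secret types.
%sum = fhe.add %a, %b : !fhe.secret<i16>

// What a more type-generic arith could allow instead: the standard op,
// applied directly to the wrapper type (currently rejected by arith's
// type constraints).
%sum2 = arith.addi %a, %b : !fhe.secret<i16>
```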
Conceptual Challenges
The scheme/approach-agnostic nature of such an abstraction also requires solving a challenge not yet addressed by the existing tools: expressing sufficient information to allow conversion to an efficient FHE "circuit", no matter which computational paradigm (binary emulation with gate bootstrapping, precise or approximate large integers, or small(ish) integers with LUTs/PBSs) is used. This is in addition to the challenge of tracking encryption noise (the "error" in Learning with Errors), both in the precise setting and in the approximate setting (where noise and message are mixed).

While encryption noise can most likely be handled via MLIR analysis tooling, rather than needing to be encoded into the IR, it is less clear how to do this for the "program-to-circuit approximation error" that arises when one converts an existing computation to a more efficiently evaluatable form, e.g., by truncating the bit width of data types and/or replacing non-arithmetic operations (e.g., comparisons, sigmoid, etc.) with either LUTs or polynomial approximations. Especially for the latter, it seems unclear how to express the error introduced by a high-degree approximation as a clean "number of bits". However, this might be possible when combined with sufficient range analysis (i.e., "in [x,y], this approximation has at most b bits of error").
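One way this could look without baking noise or error into the type system: an analysis attaches its results as discardable, dialect-prefixed attributes on ops. A sketch (the `fhe.mul` op and the `analysis.*` attribute names are hypothetical):

```mlir
// Hypothetical: a range/error analysis annotates an op with the value
// range it derived and the approximation error accumulated so far, keeping
// both out of the IR's type system.
%t = fhe.mul %a, %b {
    analysis.range = [-128.0 : f64, 128.0 : f64],
    analysis.error_bits = 3 : i64
  } : !fhe.secret<i16>
```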
Next steps
We need to solve the conceptual issues around representing approximation tolerance in a scheme-agnostic way, and converge on a technical approach which we can bring back to the Working Group and, with its approval, pitch as an RFC to upstream MLIR. The expected timeline is one month until we have a draft RFC ready to present back to the Working Group and, ideally shortly afterwards, to the MLIR community.
Tasks
- Investigating `base2` and identifying prior discussions on the intended direction of `arith`