Poly/Math Dialects #55
-
I can start by collecting a list of operations needed for the CGGI scheme. Thankfully it is relatively short:
The last one is there to limit noise growth; it corresponds to a naive application of base-B decomposition to integers, but mapped across a tensor of polynomials and "reshaped" to be consistent with the intended layout of the polynomial's coefficients. Then, of course, polynomial multiplication is often implemented using the FFT (not the NTT for CGGI, because CGGI needs power-of-two moduli), so it seems likely that we might want an FFT-based implementation of multiplication as well.

Then there is the other question of how (I believe) some CGGI implementations, like Zama's, actually keep the polynomials in FFT form so that repeated conversions to and from the frequency domain are not required. Perhaps someone from Zama can chime in here about how that impacts the list of operations above, since I'm not clear on how, say, sample extraction works with polynomials in FFT form.
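For concreteness, here is a small numpy sketch of those two pieces, with my assumptions flagged: the decomposition is the unsigned variant (real CGGI implementations typically use a signed/balanced one), and all names and parameters are illustrative, not taken from any particular codebase:

```python
# Illustrative sketches, not from any particular CGGI implementation.
# decompose(): unsigned base-B digit decomposition applied coefficient-wise.
# negacyclic_mul(): multiplication in Z[X]/(X^n + 1) via the FFT "twist";
# caching fa/fb instead of converting back is the "stay in FFT form" idea.
import numpy as np

def decompose(poly: np.ndarray, B: int, levels: int) -> np.ndarray:
    """Split each coefficient into `levels` base-B digits; shape (levels, n)."""
    digits = np.empty((levels, poly.shape[0]), dtype=poly.dtype)
    rest = poly.copy()
    for k in range(levels):
        digits[k] = rest % B
        rest //= B
    return digits

def negacyclic_mul(a: np.ndarray, b: np.ndarray) -> np.ndarray:
    """Multiply two integer polynomials mod X^n + 1 using a length-n FFT."""
    n = a.shape[0]
    zeta = np.exp(1j * np.pi * np.arange(n) / n)  # 2n-th roots of unity
    fa, fb = np.fft.fft(a * zeta), np.fft.fft(b * zeta)
    c = np.fft.ifft(fa * fb) / zeta               # untwist
    return np.rint(c.real).astype(np.int64)

# Sanity checks: digits recompose, and X * X == -1 in Z[X]/(X^2 + 1).
p = np.array([7, 123, 4095], dtype=np.int64)
assert np.array_equal(sum(decompose(p, 4, 6)[k] * 4**k for k in range(6)), p)
assert np.array_equal(negacyclic_mul(np.array([0, 1]), np.array([0, 1])),
                      np.array([-1, 0]))
```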
-
Jumping in to see how we can help from Galois. Our ISA for hardware acceleration most closely matches this level of abstraction. What's on the agenda?
-
@AlexanderViand-Intel roughly how big are the parameters in the HECO parameter sets? I'm working on the Poly dialect right now and I want to know whether I should use 64-bit integers or arbitrary-precision integers for the polynomial's coefficients and exponents. I think it will need to be arbitrary precision, but I just want to explicitly confirm that the polynomial schemes need >> 64 bits. I noticed the CKKS paper uses a large ciphertext coefficient modulus and reports the modulus in a table using its bit length.
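For intuition, here is a quick back-of-the-envelope in Python (the prime values below are placeholders, not HECO's actual parameters) showing why the full modulus overflows 64 bits even when every RNS limb fits in a machine word:

```python
# Illustrative numbers, not HECO's parameter sets: typical RLWE ciphertext
# moduli are products of several word-sized primes, so the full modulus Q
# far exceeds 64 bits even though each RNS residue fits in a machine word.
primes = [2**60 - 2**k + 1 for k in (14, 16, 18, 20)]  # placeholders, not
                                                        # actual NTT primes
Q = 1
for p in primes:
    Q *= p
print(Q.bit_length())   # ~240 bits: coefficients mod Q need arbitrary precision
print(all(p.bit_length() <= 60 for p in primes))  # True: each limb fits in i64
```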
-
Including the Batteries: Poly-to-LLVM
I think it makes sense that, rather than re-implementing a bunch of polynomial math in C++ and going via library calls, we follow the HEaaN.MLIR approach and implement a lowering to the MLIR LLVM-IR dialect via other MLIR dialects such as linalg, memref, etc., which in turn provide their own lowering to LLVM IR. The reason I bring this up already now is that we should make sure our design for the poly dialect stays compatible with such a lowering.
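As a strawman for the semantics such a lowering would have to implement, here is a plain-Python reference for multiplication in Z_q[X]/(X^n + 1) (my sketch, assuming a power-of-two negacyclic ring; this is not HEaaN.MLIR's actual lowering). The two explicit loops mirror the kind of linalg/affine loop nest a lowering might emit:

```python
# Reference semantics for polynomial multiplication in Z_q[X]/(X^n + 1);
# a loop-based lowering via linalg/memref would compute exactly this.
import numpy as np

def poly_mul_mod(a: np.ndarray, b: np.ndarray, q: int) -> list[int]:
    n = a.shape[0]
    out = [0] * n
    for i in range(n):
        for j in range(n):
            k = (i + j) % n
            sign = 1 if i + j < n else -1   # wraparound uses X^n == -1
            out[k] = (out[k] + sign * int(a[i]) * int(b[j])) % q
    return out

# X * X == -1 == q - 1 (mod q) in Z_q[X]/(X^2 + 1)
assert poly_mul_mod(np.array([0, 1]), np.array([0, 1]), q=97) == [96, 0]
```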
-
As discussed in the MLIR Dialects Session, I'm setting up three discussion topics, corresponding to the three streams identified.
This is the Poly/Math Dialects discussion; you can find the High-Level FHE Dialect and Scheme Dialects discussions at the links.
The goal of this abstraction/dialect is to allow the underlying math operations of modern FHE schemes to be efficiently represented, and computations at this level to be easily retargeted to different backends.
Technical/MLIR Challenges
As this is a relatively low-level dialect, FHE programs will most likely consist of many thousands, if not millions, of instructions at this level, so efficiency considerations become significantly more important than for higher-level dialects. As a result, we should closely coordinate with MLIR experts to ensure we are designing the dialect and its implementation/batteries in keeping with "MLIR performance folklore". One of the main challenges will be the parameters, including moduli/primes, and how to track them. HECO (in an internal PoC) and HEaaN.MLIR (closed source) already propose poly dialects, and snippets of these have been shared and can act as a starting point for the design of a dialect.
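To make the parameter-tracking question concrete, here is a minimal Python stand-in (purely illustrative; none of these names come from HECO or HEaaN.MLIR) for an MLIR poly type whose attributes pin down the ring a value lives in:

```python
# Illustrative only: a Python stand-in for an MLIR `poly` type whose
# attributes fix the ring. The point is just what a lowering needs to know.
from dataclasses import dataclass

@dataclass(frozen=True)
class PolyRingType:
    degree: int                       # n, for the quotient by X^n + 1
    coeff_modulus: int                # q, possibly a product of RNS primes
    rns_primes: tuple[int, ...] = ()  # empty if q is tracked monolithically

    def __post_init__(self):
        if self.rns_primes:
            prod = 1
            for p in self.rns_primes:
                prod *= p
            assert prod == self.coeff_modulus, "RNS primes must multiply to q"
```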
Conceptual Challenges
FHE schemes require a wide range of operations, and even "RLWE-only" schemes such as CKKS, B/FV, and BGV require a variety of operations that are not technically "ring operations", e.g.:
- rounding
- arbitrary permutation of coefficients
- coefficient extraction
- NTT (not strictly within the ring)
- polynomial evaluation
- CRT/RNS-style decompositions of ring coefficients (see the sketch below)

In addition, DM/CGGI-style schemes, which also use a variety of other ciphertext types, introduce even more variety in their operations. As a result, it is not clear how to (a) combine both into a single dialect and (b) ensure that this dialect is generic enough to have uses besides expressing FHE computations.
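Since the CRT/RNS decomposition comes up repeatedly, here is a small self-contained sketch of its semantics (the moduli are toy values and the function names are mine, not from any dialect proposal):

```python
# Sketch of CRT/RNS decomposition: each coefficient mod Q = q0*q1*... is
# represented by its residues mod each qi, and recovered via the CRT.
from math import prod

def to_rns(coeffs, moduli):
    return [[c % qi for c in coeffs] for qi in moduli]

def from_rns(residues, moduli):
    Q = prod(moduli)
    coeffs = []
    for limbs in zip(*residues):            # one tuple of limbs per coefficient
        x = 0
        for r, qi in zip(limbs, moduli):
            Qi = Q // qi
            x += r * Qi * pow(Qi, -1, qi)   # CRT reconstruction term
        coeffs.append(x % Q)
    return coeffs

moduli = [97, 193, 769]                     # toy pairwise-coprime primes
coeffs = [5, 123456, 7_000_000]
assert from_rns(to_rns(coeffs, moduli), moduli) == [c % prod(moduli) for c in coeffs]
```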
Next Steps
We need to collect a full list of "necessary" operations in order to cover all relevant variants of the mainstream schemes. In addition, we should try to define clear semantics for these operations, to avoid ambiguities when they need to be lowered to different backends. The timeline for this is roughly one month, after which progress should be reported back to the main Working Group. Looking beyond this, a draft RFC to MLIR might follow roughly three months after that.
Tasks