Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Whitepaper #39

Closed
jayavanth opened this issue Jul 31, 2024 · 4 comments
Closed

Whitepaper #39

jayavanth opened this issue Jul 31, 2024 · 4 comments

Comments

@jayavanth
Copy link

Hello, is there a whitepaper for the HE and PIR implementation? I was wondering why BFV was chosen. Also wondering in what circumstances to use aclsPir and mulPir specified here. How do those two protocols differ from simplePIR or hintlessPIR?
@bwesterb
Copy link

bwesterb commented Aug 2, 2024

Would also love to learn the number of entries per shard.

@fboemer fboemer mentioned this issue Aug 2, 2024
Merged
@fboemer
Copy link
Contributor

fboemer commented Aug 2, 2024

Hello, is there a whitepaper for the HE and PIR implementation?

Hi! There's no comprehensive whitepaper for Swift Homomorphic Encryption, but Section 6 in https://arxiv.org/pdf/2406.06761 has some optimizations implemented here. https://eprint.iacr.org/2019/1483.pdf also has some details on MulPir.

I was wondering why BFV was chosen.

BFV is well-studied and a good fit for PIR. Table 5 from https://eprint.iacr.org/2019/1483.pdf shows it's better suited for PIR than ElGamal, for instance. CKKS uses approximate arithmetic, so it's not a great fit for PIR. BGV is also a possibility.

Also wondering in what circumstances to use aclsPir and mulPir specified here.

AclsPir is actually unimplemented at the moment; #43 adds some checks to make this more clear. To answer the question though, AclsPir would be expected to have larger response size, but faster server runtime than MulPir. The introduction from https://eprint.iacr.org/2019/1483.pdf has some more details.

How do those two protocols differ from simplePIR or hintlessPIR?
From a practical perspective, SimplePir offers faster runtime, but requires the client to download and maintain a large offline hint. MulPir/AclsPir require only a very small client state, essentially just the database size.
HintlessPir removes the need for the hint, making it a similar scheme as MulPir/AclsPir in that sense.
The mechanics of the schemes differ, e.g. HintlessPir uses a fresh RLWE secret polynomial, and sends the evaluation key with each query, leading to larger query size than MulPir.

The ideal PIR scheme will depend on the problem setting, including tradeoffs between client/server, state/compute, online vs offline, bandwidth vs runtime, etc.

@fboemer
Copy link
Contributor

fboemer commented Aug 2, 2024

Would also love to learn the number of entries per shard.

In Swift Homomorphic Encryption, the sharding can be set as desired, e.g. in PirShardDatabase.

@jayavanth
Copy link
Author

thank you that's very helpful

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bwesterb @jayavanth @fboemer