Add multi-party homomorphic encryption scheme (#21)

* Add multi-party homomorphic encryption scheme

Also includes various improvements and updated dependencies.

* Fix copyright year for new files

Author: schoppmp

.bazelversion

@@ -3,11 +3,11 @@ module(
 )
 
 bazel_dep(name = "tink_cc", version = "2.1.3", repo_name = "com_github_tink_crypto_tink_cc")
-bazel_dep(name = "rules_cc", version = "0.1.0")
+bazel_dep(name = "rules_cc", version = "0.1.1")
 bazel_dep(name = "rules_proto", version = "7.0.2")
-bazel_dep(name = "protobuf", version = "27.3", repo_name = "com_google_protobuf")
+bazel_dep(name = "protobuf", version = "30.0-rc2", repo_name = "com_google_protobuf")
 bazel_dep(name = "googletest", version = "1.15.2", repo_name = "com_github_google_googletest")
-bazel_dep(name = "abseil-cpp", version = "20240116.2", repo_name = "com_google_absl")
+bazel_dep(name = "abseil-cpp", version = "20250127.0", repo_name = "com_google_absl")
 bazel_dep(name = "boringssl", version = "0.20241209.0")
 bazel_dep(name = "glog", version = "0.5.0", repo_name = "com_github_google_glog")
 bazel_dep(name = "rules_license", version = "1.0.0")

MODULE.bazel

@@ -243,6 +243,7 @@ cc_test(
 
 cc_library(
     name = "dft_transformations",
+    srcs = ["dft_transformations.cc"],
     hdrs = ["dft_transformations.h"],
     deps = [
         ":ntt_parameters",
@@ -259,16 +260,54 @@ cc_test(
     ],
     deps = [
         ":context",
+        ":dft_transformations",
+        ":statusor_fork",
+        "//shell_encryption/testing:parameters",
+        "//shell_encryption/testing:status_is_fork",
+        "//shell_encryption/testing:status_testing",
+        "//shell_encryption/testing:testing_prng",
+        "@com_github_google_googletest//:gtest_main",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
+cc_library(
+    name = "dft_transformations_hwy",
+    srcs = ["dft_transformations_hwy.cc"],
+    hdrs = [
+        "dft_transformations_hwy.h",
+    ],
+    deps = [
         ":dft_transformations",
         ":montgomery",
         ":ntt_parameters",
         ":statusor_fork",
+        "@com_github_google_highway//:hwy",
+        "@com_google_absl//absl/numeric:int128",
+        "@com_google_absl//absl/status",
+    ],
+)
+
+cc_test(
+    name = "dft_transformations_hwy_test",
+    size = "small",
+    srcs = [
+        "dft_transformations_hwy_test.cc",
+    ],
+    deps = [
+        ":context",
+        ":dft_transformations",
+        ":dft_transformations_hwy",
+        ":statusor_fork",
         "//shell_encryption/testing:parameters",
         "//shell_encryption/testing:status_is_fork",
         "//shell_encryption/testing:status_testing",
         "//shell_encryption/testing:testing_prng",
         "@com_github_google_googletest//:gtest_main",
-        "@com_google_absl//absl/numeric:int128",
+        "@com_github_google_highway//:hwy",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/strings",
     ],
 )
 
@@ -280,6 +319,7 @@ cc_library(
     deps = [
         ":constants",
         ":dft_transformations",
+        ":dft_transformations_hwy",
         ":ntt_parameters",
         ":serialization_cc_proto",
         ":statusor_fork",

MODULE.bazel.lock

@@ -34,6 +34,11 @@ constexpr Uint64 kNewhopeModulus = 12289;
 constexpr Uint64 kNewhopeLogDegreeBound = 10;
 constexpr Uint64 kNewhopeDegreeBound = 1 << kNewhopeLogDegreeBound;
 
+// RLWE parameters for a 62 bit modulus.
+constexpr Uint64 kModulus62 = 4611686018427322369;
+constexpr Uint64 kLogDegreeBound62 = 11;
+constexpr Uint64 kDegreeBound62 = 1L << kLogDegreeBound62;
+
 // Montgomery parameters for a 59-bit modulus.
 constexpr Uint64 kModulus59 = 332366567264636929;
 constexpr Uint64 kInvModulus59 = 7124357790306815999;
@@ -55,6 +60,11 @@ constexpr Uint64 kModulus25 = 33538049;
 constexpr Uint64 kLogDegreeBound25 = 10;
 constexpr Uint64 kDegreeBound25 = 1L << kLogDegreeBound25;
 
+// RLWE parameters for a 30 bit modulus.
+constexpr Uint64 kModulus30 = 1073707009;
+constexpr Uint64 kLogDegreeBound30 = 10;
+constexpr Uint64 kDegreeBound30 = 1L << kLogDegreeBound30;
+
 // RLWE parameters for an 80-bit modulus.
 // The modulus represented in decimal is 646119422561999443726337.
 constexpr absl::uint128 kModulus80 =

shell_encryption/BUILD

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2025 Google LLC.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "shell_encryption/dft_transformations.h"
+
+#include <cmath>
+#include <complex>
+#include <cstddef>
+#include <vector>
+
+#include "absl/status/status.h"
+
+namespace rlwe {
+
+namespace {
+
+// Returns true if n is a power of two.
+inline bool IsPowerOfTwo(size_t n) { return (n & (n - 1)) == 0; }
+
+}  // namespace
+
+absl::Status IterativeHalfCooleyTukey(
+    std::vector<std::complex<double>>& coeffs,
+    const std::vector<std::complex<double>>& psis_bitrev) {
+  if (!IsPowerOfTwo(coeffs.size())) {
+    return absl::InvalidArgumentError(
+        "The size of `coeffs` must be a power of two.");
+  }
+  int len = coeffs.size();
+  if (psis_bitrev.size() < len) {
+    return absl::InvalidArgumentError(
+        "Not enough primitive roots in `psis_bitrev`.");
+  }
+  int log_len = log2(len);
+  for (int i = log_len - 1; i >= 0; i--) {
+    // Layer i.
+    const int half_m = 1 << i;
+    const int m = half_m << 1;
+    for (int k = 0, index_psi = 1 << (log_len - i); k < coeffs.size();
+         k += m, ++index_psi) {
+      const std::complex<double> psi = psis_bitrev[index_psi];
+      for (int j = 0; j < half_m; j++) {
+        // The Cooley-Tukey butterfly operation.
+        std::complex<double> t = coeffs[k + j + half_m] * psi;
+        std::complex<double> u = coeffs[k + j];
+        coeffs[k + j] += t;
+        coeffs[k + j + half_m] = u - t;
+      }
+    }
+  }
+  return absl::OkStatus();
+}
+
+absl::Status IterativeHalfGentlemanSande(
+    std::vector<std::complex<double>>& coeffs,
+    const std::vector<std::complex<double>>& psis_bitrev_inv) {
+  if (!IsPowerOfTwo(coeffs.size())) {
+    return absl::InvalidArgumentError(
+        "The size of `coeffs` must be a power of two.");
+  }
+  int len = coeffs.size();
+  if (psis_bitrev_inv.size() < len * 2) {
+    return absl::InvalidArgumentError(
+        "Not enough primitive roots in `psis_bitrev_inv`.");
+  }
+  int log_len = log2(len);
+  int index_psi_base = 0;
+  for (int i = 0; i < log_len; i++) {
+    const int half_m = 1 << i;
+    const int m = half_m << 1;
+    for (int k = 0, index_psi_inv = index_psi_base; k < coeffs.size();
+         k += m, ++index_psi_inv) {
+      for (int j = 0; j < half_m; j++) {
+        // The Gentleman-Sande butterfly operation.
+        std::complex<double> t = coeffs[k + j + half_m];
+        std::complex<double> u = coeffs[k + j];
+        coeffs[k + j] += t;
+        coeffs[k + j + half_m] = (u - t) * psis_bitrev_inv[index_psi_inv];
+      }
+    }
+    index_psi_base += 1 << (log_len - i);
+  }
+  return absl::OkStatus();
+}
+
+}  // namespace rlwe

shell_encryption/constants.h

@@ -16,14 +16,15 @@
 #ifndef RLWE_DFT_TRANSFORMATIONS_H_
 #define RLWE_DFT_TRANSFORMATIONS_H_
 
+#include <complex>
 #include <utility>
 #include <vector>
 
 #include "absl/status/status.h"
 #include "shell_encryption/ntt_parameters.h"
 #include "shell_encryption/status_macros.h"
 
-// This file implements various discrete Fourier transformtions to be used by
+// This file implements various discrete Fourier transformations to be used by
 // arithmetic in polynomial rings.
 
 namespace rlwe {
@@ -199,6 +200,24 @@ absl::Status InverseNumberTheoreticTransform(
   return absl::OkStatus();
 }
 
+// Performs the special log_len iterations of the Cooley-Tukey butterfly on
+// `coeffs` in-place, which has length 2^log_len.
+// This computes the DFT transform phi: coeffs -> {coeffs(psi^(4k+1))}_j
+// where coeffs are coefficients of a polynomial of degree 2^log_len - 1, and
+// {psi_j}_j are primitive 2N'th roots of unity for N = 2^(log_len + 1), i.e.
+// psi = exp(PI * I / (2N)).
+absl::Status IterativeHalfCooleyTukey(
+    std::vector<std::complex<double>>& coeffs,
+    const std::vector<std::complex<double>>& psis_bitrev);
+
+// Performs the special log_len iterations of the Gentleman-Sande butterfly on
+// `coeffs` in-place, which has length 2^log_len.
+// This computes the inverse of the transform phi, where phi is the DFT
+// phi: coeffs -> {coeffs(psi_j)}_{j = 4*k+1}.
+absl::Status IterativeHalfGentlemanSande(
+    std::vector<std::complex<double>>& coeffs,
+    const std::vector<std::complex<double>>& psis_bitrev_inv);
+
 }  // namespace rlwe
 
 #endif  // RLWE_DFT_TRANSFORMATIONS_H_