Package 'openfhe'

Description

Provides an R interface to the OpenFHE C++ library for fully homomorphic encryption (FHE). Supports BFV, BGV, and CKKS schemes for computation on encrypted data, as well as FHEW/TFHE for Boolean circuit evaluation.

Author(s)

Maintainer: Balasubramanian Narasimhan [email protected] (ORCID)

Authors:

• Balasubramanian Narasimhan [email protected] (ORCID)

See Also

Useful links:

• https://bnaras.github.io/openfhe

• https://github.com/bnaras/fhe

• Report bugs at https://github.com/bnaras/fhe/issues

Description

Constructor for the BFV scheme's CCParams surface. Every argument maps 1:1 to an upstream ⁠CCParams<CryptoContextBFVRNS>::Set*⁠ method whose override is not disabled in the BFV specialization. The 13 setters that BFV explicitly disables (SetScalingTechnique, SetFirstModSize, SetPRENumHops, SetExecutionMode, …) are not exposed here; see discovery D013.

Usage

BFVParams(
  plaintext_modulus = NULL,
  multiplicative_depth = NULL,
  scaling_mod_size = NULL,
  batch_size = NULL,
  security_level = NULL,
  secret_key_dist = NULL,
  key_switch_technique = NULL,
  ring_dim = NULL,
  digit_size = NULL,
  num_large_digits = NULL,
  standard_deviation = NULL,
  multiparty_mode = NULL,
  threshold_num_of_parties = NULL,
  multiplication_technique = NULL,
  max_relin_sk_deg = NULL,
  pre_mode = NULL,
  eval_add_count = NULL,
  key_switch_count = NULL,
  encryption_technique = NULL
)

Arguments

Value

A BFVParams S7 object.

Description

Constructor for the BGV scheme's CCParams surface. Every argument maps 1:1 to an enabled ⁠CCParams<CryptoContextBGVRNS>::Set*⁠ method. The 10 BGV-disabled setters (SetEncryptionTechnique, SetMultiplicationTechnique, SetExecutionMode, …) are not exposed; see discovery D013.

Usage

BGVParams(
  plaintext_modulus = NULL,
  multiplicative_depth = NULL,
  scaling_mod_size = NULL,
  scaling_technique = NULL,
  batch_size = NULL,
  first_mod_size = NULL,
  security_level = NULL,
  secret_key_dist = NULL,
  key_switch_technique = NULL,
  ring_dim = NULL,
  digit_size = NULL,
  num_large_digits = NULL,
  standard_deviation = NULL,
  multiparty_mode = NULL,
  threshold_num_of_parties = NULL,
  max_relin_sk_deg = NULL,
  pre_mode = NULL,
  statistical_security = NULL,
  num_adversarial_queries = NULL,
  eval_add_count = NULL,
  key_switch_count = NULL,
  pre_num_hops = NULL
)

Arguments

Value

A BGVParams S7 object.

Description

Generate BinFHE bootstrapping keys

Usage

bin_bt_key_gen(ctx, sk, keygen_mode = KeygenMode$SYM_ENCRYPT)

Arguments

Description

Decrypt a Binary FHE ciphertext

Usage

bin_decrypt(ctx, sk, ct, p = 4L)

Arguments

Value

Integer value

Description

Encrypt a value for Binary FHE

Usage

bin_encrypt(ctx, sk, message, output = 2L, p = 4L, mod = NULL)

Arguments

Value

An LWECiphertext

Description

Create a Binary FHE context

Usage

bin_fhe_context(
  paramset = BinFHEParamSet$STD128,
  method = BinFHEMethod$GINX,
  arb_func = FALSE,
  log_q = 11L,
  n = 0L,
  time_optimization = FALSE
)

Arguments

Value

A BinFHEContext (stored as OpenFHEObject)

Description

Generate BinFHE secret key

Usage

bin_key_gen(ctx)

Arguments

Value

An LWEPrivateKey

Description

Binary FHE Methods Source: binfhe/binfhe-constants.h enum BINFHE_METHOD

Usage

BinFHEMethod

Description

Binary FHE Output Types Source: binfhe/binfhe-constants.h enum BINFHE_OUTPUT

Usage

BinFHEOutput

Description

Binary FHE Parameter Sets Source: binfhe/binfhe-constants.h enum BINFHE_PARAMSET (sequential from 0)

Usage

BinFHEParamSet

Description

Binary Gate Types Source: binfhe/binfhe-constants.h enum BINGATE (sequential from 0)

Usage

BinGate

Description

Retrieve a parameter from a BFVParams, BGVParams, or CKKSParams object. Each getter wraps the corresponding upstream ⁠CCParams<T>::Get*⁠ method and returns its value unchanged.

Usage

get_ring_dim(params, ...)

get_plaintext_modulus(params, ...)

get_digit_size(params, ...)

get_composite_degree(params, ...)

get_scheme(params, ...)

get_standard_deviation(params, ...)

get_secret_key_dist(params, ...)

get_max_relin_sk_deg(params, ...)

get_pre_mode(params, ...)

get_multiparty_mode(params, ...)

get_execution_mode(params, ...)

get_decryption_noise_mode(params, ...)

get_noise_estimate(params, ...)

get_desired_precision(params, ...)

get_statistical_security(params, ...)

get_num_adversarial_queries(params, ...)

get_threshold_num_of_parties(params, ...)

get_key_switch_technique(params, ...)

get_scaling_technique(params, ...)

get_batch_size(params, ...)

get_first_mod_size(params, ...)

get_num_large_digits(params, ...)

get_multiplicative_depth(params, ...)

get_scaling_mod_size(params, ...)

get_security_level(params, ...)

get_eval_add_count(params, ...)

get_key_switch_count(params, ...)

get_encryption_technique(params, ...)

get_multiplication_technique(params, ...)

get_pre_num_hops(params, ...)

get_interactive_boot_compression_level(params, ...)

get_register_word_size(params, ...)

get_ckks_data_type(params, ...)

Arguments

Details

Per discovery D013, several parameters are "disabled" on specific schemes (their setters throw at runtime). For a disabled scheme/parameter combination the getter returns the default value of the underlying field (typically 0L for uint32_t, 0 for double, or the enum's zero sentinel) rather than throwing. This is benign — the field was never set so its default is all the information available — but it means e.g. calling get_plaintext_modulus(params) on a CKKSParams object returns 0 rather than a meaningful modulus.

Value

The underlying parameter value. Types vary per getter.

Functions

• get_ring_dim: Ring dimension n of the lattice the scheme operates over. For RLWE schemes this is the cyclotomic ring's degree n = phi(m) (Euler's totient of the cyclotomic order) and must be a power of two. The ring dimension is the load-bearing cryptographic parameter — security level and multiplicative depth together pin the minimum n, and most runtime costs scale as ⁠O(n log n)⁠ per homomorphic operation.

• get_plaintext_modulus: Plaintext modulus t for the BFV and BGV plaintext spaces. BFV/BGV plaintexts are elements of Z_t[x]/Phi_m(x) and every homomorphic operation is performed modulo t. On a CKKSParams object this returns the default field value (0) because CKKS does not use a plaintext modulus — see discovery D013.

• get_digit_size: Digit size r for BV key-switching: the base-2^r digit decomposition of the ciphertext during a key-switch. Larger values decrease the number of digit multiplications at the cost of larger per-digit noise.

• get_composite_degree: Composite-scaling degree for the CKKS COMPOSITESCALINGAUTO/COMPOSITESCALINGMANUAL scaling techniques. Only meaningful when ⁠scaling_technique = ScalingTechnique$COMPOSITESCALING*⁠; 0 under the default FLEXIBLEAUTO path.

• get_scheme: ⁠parity-deferred:⁠ integer scheme identifier (see SchemeId for the enum values).

• get_standard_deviation: ⁠parity-deferred:⁠ standard deviation of the Gaussian error distribution.

• get_secret_key_dist: ⁠parity-deferred:⁠ secret-key distribution (see SecretKeyDist).

• get_max_relin_sk_deg: ⁠parity-deferred:⁠ maximum relinearization secret-key degree.

• get_pre_mode: ⁠parity-deferred:⁠ proxy re-encryption mode (see PREMode).

• get_multiparty_mode: ⁠parity-deferred:⁠ multiparty mode (see MultipartyMode).

• get_execution_mode: ⁠parity-deferred:⁠ execution mode (see ExecutionMode).

• get_decryption_noise_mode: ⁠parity-deferred:⁠ decryption noise mode (see DecryptionNoiseMode).

• get_noise_estimate: ⁠parity-deferred:⁠ noise-flooding noise estimate (double).

• get_desired_precision: ⁠parity-deferred:⁠ noise-flooding target precision (double, bits).

• get_statistical_security: ⁠parity-deferred:⁠ statistical security parameter. Return type is double per header inconsistency; see the Return-type note.

• get_num_adversarial_queries: ⁠parity-deferred:⁠ upper bound on adversarial queries. Return type is double per header inconsistency; see the Return-type note.

• get_threshold_num_of_parties: ⁠parity-deferred:⁠ threshold-FHE party count.

• get_key_switch_technique: ⁠parity-deferred:⁠ key-switching technique (see KeySwitchTechnique).

• get_scaling_technique: ⁠parity-deferred:⁠ scaling technique (see ScalingTechnique).

• get_batch_size: ⁠parity-deferred:⁠ SIMD batch size.

• get_first_mod_size: ⁠parity-deferred:⁠ bit size of the first (largest) prime in the CKKS modulus chain.

• get_num_large_digits: ⁠parity-deferred:⁠ number of large digits for HYBRID key switching.

• get_multiplicative_depth: ⁠parity-deferred:⁠ configured multiplicative depth. Note: this is the depth the context was constructed to support, not the current depth budget after operations.

• get_scaling_mod_size: ⁠parity-deferred:⁠ bit size of each CKKS scaling modulus.

• get_security_level: ⁠parity-deferred:⁠ target security level (see SecurityLevel).

• get_eval_add_count: ⁠parity-deferred:⁠ BFV/BGV noise-flooding hint: maximum additions between multiplications.

• get_key_switch_count: ⁠parity-deferred:⁠ BFV/BGV noise-flooding hint: maximum key-switch count.

• get_encryption_technique: ⁠parity-deferred:⁠ BFV encryption technique (see EncryptionTechnique).

• get_multiplication_technique: ⁠parity-deferred:⁠ BFV multiplication technique (see MultiplicationTechnique).

• get_pre_num_hops: ⁠parity-deferred:⁠ PRE hop count.

• get_interactive_boot_compression_level: ⁠parity-deferred:⁠ CKKS interactive bootstrap compression level (see CompressionLevel).

• get_register_word_size: ⁠parity-deferred:⁠ register word size for multi-precision arithmetic.

• get_ckks_data_type: ⁠parity-deferred:⁠ CKKS data type (see CKKSDataType).

Return-type note

get_statistical_security and get_num_adversarial_queries return double rather than integer. This matches an inconsistency in the upstream Params base class: the corresponding setters take uint32_t but the getters return double. The underlying field is a double — R binds per the header, not per the setter signature.

get_plaintext_modulus returns an R integer on 32-bit-safe values; for moduli that exceed the 32-bit signed integer range the return value is a numeric (double) carrying a losslessly rounded 53-bit integer, per the design.md §7 return-type convention.

Description

Wraps an encrypted OpenFHE ciphertext. Supports arithmetic operators +, -, * which dispatch to homomorphic operations.

Usage

Ciphertext(ptr = NULL)

Arguments

Description

Reads the real-valued scaling factor at level 0 from cc via get_scaling_factor_real() and returns its log2 rounded to the nearest integer. For a CKKS context constructed with set_scaling_mod_size(50L) this returns 50L.

Usage

ckks_scaling_factor_bits(cc)

Arguments

Details

Used by the Stage 2 form of fhe_ckks_tolerance().

Value

Integer.

Description

CKKS Data Type Source: pke/constants-defs.h enum CKKSDataType

Usage

CKKSDataType

Description

Constructor for the CKKS scheme's CCParams surface. Every argument maps 1:1 to an enabled ⁠CCParams<CryptoContextCKKSRNS>::Set*⁠ method. The 8 CKKS-disabled setters (SetPlaintextModulus, SetEvalAddCount, SetKeySwitchCount, SetEncryptionTechnique, SetMultiplicationTechnique, SetPRENumHops, SetMultipartyMode, SetThresholdNumOfParties) are not exposed; see discovery D013. CKKS is a fixed-point scheme over the complex numbers and has no plaintext modulus; threshold_num_of_parties is currently CKKS-disabled upstream even though the scheme supports threshold variants via a separate code path.

Usage

CKKSParams(
  multiplicative_depth = NULL,
  scaling_mod_size = NULL,
  scaling_technique = NULL,
  batch_size = NULL,
  first_mod_size = NULL,
  security_level = NULL,
  secret_key_dist = NULL,
  key_switch_technique = NULL,
  ring_dim = NULL,
  digit_size = NULL,
  num_large_digits = NULL,
  interactive_boot_compression_level = NULL,
  standard_deviation = NULL,
  register_word_size = NULL,
  ckks_data_type = NULL,
  max_relin_sk_deg = NULL,
  pre_mode = NULL,
  execution_mode = NULL,
  decryption_noise_mode = NULL,
  noise_estimate = NULL,
  desired_precision = NULL,
  statistical_security = NULL,
  num_adversarial_queries = NULL,
  composite_degree = NULL
)

Arguments

Value

A CKKSParams S7 object.

Description

Companion to clear_eval_mult_keys() for the EvalAutomorphism key map (used by rotation and sum operations). key_tag = NULL clears everything (same as clear_fhe_state()'s "automorphism_keys" branch); a character scalar clears only that tag's entries.

Usage

clear_eval_automorphism_keys(key_tag = NULL)

Arguments

Value

NULL, invisibly.

See Also

clear_fhe_state(), clear_eval_mult_keys()

Description

Clears the CryptoContextImpl internal EvalMult key map. With key_tag = NULL (the default), clears the entire cache — equivalent to the no-arg ClearEvalMultKeys() form used by clear_fhe_state(). With a non-NULL key_tag, clears only the entries registered under that tag, preserving everything else. Useful in checkpoint workflows where a single party's keys need to be evicted without wiping the whole registry.

Usage

clear_eval_mult_keys(key_tag = NULL)

Arguments

Value

NULL, invisibly.

See Also

clear_fhe_state(), clear_eval_automorphism_keys()

Description

Clear cached evaluation keys and contexts

Usage

clear_fhe_state(what = c("mult_keys", "automorphism_keys", "contexts"))

Arguments

Description

Releases memory held in the upstream static eval-key maps and related global caches. Useful in long-running R sessions where repeated context construction accumulates static state. The call is idempotent; calling it when no static state is held is a no-op.

Usage

clear_static_maps_and_vectors()

Value

invisible(NULL).

Description

Truncates the ciphertext's RNS modulus representation to towers_left towers and sets its noise-scale-degree to noise_scale_deg. Used by the interactive multi-party bootstrapping protocol to shrink a ciphertext before sending it across the network (see notes/blocks/E-bindings-rewrite/ gap-matrix.md §21 for the bootstrap-side context).

Usage

compress(x, ...)

Arguments

Value

A compressed Ciphertext.

Description

Compression Level (interactive multi-party bootstrap) Source: pke/constants-defs.h enum CompressionLevel NOTE: values start at 2, not 0. The header comment explains that compression levels 0 and 1 are not supported and the values are not renumbered.

Usage

CompressionLevel

Description

Crypto Context

Usage

CryptoContext(ptr = NULL)

Arguments

Description

Wraps ⁠std::shared_ptr<CryptoParametersBase<DCRTPoly>>⁠ on the C++ side. Returned by get_crypto_parameters(cc) and used as an opaque token for RNS-level parameter accessors such as get_scaling_factor_real, get_key_switch_technique, etc. This class ships as scaffolding only: the S7 class definition is in place so that the getter wiring can treat it as already defined, but there is no constructor path from R.

Usage

CryptoParameters(ptr = NULL)

Arguments

Description

Decrypt a ciphertext

Usage

decrypt(ct, key, ...)

Arguments

Value

A Plaintext

Description

Decryption Noise Mode Source: pke/constants-defs.h enum DecryptionNoiseMode

Usage

DecryptionNoiseMode

Description

Deserialize evaluation keys from file

Usage

deserialize_eval_keys(
  filename,
  type = c("mult", "automorphism", "sum"),
  format = "binary"
)

Arguments

Value

TRUE on success (invisibly)

Description

Distribution Type (lattice parameters) Source: core/lattice/stdlatticeparms.h enum DistributionType

Usage

DistributionType

Description

Wraps ⁠std::shared_ptr<typename DCRTPoly::Params>⁠ on the C++ side. Used by the params argument of CKKS plaintext factories and returned by get_element_params(). This class ships as scaffolding only: no constructor surface other than wrapping an existing external pointer.

Usage

ElementParams(ptr = NULL)

Arguments

Description

Accepts either a single PKESchemeFeature enum value or a uint32_t bitwise-OR mask of PKESchemeFeature values (for surface parity with the C++ Enable(uint32_t) overload). The two paths dispatch on the value itself: a mask is detected by being strictly larger than the largest single-feature value (Feature$SCHEMESWITCH = 0x80 = 128) or by having more than one bit set.

Usage

enable_feature(cc, ...)

Arguments

Value

cc invisibly.

Description

Wraps ⁠std::shared_ptr<EncodingParamsImpl>⁠ on the C++ side. Returned by get_encoding_params(cc) and by Plaintext::GetEncodingParams() once the corresponding Plaintext accessor lands. This class ships as scaffolding only: the S7 class definition is in place so that the getter wiring can treat it as already defined, but there is no constructor path from R.

Usage

EncodingParams(ptr = NULL)

Arguments

Description

encrypt dispatches on both the key type and the plaintext. The ⁠(PublicKey, Plaintext)⁠ method performs public-key encryption and is the canonical path used by every vignette. The ⁠(PrivateKey, Plaintext)⁠ method performs symmetric / secret-key encryption using the private key directly; it is useful in protocols that want the secret key to serve as both encryption and decryption key (e.g. one-party tests, single-user benchmarks).

Usage

encrypt(key, pt, ...)

Arguments

Value

A Ciphertext.

Description

Encryption Technique Source: pke/constants-defs.h enum EncryptionTechnique

Usage

EncryptionTechnique

Description

Homomorphic addition

Usage

eval_add(x, y, ...)

Arguments

Value

A Ciphertext

Description

Modifies the first argument in place to hold the result of adding the second argument. Avoids allocating a new Ciphertext, which matters in tight loops or when ciphertext memory footprint is a concern.

Usage

eval_add_in_place(x, ...)

Arguments

Value

x invisibly.

Description

The Mutable* family exists so that operations that can safely mutate their inputs during evaluation (e.g. a temporary intermediate in a longer circuit) can do so without forcing a defensive copy. Semantically equivalent to the non-Mutable counterpart from the user's perspective; the difference is performance under specific workloads.

Usage

eval_add_mutable(x, ...)

Arguments

Value

A new Ciphertext holding x + y.

Description

Standalone wrapper around the CryptoContext::EvalAtIndexKeyGen(privateKey, indexList) C++ method. Functionally identical to eval_rotate_key_gen() (the C++ EvalRotateKeyGen is a thin inline wrapper around EvalAtIndexKeyGen) and provided for surface parity with the C++ header and openfhe-python, both of which bind the two names separately.

Usage

eval_at_index_key_gen(cc, sk, index_list)

Arguments

Value

NULL, invisibly.

Description

Evaluates the automorphism at the given index on ct using the eval-key map returned by eval_automorphism_key_gen(). The result is a new ciphertext whose decrypted slot vector is a permutation of ct's slot vector (the permutation determined by the automorphism group element).

Usage

eval_automorphism(ct, index, eval_key_map)

Arguments

Value

A transformed Ciphertext.

See Also

eval_automorphism_key_gen(), eval_rotate()

Description

Generates the eval-key map needed to apply eval_automorphism() at the given set of slot indices. The generated keys are both inserted into the CryptoContext's internal eval-automorphism-key registry (keyed by sk's tag) and returned as an EvalKeyMap handle that the caller can pass directly to eval_automorphism().

Usage

eval_automorphism_key_gen(cc, sk, indices)

Arguments

Details

On the C++ side this is equivalent to calling EvalAutomorphismKeyGen(sk, indices) which internally calls CryptoContextImpl::InsertEvalAutomorphismKey with the generated map (cryptocontext.h line 2237). The dual return / registry-insert pattern matches the openfhe-python behavior at the equivalent entry point.

Companion to eval_rotate_key_gen() (reached via key_gen()'s rotations argument): both populate the same cc-internal storage. The automorphism form gives raw access to the automorphism group element (bypassing the rotate-to-automorphism slot mapping that eval_rotate_key_gen performs internally).

Value

An EvalKeyMap with one entry per input index.

See Also

eval_automorphism(), find_automorphism_indices()

Description

Evaluate a binary gate on encrypted values

Usage

eval_bin_gate(ctx, gate, ct1, ct2 = NULL)

Arguments

Value

An LWECiphertext

Description

Refreshes the ciphertext to allow further computation.

Usage

eval_bootstrap(ct, num_iterations = 1L, precision = 0L)

Arguments

Value

A refreshed Ciphertext

Description

Generate bootstrapping keys

Usage

eval_bootstrap_key_gen(cc, sk, slots)

Arguments

Description

Set up CKKS bootstrapping

Usage

eval_bootstrap_setup(
  cc,
  level_budget = c(5L, 4L),
  dim1 = c(0L, 0L),
  slots = 0L,
  correction_factor = 0L,
  precompute = TRUE,
  bt_slots_encoding = FALSE
)

Arguments

Description

Uses OpenFHE's default algorithm selector, which routes to eval_chebyshev_linear() for degree < 5 and eval_chebyshev_ps() (Paterson-Stockmeyer) for higher degrees. Call the variants directly to force one algorithm or the other.

Usage

eval_chebyshev(ct, coefficients, a, b)

Arguments

Value

A Ciphertext

See Also

eval_chebyshev_coefficients() and eval_chebyshev_function() for constructing the coefficient vector from a user-supplied function; eval_chebyshev_linear() / eval_chebyshev_ps() for forcing the algorithm.

Description

Computes the Chebyshev (first-kind) coefficients that approximate a univariate function func on the interval $[a, b]$ using the discrete orthogonality formula at degree + 1 Chebyshev nodes. This is a direct port of the upstream routine EvalChebyshevCoefficients() in core/lib/math/chebyshev.cpp of openfhe-development, and the returned vector is in exactly the form that eval_chebyshev() (and the upstream EvalChebyshevSeries) expect — the zeroth coefficient is not halved.

Usage

eval_chebyshev_coefficients(func, a, b, degree)

Arguments

Value

Numeric vector of length degree + 1.

See Also

eval_chebyshev(), eval_chebyshev_function().

Description

Computes the Chebyshev coefficients for func on ⁠[a, b]⁠ via eval_chebyshev_coefficients() and applies the resulting series to ct via eval_chebyshev(). This mirrors the upstream CryptoContext::EvalChebyshevFunction helper, which is a thin wrapper around EvalChebyshevCoefficients followed by EvalChebyshevSeries on the C++ side.

Usage

eval_chebyshev_function(ct, func, a, b, degree)

Arguments

Value

A Ciphertext holding the elementwise approximation of func applied to the plaintext slots of ct.

See Also

eval_chebyshev(), eval_chebyshev_coefficients(), eval_logistic(), eval_sin(), eval_cos(), eval_divide().

Description

Forces the "linear" Chebyshev evaluator regardless of degree. Shallower circuit depth than Paterson-Stockmeyer but uses more multiplications at high degree.

Usage

eval_chebyshev_linear(ct, coefficients, a, b)

Arguments

Value

A Ciphertext

See Also

eval_chebyshev(), eval_chebyshev_ps()

Description

Forces the Paterson-Stockmeyer Chebyshev evaluator regardless of degree. Efficient for high-degree polynomials.

Usage

eval_chebyshev_ps(ct, coefficients, a, b)

Arguments

Value

A Ciphertext

See Also

eval_chebyshev(), eval_chebyshev_linear()

Description

Evaluate cosine on a ciphertext

Usage

eval_cos(ct, a, b, degree)

Arguments

Description

Evaluate division approximation on a ciphertext

Usage

eval_divide(ct, a, b, degree)

Arguments

Description

Hoisted slot rotation using precomputed digits

Usage

eval_fast_rotation(ct, ...)

Arguments

Value

A Ciphertext

Description

Applies a rotation using precomputed digit decomposition like eval_fast_rotation(), but with the extension that the first digit of the decomposition can be folded into the output before the rotation is applied (controlled by add_first). Used inside the CKKS bootstrap fast-rotation inner loop per openfhe-development's scheme/base-scheme.cpp. The eval-key map is pulled from the CryptoContext internal registry via the ciphertext's key tag, so there is no EvalKeyMap argument at the R boundary — the automorphism keys must already be resident on the cc (call key_gen(cc, rotations = ...) to populate them, then reuse the ct here).

Usage

eval_fast_rotation_ext(ct, ...)

Arguments

Value

A Ciphertext.

See Also

eval_fast_rotation()

Description

Computes the digit decomposition of a ciphertext once so that multiple eval_fast_rotation() calls against the same ciphertext avoid redoing it. The cyclotomic order m (typically 2 * N, where N is the ring dimension) is required by eval_fast_rotation().

Usage

eval_fast_rotation_precompute(ct, ...)

Arguments

Value

A FastRotationPrecomputation

Description

Performs the LWE equivalent of floor(ct / 2^roundbits) via functional bootstrapping. Used as a primitive in arbitrary- function evaluation pipelines where the bit-level rounding operation is needed separately from eval_func()'s LUT path.

Usage

eval_floor(ctx, ct, roundbits)

Arguments

Details

Binding-level note: the underlying BinFHEContext__EvalFloor cpp11 binding has been present since the earliest BinFHE work; the R wrapper was added later to close the latent gap (cpp11-only entry with no R path).

Value

A new LWECiphertext holding the rounded value.

See Also

eval_func(), eval_sign()

Description

Functional bootstrapping with a precomputed lookup table. The context must have been created with arb_func = TRUE.

Usage

eval_func(ctx, ct, lut)

Arguments

Value

An LWECiphertext encrypting lut[plaintext(ct) + 1]

Description

Evaluate logistic function on a ciphertext

Usage

eval_logistic(ct, a, b, degree)

Arguments

Description

Homomorphic multiplication

Usage

eval_mult(x, y, ...)

Arguments

Value

A Ciphertext

Description

Equivalent to relinearize(eval_mult_no_relin(x, y)) but slightly more efficient in OpenFHE's implementation. Use this at the end of a multiplication chain.

Usage

eval_mult_and_relinearize(x, ...)

Arguments

Value

A relinearized Ciphertext.

Description

Modifies the first argument in place to hold the result of multiplying by a numeric scalar. CryptoContextImpl only declares EvalMultInPlace scalar overloads in the v1.5.1.0 header surface — the ct/ct and ct/pt variants that upstream-defects P1 refers to live on SchemeBase and are not exposed on CryptoContextImpl, so R's eval_mult_in_place supports only the scalar case. The ct/ct multiplication continues to work via the non-in-place eval_mult() generic.

Usage

eval_mult_in_place(x, ...)

Arguments

Value

x invisibly.

Description

Standalone wrapper around the CryptoContext::EvalMultKeyGen(privateKey) C++ method. Populates the CryptoContext's internal eval-mult registry (keyed by the secret key's tag) so that ciphertext × ciphertext multiplication can be relinearized.

Usage

eval_mult_key_gen(cc, sk)

Arguments

Details

key_gen() folds this into its eval_mult = TRUE branch as a convenience for fresh keypairs. The standalone wrapper is the right entry point when the secret key already exists — for example in any threshold or multi-party flow that holds a secret-key share but did not generate it through key_gen().

Value

NULL, invisibly.

Description

Homomorphic multiply, mutable variant

Usage

eval_mult_mutable(x, ...)

Arguments

Value

A new Ciphertext holding x * y.

Description

Returns the raw product of two ciphertexts as a higher-degree ciphertext (the result has n1 + n2 - 1 polynomial components where the inputs had n1 and n2). The standard eval_mult() automatically relinearizes the result back to 2 components; this variant skips the relinearization step so that multiple multiplications can be chained at higher polynomial degree before a single relinearize() call at the end. Used by the EvalMultAndRelinearize fused variant and by EvalPolyWithPrecomp for noise-optimal polynomial evaluation.

Usage

eval_mult_no_relin(x, ...)

Arguments

Value

A Ciphertext at higher polynomial degree.

Description

Homomorphic negation

Usage

eval_negate(x, ...)

Arguments

Value

A Ciphertext

Description

Homomorphic negation in place

Usage

eval_negate_in_place(x, ...)

Arguments

Value

x invisibly.

Description

Evaluate NOT on an encrypted value

Usage

eval_not(ctx, ct)

Arguments

Value

An LWECiphertext

Description

Evaluates p(x) = c0 + c1x + c2x^2 + ... on encrypted x. Uses OpenFHE's default algorithm selector, which routes to eval_poly_linear() for degree < 5 and eval_poly_ps() (Paterson-Stockmeyer) for higher degrees. Call the variants directly to force one algorithm or the other — Linear is shallower for low-degree polynomials; PS has fewer multiplications for high-degree polynomials.

Usage

eval_poly(ct, coefficients)

Arguments

Value

A Ciphertext

See Also

eval_poly_linear(), eval_poly_ps()

Description

Forces the "linear" Horner-style polynomial evaluator regardless of degree. Shallower circuit depth than the Paterson-Stockmeyer variant but uses more multiplications at high degree. Cheaper for degree < 5; fall over to eval_poly_ps() above that.

Usage

eval_poly_linear(ct, coefficients)

Arguments

Value

A Ciphertext

See Also

eval_poly(), eval_poly_ps()

Description

Forces the Paterson-Stockmeyer polynomial evaluator regardless of degree. Efficient for high-degree polynomials (fewer multiplications at the cost of more additions and a deeper circuit); for degree < 5 prefer eval_poly_linear().

Usage

eval_poly_ps(ct, coefficients)

Arguments

Value

A Ciphertext

See Also

eval_poly(), eval_poly_linear()

Description

Rotate ciphertext slots

Usage

eval_rotate(ct, ...)

Arguments

Value

A Ciphertext

Description

Standalone wrapper around the CryptoContext::EvalRotateKeyGen(privateKey, indexList) C++ method. Populates the CryptoContext's internal automorphism key registry for the supplied rotation indices so that eval_rotate() can consume them.

Usage

eval_rotate_key_gen(cc, sk, index_list)

Arguments

Details

key_gen() folds this into its rotations = ... argument as a convenience for fresh keypairs. The standalone wrapper is the right entry point when the secret key already exists — for example as the lead-party rotation-key generation step in a multi-party rotation protocol, where subsequent parties contribute via multi_eval_at_index_key_gen().

Value

NULL, invisibly.

Description

Extracts the most-significant bit of an LWE ciphertext encrypted under the large modulus Q. The context must have been created with arb_func = TRUE.

Usage

eval_sign(ctx, ct, scheme_switch = FALSE)

Arguments

Value

An LWECiphertext encrypting 0 if the input was negative (i.e. lay in the upper half of [0, Q)), 1 otherwise

Description

Evaluate sine on a ciphertext (Chebyshev approximation)

Usage

eval_sin(ct, a, b, degree)

Arguments

Value

A Ciphertext

Description

Homomorphic squaring

Usage

eval_square(x, ...)

Arguments

Value

A Ciphertext

Description

Homomorphic square, mutable variant

Usage

eval_square_mutable(x, ...)

Arguments

Value

A new Ciphertext holding x * x.

Description

Homomorphic subtraction

Usage

eval_sub(x, y, ...)

Arguments

Value

A Ciphertext

Description

Modifies the first argument in place to hold the result of subtracting the second argument.

Usage

eval_sub_in_place(x, ...)

Arguments

Value

x invisibly.

Description

Homomorphic subtract, mutable variant

Usage

eval_sub_mutable(x, ...)

Arguments

Value

A new Ciphertext holding x - y.

Description

Sum all slots in a ciphertext

Usage

eval_sum(ct, ...)

Arguments

Value

A Ciphertext

Description

Populates the CryptoContext's internal sum-key registry (keyed by the secret key's tag) so that eval_sum() and the multi-party sum-key protocol can consume the generated entries. Closes a long-standing gap: the underlying CryptoContext__EvalSumKeyGen cpp11 binding has been present since the early phases but had no standalone R wrapper — users had to go through key_gen()'s side-effects only. The wrapper lands so that the multi-party sum-key flow (which needs to call this on each party's secret share) has a direct R-level entry point.

Usage

eval_sum_key_gen(cc, sk)

Arguments

Value

NULL, invisibly.

Description

EvalKey class for multi-party key operations

Usage

EvalKey(ptr = NULL)

Arguments

Description

Opaque S7 wrapper around a ⁠shared_ptr<std::map<uint32_t, EvalKey<DCRTPoly>>>⁠. Produced by the ⁠multi_eval_*_key_gen()⁠ family and by get_eval_sum_key_map() / get_eval_automorphism_key_map(); consumed by multi_add_eval_sum_keys(), multi_add_eval_automorphism_keys(), insert_eval_sum_key(), and insert_eval_automorphism_key(). The map is keyed by a rotation/automorphism index and carries one EvalKey per index.

Usage

EvalKeyMap(ptr = NULL)

Arguments

Details

Users do not construct or index into an EvalKeyMap directly — it is a transport format for the multi-party eval-key protocols. In a single-user protocol the same data is tracked inside the CryptoContext's internal key registry (populated by EvalSumKeyGen() / EvalRotateKeyGen()) and is only exposed as an EvalKeyMap when the distributed-party flow needs to exchange it.

Description

Execution Mode Source: pke/constants-defs.h enum ExecutionMode

Usage

ExecutionMode

Description

Returned by eval_fast_rotation_precompute() and consumed by eval_fast_rotation(). Hoisting amortizes the per-rotation decomposition over many rotations of the same source ciphertext.

Usage

FastRotationPrecomputation(ptr = NULL)

Arguments

Description

PKE Scheme Features (bitmask) Source: pke/constants-defs.h enum PKESchemeFeature

Usage

Feature

Description

Computes a tolerance value suitable for comparing the cleartext result of a CKKS circuit against a decrypted ciphertext. The value is a function of the scheme's scaling factor, the circuit's multiplicative depth at the point of decryption, and the ScalingTechnique-specific precision loss per level.

Usage

fhe_ckks_tolerance(x, ...)

Arguments

Details

Two dispatch forms:

• Stage 1 (numeric): pass parameters as direct arguments. Useful when the ciphertext isn't yet constructed — e.g. in a fixture setup block that has to produce a tolerance before calling encrypt().

• Stage 2 (Ciphertext): pass a Ciphertext directly. The helper reads the associated CryptoContext via get_crypto_context(), pulls the multiplicative depth (from context) minus the ciphertext's current level, computes the scaling factor bits via ckks_scaling_factor_bits(), and looks up the scaling technique. This form is preferred at test sites where a ciphertext exists.

Value

Numeric scalar — the tolerance value to use as tolerance in tinytest::expect_equal() or as atol in a manual diff.

Examples

# Stage 1 — pass parameters directly:
tol1 <- fhe_ckks_tolerance(4L, 50L, "FLEXIBLEAUTO")

# Stage 2 — pass a ciphertext (requires a live CKKS context):
# cc <- fhe_context("CKKS", multiplicative_depth = 4L, scaling_mod_size = 50L)
# kp <- key_gen(cc, eval_mult = TRUE)
# pt <- make_ckks_packed_plaintext(cc, c(0.1, 0.2, 0.3, 0.4))
# ct <- encrypt(kp@public, pt, cc)
# tol2 <- fhe_ckks_tolerance(ct)

Description

High-level constructor that creates a CryptoContext with sensible defaults. PKE, KEYSWITCH, and LEVELEDSHE features are enabled automatically.

Usage

fhe_context(scheme = c("BFV", "BGV", "CKKS"), ..., features = NULL)

Arguments

Details

All scheme-specific CCParams setter arguments are accepted via ... and forwarded to the appropriate per-scheme constructor (BFVParams(), BGVParams(), or CKKSParams()). See those functions' argument lists for the valid per-scheme setter surface — each scheme accepts only the setters that are not disabled in its upstream ⁠CCParams<T>⁠ specialization (see discovery D013). Passing an invalid scheme-specific argument produces an R-level "unused argument" error at the underlying ⁠*Params()⁠ call site.

Value

A CryptoContext object.

See Also

BFVParams(), BGVParams(), CKKSParams()

Description

Deserialize an OpenFHE object from file

Usage

fhe_deserialize(
  filename,
  type = c("CryptoContext", "PublicKey", "PrivateKey", "Ciphertext"),
  format = "binary"
)

Arguments

Value

The deserialized object

Description

Serialize an OpenFHE object to file

Usage

fhe_serialize(x, ...)

Arguments

Value

TRUE on success (invisibly)

Description

Maps a CKKS slot index to the corresponding automorphism index in the cyclotomic ring Z[X]/(X^N + 1). The automorphism group of the ring is isomorphic to the multiplicative group ⁠(Z/2N)*⁠; this function returns the representative of that group that corresponds to rotating the plaintext slots by the given amount.

Usage

find_automorphism_index(cc, index)

Arguments

Details

Used as a primitive by find_automorphism_indices() and by code that needs to address automorphism keys directly (for example, selectively generating eval keys for a sparse set of rotation amounts).

R-first binding: openfhe-python does not bind FindAutomorphismIndex. Logged in notes/upstream-defects.md under R-only surface.

Value

Integer; the automorphism group element corresponding to that rotation.

See Also

find_automorphism_indices() for the vector form.

Description

Vector form of find_automorphism_index(). Takes a vector of slot indices and returns the corresponding automorphism indices in the same order. R-first binding — openfhe-python does not bind FindAutomorphismIndices.

Usage

find_automorphism_indices(cc, indices)

Arguments

Value

Integer vector of automorphism indices.

See Also

find_automorphism_index()

Description

Computes f(0:(p-1), p) and returns it as a numeric vector suitable for eval_func(). This is the R-side analogue of OpenFHE's GenerateLUTviaFunction — we don't bind the C++ helper because its signature takes a raw function pointer that can't capture an R closure, and R is natively vectorised so a pure-R helper is both simpler and faster than wiring an R callback through cpp11.

Usage

generate_lut_via_function(f, p)

Arguments

Value

A length-p numeric vector of LUT entries

Description

Reads the entire CryptoContextImpl internal EvalAutomorphism key map — a named R list keyed by secret-key tag, where each element is an EvalKeyMap (the rotation/automorphism key map for that party). Used for rotation and EvalAtIndex under the EvalKeyMap wire format.

Usage

get_all_eval_automorphism_keys()

Value

A named list keyed by key-tag string. Each element is an EvalKeyMap (opaque wrapper around ⁠shared_ptr<map<uint32_t, EvalKey<DCRTPoly>>>⁠).

See Also

get_eval_automorphism_key_map() for per-tag lookup, insert_eval_automorphism_key() for the write path.

Description

Reads the entire CryptoContextImpl internal EvalMult key map — a named R list keyed by secret-key tag, where each element is itself a list of EvalKey objects (the vector of multiplication-eval keys registered under that tag).

Usage

get_all_eval_mult_keys()

Details

The returned list is a snapshot: each EvalKey wraps a fresh shared_ptr copy, so retained references survive subsequent clear_eval_mult_keys() calls. The underlying keys are still shared with the cc registry — modifications through other paths remain visible.

Primary consumer: checkpoint/resume workflows that need to audit which parties have keys registered before serializing the cc.

Value

A named list keyed by key-tag string. Each element is a list of EvalKey objects.

See Also

get_eval_mult_key_vector() for per-tag lookup, insert_eval_mult_key() for the write path.

Description

Reads the entire CryptoContextImpl internal EvalSum key map. Structurally identical to get_all_eval_automorphism_keys(): both share backing storage on the C++ side, but the two accessors are exposed separately so that fixture authors can match whichever OpenFHE doc they are reading.

Usage

get_all_eval_sum_keys()

Value

A named list keyed by key-tag string. Each element is an EvalKeyMap.

See Also

get_eval_sum_key_map(), insert_eval_sum_key()

Description

Get the required multiplicative depth for CKKS bootstrapping

Usage

get_bootstrap_depth(level_budget, secret_key_dist = 1L)

Arguments

Value

Integer: required depth

Description

Reads the current correction factor the scheme uses during the bootstrap EvalModReduceInternal step. Companion of set_ckks_boot_correction_factor(). Changes here affect all subsequent bootstrap operations on this CryptoContext until another call to set_ckks_boot_correction_factor().

Usage

get_ckks_boot_correction_factor(cc)

Arguments

Value

Integer; the current correction factor.

See Also

set_ckks_boot_correction_factor(), eval_bootstrap_setup()

Description

Reads the CKKS plaintext's internal slot vector as complex numbers. Every CKKS plaintext slot carries a ⁠std::complex<double>⁠ internally; when a plaintext was constructed from a real-valued vector via make_ckks_packed_plaintext(), the imaginary parts are all zero (up to CKKS encoding noise). When a plaintext was constructed from a complex vector (the is-complex dispatch path), both real and imaginary parts carry information.

Usage

get_complex_packed_value(pt)

Arguments

Value

A native R complex vector.

See Also

get_real_packed_value() for the real-only view, make_ckks_packed_plaintext() for the matching constructor.

Description

Returns the CryptoContext that was used to construct ct. OpenFHE ciphertexts carry a back-pointer to their context so that homomorphic operations can dispatch to the correct scheme implementation without requiring the user to pass the context explicitly.

Usage

get_crypto_context(ct, ...)

Arguments

Details

Naming note: get_crypto_context is distinct from get_crypto_parameters. The former returns the high-level CryptoContext S7 wrapper; the latter returns the opaque CryptoParameters S7 wrapper.

Value

A CryptoContext S7 object.

Description

Returns the CryptoParameters S7 object carrying the opaque ⁠std::shared_ptr<CryptoParametersBase<DCRTPoly>>⁠ at the C++ level. Useful for introspection; most R users will prefer to call the individual lambda-routed getters (e.g. get_scaling_technique(cc), get_batch_size(cc)) directly instead of going through the CryptoParameters object.

Usage

get_crypto_parameters(cc, ...)

Arguments

Value

A CryptoParameters S7 object.

Description

Integer m such that the underlying polynomial ring is Z[x]/(x^n + 1) with n = m/2 (the ring dimension). Always 2 * ring_dimension(cc) for power-of-two cyclotomics.

Usage

get_cyclotomic_order(cc, ...)

Arguments

Value

Integer.

Description

Returns the ElementParams S7 object wrapping ⁠std::shared_ptr<typename DCRTPoly::Params>⁠. This is the object that can be passed as the params argument to make_ckks_packed_plaintext() to build a plaintext against a specific parameter set rather than the context default.

Usage

get_element_params(cc, ...)

Arguments

Details

This is the first R-side way to obtain a non-default ElementParams (the class itself has existed as a scaffold but had no constructor path until now).

Value

An ElementParams S7 object.

Description

Returns the EncodingParams S7 object wrapping ⁠std::shared_ptr<EncodingParamsImpl>⁠. Holds the plaintext modulus, batch size, and other encoding-level parameters.

Usage

get_encoding_params(cc, ...)

Arguments

Value

An EncodingParams S7 object.

Description

Accessor for the cc-internal static automorphism-key map. The underlying C++ call returns a shared_ptr directly (no copy), so the returned EvalKeyMap is a live view of the cc registry.

Usage

get_eval_automorphism_key_map(key_tag)

Arguments

Value

An EvalKeyMap.

Description

Reads the vector of EvalMult keys registered under key_tag. Errors (via catch_openfhe) if the tag is not present in the registry.

Usage

get_eval_mult_key_vector(key_tag)

Arguments

Value

A list of EvalKey objects.

See Also

get_all_eval_mult_keys(), insert_eval_mult_key()

Description

Accessor for the cc-internal static map populated by eval_sum_key_gen(). Used by the multi-party sum protocol to pull the lead party's initial eval-sum map so other parties can produce their shares.

Usage

get_eval_sum_key_map(key_tag)

Arguments

Details

The underlying C++ call returns a ⁠const std::map&⁠; the R wrapper copies the map into a fresh shared_ptr to give the returned EvalKeyMap owning semantics. The returned map is a snapshot: subsequent modifications to the cc registry are not reflected.

Value

An EvalKeyMap.

Description

Integer level at which subsequent key_gen() calls will generate keys. Defaults to 0L. Useful when generating keys at a non-fresh level for deep circuit protocols.

Usage

get_key_gen_level(cc, ...)

Arguments

Value

Integer.

Description

Maximum supported plaintext space for functional bootstrapping

Usage

get_max_plaintext_space(ctx)

Arguments

Value

A numeric scalar (q / (2 * beta))

Description

Returns 64 or 128 depending on how OpenFHE was compiled.

Usage

get_native_int()

Value

integer

Description

Get packed integer values from a plaintext

Usage

get_packed_value(pt)

Arguments

Value

Integer vector

Description

Get real values from a CKKS plaintext

Usage

get_real_packed_value(pt)

Arguments

Value

Numeric vector

See Also

get_complex_packed_value() for the complex-view accessor on the same underlying plaintext (each slot internally carries a complex pair — this function returns only the real parts).

Description

Returns cryptoParams->GetScalingFactorReal(level) — the double-valued scaling factor at the given level of the CKKS modulus chain. Meaningful only for CKKS contexts; BFV/BGV contexts return the default field value (effectively 1.0).

Usage

get_scaling_factor_real(cc, ...)

Arguments

Details

Used by ckks_scaling_factor_bits() (which takes log2 of the level-0 value to recover the bit size originally set via set_scaling_mod_size()) and by the Stage 2 form of fhe_ckks_tolerance().

Value

Numeric scalar.

Description

After combining multi-party automorphism-key shares via multi_add_eval_automorphism_keys(), insert the joined map into the cc-internal registry so that eval_rotate() / eval_fast_rotation() can consume it.

Usage

insert_eval_automorphism_key(eval_key_map, key_tag = "")

Arguments

Value

NULL, invisibly.

Description

Adds a vector of EvalKey objects to the CryptoContext's internal EvalMult-key map under key_tag. Silently replaces any existing matching keys. If key_tag is the empty string ("", the default), the tag is retrieved from the eval-key vector itself (each EvalKey carries its own tag).

Usage

insert_eval_mult_key(eval_keys, key_tag = "")

Arguments

Details

Used in checkpoint/resume workflows: after fhe_deserialize_eval_keys() or multi_add_eval_mult_keys() produces a combined eval-mult key vector, this function registers it into the cc's internal storage so that subsequent eval_mult() calls on ciphertexts encrypted under the associated party's key can consume it.

Value

NULL, invisibly.

See Also

insert_eval_sum_key(), insert_eval_automorphism_key()

Description

After combining multi-party shares via multi_add_eval_sum_keys(), the joined map has to be inserted back into the cc's internal static registry before eval_sum() can consume it. insert_eval_sum_key() routes the map through CryptoContextImpl::InsertEvalSumKey (which delegates internally to InsertEvalAutomorphismKey — the same static storage is shared between the two surfaces).

Usage

insert_eval_sum_key(eval_key_map, key_tag = "")

Arguments

Value

NULL, invisibly.

Description

Final step of the two-party interactive bootstrap protocol. Adds the server's masked decryption to the client's re-encryption to produce the refreshed ciphertext.

Usage

int_boot_add(ct1, ct2)

Arguments

Value

A refreshed Ciphertext.

Description

Adjusts a ciphertext's scale to meet the scheme's requirements before entering the interactive bootstrap protocol. Typically called before int_boot_decrypt().

Usage

int_boot_adjust_scale(ct)

Arguments

Value

A Ciphertext ready for int_boot_decrypt().

Description

First step of the single-party interactive bootstrap protocol. The server applies its secret key share to produce a "masked" partial decryption that the client can finish off-line. Pairs with int_boot_encrypt() / int_boot_add() / int_boot_adjust_scale() to complete the refresh.

Usage

int_boot_decrypt(sk, ct)

Arguments

Value

A Ciphertext holding the masked decryption.

See Also

int_boot_encrypt(), int_boot_add(), int_boot_adjust_scale()

Description

Encrypts the client's masked decryption result under the public key, raising the ciphertext modulus back to a fresh level.

Usage

int_boot_encrypt(pk, ct)

Arguments

Value

A refreshed Ciphertext.

See Also

int_boot_decrypt()

Description

Combines the shares-pair lists produced by each party's call to int_mp_boot_decrypt() into a single aggregated shares pair for use in int_mp_boot_encrypt(). The input is a list of per-party shares-pair lists (a list of lists of Ciphertext).

Usage

int_mp_boot_add(cc, shares_pair_list)

Arguments

Value

A list of Ciphertext objects — the aggregated shares pair.

Description

Multi-party analogue of int_boot_adjust_scale(). Adjusts the ciphertext's scale before entering the distributed bootstrap protocol.

Usage

int_mp_boot_adjust_scale(ct)

Arguments

Value

A Ciphertext ready for the multi-party bootstrap protocol.

Description

Each party calls this with their own secret share, the ciphertext being refreshed, and the common random element from int_mp_boot_random_element_gen(). Returns a list of two Ciphertext objects — the party's masked-decryption "shares pair". Each party's shares pair gets collected and fed into int_mp_boot_add().

Usage

int_mp_boot_decrypt(sk, ct, a)

Arguments

Value

A list of two Ciphertext objects (the party's shares pair).

Description

Lead party's final step in the multi-party interactive bootstrap. Takes the aggregated shares pair from int_mp_boot_add() plus the common random element and the original ciphertext, produces the refreshed ciphertext at a fresh modulus level.

Usage

int_mp_boot_encrypt(pk, shares_pair, a, ct)

Arguments

Value

A refreshed Ciphertext.

Description

Generates a common random polynomial used by all parties in a multi-party interactive bootstrap round. Two overloads:

Usage

int_mp_boot_random_element_gen(cc, source)

Arguments

Details

• When source is a PublicKey (the lead party's public key), routes to the (publicKey) C++ overload.

• When source is a Ciphertext, routes to the (ciphertext) overload which derives the cc and parameters from the ciphertext directly — convenient when a ciphertext is already in scope.

Value

A Ciphertext holding the common random element.

Description

Returns TRUE when both the public and secret keys of a KeyPair are non-null external pointers. The C++ KeyPair::good() predicate performs the same check on the C++ side; because R's KeyPair is a pure-R aggregate that wraps an already-constructed PublicKey and PrivateKey, the R-level check is equivalent.

Usage

is_good(kp, ...)

Arguments

Value

TRUE or FALSE.

Description

Generate key pair

Usage

key_gen(cc, ...)

Arguments

Value

A KeyPair

Description

Brings a ciphertext that lives in the extended PQ basis (for example, the output of eval_fast_rotation_ext() with hybrid key switching) back to the standard Q basis. Only supported when the scheme is configured with hybrid key switching — other key-switching techniques have no round-trip to extended PQ and therefore nothing to scale back from.

Usage

key_switch_down(ct)

Arguments

Details

R-first binding: openfhe-python v1.5.1.0 does not expose KeySwitchDown at all. See notes/upstream-defects.md for the R-only surface tracking.

Value

A Ciphertext in the Q basis.

See Also

eval_fast_rotation_ext()

Description

Every PublicKey / PrivateKey carries a string "key tag" identifying which key pair it belongs to. The tag is set at key-generation time by OpenFHE and can be inspected or overwritten via these accessors. In threshold / multiparty protocols the tag is used to associate a key with the party that owns it; in single-user protocols it is typically left at its default.

Usage

get_key_tag(key, ...)

set_key_tag(key, ...)

Arguments

Value

get_key_tag: character scalar. set_key_tag: the key invisibly.

Description

Key Generation Mode Source: binfhe/binfhe-constants.h enum KEYGEN_MODE

Usage

KeygenMode

Description

Contains a public key and a secret (private) key.

Usage

KeyPair(public = NULL, secret = NULL)

Arguments

Description

Key Switching Techniques Source: pke/constants-defs.h enum KeySwitchTechnique

Usage

KeySwitchTechnique

Description

Drops levels levels from x's modulus chain in a single operation. Useful when x is at a deeper level than the ciphertext it will interact with next; level-reducing brings them onto the same rung of the chain.

Usage

level_reduce(x, ...)

Arguments

Details

An evaluation key is required — supply it from key_gen(cc, eval_mult = TRUE).

Value

A Ciphertext at x$level + levels.

Description

Reduce the modulus chain by multiple levels, in place

Usage

level_reduce_in_place(x, ...)

Arguments

Value

x invisibly.

Description

LWE Ciphertext (Binary FHE)

Usage

LWECiphertext(ptr = NULL)

Arguments

Description

LWE Private Key (Binary FHE)

Usage

LWEPrivateKey(ptr = NULL)

Arguments

Description

Encode a real-valued numeric vector as a CKKS packed plaintext. The result is an unencrypted Plaintext object that can then be passed to encrypt().

Usage

make_ckks_packed_plaintext(
  cc,
  values,
  noise_scale_deg = 1L,
  level = 0L,
  params = NULL,
  slots = 0L
)

Arguments

Value

A Plaintext.

Description

Encode an integer vector as a coefficient-packed plaintext. Coefficient packing places each input value in a separate polynomial coefficient and is the alternative to the SIMD batched packing produced by make_packed_plaintext(). Used by the integer-modulus Ring-LWE vignettes where per-coefficient access is needed.

Usage

make_coef_packed_plaintext(cc, values, noise_scale_deg = 1L, level = 0L)

Arguments

Value

A Plaintext.

Description

Encode an integer vector as a BFV / BGV packed plaintext. The result is an unencrypted Plaintext object that can then be passed to encrypt().

Usage

make_packed_plaintext(cc, values, noise_scale_deg = 1L, level = 0L)

Arguments

Value

A Plaintext.

Description

Synonym for rescale(). Both names dispatch to the same C++ operation (CryptoContextImpl::Rescale delegates to ModReduce internally); the R binding keeps both so fixture and vignette authors can use whichever name matches the OpenFHE documentation they're following.

Usage

mod_reduce(x, ...)

Arguments

Value

A Ciphertext at one lower level.

See Also

rescale(), mod_reduce_in_place()

Description

Reduce the modulus chain by one level, in place

Usage

mod_reduce_in_place(x, ...)

Arguments

Value

x invisibly.

Description

Combine two automorphism-key map shares

Usage

multi_add_eval_automorphism_keys(
  cc,
  eval_key_map1,
  eval_key_map2,
  key_tag = ""
)

Arguments

Value

A combined EvalKeyMap suitable for insertion into the cc registry via insert_eval_automorphism_key().

Description

Combines two partial key-switching eval keys into a joint eval key. See multi_add_eval_mult_keys() for the eval-mult variant — the two functions consume keys produced by different generators and are not interchangeable.

Usage

multi_add_eval_keys(cc, ek1, ek2, key_tag = "")

Arguments

Value

A combined EvalKey

Description

The eval-mult flavor of multi_add_eval_keys(). Consumes keys produced by a multi-party eval-mult key generator rather than by multi_key_switch_gen(). Where the R generator is not yet exposed, the wrapper still lets downstream code exercise the add-keys flow against keys constructed through the underlying cpp11 binding.

Usage

multi_add_eval_mult_keys(cc, ek1, ek2, key_tag = "")

Arguments

Value

A combined EvalKey

Description

Combine two sum-key map shares into a joint sum-key map

Usage

multi_add_eval_sum_keys(cc, eval_key_map1, eval_key_map2, key_tag = "")

Arguments

Value

A combined EvalKeyMap suitable for insertion into the cc registry via insert_eval_sum_key().

Description

Combine public keys from multiple parties

Usage

multi_add_pub_keys(cc, pk1, pk2, key_tag = "")

Arguments

Value

A combined PublicKey

Description

The EvalAtIndex flavor of multi_eval_automorphism_key_gen(); takes signed rotation indices rather than automorphism indices. Semantically equivalent but lives on a distinct C++ entry point, matching the openfhe-python surface.

Usage

multi_eval_at_index_key_gen(cc, sk, eval_key_map, index_list, key_tag = "")

Arguments

Value

An EvalKeyMap.

Description

Produces this party's share of the joined automorphism eval key map for the supplied index_list. Each other party calls the same method with their own secret share, and the shares are combined via multi_add_eval_automorphism_keys() to produce the final joined map.

Usage

multi_eval_automorphism_key_gen(cc, sk, eval_key_map, index_list, key_tag = "")

Arguments

Value

An EvalKeyMap holding this party's joint share.

Description

Generate a joint sum-key share for multi-party EvalSum

Usage

multi_eval_sum_key_gen(cc, sk, eval_key_map, key_tag = "")

Arguments

Value

An EvalKeyMap.

Description

Generates an eval key that switches ciphertexts encrypted under sk_orig into a form decryptable by sk_new, starting from an existing eval key that carries the key-switch auxiliary information. Used by threshold protocols to route partial decryptions across a re-keyed party set.

Usage

multi_key_switch_gen(cc, sk_orig, sk_new, eval_key)

Arguments

Value

An EvalKey suitable for routing through multi_add_eval_keys() to combine with other parties' key-switch shares

Description

Combines partial decryptions from any number of parties (n >= 2). The lead party's partial decryption (from multiparty_decrypt_lead()) must be supplied first; subsequent partials (from multiparty_decrypt_main()) follow in any order.

Usage

multiparty_decrypt_fusion(cc, ...)

Arguments

Value

A Plaintext with the final decrypted result

Description

In threshold decryption, the lead party calls this first. Accepts either a single Ciphertext or a list of Ciphertext objects:

Usage

multiparty_decrypt_lead(cc, sk, ct)

Arguments

Details

• single Ciphertext: returns a single partially decrypted Ciphertext, matching the original single-ciphertext signature.

• list of Ciphertext: returns a list of partially decrypted Ciphertext objects of the same length, routed through the C++ ⁠MultipartyDecryptLead(vector<Ciphertext>, PrivateKey)⁠ overload (cryptocontext.h line 3115). Useful when a protocol round needs to partially decrypt a batch in one trip.

Value

A partially decrypted Ciphertext or list of Ciphertexts, mirroring the input shape.

Description

Other parties call this after the lead. Accepts either a single Ciphertext or a list of Ciphertext objects with the same semantics as multiparty_decrypt_lead().

Usage

multiparty_decrypt_main(cc, sk, ct)

Arguments

Value

A partially decrypted Ciphertext or list of Ciphertexts, mirroring the input shape.

Description

The lead party uses key_gen() to generate the initial keypair. Subsequent parties call this with the lead's public key.

Usage

multiparty_key_gen(cc, lead_pk, make_sparse = FALSE, fresh = FALSE)

Arguments

Value

A KeyPair for this party

Description

Multiparty Mode Source: pke/constants-defs.h enum MultipartyMode

Usage

MultipartyMode

Description

Multiplication Technique (BFV) Source: pke/constants-defs.h enum MultiplicationTechnique

Usage

MultiplicationTechnique

Description

All OpenFHE objects (CryptoContext, Ciphertext, Plaintext, Keys, etc.) inherit from this class. It holds an external pointer to a C++ shared_ptr.

Usage

OpenFHEObject(ptr = NULL)

Arguments

Description

Plaintext

Usage

Plaintext(ptr = NULL)

Arguments

Description

Retrieve or set fields on a Plaintext object. Each accessor wraps the corresponding upstream ⁠PlaintextImpl::Get*⁠/⁠Set*⁠ method and returns its value unchanged.

Usage

get_noise_scale_deg(x, ...)

get_length(x, ...)

get_level(x, ...)

get_scaling_factor(x, ...)

get_log_precision(x, ...)

get_formatted_values(x, ...)

set_ckks_data_type(x, ...)

get_encoding_type(x, ...)

get_scaling_factor_int(x, ...)

get_scheme_id(x, ...)

is_encoded(x, ...)

low_bound(x, ...)

high_bound(x, ...)

get_slots(x, ...)

get_log_error(x, ...)

get_coef_packed_value(x, ...)

get_string_value(x, ...)

get_element_ring_dimension(x, ...)

set_scaling_factor(x, ...)

set_scaling_factor_int(x, ...)

set_noise_scale_deg(x, ...)

set_level(x, ...)

set_slots(x, ...)

set_string_value(x, ...)

set_int_vector_value(x, ...)

Arguments

Details

Several base-class accessors are declared virtual and throw OPENFHE_THROW in the base implementation (e.g. get_string_value on a non-string plaintext, get_log_precision on a non-CKKS plaintext). Calling an accessor on the wrong kind of plaintext therefore raises an R error via cli::cli_abort, not a silent wrong value.

Value

The underlying field value. Types vary per accessor.

Functions

• get_noise_scale_deg: Integer noise-scale-degree of a CKKS plaintext. After construction the degree is the value passed to make_ckks_packed_plaintext(..., noise_scale_deg) under FIXEDMANUAL scaling; under FLEXIBLEAUTO the scheme overrides the user-supplied value at context-generation time (see discovery D011). Incremented by each multiplication before a rescale. The harness Signal 2 differential fixture for MakeCKKSPackedPlaintext reads this value to verify the noise_scale_deg argument reached the C++ call site.

• get_length: Integer effective length of a packed plaintext — the number of slots that hold user-supplied values. Defaults to the full batch size at construction; set_length() can shorten it for display or decryption purposes.

• get_level: Integer level of the plaintext in the RNS modulus chain. 0 for a fresh plaintext; incremented by each rescale() the plaintext survives. For CKKS-packed plaintexts the level must match the ciphertext level at every homomorphic operation, or the evaluator rejects the pair. The harness Signal 2 fixture reads this value to verify the level argument reached the C++ call site.

• get_scaling_factor: Numeric scaling factor for CKKS-based plaintexts — the multiplier the real vector is scaled by before encoding. Equals 2^scaling_mod_size for a freshly-encoded plaintext under FLEXIBLEAUTO; halves after each rescale. For BFV/BGV plaintexts this is returned as a default value (no rescaling applies).

• get_log_precision: Numeric log2 of the precision lost during CKKS encoding. Only meaningful for CKKS plaintexts; throws via OPENFHE_THROW for BFV/BGV and is surfaced as an R error by cli::cli_abort.

• get_formatted_values: String-format the plaintext's encoded values with precision decimal digits. Implemented on the concrete plaintext subclass (packed, CKKS, string, coefficient); throws on plaintexts whose subclass does not override.

• set_ckks_data_type: Set the CKKS data type to CKKSDataType$REAL or CKKSDataType$COMPLEX. Only meaningful for CKKS plaintexts. Most R vignettes use the default REAL type; set to COMPLEX only when you are constructing a CKKS plaintext from a complex vector.

• get_encoding_type: ⁠parity-deferred:⁠ integer encoding type (see PlaintextEncodings for the enum values).

• get_scaling_factor_int: ⁠parity-deferred:⁠ BGV integer scaling factor. Returned as a double carrying a losslessly rounded 53-bit integer per design.md §7.

• get_scheme_id: ⁠parity-deferred:⁠ scheme identifier (see SchemeId enum).

• is_encoded: ⁠parity-deferred:⁠ logical "has the plaintext been encoded yet?" The factory methods typically encode plaintexts eagerly, so this is TRUE for fresh plaintexts. Returns FALSE only for plaintexts constructed in a two-step uninitialised form.

• low_bound: ⁠parity-deferred:⁠ integer lower bound that can be encoded with the current plaintext modulus: -floor(t / 2).

• high_bound: ⁠parity-deferred:⁠ integer upper bound that can be encoded with the current plaintext modulus: floor(t / 2).

• get_slots: ⁠parity-deferred:⁠ integer CKKS slot count. For Plaintext dispatch this is the GetSlots() value set at construction. The harness Signal 2 fixture reads this value to verify the slots argument reached the C++ call site.

• get_log_error: ⁠parity-deferred:⁠ numeric log2 of the error estimate. Only meaningful for CKKS plaintexts; throws for BFV/BGV.

• get_coef_packed_value: ⁠parity-deferred:⁠ integer vector of the underlying coef-packed encoding. Throws for plaintexts whose subclass is not coef-packed.

• get_string_value: ⁠parity-deferred:⁠ string value of a string-encoded plaintext. Throws for plaintexts whose subclass is not string-encoded.

• get_element_ring_dimension: ⁠parity-deferred:⁠ integer ring dimension of the underlying Element. This is the plaintext's view of the lattice ring dimension; typically matches the crypto context's ring dimension.

• set_scaling_factor: ⁠parity-deferred:⁠ set the CKKS plaintext scaling factor.

• set_scaling_factor_int: ⁠parity-deferred:⁠ set the BGV plaintext integer scaling factor.

• set_noise_scale_deg: ⁠parity-deferred:⁠ set the plaintext noise scale degree. Most users should not call this directly — the factory methods and the evaluator manage noise_scale_deg automatically.

• set_level: ⁠parity-deferred:⁠ set the plaintext level. As with set_noise_scale_deg, most users should not call this directly.

• set_slots: ⁠parity-deferred:⁠ set the CKKS slot count. As with set_length, this is typically managed by the factory methods.

• set_string_value: ⁠parity-deferred:⁠ set the string value of a string-encoded plaintext. Throws for plaintexts whose subclass is not string-encoded.

• set_int_vector_value: ⁠parity-deferred:⁠ set the integer-vector value of an integer-encoded plaintext. Throws for plaintexts whose subclass does not support an integer vector.

Description

Combines the plaintext's encoding type, scaling factor, noise scale degree, level, and slot count into a deterministic string representation. Two plaintexts with identical parameters produce identical strings; any parameter change produces a different string.

Usage

plaintext_params_hash(x)

Arguments

Details

Named plaintext_params_hash in design.md §10 as the fourth "harness unblocker" for the Signal 2 differential fixture for make_ckks_packed_plaintext. The fixture calls plaintext_params_hash() on a default and a perturbed plaintext and expects different strings when the perturbation reaches the C++ call site.

Not a cryptographic hash — equality comparison is the only guarantee. The returned string's format is implementation detail and may change without notice.

Value

Character scalar.

Description

Plaintext Encoding Types Source: pke/constants-defs.h enum PlaintextEncodings

Usage

PlaintextEncodings

Description

Proxy Re-encryption Mode Source: pke/constants-defs.h enum ProxyReEncryptionMode R-side name PREMode matches the design.md §8 shortening convention (same pattern as Feature for PKESchemeFeature).

Usage

PREMode

Description

Private Key

Usage

PrivateKey(ptr = NULL)

Arguments

Description

Public Key

Usage

PublicKey(ptr = NULL)

Arguments

Description

Inverse of share_keys(). Given a SecretShareMap holding at least threshold shares, reconstructs a PrivateKey equivalent to the original secret at the point of sharing. The reconstructed key participates in distributed decryption identically to the original, so a dropped-out party's share of a threshold decryption can still be completed by the remaining parties.

Usage

recover_shared_key(
  cc,
  share_map,
  n_parties,
  threshold,
  sharing_scheme = "additive"
)

Arguments

Details

Under the hood, the C++ API takes a mutable PrivateKey reference that must be pre-allocated as an empty PrivateKeyImpl bound to cc. The R wrapper constructs that empty placeholder internally so R users do not have to know about the in-place-fill convention.

Value

A PrivateKey holding the reconstructed secret.

See Also

share_keys()

Description

Reduces a ciphertext to 2 polynomial components. Needed after a sequence of eval_mult_no_relin() calls to restore a decryptable form. A relinearization key must have been generated via key_gen(cc, eval_mult = TRUE) before calling this.

Usage

relinearize(x, ...)

Arguments

Value

A Ciphertext with exactly 2 components.

Description

Reduces the modulus chain by one level. Required after eval_mult under FIXEDMANUAL scaling; automatic under FIXEDAUTO / FLEXIBLEAUTO.

Usage

rescale(ct, ...)

Arguments

Value

A Ciphertext at one lower level

Description

Returns N, the cyclotomic ring dimension. The cyclotomic order M used by eval_fast_rotation() is 2 * N.

Usage

ring_dimension(cc, ...)

Arguments

Value

Integer ring dimension

Description

Scaling Techniques (CKKS) Source: pke/constants-defs.h enum ScalingTechnique

Usage

ScalingTechnique

Description

Returned by get_scheme() on any CCParams object. R-side name SchemeId matches the upstream pke/scheme/scheme-id.h header filename and avoids colliding with a future Scheme S7 class (design.md §6 mentions a potential wrapper around ⁠std::shared_ptr<SchemeBase<DCRTPoly>>⁠ with that name).

Usage

SchemeId

Details

Source: pke/scheme/scheme-id.h enum SCHEME

Description

Secret Key Distribution Source: core/lattice/constants-lattice.h enum SecretKeyDist

Usage

SecretKeyDist

Description

Opaque S7 wrapper around a ⁠shared_ptr<std::unordered_map<uint32_t, DCRTPoly>>⁠. Produced by share_keys() — each call returns one party's contribution to the distributed shares of their own secret key. Consumed by recover_shared_key(), which reconstructs the original secret from threshold or more shares when a party drops out.

Usage

SecretShareMap(ptr = NULL)

Arguments

Details

The map is keyed by party index (1-based uint32). Users do not index into it directly; it is a transport format for the secret-sharing protocol.

Description

Security Levels Source: core/lattice/stdlatticeparms.h enum SecurityLevel

Usage

SecurityLevel

Description

Serialize evaluation keys to file

Usage

serialize_eval_keys(
  filename,
  type = c("mult", "automorphism", "sum"),
  format = "binary",
  key_tag = ""
)

Arguments

Value

TRUE on success (invisibly)

Description

Sets the scheme-level correction factor used by subsequent bootstraps. Normally this is set via the correction_factor argument to eval_bootstrap_setup() at bootstrap setup time; this pair exists for post-setup programmatic control.

Usage

set_ckks_boot_correction_factor(cc, cf)

Arguments

Value

The cc, invisibly.

See Also

get_ckks_boot_correction_factor()

Description

Set the key-generation level of a CryptoContext

Usage

set_key_gen_level(cc, ...)

Arguments

Value

cc invisibly.

Description

Set the effective length of a plaintext

Usage

set_length(pt, len)

Arguments

Description

Produces the set of shares that party index would distribute to the other parties under the chosen sharing_scheme. The returned SecretShareMap is opaque; in a real deployment the shares would be serialized and routed over the network to each receiving party, and the receiving parties would store them for use in an abort recovery.

Usage

share_keys(cc, sk, n_parties, threshold, index, sharing_scheme = "additive")

Arguments

Details

Two sharing schemes are supported:

• "additive" — N-1 threshold; every party must contribute their share to reconstruct. Robust against corruption of any single party's storage but not against any party dropping out.

• "shamir" — floor(N/2) + 1 threshold; the secret can be reconstructed from any majority subset of the distributed shares. Robust against up to floor((N-1)/2) parties dropping out.

Value

A SecretShareMap suitable for passing to recover_shared_key().

See Also

recover_shared_key()

Description

Performs a full n-of-n threshold decryption of ct given the ordered list of party secret keys. The first key in sks is used for multiparty_decrypt_lead(); the remaining keys for multiparty_decrypt_main(); the resulting partials are then fused with multiparty_decrypt_fusion().

Usage

threshold_decrypt(cc, sks, ct)

Arguments

Details

Use this when you have all secret keys in one place (testing, simulation, single-process demos). In a real distributed deployment each site holds only its own secret key and the partials travel over the network — that flow uses the lead / main / fusion functions directly.

Value

A Plaintext

Description

Clears eval keys and releases contexts on exit (even on error).

Usage

with_fhe_context(expr)

Arguments