This document explains how to manage keys when using Concrete, introducing the key management API for generating, reusing, and securely handling keys.
Concrete generates keys lazily when needed. While this is convenient for development, it's not ideal for the production environment. The explicit key management API is available for you to easily generate and reuse keys as needed.
Let's start by defining a circuit with the following example:
Circuits have a keys property of type fhe.Keys, which includes several utilities for key management.
To explicitly generate keys for a circuit, use:
Generated keys are stored in memory and remain unencrypted.
You can also set a custom seed for reproducibility:
Do not specify the seed manually in a production environment! This is not secure and should only be done for debugging purposes.
To serialize keys, for tasks such as sending them across a network, use:
Keys are not serialized in encrypted form. Please make sure you keep them in a safe environment, or encrypt them manually after serialization.
To deserialize the keys back after receiving serialized keys, use:
Once you have a valid fhe.Keys object, you can directly assign it to the circuit:
If the assigned keys were generated for a different circuit, an exception will be raised.
You can also use the filesystem to store the keys directly, without managing serialization and file management manually:
Keys are not saved in encrypted form. Please make sure you store them in a safe environment, or encrypt them manually after saving.
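One way to do the manual encryption that the notes on serializing and saving call for, as an added example that is not part of the Concrete documentation or API: it wraps the serialized key bytes with AES-256-GCM from the third-party cryptography package. The names wrap_keys, unwrap_keys, MAGIC and circuit_id are assumptions of this example, and the sample input is constructed random bytes standing in for serialized keys.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"FHEK1"  # constructed format tag for this example, not a Concrete format
NONCE_LEN = 12    # 96-bit nonce, the standard size for AES-GCM
TAG_LEN = 16      # length of the GCM authentication tag appended to the ciphertext


def wrap_keys(serialized: bytes, kek: bytes, circuit_id: bytes) -> bytes:
    """Encrypt serialized key bytes under a 256-bit key-encryption key (KEK).

    circuit_id (hypothetical label) is authenticated but not encrypted, so a
    blob wrapped for one circuit fails to unwrap when presented for another.
    """
    if len(kek) != 32:
        raise ValueError("KEK must be 32 bytes (AES-256)")
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce for every wrap
    ciphertext = AESGCM(kek).encrypt(nonce, serialized, MAGIC + circuit_id)
    return MAGIC + nonce + ciphertext


def unwrap_keys(blob: bytes, kek: bytes, circuit_id: bytes) -> bytes:
    """Verify and decrypt a wrapped blob; raises ValueError on any failure."""
    header = len(MAGIC) + NONCE_LEN
    if len(blob) < header + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a wrapped key blob")
    nonce, ciphertext = blob[len(MAGIC):header], blob[header:]
    try:
        return AESGCM(kek).decrypt(nonce, ciphertext, MAGIC + circuit_id)
    except InvalidTag:
        raise ValueError("wrong KEK, wrong circuit_id, or tampered blob") from None


if __name__ == "__main__":
    # Constructed stand-in for the bytes produced by key serialization.
    serialized = os.urandom(4096)
    # In production the KEK comes from a KMS or secret store, not from this process.
    kek = AESGCM.generate_key(bit_length=256)
    blob = wrap_keys(serialized, kek, b"circuit-a")
    assert unwrap_keys(blob, kek, b"circuit-a") == serialized
    print(f"wrapped {len(serialized)} bytes into {len(blob)} bytes")
```

Only the wrapped blob should be written to disk or sent over the network; the unwrapped bytes go straight to key deserialization and are not persisted.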
After saving keys to disk, you can load them back using:
If you want to generate keys in the first run and reuse the keys in consecutive runs, use: