Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
TFHE-rs is a pure Rust implementation of TFHE for Boolean and integer arithmetics over encrypted data. It includes a Rust and C API, as well as a client-side WASM API.
Learn the basics of TFHE-rs, set it up, and make it run with ease.
Start building with TFHE-rs by exploring its core features, discovering essential guides, and learning more with user-friendly tutorials.
Access to additional resources and join the Zama community.
Take a deep dive into TFHE-rs, exploring APIs from the highest to the lowest level of abstraction and accessing additional resources for in-depth explanations.
Rust API reference: High-level API that abstracts cryptographic complexities and simplifies the development and more
Fine-grained APIs: Mid-level APIs that enable evaluation of Boolean, short integer, and integer circuits
Core crypto API: Low-level API with the primitive functions and types of the TFHE scheme
TFHE deep dive: Resources that explain the Fully Homomorphic Encryption scheme - TFHE
Ask technical questions and discuss with the community. Our team of experts usually answers within 24 hours during working days.
Collaborate with us to advance the FHE spaces and drive innovation together.
Zama 5-Question Developer Survey
We want to hear from you! Take 1 minute to share your thoughts and helping us enhance our documentation and libraries. 👉 Click here to participate.
This document explains the basic steps of using the high-level API of TFHE-rs.
If you already know how to set up a Rust project, feel free to go directly to the next section.
First, install the Rust programming language tools. Visit https://rustup.rs/ and follow the instructions. For alternative installation methods, refer to the official Rust installation page.
After installing Rust, you can call the build and package manager Cargo
:
Your version may differ depending on when you installed Rust. To update your installation, invoke rustup update
.
Now you can invoke Cargo
and create a new default Rust project:
This will create a tfhe-example
directory and populate it with the following:
You now have a minimal Rust project.
In the next section, we'll explain how to add TFHE-rs as a dependency to the project and start using it to perform FHE computations.
To use TFHE-rs, you need to add it as a dependency to tfhe-example
.
The Cargo.toml
file is located at the root of the project. Initially, the file is minimal and doesn't contain any dependencies:
For x86 Unix systems, add the following configuration to include TFHE-rs:
Your updated Cargo.toml
file should look like this:
If you are on a different platform please refer to the installation documentation for configuration options of other supported platforms.
Now that the project has TFHE-rs as a dependency here are the detailed steps to use its high-level API:
Import the TFHE-rs prelude with the following Rust code: use tfhe::prelude::*;
Client-side: configure and generate keys
Client-side: encrypt data
Server-side: set the server key
Server-side: compute over encrypted data
Client-side: decrypt data
This example demonstrates the basic workflow combining the client and server parts:
You can learn more about homomorphic types and associated compilation features in the configuration documentation.
TFHE-rs is a pure Rust implementation of Fully Homomorphic Encryption over the Torus (TFHE) to perform Boolean and integer arithmetic on encrypted data.
TFHE-rs implements advanced TFHE features, empowering developers and researchers with fine-grained control over TFHE so that they can focus on high-level functionality without delving into low-level implementation.
TFHE-rs includes:
Rust API: the primary API for working with TFHE-rs in Rust projects.
C API: for developers who prefer to use C.
Client-side WASM API: to integrate TFHE-rs functionalities into WebAssembly applications.
TFHE is a Fully Homomorphic Encryption (FHE) scheme based on Learning With Errors (LWE), which is a secure cryptographic primitive against even quantum computers. The TFHE-rs library implements Zama’s variant of TFHE.
The basic elements of cryptography:
Message (or Cleartext): raw values before encryption.
Plaintext: encoded messages.
Ciphertext: encrypted messages.
Zama's variant of TFHE is a fully homomorphic scheme that takes fixed-precision numbers as messages. It implements all homomorphic operations needed, such as addition and function evaluation via Programmable Bootstrapping.
Refer to the the preliminary whitepaper for more details.
Using TFHE-rs in Rust includes the following steps:
Key generation: generate a pair of keys using secure parameters.
Client key: used for encryption and decryption of data. This key must be kept secret.
Server key (or Evaluation key): used for performing operations on encrypted data. This key could be public.
Encryption: encrypt plaintexts using the client key to produce ciphertexts.
Homomorphic operation: perform operations on ciphertexts using the server key.
Decryption: decrypt the resulting ciphertexts back to plaintexts using the client key.
To understand more about FHE applications, see the 6-minute introduction to homomorphic encryption.
Fundamentals
Explore the core features.
Guides
Deploy your project.
Tutorials
Learn more with tutorials.
This document explains the encryption types and operations supported by TFHE-rs.
TFHE-rs supports two main types of encrypted data:
FheUint
: homomorphic equivalent of Rust unsigned integers u8, u16, ...
FheInt
: homomorphic equivalent of Rust signed integers i8, i16, ...
TFHE-rs uses integers to encrypt all messages which are larger than 4 bits.
Similar to Rust integers, you need to specify the bit size of data when declaring a variable:
TFHE-rs supports various operations on encrypted integers (Enc
) of any size between 1 and 256 bits. These operations can also work between encrypted integers and clear integers (Int
).
Homomorphic integer types (FheUint
and FheInt
) support the following arithmetic operations:
Specifications for operations with zero:
Division by zero: returns modulus - 1.
Remainder operator: returns the first input unchanged.
Example: if ct1 = FheUint8(63)
and ct2 = FheUint8(0)
, then ct1 % ct2 returns FheUint8(63).
The following example shows how to perform arithmetic operations:
Homomorphic integer types support the following bitwise operations:
The following example shows how to perform bitwise operations:
Homomorphic integers support comparison operations. However, due to Rust's limitations, you cannot overload comparison symbols. This is because Rust requires Boolean outputs from such operations, but homomorphic types return ciphertexts. Therefore, you should use the following methods, which conform to the naming conventions of Rust’s standard traits:
Supported operations:
The following example shows how to perform comparison operations:
Homomorphic integers support the min/max operations:
The following example shows how to perform min/max operations:
The ternary conditional operator execute conditional instructions in the form if cond { choice_if_true } else { choice_if_false }
.
The syntax is encrypted_condition.select(encrypted_choice_if_true, encrypted_choice_if_false)
. The valid encrypted_condition
must be an encryption of 0 or 1.
The following example shows how to perform ternary conditional operations:
You can cast between integer types using either the cast_from
associated function or the cast_into
method.
The following example shows how to perform casting operations:
Native homomorphic Booleans support the following common Boolean operations:
This document provides instructions to set up TFHE-rs in your project.
First, add TFHE-rs as a dependency in your Cargo.toml
.
For x86_64
machine running a Unix-like OS:
For ARM
machine running a Unix-like OS:
For x86_64
machines with the rdseed instruction
running Windows:
Rust version: a minimum Rust version of 1.73 is required to compile TFHE-rs.
Performance: for optimal performance, it is highly recommended to run code that uses TFHE-rs
in release mode with cargo's --release
flag.
TFHE-rs currently supports the following platforms:
OS | x86 | aarch64 |
---|---|---|
This document summarizes the timings of some homomorphic operations over 64-bit encrypted integers, depending on the hardware. More details are given for the CPU, the GPU, or zeros-knowledge proofs.
You can get the parameters used for benchmarks by cloning the repository and checking out the commit you want to use (starting with the v0.9.0 release) and run the following make command:
This document details the CPU performance benchmarks of homomorphic operations using TFHE-rs.
By their nature, homomorphic operations run slower than their cleartext equivalents. The following are the timings for basic operations, including benchmarks from other libraries for comparison.
All CPU benchmarks were launched on an AWS hpc7a.96xlarge
instance equipped with an AMD EPYC 9R14 CPU @ 2.60GHz
and 740GB of RAM.
The following tables benchmark the execution time of some operation sets using FheUint
(unsigned integers). The FheInt
(signed integers) performs similarly.
The next table shows the operation timings on CPU when all inputs are encrypted
The next table shows the operation timings on CPU when the left input is encrypted and the right is a clear scalar of the same size:
All timings are based on parallelized Radix-based integer operations where each block is encrypted using the default parameters PARAM_MESSAGE_2_CARRY_2_KS_PBS
. To ensure predictable timings, we perform operations in the default
mode, which ensures that the input and output encoding are similar (i.e., the carries are always emptied).
You can minimize operational costs by selecting from 'unchecked', 'checked', or 'smart' modes from the fine-grained APIs, each balancing performance and correctness differently. For more details about parameters, see here. You can find the benchmark results on GPU for all these operations here.
The next table shows the execution time of a keyswitch followed by a programmable bootstrapping depending on the precision of the input message. The associated parameter set is given. The configuration is Concrete FFT + AVX-512.
TFHE-rs benchmarks can be easily reproduced from the source.
AVX512 is now enabled by default for benchmarks when available
The following example shows how to reproduce TFHE-rs benchmarks:
This document details the performance benchmarks of for using TFHE-rs.
Benchmarks for the zero-knowledge proofs have been run on a m6i.4xlarge
with 16 cores to simulate an usual client configuration. The verification are done on a hpc7a.96xlarge
AWS instances to mimic a powerful server.
This document details the GPU performance benchmarks of homomorphic operations using TFHE-rs.
All GPU benchmarks presented here were obtained on H100 GPUs, and rely on the multithreaded PBS algorithm. The cryptographic parameters PARAM_GPU_MULTI_BIT_MESSAGE_2_CARRY_2_GROUP_3_KS_PBS
were used.
Below come the results for the execution on a single H100. The following table shows the performance when the inputs of the benchmarked operation are encrypted:
The following table shows the performance when the left input of the benchmarked operation is encrypted and the other is a clear scalar of the same size:
Below come the results for the execution on two H100's. The following table shows the performance when the inputs of the benchmarked operation are encrypted:
The following table shows the performance when the left input of the benchmarked operation is encrypted and the other is a clear scalar of the same size:
The next table shows the execution time of a keyswitch followed by a programmable bootstrapping depending on the precision of the input message. The associated parameter set is given.
This document explains how to call the function set_server_key
.
This function will move the server key to an internal state of the crate and manage the details for a simpler interface.
Here is an example:
This document introduces the cryptographic concepts of the scheme of Fully Homomorphic Encryption over the Torus (TFHE) and the security considerations of TFHE-rs.
TFHE-rs is a cryptographic library that implements Fully Homomorphic Encryption using the TFHE scheme. You should understand the basics of TFHE to consider its limitations, such as:
The precision: TFHE has limitations on the number of bits used to represent plaintext values.
The execution time: TFHE operations are slower than native operations due to their complexity.
TFHE-rs primarily utilizes Learning With Errors (LWE) ciphertexts. The LWE problem forms the basis of TFHE's security and is considered resistant to quantum attacks.
An LWE Ciphertext is a collection of 32-bit or 64-bit unsigned integers. Before encrypting a message in an LWE ciphertext, you first need to encode it as a plaintext by shifting the message to the most significant bits of the unsigned integer type used.
Then, you add a small random value called noise to the least significant bits. This noise is crucial in ensuring the security of the ciphertext.
To get a ciphertext from a plaintext, you must encrypt the plaintext using a secret key.
An LWE ciphertext is composed of two parts:
The mask of a fresh ciphertext (the result of an encryption, and not the result of operations such as ciphertext addition) is a list of n
uniformly random values.
The body is computed as follows:
Now that the encryption scheme is defined, let's review the example of the addition between ciphertexts to illustrate why it is slower to compute over encrypted data.
To add two ciphertexts, we must add their $mask$ and $body$:
In FHE, two types of operations can be applied to ciphertexts:
Leveled operations, which increase the noise in the ciphertext
Bootstrapped operations, which reduce the noise in the ciphertext
Noise is critical in FHE because it can tamper with the message if not tracked and managed properly. Bootstrapping operations decrease noise within the ciphertexts and guarantee the correctness of computation. The rest of the operations do not need bootstrapping operations, thus they are called leveled operations and are usually very fast as a result.
The following sections explain the concept of noise and padding in ciphertexts.
To ensure security, LWE requires random noise to be added to the message during encryption.
TFHE scheme draws this random noise from a Centered Normal Distribution with a standard deviation parameter. The choice of standard deviation impacts the security level: increasing the standard deviation enhances security while keeping other factors constant.
TFHE-rs encodes the noise in the least significant bits of each plaintext. Each leveled computation increases the value of the noise. If too many computations are performed, the noise will eventually overflow into the message bits and lead to an incorrect result.
The following figure illustrates how the extra bit of noise is incurred during an addition operation.
TFHE-rs enables automatic noise management by performing bootstrapping operations to reset the noise.
The bootstrapping of TFHE is programmable. This allows any function to be homomorphically computed over an encrypted input, while also reducing the noise. These functions are represented by look-up tables.
In general, the computation of a PBS is preceded or followed by a keyswitch, an operation to change the encryption key. The output ciphertext is then encrypted with the same key as the input one. To do this, two (public) evaluation keys are required: a bootstrapping key and a keyswitching key.
Since encoded values have a fixed precision, operating on them can produce results that are outside of the original interval. To avoid losing precision or wrapping around the interval, TFHE-rs uses additional bits by defining bits of padding on the most significant bits.
For example, when adding two ciphertexts, the sum could exceed the range of either ciphertext, and thus necessitate a carry that would then be transferred onto the first padding bit. In the following figure, each plaintext over 32 bits has one bit of padding on its left (the most significant bit). After the addition, the padding bit gets consumed to accommodate the carry. We refer to this process as consuming bits of padding. Without any padding-left, further additions may not produce accurate results.
The default parameters for the TFHE-rs library are chosen considering the IND-CPA security model, and are selected with a bootstrapping failure probability fixed at p_error = $2^{-40}$. In particular, it is assumed that the results of decrypted computations are not shared by the secret key owner with any third parties, as such an action can lead to leakage of the secret encryption key. If you are designing an application where decryptions must be shared, you will need to craft custom encryption parameters which are chosen in consideration of the IND-CPA^D security model [1].
This document explains how to encrypt data.
To encrypt data, use the encrypt
method from the FheEncrypt
trait. This crate provides types that implement either FheEncrypt
or FheTryEncrypt
or both, to enable encryption.
Here is an example:
This document explains how to initialize the configuration and generate keys.
The configuration specifies the selected data types and their custom crypto-parameters. You should only use custom parameters for advanced usage and/or testing.
To create a configuration, use the ConfigBuilder
type. The following example shows the setup using 8-bit unsigned integers with default parameters. Additionally, ensure the integers
feature is enabled, as indicated in the table on .
The configuration is initialized by creating a builder with all types deactivated. Then, the integer types with default parameters are activated, for using FheUint8
values.
The generate_keys
command returns a client key and a server key:
Client_key: this key should remain private and never leave the client.
Server_key: this key can be public and sent to a server to enable FHE computations.
FHE allows to compute on ciphertexts without revealing the content of the messages. A scheme is fully homomorphic if it supports at least two of the following operations when evaluating any programs. ( is a plaintext and is the corresponding ciphertext):
Homomorphic univariate function evaluation:
Homomorphic addition:
Homomorphic multiplication:
name | symbol | type |
---|---|---|
Example: for FheUint8 (modulus = ), dividing by zero returns an ecryption of 255.
name | symbol | type |
---|---|---|
name | symbol | type |
---|---|---|
name | symbol | type |
---|---|---|
name | symbol | type |
---|---|---|
name | symbol | type |
---|---|---|
An LWE secret key is a list of n
random integers: . is called the
The mask
The body
To add ciphertexts, it is necessary to add both their masks and bodies. The operation involves adding elements, rather than just adding two integers. This is an intuitive example to show how FHE computation is slower compared to plaintext computation. However, other operations are far more expensive (for example, the computation of a lookup table using Programmable Bootstrapping).
These operations are quite complex to describe in short, you can find more details about these operations (or about TFHE in general) in the .
By default, the cryptographic parameters provided by TFHE-rs ensure at least 128 bits of security. The security has been evaluated using the latest versions of the Lattice Estimator () with red_cost_model = reduction.RC.BDGL16
.
[1]
In classical public key encryption, the public key contains a given number of ciphertexts all encrypting the value 0. By setting the number of encryptions to 0 in the public key at , where is the LWE dimension, is the ciphertext modulus, and is the number of security bits. This construction is secure due to the leftover hash lemma, which relates to the impossibility of breaking the underlying multiple subset sum problem. This guarantees both a high-density subset sum and an exponentially large number of possible associated random vectors per LWE sample .
Linux
x86_64-unix
aarch64-unix
*
macOS
x86_64-unix
aarch64-unix
*
Windows
x86_64
with RDSEED
instruction
Unsupported
-
Unary
+
Binary
-
Binary
*
Binary
Div*
/
Binary
Rem*
%
Binary
!
Unary
&
Binary
|
Binary
^
Binary
>>
Binary
<<
Binary
rotate_right
Binary
rotate_left
Binary
eq
Binary
ne
Binary
gt
Binary
ge
Binary
lt
Binary
le
Binary
Min
min
Binary
Max
max
Binary
Ternary operator
select
Ternary
&
Binary
|
Binary
^
Binary
!
Unary
This document explains a feature to facilitate debugging.
Starting from TFHE-rs 0.5, trivial ciphertexts introduce a new feature to facilitate debugging. This feature supports a debugger, print statements, and faster execution, significantly reducing waiting time and enhancing the development pace of FHE applications.
Trivial ciphertexts are not secure. An application released/deployed in production must never receive trivial ciphertext from a client.
To use this feature, simply call your circuits/functions with trivially encrypted values that are created using encrypt_trivial
(instead of real encryptions that are created using encrypt
):
This example is going to print:
If any input to mul_all
is not a trivial ciphertexts, the computations will be done 100% in FHE, and the program will output:
Using trivial encryptions as input, the example runs in 980 ms on a standard 12-core laptop, compared to 7.5 seconds on a 128-core machine using real encryptions.
This document provides instructions on how to decrypt data.
To decrypt data, use the decrypt
method from the FheDecrypt
trait:
This document explains the mechanism and steps to generate an oblivious encrypted random value using only server keys.
The goal is to give to the server the possibility to generate a random value, which will be obtained in an encrypted format and will remain unknown to the server. The implementation is based on this article.
This is possible through two methods on FheUint
and FheInt
:
generate_oblivious_pseudo_random
which return an integer taken uniformly in the full integer range ([0; 2^N[
for a FheUintN
and [-2^(N-1); 2^(N-1)[
for a FheIntN
).
generate_oblivious_pseudo_random_bounded
which return an integer taken uniformly in [0; 2^random_bits_count[
. For a FheUintN
, we must have random_bits_count <= N
. For a FheIntN
, we must have random_bits_count <= N - 1
.
Both methods functions take a seed Seed
as input, which could be any u128
value. They both rely on the use of the usual server key. The output is reproducible, i.e., the function is deterministic from the inputs: assuming the same hardware, seed and server key, this function outputs the same random encrypted value.
Here is an example of the usage:
This document describes how to perform computation on encrypted data.
With TFHE-rs, the program can be as straightforward as conventional Rust coding by using operator overloading.
The following example illustrates the complete process of encryption, computation using Rust’s built-in operators, and decryption:
This document explains the mechanism and steps to compress ciphertext and keys to reduce the storage needed as well as transmission times.
Most TFHE-rs entities contain random numbers generated by a Pseudo Random Number Generator (PRNG). Since the implemented PRNG is deterministic, storing only the random seed used to generate those numbers preserves all necessary information. When decompressing the entity, using the same PRNG and the same seed will reconstruct the full chain of random values.
In TFHE-rs, compressible entities are prefixed with Compressed
. For instance, a compressed FheUint256
is declared as CompressedFheUint256
.
In the following example code, we use the bincode
crate dependency to serialize in a binary format and compare serialized sizes.
This example shows how to compress a ciphertext encrypting messages over 16 bits:
You can compress ciphertexts at any time, even after performing multiple homomorphic operations.
To do so, you need to build a list containing all the ciphertexts that have to be compressed. This list might contain ciphertexts of different types, e.g., FheBool, FheUint32, FheInt64,... There is no constraint regarding the size of the list.
There are two possible approaches:
Single list: Compressing several ciphertexts into a single list. This generally yields a better compression ratio between output and input sizes;
Multiple lists: Using multiple lists. This offers more flexibility, since compression might happen at different times in the code, but could lead to larger outputs.
In more details, the optimal ratio is achieved with a list whose size is equal to the lwe_per_glwe
field from the CompressionParameters
.
The following example shows how to compress and decompress a list containing 4 messages: one 32-bits integer, one 64-bit integer, one boolean, and one 2-bit integer.
This example shows how to compress the server keys:
This example shows how to compress the classical public keys:
It is not currently recommended to use the CompressedPublicKey
to encrypt ciphertexts without first decompressing them. If the resulting PublicKey is too large to fit in memory, it may result in significant slowdowns.
This issue has been identified and will be addressed in future releases.
This example shows how to use compressed compact public keys:
This document explains the serialization
and deserialization
features that are useful to send data to a server to perform the computations.
When dealing with sensitive types, it's important to implement safe serialization and safe deserialization functions to prevent runtime errors and enhance security. TFHE-rs provide easy to use functions for this purpose, such as safe_serialize
, safe_deserialize
and safe_deserialize_conformant
.
Here is a basic example on how to use it:
The safe deserialization must take the output of a safe-serialization as input. During the process, the following validation occurs:
Type match: deserializing type A
from a serialized type B
raises an error indicating "On deserialization, expected type A, got type B".
Version compatibility: data serialized in previous versions of TFHE-rs are automatically upgraded to the latest version using the data versioning feature.
Parameter compatibility: deserializing an object of type A
with one set of crypto parameters from an object of type A
with another set of crypto parameters raises an error indicating "Deserialized object of type A not conformant with given parameter set"
If both parameter sets have the same LWE dimension for ciphertexts, a ciphertext from param 1 may not fail this deserialization check with param 2.
This check can't distinguish ciphertexts/server keys from independent client keys with the same parameters.
This check is meant to prevent runtime errors in server homomorphic operations by checking that server keys and ciphertexts are compatible with the same parameter set.
You can use the standalone is_conformant
method to check parameter compatibility. Besides, the safe_deserialize_conformant
function includes the parameter compatibility check, and the safe_deserialize
function does not include the compatibility check.
Size limit: both serialization and deserialization processes expect a size limit (measured in bytes) for the serialized data:
On serialization, an error is raised if the serialized output exceeds the specific limit.
On deserialization, an error is raised if the serialized input exceeds the specific limit.
This feature aims to gracefully return an error in case of an attacker trying to cause an out-of-memory error on deserialization.
Here is a more complete example:
The safe serialization and deserialization use bincode
internally.
To selectively disable some of the features of the safe serialization, you can use SerializationConfig
/DeserializationConfig
builders. For example, it is possible to disable the data versioning:
TFHE-rs uses the Serde framework and implements Serde's Serialize
and Deserialize
traits.
This allows you to serialize into any data format supported by serde. However, this is a more bare bone approach as none of the checks described in the previous section will be performed for you.
In the following example, we use bincode for its binary format:
name
symbol
Enc
/Enc
Enc
/ Int
Neg
-
Add
+
Sub
-
Mul
*
Div
/
Rem
%
Not
!
BitAnd
&
BitOr
|
BitXor
^
Shr
>>
Shl
<<
Min
min
Max
max
Greater than
gt
Greater or equal than
ge
Less than
lt
Less or equal than
le
Equal
eq
Cast (into dest type)
cast_into
Cast (from src type)
cast_from
Ternary operator
select
This document provides basic instructions to configure the Rust toolchain and features for TFHE-rs.
TFHE-rs requires a nightly Rust toolchain to build the C API and utilize advanced SIMD instructions. However, for other uses, a stable toolchain (version 1.73 or later) is sufficient.
Follow the following instructions to install the necessary Rust toolchain:
You can set the toolchain using either of the following methods.
Manually specify the toolchain for each cargo command:
Override the toolchain for the current project:
To verify the default toolchain used by Cargo, execute:
TFHE-rs provides various cargo features to customize the types and features used.
This crate provides 3 kinds of data types. Each kind is enabled by activating the corresponding feature in the TOML line and has multiple types:
This document explains how TFHE-rs implements specific operations to detect overflows in computations.
The mechanism of detecting overflow consists in returning an encrypted flag with a specific ciphertext that reflects the state of the computation. When an overflow occurs, this flag is set to true. Since the server is not able to evaluate this encrypted value, the client has to check the flag value when decrypting to determine if an overflow has happened.
These operations might be slower than their non-overflow-detecting equivalent, so they are not enabled by default. To use them, you must explicitly call specific operators. At the moment, only additions, subtractions, and multiplications are supported. We plan to add more operations in future releases.
Here's the list of operations supported along with their symbol:
name | symbol | type |
---|
The usage of these operations is similar to the standard ones. The key difference is in the decryption process, as shown in following example:
The following tables show the current benchmarks result.
Unsigned homomorphic integers:
Signed homomorphic integers:
This document explains how to implement the zero-knowledge proofs function for compact public key encryption to verify the encryption process without revealing the encrypted information.
TFHE-rs can generate zero-knowledge proofs to verify that the compact public key encryption process is correct. In other words, TFHE-rs generates the proof without revealing any information other than the already known range of the encrypted message. This technique is derived from .
You can enable this feature using the flag: --features=zk-pok
when building TFHE-rs.
Using this feature is straightforward: during encryption, the client generates the proof, and the server validates it before conducting any homomorphic computations. The following example demonstrates how a client can encrypt and prove a ciphertext, and how a server can verify the ciphertext and compute it:
Performance can be improved by setting lto="fat"
in Cargo.toml
and by building the code for the native CPU architecture and in release mode, e.g. by calling RUSTFLAGS="-C target-cpu=native" cargo run --release
.
You can choose a more costly proof with ZkComputeLoad::Proof
, which has a faster verification time. Alternatively, you can select ZkComputeLoad::Verify
for a faster proof and slower verification.
You can use dedicated parameters for the compact public key encryption to reduce the size of encrypted data and speed up the zero-knowledge proof computation.
This works essentially in the same way as before. Additionally, you need to indicate the dedicated parameters to use:
This document explains how to save and load versioned data using the data versioning feature.
Starting from v0.6.4, TFHE-rs supports versioned data types. This allows you to store data and load it in the future without compatibility concerns. This feature is done by the tfhe-versionable
crate.
This versioning scheme is compatible with all the supported by serde.
To use the versioning feature, wrap your types in their versioned equivalents before serialization using the versionize
method. You can load serialized data with the unversionize
function, even in newer versions of TFHE-rs where the data types might evolve. The unversionize
function manages any necessary data type upgrades, ensuring compatibility.
Calling .versionize()
on a value will add versioning tags. This is done recursively so all the subtypes that compose it are versioned too. Under the hood, it converts the value into an enum where each version of a type is represented by a new variant. The returned object can be serialized using serde:
The Type::unversionize()
function takes a versioned value, upgrades it to the latest version of its type and removes the version tags. To do that, it matches the version in the versioned enum and eventually apply a conversion function that upgrades it to the most recent version. The resulting value can then be used inside TFHE-rs
When possible, data will be upgraded automatically without any kind of interraction. However, some changes might need information that are only known by the user of the library. These are called data breaking changes. In these occasions, TFHE-rs provides a way to upgrade these types manually.
You will find below a list of breaking changes and how to upgrade them.
We will share code to manage outdated data for this breaking change here shortly.
This document explains public key encryption and provides instructions for 2 methods.
Public key encryption refers to the cryptographic paradigm where the encryption key can be publicly distributed, whereas the decryption key remains secret to the owner. This differs from the usual case where the same secret key is used to encrypt and decrypt the data. In TFHE-rs, there are two methods for public key encryptions:
Classical public key: the first method involves the public key containing many encryptions of zero, as detailed in
Compact public key: the second method is based on the paper , allowing for significantly smaller key sizes compared to the first method.
Public keys can also be to reduce size.
This example shows how to use classical public keys.
This example shows how to use compact public keys. The main difference is in the ConfigBuilder
where the parameter set has been changed.
This guide explains how to update your existing program to leverage GPU acceleration, or to start a new program using GPU.
TFHE-rs now supports a GPU backend with CUDA implementation, enabling integer arithmetic operations on encrypted data.
Cuda version >= 10
Compute Capability >= 3.0
>= 8.0 - check this for more details about nvcc/gcc compatible versions
>= 3.24
Rust version - check this
To use the TFHE-rs GPU backend in your project, add the following dependency in your Cargo.toml
.
If you are using an x86
machine:
If you are using an ARM
machine:
For optimal performance when using TFHE-rs, run your code in release mode with the --release
flag.
TFHE-rs GPU backend is supported on Linux (x86, aarch64).
Here is a full example (combining the client and server parts):
Beware that when the GPU feature is activated, when calling: let config = ConfigBuilder::default().build();
, the cryptographic parameters differ from the CPU ones, used when the GPU feature is not activated. Indeed, TFHE-rs uses dedicated parameters for the GPU in order to achieve better performance.
The configuration of the key is different from the CPU. More precisely, if both client and server keys are still generated by the client (which is assumed to run on a CPU), the server key has then to be decompressed by the server to be converted into the right format. To do so, the server should run this function: decompressed_to_gpu()
.
Once decompressed, the operations between CPU and GPU are identical.
On the client-side, the method to encrypt the data is exactly the same than the CPU one, as shown in the following example:
The server first need to set up its keys with set_server_key(gpu_key)
.
Finally, the client decrypts the results using:
The GPU backend includes the following operations for both signed and unsigned encrypted integers:
TFHE-rs supports platforms with multiple GPUs with some restrictions at the moment: the platform should have NVLink support, and only GPUs that have peer access to GPU 0 via NVLink will be used for the computation. Depending on the platform, this can restrict the number of GPUs used to perform the computation.
There is nothing to change in the code to execute on multiple GPUs, when they are available and have peer access to GPU 0 via NVLink. To keep the API as user-friendly as possible, the configuration is automatically set, i.e., the user has no fine-grained control over the number of GPUs to be used.
When measuring GPU times on your own on Linux, set the environment variable CUDA_MODULE_LOADING=EAGER
to avoid CUDA API overheads during the first kernel execution.
The way to do it is very similar to how it's done on the CPU. The following example shows how to compress and decompress a list containing 4 messages:
One 32-bits integer
One 64-bit integer
One Boolean
One 2-bit integer
Kind | Features | Type (s) |
---|
While the library generally selects automatically the best instruction sets available by the host, in the case of 'AVX-512', you have to choose it explicitly. This requires to use a with the feature nightly-avx512
.
Operation\Size | FheUint8 | FheUint16 | FheUint32 | FheUint64 | FheUint128 | FheUint256 |
---|
Operation\Size | FheInt8 | FheInt16 | FheInt32 | FheInt64 | FheInt128 | FheInt256 |
---|
Please refer to the for detailed performance benchmark results.
For more information on using compact public keys to encrypt data and generate a zero-knowledge proof of correct encryption at the same time, see .
OS | x86 | aarch64 |
---|
Comparing to the , GPU set up differs in the key creation, as detailed
Then, homomorphic computations are performed using the same approach as the .
All operations follow the same syntax than the one described in .
Please refer to the for detailed performance benchmark results.
You can compress ciphertexts using the GPU, even after computations, just like on the .
Booleans |
| Booleans |
ShortInts |
| Short integers |
Integers |
| Arbitrary-sized integers |
unsigned_overflowing_add | 63.67 ms | 84.11 ms | 107.95 ms | 120.8 ms | 147.38 ms | 191.28 ms |
unsigned_overflowing_sub | 68.89 ms | 81.83 ms | 107.63 ms | 120.38 ms | 150.21 ms | 190.39 ms |
unsigned_overflowing_mul | 140.76 ms | 191.85 ms | 272.65 ms | 510.61 ms | 1.34 s | 4.51 s |
signed_overflowing_add | 76.54 ms | 84.78 ms | 104.23 ms | 134.38 ms | 162.99 ms | 202.56 ms |
signed_overflowing_sub | 82.46 ms | 86.92 ms | 104.41 ms | 132.21 ms | 168.06 ms | 201.17 ms |
signed_overflowing_mul | 277.91 ms | 365.67 ms | 571.22 ms | 1.21 s | 3.57 s | 12.84 s |
Linux |
|
|
macOS | Unsupported | Unsupported* |
Windows | Unsupported | Unsupported |
This document describes how to use trivial encryption in TFHE-rs to initialize server-side values.
Sometimes, the server side needs to initialize a value. For example, when computing the sum of a list of ciphertexts, you typically initialize the sum
variable to 0
.
Instead of asking the client to send an actual encrypted zero, the server can use a trivial encryption. A trivial encryption creates a ciphertext that contains the desired value but isn't securely encrypted - essentially anyone, any key can decrypt it.
Note that when you want to do an operation that involves a ciphertext and a clear value (often called scalar operation), you should only use trivial encryption of the clear value if the scalar operations that you want to run are not supported.
This document describes the implementation and benefits of parallelized Programmable Bootstrapping (PBS) in TFHE-rs, including code examples for using multi-bit PBS parameters and ensuring deterministic execution.
Programmable Bootstrapping is inherently a sequential operation. However, some recent results showed that introducing parallelism is feasible at the expense of larger keys, thereby enhancing the performance of PBS. This new PBS is called a multi-bit PBS.
TFHE-rs can already perform parallel execution of integer homomorphic operations. Activating this feature can lead to performance improvements, particularly in the case of high core-count CPUs when enough cores are available, or when dealing with operations that require small input message precision.
The following example shows how to use parallelized bootstrapping by choosing multi-bit PBS parameters:
By nature, the parallelized PBS might not be deterministic: while the resulting ciphertext will always decrypt to the correct plaintext, the order of the operations could vary, resulting in different output ciphertext. To ensure a consistent ciphertext output regardless of execution order, add the with_deterministic_execution()
suffix to the parameters.
Here's an example:
This document describes the C bindings to the TFHE-rs high-level primitives for creating Fully Homomorphic Encryption (FHE) programs.
You can build TFHE-rs C API on a Unix x86_64 machine using the following command:
For a Unix aarch64 machine, use the following command:
Locate files in the right path:
In ${REPO\_ROOT}/target/release/
, you can find:
The tfhe.h
header
The static (.a) and dynamic (.so) libtfhe
binaries
In ${REPO\_ROOT}/target/release/deps/
, you can find:
The tfhe-c-api-dynamic-buffer.h
header
The static (.a) and dynamic (.so) libraries
Ensure your build system configures the C or C++ program links against TFHE-rs C API binaries and the dynamic buffer library.
The following is a minimal CMakeLists.txt
configuration example:
TFHE-rs C API
.The following example demonstrates uint128 subtraction using the TFHE-rs C API:
WARNING: this example omits proper memory management in the error case to improve code readability.
Ensure the above CMakeLists.txt
and main.c
files are in the same directory. Use the following commands to execute the example:
This document describes how to use Rayon for parallel processing in TFHE-rs, detailing configurations for single and multi-client applications with code examples.
Rayon is a popular Rust crate that simplifies writing multi-threaded code. You can use Rayon to write multi-threaded TFHE-rs code. However, due to the specifications of Rayon and TFHE-rs, certain setups are necessary.
The high-level API requires to call set_server_key
on each thread where computations need to be done. So a first attempt to use Rayon with TFHE-rs might look like this:
However, due to Rayon's work-stealing mechanism and TFHE-rs' internals, this may create BorrowMutError
.
The correct way is to call rayon::broadcast
as follows:
For applications that need to operate concurrently on data from different clients and require each client to use multiple threads, you need to create separate Rayon thread pools:
This can be useful if you have some rust #[test]
, see the example below:
This document outlines how to use the TFHE-rs WebAssembly (WASM) client API for key generation, encryption, and decryption, providing setup examples for Node.js and web browsers.
TFHE-rs supports WASM client API, which includes functionality for key generation, encryption, and decryption. However, it does not support FHE computations.
TFHE-rs supports 3 WASM targets
:
Node.js: For use in Node.js applications or packages
Web: For use in web browsers
Web-parallel: For use in web browsers with multi-threading support
The core of the API remains the same, requiring only minor changes in the initialization functions.
Example:
When using the Web WASM target, you should call an additional init
function. With parallelism enabled, you need to call another additional initThreadPool
function.
Example:
Use the provided Makefile in the TFHE-rs repository to compile for the desired target:
make build_node_js_api
for the Node.js API
make build_web_js_api
for the browser API
make build_web_js_api_parallel
for the browser API with parallelism
The compiled WASM packages are located in tfhe/pkg
.
The browser API and the Node.js API are available as npm packages. Using npm i tfhe
for the browser API and npm i node-tfhe
for the Node.js API.
TFHE-rs uses WASM to provide a JavaScript (JS) binding to the client-side primitives, like key generation and encryption within the Boolean and shortint modules.
Currently, there are several limitations. Due to a lack of threading support in WASM, key generation can be too slow to be practical for bigger parameter sets.
Some parameter sets lead to the FHE keys exceeding the 2GB memory limit of WASM, making these parameter sets virtually unusable.
To build the JS on WASM bindings for TFHE-rs, install wasm-pack
and the necessary rust toolchain
. Cone the TFHE-rs repository and build using the following commands (this will build using the default branch, you can check out a specific tag depending on your requirements):
The command above targets Node.js. To generate a binding for a web browser, use --target=web
. However, this tutorial does not cover that particular use case.
Both Boolean and shortint features are enabled here, but it's possible to use them individually.
After the build, a new directory pkg is available in the tfhe
directory.
Make sure to update the path of the required clause in the example below to match the location of the TFHE package that was just built.
Then, you can run the example.js
script using node
as follows:
| Binary |
| Binary |
| Binary |
name | symbol |
|
|
Neg |
| N/A |
Add |
|
Sub |
|
Mul |
|
Div |
|
Rem |
|
Not |
| N/A |
BitAnd |
|
BitOr |
|
BitXor |
|
Shr |
|
Shl |
|
Rotate right |
|
Rotate left |
|
Min |
|
Max |
|
Greater than |
|
Greater or equal than |
|
Lower than |
|
Lower or equal than |
|
Equal |
|
Cast (into dest type) |
| N/A |
Cast (from src type) |
| N/A |
Ternary operator |
|
This document serves as a practical reference for implementing generic functions in Rust that use operators across mixed references and values. The following explanations help you to understand the trait bounds necessary to handle such operations.
Operators such as +
, *
, >>,
and so on are tied to traits in std:::ops
. For instance, the +
operator corresponds to std::ops::Add
. When writing a generic function that uses the +
operator, you need to specify std::ops::Add
as a trait bound.
The trait bound varies slightly depending on whether the left-hand side / right-hand side is an owned value or a reference. The following table shows the different scenarios:
operation | trait bound |
---|---|
The for<'a>
syntax refers to the Higher-Rank Trait Bounds(HRTB).
Using generic functions allows for clearer input handling, which simplifies the debugging.
This document explains how to use the PBS statistics feature in TFHE-rs' shortint API to assess the overall computational intensity in FHE applications.
The shortint
API now includes a global counter to track the number of Programmable Bootstrapping (PBS) executed with the pbs-stats
feature. This feature enables precise tracking of PBS executions in a circuit. It helps to estimate the overall compute intensity of FHE code using either the shortint
, integer,
or High-Level APIs.
To know how many PBSes were executed, call get_pbs_count
. To reset the PBS count, call reset_pbs_count
. You can combine two functions to understand how many PBSes were executed in each part of your code.
When combined with the , this feature allows for quick estimations during iterations on the FHE code.
Here is an example of how to use the PBS counter:
This tutorial demonstrates how to build a data type that represents an ASCII string in Fully Homomorphic Encryption (FHE) by implementing to_lower and to_upper functions.
An ASCII character is stored in 7 bits. To store an encrypted ASCII, we use the FheUint8
:
The uppercase letters are in the range [65, 90]
The lowercase letters are in the range [97, 122]
The relationship between uppercase and lowercase letters is defined as follows:
lower_case
= upper_case
+ UP_LOW_DISTANCE
upper_case
= lower_case
- UP_LOW_DISTANCE
Where UP_LOW_DISTANCE = 32
This type stores the encrypted characters as a Vec<FheUint8>
to implement case conversion functions.
To use the FheUint8
type, enable the integer
feature:
Refer to the for other configurations.
The FheAsciiString::encrypt
function performs data validation to ensure the input string contains only ASCII characters.
In FHE operations, direct branching on encrypted values is not possible. However, you can evaluate a boolean condition to obtain the desired outcome. Here is an example to check and convert the 'char' to a lowercase without using a branch:
You can remove the branch this way:
This method can adapt to operations on homomorphic integers:
Full example:
This document describes the array types provided by the High-level API.
This new encrypted types allow you to easily perform array and tensor operations on encrypted data, taking care of the iteration and shape logic for you.
It also implements efficient algorithms in some cases, like summing elements of an array.
The following example shows a complete workflow of working with encrypted arrays, including:
Generating keys
Encrypting arrays of integers
Performing operations such as:
slicing arrays
computing on a sub array, adding encrypted data to it
computing on a sub array, adding clear data to it
Decrypting the result, getting back a Rust Vec
of decrypted values
This tutorial shows how to build a small function that homomorphically computes a parity bit in 2 steps:
Write a non-generic function
Use generics to handle the case where the function inputs are both FheBool
s and clear bool
s.
The parity bit function processes two parameters:
A slice of Boolean
A mode (Odd
or Even
)
This function returns a Boolean (true
or false
) so that the total count of true
values across the input and the result matches with the specified parity mode (Odd
or Even
).
Refer to the for other configurations.
First, define the verification function.
The function initializes the parity bit to false
, then applies the XOR
operation across all bits, adding negation based on the requested mode.
The validation function also adds the number of the bits set in the input to the computed parity bit and checks whether the sum is even or odd, depending on the mode.
After configurations, call the function:
To enable the compute_parity_bit
function to operate with both encrypted FheBool
and plain bool, we introduce generics. This approach allows for validation using clear data and facilitates debugging.
Writing generic functions that incorporate operator overloading for our Fully Homomorphic Encryption (FHE) types is more complex than usual because FHE types do not implement the Copy
trait. Consequently, it is necessary to use references (&) with these types, unlike native types, which typically implement Copy
.
This complicates generic bounds at first.
The function has the following signature:
To make it generic, the first steps is:
Next, define the generic bounds with the where
clause.
In the function, you can use the following operators:
!
(trait: Not
)
^
(trait: BitXor
)
Adding them to where
, it gives:
However, the compiler will return an error:
fhe_bit
is a reference to a BoolType
(&BoolType
), because BoolType
is borrowed from the fhe_bits
slice during iteration. To fix the error, the first approach could be changing the BitXor
bounds to what the Compiler suggests, by requiring &BoolType
to implement BitXor
rather than BoolType
.
However, this approach still leads to an error:
To fix this error, use Higher-Rank Trait Bounds
:
The final code is as follows:
Here is a complete example that uses this function for both clear and FHE values:
This tutorial guides you to convert a regular SHA-256 function to its homomorphic version, with considerations of optimal performances. You will learn:
The basics of the SHA-256 function.
The steps to implement SHA-256 homomorphically.
First, you need to implement the SHA-256 function. You can find the official specification for SHA-256 . We summarize the three key aspects of SHA-256 outlined in the document:
The SHA-256 function processes the input data in blocks or chunks of 512 bits. Before performing the hash computations, prepare the data as follows:
Append a single "1" bit
Append "0" bits until exactly 64 bits remain to make the message length a multiple of 512
Append the last 64 bits as a binary encoding of the original input length
In this diagram, the numbers on the top represent the length of the padded input at each position. The formula L+1+k+64 ensures that the length reaches a multiple of 512, matching the required length of the padded input.
We will use bitwise AND, XOR, NOT, addition modulo 2^32, the Rotate Right (ROTR) and Shift Right (SHR) operations as building blocks for functions inside the SHA-256 computation. These operations all use 32-bit words and produce new words.
We combine these operations inside the sigma (with 4 variations), Ch,
and Maj
functions. When changing SHA-256 to the homomorphic computation, we will mainly change the code of each operation.
Here is the definition of each function:
We simplify Maj
using the Boolean distributive law: (x AND y) XOR (x AND z) = x AND (y XOR z), as shown below:
We simplify Ch
using a single bitwise multiplexer. Here's the truth table of the Ch
expression.
This table shows that the result equals to z
when x = 0
, and the result equals to y
when x = 1
, which means if x {y} else {z}
. Hence we can replace the 4 bitwise operations of Ch
by a single bitwise multiplexer.
All these operations can be evaluated homomorphically:
ROTR and SHR: They can be evaluated by changing the index of each ecrypted bit of the word without using any homomorphic operation.
Bitwise AND, XOR and multiplexer: They can be computed homomorphically
Addition modulo 2^32: It can be broken down into boolean homomorphic operations.
The SHA-256 function processes data in 512-bit chunks. Here is what happens during computation:
The 512-bit chunk is computed into 16 words, each containing 32 bits.
Another 48 words are computed using the previous function.
After computing the 64 words, within the same chunk, a compression loop will compute a hash value (8 32-bit words) using the previous functions and some constants to mix everything up.
This entire process iterate through each 512-bit chunk of your data.
When we finish the last chunk iteration, the resulting hash values will be the output of the SHA-256 function.
Here is an example of this function using arrays of 32 bools to represent words:
To convert SHA-256 to a homomorphic version, you can replace each bit of padded_input
with a fully homomorphic encryption of the same bit value and operate on the encrypted value using homomorphic operations.
While the structure of the SHA-256 function remains the same, there are some important considerations in the code:
The function signature and the borrowing rules should adapt to the ciphertext type (representing the encrypted bits).
Implementing SHA-256 operations with homomorphic encryption uses homomorphic boolean operations internally.
Homomorphic operations on encrypted data can be very expensive. Consider these options for better speed:
Remove unnecessary use of homomorphic operations and maximize parallelization.
Simplify the code with Rayon crate that parallelizes iterators and manages threads efficiently.
Now let's dive into details of each SHA256 operation.
Rotate Right and Shift Right can be evaluated by changing the position of each encrypted bit in the word, requiring no homomorphic operations. Here is the implementation:
To implement these operations, we will use the xor
, and mux
methods from the TFHE-rs library to perform each boolean operation homomorphically.
For better efficiency, we can parallelize the homomorphic computations because we operate bitwise. It means that we can homomorphically XOR the bits at index 0 of two words using one thread while XORing the bits at index 1 using another thread, and so on. This approach allows for the computation of bitwise operations using up to 32 concurrent threads, corresponding to the 32-bit words used.
Here is the implementation of the bitwise homomorphic XOR operation. The par_iter
and par_iter_mut
methods create a parallel iterator that we use to compute each XOR efficiently. The other two bitwise operations are implemented in the same way.
This might be the trickiest operation to efficiently implement in a homomorphic manner. A naive implementation could use the Ripple Carry Adder algorithm, which is straightforward but cannot be parallelized because each step depends on the previous one.
A better choice is to use Carry Lookahead Adder, which allows us to use the parallelized AND and XOR bitwise operations. With this design, our adder is around 50% faster than the Ripple Carry Adder.
To further optimize performance, we use parallel prefix algorithms to parallelize the function that computes the carry signals. These algorithms involve more (homomorphic) boolean operations and their parallel nature speeds up the processing. We have implemented the Brent-Kung and Ladner-Fischer algorithms with different tradeoffs:
Brent-Kung has the least amount of boolean operations we could find (140 when using grey cells, for 32-bit numbers), which makes it suitable when we can't process many operations concurrently and fast. Our results confirm that it's indeed faster than both the sequential algorithm and Ladner-Fischer when run on regular computers.
On the other hand, Ladner-Fischer performs more boolean operations (209 using grey cells) than Brent-Kung, but they are performed in larger batches. Hence we can compute more operations in parallel and finish earlier, but we need more fast threads available or they will slow down the carry signals computation. Ladner-Fischer can be suitable when using cloud-based computing services, which offer many high-speed threads.
Our implementation uses Brent-Kung by default, but you can enable Ladner-Fischer by using the --ladner-fischer
command line argument.
Finally, with all these SHA-256 operations working homomorphically, our functions will be homomomorphic as well along with the whole SHA-256 function (after adapting the code to work with the Ciphertext type).
Let's talk about other performance improvements we can make before we finish.
In the main sha256_fhe
, you can perform some functions in parallel. For example, in the compression loop, temp1
and temp2
can be computed in parallel by using the rayon::join()
function when there is a CPU available. The two temporary values in the compression loop are the result of multiple additions, so you can use nested calls to rayon::join()
to parallelize more operations.
Another way to speed up consecutive additions would be using the Carry Save Adder, a very efficient adder that takes 3 numbers and returns a sum and a carry sequence. If our inputs are A, B, and C, we can construct a CSA with our previously implemented Maj function and the bitwise XOR operation as follows:
By chaining CSAs, we can input the sum and carry from a preceding stage along with another number into a new CSA. Finally, to get the result of the additions we add the sum and carry sequences using a conventional adder. In the end, we are performing the same number of additions, but some of them are now CSAs, speeding up the process. Below is the illustration of this process in the temp1
and temp2
computations.
The first closure of the outer call to join will return temp1
and the second temp2
.
Inside the first outer closure, we call join recursively until we add the value h
, the current word w[i],
and the current constant K[i]
by using the CSA, while potentially computing the ch
function in parallel. Then we take the sum, carry, and ch values and add them again using the CSA.
All this is done while potentially computing the sigma_upper_case_1
function. Finally we input the previous sum, carry, and sigma values to the CSA and perform the final addition with add
. Once again, this is done while potentially computing sigma_upper_case_0
and maj
and adding them to get temp2
, in the second outer closure.
With these types of changes, we finally get a homomorphic SHA256 function that doesn't leave unused computational resources.
First, use the --release
flag when running the program. Considering the implementation of encrypt_bools
and decrypt_bools
, the use of SHA-256 will be as follows:
We can supply the data to hash using a file instead of the command line by using stdin
. For example, if the file input.txt
is in the same directory as the project, we can use the following shell command after building with cargo build --release
:
The program accepts hexadecimal inputs. The input must start with "0x" and contain only valid hex digits, otherwise it will be interpreted as text.
Finally, padding is performed on the client side. This has the advantage of hiding the exact length of the input content from the server, thus avoiding the server extracting information from the length, even though the content is fully encrypted.
It is also feasible to perform padding on the server side. The padding function would take the encrypted input and pad it with trivial bit encryptions. We can then integrate the padding function into the sha256_fhe
function computed by the server.
x | y | z | Result |
---|
The final code is available .
For more information about parallel prefix adders, you can read or .
T $op T
T: $Op<T, Output=T>
T $op &T
T: for<'a> $Op<&'a T, Output=T>
&T $op T
for<'a> &'a T: $Op<T, Output=T>
&T $op &T
for<'a> &'a T: $Op<&'a T, Output=T>
0 | 0 | 0 | 0 |
0 | 0 | 1 | 1 |
0 | 1 | 0 | 0 |
0 | 1 | 1 | 1 |
1 | 0 | 0 | 0 |
1 | 0 | 1 | 0 |
1 | 1 | 0 | 1 |
1 | 1 | 1 | 1 |
Since the ServerKey
and ClientKey
types both implement the Serialize
and Deserialize
traits, you are free to use any serializer that suits you to save and load the keys to disk.
Here is an example using the bincode
serialization library, which serializes to a binary format:
This contains the operations available in tfhe::boolean, along with code examples.
Let ct_1, ct_2, ct_3
be three Boolean ciphertexts. Then, the MUX gate (abbreviation of MUltipleXer) is equivalent to the operation:
This example shows how to use the MUX ternary gate:
This library makes it possible to execute homomorphic operations over encrypted data, where the data are either Booleans, short integers (named shortint in the rest of this documentation), or integers up to 256 bits. It allows you to execute a circuit on an untrusted server because both circuit inputs and outputs are kept private. Data are indeed encrypted on the client side, before being sent to the server. On the server side, every computation is performed on ciphertexts.
The server, however, has to know the circuit to be evaluated. At the end of the computation, the server returns the encryption of the result to the user. Then the user can decrypt it with the secret key
.
The overall process to write an homomorphic program is the same for all types. The basic steps for using the TFHE-rs library are the following:
Choose a data type (Boolean, shortint, integer)
Import the library
Create client and server keys
Encrypt data with the client key
Compute over encrypted data using the server key
Decrypt data with the client key
This library has different modules, with different levels of abstraction.
There is the core_crypto module, which is the lowest level API with the primitive functions and types of the TFHE scheme.
Above the core_crypto module, there are the Boolean, shortint, and integer modules, which contain easy to use APIs enabling evaluation of Boolean, short integer, and integer circuits.
Finally, there is the high-level module built on top of the Boolean, shortint, integer modules. This module is meant to abstract cryptographic complexities: no cryptographical knowledge is required to start developing an FHE application. Another benefit of the high-level module is the drastically simplified development process compared to lower level modules.
TFHE-rs exposes a high-level API by default that includes datatypes that try to match Rust's native types by having overloaded operators (+, -, ...).
Here is an example of how the high-level API is used:
Use the --release
flag to run this example (eg: cargo run --release
)
Here is an example of how the library can be used to evaluate a Boolean circuit:
Use the --release
flag to run this example (eg: cargo run --release
)
Here is a full example using shortint:
Use the --release
flag to run this example (eg: cargo run --release
)
Use the --release
flag to run this example (eg: cargo run --release
)
The library is simple to use and can evaluate homomorphic circuits of arbitrary length. The description of the algorithms can be found in the TFHE paper (also available as ePrint 2018/421).
In tfhe::boolean
, the available operations are mainly related to their equivalent Boolean gates (i.e., AND, OR... etc). What follows are examples of a unary gate (NOT) and a binary gate (XOR). The last one is about the ternary MUX gate, which allows homomorphic computation of conditional statements of the form If..Then..Else
.
This library is meant to be used both on the server side and the client side. The typical use case should follow the subsequent steps:
On the client side, generate the client
and server keys
.
Send the server key
to the server.
Then any number of times:
On the client side, encrypt the input data with the client key
.
Transmit the encrypted input to the server.
On the server side, perform homomorphic computation with the server key
.
Transmit the encrypted output to the client.
On the client side, decrypt the output data with the client key
.
In the first step, the client creates two keys, the client key
and the server key
, with the tfhe::boolean::gen_keys
function:
The client_key
is of type ClientKey
. It is secret and must never be transmitted. This key will only be used to encrypt and decrypt data.
The server_key
is of type ServerKey
. It is a public key and can be shared with any party. This key has to be sent to the server because it is required for homomorphic computation.
Note that both the client_key
and server_key
implement the Serialize
and Deserialize
traits. This way you can use any compatible serializer to store/send the data. To store the server_key
in a binary file, you can use the bincode
library:
Once the server key is available on the server side, it is possible to perform some homomorphic computations. The client needs to encrypt some data and send it to the server. Again, the Ciphertext
type implements the Serialize
and the Deserialize
traits, so that any serializer and communication tool suiting your use case can be employed:
Anyone (the server or a third party) with the public key can also encrypt some (or all) of the inputs. The public key can only be used to encrypt, not to decrypt.
Once the encrypted inputs are on the server side, the server_key
can be used to homomorphically execute the desired Boolean circuit:
Once the encrypted output is on the client side, the client_key
can be used to decrypt it:
tfhe::integer
is dedicated to integers smaller than 256 bits. The steps to homomorphically evaluate an integer circuit are described here.
integer
provides 3 basic key types:
ClientKey
ServerKey
PublicKey
The ClientKey
is the key that encrypts and decrypts messages, thus this key is meant to be kept private and should never be shared. This key is created from parameter values that will dictate both the security and efficiency of computations. The parameters also set the maximum number of bits of message encrypted in a ciphertext.
The ServerKey
is the key that is used to actually do the FHE computations. It contains a bootstrapping key and a keyswitching key. This key is created from a ClientKey
that needs to be shared to the server, so it is not meant to be kept private. A user with a ServerKey
can compute on the encrypted data sent by the owner of the associated ClientKey
.
To reflect this, computation/operation methods are tied to the ServerKey
type.
The PublicKey
is a key used to encrypt messages. It can be publicly shared to allow users to encrypt data such that only the ClientKey
holder will be able to decrypt. Encrypting with the PublicKey
does not alter the homomorphic capabilities associated to the ServerKey
.
To generate the keys, a user needs two parameters:
A set of shortint
cryptographic parameters.
The number of ciphertexts used to encrypt an integer (we call them "shortint blocks").
We are now going to build a pair of keys that can encrypt 8-bit integers (signed or unsigned) by using 4 shortint blocks that store 2 bits of message each.
Once we have our keys, we can encrypt values:
Once the client key is generated, the public key can be derived and used to encrypt data.
With our server_key
, and encrypted values, we can now do an addition and then decrypt the result.
The TFHE cryptographic scheme relies on a variant of Regev cryptosystem and is based on a problem so difficult that it is even post-quantum resistant.
Some cryptographic parameters will require tuning to ensure both the correctness of the result and the security of the computation.
To make it simpler, we've provided two sets of parameters, which ensure correct computations for a certain probability with the standard security of 128 bits. There exists an error probability due to the probabilistic nature of the encryption, which requires adding randomness (noise) following a Gaussian distribution. If this noise is too large, the decryption will not give a correct result. There is a trade-off between efficiency and correctness: generally, using a less efficient parameter set (in terms of computation time) leads to a smaller risk of having an error during homomorphic evaluation.
In the two proposed sets of parameters, the only difference lies in this error probability. The default parameter set ensures an error probability of at most when computing a programmable bootstrapping (i.e., any gates but the not
). The other one is closer to the error probability claimed in the original TFHE paper, namely , but it is up-to-date regarding security requirements.
The following array summarizes this:
Parameter set | Error probability |
---|---|
You can also create your own set of parameters. This is an unsafe
operation as failing to properly fix the parameters will result in an incorrect and/or insecure computation:
All parameter sets provide at least 128-bits of security according to the , with an error probability equal to when using programmable bootstrapping. This error probability is due to the randomness added at each encryption (see for more details about the encryption process).
shortint
comes with sets of parameters that permit the use of the library functionalities securely and efficiently. Each parameter set is associated to the message and carry precisions. Therefore, each key pair is entangled to precision.
The user is allowed to choose which set of parameters to use when creating the pair of keys.
The difference between the parameter sets is the total amount of space dedicated to the plaintext, how it is split between the message buffer and the carry buffer, and the order in which the keyswitch (KS) and bootstrap (PBS) are computed. The syntax chosen for the name of a parameter is: PARAM_MESSAGE_{number of message bits}_CARRY_{number of carry bits}_{KS_PBS | PBS_KS}
. For example, the set of parameters for a message buffer of 5 bits, a carry buffer of 2 bits and where the keyswitch is computed before the bootstrap is PARAM_MESSAGE_5_CARRY_2_KS_PBS
.
Note that the KS_PBS
order should have better performance at the expense of ciphertext size, PBS_KS
is the opposite.
This example contains keys that are generated to have messages encoded over 2 bits (i.e., computations are done modulus ) with 2 bits of carry.
The PARAM_MESSAGE_2_CARRY_2_KS_PBS
parameter set is the default shortint
parameter set that you can also use through the tfhe::shortint::prelude::DEFAULT_PARAMETERS
constant.
The computations of bi-variate functions is based on a trick: concatenating two ciphertexts into one. Where the carry buffer is not at least as large as the message buffer, this trick no longer works. In this case, many bi-variate operations, such as comparisons, cannot be correctly computed. The only exception concerns multiplication.
It is possible to define new parameter sets. To do so, it is sufficient to use the function new()
or to manually fill the ClassicPBSParameters
structure fields.
For instance:
The structure and operations related to short integers are described in this section.
In shortint
, the encrypted data is stored in an LWE ciphertext.
Conceptually, the message stored in an LWE ciphertext is divided into a carry buffer and a message buffer.
The message buffer is the space where the actual message is stored. This represents the modulus of the input messages (denoted by MessageModulus
in the code). When doing computations on a ciphertext, the encrypted message can overflow the message modulus. The part of the message which exceeds the message modulus is stored in the carry buffer. The size of the carry buffer is defined by another modulus, called CarryModulus
.
Together, the message modulus and the carry modulus form the plaintext space that is available in a ciphertext. This space cannot be overflowed, otherwise the computation may result in an incorrect output.
In order to ensure the correctness of the computation, we track the maximum value encrypted in a ciphertext via an associated attribute called the degree. When the degree reaches a defined threshold, the carry buffer may be emptied to safely resume the computations. In shortint
the carry modulus is considered useful as a means to do more computations.
The operations available via a ServerKey
may come in different variants:
operations that take their inputs as encrypted values
scalar operations that take at least one non-encrypted value as input
For example, the addition has two variants:
ServerKey::unchecked_add
, which takes two encrypted values and adds them.
ServerKey::unchecked_scalar_add
, which takes an encrypted value and a clear value (a so-called scalar) and adds them.
Each operation may come in different 'flavors':
unchecked
: always does the operation, without checking if the result may exceed the capacity of the plaintext space. Using this operation might have an impact on the correctness of the following operations;
checked
: checks are done before computing the operation, returning an error if operation cannot be done safely;
smart
: always does the operation. If the operation cannot be computed safely, the smart operation will clear the carry to make the operation possible. Some of those will require a mutable reference as input: this is to allow the modification of the carry, but this will not change the underlying encrypted value;
default
: always does the operation and always clears the carry. Could be slower than smart, but it ensures that the timings are consistent from one call to another.
Not all operations have these 4 flavors, as some of them are implemented in a way that the operation is always possible without ever exceeding the plaintext space capacity.
If you don't know which flavor to use, you should use the default
one.
Let's try to do a circuit evaluation using the different flavors of operations that we have already introduced. For a very small circuit, the unchecked
flavour may be enough to do the computation correctly. Otherwise,checked
and smart
are the best options.
Let's do a scalar multiplication, a subtraction, and a multiplication.
During this computation, the carry buffer has been overflowed and, as all the operations were unchecked
, the output may be incorrect.
If we redo this same circuit with the checked
flavor, a panic will occur:
The checked
flavor permits manual management of the overflow of the carry buffer by raising an error if correctness is not guaranteed.
Using the smart
flavor will output the correct result all the time. However, the computation may be slower as the carry buffer may be cleaned during the computations.
The main advantage of the default flavor is to ensure predictable timings as long as this is the only kind of operation which is used.
Using default
could slow-down computations.
#List of available operations
Certain operations can only be used if the parameter set chosen is compatible with the bivariate programmable bootstrapping, meaning the carry buffer is larger than or equal to the message buffer. These operations are marked with a star (*).
The list of implemented operations for shortint is:
addition between two ciphertexts
addition between a ciphertext and an unencrypted scalar
comparisons <
, <=
, >
, >=
, ==
, !=
between a ciphertext and an unencrypted scalar
division of a ciphertext by an unencrypted scalar
LSB multiplication between two ciphertexts returning the result truncated to fit in the message buffer
multiplication of a ciphertext by an unencrypted scalar
bitwise shift <<
, >>
subtraction of a ciphertext by another ciphertext
subtraction of a ciphertext by an unencrypted scalar
negation of a ciphertext
bitwise and, or and xor (*)
comparisons <
, <=
, >
, >=
, ==
, !=
between two ciphertexts (*)
division between two ciphertexts (*)
MSB multiplication between two ciphertexts returning the part overflowing the message buffer
(*)
TFHE-rs supports both private and public key encryption methods. The only difference between both lies in the encryption step: in this case, the encryption method is called using public_key
instead of client_key
.
Here is a small example on how to use public encryption:
Classical arithmetic operations are supported by shortint:
Short homomorphic integer types support some bitwise operations.
A simple example on how to use these operations:
Short homomorphic integer types support comparison operations.
A simple example on how to use these operations:
A simple example on how to use this operation to homomorphically compute the hamming weight (i.e., the number of bits equal to one) of an encrypted number.
Using the shortint types offers the possibility to evaluate bi-variate functions, or functions that take two ciphertexts as input. This requires choosing a parameter set such that the carry buffer size is at least as large as the message (i.e., PARAM_MESSAGE_X_CARRY_Y with X <= Y).
Here is a simple code example:
As explained in the introduction, some types (Serverkey
, Ciphertext
) are meant to be shared with the server that performs the computations.
The easiest way to send these data to a server is to use the serialization and deserialization features. tfhe::shortint
uses the framework. Serde's Serialize and Deserialize are then implemented on the tfhe::shortint
types.
To serialize the data, we need to pick a . For our use case, is a good choice, mainly because it is a binary format.
tfhe::shortint
is dedicated to unsigned integers smaller than 8 bits. The steps to homomorphically evaluate a circuit are described below.
tfhe::shortint
provides 3 key types:
ClientKey
ServerKey
PublicKey
The ClientKey
is the key that encrypts and decrypts messages (integer values up to 8 bits here). It is meant to be kept private and should never be shared. This key is created from parameter values that will dictate both the security and efficiency of computations. The parameters also set the maximum number of bits of message encrypted in a ciphertext.
The ServerKey
is the key that is used to evaluate the FHE computations. Most importantly, it contains a bootstrapping key and a keyswitching key. This key is created from a ClientKey
that needs to be shared to the server (it is not meant to be kept private). A user with a ServerKey
can compute on the encrypted data sent by the owner of the associated ClientKey
.
Computation/operation methods are tied to the ServerKey
type.
The PublicKey
is the key used to encrypt messages. It can be publicly shared to allow users to encrypt data such that only the ClientKey
holder will be able to decrypt. Encrypting with the PublicKey
does not alter the homomorphic capabilities associated to the ServerKey
.
Once the keys have been generated, the client key is used to encrypt data:
Once the keys have been generated, the client key is used to encrypt data:
Using the server_key
, addition is possible over encrypted values. The resulting plaintext is recovered after the decryption via the secret client key.
The structure and operations related to integers are described in this section.
In integer
, the encrypted data is split amongst many ciphertexts encrypted with the shortint
library. Below is a scheme representing an integer composed by k shortint ciphertexts.
This crate implements two ways to represent an integer:
the Radix representation
the CRT (Chinese Reminder Theorem) representation
In this representation, the correctness of operations requires the carries to be propagated throughout the ciphertext. This operation is costly, since it relies on the computation of many programmable bootstrapping operations over shortints.
This representation has many advantages: no carry propagation is required, cleaning the carry buffer of each ciphertext block is enough. This implies that operations can easily be parallelized. It also allows the efficient computation of PBS in the case where the function is CRT-compliant.
A variant of the CRT is proposed where each block might be associated to a different key couple. Here, a keychain to the computations is required, but this may result in a performance improvement.
The list of operations available in integer
depends on the type of representation:
Much like shortint
, the operations available via a ServerKey
may come in different variants:
operations that take their inputs as encrypted values.
scalar operations take at least one non-encrypted value as input.
For example, the addition has both variants:
ServerKey::unchecked_add
, which takes two encrypted values and adds them.
ServerKey::unchecked_scalar_add
, which takes an encrypted value and a clear value (the so-called scalar) and adds them.
Each operation may come in different 'flavors':
unchecked
: always does the operation, without checking if the result may exceed the capacity of the plaintext space.
checked
: checks are done before computing the operation, returning an error if operation cannot be done safely.
smart
: always does the operation, if the operation cannot be computed safely, the smart operation will propagate the carry buffer to make the operation possible. Some of those will require a mutable reference as input: this is because the inputs' carry might be cleaned, but this will not change the underlying encrypted value.
default
: always compute the operation and always clear the carry. Could be slower than smart, but ensure that the timings are consistent from one call to another.
Not all operations have these 4 flavors, as some of them are implemented in a way that the operation is always possible without ever exceeding the plaintext space capacity.
If you don't know which flavor to use, you should use the default
one.
Let's try to do a circuit evaluation using the different flavors of already introduced operations. For a very small circuit, the unchecked
flavor may be enough to do the computation correctly. Otherwise, checked
and smart
are the best options.
As an example, let's do a scalar multiplication, a subtraction, and an addition.
During this computation the carry buffer has been overflowed, and the output may be incorrect as all the operations were unchecked
.
If the same circuit is done but using the checked
flavor, a panic will occur:
The checked
flavor permits the manual management of the overflow of the carry buffer by raising an error if correctness is not guaranteed.
Using the smart
flavor will output the correct result all the time. However, the computation may be slower as the carry buffer may be propagated during the computations.
You must avoid cloning the inputs when calling smart
operations to preserve performance. For instance, you SHOULD NOT have these kind of patterns in the code:
The main advantage of the default flavor is to ensure predictable timings, as long as only this kind of operation is used. Only the parallelized version of the operations is provided.
Using default
could slow down computations.
As shown , the choice of the parameter set impacts the operations available and their efficiency.
In the case of multiplication, two algorithms are implemented: the first one relies on the bi-variate function trick, where the other one is based on the . To correctly compute a multiplication, the only requirement is to have at least one bit of carry (i.e., using parameter sets PARAM_MESSAGE_X_CARRY_Y with Y>=1). This method is slower than using the other one. Using the smart
version of the multiplication automatically chooses which algorithm is used depending on the chosen parameters.
The first possibility to represent a large integer is to use a Radix-based decomposition on the plaintexts. Let be a basis such that the size of is smaller than (or equal to) 4 bits. Then, an integer can be written as , where each is strictly smaller than . Each is then independently encrypted. In the end, an Integer ciphertext is defined as a set of shortint ciphertexts.
The definition of an integer requires a basis and a number of blocks. These parameters are chosen at key generation. Below, the keys are dedicated to integers encrypting messages over 8 bits, using a basis over 2 bits (i.e., ) and 4 blocks.
The second approach to represent large integers is based on the Chinese Remainder Theorem. In this case, the basis is composed of several integers , such that there are pairwise coprime, and each has a size smaller than 4 bits. The CRT-based integer are defined modulus . For an integer , its CRT decomposition is simply defined as . Each part is then encrypted as a shortint ciphertext. In the end, an Integer ciphertext is defined as a set of shortint ciphertexts.
In the following example, the chosen basis is . The integer is defined modulus . There is no need to pre-size the number of blocks since it is determined from the number of values composing the basis. Here, the integer is split over three blocks.
Operation name | Radix-based | CRT-based |
---|
DEFAULT_PARAMETERS
TFHE_LIB_PARAMETERS
integer
does not come with its own set of parameters. Instead, it relies on parameters from shortint
. Currently, parameter sets having the same space dedicated to the message and the carry (i.e. PARAM_MESSAGE_{X}_CARRY_{X}
with X
in [1,4]) are recommended. See here for more details about cryptographic parameters, and here to see how to properly instantiate integers depending on the chosen representation.
The core_crypto
module from TFHE-rs
is dedicated to the implementation of the cryptographic tools related to TFHE. To construct an FHE application, the shortint and/or Boolean modules (based on core_crypto
) are recommended.
The core_crypto
module offers an API to low-level cryptographic primitives and objects, like lwe_encryption
or rlwe_ciphertext
. The goal is to propose an easy-to-use API for cryptographers.
The overall code architecture is split in two parts: one for entity definitions and another focused on algorithms. The entities contain the definition of useful types, like LWE ciphertext or bootstrapping keys. The algorithms are then naturally defined to work using these entities.
The API is convenient to add or modify existing algorithms, or to have direct access to the raw data. Even if the LWE ciphertext object is defined, along with functions giving access to the body, it is also possible to bypass these to get directly the element of LWE mask.
For instance, the code to encrypt and then decrypt a message looks like:
As explained in the introduction, some types (Serverkey
, Ciphertext
) are meant to be shared with the server that does the computations.
The easiest way to send these data to a server is to use the serialization and deserialization features. TFHE-rs
uses the serde framework, so serde's Serialize and Deserialize are implemented.
To be able to serialize our data, a data format needs to be picked. Here, bincode is a good choice, mainly because it is binary format.
core_crypto
primitivesWelcome to this tutorial about TFHE-rs
core_crypto
module.
core_crypto
moduleTo use TFHE-rs
, it first has to be added as a dependency in the Cargo.toml
:
This enables the x86_64-unix
feature to have efficient implementations of various algorithms for x86_64
CPUs on a Unix-like system. The 'unix' suffix indicates that the UnixSeeder
, which uses /dev/random
to generate random numbers, is activated as a fallback if no hardware number generator is available (like rdseed
on x86_64
or if the Randomization Services
on Apple platforms are not available). To avoid having the UnixSeeder
as a potential fallback or to run on non-Unix systems (e.g., Windows), the x86_64
feature is sufficient.
For Apple Silicon, the aarch64-unix
or aarch64
feature should be enabled. aarch64
is not supported on Windows as it's currently missing an entropy source required to seed the CSPRNGs used in TFHE-rs
.
In short: For x86_64
-based machines running Unix-like OSes:
For Apple Silicon or aarch64-based machines running Unix-like OSes:
For x86_64
-based machines with the rdseed instruction
running Windows:
core_crypto
module.As a complete example showing the usage of some common primitives of the core_crypto
APIs, the following Rust code homomorphically computes 2 * 3 using two different methods. First using a cleartext multiplication and then using a PBS.
There are two ways to contribute to TFHE-rs
. You can:
open issues to report bugs and typos and to suggest ideas;
ask to become an official contributor by emailing hello@zama.ai. Only approved contributors can send pull requests, so get in touch before you do.
Negation |
Addition |
Scalar Addition |
Subtraction |
Scalar Subtraction |
Multiplication |
Scalar Multiplication |
Bitwise OR, AND, XOR |
Equality |
Left/Right Shift |
Comparisons |
Min, Max |
TFHE is a fully homomorphic encryption scheme that enables fast homomorphic operations on booleans, integers and reals.
By enabling both leveled and bootstrapped operations, TFHE can be used for a wide range of usecases, from homomorphic boolean circuits to homomorphic neural networks.
Here are a series of articles that guide you to go deeper into the understanding of the scheme:
The article Guide to Fully Homomorphic Encryption over the Discretized Torus gives more mathematical details about the TFHE scheme.
You can also watch the video record of the original talk by Ilaria Chillotti for FHE.org: