feat(CompressedXofKeySet): impl key gen of ClientKey

This adds the implemention of the ClientKey generation
that respects the threshold specs, some points are:

* 2 random generators are used one for everything public (masks)
  the other for everything private (private keys and noise).
  These generators are seeded once.
* binary secret keys are generated using
  `fill_slice_with_random_uniform_binary_bits` and support pmax param

Author: tmontaigu

tfhe/src/core_crypto/algorithms/glwe_secret_key_generation.rs

@@ -67,3 +67,53 @@ pub fn generate_binary_glwe_secret_key<Scalar, InCont, Gen>(
 {
     generator.fill_slice_with_random_uniform_binary(glwe_secret_key.as_mut());
 }
+
+/// Fill a [`GLWE secret key`](`GlweSecretKey`) with uniformly random binary coefficients.
+///
+/// The hamming weight of the secret key will be in: `(1-max_norm_hwt)*len..=max_norm_hwt*len`
+/// where max_norm_hwt is in ]0.5, 1.0]
+///
+/// # Example
+///
+/// ```rust
+/// use tfhe::core_crypto::prelude::*;
+///
+/// // DISCLAIMER: these toy example parameters are not guaranteed to be secure or yield correct
+/// // computations
+/// // Define parameters for GlweSecretKey creation
+/// let glwe_size = GlweSize(2);
+/// let polynomial_size = PolynomialSize(1024);
+///
+/// // Create the PRNG
+/// let mut seeder = new_seeder();
+/// let seeder = seeder.as_mut();
+/// let mut secret_generator = SecretRandomGenerator::<DefaultRandomGenerator>::new(seeder.seed());
+/// let max_norm_hwt = MaxNormalizedHammingWeith::new(0.7).unwrap();
+///
+/// let mut glwe_secret_key =
+///     GlweSecretKey::new_empty_key(0u64, glwe_size.to_glwe_dimension(), polynomial_size);
+///
+/// generate_binary_glwe_secret_key_with_bounded_hamming_weight(
+///     &mut glwe_secret_key,
+///     &mut secret_generator,
+///     max_norm_hwt,
+/// );
+///
+/// for polynomial in glwe_secret_key.iter() {
+///     assert!(max_norm_hwt.check_binary_slice(polynomial.as_ref()).is_ok());
+/// }
+/// ```
+pub fn generate_binary_glwe_secret_key_with_bounded_hamming_weight<Scalar, InCont, Gen>(
+    glwe_secret_key: &mut GlweSecretKey<InCont>,
+    generator: &mut SecretRandomGenerator<Gen>,
+    max_norm_hwt: MaxNormalizedHammingWeight,
+) where
+    Scalar: UnsignedInteger + RandomGenerable<UniformBinary>,
+    InCont: ContainerMut<Element = Scalar>,
+    Gen: ByteRandomGenerator,
+{
+    for mut secret_poly in glwe_secret_key.as_mut_polynomial_list().iter_mut() {
+        generator
+            .fill_slice_with_bounded_random_uniform_binary_bits(secret_poly.as_mut(), max_norm_hwt);
+    }
+}

tfhe/src/core_crypto/algorithms/lwe_secret_key_generation.rs

@@ -1,7 +1,7 @@
 //! Module containing primitives pertaining to the generation of
 //! [`LWE secret keys`](`LweSecretKey`).
-
 use crate::core_crypto::commons::generators::SecretRandomGenerator;
+
 use crate::core_crypto::commons::math::random::{RandomGenerable, UniformBinary};
 use crate::core_crypto::commons::parameters::*;
 use crate::core_crypto::commons::traits::*;
@@ -62,3 +62,47 @@ pub fn generate_binary_lwe_secret_key<Scalar, InCont, Gen>(
 {
     generator.fill_slice_with_random_uniform_binary(lwe_secret_key.as_mut());
 }
+
+/// Fill an [`LWE secret key`](`LweSecretKey`) with uniformly random binary coefficients.
+///
+/// The hamming weight of the secret key will be in: `(1-max_norm_hwt)*len..=max_norm_hwt*len`
+/// where max_norm_hwt is in ]0.5, 1.0]
+///
+/// # Example
+///
+/// ```rust
+/// use tfhe::core_crypto::prelude::*;
+///
+/// // DISCLAIMER: these toy example parameters are not guaranteed to be secure or yield correct
+/// // computations
+/// // Define parameters for LweCiphertext creation
+/// let lwe_dimension = LweDimension(742);
+///
+/// // Create the PRNG
+/// let mut seeder = new_seeder();
+/// let seeder = seeder.as_mut();
+/// let mut secret_generator = SecretRandomGenerator::<DefaultRandomGenerator>::new(seeder.seed());
+/// let max_norm_hwt = MaxNormalizedHammingWeith::new(0.7).unwrap();
+/// let mut lwe_secret_key = LweSecretKey::new_empty_key(0u64, lwe_dimension);
+///
+/// generate_binary_lwe_secret_key_with_bounded_hamming_weight(
+///     &mut lwe_secret_key,
+///     &mut secret_generator,
+///     max_norm_hwt,
+/// );
+///
+/// // Check all coefficients are not zero as we just generated a new key
+/// assert!(max_norm_hwt.check_binary_slice(lwe_secret_key.as_ref()).is_ok());
+/// ```
+pub fn generate_binary_lwe_secret_key_with_bounded_hamming_weight<Scalar, InCont, Gen>(
+    lwe_secret_key: &mut LweSecretKey<InCont>,
+    generator: &mut SecretRandomGenerator<Gen>,
+    max_norm_hwt: MaxNormalizedHammingWeight,
+) where
+    Scalar: RandomGenerable<UniformBinary> + UnsignedInteger,
+    InCont: ContainerMut<Element = Scalar>,
+    Gen: ByteRandomGenerator,
+{
+    generator
+        .fill_slice_with_bounded_random_uniform_binary_bits(lwe_secret_key.as_mut(), max_norm_hwt);
+}

tfhe/src/core_crypto/commons/generators/encryption/mod.rs

@@ -110,7 +110,7 @@ impl<G: ByteRandomGenerator> EncryptionRandomGenerator<G> {
         }
     }
 
-    #[cfg(all(feature = "integer", test))]
+    #[cfg(feature = "integer")]
     pub(crate) fn from_raw_parts(
         mask: MaskRandomGenerator<G>,
         noise: NoiseRandomGenerator<G>,

tfhe/src/core_crypto/commons/generators/encryption/noise_random_generator.rs

@@ -108,6 +108,10 @@ impl<G: ByteRandomGenerator> NoiseRandomGenerator<G> {
         }
     }
 
+    pub fn from_raw_parts(gen: RandomGenerator<G>) -> Self {
+        Self { gen }
+    }
+
     /// Create a new [`NoiseRandomGenerator`], using the provided seed
     pub fn new_from_seed(seed: impl Into<SeedKind>) -> Self {
         Self {

tfhe/src/core_crypto/commons/generators/secret.rs

@@ -1,19 +1,30 @@
 //! Module containing primitives pertaining to random generation in the context of secret key
 //! generation.
 
+use tfhe_csprng::seeders::SeedKind;
+
 use crate::core_crypto::commons::math::random::{
-    ByteRandomGenerator, RandomGenerable, RandomGenerator, Seed, UniformBinary,
+    ByteRandomGenerator, RandomGenerable, RandomGenerator, UniformBinary,
 };
+use crate::core_crypto::prelude::{MaxNormalizedHammingWeight, UnsignedInteger};
 
 /// A random number generator which can be used to generate secret keys.
 pub struct SecretRandomGenerator<G: ByteRandomGenerator>(RandomGenerator<G>);
 
 impl<G: ByteRandomGenerator> SecretRandomGenerator<G> {
     /// Create a new generator, optionally seeding it with the given value.
-    pub fn new(seed: Seed) -> Self {
+    pub fn new(seed: impl Into<SeedKind>) -> Self {
         Self(RandomGenerator::new(seed))
     }
 
+    pub fn from_raw_parts(inner: RandomGenerator<G>) -> Self {
+        Self(inner)
+    }
+
+    pub fn into_raw_parts(self) -> RandomGenerator<G> {
+        self.0
+    }
+
     /// Return the number of remaining bytes, if the generator is bounded.
     pub fn remaining_bytes(&self) -> Option<usize> {
         self.0.remaining_bytes()
@@ -32,4 +43,31 @@ impl<G: ByteRandomGenerator> SecretRandomGenerator<G> {
     {
         self.0.random_uniform_binary()
     }
+
+    pub fn fill_slice_with_random_uniform_binary_bits<Scalar>(&mut self, output: &mut [Scalar])
+    where
+        Scalar: UnsignedInteger,
+    {
+        self.0.fill_slice_with_random_uniform_binary_bits(output);
+    }
+
+    /// Fills the slice with uniform binary random, such that the
+    /// hamming weight of the output is ok with regards to the max normalized hamming weight
+    ///
+    /// This will loop and reject slices until an ok sequence of random binary was generated
+    pub fn fill_slice_with_bounded_random_uniform_binary_bits<Scalar>(
+        &mut self,
+        output: &mut [Scalar],
+        max_norm_hwt: MaxNormalizedHammingWeight,
+    ) where
+        Scalar: UnsignedInteger,
+    {
+        loop {
+            self.0.fill_slice_with_random_uniform_binary_bits(output);
+
+            if let Ok(()) = max_norm_hwt.check_binary_slice(output) {
+                break;
+            }
+        }
+    }
 }

tfhe/src/core_crypto/commons/parameters.rs

@@ -3,10 +3,13 @@
 //!
 //! These types have 0 overhead compared to the type being wrapped.
 
+use std::ops::RangeInclusive;
+
 use serde::{Deserialize, Serialize};
 use tfhe_versionable::Versionize;
 
 pub use super::ciphertext_modulus::CiphertextModulus;
+use super::traits::CastInto;
 use crate::core_crypto::backward_compatibility::commons::parameters::*;
 
 /// The number plaintexts in a plaintext list.
@@ -408,3 +411,59 @@ pub struct NoiseEstimationMeasureBound(pub f64);
 #[derive(Copy, Clone, Debug, Eq, PartialEq, Serialize, Deserialize, Versionize)]
 #[versionize(ChunkSizeVersions)]
 pub struct ChunkSize(pub usize);
+
+/// The max normalized hamming weight
+#[derive(Copy, Clone, Debug, PartialEq, Serialize, Deserialize)]
+pub struct MaxNormalizedHammingWeight(f64);
+
+impl MaxNormalizedHammingWeight {
+    /// Creates `self`, returns None if pmax not in ]0.5, 1.0]
+    pub fn new(pmax: f64) -> Option<Self> {
+        if 0.5 < pmax && pmax <= 1.0 {
+            Some(Self(pmax))
+        } else {
+            None
+        }
+    }
+
+    /// Returns the inner value
+    pub fn get(self) -> f64 {
+        self.0
+    }
+
+    /// Given the number of bits `num_bits`, returns the range
+    /// of acceptable hamming weights for a slice of `num_bits` bits
+    pub fn hamming_weight_range(self, num_bits: usize) -> RangeInclusive<u128> {
+        RangeInclusive::new(
+            ((1.0 - self.0) * num_bits as f64) as u128,
+            (self.0 * num_bits as f64) as u128,
+        )
+    }
+
+    /// Checks that the binary_slice's hamming weight is ok with regards to `self`
+    ///
+    /// * Returns Ok(()) if the hamming weight is ok, otherwise Err(())
+    ///
+    /// # Note
+    ///
+    /// The slice elements must be binary, that is they must be 0 or 1,
+    /// otherwise the result will be incorrect
+    pub fn check_binary_slice<T>(self, binary_slice: &[T]) -> Result<(), ()>
+    where
+        T: Copy + CastInto<u128>,
+    {
+        let hamming_weight = binary_slice
+            .iter()
+            .copied()
+            .map(|bit| -> u128 { bit.cast_into() })
+            .sum::<u128>();
+
+        let bounds = self.hamming_weight_range(binary_slice.len());
+
+        if bounds.contains(&hamming_weight) {
+            Ok(())
+        } else {
+            Err(())
+        }
+    }
+}

tfhe/src/core_crypto/entities/glwe_secret_key.rs

@@ -149,6 +149,12 @@ impl<Scalar: UnsignedInteger, C: ContainerMut<Element = Scalar>> GlweSecretKey<C
         let polynomial_size = self.polynomial_size;
         GlweSecretKey::from_container(self.as_mut(), polynomial_size)
     }
+
+    /// Interpret the [`GlweSecretKey`] as a [`PolynomialListMutView`].
+    pub fn as_mut_polynomial_list(&mut self) -> PolynomialListMutView<'_, C::Element> {
+        let poly_size = self.polynomial_size;
+        PolynomialListMutView::from_container(self.as_mut(), poly_size)
+    }
 }
 
 /// A [`GlweSecretKey`] owning the memory for its own storage.