fix(core): ignore value in the body when doing LWE encryption

zama-ai · Jan 23, 2024 · 0d6e0c7 · 0d6e0c7
1 parent bd26d0e
commit 0d6e0c7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 22 deletions.
diff --git a/tfhe/src/core_crypto/algorithms/lwe_encryption.rs b/tfhe/src/core_crypto/algorithms/lwe_encryption.rs
@@ -94,10 +94,8 @@ pub fn fill_lwe_mask_and_body_for_encryption_native_mod_compatible<
     // generate an error from the normal distribution described by std_dev
     let noise = generator.random_noise_custom_mod(noise_parameters, ciphertext_modulus);
     // compute the multisum between the secret key and the mask
-    let mask_key_dot_product = (*output_body.data).wrapping_add(slice_wrapping_dot_product(
-        output_mask.as_ref(),
-        lwe_secret_key.as_ref(),
-    ));
+    let mask_key_dot_product =
+        slice_wrapping_dot_product(output_mask.as_ref(), lwe_secret_key.as_ref());
 
     // Store sum(ai * si) + delta * m + e in the body
     *output_body.data = mask_key_dot_product

diff --git a/tfhe/src/core_crypto/algorithms/test/lwe_encryption.rs b/tfhe/src/core_crypto/algorithms/test/lwe_encryption.rs
@@ -167,24 +167,30 @@ fn lwe_encrypt_decrypt_custom_mod<Scalar: UnsignedTorus>(params: ClassicTestPara
 
             let plaintext = Plaintext(msg * delta);
 
-            encrypt_lwe_ciphertext(
-                &lwe_sk,
-                &mut ct,
-                plaintext,
-                lwe_modular_std_dev,
-                &mut rsc.encryption_random_generator,
-            );
-
-            assert!(check_encrypted_content_respects_mod(
-                &ct,
-                ciphertext_modulus
-            ));
-
-            let decrypted = decrypt_lwe_ciphertext(&lwe_sk, &ct);
-
-            let decoded = round_decode(decrypted.0, delta) % msg_modulus;
-
-            assert_eq!(msg, decoded);
+            // This may look silly, but this is to catch a regression where the previous content of
+            // the ciphertext was wrongly used during encryption, re-encrypting in a ciphertext
+            // where we already encrypted allows to check the encryption is valid even if the
+            // destination LWE is dirty
+            for _ in 0..2 {
+                encrypt_lwe_ciphertext(
+                    &lwe_sk,
+                    &mut ct,
+                    plaintext,
+                    lwe_modular_std_dev,
+                    &mut rsc.encryption_random_generator,
+                );
+
+                assert!(check_encrypted_content_respects_mod(
+                    &ct,
+                    ciphertext_modulus
+                ));
+
+                let decrypted = decrypt_lwe_ciphertext(&lwe_sk, &ct);
+
+                let decoded = round_decode(decrypted.0, delta) % msg_modulus;
+
+                assert_eq!(msg, decoded);
+            }
         }
 
         // In coverage, we break after one while loop iteration, changing message values does not