test(core): add a many LUT test in core crypto

[IceTDrinker]

PR content/description

• it does not require any new primitive so was made into a test at the core crypto level
• shortint will have a more user friendly API but it requires some design

Check-list:

• Tests for the changes have been added (for bug fixes / features)
  * [ ] Docs have been added / updated (for bug fixes / features)
  * [ ] Relevant issues are marked as resolved/closed, related issues are linked in the description
  * [ ] Check for breaking changes (including serialization changes) and add them to commit message following the conventional commit specification

[github-actions]

@slab-ci cpu_fast_test

[IceTDrinker]

using the MSB to manage the LUT location looks more interesting to avoid delta/encoding mixing (as discovered while checking this with @mayeul-zama)

[github-actions]

@slab-ci cpu_fast_test

[mayeul-zama]

I think it would be cleaner to assert!(funcs.len() * input_max_degree * mega_case_size < poly_size)
And then cut the LUT into funcs.len() chunks of size input_max_degree * mega_case_size (the end of the LUT may be filled with 0)
And then, fill each mega case i of each chunk j with f_j(i)

This way, fn_count does not need to be a power of 2

[mayeul-zama]

Or we may choose the biggest possible input_max_degree and then in the shortint API, we return an error if the degree is bigger than this inferred max degree

[IceTDrinker]

We do not require the power of 2 in that case it's just that we use power of 2 to organize the data which IMO is much less of a headache

[mayeul-zama]

But it seems to me that it limits the maximum possible degree of the inputs of the many LUT

[IceTDrinker]

I think the first implementation will be based on the power of 2 approach, and if we see we are missing some optimizations we'll likely update to be able to be more flexible wrt to the degree.

The only time we would have a limit is if we have a small degree and lots of functions then there may be a world where some functions will not be evaluated because of wasted space if we use the power of 2, I think it's an acceptable tradeoff at first.

Plus here for core we don't really care, it's a first implementation to check the principles, the question will be of more interest later when it goes up to shortint

[mayeul-zama]

It seems to me that the non power of 2 approach is not more complex

Plus here for core we don't really care, it's a first implementation to check the principles, the question will be of more interest later when it goes up to shortint

Why merge it then? Shouldn't we only merge the shortint version in main once ready?

[IceTDrinker]

well at least from a design perspective it means the LUT generation does not need the input ciphertext degree in the power of 2 approach as it's a pessimistic case, in the degree approach the lut needs to be tailor made for the ciphertext

[mayeul-zama]

As described in my second comment, I believe we can take the biggest possible input_max_degree (which depend on fn_count and full_msg_mod) to build the LUT and we can use it for all compatible ciphertexts

[mayeul-zama]

Does message_modulus include the carries?
I think it should, but the name, as used in shortint does not reflect that.
Does message_modulus have a differen meaning in core_crypto?

[IceTDrinker]

yeah in core crypto it's most likely the full msg space here, it would be adapted for the port to shortint

[github-actions]

@slab-ci cpu_fast_test
@slab-ci gpu_test

[github-actions]

@slab-ci gpu_test

[github-actions]

@slab-ci gpu_test

[github-actions]

Pull Request has been approved 🎉
Launching full test suite...
@slab-ci cpu_test
@slab-ci cpu_unsigned_integer_test
@slab-ci cpu_signed_integer_test
@slab-ci cpu_wasm_test
@slab-ci csprng_randomness_testing