How can encrypter access randomness underlying a homomorphically evaluated ciphertext?

Hi Zama,

I am a PhD student working on cryptography. For one of my research projects, I am using FHE as one of the building blocks in a larger protocol. I am implementing our protocol using ConcreteML and need to write a Zero-Knowledge (ZK) proof for some relation about a homomorphically evaluated ciphertext. The ZK prover’s witness in my system is the (message, randomness) tuple underlying the homomorphically evaluated ciphertext. I want to know is there a way for the prover to access the randomness here? A natural way to do this could be as follows: 1. the prover (encrypter) choose the randomness on its own and encrypt with respect to it. 2. Since homomorphic evaluation is a deterministic process, the prover can compute how the original randomness must have been modified in the evaluated ciphertext. In ConcreteML or TFHE-rs, is there a way I can track randomness in steps 1 and 2 above?

I’m not sure I understand the question well, but if you want to retrieve the random bits of a ciphertext: the mask and the error term, you can do that by accessing the mask+message bits.

For Concrete you could serialize the LWE ciphertext that you encrypt and look at the bits. To know more about the file format of the serialized LWE ciphertext I suggest you ask on the Concrete forum.

For TFHE-rs you can have different types of ciphertexts (LWE/GLWE/high level radix LWEs). You can obtain the int64 values of the LWEs mask easily. You can also extract LWE blocks of the high level radix datatypes and extract the mask. You should ask for more details on the TFHE-rs forum.