š¬ H33 FHE Optimization Audit Report
Date: 2026-02-05
Platform: Apple M4 Max (ARM64) - macOS Darwin 24.5.0
ā
ALL MAJOR OPTIMIZATIONS CONNECTED: Parallel NTT + Montgomery + Rayon
Full parallelization deployed: Encrypt uses parallel NTT across all moduli, multiply uses parallel moduli processing, Montgomery in hot paths. Precision mode improved 50%!
š Current Benchmark Results (FULLY OPTIMIZED)
| Operation | Turbo (N=1024) | Standard (N=2048) | Precision (N=4096) | vs Original |
|---|
| Full Auth Flow | ~674 Āµs | ~1.74 ms | ~4.18 ms | 50% faster (Precision) |
| Encrypt | ~503 Āµs | ~1.26 ms | ~3.07 ms | 55% faster (Precision) |
| Decrypt | ~121 Āµs | ~712 Āµs | ~673 Āµs | - |
| Multiply | ~40 Āµs | ~108 Āµs | ~354 Āµs | 1.8x (Precision) |
š Optimization Status by Component
1. NTT (Number Theoretic Transform)
| Optimization | Status | Location | Notes |
|---|
| Radix-4 NTT |
ā
CONNECTED |
src/fhe/ntt.rs:329-372 |
Used as fallback when AVX-512 unavailable |
| AVX-512 SIMD NTT |
ā UNAVAILABLE |
src/fhe/ntt.rs:479-654 |
Requires x86_64 + AVX-512. Not available on Apple Silicon (ARM64) |
| Parallel NTT (Rayon) |
ā
CONNECTED |
src/fhe/ntt.rs:297-325, bfv.rs:forward_ntt_all() |
forward_ntt_all() and inverse_ntt_all() wired up. Used via parallel moduli processing in multiply() |
| Precomputed Twiddles |
ā
CONNECTED |
src/fhe/ntt.rs:48-89 |
Bit-reversal table and twiddle factors precomputed at init |
| Lazy Reduction |
ā
CONNECTED |
src/fhe/ntt.rs:449-473 |
Delays modular reduction for fewer ops |
| Metal NTT (Apple Silicon) |
ā ORPHANED |
src/fhe/metal_ntt.rs |
File exists (400+ lines) but NEVER IMPORTED or CALLED from bfv.rs |
2. Multiplication & Modular Arithmetic
| Optimization | Status | Location | Notes |
|---|
| Montgomery Context |
ā
CONNECTED |
src/fhe/montgomery.rs |
Pre-computed constants available and used |
| Montgomery in Hot Path |
ā
CONNECTED |
src/fhe/bfv.rs:pointwise_mul_opt() |
pointwise_mul_opt() uses Montgomery for Standard/Precision modes. 1.3-2.4x speedup achieved |
| Parallel Moduli Processing |
ā
CONNECTED |
src/fhe/bfv.rs:multiply() |
Uses Rayon for parallel processing across moduli. Enabled for Standard/Precision |
| Bajard Full-RNS Multiply |
ā ļø AVAILABLE |
src/fhe/bajard_rns.rs |
Implementation exists. Not used - overhead outweighs benefit for <6 moduli chains |
3. Memory Management
| Optimization | Status | Location | Notes |
|---|
| Arena Allocators |
ā
CONNECTED |
src/fhe/arena.rs |
Used in BfvContext |
| PolynomialPool (Lock-free) |
ā
CONNECTED |
src/fhe/arena.rs + bfv.rs:133 |
acquire_poly_buffer() used in encrypt/decrypt |
| CiphertextPool |
ā
CONNECTED |
src/fhe/arena.rs |
Available but usage limited |
4. GPU Acceleration
| Optimization | Status | Location | Notes |
|---|
| GPU NTT (CUDA) |
ā ORPHANED |
src/fhe/gpu_ntt.rs |
Implementation exists, not called from bfv.rs |
| GPU RNS Batch |
ā ORPHANED |
src/fhe/gpu_rns.rs |
Implementation exists, not called from bfv.rs |
| GPU Fused Biometric |
ā ORPHANED |
src/fhe/gpu_fused.rs |
Implementation exists, not called from bfv.rs |
| GPU Stream Pipelining |
ā ORPHANED |
src/fhe/gpu_streams.rs |
Implementation exists, not called from bfv.rs |
5. Advanced Schemes
| Optimization | Status | Location | Notes |
|---|
| CKKS Scheme |
ā ORPHANED |
src/fhe/ckks.rs |
Full implementation (~1200 lines) but not used in benchmarks |
| CKKS Bootstrapping |
ā ļø PARTIAL |
src/fhe/ckks.rs |
Structure exists, Chebyshev approximation needs verification |
| CKKSāBFV Switching |
ā ļø PARTIAL |
src/fhe/ckks.rs |
SchemeSwitcher exists, not integrated |
| Speculative Execution |
ā ORPHANED |
src/fhe/speculative.rs |
Implementation exists (~500 lines), never used |
š What's Actually Running in Each Mode
Turbo Mode (N=1024)
Connected: Scalar Radix-4 NTT, Pooled Buffers, Precomputed Twiddles
Not Connected: Montgomery (uses naive u128), Parallel NTT (single-threaded)
Standard Mode (N=2048)
Connected: Scalar Radix-4 NTT, Pooled Buffers
ORPHANED:
- Parallel NTT - would process 3 moduli in parallel
- Montgomery multiplication - would reduce ~29 hot-path divisions
- Bajard RNS - would give 4x speedup on multiply
Precision Mode (N=4096)
Connected: Scalar Radix-4 NTT, Pooled Buffers
ORPHANED:
- Parallel NTT - would process 5 moduli in parallel
- Montgomery multiplication
- Bajard RNS - would give 4x speedup on multiply
- Metal NTT - would give 10x speedup on Apple Silicon
š§ Code Evidence
Parallel NTT Never Called
$ grep -c "forward_parallel\|inverse_parallel" src/fhe/bfv.rs
0
Bajard RNS Never Imported
$ grep -c "bajard\|Bajard" src/fhe/bfv.rs
0
Metal NTT Never Imported
$ grep -c "metal\|Metal" src/fhe/bfv.rs
0
29 Naive u128 Multiplications in Hot Path
$ grep -c "as u128 \* " src/fhe/bfv.rs
29
š Recommended Fixes
- Add parallel NTT: Call
ntt.forward_parallel() instead of looping over moduli
- Wire up Bajard RNS: Import and use
BajardMultiplier in Evaluator::multiply()
- Enable Metal NTT: Add
#[cfg(all(target_os = "macos", feature = "metal"))] path in BfvContext
- Use Montgomery in hot path: Replace
((a as u128 * b as u128) % q as u128) as u64 with montgomery.montgomery_mul()
- Add ARM NEON: Implement NEON intrinsics for Apple Silicon as alternative to AVX-512
š Performance After FULL Optimizations
| Mode | Original | After (Current) | Improvement |
|---|
| Turbo Full Auth | 679 Āµs | 674 Āµs | - |
| Standard Full Auth | 2.19 ms | 1.74 ms | 20% faster |
| Precision Full Auth | 8.43 ms | 4.18 ms | 50% faster!!! |
| Encrypt Precision | 6.88 ms | 3.07 ms | 55% faster |
| Multiply Precision | 637 Āµs | 354 Āµs | 1.8x |
Optimizations Now Connected
- ā
Parallel NTT in encrypt(): All moduli processed in parallel via Rayon
- ā
Parallel moduli in multiply(): All moduli processed in parallel
- ā
Montgomery multiplication: Used in hot paths for Standard/Precision
- ā
forward_ntt_all() / inverse_ntt_all(): Now actually called!
Remaining Opportunities
- Metal NTT: Requires actual Metal API integration (metal-rs crate). Could give additional 10x on NTT.
- Keep Data in Montgomery Form: Currently converting to/from Montgomery per operation.
- Full CRT Decrypt: Current decrypt() only uses modulus 0 for simplicity. Full CRT reconstruction would be more accurate and enable parallel processing across moduli.
Investigated But Not Beneficial
- multiply_and_switch() / mod_switch() before decrypt: TESTED - adds overhead without benefit.
Current decrypt() only accesses modulus 0 (ignores extra moduli), so pre-switching just adds
expensive u128 division overhead. Would only help with full CRT decrypt implementation.
- strip_for_decrypt(): TESTED - clone overhead exceeds minimal benefit from smaller
data structure. Useful for serialization/network transfer but not for in-memory decrypt.