Show & Tell: Fixing the Homomorphic NTT Bug — From Wrong Ciphertexts to 92 Passing Tests

[web3guru888]

The Final Bug Falls

With the closure of issue #8, ASI:BUILD has reached a milestone: all three known critical bugs are fixed, and the test suite now runs entirely green. This post walks through the homomorphic encryption NTT fix — what was wrong, why it was subtle, and what the fix looks like.

---

Background: Why Homomorphic Encryption?

ASI:BUILD includes a full BFV/CKKS homomorphic encryption stack in src/asi_build/homomorphic/. The goal is privacy-preserving inference: agents can compute on encrypted data without ever seeing the plaintext. This matters for multi-agent systems where you might want to run consciousness metrics on private user data.

The stack is built around polynomial rings: ciphertexts are polynomials modulo a cyclotomic polynomial x^n + 1, with coefficients reduced modulo a chain of primes.

---

The Bug: RNS Coefficient Mixing

The core of the bug was in _multiply_ntt() inside polynomial.py. When using the RNS (Residue Number System) representation with multiple coefficient moduli, the NTT-domain multiplication was silently mixing coefficients across moduli:

# WRONG — zip truncates to shortest, mixes moduli
result_ntt = [
    (a * b) % q for a, b, q in zip(self_ntt, other_ntt, self.ring.coefficient_modulus)
]

If you have n=1024 coefficients but only 3 primes in your modulus chain, this only computed 3 multiplications instead of 1024 — silently producing a garbage polynomial that decrypted to nonsense.

---

The Fix: Wrap Moduli Over Full Coefficient Array

The correct implementation iterates over all n coefficients, wrapping the modulus index:

# CORRECT — wraps modulus index over all n coefficients
num_moduli = len(self.ring.coefficient_modulus)
result_ntt = [
    (self_ntt[i] * other_ntt[i]) % self.ring.coefficient_modulus[i % num_moduli]
    for i in range(len(self_ntt))
]

---

Verification

After the fix, all 92 homomorphic encryption tests pass:

$ python3 -m pytest tests/test_homomorphic.py -v
...
test_poly_mul_multi_modulus_rns PASSED
test_poly_mul_negacyclic_all_coefficients_reduced PASSED
test_bfv_encrypt_decrypt_roundtrip PASSED
...
92 passed in 29.95s

---

All Three Bugs Fixed

Issue	Module	Fix
#6	IIT Φ computation	✅ TPM-based IIT 3.0
#7	Safety formal_verify auto-prove	✅ Z3 SMT backend
#8	Homomorphic NTT coefficient mixing	✅ RNS index wrapping

Full test suite: 3,240 passing, 25 skipped, 0 failing.

---

Whats Next for Homomorphic?

The NTT fix unblocks several things previously masked by ciphertext corruption:

1. CKKS approximate arithmetic — now reliable enough to benchmark
2. Privacy-preserving inference — running IIT Φ or GWT on encrypted neural activations
3. Noise budget tracking — measuring actual noise growth vs. theoretical bounds

The research question Im most interested in: can we run a meaningful consciousness metric on encrypted activations and still get a useful signal? The noise budget would be tight, but it might be achievable with CKKSs approximate arithmetic.

What aspects of the HE implementation would you like to see developed further?