a590003

Proof. By definition
⟨c, (1, s)⟩ =
=
=
=
⟨ ⌊ q
⟩
P T · r + · m, (1, s) (mod q)
⌊
2⌋
q
· m + r
2⌋
T P · (1, s) (mod q)
⌊ q
· m + r
2⌋
T b − r T As (mod q)
⌊ q
· m + ⟨r, e⟩ (mod q) .
2⌋
The lemma follows since |⟨r, e⟩| ≤ N · B.
We proceed to state the correctness of decryption for low-noise ciphertexts. The proof easily
follows by assignment into the definition of Regev.Dec and is omitted.
Lemma 3.2 (decryption noise). Let s ∈ Z n be some vector, and let c ∈ Z n+1
q
⌊ q
⟨c, (1, s)⟩ = · m + e (mod q) ,
2⌋
be such that
with m ∈ {0, 1} and |e| < ⌊q/2⌋ /2. Then
Regev.Dec s (c) = m .
Security. The following lemma states the security of Regev. The proof is standard (see e.g. [Reg05])
and is omitted.
Lemma 3.3. Let n, q, χ be some parameters such that DLWE n,q,χ holds. Then for any m ∈ {0, 1}, if
s←Regev.SecretKeygen(1 n ), P←Regev.PublicKeygen(s), c←Regev.Enc P (m), it holds that the joint
distribution (P, c) is computationally indistinguishable from uniform over Zq N×(n+1) × Z n+1
q .
3.2 Vector Decomposition and Key Switching
We show how to decompose vectors in a way that preserves inner product and how to generate and
use key switching parameters. Our notation is generally adopted from [BGV12].
Vector Decomposition.
We often break vectors into their bit representations as defined below:
• BitDecomp q (x): For x ∈ Z n , let w i ∈ {0, 1} n be such that x = ∑ ⌈log q⌉−1
i=0
2 i·w i (mod q). Output
the vector
(w 0 , . . . , w ⌈log q⌉−1 ) ∈ {0, 1} n·⌈log q⌉ .
• PowersOfTwo q (y): For y ∈ Z n , output
[
]
(y, 2 · y, . . . , 2 ⌈log q⌉−1 q⌉
· y) ∈ Zn·⌈log
q .
q
We will usually omit the subscript q when it is clear from the context.
Claim 3.4. For all q ∈ Z and x, y ∈ Z n , it holds that
⟨x, y⟩ = ⟨BitDecomp q (x), PowersOfTwo q (y)⟩ (mod q) .
9
6. FHE without Modulus Switching