a590003

space modulus p), we need to convert ⃗c into another ciphertext vector ⃗c ′ satisfying (a) (q ′ ) −1 ⃗c ′ ≡
q −1 ⃗c (mod p), and (b) the “rounding error term” ɛ def = ⃗c ′ − (q ′ /q)⃗c is small. As described in [5], we
apply the following optimized procedure:
1. Let ⃗ δ = ⃗c mod ∆,
2. Add or subtract multiples of ∆ from the coefficients in ⃗ δ until it is divisible by p,
3. Set ⃗c ∗ = ⃗c − ⃗ δ, // ⃗c ∗ divisible by ∆, and ⃗c ∗ ≡ ⃗c (mod p)
4. Output ⃗c ′ = ⃗c/∆.
An argument similar to the proof of [2, Lemma 4] shows that if before the transformation we
had m = [〈⃗c, ⃗s〉] q ≡ q · m (mod p), then after the transformation we have m ′ = [〈⃗c ′ , ⃗s〉] q ′ ≡ q ′ · m
(mod p), as needed. (The difference from [2, Lemma 4] is that we do not assume that q, q ′ ≡ 1
(mod p).)
Considering the noise magnitude, we can write ⃗c ′ = ⃗c/∆ + ⃗ɛ where ⃗ɛ is the rounding error (i.e.,
the terms that are added in Step 2 above, divided by ∆). The noise polynomial is thus scaled down
by a ∆ factor, then increased by the additive term a def = 〈⃗ɛ, ⃗s〉 = ∑ j ɛ j(X) · s r j
j
(X t j
) (with a ∈ A).
We make the heuristic assumption that the coefficients in all the ɛ j ’s behave as if they are chosen
uniformly in the interval −[p/2, p/2). Under this assumption, we have
[
E |ɛ j (τ m )| 2] = φ(m) · p 2 /12,
since the variance of a uniform random variable in −[p/2, p/2) is p 2 /12, and ɛ j (τ m ) is a sum of
φ(m) such variables, scaled by different magnitude-1 complex constants. Assuming heuristically
that the ɛ j ’s are independent of the public key, we have
[
E |a(τ m )| 2] = ∑ j
[
E |ɛ j (ρ m )| 2] [ ∣∣∣s r
· E
j
j
(X t j ) ∣ 2] ≈ ∑ j
(φ(m) · p 2 /12) · (r j )! · H r j
j
,
where p is the plaintext-space modulus, H j is the Hamming weight of the secret key for the j’th
part, and r j is the power of that secret key.
3.1.6 Key-switching/re-linearization
The re-linearization operation ensures that all the ciphertext parts have handles that point to either
the constant 1 or a base secret-key: Any ciphertext part j with a handle pointing to s r j
j
(X t j
) with
either r j > 1 or r j = 1 and t j > 1, is replace by two adding two parts, one that points to 1 and
the other than points to s j (X), using some key-switching matrices from the public key. Also, a
side-effect of re-linearization is that we add all the “special primes” to the prime-set of the resulting
ciphertext.
To explain the re-linearization procedure, we begin by recalling that the “ciphertext primes”
that define our moduli-chain are partitioned into some number n ≥ 1 of “digits”, of roughly equal
size. (For example, say that we have 15 small primes in the chain and we partition them to three
digits, then we may take the first five primes to be the first digit, the next five primes to be the
second, and the last five primes to be the third.) The size of a digit is the product of all the primes
that are associated with it, and below we denote by D i the size of the i’th digit.
19
16. Design and Implementation of a Homomorphic-Encryption Library