a590003

Here, each index i t runs over the set {0, . . . , m − 1}. In this sum, because of independence and the
fact that any odd power of f i has expected value 0, the only terms that contribute a non-zero value
are those in which each index value occurs an even number of times, in which case, if there are k
distinct values among i 1 , . . . , i 2r , we have
E[f i1 · · · f i2r ] = (H/m) k .
We want to regroup the terms in (4). To this end, we introduce some notation: for an integer
t ∈ {1, . . . , 2r} define w(t) = 1 if t ≤ r, and w(t) = −1 if t > r; for a subset e ⊆ {1, . . . , 2r}, define
w(e) = ∑ t∈e
w(t). We call w(e) the “weight” of e. Then we have:
∑
E[f(τ) 2r ] = (H/m) ∑ k ′
τ j 1w(e 1 )+···+j k w(e k ) . (5)
j 1 ,...,j k
P ={e 1 ,...,e k }
Here, the outer summation is over all “even” partitions P = {e 1 , . . . , e k } of the set {1, . . . , 2r}, where
each element of the partition has an even cardinatilty. The inner summation is over all sequences
of indices j 1 , . . . , j k , where each index runs over the set {0, . . . , m − 1}, but where no value in the
sequence is repeated — the special summation notation ∑ ′
j 1 ,...,j k
emphasizes this restriction.
Since |τ| = 1, it is clear that
∑
∣ E[f(τ)2r ] − (H/m) ∑
k
∣ ≤
∑
(H/m) k (m k − m k ) (6)
P ={e 1 ,...,e k }
j 1 ,...,j k
τ j 1w(e 1 )+···+j k w(e k )
P ={e 1 ,...,e k }
Note that in this inequality the inner sum on the left is over all sequences of indices j 1 , . . . , j k ,
without the restriction that the indices in the sequence are unique.
Our first task is to bound the sum on the right-hand side of (6). Observe that any even partition
P = {e 1 , . . . , e k } can be formed by merging the edges of some perfect matching on the complete
graph on vertices {1, . . . , 2r}. So we have
∑
∑
(H/m) k (m k − m k ) ≤ (H/m) k k 2 m k−1 (by Lemma 1)
P ={e 1 ,...,e k }
Combining this with (6), we have
∑
∣ E[f(τ)2r ] −
P ={e 1 ,...,e k }
P ={e 1 ,...,e k }
≤ r2
m
≤ r2
m M 2r
≤ r2 2 r r!
m
∑
P ={e 1 ,...,e k }
≤ r2 2 r+1 r!
m
r∑
k=1
r∑
k=1
H k
{ r
k}
H k
{ r
k}
H k (by (3))
r∑
k=1
= r2 2 r+1 r!
m Hr (by 1).
(H/m) k
∑
(partitions formed from matchings)
{ r
k}
H k (by Lemma 2)
j 1 ,...,j k
τ j 1w(e 1 )+···+j k w(e k )
39
∣ ≤ r!Hr · 2r+1 r 2
m . (7)
16. Design and Implementation of a Homomorphic-Encryption Library