a590003

The computation needed to compute the tensored ciphertext c 3 is Õ(dn2 j log q j). For the RLWE instantiation,
since n j = 1 and since (as we will see) log q j depends logarithmically on the security parameter and
linearly on L, the computation here is only quasi-linear in the security parameter. For the LWE instantiation,
the computation is quasi-quadratic.
4.3 Correctness and Performance of FHE.Refresh
FHE.Refresh consists of three steps: Expand, Switch Moduli, and Switch Keys. We address each of these
steps in turn.
Correctness and Performance of the Expand Step. The Expand step of FHE.Refresh takes as input a long
ciphertext c under the long tensored key s ′ j = s j ⊗ s j for modulus q j . It simply applies the Powersof2
transformation to c to obtain c 1 . By Lemma 2, we know that
〈
Powersof2(c, qj ), BitDecomp(s ′ j, q j ) 〉 = 〈 c, s ′ 〉
j mod qj
i.e., we know that if s ′ j decrypts c correctly, then s′′ j decrypts c 1 correctly. The noise has not been affected
at all.
If implemented naively, the computation in the Expand step is Õ(dn2 j log2 q j ). The somewhat high
computation is due to the fact that the expanded ciphertext is a ( ( n j +1) 2 · ⌈log qj ⌉)-dimensional vector over
R q .
However, recall that s j is drawn using the distribution χ – i.e., it has small coefficients of size basically
independent of q j . Consequently, s ′ j also has small coefficients, and we can use this a priori knowledge
in combination with an optimized version of BitDecomp to output a shorter bit decomposition of s ′ j – in
particular, a ( ( n j +1) 2 · ⌈log q
′
j ⌉)-dimensional vector over R q where q j ′ ≪ q j is a bound (with overwhelming
probability) on the coefficients of elements output by χ. Similarly, we can use an abbreviated version of
Powersof2(c, q j ). In this case, the computation is Õ(dn2 j log q j).
Correctness and Performance of the Switch-Moduli Step. The Switch Moduli step takes as input a ciphertext
c 1 under the secret bit-vector s ′′
j for the modulus q j, and outputs the ciphertext c 2 ← Scale(c 1 , q j , q j−1 , 2),
which we claim to be a ciphertext under key s ′′
j for modulus q j−1. Note that s ′′
j is a short secret key, since it
is a bit vector in R t j
2 for t j ≤ ( n j +1) 2 · ⌈log qj ⌉. By Corollary 1, and using the fact that l 1 (s ′′
j ) ≤ √ d · t j , the
following is true: if the noise of c 1 has length at most B < q j /2 − (q j /q j−1 ) · d · γ R · t j , then correctness
is preserved and the noise of c 2 is bounded by (q j−1 /q j ) · B + d · γ R · t j . Of course, the key feature of this
step for our purposes is that switching moduli may reduce the length of the moduli when q j−1 < q j .
We capture the correctness of the Switch-Moduli step in the following lemma.
Lemma 8. Let c 1 be a ciphertext under the key s ′′
j = BitDecomp(s j ⊗ s j , q j ) such that e j ← [〈c 1 , s ′′
j 〉] q j
has length at most B and m = [e j ] 2 . Let c 2 ← Scale(c 1 , q j , q j−1 , 2), and let e j−1 = [〈c 2 , s ′′
j 〉] q j−1
. Then,
e j−1 (the new noise) has length at most (q j−1 /q j ) · B + d · γ R · (n j +1) 2 · ⌈log qj ⌉, and (assuming this noise
length is less than q j−1 /2) we have m = [e j−1 ] 2 .
The computation in the Switch-Moduli step is Õ(dn2 j log q j), using the optimized versions of BitDecomp
and Powersof2 mentioned above.
Correctness and Performance of the Switch-Key Step. Finally, in the Switch Keys step, we take as input a
ciphertext c 2 under key s ′′
j for modulus q j−1 and set c 3 ← SwitchKey(τ s ′′
j →s , c j−1 2, q j−1 ), a ciphertext under
the key s j−1 for modulus q j−1 . In Lemma 3, we proved the correctness of key switching and established
that the noise grows only by the additive factor 2 〈BitDecomp(c 2 , q j−1 ), e〉, where BitDecomp(c 2 , q j−1 ) is
14
2. Fully Homomorphic Encryption without Bootstrapping