Design and Implementation of a Homomorphic ... - Researcher
where $D_i$ is the size of the $i$'th digit. See Section 3.1.6 for more details.

addConstant. We roughly add the size of the constant to our noise estimate. The calling application can either specify the size of the constant, or else we use the default value $sz = \phi(m) \cdot (p/2)^2$. Recalling that when current modulus is $q$ we need to scale up the constant by $q \bmod p$, we therefore set $\text{noiseVar}' = \text{noiseVar} + (q \bmod p)^2 \cdot sz$.

multByConstant. We multiply our noise estimate by the size of the constant. Again, the calling application can either specify the size of the constant, or else we use the default value $sz = \phi(m) \cdot (p/2)^2$. Then we set $\text{noiseVar}' = \text{noiseVar} \cdot sz$.

Addition. We first add primes to the prime-set of the two arguments until they are both defined relative to the same prime-set (i.e. the union of the prime-sets of both arguments). Then we just add the noise estimates of the two arguments, namely $\text{noiseVar}' = \text{noiseVar} + \text{other.noiseVar}$.

Multiplication. We first remove primes from the prime-set of the two arguments until they are both defined relative to the same prime-set (i.e. the intersection of the prime-sets of both arguments). Then the noise estimate is set to the product of the noise estimates of the two arguments, multiplied by an additional factor which is computed as follows: Let $r_1$ be the highest power of $s$ (i.e., the powerOfS value) in all the handles in the first ciphertext, and similarly let $r_2$ be the highest power of $s$ in all the handles in the second ciphertext, then the extra factor is $\binom{r_1+r_2}{r_1}$. Namely, we have $\text{noiseVar}' = \text{noiseVar} \cdot \text{other.noiseVar} \cdot \binom{r_1+r_2}{r_1}$. (In particular if the two arguments are canonical ciphertexts then the extra factor is $\binom{2}{1} = 2$.) See Section 3.1.7 for more details.

Automorphism. The noise estimate does not change by an automorphism operation.

3.1.5 Modulus-switching operations<br />
Our library supports modulus-switching operations, both adding and removing small primes from the current prime-set of a ciphertext. In fact, our decision to include an extra factor of $(q \bmod p)$ in a ciphertext relative to current modulus $q$ and plaintext-space modulus $p$, is mainly intended to somewhat simplify these operations.

To add primes, we just apply the operation addPrimesAndScale to all the ciphertext parts (which are polynomials in Double-CRT format). This has the effect of multiplying the ciphertext by the product of the added primes, which we denote here by $\Delta$, and we recall that this operation is relatively cheap (as it involves no FFTs or CRTs, cf. Section 2.8). Denote the current modulus before the modulus-UP transformation by $q$, and the current modulus after the transformation by $q' = q \cdot \Delta$. If before the transformation we have $[\langle \vec{c}, \vec{s} \rangle]_q = m$, then after this transformation we have $\langle \vec{c}', \vec{s} \rangle = \langle \Delta \cdot \vec{c}, \vec{s} \rangle = \Delta \cdot \langle \vec{c}, \vec{s} \rangle$, and therefore $[\langle \vec{c}', \vec{s} \rangle]_{q \cdot \Delta} = \Delta \cdot m$. This means that if before the transformation we had by our invariant $[\langle \vec{c}, \vec{s} \rangle]_q = m \equiv q \cdot m \pmod{p}$, then after the transformation we have $[\langle \vec{c}', \vec{s} \rangle]_{q'} = \Delta \cdot m \equiv q' \cdot m \pmod{p}$, as needed.
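
The modulus-UP argument above can be checked numerically. The following is an added example, not code from the library: it is a toy scalar model in which plain integers stand in for the Double-CRT polynomials, and every name (Ctxt, encrypt, noisy, decrypt, mod_up) and every constant is a constructed assumption.

```cpp
#include <cstdint>
#include <cstdio>
using i64 = std::int64_t;

struct Ctxt { i64 c0, c1, q; };  // toy ciphertext (c0, c1) relative to modulus q

// Non-negative remainder, and centered reduction [x]_q in (-q/2, q/2].
i64 pmod(i64 x, i64 q) { return ((x % q) + q) % q; }
i64 centered(i64 x, i64 q) { i64 r = pmod(x, q); return r > q / 2 ? r - q : r; }

// Inverse of a modulo a small prime p (brute force is enough for a toy p).
i64 inv_mod(i64 a, i64 p) {
    for (i64 x = 1; x < p; ++x) if (pmod(a * x, p) == 1) return x;
    return 0;  // no inverse exists: p divides a
}

// Encrypt m under secret (1, s) so that [<c,s>]_q = ((q mod p)*m mod p) + p*e.
Ctxt encrypt(i64 m, i64 s, i64 q, i64 p, i64 e, i64 c1) {
    i64 mu = pmod((q % p) * m, p) + p * e;  // small value congruent to q*m mod p
    return {pmod(mu - c1 * s, q), c1, q};
}

// The noisy value [<c,s>]_q recovered with the secret key.
i64 noisy(const Ctxt& ct, i64 s) { return centered(ct.c0 + ct.c1 * s, ct.q); }

// Decryption that removes the (q mod p) factor carried by the invariant.
i64 decrypt(const Ctxt& ct, i64 s, i64 p) {
    return pmod(noisy(ct, s) * inv_mod(ct.q % p, p), p);
}

// Modulus-UP: multiply every part by delta; the modulus becomes q * delta.
Ctxt mod_up(const Ctxt& ct, i64 delta) {
    return {ct.c0 * delta, ct.c1 * delta, ct.q * delta};
}

int main() {
    const i64 p = 17, s = 777, q = 1009LL * 1013LL, delta = 1019;  // constructed
    Ctxt ct = encrypt(5, s, q, p, 3, 123456);
    Ctxt up = mod_up(ct, delta);
    std::printf("before: noisy=%lld m=%lld\n",
                (long long)noisy(ct, s), (long long)decrypt(ct, s, p));
    std::printf("after:  noisy=%lld m=%lld\n",
                (long long)noisy(up, s), (long long)decrypt(up, s, p));
    // Reducing mod p without removing (q mod p) gives a value that depends on q.
    std::printf("naive:  %lld vs %lld\n",
                (long long)pmod(noisy(ct, s), p), (long long)pmod(noisy(up, s), p));
    return 0;
}
```

The noisy value grows by exactly the factor delta, while the decrypted plaintext is unchanged because the factor removed at decryption tracks the current modulus.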

For a modulus-DOWN operation (i.e., removing primes) from the current modulus $q$ to the smallest modulus $q'$, we need to scale the ciphertext $\vec{c}$ down by a factor of $\Delta = q/q'$ (thus getting a fractional ciphertext), then round appropriately to get back an integer ciphertext. Using our invariant about the extra factor of $(q \bmod p)$ in a ciphertext relative to modulus $q$ (and plaintext