Design and Implementation of a Homomorphic ... - Researcher
space modulus $p$), we need to convert $\vec{c}$ into another ciphertext vector $\vec{c}'$ satisfying (a) $(q')^{-1}\vec{c}' \equiv q^{-1}\vec{c} \pmod{p}$, and (b) the “rounding error term” $\epsilon \stackrel{\text{def}}{=} \vec{c}' - (q'/q)\vec{c}$ is small. As described in [5], we apply the following optimized procedure:

1. Let $\vec{\delta} = \vec{c} \bmod \Delta$,
2. Add or subtract multiples of $\Delta$ from the coefficients in $\vec{\delta}$ until it is divisible by $p$,
3. Set $\vec{c}^* = \vec{c} - \vec{\delta}$, // $\vec{c}^*$ divisible by $\Delta$, and $\vec{c}^* \equiv \vec{c} \pmod{p}$
4. Output $\vec{c}' = \vec{c}/\Delta$.

An argument similar to the proof of [2, Lemma 4] shows that if before the transformation we had $\mathfrak{m} = [\langle \vec{c}, \vec{s} \rangle]_q \equiv q \cdot m \pmod{p}$, then after the transformation we have $\mathfrak{m}' = [\langle \vec{c}', \vec{s} \rangle]_{q'} \equiv q' \cdot m \pmod{p}$, as needed. (The difference from [2, Lemma 4] is that we do not assume that $q, q' \equiv 1 \pmod{p}$.)

Considering the noise magnitude, we can write $\vec{c}' = \vec{c}/\Delta + \vec{\epsilon}$ where $\vec{\epsilon}$ is the rounding error (i.e., the terms that are added in Step 2 above, divided by $\Delta$). The noise polynomial is thus scaled down by a $\Delta$ factor, then increased by the additive term $a \stackrel{\text{def}}{=} \langle \vec{\epsilon}, \vec{s} \rangle = \sum_j \epsilon_j(X) \cdot s_j^{r_j}(X^{t_j})$ (with $a \in A$). We make the heuristic assumption that the coefficients in all the $\epsilon_j$'s behave as if they are chosen uniformly in the interval $[-p/2, p/2)$. Under this assumption, we have

$$E\left[|\epsilon_j(\tau_m)|^2\right] = \phi(m) \cdot p^2/12,$$

since the variance of a uniform random variable in $[-p/2, p/2)$ is $p^2/12$, and $\epsilon_j(\tau_m)$ is a sum of $\phi(m)$ such variables, scaled by different magnitude-1 complex constants. Assuming heuristically that the $\epsilon_j$'s are independent of the public key, we have

$$E\left[|a(\tau_m)|^2\right] = \sum_j E\left[|\epsilon_j(\rho_m)|^2\right] \cdot E\left[\left|s_j^{r_j}(X^{t_j})\right|^2\right] \approx \sum_j (\phi(m) \cdot p^2/12) \cdot (r_j)! \cdot H_j^{r_j},$$

where $p$ is the plaintext-space modulus, $H_j$ is the Hamming weight of the secret key for the $j$'th part, and $r_j$ is the power of that secret key.
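
The modulus-switching procedure above, as an added Python example (not code from the original document or from HElib). Assumptions: polynomials are degree 0 (plain integers), the toy primes and the names `centered`, `mod_switch`, `decrypt` and `toy_demo` are constructed for illustration, $\Delta = q/q'$ with $\gcd(\Delta, p) = 1$, and the output is computed as the exact quotient $\vec{c}^*/\Delta$, which equals $\vec{c}/\Delta + \vec{\epsilon}$ from the noise analysis.

```python
# Added illustration: toy parameters are constructed, not taken from HElib.
# Polynomials are degree 0 (plain integers) so <c, s> is an ordinary dot product.

def centered(x, q):
    """[x]_q: the representative of x mod q in [-q/2, q/2)."""
    r = x % q
    return r - q if 2 * r >= q else r

def mod_switch(c, Delta, p):
    """Steps 1-4, coefficient-wise. Returns (c', eps) with c' = c/Delta + eps."""
    inv = pow(Delta, -1, p)                # requires gcd(Delta, p) = 1
    out, eps = [], []
    for x in c:
        d = x % Delta                      # step 1: delta = c mod Delta
        d += ((-d * inv) % p) * Delta      # step 2: add multiples of Delta until p | delta
        if 2 * d >= p * Delta:             # keep delta in [-p*Delta/2, p*Delta/2)
            d -= p * Delta
        star = x - d                       # step 3: c* = c - delta
        assert star % Delta == 0 and (star - x) % p == 0
        out.append(star // Delta)          # step 4: exact division by Delta
        eps.append(-d / Delta)             # rounding term, |eps| <= p/2
    return out, eps

def decrypt(c, s, q, p):
    """Recover m from the noise n = [<c, s>]_q, which satisfies n = q*m (mod p)."""
    n = centered(sum(a * b for a, b in zip(c, s)), q)
    return n, (pow(q, -1, p) * n) % p

def toy_demo():
    p, Delta, q_new = 5, 1019, 1009 * 1013  # q_new stands for q', q = q' * Delta
    q = q_new * Delta
    s, m = [1, -3], 2                       # small secret-key vector, plaintext in Z_p
    noise = centered(q * m, p) + 37 * p     # small integer congruent to q*m mod p
    c1 = 987654321                          # arbitrary element of Z_q
    c = [(noise - c1 * s[1]) % q, c1]       # constructed so that [<c, s>]_q = noise
    n_old, m_old = decrypt(c, s, q, p)
    c_new, eps = mod_switch(c, Delta, p)
    n_new, m_new = decrypt(c_new, s, q_new, p)
    return {"m": m, "m_old": m_old, "m_new": m_new,
            "n_old": n_old, "n_new": n_new, "eps": eps}

if __name__ == "__main__":
    print(toy_demo())
```

The noise drops from `n_old` to roughly `n_old / Delta` plus the term $\langle \vec{\epsilon}, \vec{s} \rangle$, while the recovered plaintext is unchanged.
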
3.1.6 Key-switching/re-linearization<br />
The re-linearization operation ensures that all the ciphertext parts have handles that point to either the constant 1 or a base secret-key: Any ciphertext part $j$ with a handle pointing to $s_j^{r_j}(X^{t_j})$ with either $r_j > 1$ or $r_j = 1$ and $t_j > 1$, is replaced by adding two parts, one that points to 1 and the other that points to $s_j(X)$, using some key-switching matrices from the public key. Also, a side-effect of re-linearization is that we add all the “special primes” to the prime-set of the resulting ciphertext.

To explain the re-linearization procedure, we begin by recalling that the “ciphertext primes” that define our moduli-chain are partitioned into some number $n \ge 1$ of “digits”, of roughly equal size. (For example, say that we have 15 small primes in the chain and we partition them to three digits, then we may take the first five primes to be the first digit, the next five primes to be the second, and the last five primes to be the third.) The size of a digit is the product of all the primes that are associated with it, and below we denote by $D_i$ the size of the $i$'th digit.