Design and Implementation of a Homomorphic ... - Researcher

with ˜c 2 = [ ∑ j c′′ j ] qQ ∗
˜c 2 + ˜c 1 s j =
and ˜c 1 = [ ∑ j c′ j ] qQ∗, and we have
⎛
⎝ ∑ j
⎞
c j s ′ ⎠
j + p ( ∑ ) ( ∑ )
e i c i,j = m + p e i c i,j
i,j
i,j
(mod qQ ∗ ).
Hence, as long as the additive term p( ∑ i,j e ic i,j ) is small enough, decrypting the new ciphertext
yields the same plaintext value modulo p as decrypting the original ciphertext ⃗c.
In terms of noise magnitude, we first scale up the noise by a factor of Q ∗ when adding all the
special primes, and then add the extra noise term p · ∑i,j e ic i,j . Since the c i,j ’s have coefficients of
magnitude at most D i /2 and the polynomials e i are RLWE error terms with zero-mean coefficients
and variance σ 2 , then the second moment of e i (τ m ) · c i,j (τ m ) is no more than φ(m)σ 2 · Di 2 /4. Thus
for every ciphertext part that we need to switch (i.e. that has a handle that points to something
other than 1 or base), we add a term of φ(m)σ 2 · p 2 · Di 2 /4. Therefore, if our noise estimate after
the scale-up is noiseVar ′ and we need to switch k
3.1.7 Native arithmetic operations
∑
noiseVar ′′ = noiseVar ′ + k · φ(m)σ 2 · p 2 · Di 2 /4
The native arithmetic operations that can be performed on ciphertexts are negation, addition/subtraction,
multiplication, addition of constants, multiplication by constant, and automorphism. In our library
we expose to the application both the operations in their “raw form” without any additional
modulus- or key-switching, as well as some higher-level interfaces for multiplication and automorphisms
that include also modulus- and key-switching.
Negation. The method Ctxt::negate() transforms an encryption of a polynomial m ∈ A p to
an encryption of [−m] p , simply by negating all the ciphertext parts modulo the current modulus.
(Of course this has an effect on the plaintext only when p > 2.) The noise estimate is unaffected.
Addition/subtraction. Both of these operations are implemented by the single method
void Ctxt::addCtxt(const Ctxt& other, bool negative=false);
depending on the negative boolean flag. For convenience, we provide the methods Ctxt::operator+=
and Ctxt::operator-= that call addCtxt with the appropriate flag. A side effect of this operation
is that the prime-set of *this is set to the union of the prime sets of both ciphertexts. After this
scaling (if needed), every ciphertext-part in other that has a matching part in *this (i.e. a part
with the same handle) is added to this matching part, and any part in other without a match is
just appended to *this. We also add the noise estimate of both ciphertexts.
Constant addition. Implemented by the methods
void Ctxt::addConstant(const ZZX& poly, double size=0.0);
void Ctxt::addConstant(const DoubleCRT& poly, double size=0.0);
The constant is scaled by a factor f = (q mod p), with q the current modulus and p the ciphertext
modulus (to maintain our invariant that a ciphertext relative to q has this extra factor), then added
to the part of *this that points to 1. The calling application can specify the size of the added
21
n ′
i=1