Design and Implementation of a Homomorphic ... - Researcher
Automorphism. “Raw” automorphism is implemented in the method
void Ctxt::automorph(long k);
For convenience we also provide Ctxt& operator>>=(long k); that does the same thing. These
methods just apply the automorphism $X \mapsto X^k$ to every part of the current ciphertext, without
changing the noise estimate, and multiply by k (modulo m) the powerOfX value in the handles of
all these parts.
“Smart” Automorphism. Higher-level automorphism is implemented in the method
void Ctxt::smartAutomorph(long k);
The difference between automorph and smartAutomorph is that the latter ensures that the result
can be re-linearized using key-switching matrices from the public key. Specifically, smartAutomorph
breaks the automorphism $X \mapsto X^k$ into some number $t \ge 1$ of steps, $X \mapsto X^{k_i}$ for $i = 1, 2, \ldots, t$,
such that the public key contains key-switching matrices for re-linearizing all these steps (i.e.
$W = W[s(X^{k_i}) \Rightarrow s(X)]$), and at the same time we have $\prod_{i=1}^{t} k_i = k \pmod{m}$. The method
smartAutomorph then begins by re-linearizing its argument, then in every step it performs one of
the automorphisms $X \mapsto X^{k_i}$ followed by re-linearization.
The decision of how to break each exponent $k$ into a sequence of $k_i$'s as above is made off-line
during key-generation, as described in Section 3.2.2. After this off-line computation, the public key
contains a table that for each $k \in \mathbb{Z}_m^*$ indicates the first step to take when implementing the
automorphism $X \mapsto X^k$. The smartAutomorph method looks up the first step $k_1$ in that table, performs
the automorphism $X \mapsto X^{k_1}$, then computes $k' = k/k_1 \bmod m$ and does another lookup in the table
for the first step relative to $k'$, and so on.
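The table walk described above, as an added example (not the library's code and not from the original document). It assumes the table is built by a breadth-first search over products of the exponents in `avail`, standing in for the Section 3.2.2 procedure that is not reproduced on this page; `invMod`, `buildFirstStepTable`, `decompose`, and the values m = 31 and avail = {3, 26} are constructed for illustration.

```cpp
#include <cstdio>
#include <map>
#include <vector>

// Inverse of a modulo m by extended Euclid; requires gcd(a, m) == 1.
long invMod(long a, long m) {
    long r0 = m, r1 = a % m, t0 = 0, t1 = 1;
    while (r1 != 0) {
        long q = r0 / r1, r2 = r0 - q * r1, t2 = t0 - q * t1;
        r0 = r1; r1 = r2; t0 = t1; t1 = t2;
    }
    return ((t0 % m) + m) % m;
}

// Assumed stand-in for the key-generation table: BFS from 1 over products of
// `avail` (exponents that have a key-switching matrix), storing for each
// reachable k the first step of a shortest decomposition.
std::map<long, long> buildFirstStepTable(long m, const std::vector<long>& avail) {
    std::map<long, long> first{{1, 1}};
    std::vector<long> order{1};               // BFS visiting order
    for (size_t i = 0; i < order.size(); ++i) {
        long cur = order[i];
        for (long a : avail) {
            long nxt = (cur * a) % m;
            if (first.count(nxt)) continue;   // already reached by a shorter path
            first[nxt] = (cur == 1) ? a : first[cur];
            order.push_back(nxt);
        }
    }
    return first;
}

// The lookup loop from the text: take k_1 from the table, then continue with
// k' = k / k_1 mod m. Returns false if the table does not cover k.
bool decompose(long k, long m, const std::map<long, long>& first, std::vector<long>& steps) {
    steps.clear();
    for (k %= m; k != 1; ) {
        auto it = first.find(k);
        if (it == first.end()) return false;
        steps.push_back(it->second);
        k = (k * invMod(it->second, m)) % m;
    }
    return true;
}

int main() {
    std::vector<long> steps;                  // constructed sample: m = 31, k = 17
    bool ok = decompose(17, 31, buildFirstStepTable(31, {3, 26}), steps);
    for (long s : steps) std::printf("X -> X^%ld, then re-linearize\n", s);
    return ok ? 0 : 1;
}
```

An exponent the table does not cover (for example, when the available exponents generate only a subgroup of $\mathbb{Z}_m^*$) makes `decompose` return false instead of looping.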
3.1.8 More Ctxt methods<br />
The Ctxt class also provides the following utility methods:
void clear(); Removes all the parts and sets the noise estimate to zero.
xdouble modSwitchAddedNoiseVar() const; Computes the added noise from modulus-switching,
namely it returns $\sum_j (\phi(m) \cdot p^2/12) \cdot (r_j)! \cdot H_j^{r_j}$, where $H_j$ and $r_j$ are respectively the Hamming
weight of the secret key that the j'th ciphertext-part points to, and the power of that secret
key (i.e., the powerOfS value in the relevant handle).
void findBaseSet(IndexSet& s) const; Returns in s the largest prime-set such that modulus-switching
to s would make ctxt.modSwitchAddedNoiseVar the most significant noise term.
In other words, modulus-switching to s results in a significantly smaller noise than to any
larger prime-set, but modulus-switching further down would not reduce the noise by much.
When multiplying ciphertexts using the multiplyBy “high-level” methods, the ciphertexts
are reduced to (the intersection of) their “base sets” levels before multiplying.
long getLevel() const; Returns the number of primes in the result of findBaseSet.
bool inCanonicalForm(long keyID=0) const; Returns true if this is a canonical ciphertext,
with only two parts: one that points to 1 and the other that points to the “base” secret key
$s_i(X)$ (where i = keyID is specified by the caller).