Batch Encoding

While the single-value encoding scheme (§D-2.1) encodes & decodes each individual value one at a time, the batch encoding scheme does the same for a huge list of values simultaneously using a large dimensional vector. Therefore, batch encoding is more efficient than single-value encoding. Furthermore, batch-encoded values can be homomorphically added or multiplied simultaneously element-wise by vector-to-vector addition and Hadamard product. Therefore, the homomorphic operation of batch-encoded values can be processed more efficiently in a SIMD (single-instruction-multiple-data) manner than single-value encoded ones.

BFV’s encoding converts an

n

-dimensional integer input slot vector

\vec{v} = (v_{0}, v_{1}, v_{2}, \dots v_{n - 1})

modulo

t

into another

n

-dimensional vector

\vec{m} = (m_{0}, m_{1}, m_{2}, \dots m_{n - 1})

modulo

t

, which are the coefficients of the encoded

(n - 1)

-degree (or lesser-degree) polynomial

M (X) \in ℤ_{t} [X] ∕ (X^{n} + 1)

D-2.2.1 Encoding₁

In §A-10.6, we learned that an

(n - 1)

-degree (or lesser degree) polynomial can be isomorphically mapped to an

n

-dimensional vector based on the mapping

σ

(we notate

σ_{c}

in §A-10.6 as

σ

for simplicity):

σ : M (X) \in ℤ_{t} [X] ∕ (X^{n} + 1) \to (M (ω), M (ω^{3}), M (ω^{5}), \dots, M (ω^{2 n - 1})) \in ℤ_{t}^{n}

, which evaluates the polynomial

M (X)

n

distinct

(μ = 2 n)

-th primitive roots of unity:

ω, ω^{3}, ω^{5}, \dots, ω^{2 n - 1}

. Let

\vec{m}

be a vector that contains

n

coefficients of the polynomial

M (X)

. Then, we can express the mapping

σ

as follows:

W^{T} = [\begin{matrix} 1 & (ω) & {(ω)}^{2} & \dots & {(ω)}^{n - 1} \\ 1 & (ω^{3}) & {(ω^{3})}^{2} & \dots & {(ω^{3})}^{n - 1} \\ 1 & (ω^{5}) & {(ω^{5})}^{2} & \dots & {(ω^{5})}^{n - 1} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ 1 & (ω^{2 n - 1}) & {(ω^{2 n - 1})}^{2} & \dots & {(ω^{2 n - 1})}^{n - 1} \end{matrix}]

W^{T}

is a transpose of

W

described in §A-10.6

Note that the dot product between each row of

W^{T}

and

\vec{m}

computes the evaluation of

M (X)

at each

X = {w, w^{3}, w^{5}, \dots, w^{2 n - 1}}

. In the BFV encoding scheme, the Encoding₁ process encodes an

n

-dimensional input slot vector

\vec{v}

\in ℤ_{t}

into a plaintext polynomial

M (X) \in ℤ_{t} [X] ∕ (X^{n} + 1)

, and the Decoding₂ process decodes

M (X)

back to

\vec{v}

. Since

W^{T} \cdot \vec{m}

gives us

\vec{v}

which is a decoding of

M (X)

, we call

W^{T}

a decoding matrix. Meanwhile, the goal of Encoding₁ is to encode

\vec{v}

into

M (X)

so that we can do homomorphic computations based on

M (X)

. Given the relation

\vec{v} = W^{T} \cdot \vec{m}

, the encoding formula can be derived as follows:

Therefore, we need to find out what

{(W^{T})}^{- 1}

is, the inverse of

W^{T}

as the encoding matrix. But we already learned from Theorem A-11.4 (in §A-11.4) that

V^{- 1} = \frac{V^{T} \cdot I_{n}^{R}}{n}

, where

V = W^{T}

and

V = W

. In other words,

{(W^{T})}^{- 1} = \frac{W \cdot I_{n}^{R}}{n}

. Therefore, we can express the BFV encoding formula as:

\vec{m} = {(W^{T})}^{- 1} \cdot \vec{v} = \frac{W \cdot I_{n}^{R} \cdot \vec{v}}{n}

, where

W = [\begin{matrix} 1 & 1 & 1 & \dots & 1 \\ (ω) & (ω^{3}) & (ω^{5}) & \dots & (ω^{2 n - 1}) \\ {(ω)}^{2} & {(ω^{3})}^{2} & {(ω^{5})}^{2} & \dots & {(ω^{2 n - 1})}^{2} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ {(ω)}^{n - 1} & {(ω^{3})}^{n - 1} & {(ω^{5})}^{n - 1} & \dots & {(ω^{2 n - 1})}^{n - 1} \end{matrix}]

= [\begin{matrix} 1 & 1 & \dots & 1 & 1 & \dots & 1 & 1 \\ (ω) & (ω^{3}) & \dots & (ω^{\frac{n}{2} - 1}) & (ω^{- (\frac{n}{2} - 1)}) & \dots & (ω^{- 3}) & (ω^{- 1}) \\ {(ω)}^{2} & {(ω^{3})}^{2} & \dots & {(ω^{\frac{n}{2} - 1})}^{2} & {(ω^{- (\frac{n}{2} - 1)})}^{2} & \dots & {(ω^{- 3})}^{2} & {(ω^{- 1})}^{2} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ {(ω)}^{n - 1} & {(ω^{3})}^{n - 1} & \dots & {(ω^{\frac{n}{2} - 1})}^{n - 1} & {(ω^{- (\frac{n}{2} - 1)})}^{n - 1} & \dots & {(ω^{- 3})}^{n - 1} & {(ω^{- 1})}^{n - 1} \end{matrix}]

, where

ω = g^{\frac{t - 1}{2 n}} mod t

(

g

is a generator of

ℤ_{t}^{\times}

). In §A-10.6, we learned that

W

is a valid basis of the

n

-dimensional vector space. Therefore,

\frac{W \cdot \vec{v}}{n} = \vec{m}

is guaranteed to be a unique vector corresponding to each

\vec{v}

in the

n

-dimensional vector space

ℤ_{t}^{n}

(refer to Theorem A-10.4 in §A-10.4), and thereby the polynomial

M (X)

comprising the

n

elements of

\vec{m}

as coefficients is a unique polynomial bi-jective to

\vec{v}

Note that by computing

\frac{W \cdot I_{n}^{R} \cdot \vec{v}}{n}

, we transform the input slot vector

\vec{v}

into another vector

\vec{m}

in the same vector space

ℤ_{t}^{n}

, while preserving isomorphism between these two vectors (i.e., bi-jective one-to-one mappings and homomorphism on the

(+,⋅)

operations).

D-2.2.2 Encoding₂

Once we have the

n

-dimensional vector

\vec{m}

, we scale (i.e., multiply) it by some scaling factor

Δ = ⌊ \frac{q}{t} ⌋

, where

q

is the ciphertext modulus. We scale

\vec{m}

Δ

and make it

Δ \vec{m}

. The

n

integers in

Δ \vec{m}

will be used as

n

coefficients of the plaintext polynomial for RLWE encryption. The finally encoded plaintext polynomial

Δ M = \sum_{i = 0}^{n - 1} Δ m_{i} X^{i}

D-2.2.3 Decoding₁

Once an RLWE ciphertext is decrypted to

Δ M = \sum_{i = 0}^{n - 1} Δ m_{i} X^{i}

, we compute

\frac{Δ \vec{m}}{Δ} = \vec{m}

D-2.2.4 Decoding₂

In §D-2.2.1, we already derived the decoding formula that transforms an

(n - 1)

-degree polynomial having integer modulo

t

coefficients into an

n

-dimensional input slot vector as follows:

D-2.2.5 Summary

$⟨$ Summary D-2.2.5 $⟩$ BFV’s Encoding and Decoding

Input: An $n$ -dimensional integer modulo $t$ vector $\vec{v} = (v_{0}, v_{1}, \dots, v_{n - 1}) \in ℤ_{t}^{n}$

Encoding

1.

Convert

\vec{v} \in ℤ_{t}^{n}

into

\vec{m} \in ℤ_{t}^{n}

by applying the transformation

\vec{m} = n^{- 1} \cdot W \cdot I_{n}^{R} \cdot \vec{v}

, where $W$ is a basis of the $n$ -dimensional vector space crafted as follows:

$W = [\begin{matrix} 1 & 1 & 1 & \dots & 1 \\ (ω) & (ω^{3}) & (ω^{5}) & \dots & (ω^{2 n - 1}) \\ {(ω)}^{2} & {(ω^{3})}^{2} & {(ω^{5})}^{2} & \dots & {(ω^{2 n - 1})}^{2} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ {(ω)}^{n - 1} & {(ω^{3})}^{n - 1} & {(ω^{5})}^{n - 1} & \dots & {(ω^{2 n - 1})}^{n - 1} \end{matrix}]$

$= [\begin{matrix} 1 & 1 & \dots & 1 & 1 & \dots & 1 & 1 \\ (ω) & (ω^{3}) & \dots & (ω^{\frac{n}{2} - 1}) & (ω^{- (\frac{n}{2} - 1)}) & \dots & (ω^{- 3}) & (ω^{- 1}) \\ {(ω)}^{2} & {(ω^{3})}^{2} & \dots & {(ω^{\frac{n}{2} - 1})}^{2} & {(ω^{- (\frac{n}{2} - 1)})}^{2} & \dots & {(ω^{- 3})}^{2} & {(ω^{- 1})}^{2} \\ ⋮ & ⋮ & ⋮ & ⋱ & ⋮ \\ {(ω)}^{n - 1} & {(ω^{3})}^{n - 1} & \dots & {(ω^{\frac{n}{2} - 1})}^{n - 1} & {(ω^{- (\frac{n}{2} - 1)})}^{n - 1} & \dots & {(ω^{- 3})}^{n - 1} & {(ω^{- 1})}^{n - 1} \end{matrix}]$

, where $ω = g^{\frac{t - 1}{2 n}} mod t$ ( $g$ is a generator of $ℤ_{t}^{\times}$ )

2.

Convert

\vec{m}

into a scaled integer vector

Δ \vec{m}

, where

1 \leq Δ \leq ⌊ \frac{q}{t} ⌋

is a scaling factor. If

Δ

is too close to 1, the noise budget will become too small. If

Δ

is too close to

⌊ \frac{q}{t} ⌋

, the plaintext budget will become too small (i.e., cannot wrap around

t

much). The finally encoded plaintext polynomial

Δ M = \sum_{i = 0}^{n - 1} Δ m_{i} X^{i} \in ℤ_{q} [X] ∕ (X^{n} + 1)

Decoding: From the plaintext polynomial $Δ M = \sum_{i = 0}^{n - 1} Δ m_{i} X^{i}$ , recover $\vec{m} = \frac{Δ \vec{m}}{Δ}$ . Then, compute $\vec{v} = W^{T} \cdot \vec{m}$ .

However, Summary D-2.2.5 is not the final version of BFV’s batch encoding. In §D-2.9, we will explain how to homomorphically rotate the input vector slots without decrypting the ciphertext that encapsulates it. To support such homomorphic rotation, we will need to slightly update the encoding scheme explained in Summary D-2.2.5. We will explain how to do this in §D-2.9, and BFV’s final encoding scheme is summarized in Summary D-2.9.3 in §D-2.9.3.

D-2.2 Batch Encoding

D-2.2.1 Encoding1

D-2.2.2 Encoding2

D-2.2.3 Decoding1

D-2.2.4 Decoding2

D-2.2.5 Summary

D-2.2.1 Encoding₁

D-2.2.2 Encoding₂

D-2.2.3 Decoding₁

D-2.2.4 Decoding₂