Ciphertext-to-Ciphertext Multiplication

Given two ciphertexts

{𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 1 ⟩})

and

{𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 2 ⟩})

, the goal of ciphertext-to-ciphertext multiplication is to derive a new ciphertext whose decryption is

Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

. Ciphertext-to-ciphertext multiplication is more complex than ciphertext-to-plaintext multiplication. It comprises four steps: (1) ModRaise; (2) polynomial multiplication; (3) relinearization; and (4) rescaling.

For better understanding, we will explain BFV’s ciphertext-to-ciphertext multiplication based on the alternate version of RLWE (Theorem B-4.4 in §B-4.4), where the sign of the

𝐴𝑆

term is flipped in the encryption and decryption formulas.

D-2.7.1 ModRaise

We learned from Summary D-2.3 (in §D-2.3) that a BFV ciphertext whose ciphertext modulus is

q

has the (decryption) relation:

Δ M + E = A \cdot S + B - K \cdot q

, where

K \cdot q

stands for modulo reduction by

q

. ModRaise is a process of forcibly modifying the modulus of a ciphertext from

q \to Q

, where

q ≪ Q

. Suppose we modify the modulus of ciphertext

(A, B)

from

q

Q

, where

Q = q \cdot Δ

(remember

Δ = ⌊ \frac{q}{t} ⌋

). Then, the decryption of the mod-raised ciphertext will output

A \cdot S + B mod Q

. However, since each polynomial coefficient of

A

and

B

is less than

q

and each polynomial coefficient of

S

is either

{- 1, 0, 1}

, the resulting polynomial of

A \cdot S + B

is guaranteed to have each coefficient strictly less than

Q

even without modulo reduction by

Q

– this is because

(q - 1) \cdot n + (q - 1) < Q

, where

(q - 1) \cdot n

is the maximum possible coefficient of

A \cdot S

and

(q - 1)

is the maximum possible coefficient of

B

. And as mentioned before, we know the relation:

A \cdot S + B = Δ M + E + 𝐾𝑞

. Therefore, the decryption of the mod-raised ciphertext

(A, B) mod Q

is as follows:

Δ M + E + 𝐾𝑞 mod Q = Δ M + E + 𝐾𝑞

# since

Δ M + E + 𝐾𝑞 < Q

The first step of BFV’s ciphertext-to-ciphertext multiplication is to mod-raise the two input ciphertexts

(A^{⟨ 1 ⟩}, B^{⟨ 1 ⟩}) mod q

and

(A^{⟨ 2 ⟩}, B^{⟨ 2 ⟩}) mod q

from

q \to Q

(where

Q = q \cdot Δ

) as follows:

A^{⟨ 1 ⟩} \cdot S + B^{⟨ 1 ⟩} = Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q < Q

A^{⟨ 2 ⟩} \cdot S + B^{⟨ 2 ⟩} = Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q < Q

{𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 1 ⟩} + K_{1} q) = (A^{⟨ 1 ⟩}, B^{⟨ 1 ⟩}) mod Q

{𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 2 ⟩} + K_{2} q) = (A^{⟨ 2 ⟩}, B^{⟨ 2 ⟩}) mod Q

D-2.7.2 Polynomial Multiplication

Our next goal is to derive a new ciphertext which encrypts

(Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q)

(Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q)

= (A^{⟨ 1 ⟩} \cdot S + B^{⟨ 1 ⟩}) \cdot (A^{⟨ 2 ⟩} \cdot S + B^{⟨ 2 ⟩})

= \underset{D_{0}}{\underset{⏟}{B^{⟨ 1 ⟩} B^{⟨ 2 ⟩}}} + \underset{D_{1}}{\underset{⏟}{(B^{⟨ 2 ⟩} A^{⟨ 1 ⟩} + B^{⟨ 1 ⟩} A^{⟨ 2 ⟩})}} \cdot S + \underset{D_{2}}{\underset{⏟}{(A^{⟨ 1 ⟩} \cdot A^{⟨ 2 ⟩})}} \cdot S \cdot S

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 1 ⟩} + K_{1} q) = Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 2 ⟩} + K_{2} q) = Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 1 ⟩} + K_{1} q) \cdot {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 2 ⟩} + K_{2} q) = D_{0} + D_{1} \cdot S + D_{2} \cdot S^{2}

Notice that

D_{0}, D_{1},

and

D_{2}

are known values as ciphertext components, whereas

S

is only known to the private key owner. Therefore, we can view

D_{0} + D_{1} \cdot S + D_{2} \cdot S^{2}

as a decryption formula such that given the ciphertext components

D_{0}, D_{1}, D_{2}

and the private key

S

, one can derive

(Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q)

. In other words, we can let

(D_{0}, D_{1}, D_{2})

be a new form of ciphertext which can be decrypted by

S

into

(Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q)

However,

(D_{0}, D_{1}, D_{2})

is not in the RLWE ciphertext format, because it has 3 components instead of 2. Having 3 ciphertext components is computationally inefficient, as its decryption involves a square root of

S

(i.e.,

S^{2}

). Over consequent ciphertext-to-ciphertext multiplications, this

S

term will double its exponents as

S^{4}, S^{8}, \dots

as well as the number of ciphertext components, which would exponentially increase the computational overhead of decryption. Therefore, we want to convert the intermediate ciphertext format

(D_{0}, D_{1}, D_{2})

into a regular BFV ciphertext format that has two polynomials as ciphertext components. This conversion process is called a relinearization process (which will be explained in the next subsection).

D-2.7.3 Relinearization

Relinearization is a process of converting the polynomial triplet

(D_{0}, D_{1}, D_{2}) \in R_{⟨ n, Q ⟩}^{3}

into two RLWE ciphertexts

{𝖼𝗍}_{α}

and

{𝖼𝗍}_{β}

which hold the relation:

D_{0} + D_{1} S + D_{2} S^{2} = {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{α} + {𝖼𝗍}_{β})

In the formula

D_{0} + D_{1} S + D_{2} S^{2}

, we can re-write

D_{0} + D_{1} S

as a synthetic RLWE ciphertext

{𝖼𝗍}_{α} = (D_{1}, D_{0})

, which can be decrypted by

S

into

D_{1} S + D_{0}

. Similarly, our next task is to derive a synthetic RLWE ciphertext

{𝖼𝗍}_{β}

whose decryption is

D_{2} \cdot S^{2}

(i.e.,

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{β}) = D_{2} \cdot S^{2}

A naive way of creating a ciphertext that encrypts

D_{2} \cdot S^{2}

is as follows: we encrypt

S^{2}

into an RLWE ciphertext as

{𝖱𝖫𝖶𝖤}_{S, σ} (S^{2}) = (A^{⟨ s ⟩}, B^{⟨ s ⟩})

such that

A^{⟨ s ⟩} \cdot S + B^{⟨ s ⟩} = S^{2} + E^{⟨ s ⟩} mod Q

(where the ciphertext modulus is

Q

and the plaintext scaling factor

Δ = 1

). Then, we perform a ciphertext-to-plaintext multiplication (§C-3) with

D_{2}

, treating

D_{2}

as a plaintext polynomial in modulo

Q

. However, this approach does not work in practice, because computing

D_{2} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2})

generates a huge noise as follows:

D_{2} \cdot (A^{⟨ s ⟩}, B^{⟨ s ⟩}) = (D_{2} \cdot A^{⟨ s ⟩}, D_{2} \cdot B^{⟨ s ⟩})

D_{2} \cdot A^{⟨ s ⟩} \cdot S + D_{2} \cdot B^{⟨ s ⟩} = D_{2} \cdot S^{2} + D_{2} \cdot E^{⟨ s ⟩} (𝑚𝑜𝑑 Q)

. In the above decrypted expression

D_{2} S^{2} + D_{2} E^{⟨ s ⟩} mod Q

, the term

D_{2} S^{2}

is okay to be reduced modulo

Q

, because this term is originally allowed to be reduced modulo

Q

in the final decryption formula

D_{0} + D_{1} S + D_{2} S^{2} mod Q

as well. However, the problematic term is the noise

D_{2} \cdot E^{⟨ s ⟩}

, because its coefficients can be any value in

[0, Q - 1]

(since each coefficient of polynomial

D_{2} = A^{⟨ 1 ⟩} A^{⟨ 2 ⟩}

can be any value in

[0, Q - 1]

). Such a huge noise is not allowed for correct final decryption.

To avoid this noise issue, an improved solution is to express the RLWE ciphertext that encrypts

D_{2} S^{2}

as additions of multiple RLWE ciphertexts with small noises by using the gadget decomposition technique (§A-6.4). For this, we use an RLev ciphertext (§B-5) that encrypts

S^{2}

. Suppose our gadget vector is

\vec{g} = (\frac{Q}{β}, \frac{Q}{β^{2}}, \frac{Q}{β^{3}}, \dots, \frac{Q}{β^{l}})

. Remember that our goal is to find

{𝖼𝗍}_{β} = {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot D_{2})

given known

D_{2}

, unknown

S

, and known

{𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) = {{𝖱𝖫𝖶𝖤}_{S, σ} (\frac{Q}{β^{i}} \cdot S)}_{i = 1}^{l}

. Then, we can derive

{𝖼𝗍}_{β}

as follows:

= {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot (D_{2, 1} \frac{Q}{β} + D_{2, 2} \frac{Q}{β^{2}} + \dots D_{2, l} \frac{Q}{β^{l}}))

# by decomposing

D_{2}

= {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot D_{2, 1} \cdot \frac{Q}{β}) + {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot D_{2, 2} \cdot \frac{Q}{β^{2}}) + \dots + {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot D_{2, l} \cdot \frac{Q}{β^{l}})

= D_{2, 1} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{Q}{β}) + D_{2, 2} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{Q}{β^{2}}) + \dots + D_{2, l} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{Q}{β^{l}})

# where each RLWE ciphertext is an encryption of

S^{2} \frac{Q}{β}, S^{2} \frac{Q}{β^{2}}, \dots, S^{2} \frac{Q}{β^{l}}

as plaintext with the plaintext scaling factor

Δ = 1

= ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (D_{2}), {𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) ⟩

# inner product of Decomp and RLev treating them as vectors

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{β} = ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (D_{2}), {𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) ⟩)

# the scaling factors of

{𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2})

are all 1

= D_{2, 1} \cdot (E_{1}^{'} + S^{2} \frac{Q}{β}) + D_{2, 2} \cdot (E_{2}^{'} + S^{2} \frac{Q}{β^{2}}) + \dots + D_{2, l} \cdot (E_{l}^{'} + S^{2} \frac{Q}{β^{l}})

# where each

E_{i}^{'}

is a noise embedded in

{𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{Q}{β^{i}})

= \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) + S^{2} \cdot (D_{2, 1} \frac{Q}{β} + D_{2, 2} \frac{Q}{β^{2}} + \dots + D_{2, l} \frac{Q}{β^{l}})

= \sum_{i = 1}^{l} 𝜖_{i} + D_{2} \cdot S^{2}

# where each

𝜖_{i} = E_{i}^{'} \cdot D_{2, i}

\approx D_{2} \cdot S^{2}

\sum_{i = 1}^{l} 𝜖_{i} ≪ D_{2} \cdot E^{″}

, where

E^{″}

is the noise that could’ve been embedded in

{𝖱𝖫𝖶𝖤}_{S, σ} (S^{2})

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 1 ⟩} + K_{1} q) \cdot {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} (Δ M^{⟨ 2 ⟩} + K_{2} q) mod Q

= (Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q) mod Q

= (A^{⟨ 1 ⟩} \cdot S + B^{⟨ 1 ⟩}) \cdot (A^{⟨ 2 ⟩} \cdot S + B^{⟨ 2 ⟩}) mod Q

= D_{0} + D_{1} \cdot S + D_{2} \cdot S^{2} mod Q

D_{0} = B^{⟨ 1 ⟩} B^{⟨ 2 ⟩}

D_{1} = A^{⟨ 1 ⟩} B^{⟨ 2 ⟩} + A^{⟨ 2 ⟩} B^{⟨ 1 ⟩}

D_{2} = A^{⟨ 1 ⟩} A^{⟨ 2 ⟩}

= {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{α}) + {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{β}) - \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q

{𝖼𝗍}_{α} = (D_{1}, D_{0}) = (A_{α}, B_{β})

{𝖼𝗍}_{β} = ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (D_{2}), {𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) ⟩ = (A_{β}, B_{β})

= {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{α} + {𝖼𝗍}_{β}) - \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q

= {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ((A_{α + β}, B_{α + β})) - \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q

A_{α + β} = A_{α} + A_{β}

B_{α + β} = B_{α} + B_{β}

(Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} + K_{1} q) \cdot (Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} + K_{2} q) mod Q

= Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + Δ \cdot (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (Δ M^{⟨ 1 ⟩} K_{2} + Δ M^{⟨ 2 ⟩} K_{1} + E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} mod Q

= {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ((A_{α + β}, B_{α + β})) - \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q

{𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ((A_{α + β}, B_{α + β})) = A_{α + β} \cdot S + B_{α + β} mod Q

= Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + Δ \cdot (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (Δ M^{⟨ 1 ⟩} K_{2} + Δ M^{⟨ 2 ⟩} K_{1} + E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q

To verbally interpret the above relation, decrypting the synthetically generated ciphertext

(A_{α + β}, B_{α + β})

and applying a reduction modulo

Q

to it gives us

Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

with a lot of noise terms. Meanwhile, as explained in the beginning of this subsection, our goal is to derive a ciphertext whose decryption is

Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

, also ensuring that the decrypted ciphertext’s noise is small enough to be fully eliminated by scaling down the plaintext by

Δ

at the end. This goal is accomplished by the final rescaling step to be explained in the next subsection.

D-2.7.4 Rescaling

The rescaling step is equivalent to converting the ciphertext

(A_{α + β}, B_{α + β}) mod Q

into

(⌈ \frac{A_{α + β}}{Δ} ⌋, ⌈ \frac{B_{α + β}}{Δ} ⌋) mod q

, where

Δ = ⌊ \frac{q}{t} ⌋ \approx \frac{q}{t}

. The decryption of this rescaled ciphertext (and finally scaling down by

Δ

) is

Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

. This is demonstrated below:

⌈ \frac{A_{α + β}}{Δ} ⌋ \cdot S + ⌈ \frac{B_{α + β}}{Δ} ⌋ mod q

# decryption of ciphertext

(⌈ \frac{A_{α + β}}{Δ} ⌋, ⌈ \frac{B_{α + β}}{Δ} ⌋) mod q

= ⌈ \frac{A_{α + β}}{Δ} ⌋ \cdot S + ⌈ \frac{B_{α + β}}{Δ} ⌋ + K_{3} q

# where

K_{3} q

stands for modulo reduction by

q

= ⌈ \frac{A_{α + β}}{Δ} ⌋ \cdot S + ⌈ \frac{B_{α + β}}{Δ} ⌋ + \frac{K_{3} Q}{Δ}

# since

Q = Δ \cdot q

= ⌈ \frac{1}{Δ} \cdot (A_{α + β} \cdot S + B_{α + β} + K_{3} Q) ⌋ + E_{r}

E_{r}

is a rounding error

= ⌈ \frac{1}{Δ} \cdot (A_{α + β} \cdot S + B_{α + β} mod Q) ⌋ + E_{r}

= ⌈ \frac{1}{Δ} \cdot (Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + Δ \cdot (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) +

q \cdot (Δ M^{⟨ 1 ⟩} K_{2} + Δ M^{⟨ 2 ⟩} K_{1} + E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) mod Q) ⌋ + E_{r}

= ⌈ \frac{1}{Δ} \cdot (Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + Δ \cdot (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) +

q \cdot (Δ M^{⟨ 1 ⟩} K_{2} + Δ M^{⟨ 2 ⟩} K_{1} + E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i}) + K_{4} Q) ⌋ + E_{r}

= ⌈ Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (M^{⟨ 1 ⟩} K_{2} + M^{⟨ 2 ⟩} K_{1})

+ \frac{1}{Δ} \cdot q \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + \frac{1}{Δ} \cdot (K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i})) + K_{5} q ⌋

= ⌈ Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (M^{⟨ 1 ⟩} K_{2} + M^{⟨ 2 ⟩} K_{1}) + (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1})

+ \frac{1}{Δ} \cdot (K_{1} K_{2} q^{2} + E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i})) + K_{5} q ⌋

# where

𝜖 = \frac{q}{Δ} - \frac{q}{\frac{q}{t}} = \frac{q}{⌊ \frac{q}{t} ⌋} - \frac{q}{\frac{q}{t}} \approx 0

, thus we substituted

\frac{q}{Δ} = 𝜖 + t

= ⌈ Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (M^{⟨ 1 ⟩} K_{2} + M^{⟨ 2 ⟩} K_{1}) + (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1})

+ \frac{K_{1} K_{2} q^{2}}{Δ} + \frac{E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i})}{Δ} + K_{5} q ⌋

# Now, let

𝜖^{'} = \frac{K_{1} K_{2} q^{2}}{Δ} - \frac{K_{1} K_{2} q^{2}}{\frac{q}{t}} = \frac{K_{1} K_{2} q^{2}}{⌊ \frac{q}{t} ⌋} - \frac{K_{1} K_{2} q^{2}}{\frac{q}{t}} \approx 0

Thus, we will substitute

\frac{K_{1} K_{2} q^{2}}{Δ} = \frac{K_{1} K_{2} q^{2}}{\frac{q}{t}} + 𝜖^{'} = K_{1} K_{2} 𝑞𝑡 + 𝜖^{'}

= Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩} + (M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩}) + q \cdot (M^{⟨ 1 ⟩} K_{2} + M^{⟨ 2 ⟩} K_{1})

+ (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} 𝑞𝑡 + 𝜖^{'} + K_{5} q + ⌈ \frac{E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i})}{Δ} ⌋

# where

K_{6} q = K_{5} q + q \cdot (M^{⟨ 1 ⟩} K_{2} + M^{⟨ 2 ⟩} K_{1}) + K_{1} K_{2} 𝑞𝑡,

𝜖^{″} = M^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + M^{⟨ 2 ⟩} E^{⟨ 1 ⟩} + (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) + ⌈ \frac{E^{⟨ 1 ⟩} E^{⟨ 2 ⟩} + \sum_{i = 1}^{l} (E_{i}^{'} \cdot D_{2, i})}{Δ} ⌋

In conclusion, the ciphertext

(⌈ \frac{A_{α + β}}{Δ} ⌋, ⌈ \frac{B_{α + β}}{Δ} ⌋) mod q

successfully decrypts to

Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

𝜖^{″} < \frac{Δ}{2} \approx \frac{q}{2 t}

Noise Analysis: Among the terms of

𝜖^{″}

, let’s analyze the noise growth of the

(t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1})

term after ciphertext-to-ciphertext multiplication. Each coefficient of

K_{1}

is at most

n

, because

A^{⟨ 1 ⟩} \cdot S + B^{⟨ 1 ⟩} = Δ M + E^{⟨ 1 ⟩} + K_{1} q

, where the maximum possible coefficient value of

A^{⟨ 1 ⟩} \cdot S + B^{⟨ 1 ⟩}

q \cdot n

. And the same is true for the coefficients of

K_{2}

. Therefore, after scaling down

(t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1})

Δ

upon the final decryption stage, this term’s down-scaled noise gets bound by:

\frac{1}{Δ} \cdot (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) \approx \frac{t}{q} \cdot (t + 𝜖) \cdot (E^{⟨ 1 ⟩} K_{2} + E^{⟨ 2 ⟩} K_{1}) < \frac{𝑛𝑡 \cdot (t + 𝜖)}{q} \cdot (E^{⟨ 1 ⟩} + E^{⟨ 2 ⟩})

This implies that for correct decryption,

\frac{𝑛𝑡 \cdot (t + 𝜖)}{q} \cdot (E^{⟨ 1 ⟩} + E^{⟨ 2 ⟩})

has to be smaller than

0.5

. In other words,

E^{⟨ 1 ⟩} + E^{⟨ 2 ⟩}

has to be smaller than

\frac{q}{2 𝑛𝑡 \cdot (t + 𝜖)}

. We can do noise analysis for all other terms for

𝜖^{″}

in a similar manner. Importantly, upon decryption, the aggregation of all these noise terms’ down-scaled values has to be smaller than

0.5

for correct decryption.

Modulus Switch v.s. Rescaling: Notice in the rescaling process, multiplying

\frac{1}{Δ}

A_{α + β}

and

B_{α + β}

results in two effects: (1) converts

Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

into

Δ M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

; (2) switches the modulus of the mod-raised ciphertexts from

Q \to q

. In fact, modulus switch and rescaling are closely equivalent to each other. Modulus switch is a process of changing a ciphertext’s modulus (e.g.,

q \to q^{'}

), while preserving the property that the decryption of both ciphertexts results in the same plaintext. On the other hand, rescaling refers to the process of changing the scaling factor of a plaintext within a ciphertext (e.g.,

Δ \to Δ^{'}

). Modulus switch inevitably changes the scaling factor of the plaintext within the target ciphertext, and rescaling also inevitably changes the modulus of the ciphertext that contains the plaintext (as shown in §D-2.7.4). Therefore, these two terms can be used interchangeably.

D-2.7.5 Summary

To put all things together, BFV’s ciphertext-to-ciphertext multiplication is summarized as follows:

$⟨$ Summary D-2.7.5 $⟩$ BFV’s Ciphertext-to-Ciphertext Multiplication

Suppose we have the following two RLWE ciphertexts:

${𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 1 ⟩}) = (A^{⟨ 1 ⟩}, B^{⟨ 1 ⟩}) mod q$ , where $B^{⟨ 1 ⟩} = - A^{⟨ 1 ⟩} \cdot S + Δ M^{⟨ 1 ⟩} + E^{⟨ 1 ⟩} mod q$

${𝖱𝖫𝖶𝖤}_{S, σ} (Δ M^{⟨ 2 ⟩}) = (A^{⟨ 2 ⟩}, B^{⟨ 2 ⟩}) mod q$ , where $B^{⟨ 2 ⟩} = - A^{⟨ 2 ⟩} \cdot S + Δ M^{⟨ 2 ⟩} + E^{⟨ 2 ⟩} mod q$

Multiplication between these two ciphertexts is performed as follows:

1.

ModRaise

Forcibly modify the modulus of the ciphertexts $(A^{⟨ 1 ⟩}, B^{⟨ 1 ⟩}) mod q$ and $(A^{⟨ 2 ⟩}, B^{⟨ 2 ⟩}) mod q$ to $Q$ (where $Q = q \cdot Δ$ ) as follows:

$(A^{⟨ 1 ⟩}, B^{⟨ 1 ⟩}) mod Q$

$(A^{⟨ 2 ⟩}, B^{⟨ 2 ⟩}) mod Q$

2.

Multiplication

Compute the following polynomial multiplications in modulo $Q$ :

$D_{0} = B^{⟨ 1 ⟩} B^{⟨ 2 ⟩} mod Q$

$D_{1} = B^{⟨ 2 ⟩} A^{⟨ 1 ⟩} + B^{⟨ 1 ⟩} A^{⟨ 2 ⟩} mod Q$

$D_{2} = A^{⟨ 1 ⟩} \cdot A^{⟨ 2 ⟩} mod Q$

3.

Relinearization

Compute the following:

${𝖼𝗍}_{α} = (D_{1}, D_{0})$

${𝖼𝗍}_{β} = ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (D_{2}), {𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) ⟩$ .

${𝖼𝗍}_{α + β} = {𝖼𝗍}_{α} + {𝖼𝗍}_{β}$

Then, this property holds: ${𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖱𝖫𝖶𝖤}_{S, σ} (Δ^{2} \cdot M^{⟨ 1 ⟩} \cdot M^{⟨ 2 ⟩})) \approx {𝖱𝖫𝖶𝖤}_{S, σ}^{- 1} ({𝖼𝗍}_{α + β})$

4.

Rescaling

Update ${𝖼𝗍}_{α + β} = (A_{α + β}, B_{α + β}) mod Q$ to ${𝖼𝗍’}_{α + β} = (⌈ \frac{A_{α + β}}{Δ} ⌋, ⌈ \frac{B_{α + β}}{Δ} ⌋) mod q$ .

This plaintext rescaling process can be also viewed as a modulus switch of the ciphertext ${𝖼𝗍}_{α + β}$ from $Q \to q$ .

Note that after the ciphertext-to-ciphertext multiplication, the plaintext scaling factor $Δ = ⌊ \frac{q}{t} ⌋$ , the ciphertext modulus $q$ , the plaintext $M$ , and the private key $S$ stay the same as before.

The Purpose of ModRaise: When we multiply polynomials at the second step of ciphertext-to-ciphertext multiplication (§D-2.7.2), the underlying plaintext within the ciphertext temporarily grows to

Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

, which exceeds the allowed maximum boundary

q

for the plaintext (Summary D-2.3 in §D-2.3). After this point, applying modulo-

q

reduction to the intermediate result will irrevocably corrupt the plaintext. To avoid the corruption of the plaintext when it grows to

Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

, we temporarily increase the ciphertext modulus from

q \to Q

, which is sufficiently large to hold

Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}

without wrapping around the boundary of the ciphertext modulus.

Swapping the Order of Relinearization and Rescaling: The order of relinearization and rescaling is interchangeable. Running rescaling before relinearization reduces the size of the ciphertext modulus, and therefore the subsequent relinearization can be executed faster.

D-2.7 Ciphertext-to-Ciphertext Multiplication

D-2.7.1 ModRaise

D-2.7.2 Polynomial Multiplication

D-2.7.3 Relinearization

D-2.7.4 Rescaling

D-2.7.5 Summary