Decomposing Multiplication: DecompMultRNS

In FHE, gadget decomposition (§A-6.4) is used to compute ciphertext-to-plaintext multiplication with small noise. For example, BFV and CKKS’s homomorphic key switching (Summary C-5 in §C-5) uses gadget decomposition to compute

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (Δ M) = B + A \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S)

with small noise (where each coefficient of the polynomial

A

can be any value within the range of the ciphertext modulus

q

). As another example, the relinearization process of ciphertext-to-ciphertext multiplication in BFV (Summary D-2.7.5 in §D-2.7.5), CKKS (Summary D-3.5.6 in §D-3.5.6), and BGV (Summary D-4.8 in §D-4.8) uses gadget decomposition to derive the synthetic ciphertext

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (D_{2} \cdot S^{2})

when computing

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (Δ^{2} M^{⟨ 1 ⟩} M^{⟨ 2 ⟩}) = D_{0} + D_{1} \cdot S + D_{2} \cdot S^{2} = {𝖼𝗍}_{α} + {𝖼𝗍}_{β}

, where

{𝖼𝗍}_{α} = (D_{0}, D_{1})

{𝖼𝗍}_{β} = {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (D_{2} \cdot S^{2})

D_{0} = B_{1} B_{2}

D_{1} = A_{1} B_{2} + A_{2} B_{1}

, and

D_{2} = A_{1} A_{2}

. Using gadget decomposition, we showed the following relations:

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (A \cdot S) = ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (A), {𝖱𝖫𝖾𝗏}_{S^{'}, σ}^{β, l} (S) ⟩

▹

used in key switching

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (D_{2} \cdot S^{2}) = ⟨ {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (D_{2}), {𝖱𝖫𝖾𝗏}_{S, σ}^{β, l} (S^{2}) ⟩

▹

used in relinearization

However, if we convert a value (e.g.,

x

) into an RNS vector, then it cannot be directly expressed in a gadget-decomposed form based on the

β

and

l

parameters. Instead, given the relationship between the value

x

and its RNS residues is

x = \sum_{i = 1}^{k} x \cdot \frac{q}{q_{i}} \cdot {| ({\frac{q}{q_{i}}}^{- 1}) |}_{q_{i}} mod q

, we can treat each RNS residue as a gadget-decomposed element. For example, suppose our goal is to decompose

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (A \cdot S)

, where the RNS vector of

A = (A_{1}, A_{2}, \dots, A_{k})

has base moduli

(q_{1}, q_{2}, \dots, q_{k})

. We can decompose

{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (A \cdot S)

as follows:

= {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot (A_{1} \frac{q}{q_{1}} \cdot {| {(\frac{q}{q_{1}})}^{- 1} |}_{q_{1}} + A_{2} \frac{q}{q_{2}} \cdot {| {(\frac{q}{q_{2}})}^{- 1} |}_{q_{2}} + \dots + A_{k} \frac{q}{q_{k}} \cdot {| {(\frac{q}{q_{k}})}^{- 1} |}_{q_{k}})) mod q

= {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot A_{1} \frac{q}{q_{1}} \cdot {| {(\frac{q}{q_{1}})}^{- 1} |}_{q_{1}}) + {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot A_{2} \frac{q}{q_{2}} \cdot {| {(\frac{q}{q_{2}})}^{- 1} |}_{q_{2}}) +

\dots + {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot A_{k} \frac{q}{q_{k}} \cdot {| {(\frac{q}{q_{k}})}^{- 1} |}_{q_{k}}) mod q

= A_{1} \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{1}} \cdot {| {(\frac{q}{q_{1}})}^{- 1} |}_{q_{1}}) + A_{2} \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{2}} \cdot {| {(\frac{q}{q_{2}})}^{- 1} |}_{q_{2}}) +

\dots + A_{k} \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{k}} \cdot {| {(\frac{q}{q_{k}})}^{- 1} |}_{q_{k}}) mod q

= \sum_{i = 1}^{k} (A_{i} \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})) mod q

, where

{{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})}_{i = 1}^{k}

can be pre-generated as RNS key-switching keys.

Applying the same reasoning as above, we can also derive the following for relinearization:

{𝖱𝖫𝖶𝖤}_{S, σ} (D_{2} \cdot S^{2}) = \sum_{i = 1}^{k} (D_{2, i} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})) mod q

, where

{{𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})}_{i = 1}^{k}

can be pre-generated as relinearization keys.

$⟨$ Summary D-5.9 $⟩$ DecompMult_RNS

For key-switching:

Input: $A = (A_{1}, A_{2}, \dots, A_{k}) \in R_{⟨ n, q_{1} ⟩} \times R_{⟨ n, q_{2} ⟩} \times \dots \times R_{⟨ n, q_{k} ⟩}$ ,

$S_{⟨ S^{'}, 𝖱𝖭𝖲 ⟩} = {{𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})}_{i = 1}^{k}$ $▹$ key-switching keys

$𝖣𝖾𝖼𝗈𝗆𝗉𝖬𝗎𝗅𝗍_{𝖱𝖭𝖲} (A, S_{⟨ S^{'}, 𝖱𝖭𝖲 ⟩}) = {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (A \cdot S)$

$= \sum_{i = 1}^{k} (A_{i} \cdot {𝖱𝖫𝖶𝖤}_{S^{'}, σ} (S \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})) mod q$

For relinearization:

Input: $D_{2} = (D_{2, 1}, D_{2, 2}, \dots, D_{2, k}) \in R_{⟨ n, q_{1} ⟩} \times R_{⟨ n, q_{2} ⟩} \times \dots \times R_{⟨ n, q_{k} ⟩}$ ,

$S_{⟨ S, 𝖱𝖭𝖲 ⟩}^{2} = {{𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})}_{i = 1}^{k}$ $▹$ relinearization keys

$𝖣𝖾𝖼𝗈𝗆𝗉𝖬𝗎𝗅𝗍_{𝖱𝖭𝖲} (D_{2}, S_{⟨ S, 𝖱𝖭𝖲 ⟩}^{2}) = {𝖱𝖫𝖶𝖤}_{S, σ} (D_{2} \cdot S^{2})$

$= \sum_{i = 1}^{k} (D_{2, i} \cdot {𝖱𝖫𝖶𝖤}_{S, σ} (S^{2} \cdot \frac{q}{q_{i}} \cdot {| {(\frac{q}{q_{i}})}^{- 1} |}_{q_{i}})) mod q$

D-5.9 Decomposing Multiplication: DecompMultRNS

D-5.9 Decomposing Multiplication: DecompMult_RNS