[prev][parent][next]

D-5.9 Decomposing Multiplication: DecompMultRNS

In FHE, gadget decomposition (Β§A-6.4) is used to compute ciphertext-to-plaintext multiplication with a small noise. For example, BFV and CKKS’s homomorphic key switching (SummaryΒ C-5 in Β§C-5) uses gadget decomposition to compute 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(Ξ”M) = B + A ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ(S) with a small noise (where each coefficient of the polynomial A can be any value within the range of the ciphertext modulus q). As another example, the relinearization process of ciphertext-to-ciphertext multiplication in BFV (SummaryΒ D-2.7.5 in Β§D-2.7.5), CKKS (SummaryΒ D-3.5.6 in Β§D-3.5.6), and BGV (SummaryΒ D-4.8 in Β§D-4.8) uses gadget decomposition to derive the synthetic ciphertext 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(D2 β‹…S2) when computing 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(Ξ”2M⟨1⟩M⟨2⟩) = D0 + D1 β‹…S + D2 β‹…S2 = 𝖼𝗍α + 𝖼𝗍β, where 𝖼𝗍α = (D0,D1), 𝖼𝗍β = 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(D2 β‹…S2), D0 = B1B2, D1 = A1B2 + A2B1, and D2 = A1A2. Using gadget decomposition, we showed the following relations:

𝖱𝖫𝖢𝖀Sβ€²,Οƒ(A β‹…S) = βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(A), 𝖱𝖫𝖾𝗏Sβ€²,σβ,l(S)⟩ # used in key switching

𝖱𝖫𝖢𝖀Sβ€²,Οƒ(D2 β‹…S2) = βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(D2), 𝖱𝖫𝖾𝗏S,σβ,l(S2)⟩ # used in relinearization

However, if we convert a value (e.g., x) into an RNS vector, then it cannot be directly expressed in a gadget-decomposed form based on the Ξ² and l parameters. Instead, given the relationship between the value x and its RNS residues is x = βˆ‘ ⁑ i=1kx β‹…q qi β‹… |(q qiβˆ’1)| qi mod q, we can treat each RNS residue as a gadget-decomposed element. For example, suppose our goal is to decompose 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(A β‹…S), where the RNS vector of A = (A1,A2,β‹―,Ak) and whose base moduli are (q1,q2,β‹―,qk). We can decompose 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(A β‹…S) as follows:

𝖱𝖫𝖢𝖀Sβ€²,Οƒ(A β‹…S) mod q

= 𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹… (A1 q q1 β‹… |( q q1) βˆ’1| q1 + A2 q q2 β‹… |( q q2) βˆ’1| q2 + β‹― + Ak q qk β‹… |( q qk) βˆ’1| qk)) mod q

= 𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…A1 q q1 β‹… |( q q1) βˆ’1| q1) + 𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…A2 q q2 β‹… |( q q2) βˆ’1| q2) +

β‹― + 𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…Ak q qk β‹… |( q qk) βˆ’1| qk) mod q

= A1 ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹… q q1 β‹… |( q q1) βˆ’1| q1) + A2 ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹… q q2 β‹… |( q q2) βˆ’1| q2) +

β‹― + Ak ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹… q qk β‹… |( q qk) βˆ’1| qk) mod q

= βˆ‘ ⁑ i=1k (Ai ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…q qi β‹… |(q qi) βˆ’1| qi)) mod q

, where {𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…q qi β‹… |(q qi) βˆ’1| qi)} i=1k can be pre-generated as RNS key-switching keys.

Applying the same reasoning as the above, we can also derive the following for relinearization:

𝖱𝖫𝖢𝖀S,Οƒ(D2 β‹…S2) = βˆ‘ ⁑ i=1k(D2,i ⋅𝖱𝖫𝖢𝖀S,Οƒ (S2 β‹…q qi β‹… |(q qi) βˆ’1| qi) ) mod q

, where {𝖱𝖫𝖢𝖀S,Οƒ (S2 β‹…q qi β‹… |(q qi) βˆ’1| qi)} i=1k can be pre-generated as relinearization keys.

RNS-based multiplication decomposition is summarized as follows:

⟨Summary D-5.9⟩ DecompMultRNS

For key-switching:

Input: A = (A1,A2,β‹―,Ak) ∈R⟨n,q1βŸ©Γ—R⟨n,q2βŸ©Γ—β‹― Γ—R⟨n,qk⟩,

S⟨Sβ€²,π–±π–­π–²βŸ© = {𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…q qi β‹… |(q qi) βˆ’1| qi)} i=1k # key-switching keys

π–£π–Ύπ–Όπ—ˆπ—†π—‰π–¬π—Žπ—…π—π–±π–­π–²(A,S⟨Sβ€²,π–±π–­π–²βŸ©) = 𝖱𝖫𝖢𝖀Sβ€²,Οƒ(A β‹…S)

= βˆ‘ ⁑ i=1k(Ai ⋅𝖱𝖫𝖢𝖀Sβ€²,Οƒ (S β‹…q qi β‹… |(q qi) βˆ’1| qi) ) mod q

For relinearization:

Input: D2 = (D2,1,D2,2,β‹―,D2,k) ∈R⟨n,q1βŸ©Γ—R⟨n,q2βŸ©Γ—β‹― Γ—R⟨n,qk⟩,

S⟨S,π–±π–­π–²βŸ©2 = {𝖱𝖫𝖢𝖀S,Οƒ (S2 β‹…q qi β‹… |(q qi) βˆ’1| qi)} i=1k # relinearization keys

π–£π–Ύπ–Όπ—ˆπ—†π—‰π–¬π—Žπ—…π—π–±π–­π–²(D2,S⟨S,π–±π–­π–²βŸ©2) = 𝖱𝖫𝖢𝖀S,Οƒ(D2 β‹…S2)

= βˆ‘ ⁑ i=1k(D2,i ⋅𝖱𝖫𝖢𝖀S,Οƒ (S2 β‹…q qi β‹… |(q qi) βˆ’1| qi) ) mod q

[prev][parent][next]