Decryption

B-2.3 Decryption

1.: Given the ciphertext $(\vec{a}, b)$ where $b = \vec{a} \cdot \vec{s} + Δ \cdot m + e \in ℤ_{q}$ , compute $b - \vec{a} \cdot \vec{s}$ , which gives the same value as $Δ \cdot m + e \in ℤ_{q}$ .
2.: Round $Δ \cdot m + e \in ℤ_{q}$ to the nearest multiple of $Δ$ (i.e., round it as a base $Δ$ number), which is denoted as $⌈ Δ \cdot m + e ⌋_{Δ}$ . This rounding operation successfully eliminates $e$ and gives $Δ m$ , provided $e$ is small enough to be $e < \frac{Δ}{2}$ . If $e \geq \frac{Δ}{2}$ , then some of the higher bits of the noise $e$ will overlap with the plaintext $m$ , won’t be blown away, and will corrupt some lower bits of the plaintext $m$ .
3.: Compute $\frac{Δ m}{Δ}$ , which is equivalent to right-shifting $⌈ Δ \cdot m + e ⌋_{Δ}$ by ${log}_{2} Δ$ bits. (Here we assume $Δ$ is a power of 2; if $Δ$ is not a power of 2, scaling up or down $m$ by $Δ$ is equivalent to multiplying or dividing the value by $Δ$ .)

The LWE decryption formula is summarized as follows:

$⟨$ Summary B-2.3 $⟩$ LWE Decryption

Decryption Input: $𝖼𝗍 = (\vec{a}, b) \in ℤ_{q}^{k + 1}$

1.: ${𝖫𝖶𝖤}_{S, σ}^{- 1} (𝖼𝗍) = b - \vec{a} \cdot \vec{s} = Δ m + e (𝑚𝑜𝑑 q)$
2.: Scale down $⌈ \frac{Δ m + e}{Δ} ⌋ mod t = m \in ℤ_{t}$

For correct decryption, the noise $e$ should be $e < \frac{Δ}{2}$ .

During decryption, the secret key owner can subtract $\vec{a} \cdot \vec{s}$ from $b$ because he can directly compute $\vec{a} \cdot \vec{s}$ by using his secret key $\vec{s}$ .

The reason we scaled the plaintext $m$ by $Δ$ is: (i) to left-shift $m$ by ${log}_{2} Δ$ bits and separate it from the noise $e$ in the lower bits during encryption, whereas $e$ is essential to make it hard for the attacker to guess $m$ or $\vec{s}$ ; and (ii) to eliminate $e$ in the lower bits by right-shifting it by ${log}_{2} Δ$ bits without compromising $m$ in the higher bits during decryption. The process of right-shifting (i.e., scaling) the plaintext $m$ by ${log}_{2} Δ$ bits, followed by adding the noise $e$ , is illustrated in Figure 8.

B-2.3.1 In the Case of $t$ not Dividing $q$

In Summary B-2.2 (§B-2.2), we assumed that $t$ divides $q$ . In this case, there is no upper or lower limit on the size of plaintext $m$ : its value is allowed to wrap around modulo $t$ indefinitely, yet the decryption works correctly. This is because any $m$ value greater than $t$ will be correctly modulo-reduced by $t$ when we perform modulo reduction by $q$ during decryption.

On the other hand, suppose that $t$ does not divide $q$ . In such a case, we set the scaling factor as $Δ = ⌊ \frac{q}{t} ⌋$ . Then, provided $q ≫ t$ , the decryption works correctly even if $m$ is a large value that wraps around $t$ . We will show why this is so.

In this subsection’s analysis, we choose $t$ to be an odd (prime) number, which is the general FHE practice for computational efficiency reasons (see §A-10.6.1). We assume the use of the centered residue system, where the plaintext domain is $[- \frac{t - 1}{2}, \frac{t - 1}{2}]$ and the ciphertext domain is $[- \frac{q}{2}, \frac{q}{2} - 1]$ . We denote plaintext $m mod t$ as $m = m^{'} + 𝑘𝑡$ , where $m^{'} \in ℤ_{t}$ , and $k$ is an integer that represents the $t$ -overflow portions of $m$ . We set the plaintext scaling factor as $Δ = ⌊ \frac{q}{t} ⌋$ . Then, the noise-added and $Δ$ -scaled plaintext can be expressed as follows:

$⌊ \frac{q}{t} ⌋ \cdot m + e$

$= ⌊ \frac{q}{t} ⌋ \cdot m^{'} + ⌊ \frac{q}{t} ⌋ \cdot 𝑘𝑡 + e$ $▹$ applying $m = m^{'} + 𝑘𝑡$

$= ⌊ \frac{q}{t} ⌋ \cdot m^{'} + \frac{q}{t} \cdot 𝑘𝑡 - (\frac{q}{t} - ⌊ \frac{q}{t} ⌋) \cdot 𝑘𝑡 + e$

$= ⌊ \frac{q}{t} ⌋ \cdot m^{'} + 𝑞𝑘 - (\frac{q}{t} - ⌊ \frac{q}{t} ⌋) \cdot 𝑘𝑡 + e$

$= ⌊ \frac{q}{t} ⌋ \cdot m^{'} + 𝑞𝑘 - 𝜖 \cdot 𝑘𝑡 + e$ $▹$ where $𝜖 = \frac{q}{t} - ⌊ \frac{q}{t} ⌋$ , a decimal value between $[0, 1)$

Remember that the LWE decryption relation: $\frac{b - \vec{a} \cdot \vec{s} mod q}{Δ} mod t = \frac{Δ m + e mod q}{Δ} mod t$ . Therefore, from the above expression, we can decrypt the message by computing as follows:

$⌈ \frac{1}{Δ} \cdot (b - \vec{a} \cdot \vec{s} mod q) ⌋ mod t$

$= ⌈ \frac{1}{Δ} \cdot (Δ m + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot (m^{'} + 𝑘𝑡) + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} + ⌊ \frac{q}{t} ⌋ \cdot 𝑘𝑡 + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} + (\frac{q}{t} - 𝜖) \cdot 𝑘𝑡 + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} + 𝑘𝑞 - 𝜖𝑘𝑡 + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e mod q) ⌋ mod t$

In order for the decryption to work, we ideally want to eliminate the inner modulo $q$ reduction. That is, assuming the centered residue system $[- \frac{q}{2}, \frac{q}{2} - 1]$ , we want $- \frac{q}{2} \leq ⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e < \frac{q}{2}$ , or more strictly, $| ⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e | < \frac{q}{2}$ .

To ensure these conditions hold, we will make a special assumption: $| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2}$ . Applying this assumption to the expression above, we can derive the following relation:

$| ⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e |$

$\leq | ⌊ \frac{q}{t} ⌋ \cdot m^{'} | + | - 𝜖𝑘𝑡 + e |$

$\leq | ⌊ \frac{q}{t} ⌋ \cdot \frac{t - 1}{2} | + | - 𝜖𝑘𝑡 + e |$ $▹$ we assume $t$ is an odd prime, as that’s the general FHE practice

$\leq | \frac{q}{t} \cdot \frac{t - 1}{2} | + | - 𝜖𝑘𝑡 + e |$

$= \frac{q}{2} - \frac{q}{2 t} + | - 𝜖𝑘𝑡 + e |$

$< \frac{q}{2} - \frac{q}{2 t} + \frac{Δ}{2}$ $▹$ applying our special assumption $| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2}$

$= \frac{q}{2} + \frac{1}{2} \cdot (Δ - \frac{q}{t})$

$< \frac{q}{2}$ $▹$ since $Δ < \frac{q}{t}$

Therefore, if we assume $| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2}$ , then $⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e mod q$ can be simplified to $⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e$ . We continue with the following derivation:

$⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e mod q) ⌋ mod t$

$= ⌈ \frac{1}{⌊ \frac{q}{t} ⌋} \cdot (⌊ \frac{q}{t} ⌋ \cdot m^{'} - 𝜖𝑘𝑡 + e) ⌋ mod t$

$= ⌈ m^{'} + \frac{- 𝜖𝑘𝑡 + e}{⌊ \frac{q}{t} ⌋} ⌋ mod t$

$= m^{'} + ⌈ \frac{- 𝜖𝑘𝑡 + e}{⌊ \frac{q}{t} ⌋} ⌋ mod t$ $▹$ since $⌈ m^{'} ⌋ = m^{'}$

$= m^{'} mod t$ $▹$ applying special assumption $| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2} = \frac{⌊ \frac{q}{t} ⌋}{2}$

To summarize, if we set the plaintext’s scaling factor as $Δ = ⌊ \frac{q}{t} ⌋$ and $t$ is an odd (prime) number, the decryption works correctly as long as the following error-bounding condition holds: $| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2} = \frac{⌊ \frac{q}{t} ⌋}{2}$ . This condition (i.e., decryption) breaks if: (1) the noise $e$ is too large relative to $q$ ; (2) the plaintext modulus $t$ is too large relative to $q$ ; or (3) the plaintext value wraps around $t$ too many times (i.e., $k$ is too large). A general solution to ensure all these error bound conditions is to set the ciphertext modulus $q$ to be sufficiently large. To put it differently, if $q ≫ t$ and $q ≫ e$ , then the error bound holds.

We can generalize the formula for the plaintext’s scaling factor in Summary B-2.2 (in §B-2.2) as $⌊ \frac{q}{t} ⌋$ , where $t$ is an odd (prime) number.

$⟨$ Summary B-2.3.1 $⟩$ Noise Budget for an Odd Plaintext Modulus $𝐭$

Given the plaintext’s scaling factor $Δ = ⌊ \frac{q}{t} ⌋$ and $t$ is an odd (prime) number, the LWE decryption works correctly as long as the error-bounding condition holds:

$| - 𝜖𝑘𝑡 + e | < \frac{Δ}{2}$

, where $𝜖 = \frac{q}{t} - ⌊ \frac{q}{t} ⌋$ is a decimal value between $[0, 1)$ , and $k$ accounts for the $t$ -overflows of the plaintext $m$ .

[prev][parent]

B-2.3 Decryption

B-2.3.1 In the Case of t not Dividing q

B-2.3.1 In the Case of $t$ not Dividing $q$