Decryption

[prev][parent][next]

B-4.3 Decryption

1.: Given the ciphertext $({A_{i}}_{i = 0}^{k - 1}, B)$ where $B = \sum_{i = 0}^{k - 1} (A_{i} \cdot S_{i}) + Δ \cdot M + E \in R_{⟨ n, q ⟩}$ , compute $B - \sum_{i = 0}^{k - 1} (A_{i} \cdot S_{i}) = Δ \cdot M + E$ .
2.: Round each coefficient of the polynomial $Δ \cdot M + E \in R_{⟨ n, q ⟩}$ to the nearest multiple of $Δ$ (i.e., round it as a base $Δ$ number), which is denoted as $⌈ Δ \cdot M + E ⌋_{Δ}$ . This operation successfully eliminates $E$ and gives $Δ \cdot M$ . One caveat is that $E$ ’s each coefficient $e_{i}$ has to be $e_{i} < \frac{Δ}{2}$ to be eliminated during the rounding. Otherwise, some of $e_{i}$ ’s higher bits will overlap the plaintext $m_{i}$ coefficient’s lower bit and won’t be eliminated during decryption, corrupting the plaintext $m_{1}$ .
3.: Compute $\frac{Δ \cdot M}{Δ}$ , which is equivalent to right-shifting each polynomial coefficient in $Δ \cdot M$ by ${log}_{2} Δ$ bits.

In summary, the GLWE decryption formula is summarized as follows:

$⟨$ Summary B-4.3 $⟩$ GLWE Decryption

Decryption Input: $C = ({A_{i}}_{i = 0}^{k - 1}, B) \in R_{⟨ n, q ⟩}^{k + 1}$

1.: ${𝖦𝖫𝖶𝖤}_{S, σ}^{- 1} (C) = B - \sum_{i = 0}^{k - 1} (A_{i} \cdot S_{i}) = Δ M + E \in R_{⟨ n, q ⟩}$
2.: Scale down $⌈ \frac{Δ M + E}{Δ} ⌋ mod t = M \in R_{⟨ n, t ⟩}$

For correct decryption, every noise coefficient $e_{i}$ of polynomial $E$ should be: $e_{i} < \frac{Δ}{2}$ .

B-4.3.1 Discussion

1.: LWE is a special case of GLWE where the polynomial ring’s degree $n = 1$ . That is, all polynomials in ${A_{i}}_{i = 0}^{k - 1}, {S_{i}}_{i = 0}^{k - 1}, E$ , and $M$ are zero-degree polynomial constants. Instead, there are $k$ such constants for $A_{i}$ and $S_{i}$ , so each of them forms a vector.
2.: RLWE is a special case of GLWE where $k = 1$ . That is, the secret key $S$ is a single polynomial $S_{0}$ , and each encryption is processed by only a single polynomial $A_{0}$ as a public key.
3.: Size of $𝐧$ : A large polynomial degree $n$ increases the number of the secret key’s coefficient terms (i.e., $S_{i} = s_{i, 0} + s_{i, 1} X + \dots + s_{i, n - 1} X^{n - 1}$ ), which makes it more difficult to guess the complete secret key. The same applies to the noise polynomial $E$ and the public key polynomials $A_{i}$ , thus making it harder to solve the search-hard problem (§B-1.1). Also, higher-degree polynomials can encode more plaintext terms in the same plaintext polynomial $M$ , improving the throughput efficiency of processing ciphertexts.
4.: Size of $𝐤$ : A large $k$ increases the number of the secret key polynomials $(S_{0}, S_{1}, \dots, S_{k})$ and the number of the one-time public key polynomials $(A_{0}, A_{1}, \dots, A_{k})$ , which makes it more difficult for the attacker to guess the complete secret keys. Meanwhile, there is only a single $M$ and $E$ polynomials per GLWE ciphertext, regardless of the size of $k$ .
5.: Reducing the Ciphertext Size: The public key ${A_{i}}_{i = 0}^{k - 1}$ has to be created for each ciphertext, which is a big size. To reduce this size, each ciphertext can instead include the seed $d$ for the pseudo-random number generation hash function $H$ . Then, the public key can be lively computed $k - 1$ times upon each encryption & decryption as ${H (s), H (H (s)), H (H (H (s)), \dots}$ . Note that $H$ , by nature, generates the same sequence of numbers given the same random initial seed $d$ .

[prev][parent][next]