[parent]
Noise Elimination: If we decrypt by using the secret key , then we get the plaintext . Meanwhile, get eliminated by rounding after decryption, regardless of whatever their randomly sampled values were during encryption.
Noise Growth: Note that after decryption, the original ciphertext βs noise has increased from and to . However, if the noise is sampled from a Gaussian distribution with the mean , then the addition of multiple noises will converge to 0. Therefore, there is not much issue of noise growth in the homomorphic addition of two ciphertexts.
Hard Threshold on the Plaintextβs Value Without Modulo Reduction : During homomorphic operations (e.g., addition or multiplication) and decryption, the and terms in the relation are allowed to wrap around modulo indefinitely, because regardless of whatever their wrapping count is, the final decryption step will always subtract by , outputting , and the term is always exactly eliminated by modulo reduction by . After that, we can correctly recover by computing , eliminating the noise . However, as we explained in SummaryΒ B-2.3.1 in Β§B-2.3.1), if the error bound breaks (where can be any coefficient of ), then modulo reduction by starts to contaminate the scaled plaintext bits. This violation of the error bound occurs when the noise grows too much over homomorphic operations, or the ciphertext modulus is not sufficiently larger than the plaintext modulus . If , the scheme can take on a big value (i.e., the plaintext value can wrap around the plaintext modulus many times across its homomorphic operations). The error bound constraint is used in the BFV scheme.
[parent]