Initial Setup: $\mathrm{\Delta }=\lfloor {\displaystyle \frac{q}{t}}\rfloor \text{ is a plaintext scaling factor for polynomial encoding},S\underset{}{\overset{\$}{\leftarrow }}{R}_{⟨n,2⟩}$

, where plaintext modulus $t$ is either a prime ($p$) or a power of prime ($p^r$), and ciphertext modulus $q\gg t$. As for the coefficients of polynomial $S$, they can be either binary (i.e., $\{0,1\}$) or ternary (i.e., $\{-1,0,1\}$).

Encryption Input: $\mathrm{\Delta }M\in R_{⟨n,q⟩}$, $A_i\underset{}{\overset{\$}{\leftarrow }}{R}_{⟨n,q⟩}$, $E\underset{}{\overset{{\chi }_{\sigma }}{\leftarrow }}{R}_{⟨n,q⟩}$

1.

Compute $B=-A\cdot S+\mathrm{\Delta }M+E\in R_{⟨n,q⟩}$

2.

${\mathsf{\text{𝖱𝖫𝖶𝖤}}}_{S,\sigma }(\mathrm{\Delta }M)=(A,B)\in R_{⟨n,q⟩}^2$

Decryption Input: $\mathsf{\text{𝖼𝗍}}=(A,B)\in R_{⟨n,q⟩}^2$

${\mathsf{\text{𝖱𝖫𝖶𝖤}}}_{S,\sigma }^{-1}(\mathsf{\text{𝖼𝗍}})=\lceil {\displaystyle \frac{B+A\cdot Smodq}{\mathrm{\Delta }}}\rfloor modt=\lceil {\displaystyle \frac{\mathrm{\Delta }M+E}{\mathrm{\Delta }}}\rfloor modt=Mmodt$

(The noise $E=\underset{i=0}{\overset{n-1}{\sum <!--\; FUNCTION\; APPLICATION\; -->}}{e}_i{X}^i$ gets eliminated by the rounding process)

Conditions for Correct Decryption:

1.

Each noise coefficient $e_i$ growing during homomorphic operations should never exceed: $e_i<{\displaystyle \frac{\mathrm{\Delta }}{2}}$.

2.

Each plaintext coefficient $m_i$ being updated across homomorphic operations should never overflow or underflow $q$ (i.e., $m_i<q$)

3.

The specific noise bound is as explained in §B-2.3.1:

${\displaystyle \frac{k_{i}t+e_i}{\lfloor \frac{q}{t}\rfloor }}<{\displaystyle \frac{1}{2}}$ # $k_{i}t$ accounts for the plaintext $m_i$’s wrapped-around value as multiples of $t$