Gadget Decomposition for Noise Suppression

C-3.1 Gadget Decomposition for Noise Suppression

In the ciphertext-to-plaintext multiplication $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ , the noise $E$ grows to $E^{'} = Λ \cdot E$ . To limit this noise growth, we introduce a technique based on decomposing $Λ$ (§A-6.1) and a GLev encryption (§B-5.1) of $M$ as follows:

$Λ = Λ_{1} \frac{q}{β^{1}} + Λ_{2} \frac{q}{β^{2}} + \dots + Λ_{l} \frac{q}{β^{l}} \to {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) = (Λ_{1}, Λ_{2}, \dots, Λ_{l})$

${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M) = {{𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{1}} + E_{1}), {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{2}} + E_{2}), \dots {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{l}} + E_{l})}$

We will encrypt the plaintext $M$ as ${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of ${𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ , and compute ${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ . Notice that the results of both computations are the same as follows:

${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$

$= (Λ_{1}, Λ_{2}, \dots, Λ_{l}) \cdot ({𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M + E_{1}), {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M + E_{2}), \dots, {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M + E_{l}))$

$= Λ_{1} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M + E_{1}) + Λ_{2} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M + E_{2}) + \dots + Λ_{l} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M + E_{l})$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} Δ M + Λ_{1} E_{1}) + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{2} \cdot \frac{q}{β^{2}} Δ M + Λ_{2} E_{2}) + \dots + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{l} \cdot \frac{q}{β^{l}} Δ M + Λ_{l} E_{l})$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} Δ M + Λ_{2} \cdot \frac{q}{β^{2}} Δ M + \dots + Λ_{l} \cdot \frac{q}{β^{l}} Δ M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} ((Λ_{1} \cdot \frac{q}{β} + Λ_{2} \cdot \frac{q}{β^{2}} + \dots + Λ_{l} \cdot \frac{q}{β^{l}}) \cdot Δ M + E_{𝑎𝑙𝑙})$ $▹$ where $E_{𝑎𝑙𝑙} = \sum_{i = 1}^{l} Λ_{i} E_{i}$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ \cdot Δ M + E_{𝑎𝑙𝑙})$

$= Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M + E_{𝑎𝑙𝑙})$

While the computation results are the same, as we decompose $Λ$ into smaller plaintext polynomials $Λ_{1}, Λ_{2}, \dots, Λ_{l}$ , the noise generated by each of $l$ plaintext-to-ciphertext multiplications becomes smaller. Given the noise of each GLWE ciphertext in the GLev ciphertext is $E_{i}$ , the final noise of the ciphertext-to-plaintext multiplication is $E_{𝑎𝑙𝑙} = \sum_{i = 1}^{l} Λ_{i} \cdot E_{i}$ , which is much smaller than $Λ \cdot E$ , because the coefficients of each decomposed polynomial $Λ_{i}$ are significantly smaller than those of $Λ$ (i.e., $∥ Λ_{i} ∥_{\infty} \leq β ∕ 2$ , whereas $∥ Λ ∥_{\infty}$ can be as large as $q ∕ 2$ ). This is visually depicted in Figure 11.

Figure 11: Noise reduction in ciphertext-to-plaintext multiplication by gadget decomposition.

However, we cannot use this decomposition technique to the resulting ciphertext again, because the output of this algorithm is a GLWE ciphertext and converting it into a GLev ciphertext without decrypting it costs much noise and computation time (as we need to multiply the GLWE ciphertext by $\frac{q}{β}, \frac{q}{β^{2}}, \dots, \frac{q}{β^{l}})$ .

As a more efficient technique to re-initialize the noise $E$ , we will describe TFHE’s noise bootstrapping technique in §D-1.8.

[parent]