Gadget Decomposition for Noise Suppression

C-3.1 Gadget Decomposition for Noise Suppression

In the ciphertext-to-plaintext multiplication $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ , the noise $E$ grows to $E^{'} = Λ \cdot E$ . To limit this noise growth, we introduce a technique based on decomposing $Λ$ (§A-6.1) and a GLev encryption (§B-5.1) of $M$ as follows:

$Λ = Λ_{1} \frac{q}{β^{1}} + Λ_{2} \frac{q}{β^{2}} + \dots + Λ_{l} \frac{q}{β^{l}} \to {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) = (Λ_{1}, Λ_{2}, \dots, Λ_{l})$

${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M) = {{𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{1}} + E_{1}), {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{2}} + E_{2}), \dots {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{l}} + E_{l})}$

We will encrypt the plaintext $M$ as ${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of ${𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ , and compute ${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ . Notice that the results of both computations are the same as follows:

${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$

$= (Λ_{1}, Λ_{2}, \dots, Λ_{l}) \cdot ({𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M + E_{1}), {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M + E_{2}), \dots, {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M + E_{l}))$

$= Λ_{1} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M + E_{1}) + Λ_{2} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M + E_{2}) + \dots + Λ_{l} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M + E_{l})$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} Δ M + Λ_{1} E_{1}) + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{2} \cdot \frac{q}{β^{2}} Δ M + Λ_{2} E_{2}) + \dots + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{l} \cdot \frac{q}{β^{l}} Δ M + Λ_{l} E_{l})$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} Δ M + Λ_{2} \cdot \frac{q}{β^{2}} Δ M + \dots + Λ_{l} \cdot \frac{q}{β^{l}} Δ M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} ((Λ_{1} \cdot \frac{q}{β} + Λ_{2} \cdot \frac{q}{β^{2}} + \dots + Λ_{l} \cdot \frac{q}{β^{l}}) \cdot Δ M + E_{𝑎𝑙𝑙})$ $▹$ where $E_{𝑎𝑙𝑙} = \sum_{i = 1}^{l} Λ_{i} E_{i}$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ \cdot Δ M + E_{𝑎𝑙𝑙})$ $▹$ whose decryption is $Λ \cdot M$

While the decrypted results are the same, as we decompose $Λ$ into smaller plaintext polynomials $Λ_{1}, Λ_{2}, \dots, Λ_{l}$ , the noise generated by each of $l$ plaintext-to-ciphertext multiplications becomes smaller. Given the noise of each GLWE ciphertext in the GLev ciphertext is $E_{i}$ , the final noise of the ciphertext-to-plaintext multiplication is $E_{𝑎𝑙𝑙} = \sum_{i = 1}^{l} Λ_{i} \cdot E_{i}$ , which is much smaller than $Λ \cdot E$ , because the coefficients of each decomposed polynomial $Λ_{i}$ are significantly smaller than those of $Λ$ (i.e., $∥ Λ_{i} ∥_{\infty} \leq β ∕ 2$ , whereas $∥ Λ ∥_{\infty}$ can be as large as $q ∕ 2$ ). This is visually depicted in Figure 11.

Figure 11: Noise reduction in ciphertext-to-plaintext multiplication by gadget decomposition.

C-3.1.1 Discussion

Nevertheless, the decomposition technique is still very useful: for GLWE key-switching (§C-5), we will show how to key-switch by combining decomposed mask polynomials ${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (A_{i})$ with a precomputed key-switching key ${𝖪𝖲𝖪}_{i} = {𝖦𝖫𝖾𝗏}_{S^{'}, σ}^{β, l} (S_{i})$ , so gadget decomposition can be repeatedly leveraged across key-switching calls even though each individual application outputs a standard GLWE ciphertext.

Meanwhile, for the technique to repeatedly re-initialize the noise $E$ of regular ciphertexts, we will describe TFHE’s noise bootstrapping technique in §D-1.8.

[parent]