Gadget Decomposition for Noise Suppression

C-3.1 Gadget Decomposition for Noise Suppression

In ciphertext-to-plaintext multiplication $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (M)$ , the noise $E$ grows to $E^{'} = Λ \cdot E$ . To limit this noise growth, we introduce a technique based on decomposing $Λ$ (§A-6.1) and a GLev encryption (§B-5.1) of $M$ as follows:

$Λ = Λ_{1} \frac{q}{β^{1}} + Λ_{2} \frac{q}{β^{2}} + \dots + Λ_{l} \frac{q}{β^{l}} \to {𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) = (Λ_{1}, Λ_{2}, \dots, Λ_{l})$

${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M) = {{𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{1}}), {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{2}}), \dots {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M \frac{q}{β^{l}})}$

We will encrypt the plaintext $M$ as ${𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of ${𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ , and compute $𝖣𝖾𝖼𝗈𝗆𝗉 ({𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$ instead of $Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$ . Notice that the results of both computations are the same as follows:

${𝖣𝖾𝖼𝗈𝗆𝗉}^{β, l} (Λ) \cdot {𝖦𝖫𝖾𝗏}_{S, σ}^{β, l} (Δ M)$

$= (Λ_{1}, Λ_{2}, \dots, Λ_{l}) \cdot ({𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M), {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M), \dots, {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M))$

$= Λ_{1} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β} Δ M) + Λ_{2} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{2}} Δ M) + \dots + Λ_{l} \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (\frac{q}{β^{l}} Δ M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} M) + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{2} \cdot \frac{q}{β^{2}} M) + \dots + {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{l} \cdot \frac{q}{β^{l}} M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ_{1} \cdot \frac{q}{β} Δ M + Λ_{2} \cdot \frac{q}{β^{2}} Δ M + \dots + Λ_{l} \cdot \frac{q}{β^{l}} Δ M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} ((Λ_{1} \cdot \frac{q}{β} + Λ_{2} \cdot \frac{q}{β^{2}} + \dots + Λ_{l} \cdot \frac{q}{β^{l}}) \cdot Δ M)$

$= {𝖦𝖫𝖶𝖤}_{S, σ} (Λ \cdot Δ M)$

$= Λ \cdot {𝖦𝖫𝖶𝖤}_{S, σ} (Δ M)$

While the computation results are the same, as we decompose $Λ$ into smaller plaintext polynomials $Λ_{1}, Λ_{2}, \dots, Λ_{l}$ , the generated noise by each of $l$ plaintext-to-ciphertext multiplications becomes smaller. Given the noise of each GLWE ciphertext in the GLev ciphertext is $E_{i}$ , the final noise of the ciphertext-to-plaintext multiplication is $\sum_{i = 1}^{l} Λ_{i} \cdot E_{i}$ , which is much smaller than $Λ \cdot E$ (because the coefficients of each decomposed polynomial $Λ_{i}$ are significantly smaller than those of $Λ$ ). This is visually depicted in Figure 11.

Figure 11: Noise reduction in ciphertext-to-plaintext multiplication by gadget decomposition.

However, we cannot use this decomposition technique to the resulting ciphertext again, because the output of this algorithm is a GLWE ciphertext and converting it into a GLev ciphertext without decrypting it costs much noise and computation time (as we need to multiply the GLWE ciphertext by $\frac{q}{β}, \frac{q}{β^{2}}, \dots, \frac{q}{β^{l}})$ .

As a more efficient technique to re-initialize the noise $E$ , we will describe TFHE’s noise bootstrapping technique in §D-1.8.

[parent]