[prev][parent][next]

D-1.6 Homomorphic Ciphertext-to-Ciphertext Multiplication

- Reference: TFHE Deep Dive - Part III - Key switching and leveled multiplicationsΒ [9]

TFHE supports multiplication of two ciphertexts in the form: 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) ⋅𝖦𝖲𝖢sβ†’,σβ,l(m2).

The 1st term 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) comes from one of the following:

The 2nd term 𝖦𝖲𝖢sβ†’,σβ,l(m2) comes from one of the following:

Remember the following:

𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) = (aβ†’,b) ∈ β„€qk+1, where b = aβ†’ β‹…sβ†’ + Ξ”m1 + e

𝖦𝖲𝖢sβ†’,σβ,l(m2) = {{𝖫𝖾𝗏sβ†’,σβ,l(βˆ’si β‹…m2)}i=0kβˆ’1,𝖫𝖾𝗏sβ†’,σβ,l(m2)}∈ β„€q(k+1)β‹…lβ‹…(k+1) # from Β§B-6.1

Let’s use the following notations:

𝖦𝖲𝖢sβ†’,σβ,l(m2) = 𝖼𝗍¯ = (𝖼𝗍¯0,.𝖼𝗍¯1, ⋯ 𝖼𝗍¯k)

𝖼𝗍¯i = 𝖫𝖾𝗏sβ†’,σβ,l(βˆ’si β‹…m2) for 0 ≀i ≀(k βˆ’1)

𝖼𝗍¯k = 𝖫𝖾𝗏sβ†’,σβ,l(m2)

𝖼𝗍 = 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) = (aβ†’,b) = (a0,a1,Β β‹―Β ,akβˆ’1,b) = (𝖼𝗍0,𝖼𝗍1,β‹―,𝖼𝗍k)

Let’s define the following TFHE ciphertext multiplication operation:

𝖼𝗍 ⋅𝖼𝗍¯ = βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(𝖼𝗍i),𝖼𝗍¯i⟩

Then, the following is true:

⟨Summary D-1.6⟩ TFHE Ciphertext-to-Ciphertext Multiplication

𝖼𝗍 = 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) = (a0,a1,β‹―,akβˆ’1,b)

𝖼𝗍¯ = 𝖦𝖲𝖢sβ†’,σβ,l(m2) = (𝖫𝖾𝗏sβ†’,Οƒ(βˆ’s0β‹…m2),𝖫𝖾𝗏sβ†’,σβ,l(βˆ’s1β‹…m2),β‹―,𝖫𝖾𝗏sβ†’,σβ,l(βˆ’skβˆ’1β‹…m2),𝖫𝖾𝗏sβ†’,σβ,l(m2))

𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) ⋅𝖦𝖲𝖢sβ†’,σβ,l(m2) = βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(𝖼𝗍i),𝖼𝗍¯i⟩= 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1m2)

This means that multiplying two TFHE ciphertexts (one is in LWE and another in GSW) and decrypting the resulting LWE ciphertext gives the same result as multiplying their two original plaintexts.

Proof.

1.
βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(𝖼𝗍i),𝖼𝗍¯i⟩
= βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(a0),𝖼𝗍¯0⟩+βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(a1),𝖼𝗍¯1⟩+Β β‹―Β +βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(akβˆ’1),𝖼𝗍¯kβˆ’1⟩+βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(b),𝖼𝗍¯k⟩
# expanding the dot product of two vectors
2.
For i = k:
π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(b) = (b1,b2,Β β‹―Β ,bl), where b = b1 q Ξ²1 + b2 q Ξ²2 + Β β‹―Β  + bl q Ξ²l # from Β§A-6.2
𝖼𝗍¯k = 𝖫𝖾𝗏sβ†’,σβ,l(m2) = (𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²1) ,𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²2) ,Β β‹―Β ,𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²l))

Therefore:
βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(b),𝖼𝗍¯k⟩
= b1 ⋅𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²1) + b2 ⋅𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²2) + Β β‹―Β  + bl ⋅𝖫𝖢𝖀sβ†’,Οƒ (m2 q Ξ²l)
= 𝖫𝖢𝖀sβ†’,Οƒ (b1m2 q Ξ²1) + 𝖫𝖢𝖀sβ†’,Οƒ (b2m2 q Ξ²2) + Β β‹―Β  + 𝖫𝖢𝖀sβ†’,Οƒ (blm2 q Ξ²l) # from Β§C-3
= 𝖫𝖢𝖀sβ†’,Οƒ (b1m2 q Ξ²1 + b2m2 q Ξ²2 + Β β‹―Β  + blm2 q Ξ²l) # from Β§C-1
= 𝖫𝖢𝖀sβ†’,Οƒ (m2 β‹… (b1 q Ξ²1 + b2 q Ξ²2 + Β β‹―Β  + bl q Ξ²l))
= 𝖫𝖢𝖀sβ†’,Οƒ(m2b) # from Β§A-6.2

3.
For 0 ≀i ≀(k βˆ’1):
π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(ai) = (a⟨i,1⟩,a⟨i,2⟩,Β β‹―Β ,a⟨i,l⟩), where ai = a⟨i,1⟩ q Ξ²1 + a⟨i,2⟩ q Ξ²2 + Β β‹―Β  + a⟨i,l⟩ q Ξ²l
𝖼𝗍¯i = 𝖫𝖾𝗏sβ†’,σβ,l(βˆ’sim2) = (𝖫𝖢𝖀sβ†’,Οƒ (βˆ’sim2 q Ξ²1) ,𝖫𝖢𝖀sβ†’,Οƒ (βˆ’sim2 q Ξ²2) ,Β β‹―Β ,𝖫𝖢𝖀sβ†’,Οƒ (βˆ’sim2 q Ξ²l))

Therefore:
βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(a0),𝖼𝗍¯0⟩+ βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(a1),𝖼𝗍¯1⟩+ Β β‹―Β  + βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(akβˆ’1),𝖼𝗍¯kβˆ’1⟩
= βˆ‘ ⁑ i=0kβˆ’1βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(ai),𝖼𝗍¯i⟩
= βˆ‘ ⁑ i=0kβˆ’1 (a⟨i,1βŸ©β‹…π–«π–Άπ–€sβ†’,Οƒ (βˆ’sim2 q Ξ²1) + a⟨i,2βŸ©β‹…π–«π–Άπ–€sβ†’,Οƒ (βˆ’sim2 q Ξ²2) + Β β‹―Β  + a⟨i,lβŸ©β‹…π–«π–Άπ–€sβ†’,Οƒ (βˆ’sim2 q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1 (𝖫𝖢𝖀sβ†’,Οƒ (βˆ’a⟨i,1⟩sim2 q Ξ²1) + 𝖫𝖢𝖀sβ†’,Οƒ (βˆ’a⟨i,2⟩sim2 q Ξ²2) + Β β‹―Β  + 𝖫𝖢𝖀sβ†’,Οƒ (βˆ’a⟨i,l⟩sim2 q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1𝖫𝖢𝖀sβ†’,Οƒ (βˆ’a⟨i,1⟩sim2 q Ξ²1 + βˆ’a⟨i,2⟩sim2 q Ξ²2 + Β β‹―Β  + βˆ’a⟨i,l⟩sim2 q Ξ²l)
= βˆ‘ ⁑ i=0kβˆ’1𝖫𝖢𝖀sβ†’,Οƒ (βˆ’sim2 β‹… (a⟨i,1⟩ q Ξ²1 + a⟨i,2⟩ q Ξ²2 + Β β‹―Β  + a⟨i,l⟩ q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1𝖫𝖢𝖀sβ†’,Οƒ(βˆ’sim2ai)

4.
According to step 2 and 3,
βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(𝖼𝗍i),𝖼𝗍¯i⟩
= βˆ‘ ⁑ i=0kβˆ’1𝖫𝖢𝖀sβ†’,Οƒ(βˆ’sim2ai) + 𝖫𝖢𝖀sβ†’,Οƒ(m2b)
= 𝖫𝖢𝖀sβ†’,Οƒ( βˆ‘ ⁑ i=0kβˆ’1(βˆ’sim2ai) + m2b) # addition of two GLWE ciphertexts
= 𝖫𝖢𝖀sβ†’,Οƒ(m2b βˆ’βˆ‘ ⁑ i=0kβˆ’1m2aisi)
= 𝖫𝖢𝖀sβ†’,Οƒ(m2(b βˆ’βˆ‘ ⁑ i=0kβˆ’1aisi))
= 𝖫𝖢𝖀sβ†’,Οƒ(m2(Ξ”m1 + e))
= 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1m2 + m2e)
β‰ˆπ–«π–Άπ–€sβ†’,Οƒ(Ξ”m1m2) # given e is small and thus m2e is also small
β–‘
D-1.6.1 Discussion on the Noise Growth

Note that after ciphertext-to-ciphertext multiplication, the noise grows to:

𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1) ⋅𝖦𝖲𝖢S,σβ,l(m2) = 𝖫𝖢𝖀sβ†’,Οƒ(Ξ”m1m2 + m2e)Β (β‰ˆπ–«π–Άπ–€sβ†’,Οƒ(Ξ”m1m2))

To reduce the noise, noise bootstrapping is needed (will be discussed in Β§D-1.8).

D-1.6.2 Generalization to GLWE-to-GGSW Multiplication

We can further generalize TFHE’s LWE-to-GSW multiplication to GLWE-to-GGSW multiplication between the following two ciphertexts: 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) ⋅𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2), where M1, M2, and S are (n βˆ’1)-degree polynomials.

The 1st term 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) comes from one of the following:

The 2nd term 𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2) comes from one of the following:

Remember the following:

𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) = (A0,A0,Β β‹―Β ,Akβˆ’1,B) ∈Rn,qk+1, where B = βˆ‘ ⁑ i=0kβˆ’1(Ai β‹…Si) + Ξ”M1 + E
# from Β§B-4.2

𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2) = {{𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’Si β‹…M2)}i=0kβˆ’1,𝖦𝖫𝖾𝗏Sβ†’,σβ,l(M2)}∈R⟨n,q⟩(k+1)β‹…lβ‹…(k+1) # from Β§B-6.1

Let’s use the following notations:

𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2) = CΒ― = (C0Β―,.C1Β―,Β β‹―Β CkΒ―)

CiΒ― = 𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’Si β‹…M2) for 0 ≀i ≀(k βˆ’1)

CkΒ― = 𝖦𝖫𝖾𝗏Sβ†’,σβ,l(M2)

𝖼𝗍 = 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) = (C0,C1,Β β‹―Β ,Ck) = (A0,A1,Β β‹―Β ,Akβˆ’1,B)

Let’s define the following TFHE ciphertext multiplication operation:

𝖼𝗍 β‹…CΒ― = βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ci),Ci¯⟩

Then, the following is true:

⟨Summary D-1.6.2⟩ Generalization to GLWE-to-GGSW Multiplication

𝖼𝗍 = 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) = (A0,A1,β‹―,Akβˆ’1,B)

CΒ― = 𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2)

= (𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’S0β‹…M2),𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’S1β‹…M2),β‹―,𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’Skβˆ’1β‹…M2),𝖦𝖫𝖾𝗏Sβ†’,σβ,l(M2))

𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1) ⋅𝖦𝖦𝖲𝖢Sβ†’,σβ,l(M2) = βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ci),Ci¯⟩= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1M2)

This means that multiplying two TFHE ciphertexts (one is in GLWE and another in GGSW) and decrypting the resulting GLWE ciphertext gives the same result as multiplying their two original plaintexts.

Proof.

1.
βˆ‘ ⁑ i=0kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ci),Ci¯⟩
= βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(A0),C0¯⟩+βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(A1),C1¯⟩+Β β‹―Β +βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Akβˆ’1),CΒ―kβˆ’1⟩+βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(B),Ck¯⟩
# expanding the dot product of two vectors
2.
For i = k:
π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(B) = (B1,B2,Β β‹―Β ,Bl), where B = B1 q Ξ²1 + B2 q Ξ²2 + Β β‹―Β  + Bl q Ξ²l # from Β§A-6.2
CΒ―k = 𝖦𝖫𝖾𝗏Sβ†’,σβ,l(M2) = (𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²1) ,𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²2) ,Β β‹―Β ,𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²l))

Therefore:
βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(B),Ck¯⟩
= B1 ⋅𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²1) + B2 ⋅𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²2) + Β β‹―Β  + Bl ⋅𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 q Ξ²l)
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (B1M2 q Ξ²1) + 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (B2M2 q Ξ²2) + Β β‹―Β  + 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (BlM2 q Ξ²l) # from Β§C-3
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (B1M2 q Ξ²1 + B2M2 q Ξ²2 + Β β‹―Β  + BlM2 q Ξ²l) # from Β§C-1
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (M2 β‹… (B1 q Ξ²1 + B2 q Ξ²2 + Β β‹―Β  + Bl q Ξ²l))
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(M2B) # from Β§A-6.2

3.
For 0 ≀i ≀(k βˆ’1):
π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ai) = (A⟨i,0⟩,A⟨i,1⟩,Β β‹―Β ,A⟨i,l⟩), where Ai = A⟨i,0⟩ q Ξ²1 + A⟨i,1⟩ q Ξ²2 + Β β‹―Β  + A⟨i,l⟩ q Ξ²l
CiΒ― = 𝖦𝖫𝖾𝗏Sβ†’,σβ,l(βˆ’SiM2) = (𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’SiM2 q Ξ²1) ,𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’SiM2 q Ξ²2) ,Β β‹―Β ,𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’SiM2 q Ξ²l))

Therefore:
βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(A0),C0¯⟩+ βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(A1),C1¯⟩+ Β β‹―Β  + βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Akβˆ’1),CΒ―kβˆ’1⟩
= βˆ‘ ⁑ i=0kβˆ’1βŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ai),Ci¯⟩
= βˆ‘ ⁑ i=0kβˆ’1 (A⟨i,1βŸ©β‹…π–¦π–«π–Άπ–€Sβ†’,Οƒ (βˆ’SiM2 q Ξ²1) + A⟨i,2βŸ©β‹…π–¦π–«π–Άπ–€Sβ†’,Οƒ (βˆ’SiM2 q Ξ²2) + Β β‹―Β  + A⟨i,lβŸ©β‹…π–¦π–«π–Άπ–€Sβ†’,Οƒ (βˆ’SiM2 q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1 (𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’A⟨i,1⟩SiM2 q Ξ²1) + 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’A⟨i,2⟩SiM2 q Ξ²2) + Β β‹―Β  + 𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’A⟨i,l⟩SiM2 q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’A⟨i,1⟩SiM2 q Ξ²1 + βˆ’A⟨i,2⟩SiM2 q Ξ²2 + Β β‹―Β  + βˆ’A⟨i,l⟩SiM2 q Ξ²l)
= βˆ‘ ⁑ i=0kβˆ’1𝖦𝖫𝖢𝖀Sβ†’,Οƒ (βˆ’SiM2 β‹… (A⟨i,1⟩ q Ξ²1 + A⟨i,2⟩ q Ξ²2 + Β β‹―Β  + A⟨i,l⟩ q Ξ²l))
= βˆ‘ ⁑ i=0kβˆ’1𝖦𝖫𝖢𝖀Sβ†’,Οƒ(βˆ’SiM2Ai)

4.
According to step 2 and 3,
βˆ‘ ⁑ i=0k=kβŸ¨π–£π–Ύπ–Όπ—ˆπ—†π—‰Ξ²,l(Ci),Ci¯⟩
= βˆ‘ ⁑ i=0kβˆ’1𝖦𝖫𝖢𝖀Sβ†’,Οƒ(βˆ’SiM2Ai) + 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(M2B)
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ( βˆ‘ ⁑ i=0kβˆ’1(βˆ’SiM2Ai) + M2B) # addition of two GLWE ciphertexts
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(BM2 βˆ’βˆ‘ ⁑ i=0kβˆ’1M2AiSi)
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(M2(B βˆ’βˆ‘ ⁑ i=0kβˆ’1AiSi))
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(M2(Ξ”M1 + E))
= 𝖦𝖫𝖢𝖀Sβ†’,Οƒ(Ξ”M1M2 + M2E)
β‰ˆπ–¦π–«π–Άπ–€Sβ†’,Οƒ(Ξ”M1M2) # given E is small and thus M2E is also small
β–‘

[prev][parent][next]