[prev][parent][next]

C-4.4 RLWE Modulus Switching

RLWE modulus switching is similar to LWE modulus switching. Recall that the RLWE cryptosystem (§B-3.2) comprises the following components:

RLWE modulus switching is done as follows:

Summary C-4.4 RLWE Modulus Switching

For an RLWE ciphertext (A,B) where B = 𝐴𝑆 + ΔM + E and M Rn,q, modulus switch of the ciphertext from q to q^ is equivalent to updating (A,B) to (A^,B^) as follows:

A^ = a^0 + a^1X + a^2X2 + + a^n1Xn1, where each a^i = aiq^ q q^

B^ = b^0 + b^1X + b^2X2 + + b^n1Xn1, where each b^i = biq^ q q^

𝖱𝖫𝖶𝖤S,σ(Δ^M) = (A^,B^) Rn,q^2

The above update effectively changes Δ and E as follows:

Δ^ = Δq^ q # which should be an integer

E^ = e^0 + e^1X + e^2X2 + + e^n1Xn1, where each e^i = eiq^ q q^

Meanwhile, S and M stay the same as before.

The proof is similar to that of LWE modulus switching.

Proof

1.
Note the following:

b^i = biq^ q = biq^ q + 𝜖bi (where 0.5 < 𝜖bi < 0.5, a rounding drift error)

a^i = aiq^ q = aiq^ q + 𝜖ai (where 0.5 < 𝜖ai < 0.5)

e^i = eiq^ q = eiq^ q + 𝜖ei (where 0.5 < 𝜖ei < 0.5)

2.
Note the following:

B A S

= (b0 + b1X +    + bn1Xn1) (a0 + a1X +    + an1Xn1)(s0 + s1X +    + sn1Xn1)

= (b0 ( i=00(a0isi) i=1n1(anisi)))

+ (b1 ( i=01(a1isi) i=2n1(an+1isi))) X

+ (b2 ( i=02(a2isi) i=3n1(an+2isi))) X2

  

+ (bn1 ( i=0n1(an1isi) i=nn1(an+n1isi))) Xn1 # Grouping the terms by same exponents

= h=0n1 (bh ( i=0h(ahisi) i=h+1n1(an+hisi))) Xh

Thus,

B = h=0n1bhXh

A S = h=0n1 ( i=0h(ahisi) i=h+1n1(an+hisi)) Xh

3.
Based on step 2,

B = A S + ΔM + E

h=0n1bhXh = h=0n1 ( i=0h(ahisi) i=h+1n1(an+hisi))Xh+Δ h=0n1mhXh+ h=0n1ehXh q

h=0n1bhXh = h=0n1 ( i=0h(ahisi) i=h+1n1(an+hisi))Xh+Δ h=0n1mhXh+ h=0n1ehXh+Hq

(where modulo q is replaced by adding H q, an (n 1)-degree polynomial whose each coefficient ci is some multiple of q)

4.
According to step 1 and 3, for each j in 0 j n 1:

b^j = bjq^ q + 𝜖bj q^

= ( i=0j(ajisi) i=j+1n1(an+jisi) + Δmj + ej + cj q) q^ q + 𝜖bj

= q^ q i=0j(ajisi) q^ q i=j+1n1(an+jisi) + q^ q Δmj + q^ q ej + q^ q cj q + 𝜖bj

= i=0j (q^ q ajisi) i=j+1n1 (q^ q an+jisi) + Δ^mj + (e^j 𝜖ej) + q^ cj + 𝜖bj

= i=0j((a^ji𝜖aji)si) i=j+1n1((a^n+ji𝜖an+ji)si)+Δ^mj+(e^j𝜖ej)+q^cj+𝜖bj

= i=0j(a^jisi) i=j+1n1(a^n+jisi) i=0j(𝜖ajisi)+ i=j+1n1(𝜖an+jisi)+Δ^mj+(e^j𝜖ej)+q^cj+𝜖bj

= ( i=0j(a^jisi) i=j+1n1(a^n+jisi))+Δ^mj+e^j+(𝜖bj 𝜖ej i=0j(𝜖ajisi) + i=j+1n1(𝜖an+jisi))+q^cj

= ( i=0j(a^jisi) i=j+1n1(a^n+jisi)) + Δ^mj + e^j + 𝜖𝑎𝑙𝑙 q^

# where 𝜖𝑎𝑙𝑙 = 𝜖bj 𝜖ej i=0j(𝜖ajisi) + i=j+1n1(𝜖an+jisi) 0

5.
To summarize, for each 0 j n 1, each polynomial degree coefficient bj^ is approximately as follows:

b^j = ( i=0j(a^jisi) i=j+1n1(a^n+jisi)) + Δ^mj + e^j + 𝜖𝑎𝑙𝑙

( i=0j(a^jisi) i=j+1n1(a^n+jisi)) + Δ^mj + e^j

Thus, (a^0,a^1,  ,b^) = 𝖱𝖫𝖶𝖤S,σ(Δ^M), decrypting which will give us M.

[prev][parent][next]