RNS-based ModDrop: ModDropRNS

ModDrop (§D-3.7, §D-4.6) is an operation of decreasing a ciphertext’s modulus from

q \to q^{'}

(where

q^{'}

divides

q

) without affecting the plaintext’s scaling factor(in the case of CKKS) or the noise’s scaling factor (in the case of BGV).

In an RNS-based ciphertext representation, ModDrop is equivalent to removing some of the base moduli in the ciphertext without affecting the scaling factor

Δ

. This can be achieved by converting the ciphertext’s base from

q

\bar{q}

where the base moduli set of

\bar{q}

are a subset of that of

q

; that is,

\bar{q}

divides

q

. Specifically, suppose that we have an input

(x_{1}, x_{2}, \dots, x_{k}) \in ℤ_{q_{1}} \times ℤ_{q_{2}} \times \dots \times ℤ_{q_{k}}

, and a new subset base

\bar{q} = q_{1} \cdot q_{2} \cdot \dots \cdot q_{k^{'}}

, where

k^{'} < k

. In this setup, the fast base conversion from

q \to \bar{q}

is equivalent to simply extracting the input value’s RNS residues associated with the base moduli

(q_{1}, q_{2}, \dots, q_{k^{'}})

. This is because of the following reasoning:

𝖥𝖺𝗌𝗍𝖡𝖢𝗈𝗇𝗏 ({x_{i}}_{i = 1}^{k}, q, \bar{q}) = {(\sum_{i = 1}^{k} | x_{i} \cdot z_{i} |_{q_{i}} \cdot y_{i} mod q_{j})}_{j \in [1, k^{'}]}

= x mod \bar{q}

𝑢𝑞

gets eliminated because

\bar{q}

divides

𝑢𝑞

= (x_{1}, x_{2}, \dots, x_{k^{'}}) \in ℤ_{q_{1}} \times ℤ_{q_{2}} \times \dots \times ℤ_{q_{k^{'}}}

Notice that the above fast base conversion from

q \to \bar{q}

(where

\bar{q}

divides

q

) does not generate any noise. This is different from the case of fast base conversion from

q \to b

(Summary D-5.1 in §D-5.1) where

q

and

b

are co-prime, which generates the noise

| 𝑢𝑞 |_{b}

(where integer

| u | \leq \frac{k}{2} + 1

The ModDrop operation is supported in all of BFV, BGV, and CKKS ciphertexts that are represented in RNS forms. However, note that ModDrop is possible only if the scaled plaintext (in the case of BFV and CKKS) or the scaled noise (in the case of BGV) does not exceed the ciphertext modulus after the mod-drop operation, because otherwise correct decryption is not possible. ModDrop_RNS is summarized as follows:

$⟨$ Summary D-5.3 $⟩$ ModDrop_RNS

Input: $(x_{1}, x_{2}, \dots, x_{k}) \in ℤ_{q_{1}} \times ℤ_{q_{2}} \times \dots \times ℤ_{q_{k}}$

$𝖥𝖺𝗌𝗍𝖡𝖢𝗈𝗇𝗏 ({x_{i}}_{i = 1}^{k}, q, \bar{q}) = {(\sum_{i = 1}^{k} | x_{i} \cdot z_{i} |_{q_{i}} \cdot y_{i} mod q_{j})}_{j \in [1, k^{'}]}$

# where $\bar{q}$ is a product of co-primes $q_{1} \cdot q_{2} \cdot \dots \cdot q_{k^{'}}$ , and $\bar{q}$ divides $q$

$= (x_{1}, x_{2}, \dots, x_{k^{'}}) \in ℤ_{q_{1}} \times ℤ_{q_{2}} \times \dots \times ℤ_{q_{k^{'}}}$ # no noise generated during the conversion

D-5.3 RNS-based ModDrop: ModDropRNS

D-5.3 RNS-based ModDrop: ModDrop_RNS