Sparsely Packing Ciphertexts

In §D-3.1, we learned the CKKS encoding scheme which encodes an input vector with

\frac{n}{2}

slots (i.e.,

\frac{n}{2}

-dimensional input vector) into an

(n - 1)

-degree polynomial. While the polynomial ring’s degree

n

is fixed at the setup stage of CKKS as a security parameter, some applications may only need to use fewer than

\frac{n}{2}

input vector slots. Suppose we only need to use

\frac{n^{'}}{2}

slots out of

\frac{n}{2}

slots, where

n^{'}

is some number that divides

n

. Then, the corresponding input vector and encoded polynomial get a special property as described below:

$⟨$ Summary D-3.12 $⟩$ CKKS’s Sparsely Packing Polynomial and Ciphertext

Suppose that an $\frac{n}{2}$ -dimensional input vector gets encoded into a polynomial in $ℝ [X] ∕ (X^{n} + 1)$ . And suppose that $n^{'}$ is some number that divides $n$ . We define polynomial $M (X) \in ℝ [X] ∕ (X^{n} + 1)$ as the one which has non-zero constants at the terms whose power is a multiple of $\frac{n}{n^{'}}$ and all other terms have zero constants (i.e., $M (X) = c_{0} + c_{\frac{n}{n^{'}}} X^{\frac{n}{n^{'}}} + c_{\frac{2 n}{n^{'}}} X^{\frac{2 n}{n^{'}}} + \dots + c_{n - \frac{n}{n^{'}}} X^{n - \frac{n}{n^{'}}}$ ). We can express $M (X)$ as some $M_{Y} (Y) \in ℝ [Y] ∕ (Y^{n^{'}} + 1)$ where $Y = X^{\frac{n}{n^{'}}}$ and thus $M (X) = M_{Y} (X^{\frac{n}{n^{'}}})$ .

Then, the following are true:

1.: Every $M_{Y} (Y) \in ℝ [Y] ∕ (Y^{n^{'}} + 1)$ is isomorphically mapped to (i.e., decoded into) some $\frac{n}{2}$ -dimensional input vector which comprises $\frac{n}{n^{'}}$ repetitions of $\frac{n^{'}}{2}$ consecutive slot values.
2.: Conversely, if an $\frac{n}{2}$ -dimensional input vector comprises $\frac{n}{n^{'}}$ repetitions of the first $\frac{n^{'}}{2}$ consecutive slot values, then the vector gets encoded into some $M_{Y} (Y) \in ℝ [Y] ∕ (Y^{n^{'}} + 1)$ (i.e., some polynomial in $ℝ [X] ∕ (X^{n} + 1)$ that has zero constants at the terms whose degree is not a multiple of $\frac{n}{n^{'}}$ ).

We could show both directions of proof: (1) the forward (decoding-direction) proof; and (2) the backward (encoding-direction) proof. However, it is sufficient to prove only either direction, because the encoding (

σ^{- 1}

) and decoding (

σ

) processes are isomorphic. Among these two, we will show only the forward proof for simplicity.

D-3.12.1 Forward Proof: Decoding of Sparsely Packed Ciphertext

We will prove that for each

M_{Y} (Y) \in ℤ [Y] ∕ (Y^{n^{'}} + 1)

(i.e., a polynomial in

ℝ [X] ∕ (X^{n} + 1)

which has non-zero constants only at those terms with a power of multiple of

\frac{n}{n^{'}}

and zero constants in all other terms), the polynomial gets decoded into some

\frac{n}{2}

-dimensional input vector which comprises

\frac{n}{n^{'}}

repetitions of the first

\frac{n^{'}}{2}

consecutive slot values.

To decode

M (X)

into an input vector, we need to evaluate

M (X)

\frac{n}{2}

distinct roots of

X^{n} + 1

(i.e.,

n

distinct primitive

(μ = 2 n)

-th roots of unity), which are:

# where

ω = e^{\frac{𝑖𝜋}{n}}

, the base and generator of the primitive (

μ = 2 n

)-th roots of unity

But since

M (X) = M_{Y} (X^{\frac{n}{n^{'}}})

, the above evaluation is equivalent to evaluating:

(M_{Y} ({(ω^{J (0)})}^{\frac{n}{n^{'}}}), M_{Y} ({(ω^{J (1)})}^{\frac{n}{n^{'}}}), \dots, M_{Y} ({(ω^{J (\frac{n}{2} - 1)})}^{\frac{n}{n^{'}}}))

= (M_{Y} ({(ω^{\frac{n}{n^{'}}})}^{J (0)}), M_{Y} ({(ω^{\frac{n}{n^{'}}})}^{J (1)}), \dots, M_{Y} ({(ω^{\frac{n}{n^{'}}})}^{J (\frac{n}{2} - 1)}))

= (M_{Y} (ξ^{J (0)}), M_{Y} (ξ^{J (1)}), \dots, M_{Y} (ξ^{J (\frac{n}{2} - 1)}))

# where

ξ = e^{\frac{𝑖𝜋}{n^{'}}}

, the base and generator of the primitive

(μ = 2 n^{'})

-th roots of unity

Notice that

ξ = ω^{\frac{n}{n^{'}}}

. Therefore, the above evaluation of

M_{Y} (Y)

outputs

\frac{n}{n^{'}}

repeated values of

M_{Y} (Y)

evaluated at

\frac{n^{'}}{2}

distinct primitive

(μ = 2 n^{'})

-th roots of unity.

D-3.12 Sparsely Packing Ciphertexts

D-3.12.1 Forward Proof: Decoding of Sparsely Packed Ciphertext