D-3.7 ModDrop

Remember that CKKS’s ciphertext decryption relation is as follows:

$\mathrm{\Delta }M+E=A\cdot S+Bmod{q}_l$

$\mathrm{\Delta }M+E=A\cdot S+B-K\cdot q_l$ # where $K\cdot q_l$ represents a modulo reduction by $q_l$

ModDrop is an operation of lowering the multiplicative level of a ciphertext by sequentially throwing away its modulus’s one or more prime elements $\left(\text{i.e.,}{\left\{{\displaystyle \frac{q_i}{q_{i-1}}}\right\}}_{i=0}^L\right)$ except for the last one $q_0$, while ensuring that the plaintext’s scaling factor $\mathrm{\Delta }$ stays the same as before. Specifically, a ModDrop operation that decreases its modulus from $q_l\to q_{l-1}$ is performed by updating the ciphertext $(A,B)$ to a new one: $(A^{\prime }=Amod{q}_{l-1}$, $B^{\prime }=Bmod{q}_{l-1})$. After the ModDrop, the ciphertext’s modulus decreases from $q_l\to q_{l-1}$, yet its decryption relation still holds the same as follows:

$A^{\prime }\cdot S+B^{\prime }-K\cdot q_l$

$=(Amod{q}_{l-1})\cdot S+(Bmod{q}_{l-1})-K\cdot q_l$

$=(A-K_A\cdot q_{l-1})\cdot S+(B-K_B\cdot q_{l-1})-K\cdot q_l$

$=A\cdot S+B-(K_A+K_B+K{\displaystyle \frac{q}{q_{l-1}}})\cdot q_{l-1}$ # where ${\displaystyle \frac{q}{q_{l-1}}}$ is an integer (the $l$-the prime element of $q_L$)

$=A\cdot S+B-K^{\prime }\cdot q_{l-1}$ # where $K^{\prime }=K_A+K_B+K{\displaystyle \frac{q}{q_{l-1}}}$ is an integer

$=A\cdot S+Bmod{q}_{l-1}$

$=\mathrm{\Delta }M+E$ # since $\mathrm{\Delta }M+E<q_0<q_{l-1}$

As shown above, $(A^{\prime },B^{\prime })mod{q}_{l-1}$ decrypts to the same $\mathrm{\Delta }M+E$, a scaled plaintext with an error.

CKKS’s ModDrop is summarized as follows:

D-3.7.1 Difference between Modulus Switch and ModDrop

In CKKS, both modulus switch (i.e., rescaling explained in §D-3.5.4) and ModDrop lower a ciphertext’s modulus from $q_l\to q_{l-1}$. However, the key difference is that rescaling also decreases the plaintext’s scaling factor by the ${\displaystyle \frac{q_l}{q_{l-1}}}\approx \mathrm{\Delta }$, whereas ModDrop does not affect the plaintext’s scaling factor and the noise. Therefore, rescaling is used only during ciphertext-to-ciphertext multiplication when scaling down the plaintext’s scaling factor in the intermediate ciphertext from ${\mathrm{\Delta }}^2\to \mathrm{\Delta }$. Meanwhile, ModDrop is used to reduce the modulo computation time during an application’s routine when it becomes certain that the ciphertext will not undergo any additional ciphertext-to-ciphertext multiplication (i.e., no need to further decrease the ciphertext’s modulus).