HOMOMORPHIC ENCRYPTION Craig Gentry Shai Halevi Chris Peikert - - PowerPoint PPT Presentation

FIELD-SWITCHING IN HOMOMORPHIC ENCRYPTION

Craig Gentry Shai Halevi Chris Peikert Nigel P. Smart

HE Over Cyclotomic Rings

 Denote the field 𝐿𝑛 = 𝑅(𝜂𝑛) ≅ 𝑅 𝑌 /(Φ𝑛 𝑌 )

 Its ring of integers is 𝑆𝑛 = 𝑎(𝜂𝑛) ≅ 𝑎 𝑌 /(Φ𝑛 𝑌 )  Mod-𝑟 denoted 𝑆𝑛,𝑟 = 𝑆𝑛/𝑟𝑆𝑛 ≅ 𝑎𝑟 𝑌 /(Φ𝑛(𝑌))

 “Native plaintext space” is 𝑆𝑛,2  Ciphertexts , secret-keys are vectors over 𝑆𝑛,𝑟  𝒅 wrt 𝒕 encrypts 𝑏 if (for representatives in 𝑆𝑛) we

have 𝒕, 𝒅 = 𝑏 ⋅

𝑟 2 + 𝑓 (𝑛𝑝𝑒 𝑟) for small 𝑓

 Decryption via 𝑏 ≔ 𝑁𝑇𝐶( 𝒕, 𝒅 )  Using “appropriate” 𝑎-bases of 𝑆𝑛,2, 𝑆𝑛,𝑟 * Not exactly

* * *

HE Over Cyclotomic Rings

 “Native plaintexts” encode vectors of values

 𝑏 ∈ 𝑆𝑛,2 → 𝛽1 … 𝛽ℓ ∈ 𝐻𝐺 2𝑒 ℓ (more on that later)

 Homomorphic Operations

 Addition: 𝒅 ⊞ 𝒅′ encrypts 𝑏 + 𝑏′ ∈ 𝑆𝑛,2, encoding

(𝛽1 + 𝛽1

′ … 𝛽ℓ + 𝛽ℓ ′)

 Multiplication: 𝒅 × 𝒅′ encrypts 𝑏 × 𝑏′ ∈ 𝑆𝑛,2, encoding

(𝛽1 × 𝛽1

′ … 𝛽ℓ × 𝛽ℓ ′)

 Automorphism: 𝒅(𝑌𝑢) encrypts 𝑏(𝑌𝑢) ∈ 𝑆𝑛,2, encoding

some permutation of (𝛽1 … 𝛽ℓ)

 Relative to key 𝒕(𝑌𝑢)

HE Over Cyclotomic Rings

 Also a key-switching operation  For any two 𝐭, 𝐭′ ∈ (𝑆𝑛,𝑟)2 we can publish a

key-switching gadget 𝑋[𝒕 → 𝒕′]

 𝑋 used to translate valid 𝐝 wrt 𝐭 into 𝐝′ wrt 𝐭′

 𝐝, 𝐝′ encrypt the same plaintext

𝒕, 𝒅 = 𝒕′, 𝒅′ + 𝑓 (𝑛𝑝𝑒 𝑟) for some small 𝑓

How Large are 𝑛, 𝑟?

 Ciphertexts are “noisy” (for security)

 noise grows during homomorphic computation  Decryption error if noise grows larger than 𝑟

Must set 𝑟 “much larger” than initial noise Security relies on LWE-hardness with very large modulus/noise ratio Dimension (𝑛) must be large to get hardness

 Asymptotically 𝑟 = 𝑞𝑝𝑚𝑧𝑚𝑝𝑕 𝑙 , 𝑛 = Ω

(𝑙)

 For realistic settings, 𝑟 ≈ 1000, 𝑛 > 10000

Switching to Smaller 𝑛?

 As we compute, the noise grows

 Cipehrtexts have smaller modulus/noise ratio  From a security perspective, it becomes permissible to

switch to smaller values of 𝑛

 How to do this?  Not even clear what outcome we want here:

 Have 𝒅 wrt 𝒕 ∈ (𝑆𝑛,𝑟)2, encrypting some 𝑏 ∈ 𝑆𝑛,2  Want 𝒅′ wrt 𝒕′ ∈ (𝑆𝑛′,𝑟)2 for 𝑛′ < 𝑛

 Encrypting 𝑏′ ∈ 𝑆𝑛′,2 ??

Ring-Switching: The Goal

 We cannot get 𝑏′ = 𝑏 since 𝑏′ ∈ 𝑆𝑛′,2, 𝑏 ∈ 𝑆𝑛,2  We want 𝑏′ to be “related” to 𝑏

 𝑏 ∈ 𝑆𝑛,2 encodes 𝛽1 … 𝛽ℓ ∈ 𝐻𝐺 2𝑒 ℓ  𝑏′ ∈ 𝑆𝑛′,2 encodes 𝛽1

′ … 𝛽ℓ′ ′

∈ 𝐻𝐺 2𝑒′ ℓ′

 May want 𝑏′ to encode a subset of the 𝛽𝑗’s?

 E.g., the first ℓ′ of them  Not always possible, only if 𝑒′ = 𝑒

 What relations between the 𝛽′𝑘, 𝛽𝑗’s are possible?

Prior Work

 A limited ring-switching technique was described in

[BGV’12]

 Only for 𝑛 = 2𝑜, 𝑛′ = 2𝑜−1

 Transforms big-ring 𝐝 into small-ring 𝒅𝟐

′ , 𝒅𝟑 ′

s.t. 𝑏 (encrypted in 𝐝) can be recovered from 𝑏1

′ , 𝑏2 ′ (encrypted in 𝒅𝟐 ′ , 𝒅𝟑 ′ ).

 Used only for bootstrapping

Our Transformation: Overview

 Work for any 𝑛, 𝑛′ as long as 𝑛′|𝑛  𝐝 wrt 𝐭 ∈ (𝑆𝑛,𝑟)2  𝐝′ wrt 𝐭′ ∈ (𝑆𝑛′,𝑟)2  𝐝, 𝐝′ encrypt 𝑏, 𝑏′, that encode vectors:

 𝒅 → 𝛽𝑗 ∈ 𝐻𝐺 2𝑒 ℓ, 𝐝′ → 𝛽𝑘

′ ∈ 𝐻𝐺 2𝑒′ ℓ′

 Necessarily 𝑒′|𝑒, so 𝐻𝐺 2𝑒′ a subfield of 𝐻𝐺(2𝑒)

 Each 𝛽𝑘

′ is a 𝐻𝐺 2𝑒′ -linear function of some 𝛽𝑗‘s

 We can choose the linear functions, but not the subset of 𝛽𝑗‘s

that correspond to each 𝛽𝑘

′

 If 𝑒′ = 𝑒, can use projections (so 𝛽𝑘

′’s a subset of 𝛽𝑗’s)

Our Transformation: Overview

Denote 𝐿 = 𝐿𝑛, 𝑆 = 𝑆𝑛, 𝐿′ = 𝐿𝑛′, 𝑆′ = 𝑆𝑛′

1.

Key-switching to map 𝒅 wrt 𝒕 𝒅′′ wrt 𝒕′



𝒕 ∈ 𝑆𝑟

2 and 𝒕′ ∈ 𝑆𝑟 ′ 2 ⊂ 𝑆𝑟 2



𝒅′′ = (𝑑0

′′, 𝑑1 ′′) over the big field, wrt subfield key

2.

Compute a small 𝑠 ∈ 𝑆𝑟 that depends only on the desired linear functions

3.

Apply the trace function, 𝑑𝑗

′ = Tr𝐿/𝐿′ 𝑠 ⋅ 𝑑𝑗 ′′

4.

Output 𝒅′ = (𝑑0

′, 𝑑1 ′)

Algebra

Geometry of 𝐿

 Use canonical-embedding to associate 𝑣 ∈ 𝐿 with a

𝜚(𝑛)-vector of complex numbers

 Thinking of 𝑣 = 𝑣(𝑌) as a polynomial, associate 𝑣 with

the vector 𝜏 𝑣 = 𝑣 𝜍𝑗

𝑗∈𝑎𝑛

∗

 𝜍 = 𝑓2𝜌𝑗/𝑛, the principal complex 𝑛’th root of unity  E.g., if 𝑣 ∈ 𝑅 ⊂ 𝐿 then 𝜏 𝑣 = 𝑣, 𝑣, … , 𝑣  We can talk about the “size of 𝑣”

 say the 𝑚2 or 𝑚∞ norm of 𝜏 𝑣  For decryption, the “noise element” must be ≪ 𝑟

Geometry of 𝐿, 𝐿′

 𝐿 can be expressed as a vector-space over 𝐿′

 Similarly 𝑆 over 𝑆′, 𝑆𝑟 over 𝑆𝑟

′ , etc.

 Every 𝑆′ -basis 𝐶 induces a transformation

𝑈𝐶: coefficients in 𝑆′ ↦ element of 𝑆

 With canonical embedding on both sides, we have

a 𝐷-linear transformation 𝑈𝐶: 𝐷𝜚(𝑛) → 𝐷𝜚(𝑛)

 We want a “good basis”, where 𝑈𝐶 is “short”

and “nearly orthogonal”

Geometry of 𝐿, 𝐿′

 Lemma 1: There exists 𝑆′-basis 𝐶 of R for which all

the singular values of 𝑈𝐶 are nearly the same.

 Specifically 𝑡1 𝑈 = 𝑡𝑜 𝑈 ⋅

𝑔 where

𝑔 ≤

𝑠𝑏𝑒 𝑛 𝑠𝑏𝑒 𝑛′ = ∏ primes that divide 𝑛 but not 𝑛′

 The proof follows techniques from [LPR13],

the basis 𝐶 is essentially a tensor of DFT matrices

The Trace Function

 For 𝑣 ∈ 𝐿, Tr 𝑣 =

𝜏 𝑣 𝑗

𝑗∈𝑎𝑛

∗

∈ 𝑅

 By definition: if 𝑣 is small then so is Tr 𝑣

 Tr: 𝐿 → 𝑅 is 𝑅−linear

 𝑀: 𝐿 → 𝑅 is 𝑅-linear if ∀𝑣, 𝑤 ∈ 𝐿, 𝑟 ∈ 𝑅,

𝑀 𝑣 + 𝑀 𝑤 = 𝑀(𝑣 + 𝑤) and 𝑀 𝑟 ⋅ 𝑣 = 𝑟 ⋅ 𝑀(𝑣)

 The trace is a “universal” 𝑅-linear function:

 For every 𝑅-linear function 𝑀 there exists 𝜆 ∈ 𝐿 such

that 𝑀 𝑣 = Tr 𝜆 ⋅ 𝑣 ∀𝑣 ∈ 𝐿

The Trace Function

 The trace Implies also a 𝑎-linear map Tr: 𝑆 → 𝑎,

and 𝑎𝑟-linear map Tr: 𝑆𝑟 → 𝑎𝑟

 Every 𝑎-linear map L ∶ 𝑆 → 𝑎 can be written as

𝑀 𝑏 = Tr 𝜆 ⋅ 𝑏

 But 𝜆 need not be in 𝑆  More on that later

The Intermediate Trace Function

 𝑈𝑠𝐿/𝐿′: 𝐿 → 𝐿′ when 𝐿 is an extension of 𝐿′

 Satisfies 𝑈𝑠

𝐿/𝑅 = 𝑈𝑠𝐿/𝐿′ ∘ 𝑈𝑠𝐿′/𝑅

 Lemma 2: if 𝑣 is small then so is Tr𝐿/𝐿′ 𝑣

 Less trivial than for Tr𝐿/𝑅 but still true

 Tr𝐿/𝐿′ is a “universal” 𝐿′-linear function:

 Tr𝐿/𝐿′: 𝐿 → 𝐿′ is 𝐿′−linear  For every 𝐿′-linear function 𝑀 there exists 𝜆 ∈ 𝐿𝑛 such

that 𝑀 𝑣 = TrK/K′ 𝜆 ⋅ 𝑣 ∀𝑣 ∈ 𝐿𝑛

 Similarly implies 𝑆′-linear map 𝑈𝑠𝐿/𝐿′: 𝑆 → 𝑆′ and

𝑆𝑟

′ -linear map 𝑈𝑠𝐿/𝐿′: 𝑆𝑟 → 𝑆𝑟 ′

Some Complications

 Often we get Tr𝐿 𝐿′

𝑆 ⊆ 𝑆′

 Also for many linear functions we get

𝑀 𝑣 = TrK/K′ 𝜆 ⋅ 𝑣 where 𝜆 is not in 𝑆

 In our setting this will cause problems when we

apply the trace to ciphertext elements

 That’s (one reason) why ciphertexts are not really

vectors over R

 Hence the *‘s throughout the slides

The Dual of 𝑆

 Instead of 𝑆, ciphertext are vectors over the dual

𝑆∨ = {𝑏 ∈ 𝐿: ∀ 𝑠 ∈ 𝑆, Tr 𝑏𝑠 ∈ 𝑎}

 R∨ = R/t, R′∨ = R′/t′ for some t ∈ 𝑆, 𝑢′ ∈ 𝑆′

 We have Tr𝐿 𝐿′

R∨ = 𝑆′∨

 Also every R′-linear 𝑀: 𝑆∨ → 𝑆′∨ can be written as

𝑀 𝑏 = 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑏) for some 𝑠 ∈ 𝑆

 In the rest of this talk we ignore this point, and pretend

that everything is over 𝑆

Prime Splitting

 The integer 2 splits over 𝑆 as 2 = ∏ 𝒒𝑗

𝑓 𝑗

 𝑗 ranges over 𝐻 = 𝑎𝑛 ∗ /(2)

 𝒒𝑗 is generated by (2, 𝐺𝑗 𝑌 = ∏

𝑌 − 𝜂𝑛

𝑗⋅2𝑘 𝑘

)

 In this talk we assume 𝑓=1 (i.e., 𝑛 is odd)  ℓ = |𝐻| prime ideals, each 𝑆/𝒒𝑗 ≅ 𝐻𝐺(2𝑒)  R2 = 𝑆/(2) ≅⊕𝑗 𝑆/𝒒𝑗 ≅⊕𝑗 𝐻𝐺(2𝑒)

 Using CRT, each 𝑏 ∈ 𝑆2 encodes the vector

(𝑏 𝑛𝑝𝑒 𝒒𝑗1

𝛽1

, … , 𝑏 𝑛𝑝𝑒 𝒒𝑗ℓ

𝛽ℓ

) ∈ 𝐻𝐺 2𝑒 ℓ

Prime Splitting

 Similarly 2 splits over 𝑆′ as 2 = ∏ 𝒒𝑘

′ 𝑓′ 𝑘

 Again we assume 𝑓′ = 1  Using CRT, each 𝑏′ ∈ 𝑆2

′ encodes the vector

(𝑏′ 𝑛𝑝𝑒 𝒒𝑘1

′ 𝛽1

′

, … , 𝑏′ 𝑛𝑝𝑒 𝒒𝑘ℓ′

′ 𝛽ℓ

′

) ∈ 𝐻𝐺 2𝑒′ ℓ′

 When 𝑛′|𝑛 then also 𝑒′|𝑒, ℓ′|ℓ, and each 𝒒𝒌

′ split

• ver 𝑆 as a product of some of the 𝒒𝑗 ’s

Prime Splitting

 Example for 𝑛 = 91, 𝑛′ = 7

2 𝒒1

′

𝒒3

′

𝒒22 𝒒15 𝒒1 𝒒31 𝒒17 𝒒3

𝑎 𝑆′ 𝑆 ⊆ ⊆

𝑒 = 12 ℓ = 6 𝑒′ = 3 ℓ′ = 2

Lie over 2 Lie over 𝑞1

′

Lie over 𝑞3

′

Plaintext-Slot Representation

 Recall that 𝑆/𝒒𝑗 ≅ 𝐻𝐺(2𝑒) for all the 𝒒𝑗’s

 But the isomorphisms are not unique

 To fix the isomorphisms:

 Fix a primitive 𝑛-th root of unity 𝜕 ∈ 𝐻𝐺(2𝑒)  Fix representatives 𝑣𝑗 ∈ 𝑎𝑛

∗ for all 𝑗 ∈ 𝑎𝑛 ∗ /(2)

 ℎ𝑗: 𝑆 𝒒𝑗

→ 𝐻𝐺(2𝑒) defined via ℎ𝑗 𝜂𝑛 = 𝜕𝑣𝑗

 Same for isomorphisms 𝑆′/𝒒𝑘

′ ≅ 𝐻𝐺(2𝑒′)

 Define ℎ𝑘

′: 𝑆′ 𝒒𝑘 ′

→ 𝐻𝐺(2𝑒′) by fixing 𝜍′ and 𝑣𝑘

′

Plaintext-Slot Representation

 Making the ℎ𝑗’s and ℎ𝑘

′‘s “consistent”

 Fix 𝜕 ∈ 𝐻𝐺(2𝑒) and set 𝜕′ = 𝜍𝑛/𝑛′ ∈ 𝐻𝐺(2𝑒′)  Fix 𝑣𝑘

′ ∈ 𝑘 ⋅ 2 ⊂ 𝑎𝑛′ ∗ ∀𝑘, then ∀ 𝒒𝑗 that lies over 𝒒𝑘 ′,

choose 𝑣𝑗 ∈ 𝑗 ⋅ (2) s.t. 𝑣𝑗 = 𝑣𝑘

′ mod 𝑛′

 Fact: if 𝒒𝑗 lies over 𝒒𝑘

′ and 𝑠′ ∈ 𝑆′ ⊂ 𝑆, then

ℎ𝑗 𝑠′𝑛𝑝𝑒 𝒒𝑗 = ℎ𝑘

′ 𝑠′𝑛𝑝𝑒 𝒒𝑘 ′

∈ 𝐻𝐺(2𝑒′)

 In words: for a sub-ring plaintext, the slots mod 𝒒𝑘

′ and

all the 𝒒𝑗’s lie over it, hold the same value

Plaintext-Slot Representation

 Lemma 3: ∀ collection of 𝐻𝐺(2𝑒′)-linear functions

𝑀𝑘: 𝐻𝐺 2𝑒

ℓ ℓ′ → 𝐻𝐺 2𝑒′

𝑘∈𝑎𝑛′

∗ /2

∃ a unique 𝑆2

′ -linear function 𝑀: 𝑆2 → 𝑆2 ′ s.t.

ℎ𝑘

′(𝑏′mod 𝒒𝑘 ′) = 𝑀𝑘((ℎ𝑗 𝑏 𝑛𝑝𝑒 𝒒𝑗 𝑗))

holds ∀ 𝑏 ∈ 𝑆2 and 𝑏′ = 𝑀(𝑏), and ∀ 𝑘

 The 𝑗’s range over all the 𝒒𝑗’s that lie over 𝒒𝑘

′

Illustration of Lemma 3

 ∃𝑀: 𝑆2 → 𝑆2

′ s.t. ∀ 𝑏 ∈ 𝑆2 and 𝑏′ = 𝑀 𝑏 ∈ 𝑆2 ′

 ℎ1

′ 𝑏′ = 𝑀1 ℎ1 𝑏 , ℎ15 𝑏 , ℎ22 𝑏

 ℎ3

′ 𝑏′ = 𝑀2 ℎ3 𝑏 , ℎ17 𝑏 , ℎ31 𝑏

 Can express 𝑀 𝑏 = 𝑈𝑠

𝐿/𝐿′(𝑠 ⋅ 𝑏) for some 𝑠 ∈ 𝑆2

𝒒1

′

𝒒3

′

𝒒22 𝒒15 𝒒1 𝒒31 𝒒17 𝒒3

𝑆′ 𝑆

⊆

(𝑒 = 12, ℓ = 6) (𝑒′ = 3, ℓ′ = 2)

𝑀1: 𝐻𝐺 212 3 → 𝐻𝐺(23) 𝑀3: 𝐻𝐺 212 3 → 𝐻𝐺(23) * Not exactly

*

The Transformation

Step 1, Key Switching

 Let 𝒕 ∈ 𝑆𝑟

2, 𝒕′ ∈ 𝑆𝑟 ′ 2 ⊂ 𝑆𝑟 2 (chosen at keygen)

 Publish a key-switching matrix 𝑋[𝒕 → 𝒕′]  Given ctxt 𝒅 wrt 𝒕, use W to get 𝒅′′ wrt 𝒕′

 Just plain key-switching in the big ring  𝒅′′ still over the big ring, but wrt a sub-ring key  𝒅′′ encrypts the same 𝑆2-element as 𝒅

Security of Key-Swicthing

 Security of usual big-ring key-switching relies on the

secret 𝒕′ being drawn from 𝑆𝑟

 Then 𝑋 constrains only LWE-instance over 𝑆𝑟  What can we say when it is drawn from 𝑆𝑟

′ ?

 We devise LWE instances over 𝑆𝑟 with secret from

𝑆𝑟

′ , with security relying on LWE in 𝑆𝑟 ′

 Instead of one small error element in 𝑆𝑟, choose many

small elements in 𝑆𝑟

′ , use an 𝑆𝑟 ′ -basis of 𝑆𝑟 to combine

them into a single error element in 𝑆𝑟

𝑆𝑟-LWE With Secret in 𝑆𝑟

′

 Let 𝐶 = (𝛾1, … , 𝛾𝑜) be any 𝑆𝑟

′ -basis of 𝑆𝑟

 Given the LWE secret 𝑡′ ∈ 𝑆𝑟

′ ⊂ 𝑆𝑟

 Choose uniform 𝑏 ← 𝑆𝑟 and small 𝑓1

′, … , 𝑓𝑜 ′ ← 𝑆𝑟 ′

 Set 𝑓 = 𝑓𝑗

′𝛾𝑗 𝑗

∈ 𝑆𝑟 and output (𝑏, 𝑐 = 𝑏𝑡′ + 𝑓)

 If the basis B is “good” (short, orthogonal) then 𝑓 is

not much larger than the 𝑓𝑗

′’s

 This is where we use Lemma 1 (∃ good basis)

𝑆𝑟-LWE With Secret in 𝑆𝑟

′

 Theorem: If decision-LWE is hard in 𝑆𝑟

′ , then (𝑏, 𝑐)

is indistinguishable from uniform in 𝑆𝑟

2

 Proof:

 We can consider 𝑏 = 𝑏𝑗

′𝛾𝑗 𝑗

for uniform 𝑏𝑗

′ ← 𝑆𝑟 ′

 Induces the same uniform distribution on 𝑏

 Then we would get 𝑐 = (𝑏𝑗

′𝑡′ + 𝑓𝑗 ′)𝛾𝑗 𝑗

.

 If the (𝑏𝑗

′𝑡′ + 𝑓𝑗 ′) were uniform in 𝑆𝑟 ′ , then 𝑐 would be

uniform in 𝑆𝑟. □

Steps 2,3: Ring Switching

 𝒅′′ encrypts 𝑏 ∈ 𝑆2 wrt 𝒕′

 𝑏 encodes a vector 𝜷 = 𝛽𝑗 𝑗 ∈ 𝐻𝐺 2𝑒 ℓ  We view it as 𝜷 = (𝜷1, … , 𝜷ℓ′) ∈ 𝐻𝐺 2𝑒 ℓ/ℓ′ ℓ′

 ℓ′ target functions, 𝑀𝑘: 𝐻𝐺 2𝑒 ℓ/ℓ′

→ 𝐻𝐺(2𝑒′)

 Want small-ring ciphertext 𝒅′ encrypting 𝑏 ∈ 𝑆2

′ that

encodes 𝜷′ = 𝛽1

′, … , 𝛽ℓ′ ′

∈ 𝐻𝐺 2𝑒′ ℓ′

 For each 𝑘, 𝛽𝑘

′ = 𝑀𝑘(𝜷𝑘)

Steps 2,3: Ring Switching

 By Lemma 2, ∃𝑀: 𝑆2 → 𝑆2

′ that induces the 𝑀𝑘’s

 Expressed as 𝑀 𝑏 = 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑏) for 𝑠 ∈ 𝑆2

′

 We identify 𝑠 with a short representative in 𝑆′

 One must exists since 2 is “short”  Thus identify 𝑀 with 𝑀 𝑏 = 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑏) over 𝑆

 Further identify 𝑠 as a representative of 𝑠 ∈ 𝑆𝑟

′

 Apply the trace, 𝑑𝑗

′ = 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑑𝑗 ′′)

 Recall that 𝒅′′ is valid wrt 𝒕′ ∈ 𝑆𝑟

′ ⊂ 𝑆𝑟

* Not exactly

*

Correctness

 Recall 𝒕′, 𝒅′′ = 𝑙 ⋅ 𝑟 + 𝑏 ⋅

𝑟 2 + 𝑓 over 𝐿

 For some 𝑙, 𝑓 ∈ 𝑆 (with 𝑓 small) and 𝐭′ over 𝑆′

 Thus we have the equalities (over 𝐿):

 𝒕′, 𝒅′ = 𝒕′, 𝑈𝑠𝐿/𝐿′ (𝑠 ⋅ 𝒅′′) = 𝑈𝑠𝐿/𝐿′ 𝑠 ⋅ 𝒕′, 𝒅′′

= 𝑀 𝑟 ⋅ 𝑙 + 𝑏 ⋅ 𝑟 2 + 𝑓 = 𝑀 𝑙 ⋅ 𝑟 + 𝑀 𝑏 ⋅ 𝑟 2 + 𝑀 𝑓 = 𝑙′ ⋅ 𝑟 + 𝑏′ ⋅ 𝑟 2 + 𝑓′

 𝑏′ encodes the 𝛽𝑘

′’s that we want

Correctness

• We have 𝒕′, 𝒅′ = 𝑙′ ⋅ 𝑟 + 𝑏′ ⋅

𝑟 2 + 𝑓′

 This looks like a valid encryption of 𝑏′  It remains to show that 𝑓′ is short

 𝑓′ = 𝑀 𝑓 = 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑓)

 𝑓 is short (from the input), 𝑠 is short (reduced mod 2)  So 𝑠 ⋅ 𝑓 is short  By Lemma 3 also 𝑈𝑠𝐿/𝐿′(𝑠 ⋅ 𝑓) is short

Conclusions

 We have a general ring-switching technique

 Converts 𝒅 over 𝑆𝑛 to 𝒅′ over 𝑆𝑛′ for 𝑛′|𝑛  The plaintext slots in 𝒅′ can contain any linear functions

• f the slots in 𝒅

 A 𝒅′-slot is a function of the 𝒅-slots that lie above it

 We may choose projection functions to have 𝒅′ contain

subset of the slots of 𝒅

 Lets us to speed up computation by switching to a

smaller ring

Epilog: The [AP13] Work

Alperin-Sheriff & Peikert described a clever use of ring-switching for efficient homomorphic computation

• f DFT-like transformations:

1.

Decompose it to an FFT-like network of “local” linear functions

2.

Use ring-switching for each level

3.

Then switch back up before the next level Yields fastest bootstrapping procedure to date