Fully Homomorphic Encryption without Modulus Switching

From certFHE Community KB
Jump to navigation Jump to search

This scheme proposed by Brakerski [1] has a number of advantages over previous candidates such as BGV. In particular, it uses the same modulus throughout the evaluation process, so there's no need for modulus switching. Security of these scheme is baed on the hardness of the GapSVP problem.


For an integer , write . This is not the same with the ring . For any , write for the unique value in that is congruent to modulo .

If are two -dimensional vectors, then the tensor product is the dimensional vector containing all elements of the form . Note that

Building Blocks of a homomorphic encryption scheme

We start by presenting Regev's [2] basic public-key encryption scheme.

The Regev scheme

Let be an integer function and let be a distribution over . The scheme 'Regev' is defined as follows:

  • Regev.SecretKeygen( ): Sample uniformly. Output .
  • Regev.PublicKeygen(): Let . Sample uniformly then sample . Compute . Here we apply to every entry in the -dimensional vector and define

Output .

  • Regev.Enc(): To encrypt a message using , sample uniformly and output the ciphertext

where .

  • Regev.Dec(): To decrypt using the secret key , compute

In order to prove corectness, the author first shows (Lemma 3.1 in [1]) that if and - -bounded are parameters for the 'Regev' scheme described above and if is the fresh encryption of some message , then

for some with .

Then, Lemma 3.2 in the same article asserts that if is some vector and is such that

with and , then

Regev.Dec( )= .

Brakerski claims that the security of this scheme reduces to the hardness of (a decisional variant of) LWE problem by classical arguments (originally due to Regev [2]).

Vector decompositions

Recall from BGV the procedures


When the modulus is clear from the context we will omit its writing.

We also recall the property


Key switching

In the functions described below is an integer and is a distribution over .

  • ): For a 'source' key and target key this outputs matrix with rows and columns, very similar to an encryption of under the secret key . Let us call this matrix .

  • : To switch a ciphertext from a secret key to , output

Details on the correctness and security of this scheme are given at the end of Section 3 in [1].

A scale Invariant Homomorphic Encryption Scheme

Let be an integer function, a polynomial and a distribution over the integers. The SI-HE scheme is defined as follows:

  • SI-HE.Keygen(): Sample vectors Regev.SecretKeygen( ) and generate a Regev public key for the first one: . For all , define

and compute


Output and and .

  • SI-HE.Enc(): This is identical to Regev's. Just output .
  • SI-HE.Eval(): Here we describe homomorphic addition and multiplication over the field with two elements, operations that allow the evaluation of depth arithmetic circuits in a gate-by-gate manner. The convention for a gate at level of the circuit is that the operand ciphertexts are decryptable using , and the output of the homomorphic operation is decryptable using .

Recall that evk contains key switching parameters from to , homomorphic addition and multiplication both first produce an intermediate output that corresponds to and then use key switching to obtain the final output.

-- SI-HE.: Assume that both input ciphertexts are encrypted under the same secret key . First compute

and then output

Above the ciphertexts are first added (as vectors) to obtain , but the output of this corresponds to and not , as required. The vector is generated by tensoring with a trivial ciphertext, the result being an encryption of the sum under the key . This result can now be key-switched to obtain an output corresponding to . The PowersOfTwo procedure is used in order to control the norm of the secret key.

-- SI-HE.: Again, we assume that both input ciphertexts are encrypted under the same secret key .

One first computes


then output


  • SI-HE.: If is a ciphertext that corresponds to , then decryption is identical to the one in Regev's scheme. Just output .

The author also gives a proof of its security (see Lemma 4.1), i.e. the security of these scheme is reduced to the hardness of a (decisional) LWE problem.

The Homomorphic Properties of SI-HE

The authors prove the following theorem.

Theorem.(4.2 in [1]) The scheme SI-HE with parameters for which


is -homomorphic.

The theorem is proved using a lemma whose assertion establishes bounds for the growth of the noise in gate evaluation.

To summarise, if are two ciphertexts such that the magnitudes of their noise vectors , then we have the following:

After homomorphic opperation (addition or multiplication) on and , the ciphertext has noise , where is the bound on the noise distribution .

As it is usually the case with FHE schemes, homomorphic addition increases noise much more moderately than multiplication, however the noise estimation above is sufficient for proving that the scheme is bootstrappable.

The complexity of the decryption circuit

For all ciphertexts , the function can be implemented by a circuit of depth (This result is proved in many places, see the discussion proceeding Lemma 4.4 for details).

A corollary is the following: If and , then, under a circular security assumption, this scheme can be bootstrapped into a (non-leveled) fully homomorphic encryption scheme.

Example of performing basic arithmetic in BFV

At the link below, one can see a quick tutorial on how to perform simple computations (a polynomial evaluation) on encrypted integers using the BFV encryption scheme.



  1. Z. Brakerski, Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_50
  2. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, STOC, pages 84–93. ACM, 2005