Fully Homomorphic Encryption without Modulus Switching

This scheme proposed by Brakerski ^[1] has a number of advantages over previous candidates such as BGV. In particular, it uses the same modulus throughout the evaluation process, so there's no need for modulus switching. Security of these scheme is baed on the hardness of the GapSVP problem.

Preliminaries

For an integer ${\displaystyle q}$, write ${\displaystyle \mathbb {Z} _{q}:=\left(-q/2,q/2\right]\cap \mathbb {Z} }$. This is not the same with the ring ${\displaystyle \mathbb {Z} /q\mathbb {Z} }$. For any ${\displaystyle x\in \mathbb {Q} }$, write ${\displaystyle [x]_{p}}$ for the unique value in ${\displaystyle \left(-q/2,q/2\right]\cap \mathbb {Z} }$ that is congruent to ${\displaystyle x}$ modulo ${\displaystyle q}$.

If ${\displaystyle v,w}$ are two ${\displaystyle n}$-dimensional vectors, then the tensor product ${\displaystyle v\otimes w}$ is the ${\displaystyle n^{2}}$ dimensional vector containing all elements of the form ${\displaystyle v[i]w[j]}$. Note that

${\displaystyle <v\otimes w,x\otimes y>=<v,x>\cdot <w,y>.}$

Building Blocks of a homomorphic encryption scheme

We start by presenting Regev's ^[2] basic public-key encryption scheme.

Let ${\displaystyle q=q(n)}$ be an integer function and let ${\displaystyle \chi (n)}$ be a distribution over ${\displaystyle \mathbb {Z} }$. The scheme 'Regev' is defined as follows:

• Regev.SecretKeygen( ${\displaystyle 1^{n}}$ ): Sample ${\displaystyle s\leftarrow \mathbb {Z} _{q}^{n}}$ uniformly. Output ${\displaystyle sk=s}$.

• Regev.PublicKeygen(${\displaystyle s}$): Let ${\displaystyle N:=(n+1)(\log q+O(1))}$. Sample uniformly ${\displaystyle A\leftarrow \mathbb {Z} _{q}^{N\times n}}$ then sample ${\displaystyle e\leftarrow \chi ^{N}}$. Compute ${\displaystyle b:=[A\cdot s+e]_{q}}$. Here we apply ${\displaystyle [\cdot ]_{q}}$ to every entry in the ${\displaystyle N}$-dimensional vector ${\displaystyle A\cdot s+e}$ and define

${\displaystyle P:=[b\vert -A]\in \mathbb {Z} _{q}^{N\times (n+1)}}$.

Output ${\displaystyle pk=P}$.

• Regev.Enc(${\displaystyle pk,m}$): To encrypt a message ${\displaystyle m\in \{0,1\}}$ using ${\displaystyle pk=P}$, sample ${\displaystyle r\in \{0,1\}^{N}}$ uniformly and output the ciphertext

where ${\displaystyle {\hat {m}}:=(m,0,\dots ,0)\in \{0,1\}^{n+1}}$.

• Regev.Dec(${\displaystyle sk,c}$): To decrypt ${\displaystyle c\in \mathbb {Z} _{q}^{n+1}}$ using the secret key ${\displaystyle sk=s}$, compute

${\displaystyle m:=\left[\left\lfloor 2\cdot {\frac {[<c,(1,2)>]_{q}}{q}}\right\rceil \right]_{2}.}$

References