the third generation fhe scheme(gsw)

As we mentioned above in this FHE scheme homomorphic operation is matrix addition and matrix multiplication, this works because a message ${muinmathbb{Z}_p }$ is encrypted as a $N times N$ matrix ciphertext over $mathbb{Z}_p$. In order to decrypt such a matrix ciphertext, a trick in linear algebra is used: if we set secret key $stackrel{rightarrow}{v}$ of the encryption scheme the approximate eigenvector of matrix $C $then we can say $C$ encrypts $mu$ when $Ccdotstackrel{rightarrow}{v}=mucdotstackrel{rightarrow}{v}+stackrel{rightarrow}{e}$ and compute $x=< C_i,stackrel{rightarrow}{v}>=mucdot v_i+e_i$ to decrypt for $mu=leftlfloor x/v_irightrceil$.

Thus, it is easy to see that matrix addtion just double the errors for $C^+cdot stackrel{rightarrow}{v}=(mu_1+mu_2)cdot stackrel{rightarrow}{v}+(stackrel{rightarrow}{e}_1+stackrel{rightarrow}{e}_2)$ and for matrix multiplication we have $$C^timescdot stackrel{rightarrow}{v}= C_1cdot(mu_2cdot stackrel{rightarrow}{v}+stackrel{rightarrow}{e}_2)=mu_1cdotmu_2cdotstackrel{rightarrow}{v}+mu_2cdotstackrel{rightarrow}{e}_1+C_1cdotstackrel{rightarrow}{e}_2$$

Errors from matrix multiplication come from the part $mu_2cdotstackrel{rightarrow}{e}_1+C_1cdotstackrel{rightarrow}{e}_2$ and it is actually a large error vector because $C_1$ is a $Ntimes N$ matrix in $mathbb{Z}_q$ the coefficient of $stackrel{rightarrow}{e}_2$ will be $Ncdot q$ at most. In short, in order to construct a FHE scheme we short to dcrease the magnitude of the error vector’s coefficients. However, the error vector is necessary, because the security of the scheme base on LWE problem.

As we see above $C_1$ contribute the most factor of error, to obtain a leveled FHE scheme the coefficients of the ciphertext $C$ must have a small magnitude thus ensuring better bounds on the growth of the error. A B-strongly-bounded cipher text is sufficient, namely, the associated message $mu$ and coefficients of $C$ have magnitude at most 1, while the coefficients of the error $stackrel{rightarrow}{e}$ has at most $B$. Then after evaluating a circuit of depth $L $ the error of ciphertext has magnitude at most $(N+1)^LB$ In order to keep ciphertext strongly bounded a operation called flattening is described. It also has several subroutines like what we described in the last summary abot key switching, we recall them here:

From these three subroutines, it’s not difficult to see that the most direct way to make the coefficients of a vector or matrix small is to run $texttt{Bitdecomp}$ so that all coefficients are in ${0,1}$ and then the ciphertext is B-strongly bounded indeed. However, the final aim of ciphertexts’ B-strongly bound is to decrease the magnitude of error produced by homomorphic multiplication the procedure of $texttt{BitDecomp}$ will expand the dimension of vectors by a factor of $leftlfloor log_qrightrfloor+1$ as well as procedure $texttt{Powersoft2}$.

This disadvantage will lead to the expansion of the error and it also increases the need for storage. Thus, in order to meet the need of restricting the increase of errors we should keep the dimension of vectors unchanged. Observed that $texttt{BitDecomp_{-1}}$ decrease the dimension as same as the increase by $texttt{BitDecomp}$, the technique $text{Flatten}(stackrel{rightarrow}{a}’)=texttt{BitDecomp}(texttt{BitDecomp}_{-1}(stackrel{rightarrow}{a}’)) $ make coefficients of vectors in ${0,1}$ with its dimension unchanged. The decryption of ciphertext is ensured by the good property of $texttt{Flatten}$ that for any vector $stackrel{rightarrow}{a}’$, $langlestackrel{rightarrow}{a}’,texttt{Powersof2}(stackrel{rightarrow}{b}) rangle=langletexttt{Flatten}(stackrel{rightarrow}{a}’), texttt{Powersof2}(stackrel{rightarrow}{b})rangle$.

In this scheme, we will only consider NAND gate: $C_3=I_N-C_1cdot C_2$, because NAND gate is the most universal gate and can be used to build any other gates. And we usually consider the message space ${0,1}$ so that the error increase $(N+1)B$ and a NAND-based Boolean circuit could be used for further computations. Then we get the leveled FHE scheme:

Since $mu_2in{0,1}$, the error is increased by a factor of at most $N+1$ and the final ciphertext’s error will be bounded by $(N+1)^Lcdot B$.

The security argument is surprisingly simple. Consider $C’=texttt{BitDecomp}^{-1}(C)$. Because $C$ is already the output of $texttt{Flatten}$ it reveals nothing more than $C’$. Unpacking $C’$ to $texttt{BitDecomp}^{-1}(mu cdot I_N) + Rcdot A$, note that $Rtimes A $ is statistically uniform by the leftover hash lemma for uniform $A$. Finally, $A$ is indistinguishable from a uniform by the decisional LWE assumption.

This leveled FHE scheme without evaluate key make it possible for constructing an identity-based FHE scheme which is an open problem mentioned in previous works. And I think the message to take home of this scheme is that they find a proper method to decrease the coefficients of matrix without change it’s dimension. In BGV’s FHE scheme they change the dimension of key space with key switching and modulus switching to come to the aim of decreasing noise and in this scheme the change of ciphertext space make it possible to do a much natural homomorphic calculation without increasing the error sharply.

Reference