Full Domain Functional Bootstrap** with Least Significant Bit Encoding

Abstract

Functional bootstrap** (FBS) is a powerful technique that evaluates a look-up table (LUT) while refreshing an LWE ciphertext in FHEW and TFHE schemes. However, the LUT evaluation over the message space is constrained by negacyclicity, which affects the practical application of functional bootstrap**. Existing methods require multiple FBS and some homomorphic operations to address this issue, which results in inferior performance compared with the original functional bootstrap**.

In this paper, we utilize the variant least significant bit (LSB) encoding method to efficiently achieve the full domain functional bootstrap** for message space in FHEW-like schemes. Specifically, the message space \(\mathbb {Z}_t\) is embedded into the encoding space \(\mathbb {Z}_{N}\) by setting the most significant bit of noise to zero. As a result, the encoding space is equal to the domain of the LUT and our functional bootstrap** can evaluate arbitrary functions. In addition, our technique can be applied to multi-value bootstrap** and tree-based bootstrap**. Thus, these algorithms only need one FBS to achieve the full domain property.

Finally, we implement our full domain functional bootstrap** in the OpenFHE cryptography library. Experiments demonstrate that up to 2 \(\times \) performance improvement is achieved compared with the state-of-the-art work [27].

A Algorithms of functions presented in Section 2.4

1.1 A.1 Correctness of the Key Switching

Lemma 1

Input an LWE ciphertext \(\textsf{ct} = \textsf{LWE}_{\textbf{z}}^N(m) \) with error variance \(\textsf{Var}(e)\), and the switching keys \(\textsf{ksk}_{i, j, v}\) with error variance \(\textsf{Var}(e_{\textsf{ksk}})\), the key switching algorithm outputs a new LWE ciphertext \(\textsf{ct}^{{\prime }} =\textsf{KeySwitch}_{\textbf{z} \rightarrow \textbf{s}}(\textsf{ct})\) with error variance \(\textsf{Var}(e^{\prime })\).

Proof

Let \(\textsf{ksk}_{i, j, v}=(\textbf{a}^{\prime }_{i, j, v},\textbf{a}^{\prime }_{i, j, v}\cdot \textbf{s}+v z_{i} B_{ks}^{j}+e_{i, j, v})\) for some \(\textbf{a}^{\prime }_{i, j, v} \in \mathbb {Z}_q^n\) and \(e_{i, j, v} \in \chi _{\delta }\), the output ciphertext is

$$\begin{aligned} \begin{aligned} \textsf{ct}^{{\prime }} &=\textsf{KeySwitch}_{\textbf{z} \rightarrow \textbf{s}}(\textsf{ct}) \\ &=(\textbf{0}, b)-\sum _{i, j} \textsf{ksk}_{i, j, a_{i, j}} \\ &=(\textbf{a}^{\prime },b^{\prime })\bmod q \in \textsf{LWE}_{\textbf{s}}^n(m), \end{aligned} \end{aligned}$$

where \(\textbf{a}^{\prime } = -\sum _{i, j} \textbf{a}^{\prime }_{i, j, a_{i, j}}\) and \(b^{\prime } = b-\textbf{a}\cdot \textbf{z}+\textbf{a}^{\prime } \cdot \textbf{s} - \sum _{i, j}e_{i, j, a_{i, j}}\). According to Theorem 6 of [15], the variance of the noise satisfies \(\textsf{Var}(e^{'}) \le \textsf{Var}(e)+Nd_{ks}\cdot \textsf{Var}(e_{\textsf{ksk}})\).

1.2 A.2 Correctness of the Modulus Switching

Lemma 2

Input an LWE ciphertext \(\textsf{ct} = (\textbf{a},b) \in \textsf{LWE}_{\textbf{s}}^n(m)\) with error variance \(\textsf{Var}(e)\) modulo Q, the modulus switching algorithm outputs a new LWE ciphertext \(\textsf{ct}^{\prime } =\textsf{ModSwitch}_{Q \rightarrow q}(\textsf{ct})\) with error variance \(\textsf{Var}(e^{\prime })\) modulo q.

Proof

Let the integers \(Q> q> t\) and \(Q \equiv 1 \bmod t,q \equiv 1 \bmod t\), the output ciphertext is

$$\begin{aligned} \begin{aligned} \textsf{ct}^{{\prime }} &=\textsf{ModSwitch}_{Q \rightarrow q}(\textsf{ct}) \\ &=(\lfloor \frac{q}{Q}\cdot \textbf{a} \rceil ,\lfloor \frac{q}{Q}\cdot b \rceil )\\ &=(\textbf{a}^{\prime },b^{\prime })\in \mathbb {Z}_q^{n+1}, \end{aligned} \end{aligned}$$

and satisfies the requirement that \(a_i^{\prime } \equiv a_i \bmod t, b^{\prime } \equiv b \bmod t\). It is straightforward to conclude that \(b+\left\langle \textbf{a},\textbf{s} \right\rangle \bmod Q \bmod t = b^{\prime }+\left\langle \textbf{a}^{\prime },\textbf{s} \right\rangle \bmod q \bmod t\) according to Lemma 5 of [6], and the variance of noise satisfies \(\textsf{Var}(e^{\prime }) \le (\frac{q}{Q})^2\cdot \textsf{Var}(e)+ \frac{t}{2}\cdot ||\textbf{s}||_2^2\).

1.3 A.3 Correctness of the Encoding Transformation

Lemma 3

Input an LWE ciphertext \(\textsf{ct} \in \mathsf {MSB.LWE}^n _\textbf{s}(m)\) with error variance \(\textsf{Var}(e)\), the encoding transformation algorithm outputs a new LWE ciphertext \(\textsf{ct}^{\prime } =\mathsf {EncodeTrans(ct)} \in \mathsf {LSB.LWE}^n _\textbf{s}(-m)\) with error variance \(\textsf{Var}(e)\).

Proof

Let \(\textsf{ct}= (\textbf{a},b=-\left\langle \textbf{a},\textbf{s} \right\rangle + \omega ) \in \mathbb {Z}^{n+1}_q\) with \(q \equiv 1 \bmod t\), where \(\omega = \left\lfloor \frac{q}{t} \cdot m \right\rceil +e\). The decoding procedure of MSB encoding is

$$\left\lfloor \omega \cdot \frac{t}{q} \right\rceil = \omega \cdot \frac{t}{q} - f = m \bmod t $$

for some \(f \in \frac{1}{q} \mathbb {Z}\cap [-1/2,1/2)\). By multiplying by q and let \(\mu = q\cdot f \in \mathbb {Z}\cap [-q/2,q/2)\), one can get \(\omega \cdot t - \mu = q \cdot m \bmod tq\). Then \(\textsf{ct}^{\prime }=\mathsf {EncodeTrans(ct)} =(t \cdot \textbf{a},t \cdot b) \bmod q\) is a ciphertext with the LSB encoding since the decryption step is \( \omega \cdot t = \mu \bmod q\) and

$$\mu = -q \cdot m \bmod t = -m \bmod t.$$