A few algorithms in TFHE
Personal summary:
The core idea of TFHE is to optimise the ACC computation inside FHEW's Refresh algorithm, replacing the original internal product ${\sf RGSW}\boxtimes{\sf RGSW}\to{\sf RGSW}$ with the external product ${\sf RGSW}\boxdot{\sf RLWE}\to{\sf RLWE}$. This speeds up the computation and shrinks the key size.
Besides that, TFHE also proposes several application-level algorithms, including how to evaluate automata and leveled binary gates. I skip all of those; what I care about are the algorithm-level pieces: GateBootstrapping, PublicKeySwitch, PrivateKeySwitch and Circuit Bootstrapping.
What makes these interesting is that PublicKeySwitch and PrivateKeySwitch are algorithms that can perform LWE-to-RLWE, and Circuit Bootstrapping can refresh an (R)LWE ciphertext into an RGSW ciphertext by bootstrapping.
Note: the TFHE paper abstracts LWE and RLWE as TLWE, and later uses TRLWE and TLWE to denote RLWE and LWE concretely, which I find confusing, so these notes use LWE and RLWE instead. The authors also switched to LWE, RLWE and GLWE in their later papers to denote the concrete and the abstract cases. Moreover, the torus can be written as $\mathbb{T}[X]=\mathbb{R}_q[X]/q$, while implementations work in $\mathbb{R}_q[X]$ anyway, so writing LWE and RLWE is actually clearer.
External product
The external product is written as
$${\sf RGSW}\boxdot{\sf RLWE}=Decomp({\sf RLWE})\cdot{\sf RGSW}\to{\sf RLWE}$$
Let us look at each definition:
RGSW
First we need to define ${\sf RGSW}$ (the TFHE paper defines $\sf TGSW$; I take $k=1$ and focus on the ${\sf RGSW}$ case).
First define a decomposition matrix: a $2\ell\times 2$ matrix, where $1/B_g$ is the decomposition base,
$$H=\left(\begin{array}{cc} 1/B_g & 0 \\ \vdots & \vdots \\ 1/B_g^{\ell} & 0 \\ 0 & 1/B_g \\ \vdots & \vdots \\ 0 & 1/B_g^{\ell} \end{array}\right)\in\mathbb{R}^{2\ell\times 2}$$
Then generate $2\ell$ ciphertexts ${\sf RLWE}(0)$, denoted $Z$:
$$Z=\left(\begin{array}{cc} a_1 & b_1 \\ \vdots & \vdots \\ a_\ell & b_\ell \\ a_{\ell+1} & b_{\ell+1} \\ \vdots & \vdots \\ a_{2\ell} & b_{2\ell} \end{array}\right)\in R_q^{2\ell\times 2}$$
where $\varphi_s(a_i,b_i)=0$, i.e. $b_i+a_is=0+e_i$.
Then for an input $\mu$,
$${\sf RGSW}(\mu)=Z+\mu\cdot H=\left(\begin{array}{cc} a_1+1/B_g\cdot\mu & b_1 \\ \vdots & \vdots \\ a_\ell+1/B_g^{\ell}\cdot\mu & b_\ell \\ a_{\ell+1} & b_{\ell+1}+1/B_g\cdot\mu \\ \vdots & \vdots \\ a_{2\ell} & b_{2\ell}+1/B_g^{\ell}\cdot\mu \end{array}\right)\in R_q^{2\ell\times 2}$$
Observe that now, for $1\le i\le\ell$, $\varphi_s(a_i,b_i)=1/B_g^{i}\cdot\mu\cdot s$, i.e. each such row is ${\sf RLWE}(1/B_g^{i}\cdot\mu\cdot s)$; and for $\ell+1\le i\le 2\ell$, $\varphi_s(a_i,b_i)=1/B_g^{i-\ell}\cdot\mu$, i.e. each such row is ${\sf RLWE}(1/B_g^{i-\ell}\cdot\mu)$.
So every row of ${\sf RGSW}$ is an ${\sf RLWE}$ ciphertext, and it can be written as:
$${\sf RGSW}(\mu)=\left(\begin{array}{c} {\sf RLWE}(1/B_g\cdot\mu\cdot s) \\ \vdots \\ {\sf RLWE}(1/B_g^{\ell}\cdot\mu\cdot s) \\ {\sf RLWE}(1/B_g\cdot\mu) \\ \vdots \\ {\sf RLWE}(1/B_g^{\ell}\cdot\mu) \end{array}\right)\in R_q^{2\ell\times 2}$$
Decomp
Now the definition of $Decomp$:
For $c={\sf RLWE}(m)=(a,b)$, $Decomp(c)=a_1,\ldots,a_\ell,b_1,\ldots,b_\ell$, where $\sum_{i=1}^{\ell}a_i\cdot 1/B_g^{i}=a$ and $\sum_{i=1}^{\ell}b_i\cdot 1/B_g^{i}=b$.
External product
With the above definitions we obtain the external product
$$\begin{aligned} \boxdot: {\sf RGSW}\times{\sf RLWE} &\longrightarrow {\sf RLWE} \\ (A,\boldsymbol{b}) &\longmapsto A\boxdot\boldsymbol{b}=Decomp(\boldsymbol{b})\cdot A \end{aligned}$$
Correctness:
Let $\boldsymbol{b}=(a,b)\in{\sf RLWE}(\mu_1)$ with $Decomp(\boldsymbol{b})=a_1,\ldots,a_\ell,b_1,\ldots,b_\ell$, where $\sum_{i=1}^{\ell}a_i\cdot 1/B_g^{i}=a$ and $\sum_{i=1}^{\ell}b_i\cdot 1/B_g^{i}=b$, and let $A\in{\sf RGSW}(\mu_2)$.
$$\begin{aligned} Decomp(\boldsymbol{b})\cdot A &=(a_1,\ldots,a_\ell,b_1,\ldots,b_\ell)\cdot\left(\begin{array}{c} {\sf RLWE}(1/B_g\cdot\mu_2\cdot s) \\ \vdots \\ {\sf RLWE}(1/B_g^{\ell}\cdot\mu_2\cdot s) \\ {\sf RLWE}(1/B_g\cdot\mu_2) \\ \vdots \\ {\sf RLWE}(1/B_g^{\ell}\cdot\mu_2) \end{array}\right)\\ &=\sum_{1\le i\le\ell}{\sf RLWE}(1/B_g^{i}\cdot\mu_2\cdot s\cdot a_i)+\sum_{1\le i\le\ell}{\sf RLWE}(1/B_g^{i}\cdot\mu_2\cdot b_i)\\ &={\sf RLWE}(\mu_2\cdot s\cdot a)+{\sf RLWE}(\mu_2\cdot b)\\ &={\sf RLWE}(\mu_2(b+as))\\ &={\sf RLWE}(\mu_1\mu_2) \end{aligned}$$
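The external product defined above, as an added Python model that is not code from this post or from the TFHE library: it works over $\mathbb{Z}_Q[X]/(X^N+1)$ with toy parameters of my choosing ($Q=2^{32}$, $N=8$, $B_g=2^8$, $\ell=4$, far too small to be secure), represents the torus fraction $1/B_g^j$ as the integer $Q/B_g^j$, keeps the post's phase convention $\varphi_s(a,b)=b+a\cdot s$, and checks by decryption that ${\sf RGSW}(\mu_2)\boxdot{\sf RLWE}(\mu_1)$ is ${\sf RLWE}(\mu_1\mu_2)$.

```python
import random

# Constructed toy parameters (not TFHE's real ones): ring Z_Q[X]/(X^N+1), gadget base B_g, L levels.
Q, N, BG, L = 2**32, 8, 2**8, 4             # B_g^L == Q, so the decomposition below is exact
G = [Q // BG**j for j in range(1, L + 1)]   # integer form of the torus fraction 1/B_g^j

def polymul(a, b):                           # negacyclic product modulo X^N + 1
    r = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            r[k] = (r[k] + sign * x * y) % Q
    return r

def padd(a, b): return [(x + y) % Q for x, y in zip(a, b)]

def rlwe_enc(m, s):                          # b = -a*s + m + e, so phase_s(a, b) = b + a*s as in the post
    a = [random.randrange(Q) for _ in range(N)]
    e = [random.randint(-2, 2) for _ in range(N)]
    return a, padd(m, [(ei - x) % Q for ei, x in zip(e, polymul(a, s))])

def phase(ct, s): return padd(ct[1], polymul(ct[0], s))

def rgsw_enc(mu, s):                         # Z + mu*H: 2L rows of RLWE(0), mu/B_g^j added to a (first L) or b (last L)
    rows = []
    for j in range(2 * L):
        a, b = rlwe_enc([0] * N, s)
        shift = [mu * G[j % L]] + [0] * (N - 1)
        rows.append((padd(a, shift), b) if j < L else (a, padd(b, shift)))
    return rows

def decomp(poly):                            # L digit polynomials d_j with poly == sum_j d_j * G[j]
    return [[(x // g) % BG for x in poly] for g in G]

def external_product(rgsw, rlwe):            # Decomp(rlwe) . rgsw  ->  RLWE(mu1 * mu2)
    acc = ([0] * N, [0] * N)
    for d, (a, b) in zip(decomp(rlwe[0]) + decomp(rlwe[1]), rgsw):
        acc = (padd(acc[0], polymul(d, a)), padd(acc[1], polymul(d, b)))
    return acc

def demo(msg, mu2, seed=1):                  # msg: N values in [0, 8); returns decrypt(RGSW(mu2) ⊡ RLWE(msg))
    random.seed(seed)
    s = [random.randint(0, 1) for _ in range(N)]
    delta = Q // 8                           # messages live in the top 3 bits; total noise stays far below delta
    out = external_product(rgsw_enc(mu2, s), rlwe_enc([delta * m for m in msg], s))
    return [round(x / delta) % 8 for x in phase(out, s)]

if __name__ == "__main__":
    print(demo([3, 1, 4, 1, 5, 0, 2, 6], 1))   # -> [3, 1, 4, 1, 5, 0, 2, 6]
    print(demo([3, 1, 4, 1, 5, 0, 2, 6], 0))   # -> [0, 0, 0, 0, 0, 0, 0, 0]
```

The gadget digits are unsigned here for brevity; TFHE uses signed digits in $[-B_g/2,B_g/2)$ to halve the noise growth, which is the only place this toy deviates from the paper's $Decomp$.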
Comparison with the internal product
With the external product defined, look at the internal product (where $\boldsymbol{b}_1,\ldots,\boldsymbol{b}_{2\ell}$ are the rows of $B$):
$$\begin{aligned} \boxtimes: {\sf RGSW}\times{\sf RGSW} &\longrightarrow {\sf RGSW} \\ (A,B) &\longmapsto A\boxtimes B=\left[\begin{array}{c} A\boxdot\boldsymbol{b}_1 \\ \vdots \\ A\boxdot\boldsymbol{b}_{2\ell} \end{array}\right]=\left[\begin{array}{c} Decomp(\boldsymbol{b}_1)\cdot A \\ \vdots \\ Decomp(\boldsymbol{b}_{2\ell})\cdot A \end{array}\right] \end{aligned}$$
Each of its rows is in fact an ${\sf RGSW}\boxdot{\sf RLWE}$. In FHEW-style bootstrapping one computes ${\sf RGSW}\boxtimes{\sf RGSW}\to{\sf RGSW}$, but only one row of the result is actually used, so it can be replaced entirely by ${\sf RLWE}\boxdot{\sf RGSW}$, which saves a great deal of computation and shrinks the key size.
KeySwitch
Here the TFHE authors define two kinds of KeySwitch, Public and Private. They differ slightly from the KeySwitch of earlier papers: while switching the key they also apply a function $f$, which I think is generally the identity function. In PublicKeySwitch, $f$ is a public input; in PrivateKeySwitch, $f$ is embedded directly in the KeySwitchKey and cannot be supplied as input.
Formally, for $f:\mathbb{R}^p\to\mathbb{R}[X]$ and $p$ LWE ciphertexts ${\sf LWE}_s(\mu_z)_{1\le z\le p}$, ${\sf KeySwitch}(\{{\sf LWE}_s(\mu_z)\},f,{\sf KSK})\to{\sf RLWE}_S(f(\mu_1,\ldots,\mu_p))$, where ${\sf KSK}$ is the KeySwitchKey, generally an encryption of the key $s$ under the key $S$.
Here I instantiate $f:\mathbb{R}^p\to\mathbb{R}[X]$ as follows: let $\mu_0,\ldots,\mu_{p-1}\in\mathbb{R}^p$ and $f(\mu_0,\ldots,\mu_{p-1})=\mu_0+\mu_1X+\mu_2X^2+\cdots+\mu_{p-1}X^{p-1}+0X^p+\cdots+0X^{N-1}\in\mathbb{R}[X]$.
PublicKeySwitch
Input:
- $p$ LWE ciphertexts $\mathfrak{c}^{(z)}=(\mathfrak{a}^{(z)},\mathfrak{b}^{(z)})\in{\sf LWE}_s(\mu_z)$, $1\le z\le p$, where $\mathfrak{a}^{(z)}=(\mathfrak{a}_1^{(z)},\ldots,\mathfrak{a}_n^{(z)})$ and $\mathfrak{b}^{(z)}-\langle\mathfrak{a}^{(z)},s\rangle\approx\mu_z$
- a public function $f:\mathbb{R}^p\to\mathbb{R}[X]$
- a KeySwitchKey ${\sf KSK}_{(i,j)}={\sf RLWE}_S(\frac{s_i}{2^j})$
Output:
${\sf RLWE}_S(f(\mu_1,\ldots,\mu_p))$
Procedure:
for $i\in[1,n]$:
    $a_i=f(\mathfrak{a}_i^{(1)},\ldots,\mathfrak{a}_i^{(p)})$
    decompose $a_i\approx\sum_{j=1}^{t}a_{i,j}\cdot 2^{-j}$.
return $\left(0,f(\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})\right)-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot{\sf KSK}_{i,j}$
Correctness:
Denote the result by $c$ and compute $\varphi_S(c)$ (ignoring noise, and using that $f$ is linear in the last step but one):
$$\begin{aligned} \varphi_S(c)&=f(\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot\varphi_S({\sf KSK}_{i,j})\\ &=f(\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot\frac{s_i}{2^j}\\ &=f(\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})-\sum_{i=1}^{n}a_i\cdot s_i\\ &=f(\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})-\sum_{i=1}^{n}f(\mathfrak{a}_i^{(1)},\ldots,\mathfrak{a}_i^{(p)})\cdot s_i\\ &=f\Big((\mathfrak{b}^{(1)},\ldots,\mathfrak{b}^{(p)})-\sum_{i=1}^{n}s_i(\mathfrak{a}_i^{(1)},\ldots,\mathfrak{a}_i^{(p)})\Big)\\ &=f(\mu_1,\ldots,\mu_p) \end{aligned}$$
So in the end we obtain an ${\sf RLWE}_S(f(\mu_1,\ldots,\mu_p))$.
PrivateKeySwitch
Input:
- $p$ LWE ciphertexts $\mathfrak{c}^{(z)}=(\mathfrak{a}^{(z)},\mathfrak{b}^{(z)})\in{\sf LWE}_s(\mu_z)$, $1\le z\le p$, where $\mathfrak{a}^{(z)}=(\mathfrak{a}_1^{(z)},\ldots,\mathfrak{a}_n^{(z)})$ and $\mathfrak{b}^{(z)}-\langle\mathfrak{a}^{(z)},s\rangle\approx\mu_z$
- a KeySwitchKey ${\sf KSK}_{z,i,j}^{(f)}={\sf RLWE}_S(f(0,\ldots,0,\frac{s_i}{2^j},0,\ldots,0))$, with $\frac{s_i}{2^j}$ in position $z$. Let $s_{n+1}=-1$.
As you can see, the only difference from the PublicKeySwitch input is that there is no public $f$; instead $f$ is embedded in ${\sf KSK}$.
Output:
${\sf RLWE}_S(f(\mu_1,\ldots,\mu_p))$
Procedure:
for $z\in[1,p]$
    for $i\in[1,n+1]$
        decompose $\mathfrak{c}_i^{(z)}\approx\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot 2^{-j}$
return $-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot{\sf KSK}_{z,i,j}$.
Correctness:
$$\begin{aligned} \varphi_S(c)&=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot\varphi_S({\sf KSK}_{z,i,j}^{(f)})\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}f(0,\ldots,\frac{s_i}{2^j},\ldots,0)\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}f\Big(0,\ldots,\sum_{j=1}^{t}\frac{s_i}{2^j}c_{i,j}^{(z)},\ldots,0\Big)\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}f(0,\ldots,s_i\mathfrak{c}_i^{(z)},\ldots,0)\\ &=-\sum_{i=1}^{n+1}s_if(\mathfrak{c}_i^{(1)},\ldots,\mathfrak{c}_i^{(p)})\\ &=f\Big(-\sum_{i=1}^{n+1}s_i\mathfrak{c}_i^{(1)},\ldots,-\sum_{i=1}^{n+1}s_i\mathfrak{c}_i^{(p)}\Big)\\ &=f(\mu_1,\ldots,\mu_p) \end{aligned}$$
Comparison
The main difference between PublicKeySwitch and PrivateKeySwitch is whether $f$ is an input or part of the information contained in ${\sf KSK}$.
In terms of efficiency, PublicKeySwitch amounts to $n$ times an ordinary KeySwitch, and PrivateKeySwitch to $(n+1)\cdot p$ times an ordinary KeySwitch.
Gate Bootstrapping
I am quite familiar with this part, so I will not write it up.
Circuit Bootstrapping
A very important observation is that ${\sf RGSW}$ is composed of several ${\sf RLWE}$ ciphertexts, so an ${\sf RGSW}$ can be assembled by constructing $2\ell$ ${\sf RLWE}$ ciphertexts.
Since we have LWE-to-LWE bootstrapping, we can apply PBS to some ${\sf LWE}(\mu)$ to obtain ${\sf LWE}(\frac{1}{B_g^i}\cdot\mu)$, then run a PrivateKeySwitch to perform LWE-to-RLWE, obtaining the ${\sf RLWE}$ ciphertexts ${\sf RLWE}(\frac{1}{B_g^i}\cdot\mu\cdot s)$ and ${\sf RLWE}(\frac{1}{B_g^i}\cdot\mu)$, and finally combine them into an ${\sf RGSW}$. That is the overall idea; I have not looked into the details.