Full RNA BGV/BFV

references:

1. [BV11] Brakerski Z, Vaikuntanathan V. Fully homomorphic encryption from ring-LWE and security for key dependent messages[C]//Annual cryptology conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011: 505-524.
2. [GHS12] Gentry C, Halevi S, Smart N P. Homomorphic evaluation of the AES circuit[C]//Annual Cryptology Conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012: 850-867.
3. [CP16] Crockett E, Peikert C. Λολ: Functional Lattice Cryptography[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 993-1005.
4. [BEHZ16] Bajard J C, Eynard J, Hasan M A, et al. A full RNS variant of FV like somewhat homomorphic encryption schemes[C]//International Conference on Selected Areas in Cryptography. Cham: Springer International Publishing, 2016: 423-442.
5. [HPS19] Halevi S, Polyakov Y, Shoup V. An improved RNS variant of the BFV homomorphic encryption scheme[C]//Topics in Cryptology–CT-RSA 2019: The Cryptographers’ Track at the RSA Conference 2019, San Francisco, CA, USA, March 4–8, 2019, Proceedings. Springer International Publishing, 2019: 83-105.
6. [KPZ21] Kim A, Polyakov Y, Zucca V. Revisiting homomorphic encryption schemes for finite fields[C]//Advances in Cryptology–ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6–10, 2021, Proceedings, Part III 27. Springer International Publishing, 2021: 608-639.

RNS Basis Extension

Generally, FHE requires a large modulus $Q$, Masashi copy $Q={\prod }_{i=1}^L{q}_i$，满足 $q_i=1(\mathrm{mod}2N)$，我们简记 $Q_i=q_1\cdots q_i$，集合 { q i } \{q_i\} { qi​} name RNS basis, virtually any size $64$ bits. We hope that all operations of FHE are single-precision (machine words of modern computers), that is, all operations are completed under RNS without the need for multi-precision arithmetic.

Conversion between different RNS, the ring element $a\in {\mathcal{R}}_Q$ From modulus $Q=q_1\cdots q_k$ lower $[a{]}_Q$ Convert to modulus $P=p_1\cdots p_l$ 下的 $[[a{]}_Q{]}_P$，可以直接在 RNS 下计算：
$$\text{FastBaseExt}(a,Q,P)={\left\{\sum _{i=1}^k{\left[a\cdot {\left(\frac{Q}{q_i}\right)}^{-1}\right]}_{q_i}\cdot \frac{Q}{q_i}(\mathrm{mod}{p}_j)\right\}}_{j=1,\cdots ,l}$$
I read it $q_i^{\ast }:=Q/q_i$ 和 ${\tilde{q}}_i:=(Q/q_i{)}^{-1}(mod{q}_i)$，满足 $q_i^{\ast }\cdot {\tilde{q}}_i\equiv 1(mod{q}_i)$，那么根据 CRT 合成定理，
$$\sum _i[a\cdot {\tilde{q}}_i{]}_{q_i}\cdot q_i^{\ast }=[a{]}_Q+in\cdot Q\in Z$$
其中 $\Vert u{\Vert }_{\infty }\le k/2$ Name $Q$-overflow，因此算法 $\text{FastBaseExt}(a,Q,P)$ Just come out $[[a{]}_Q{]}_P$ 的近似值 $[[a{]}_Q+in\cdot Q{]}_P$

Existence in a small practical example,$The\; impact\; of\; u$ is almost negligible; however, there are some instances where $u$ may cause significant noise growth, and it is necessary to find a way to remove it.

We misuse symbols, $Q,P$ represents the corresponding RNS basis set, $[a{]}_Q$represents its RNS representation.

$\gamma$-correction technique

A key calculation of BFV is
$$\lfloor \frac{P}{Q}[a{]}_Q\rceil =\frac{P\cdot [a{]}_Q-[Pa{]}_Q}{Q}\in {\mathcal{R}}_P$$
Because the above operation is integer division, we can use modular multiplication inverse element Substitution,$(P\cdot [a{]}_Q-\left[Pa{]}_Q\right)\cdot Q^{-1}\left(modP\right)$

[BEHZ16] adopts integer instructions, and additionally introduces $P,Q$ allomeric integer $\gamma$，假设 $[a{]}_Q=Q/P\cdot m+It\; is+Qr$，将 $[a{]}_Q$ Multiplication $\gamma$, except
$$\begin{array}{rl}& \text{FastBaseExt}(\gamma Pa,Q,\gamma P)\cdot [-Q^{-1}{]}_P\\ =& [[\gamma Pa{]}_Q+in\cdot Q{]}_{\gamma P}\cdot [-Q^{-1}{]}_{\gamma P}\\ =& \lfloor \frac{\gamma P}{Q}[a{]}_Q\rceil -in\\ =& c\cdot (m+Pr)+\lfloor \frac{\gamma Pe}{Q}\rceil -u\end{array}$$
当 $\gamma$ When certain conditions are met (I can’t understand what is written in the article, it does not explain it), RNS’s about$\gamma$ 的部分，满足
$${\left[\lfloor \frac{\gamma Pe}{Q}\rceil -u\right]}_{\gamma }=\lfloor \frac{\gamma Pe}{Q}\rceil -in\in R$$
Individually, independently:
$$[m{]}_P=\left({\left[\gamma \cdot (m+Pr)+\lfloor \frac{\gamma Pe}{Q}\rceil -u\right]}_P-{\left[\lfloor \frac{\gamma Pe}{Q}\rceil -u\right]}_{\gamma }\right)\cdot [{\gamma }^{-1}{]}_P$$

However, [BEHZ16]’s method can only alleviate but does not fundamentally solve$Q$-overflow question. And [HPS19]'s method can completelyremoveit.

Retrieve the Overflow

[HPS19] TakeoverFloating point command, direct calculation $u$ 的值（精度受限的），
$$\begin{array}{rl}u& =\lfloor \frac{{\sum }_i[a\cdot {\tilde{q}}_i{]}_{q_i}\cdot q_i^{\ast }}{Q}\rceil =\lfloor \sum _{i=1}^k\frac{[a\cdot {\tilde{q}}_i{]}_{q_i}}{q_i}\rceil \end{array}$$
于是 $[a{]}_Q=({\sum }_i[a\cdot {\tilde{q}}_i{]}_{q_i}\cdot q_i^{\ast })-in\cdot Q$, increment free:
$$[[a{]}_Q{]}_P=\text{FastBaseExt}(a,Q,P)-in\cdot [Q{]}_P$$

Specific steps: precalculation$[q_i^{\ast }{]}_{p_j},\forall i\in [k],\forall j\in [l]$，预计算 $[{\tilde{q}}_i{]}_{q_i},\forall i\in [k]$，预计算 $[Q{]}_{p_j},\forall j\in [l]$

1. Import $[a{]}_Q$ 的 RNS 表示 $(a_1,\cdots ,a_k)$, inside $a_i=[a{]}_{q_i}$
2. Used precisionInteger command, calculation ${and}_i=[a_i\cdot {\tilde{q}}_i{]}_{q_i}$
3. Using precisionFloating point command, calculation ${With}_i={and}_i/q_i$
4. Calculation $in=\lfloor {\sum }_i{With}_i\rceil \in {WITH}_k$
5. 在 $Q$ 的 RNS 下，计算 $x_i=a_i\cdot [{\tilde{q}}_i{]}_{q_i}(\mathrm{mod}{q}_i)$
6. present $P$ 的 RNS 下，计算 $A_j^{\prime }={\sum }_i{x}_i\cdot \left[q_i^{\ast }{]}_{p_j}\right(mod{p}_j)$
7. 纠正错误，$A_j=A_j^{\prime }-in\cdot [Q{]}_{p_j}$
8. 输出 [ a ] P = { A 1 , ⋯   , A l } [a]_{P} = \{A_1,\cdots,A_l\} [a]P​={ A1​,⋯,Al​}，易知 $[a{]}_Q\cup [a{]}_P=[a{]}_{PQ}$

Because the precision of floating point numbers is limited, the actual calculated value is ${With}_i^{\ast }={With}_i+{ϵ}_i$, the final result has arrived ${in}^{\ast }=\lfloor {\sum }_i{With}_i^{\ast }\rceil$, infinitesimal $ϵ={\sum }_i{ϵ}_i$，使用 IEEE-754 double 那么有 $ϵ<k\cdot 2^{-53}$ Z+[0.5-\epsilon, 0.5+\epsilon] $WITH+[0.5-ϵ,0.5+ϵ]$ 是 possible-error region，一旦 ${\sum }_i{With}_i^{\ast }$If you fall into this range, you should use high-precision arithmetic. However, even if it is ignored, it has little effect and only makes a minimal contribution to noise growth.

Modulus-Switching and Scaling in RNS

Simple Reduction

输入 $x\in {WITH}_{PQ}$The RNS representation of is denoted as$(x_1,\cdots ,x_k,x_1^{\prime },\cdots ,x_l^{\prime })$，Branch separation $Q={\prod }_i{q}_i$ 和 $P={\prod }_j{p}_j$

Module reduction under RNS: In order to calculate$x(\mathrm{mod}Q)$，简单删除 $Components\; of\; P$, output$[x{]}_Q=(x_1,\cdots ,x_k)$

RNS LowerDivision method：假设$P|x$(equation $x_j^{\prime }=0$), 为了计计$x/P$，预计$[P{]}_{q_i}$, online calculation$[x/P{]}_Q=([x_1\cdot P{]}_{q_1},\cdots ,[x_k\cdot P{]}_{q_k})$

Note that the RNS systemis not a numerical system (positional system) and cannot be calculated Z \mathbb Z < /span>The division with remainder on operations. Therefore, special solutions need to be designed for some necessary operations in BGV and BFV (BGV mode switching, BFV multiplication scaling, key switching, decryption). roundandCompare also cannot be executed$Z$

Modulus-Switching for BGV

[GHS12] gives a Double-CRT implementation of BGV for $t=2$ Trivial plaintext modulus, since $q_i=1\left(modt\right)$ leads to simple implementation. For general plaintext modulus $t$, let it be a larger prime number (for example$t=2^{16}+1$), concise sentence $c\in {\mathcal{R}}_{Q_k}^2$, we calculate the special $c^{†}\in R^2$ (with corollary $Z$ top), full foot

• 解密条件：$c^{†}\equiv c\cdot q_k(modt)$，那么 $c^{\prime }=c^{†}/q_k=[c^{†}\cdot q_k^{-1}{]}_{Q_{k-1}}$ Original message encrypted $[m{]}_t$

• 噪声条件：$d=c^{†}-c$ has a smaller norm

• Divisibility condition:$q_k\mid c^{†}$，注意 $Divisibility\; on\; Z$ is exactly ${WITH}_{Q_{k-1}}$Multiply the above by the inverse element,

We want to calculate the small gap first $\delta$ 满足 $d\equiv (q_k-1)\cdot c(\mathrm{mod}t)$, then re-search $c^{†}$, finally calculated $c^{\prime }=c^{†}/q_k$, but $[c{]}_t$, guide $\delta$ is difficult to calculate. [GHS12] turns to calculate the following ciphertext (the appendix of [GHS12] is too brief and difficult to understand),
$$\hat{c}=[q_k{]}_t\cdot c(mod{Q}_k)$$
It encrypts distorted message $[q_k{]}_t\cdot m$（对于 $t=2$ special case, just not reversed), and the noise has grown $q_k$ times，寻找$c^{The\; condition\; for\; †}$ is changed to:

• 解密条件：$c^{†}\equiv \hat{c}(modt)$，它使得 $[[c^{†}s{]}_{Q_k}{]}_t=[q_{k}m{]}_t$
• 噪声条件：$d=c^{†}-\hat{c}$, note that the change here results in $d\equiv 0\left(modt\right)$，这是$\delta$ is $t$ multiple (unrepeatable demand $[c{]}_t$knowledge）
• Divisibility condition:$q_k|c^{†}$，计算出 $c^{\prime }=c^{†}/q_k$, what it encrypts isthe original message $[[c^{\prime }s{]}_{Q_{k-1}}{]}_t=[[q_k^{-1}{c}^{†}s{]}_{Q_{k-1}}{]}_t=[m{]}_t$(This is what I understand, it should be, the original article did not write in detail)

at this time $\delta$ Easy calculation (because $[\delta {]}_t=0$ 已Chi)、Sanpo Nyoge:

1. 输入 $c(mod{Q}_{k}RNS\; representation\; of\; )$ (encrypted $[m{]}_t$）
2. 先计算 $\hat{c}=[q_k{]}_t\cdot RNS\; representation\; of\; c$, and then calculate $[\hat{c}{]}_{q_k}$The coefficient representation of $\bar{c}$
3. We calculate the gap$d\in [-q_{k}t/2,q_{k}t/2{)}^{N\times 2}$，使得它满足 $d\equiv 0(\mathrm{mod}t)$ 以及 $d\equiv -\bar{c}\left(mod{q}_k\right)$, to be exact we set$d=t[-\bar{c}{t}^{-1}{]}_{q_k}$
4. 计算出 $c^{†}=\hat{c}+\delta$（在模数 $Q_k$ 下），易知 $c^{†}\equiv \hat{c}\left(modt\right)$ (decryption is the same) and $c^{†}\equiv 0\left(mod{q}_k\right)$(divisibility)
5. Final calculationDivisibility $c^{\prime }=c^{†}/q_k\left(mod{Q}_{k-1}\right)$, each quantityfrom the inverse element $[q_k^{-1}{]}_{q_i},\forall i\le k-1$
6. 输出 $c^{\prime }(mod{Q}_{k-1}RNS\; representation\; of\; )$, which encrypts $\hat{c}$ encrypted message $[m{]}_t$

In fact, mode switching is not required and the result is still the encryption of the original message:

• The noise condition is changed to $d=c^{†}-c$，
• The decryption condition is changed to $c^{†}\equiv c(modt)$（即 $c+d\equiv c(modt)$），
• and such that $q\mid c^{†}$（即 $c+d\equiv 0(modq)$）

Any plaintext modulus $t\ge The\; mode\; switching\; algorithm\; of\; 2$ is:

1. 输入 $[m{]}_t$Ciphertext of $c=(c_0,c_1)\in {\mathcal{R}}_Q$，A cry is $v$，从 $Q$ 切换到 $Q^{\prime }$，简记 $q=Q/Q^{\prime }$ (can span multiple levels)
2. 计算差距 $d=({\delta }_0=t[-t^{-1}{c}_0{]}_q,d_1=t[-t^{-1}{c}_1{]}_q)$，它满足 $d\equiv 0(\mathrm{mod}t)$ 以及 $d\equiv -c\left(modq\right)$，Last Commander $\delta$ rush $Q$ (not trivial under RNS, requiresRNS Basis Extension)
3. 那么 $c^{†}=[c+\delta {]}_Q\in [-Q/2,Q/2)$ $q$ “Division” (RNS subgroup $The\; corresponding\; components\; of\; q$ are all zero), Lift it to $Z$, the division result falls on$[-Q^{\prime }/2,Q^{\prime }/2)$, in this way “乘乘回原” Next change generation (RNS lower group $Q^{\prime }$ The inverse element on the corresponding component, $\gcd (q,Q^{\prime })=1$), we calculate$c^{\prime }=[c^{†}\cdot q^{-1}{]}_{Q^{\prime }}$, which is exactly $c^{†}/q\in Z$ result (imitation) $Q^{\prime }$ 目）
4. Output $c^{\prime }\in {\mathcal{R}}_{Q^{\prime }}$, it encrypts the distorted message $[m\cdot q^{-1}{]}_t$, the noise is scaled approximately $1/q$ 成为 $v/q+{in}_{ms}$（注意 $[c^{†}\cdot q^{-1}{]}_{Q^{\prime }}$ is equivalent to integer division. This scalar multiplication causes the noise to grow to $q^{-1}$ times, actually reduces the absolute size of the noise

We need to track the scaling factors of different ciphertexts in real time (simple modular reduction does not distort the message), and two ciphertexts must first be twisted to the same factor before being operated on.

Scaling for BFV

[HPS19] gives two scaling procedures for BFV, the former can be used for decryption and the latter is used for GHS key switching.

Simple scaling

输入：$x\in {WITH}_Q$ 的 RNS 表示 $(x_1,\cdots ,x_k)$, any positive integer $t$(single precision integer)

输出：$and=\lfloor t/Q\cdot x\rceil \in {WITH}_t$

Similar to the idea of ​​CRT Basis Extension, $[x{]}_Q$ Heavy construction $x$，观察提取出可预计算的部分，
$$\begin{array}{rl}and& =\lfloor \frac{t}{Q}\cdot x\rceil =\lfloor \frac{t}{Q}\cdot \sum _{i=1}^k{x}_i\cdot q_i^{\ast }\cdot {\tilde{q}}_i-in\cdot t\rceil \\ & =\lfloor \sum _{i=1}^k{x}_i\cdot \left(\frac{t}{q_i}\cdot {\tilde{q}}_i\right)\rceil -in\cdot t\end{array}$$
I am a constant in the calculation, the fraction isIntegerSumDecimalTwo parts,
$$\frac{t{\tilde{q}}_i}{q_i}={oh}_i+i_i,{oh}_i\in {WITH}_t,i_i\in [-0.5,0.5)$$
Streaming:

1. Used precisionInteger command, calculation $In=[{\sum }_i{x}_i\cdot {oh}_i{]}_t$
2. Using precisionFloating point command, calculation $in=\lfloor {\sum }_i{x}_i\cdot i_i\rceil \in {WITH}_k$
3. 合并为 $and=[w+v{]}_t$

Similarly, there are errors in actual calculations: the decimal part is represented by floating point$i_i^{\ast }=i_i+{ϵ}_i,|{ϵ}_i|<ϵ$ (If using IEEE-754 double, the error scale is$ϵ=2^{-53}$），计算出的 ${in}^{\ast }=\lfloor {\sum }_{i=1}^k{x}_i({\omega }_i+i_i^{\ast })\rceil$ 可能会和 $in=\lfloor {\sum }_{i=1}^k{x}_i({\omega }_i+i_i)\rceil$ 对于、计误误为为 ${\sum }_i{x}_i{ϵ}_i<ϵ/2\cdot {\sum }_i{q}_i$，其中 $x_i=[x{]}_{q_i}\in [-q_i/2,q_i/2)$

Suppose we constrain $and=\lfloor \frac{t}{Q}\cdot x\rceil$ 满足 $and(\mathrm{mod}\mathbb{Z})\in [-1/4,1/4]$ (the noise scale in the control ciphertext is less than $Q/4t$, but unusual $Q/2t$), な么么过加积误误满足$|{\sum }_i{x}_i{ϵ}_i|<1/4$ (a floating point number with high enough precision), it can always be rounded correctly ($in={in}^{\ast }$). MaybeIEEE-754 double is not precise enough and you need to use non-standard C/C++ long double

Complex scaling

输入：$x\in {WITH}_{PQ}$The RNS of represents a positive integer $t$，满足 $x\in [-PQ/2t,PQ/2t)$ Fall较小范围内

输出：$and=\lfloor t/Q\cdot x\rceil \in {WITH}_Q$

Abstractly, this can be done in two steps,

1. 利用 Simple scaling 过程，设置 $Q^{\prime }=PQ,t^{\prime }=tP$，获得 ${and}^{\prime }=\lfloor t^{\prime }/Q^{\prime }\cdot x\rceil =\lfloor t/Q\cdot x\rceil \in {WITH}_{tP}$，丢弃 $Part\; of\; t$ (equivalent to simple modulo) obtains${and}^{\prime }=\lfloor t/Q\cdot x\rceil \in [-P/2,P/2)$（以业 $x$ 的电影小，${and}^{\prime }$ is the result of not taking modulo)
2. Use RNS Basis Extension $[y^{\prime }{]}_P$ Exhibition $[y^{\prime }{]}_{PQ}$，丢弃 $P$ part, out $and=[y^{\prime }{]}_Q$

Step 1 uses $t^{\prime }$ is a high-precision number. It needs to be decomposed by RNS first and then perform the Simple scaling process separately. However, we actually only need $[y^{\prime }{]}_P$ 而非 $[y^{\prime }{]}_{tP}$$P|\gcd (Q^{\prime },t^{\prime })$, there is actually a faster algorithm.

简记 $Q_i^{\ast }=Q/q_i=q_i^{\ast }P,P_j=Q/p_j=Q{p}_j^{\ast }$，计算 ${\tilde{Q}}_i=[(Q_i^{\ast }{)}^{-1}{]}_{q_i},{\tilde{P}}_j=[(P_j^{\ast }{)}^{-1}{]}_{p_j}$，简记 $x_i=[x{]}_{q_i},x_j^{\prime }=[x{]}_{p_j}$，那么
$$\begin{array}{rl}{and}^{\prime }& =\lfloor \frac{t^{\prime }}{Q^{\prime }}\cdot x\rceil =\lfloor \frac{t}{Q}\cdot \left(\sum _{i=1}^k{x}_i\cdot Q_i^{\ast }\cdot {\tilde{Q}}_i+\sum _{j=1}^l{x}_j^{\prime }\cdot P_j^{\ast }\cdot {\tilde{P}}_j\right)-in\cdot tP\rceil \\ & =\lfloor \sum _{i=1}^k{x}_i\cdot \left(\frac{t}{q_i}\cdot {\tilde{Q}}_{i}P\right)+\sum _{j=1}^l{x}_j^{\prime }\cdot \left(t\cdot {\tilde{P}}_j{p}_j^{\ast }\right)\rceil -in\cdot tP\end{array}$$
$[y^{\prime }{]}_P$ 的 RNS 表示，
$$[y^{\prime }{]}_{p_j}={\left[\lfloor \sum _{i=1}^k{x}_i\cdot \left(\frac{t}{q_i}\cdot {\tilde{Q}}_{i}P\right)\rceil +x_j^{\prime }\cdot \left(t\cdot {\tilde{P}}_j{p}_j^{\ast }\right)\right]}_{p_j}$$
需要预计算
$$\frac{t{\tilde{Q}}_{i}P}{q_i}={oh}_i+i_i,{oh}_i\in {WITH}_P,i_i\in [-0.5,0.5)$$
General ${In}_i$ Decomposed into single-precision integers${In}_{ij}:=[w_i{]}_{p_j},\forall i\in [k],\forall j\in [l]$，另外预计算 $l_j:=[t{\tilde{P}}_j{p}_j^{\ast }{]}_{p_j},\forall j\in [l]$

输入 $(x_1,\cdots ,x_k,x_1^{\prime },\cdots ,x_l^{\prime })$, then the steps of step 1 are:

1. Used floating point number command, calculation $in=\lfloor {\sum }_i{x}_i{i}_i\rceil \in {WITH}_k$, this is shared by
2. Use integer instructions to calculate${In}_j=[{\sum }_i{x}_i{In}_{ij}+l_j{x}_j^{\prime }{]}_{p_j}$, the second term is accumulated$(\mathrm{mod}{p}_j)$ BasicDelete
3. 合并为 $[y^{\prime }{]}_{p_j}=[v+{In}_j{]}_{p_j}$

Scaling between Arbitrary RNS Bases

[KPZ21] gives another implementation of Simple scaling,

输入：$x\in {WITH}_Q$The RNS representation of is the same as $Q$ Comparatively prime multiple-precision integers $P$

输出：$\lfloor P/Q\cdot [x{]}_Q\rceil (modP)$

In [BEHZ16], it roundingcan be written asinteger division ⌊ P Q ⋅ [ x ] Q ⌉ = P ⋅ [ x ] Q − [ P x ] Q Q \left\lfloor \dfrac{P}{Q} \ cdot [x]_Q \right\rceil = \dfrac{P \cdot[x]_Q - [Px]_Q}{Q} ,
$$\lfloor \frac{P}{Q}\cdot [x{]}_Q\rceil =\frac{P\cdot [x{]}_Q-[Px{]}_Q}{Q}$$
Therefore it is equivalent to Z P \mathbb Z_P in ${WITH}_P$ 中乘以逆元，
$${\left[\lfloor \frac{P}{Q}\cdot [x{]}_Q\rceil \right]}_P=[-[Px{]}_Q{]}_P\cdot [Q^{-1}{]}_P$$
根据 CRT 组合公式，
$$[Px{]}_Q=\sum _{i=1}^k[Px{]}_{q_i}\cdot [{\tilde{q}}_i{]}_{q_i}\cdot q_i^{\ast }-in\cdot Q$$
Therefore, the calculation formula of the RNS representation of the final result is:
$$[-[Px{]}_Q{]}_{p_j}\cdot [Q^{-1}{]}_{p_j}={\left[u-\sum _{i=1}^k[Px{]}_{q_i}\cdot [{\tilde{q}}_i{]}_{q_i}\cdot q_i^{-1}\right]}_{p_j}$$
Inside $\Vert u{\Vert }_{\infty }\le k/2$, you can use [HPS19]'s floating point arithmetic

Key-Switch in RNS

Import $s_A$ Encrypted ciphertext $c{t}_A=(c_0,c_1)$, set $s_B$ 加密的 $s_A$ secret sentence $k{s}_{A\to B}$，
$$k{s}_{A\to B}:=(k{s}_0=[a\cdot s_B+te+s_A{]}_Q,k{s}_1=[-a{]}_Q)$$
Key switching is homomorphic linear decryption, abstractly described as$c_0+c_1\cdot E(s_A)$，具体地：
$$\begin{array}{rl}c{t}_B& =c_0\cdot (1,0)+c_1\cdot k{s}_{A\to B}\\ & =([c_0+c_1\cdot k{s}_0{]}_Q,[c_1\cdot k{s}_1{]}_Q)\end{array}$$
Reproducibility is a special key switching: input ciphertext$ct=(c_0,c_1,c_2)$, set $s$ 加密的 $s^2$'s secret sentence $rlk$，
$$rlk:=(rl{k}_0=[a\cdot s+te+s^2{]}_Q,rl{k}_1=[-a{]}_Q)$$
Yuyu $(0,1)$ is $s$'s own ciphertext, reproducibility's abstract description is$c_0+c_1\cdot E(s)+c_2\cdot E(s^2)$，具体地：
$$\begin{array}{rl}c{t}^{\prime }& =c_0\cdot (1,0)+c_1\cdot (0,1)+c_2\cdot rlk\\ & =([c_0+c_2\cdot rl{k}_0{]}_Q,[c_1+c_2\cdot rl{k}_1])\end{array}$$
但是 $c_1$The scale of is relative to the ciphertext modulus $Q$ 过大，导入卼钥切换中 $k{s}_{A\to B}$The noise is greatly increased. There are two ways to control noise, [BV11] and [GHS12], as well as a mixture of them.

Brakerski-Vaikuntanathan

[BV11] Adoptdigital decomposition technology, select radix-$w$, the number is $l=\lfloor {\log }_{w}Q\rceil +1$

• 分解：$D_{w,Q}(a)=([a{]}_w,[\lfloor a/w\rceil {]}_w,\cdots ,[\lfloor a/w^{l-1}\rceil {]}_w)\in {\mathcal{R}}_{In}^l$，
• 幂次：$P_{w,Q}\left(a\right)=([a{]}_Q,[aw{]}_Q,\cdots ,[a{w}^l{]}_Q)\in R_Q^l$
• 易知 $⟨D(a),P(b)⟩\equiv ab(\mathrm{mod}Q)$

Therefore, the key switching key is:
$$k{s}_{A\to B}^{BV}:=(k{s}_0=[\vec{a}\cdot s_B+t\overrightarrow{It\; is}+P_{w,Q}(s_A){]}_Q,k{s}_1=[-\vec{a}{]}_Q)\in R_Q^{l\times 2}$$
The secret key switching procedure is:
$$c{t}_B=([c_0+⟨D_{w,Q}(c_1),k{s}_0⟩{]}_Q,[⟨D_{w,Q}\left(c_1\right),k{s}_1⟩{]}_Q)$$
However, the RNS system is not a digital system, and the above radix-$w$ Decomposition cannot be performed naturally. [BEHZ16] Directly use each remainder ofRNS as the decomposition form of the element, let$Q=q_1\cdots q_k$，简记 $q_i^{\ast }=Q/q_i,{\tilde{q}}_i=(q_i^{\ast }{)}^{-1}(mod{q}_i)$

• 分解：$D_Q\left(a\right)=([a{\tilde{q}}_1{]}_{q_1},[a{\tilde{q}}_2{]}_{q_2},\cdots ,[a{\tilde{q}}_k{]}_{q_k})\in R^k$
• 幂次：$P_Q(a)=([a{q}_1^{\ast }{]}_Q,[a{q}_2^{\ast }{]}_Q,\cdots ,[a{q}_k^{\ast }{]}_Q)\in {\mathcal{R}}_Q^k$
• Easy to verify, it also satisfies$⟨D(a),P(b)⟩\equiv ab(modQ)$

Under RNS, the key switching key is:
$$k{s}_{A\to B}^{RNS-BV}:=(k{s}_0=[\vec{a}\cdot s_B+t\overrightarrow{It\; is}+P_Q(s_A){]}_Q,k{s}_1=[-\vec{a}{]}_Q)\in R_Q^{k\times 2}$$
The secret key switching procedure is:
$$c{t}_B=([c_0+⟨D_Q(c_1),k{s}_0⟩{]}_Q,[⟨D_Q\left(c_1\right),k{s}_1⟩{]}_Q)$$
[HPS19] Further optimization, modified to

• 分解：$D_Q\left(a\right)=([a{]}_{q_1},[a{]}_{q_2},\cdots ,[a{]}_{q_k})\in R^k$
• 幂次：$P_Q\left(a\right)=([a{q}_1^{\ast }{\tilde{q}}_1{]}_Q,[a{q}_2^{\ast }{\tilde{q}}_2{]}_Q,\cdots ,[a{q}_k^{\ast }{\tilde{q}}_k{]}_Q)\in R_Q^k$

Therefore $[c_1{]}_Q$ is directly $D(c_1)$, thus saving some multiplication operations.

Specific process and corresponding complexity:

Gentry-Halevi-Smart

[GHS12] Use temporary expansion technique to select a sufficiently large $P=p_1\cdots p_l\approx Q$

Specify the equation:
$$k{s}_{A\to B}^{GHS}:=(k{s}_0=[a\cdot s_B+te+P{s}_A{]}_{PQ},k{s}_1=[-a{]}_{PQ})\in R_{PQ}^2$$
The key switching procedure is:

1. 先在 $PQ$ 下计算 $c_1\cdot E(s_A)$，
   $$c{t}_B^{\prime }=(c_0^{\prime }=[c_1\cdot k{s}_0{]}_{PQ},c_1^{\prime }=[c_1\cdot k{s}_1{]}_{PQ})$$

2. Then calculate $c{t}_B^{\prime }$ Division $P$ Distance (complete) $[\delta {]}_t=0$ 和 $[c{t}_B^{\prime }{]}_P=[\delta {]}_P$），
   $$d=({\delta }_0=t[-t^{-1}{c}_0^{\prime }{]}_P,d_1=t[-t^{-1}{c}_1^{\prime }{]}_P)\in {\mathcal{R}}_{PQ}^2$$

3. 将 $c{t}_B^{\prime }+\delta$ 从 $PQ$ Zoom to $Q$(excluding $P$,fix the free range),solve
   $$c{t}_B=\left({\left[c_0+\frac{c_0^{\prime }+d_0}{P}\right]}_Q,{\left[c_1+\frac{c_1^{\prime }+d_1}{P}\right]}_Q\right)$$

Executed under RNS,

1. 将 $[c_1{]}_Q$ Extended usingRNS Basis Extension to$[[c_1{]}_Q+uQ{]}_P$, inside $\Vert u{\Vert }_{\infty }\le k/2$ Yes CRT synthesis time $Q$-overflow
2. 计算 $[c_1{]}_{PQ}$ 和 $k{s}_{A\to B}^{GHS}$The product of gives $[c{t}_B^{\prime }{]}_{PQ}$
3. 将 $[-t^{-1}c{t}_B^{\prime }{]}_P$ 利用 RNS Basis Extension 扩展到 $[[-t^{-1}c{t}_B^{\prime }{]}_P+{in}^{\prime }P{]}_Q$, inside $\Vert u^{\prime }{\Vert }_{\infty }\le l/2$
4. We calculated $PQ$ Approximate value of the lower gap$d^{\prime }=d+t{u}^{\prime }P$，再利用 Madulus-Switching / Scaling，计算出 $[c{t}_B{]}_Q$

其中的$u,{in}^{\prime }$ can be eliminated by the techniques of [BEHZ16] and [HPS19], but here they are both small and only make a negligible contribution to the noise growth.

Specific process and corresponding complexity:

Hybrid

The disadvantage of BV Key-Switch is: the ciphertext is expanded $l$ times, a larger number of NTTs are required. The disadvantage of GHS Key-Switch is: the modulus is increased $P$ times, in order to compensate for the loss of safety, either the dimension is expanded twice or the number of multiplication layers is reduced by half. [GHS12] proposed that the two can be mixed to achieve tradeoff performance.

Generally speaking, the hybrid scheme performs better in terms of efficiency and noise control. Use a relatively large radix-$w$, usage number $l=\lfloor {\log }_{w}Q\rceil +1$ is small, and a smaller scale $P\approx lw/2$，
$$k{s}_{A\to B}^{Hybrid}=([\vec{a}\cdot s_B+t\overrightarrow{It\; is}+P\cdot P_{w,Q}(s_A){]}_{PQ},[-\vec{a}{]}_{PQ})$$
The calculation process is:

1. 输入 $c{t}_A=(c_0,c_1)\in {\mathcal{R}}_Q^2$，decompose $c_1$ 为 $D_{w,Q}\left(c_1\right)\in R^l$
2. 计算 $c{t}_B^{\prime }=([⟨D_{w,Q}(c_1),k{s}_0⟩{]}_{PQ},[⟨D_{w,Q}\left(c_1\right),k{s}_1⟩{]}_{PQ})$
3. Use mode switching to divide it by $P$ Zoom to $Q\; c\; 1\; +\; (\; c\; 1\; \prime \; +\; \delta \; 1\; )\; /\; P\; ]\; Q\; )\; ct\_B=([c\_0+(c\_0\text{'}+\backslash delta\_0)/P]\_Q,\; [c\_1+(c\_1\text{'}+\backslash delta\_1)/P]\_Q\; )$$c{t}_B=([c_0+(c_0^{\prime }+d_0)/P{]}_Q,[c_1+(c_1^{\prime }+d_1)/P{]}_Q)$

For RNS systems, using a similar decomposition of [BEHZ16], $Q$ 分为 $Q_0,\cdots ,Q_d$，each $Q_i$ 包含 $a\approx k/d$ Small prime number, simple $Q_i^{\ast }=Q/Q_i$，${\tilde{Q}}_i=[(Q_i^{\ast }{)}^{-1}{]}_{Q_i}$

The decomposition function is${\tilde{D}}_Q(a)=([a{]}_{Q_1},\cdots ,\left[a{]}_{Q_d}\right)\in R^d$，幂次函数定义为
$${\tilde{P}}_Q(a)=\left({\left[s_B{Q}_i^{\ast }{\tilde{Q}}_i\right]}_Q,\cdots ,{\left[s_B{Q}_i^{\ast }{\tilde{Q}}_i\right]}_Q\right)\in {\mathcal{R}}_Q^d$$
Then, the key switching key is:
$$k{s}_{A\to B}^{RNS-Hybrid}=([\vec{a}\cdot s_B+t\overrightarrow{It\; is}+P\cdot {\tilde{P}}_Q(s_B){]}_{PQ},[-\vec{a}{]}_{PQ})$$
The calculation step is the appropriate combination of RNS-BV and RNS-GHS,

1. decompose $c_1$ 为 ${\tilde{D}}_Q(c_1)$，并扩到到$PQ$
2. 在 $Calculate\; on\; PQ$ $c{t}_B^{\prime }$
3. Zoom to $Q$，再加上 $c_0$，得到 $c{t}_B$

Specific process and corresponding complexity:

Complexities and Size

GHS selection: BFV’s $k\approx l$，BGV 的 $k^{\prime }\approx l^{\prime }$

Hybrid 选取：BFV 的 $a\approx k,d\alpha \approx l$，BGV 的 $a^{\prime }\approx k^{\prime },d{\alpha }^{\prime }\approx l^{\prime }$

The complexity is: