The core idea of TFHE is an optimization of the accumulator (ACC) computation inside FHEW's Refresh algorithm: the internal product $\mathsf{RGSW}\boxtimes\mathsf{RGSW}\to\mathsf{RGSW}$ used there is replaced by the external product $\mathsf{RGSW}\boxdot\mathsf{RLWE}\to\mathsf{RLWE}$. This speeds up the computation and shrinks the bootstrapping key.
Beyond that, TFHE also proposes several application-level algorithms, including how to evaluate automata and leveled binary gates. I skipped all of those; what I care about are the algorithm-level building blocks: GateBootstrapping, PublicKeySwitch, PrivateKeySwitch and Circuit Bootstrapping.
What makes these algorithms interesting is that PublicKeySwitch and PrivateKeySwitch can perform LWE-to-RLWE key switching, and Circuit Bootstrapping can refresh an (R)LWE ciphertext into an RGSW ciphertext by bootstrapping.
Note: the TFHE paper abstracts LWE and RLWE into TLWE, and then uses TRLWE and TLWE to denote RLWE and LWE concretely, which I find confusing, so in these notes I write LWE and RLWE instead. In their later papers the authors also switched to LWE, RLWE and GLWE for the concrete and abstract cases. Moreover, the torus can be written as $\mathbb{T}[X]=\mathbb{R}_q[X]/q$, and implementations work in $\mathbb{R}_q[X]$ anyway, so writing LWE and RLWE is actually clearer.
The external product is written as
$$\mathsf{RGSW}\boxdot\mathsf{RLWE}=Decomp(\mathsf{RLWE})\cdot\mathsf{RGSW}\to\mathsf{RLWE}$$
Let us look at each definition in turn:
First we define $\mathsf{RGSW}$ (the TFHE paper defines $\mathsf{TGSW}$; here I take $k=1$ and focus on the $\mathsf{RGSW}$ case).
Start with the decomposition (gadget) matrix $H$, a $2\ell\times 2$ matrix whose decomposition base is $1/B_g$:
$$H=\begin{pmatrix} 1/B_g & 0\\ \vdots & \vdots\\ 1/B_g^{\ell} & 0\\ 0 & 1/B_g\\ \vdots & \vdots\\ 0 & 1/B_g^{\ell}\end{pmatrix}\in\mathbb{R}^{2\ell\times 2}$$
Next generate $2\ell$ ciphertexts $\mathsf{RLWE}(0)$ and stack them into a matrix $Z$:
$$Z=\begin{pmatrix} a_1 & b_1\\ \vdots & \vdots\\ a_\ell & b_\ell\\ a_{\ell+1} & b_{\ell+1}\\ \vdots & \vdots\\ a_{2\ell} & b_{2\ell}\end{pmatrix}\in R_q^{2\ell\times 2}$$
where $\varphi_s(a_i,b_i)=0$, i.e. $b_i+a_i s=0+e_i$.
Then for an input $\mu$,
$$\mathsf{RGSW}(\mu)=Z+\mu\cdot H=\begin{pmatrix} a_1+1/B_g\cdot\mu & b_1\\ \vdots & \vdots\\ a_\ell+1/B_g^{\ell}\cdot\mu & b_\ell\\ a_{\ell+1} & b_{\ell+1}+1/B_g\cdot\mu\\ \vdots & \vdots\\ a_{2\ell} & b_{2\ell}+1/B_g^{\ell}\cdot\mu\end{pmatrix}\in R_q^{2\ell\times 2}$$
Observe that for $1\le i\le\ell$ we now have $\varphi_s(a_i+1/B_g^{i}\cdot\mu,\ b_i)=1/B_g^{i}\cdot\mu\cdot s$ (plus noise), so each of these rows is an $\mathsf{RLWE}(1/B_g^{i}\cdot\mu\cdot s)$; for $\ell+1\le i\le 2\ell$ we have $\varphi_s(a_i,\ b_i+1/B_g^{i-\ell}\cdot\mu)=1/B_g^{i-\ell}\cdot\mu$, so each of these rows is an $\mathsf{RLWE}(1/B_g^{i-\ell}\cdot\mu)$.
So every row of an $\mathsf{RGSW}$ ciphertext is itself an $\mathsf{RLWE}$ ciphertext, and we can write
$$\mathsf{RGSW}(\mu)=\begin{pmatrix}\mathsf{RLWE}(1/B_g\cdot\mu\cdot s)\\ \vdots\\ \mathsf{RLWE}(1/B_g^{\ell}\cdot\mu\cdot s)\\ \mathsf{RLWE}(1/B_g\cdot\mu)\\ \vdots\\ \mathsf{RLWE}(1/B_g^{\ell}\cdot\mu)\end{pmatrix}\in R_q^{2\ell\times 2}$$
Now the definition of $Decomp$:
For $c=\mathsf{RLWE}(m)=(a,b)$, $Decomp(c)=(a_1,\dots,a_\ell,b_1,\dots,b_\ell)$, where $\sum_{i=1}^{\ell}a_i\cdot 1/B_g^{i}=a$ and $\sum_{i=1}^{\ell}b_i\cdot 1/B_g^{i}=b$; the $a_i,b_i$ are the base-$B_g$ digit polynomials, so their coefficients are small (in $[-B_g/2,B_g/2)$), which is what keeps the noise of the product small.
With these definitions the external product is
$$\begin{aligned}\boxdot:\ \mathsf{RGSW}\times\mathsf{RLWE}&\longrightarrow\mathsf{RLWE}\\ (A,\boldsymbol b)&\longmapsto A\boxdot\boldsymbol b=Decomp(\boldsymbol b)\cdot A\end{aligned}$$
Correctness:
Let $\boldsymbol b=(a,b)\in\mathsf{RLWE}(\mu_1)$, $Decomp(\boldsymbol b)=(a_1,\dots,a_\ell,b_1,\dots,b_\ell)$ with $\sum_{i=1}^{\ell}a_i\cdot 1/B_g^{i}=a$ and $\sum_{i=1}^{\ell}b_i\cdot 1/B_g^{i}=b$, and let $A\in\mathsf{RGSW}(\mu_2)$. Then (ignoring noise)
$$\begin{aligned} Decomp(\boldsymbol b)\cdot A&=(a_1,\dots,a_\ell,b_1,\dots,b_\ell)\cdot\begin{pmatrix}\mathsf{RLWE}(1/B_g\cdot\mu_2\cdot s)\\ \vdots\\ \mathsf{RLWE}(1/B_g^{\ell}\cdot\mu_2\cdot s)\\ \mathsf{RLWE}(1/B_g\cdot\mu_2)\\ \vdots\\ \mathsf{RLWE}(1/B_g^{\ell}\cdot\mu_2)\end{pmatrix}\\ &=\sum_{i=1}^{\ell}\mathsf{RLWE}(1/B_g^{i}\cdot\mu_2\cdot s\cdot a_i)+\sum_{i=1}^{\ell}\mathsf{RLWE}(1/B_g^{i}\cdot\mu_2\cdot b_i)\\ &=\mathsf{RLWE}(\mu_2\cdot s\cdot a)+\mathsf{RLWE}(\mu_2\cdot b)\\ &=\mathsf{RLWE}(\mu_2(b+as))\\ &=\mathsf{RLWE}(\mu_1\mu_2)\end{aligned}$$
The noise of the result is the sum of the digit polynomials times the row noises, plus $\mu_2$ times the noise of $\boldsymbol b$; this is why the digits must be small and why $\mu_2$ is in practice a bit or a monomial $X^k$.
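The external product above as an added worked example in Python; this is not code from the TFHE paper or the TFHE library. It assumes the torus is represented as $\mathbb{Z}_q$ with $q=2^{32}$ (so $1/B_g^i$ becomes the integer $q/B_g^i$), toy parameters $N=16$, $B_g=2^8$, $\ell=4$, a binary secret, bounded uniform noise standing in for Gaussian noise, and the phase convention $\varphi_s(a,b)=b+as$ used in this section. The RGSW ciphertext encrypts a monomial $X^k$, so the product rotates the message polynomial, which is exactly the blind-rotation step of bootstrapping.

```python
"""Toy external product RGSW ⊡ RLWE -> RLWE over R_q = Z_q[X]/(X^N + 1).

Added example, not code from the TFHE paper or its library.  The torus is
represented as Z_q with q = 2^32, so the gadget entry 1/B_g^i becomes the
integer q // B_g^i.  Parameters are toy-sized and NOT secure; B_g^ell == q
makes the digit decomposition exact so the noise bookkeeping stays simple.
"""
import random

N = 16                     # ring dimension
Q = 1 << 32                # modulus standing in for the torus T = R/Z
BG = 1 << 8                # decomposition base B_g
ELL = 4                    # digits per element, B_g^ELL == Q
ERR = 8                    # toy noise bound, e uniform in [-ERR, ERR]
GADGET = [Q // BG ** i for i in range(1, ELL + 1)]   # 1/B_g, ..., 1/B_g^ell as integers
rng = random.Random(2024)  # fixed seed: reproducible constructed sample

def polymul(a, b):
    """Negacyclic product of two length-N coefficient lists, mod X^N+1 and q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % N, 1 if i + j < N else -1
            out[k] = (out[k] + sign * ai * bj) % Q
    return out

def padd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def pscale(c, a): return [(c * x) % Q for x in a]          # integer scalar times poly

def rlwe_enc(s, m):
    """RLWE_s(m) = (a, b) with phase phi_s(a, b) = b + a*s = m + e."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-ERR, ERR) for _ in range(N)]
    b = [(-x + mi + ei) % Q for x, mi, ei in zip(polymul(a, s), m, e)]
    return (a, b)

def phase(s, ct): return padd(ct[1], polymul(ct[0], s))

def rgsw_enc(s, mu):
    """RGSW_s(mu) = Z + mu*H: 2*ELL rows of RLWE_s(0); mu/B_g^i is added to the
    a-part in rows 1..ELL and to the b-part in rows ELL+1..2*ELL."""
    zero = [0] * N
    rows = []
    for g in GADGET:                          # rows with phase mu*s/B_g^i
        a, b = rlwe_enc(s, zero)
        rows.append((padd(a, pscale(g, mu)), b))
    for g in GADGET:                          # rows with phase mu/B_g^i
        a, b = rlwe_enc(s, zero)
        rows.append((a, padd(b, pscale(g, mu))))
    return rows

def decomp_coeff(x):
    """Signed digits d_1..d_ELL in [-B_g/2, B_g/2) with x == sum d_i * q/B_g^i (mod q)."""
    digits = []
    for _ in range(ELL):                      # least significant digit first
        d = x % BG
        if d >= BG // 2:
            d -= BG
        digits.append(d)
        x = (x - d) // BG
    return digits[::-1]                       # d_1 (most significant) first

def decomp(poly):
    """Decomp of a polynomial: ELL digit polynomials, computed coefficient-wise."""
    per_coeff = [decomp_coeff(c) for c in poly]
    return [[per_coeff[k][i] % Q for k in range(N)] for i in range(ELL)]

def external_product(rgsw, rlwe):
    """RGSW ⊡ RLWE = Decomp(RLWE) . RGSW: sum over rows of digit polynomial times row."""
    a, b = rlwe
    digits = decomp(a) + decomp(b)            # (a_1..a_ell, b_1..b_ell)
    acc_a, acc_b = [0] * N, [0] * N
    for d, (ra, rb) in zip(digits, rgsw):
        acc_a = padd(acc_a, polymul(d, ra))
        acc_b = padd(acc_b, polymul(d, rb))
    return (acc_a, acc_b)

def encode(msgs, p=8): return [(m * (Q // p)) % Q for m in msgs]      # Z_p -> torus
def decode(poly, p=8): return [round(x / (Q // p)) % p for x in poly]  # rounds the noise off

def demo(msgs, k):
    """RLWE(msgs) times RGSW(X^k): returns the decoded product, i.e. the message
    polynomial rotated negacyclically by k (the blind-rotation step of bootstrapping)."""
    s = [rng.randrange(2) for _ in range(N)]          # binary secret key
    c = rlwe_enc(s, encode(msgs))
    mono = [0] * N
    mono[k] = 1                                        # mu_2 = X^k
    return decode(phase(s, external_product(rgsw_enc(s, mono), c)))

if __name__ == "__main__":
    print(demo([k % 8 for k in range(N)], 3))
```

With $B_g^\ell=q$ the decomposition is exact; with a real parameter set ($B_g^\ell<q$) the low bits of $a$ and $b$ are dropped and the rounding error, multiplied by $\mu_2$, adds to the noise of the result.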
With the external product defined, the internal product is
$$\begin{aligned}\boxtimes:\ \mathsf{RGSW}\times\mathsf{RGSW}&\longrightarrow\mathsf{RGSW}\\ (A,B)&\longmapsto A\boxtimes B=\begin{bmatrix}A\boxdot\boldsymbol b_1\\ \vdots\\ A\boxdot\boldsymbol b_{2\ell}\end{bmatrix}=\begin{bmatrix}Decomp(\boldsymbol b_1)\cdot A\\ \vdots\\ Decomp(\boldsymbol b_{2\ell})\cdot A\end{bmatrix}\end{aligned}$$
Each of its rows is an $\mathsf{RGSW}\boxdot\mathsf{RLWE}$. In FHEW-style bootstrapping the accumulator update computes $\mathsf{RGSW}\boxtimes\mathsf{RGSW}\to\mathsf{RGSW}$, but only one row of the result is ever used, so it can be replaced entirely by $\mathsf{RGSW}\boxdot\mathsf{RLWE}$, which saves a lot of computation and shrinks the key.
Here the TFHE authors define two kinds of KeySwitch, a public and a private one. They differ from the KeySwitch of earlier papers in that, while switching keys, they also evaluate a function $f$; as far as I can tell this function is usually just the identity. In PublicKeySwitch $f$ is a public input, whereas in PrivateKeySwitch $f$ is embedded in the KeySwitchKey and cannot be chosen at call time.
Formally, for $f:\mathbb{R}^p\to\mathbb{R}[X]$ and $p$ LWE ciphertexts $\mathsf{LWE}_s(\mu_z)$, $1\le z\le p$: $\mathsf{KeySwitch}(\{\mathsf{LWE}_s(\mu_z)\},f,\mathsf{KSK})\to\mathsf{RLWE}_S(f(\mu_1,\dots,\mu_p))$, where $\mathsf{KSK}$ is the KeySwitchKey, generally an encryption of the key $s$ under the key $S$. The function $f$ has to be $\mathbb{Z}$-linear; the correctness arguments below use this when they pull sums inside $f$.
I instantiate $f:\mathbb{R}^p\to\mathbb{R}[X]$ concretely as coefficient packing: $f(\mu_1,\dots,\mu_p)=\mu_1+\mu_2X+\cdots+\mu_pX^{p-1}+0X^{p}+\cdots+0X^{N-1}\in\mathbb{R}[X]$, i.e. the $p$ inputs become the first $p$ coefficients and the rest are zero.
Input: $p$ LWE ciphertexts $c^{(z)}=(\mathfrak a_1^{(z)},\dots,\mathfrak a_n^{(z)},\mathfrak b^{(z)})=\mathsf{LWE}_s(\mu_z)$, $1\le z\le p$, with $\mathfrak b^{(z)}-\sum_{i=1}^{n}\mathfrak a_i^{(z)}s_i=\mu_z$ up to noise (note that the key-switching part uses the phase convention $b-\langle a,s\rangle$, as in the correctness argument below, whereas the RGSW section above used $b+as$); the public function $f$; and the key-switching key $\mathsf{KSK}_{i,j}=\mathsf{RLWE}_S(s_i\cdot 2^{-j})$ for $i\in[1,n]$, $j\in[1,t]$.
Output: $\mathsf{RLWE}_S(f(\mu_1,\dots,\mu_p))$
Procedure:
for $i\in[1,n]$:
$a_i=f(\mathfrak a_i^{(1)},\dots,\mathfrak a_i^{(p)})$
decompose $a_i\approx\sum_{j=1}^{t}a_{i,j}\cdot 2^{-j}$ coefficient-wise, so that each $a_{i,j}$ is a polynomial with coefficients in $\{0,1\}$.
return $\Big(0,\ f(\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})\Big)-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot\mathsf{KSK}_{i,j}$
Correctness:
Write the result as $c$ and compute $\varphi_S(c)$ (ignoring noise):
$$\begin{aligned}\varphi_S(c)&=f(\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot\varphi_S(\mathsf{KSK}_{i,j})\\ &=f(\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})-\sum_{i=1}^{n}\sum_{j=1}^{t}a_{i,j}\cdot\frac{s_i}{2^{j}}\\ &=f(\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})-\sum_{i=1}^{n}a_i\cdot s_i\\ &=f(\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})-\sum_{i=1}^{n}f(\mathfrak a_i^{(1)},\dots,\mathfrak a_i^{(p)})\cdot s_i\\ &=f\Big((\mathfrak b^{(1)},\dots,\mathfrak b^{(p)})-\sum_{i=1}^{n}s_i(\mathfrak a_i^{(1)},\dots,\mathfrak a_i^{(p)})\Big)\\ &=f(\mu_1,\dots,\mu_p)\end{aligned}$$
So the output is indeed an $\mathsf{RLWE}_S(f(\mu_1,\dots,\mu_p))$. The neglected terms are the key-switching noise $\sum_{i,j}a_{i,j}e_{i,j}$, the rounding error of the $t$-digit decomposition (multiplied by $s_i$), and $f$ applied to the input noise.
Input: $p$ LWE ciphertexts $c^{(z)}=(\mathfrak c_1^{(z)},\dots,\mathfrak c_{n+1}^{(z)})$, $1\le z\le p$, where $\mathfrak c_{n+1}^{(z)}$ is the $b$ part and the key is extended by $s_{n+1}=-1$, so that $\mu_z=-\sum_{i=1}^{n+1}s_i\mathfrak c_i^{(z)}$ up to noise; and the key-switching key $\mathsf{KSK}^{(f)}_{z,i,j}=\mathsf{RLWE}_S\big(f(0,\dots,s_i/2^{j},\dots,0)\big)$ with the nonzero entry in position $z$, for $z\in[1,p]$, $i\in[1,n+1]$, $j\in[1,t]$.
Compared with PublicKeySwitch, the only difference in the input is that there is no public $f$; instead $f$ is embedded in $\mathsf{KSK}$.
Output: $\mathsf{RLWE}_S(f(\mu_1,\dots,\mu_p))$
Procedure:
for $z\in[1,p]$:
for $i\in[1,n+1]$:
decompose $\mathfrak c_i^{(z)}\approx\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot 2^{-j}$ with $c_{i,j}^{(z)}\in\{0,1\}$.
return $-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot\mathsf{KSK}_{z,i,j}$.
Correctness (noise ignored; the nonzero argument of $f$ sits in position $z$, and the third and fifth equalities use that $f$ is $\mathbb{Z}$-linear):
$$\begin{aligned}\varphi_S(c)&=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}\cdot\varphi_S(\mathsf{KSK}^{(f)}_{z,i,j})\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}\sum_{j=1}^{t}c_{i,j}^{(z)}\,f\Big(0,\dots,\frac{s_i}{2^{j}},\dots,0\Big)\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}f\Big(0,\dots,\sum_{j=1}^{t}\frac{s_i}{2^{j}}c_{i,j}^{(z)},\dots,0\Big)\\ &=-\sum_{z=1}^{p}\sum_{i=1}^{n+1}f\big(0,\dots,s_i\mathfrak c_i^{(z)},\dots,0\big)\\ &=-\sum_{i=1}^{n+1}s_i\,f(\mathfrak c_i^{(1)},\dots,\mathfrak c_i^{(p)})\\ &=f\Big(-\sum_{i=1}^{n+1}s_i\mathfrak c_i^{(1)},\dots,-\sum_{i=1}^{n+1}s_i\mathfrak c_i^{(p)}\Big)\\ &=f(\mu_1,\dots,\mu_p)\end{aligned}$$
The main difference between PublicKeySwitch and PrivateKeySwitch is whether $f$ is an input or part of the information contained in $\mathsf{KSK}$.
In terms of cost:
PublicKeySwitch costs about $n$ times an ordinary KeySwitch (the loop performs $n\cdot t$ multiply-accumulates of a digit polynomial with an RLWE ciphertext).
PrivateKeySwitch costs about $(n+1)\cdot p$ times an ordinary KeySwitch (the triple loop performs $(n+1)\cdot p\cdot t$ additions of an RLWE ciphertext, one per digit).
A very important observation is that an $\mathsf{RGSW}$ ciphertext is made up of several $\mathsf{RLWE}$ ciphertexts, so one can assemble an $\mathsf{RGSW}$ by constructing its $2\ell$ $\mathsf{RLWE}$ rows.
Since there is an LWE-to-LWE bootstrapping (PBS), one can bootstrap a given $\mathsf{LWE}(\mu)$ to obtain $\mathsf{LWE}(\frac{1}{B_g^{i}}\cdot\mu)$ for each $i$, then run a PrivateKeySwitch (LWE-to-RLWE) to obtain the $\mathsf{RLWE}$ ciphertexts $\mathsf{RLWE}(\frac{1}{B_g^{i}}\cdot\mu\cdot s)$ and $\mathsf{RLWE}(\frac{1}{B_g^{i}}\cdot\mu)$; the former uses a key-switching key whose embedded $f$ multiplies by the RLWE secret $s$, the latter the identity. Stacking these rows yields the $\mathsf{RGSW}$. That is the overall idea; I did not go into the details.
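Both functional key switches, and the "embed multiplication by the RLWE key into $f$" trick that the circuit-bootstrapping assembly just described relies on, as one added example in Python (not code from the TFHE paper or any TFHE library). Assumptions: the torus is represented as $\mathbb{Z}_q$ with $q=2^{32}$; toy, insecure parameters $N=16$, $n=8$, $t=16$; binary keys; bounded uniform noise in place of Gaussian noise; the LWE phase is $b-\langle a,s\rangle$ as in the key-switching derivations (hence $s_{n+1}=-1$) and the RLWE phase is $b+aS$; $f$ is the coefficient-packing map. The PBS step that would first produce $\mathsf{LWE}(\mu/B_g^{i})$ is skipped: the example packs LWE ciphertexts directly and, in the times-$S$ variant, obtains $f(\mu)\cdot S$, i.e. the content of an RGSW row before the $1/B_g^{i}$ scaling.

```python
"""Toy TFHE-style functional key switching LWE_s -> RLWE_S (public and private).

Added example, not code from the TFHE paper or any TFHE library.  The torus is
Z_q with q = 2^32; the LWE phase is b - <a, s> (the convention the key-switching
derivation uses), the RLWE phase is b + a*S (as in the RGSW section).  Toy,
insecure parameters.  f packs p scalars into the low coefficients of a polynomial;
the private variant also shows f embedding multiplication by the RLWE key S, the
trick circuit bootstrapping uses to build the RLWE(mu*S/B_g^i) rows of an RGSW.
"""
import random

N, n, LOGQ, T, ERR = 16, 8, 32, 16, 4   # ring dim, LWE dim, log2 q, KS precision bits, noise bound
Q = 1 << LOGQ
rng = random.Random(7)                   # fixed seed: reproducible constructed sample

def polymul(a, b):
    """Negacyclic product in Z_q[X]/(X^N + 1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % N, 1 if i + j < N else -1
            out[k] = (out[k] + sign * ai * bj) % Q
    return out

def padd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def psub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def noise(): return [rng.randint(-ERR, ERR) for _ in range(N)]

def lwe_enc(s, mu):
    """LWE_s(mu) = (a_1..a_n, b) with b - <a, s> = mu + e."""
    a = [rng.randrange(Q) for _ in range(n)]
    return a + [(sum(x * y for x, y in zip(a, s)) + mu + rng.randint(-ERR, ERR)) % Q]

def rlwe_enc(S, m):
    """RLWE_S(m) = (a, b) with b + a*S = m + e."""
    a = [rng.randrange(Q) for _ in range(N)]
    return (a, padd(psub(m, polymul(a, S)), noise()))

def rlwe_phase(S, ct): return padd(ct[1], polymul(ct[0], S))

def f_pack(xs):
    """f(x_1..x_p) = x_1 + x_2 X + ... + x_p X^(p-1); Z-linear, as f must be."""
    return [xs[z] % Q if z < len(xs) else 0 for z in range(N)]

def bits(x):
    """x ~= sum_{j=1}^T x_j 2^-j: the top T bits of the torus element x."""
    return [(x >> (LOGQ - j)) & 1 for j in range(1, T + 1)]

# PublicKeySwitch: f is an input; KSK_{i,j} = RLWE_S(s_i / 2^j).
def public_ksk(s, S):
    return [[rlwe_enc(S, f_pack([s[i] * (Q >> j)])) for j in range(1, T + 1)] for i in range(n)]

def public_keyswitch(cts, f, ksk):
    acc_a, acc_b = [0] * N, f([c[n] for c in cts])    # (0, f(b^(1), ..., b^(p)))
    for i in range(n):
        a_i = f([c[i] for c in cts])                    # a_i = f(a_i^(1), ..., a_i^(p))
        digits = [bits(x) for x in a_i]                 # decomposed coefficient-wise
        for j in range(T):
            a_ij = [d[j] for d in digits]               # a_{i,j}: polynomial with 0/1 coefficients
            ka, kb = ksk[i][j]
            acc_a, acc_b = psub(acc_a, polymul(a_ij, ka)), psub(acc_b, polymul(a_ij, kb))
    return (acc_a, acc_b)

# PrivateKeySwitch: f baked into KSK_{z,i,j} = RLWE_S(f(0,..,s_i/2^j,..,0)), with s_{n+1} = -1.
def private_ksk(s, S, f, p, times_S=False):
    s_ext = list(s) + [-1]                              # so that mu = -sum_i s_i c_i
    ksk = {}
    for z in range(p):
        for i in range(n + 1):
            for j in range(1, T + 1):
                m = f([0] * z + [s_ext[i] * (Q >> j)])  # s_i/2^j in slot z
                ksk[z, i, j - 1] = rlwe_enc(S, polymul(m, S) if times_S else m)
    return ksk

def private_keyswitch(cts, ksk):
    acc_a, acc_b = [0] * N, [0] * N
    for z, c in enumerate(cts):                         # c = (a_1..a_n, b): n+1 entries
        for i in range(n + 1):
            for j, bit in enumerate(bits(c[i])):
                if bit:
                    acc_a, acc_b = psub(acc_a, ksk[z, i, j][0]), psub(acc_b, ksk[z, i, j][1])
    return (acc_a, acc_b)

def encode(m, p=8): return (m * (Q // p)) % Q
def decode(poly, p=8): return [round(x / (Q // p)) % p for x in poly]

def demo(msgs):
    """Pack p LWE ciphertexts into one RLWE; returns the decoded coefficients for the
    public and the private variant, and whether the private variant with f = pack(.)*S
    produced f_pack(mu) * S up to noise (what an RGSW row holds before 1/B_g^i scaling)."""
    s = [rng.randrange(2) for _ in range(n)]
    S = [rng.randrange(2) for _ in range(N)]
    cts = [lwe_enc(s, encode(m)) for m in msgs]
    pub = decode(rlwe_phase(S, public_keyswitch(cts, f_pack, public_ksk(s, S))))
    prv = decode(rlwe_phase(S, private_keyswitch(cts, private_ksk(s, S, f_pack, len(msgs)))))
    ph = rlwe_phase(S, private_keyswitch(cts, private_ksk(s, S, f_pack, len(msgs), times_S=True)))
    expect = polymul(f_pack([encode(m) for m in msgs]), S)
    return pub, prv, decode(psub(ph, expect)) == [0] * N

if __name__ == "__main__":
    print(demo([1, 2, 3, 4, 5, 6, 7, 0]))
```

The truncation to $t$ bits in `bits` is the $\approx$ in the decomposition step: each dropped tail contributes at most $2^{-t}$ times $s_i$ to the phase, so $t$ has to be chosen against the plaintext spacing; here $t=16$ leaves the error far below the $q/8$ encoding step.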