Packing HE ciphertexts for coordinate-wise multiplication

Let

X

be an integer, and

(x_{n}, . . ., x_{0})

binary decomposition

Goal: define packing technique so that we can assume that the scheme works over messages that are vectors in

F_{p}^{n}

despite the HE message space are polynomials in

R = F_{p} [X] / (X^{n} + 1)

To this end we want define a bijection

(e n c o d e, d e c o d e)

where

e n c o d e : F_{p}^{n} \to R = F_{p} [X] / (X^{n} + 1))

s.t.

\forall v_{1}, v_{2} \in F_{p}^{n} : v_{1} \cdot v_{2} = d e c o d e (e n c o d e (v_{1}) * e n c o d e (v_{2}))

Let

z

be an integer,

n = 2^{z}

m = 2 \cdot n

, and

p

be a prime such that

p = 1 \mod m

.
In this case,

(X^{n} + 1)

splits over

F_{p}

, i.e.,

(X^{n} + 1) = \prod_{i} F_{i} (X)

, where each

F_{i}

is a linear polynomial.

The

e n c o d e

function can be defined via CRT encoding as follows.

Given

\vec{v}

, build a polynomial

p (X)

of degree

n - 1

by solving the following system of equations

\forall i : p (X) = v_{i} mod F_{i} (X)

The

d e c o d e

function is the one that, on input a polynomial

p (X)

, returns the vector

(p (X) mod F_{1} (X), \dots, p (X) mod F_{n} (X))

Let us briefly see how the homomorphic property holds after a multiplication. Assume

p_{j} (X) = e n c o d e ({\vec{v}}_{j})

for

j = 1, 2

, and that

p (X) = p_{1} (X) \cdot p_{2} (X) mod (X^{n} + 1)

. Namely,

p (X) = p_{1} (X) \cdot p_{2} (X) - t (X) (X^{n} + 1)

for some polynomial

t (X)

Then

p (X) mod F_{i} (X) = p_{1} (X) \cdot p_{2} (X) - t (X) (X^{n} + 1) mod F_{i} (X) =

p_{1} (X) \cdot p_{2} (X) mod F_{i} (X) = v_{1, i} \cdot v_{2, i}

(using the fact that

X^{n} + 1 \mod F_{i} (X) = \prod_{j} F_{j} (X) mod F_{i} (X) = 0

)