Bootstrapping BGV Ciphertexts with a Wider Choice of p and q

We describe a method to bootstrap a packed BGV ciphertext which does not depend (as much) on any special properties of the plaintext and ciphertext moduli. Prior “efficient” methods such as that of Gentry et al (PKC 2012) required a ciphertext modulus q which was close to a power of the plaintext modulus p. This enables our method to be applied in a larger number of situations. Also unlike previous methods our depth grows only asO(log p+log log q) as opposed to the log q of previous methods. Our basic bootstrapping technique makes use of a representation of the group Zq over the finite field Fp (either based on polynomials or elliptic curves), followed by polynomial interpolation of the reduction mod p map over the coefficients of the algebraic group. This technique is then extended to the full BGV packed ciphertext space, using a method whose depth depends only logarithmically on the number of packed elements. This method may be of interest as an alternative to the method of AlperinSheriff and Peikert (CRYPTO 2013). To aid efficiency we utilize the ring/field switching technique of Gentry et al (SCN 2012, JCS 2013).

Introduction: Fully Homomorphic Encryption (FHE) allows for arbitrary computation on encrypted data.All currently known FHE schemes have followed Gentry's original paradigm [16,17], and one of the main open questions in the field has been how to efficiently "bootstrap" a Somewhat Homomorphic Encryption (SHE) scheme into a FHE scheme.Recall an SHE scheme is one which can evaluate circuits of a limited multiplicative depth, whereas an FHE scheme is one which can evaluate circuits of arbitrary depth.Gentry's bootstrapping technique is the only known way of obtaining unbounded FHE.
The ciphertexts of all known SHE schemes include some noise to ensure security, and unfortunately this noise grows as more and more homomorphic operations are performed, until it is so large that the ciphertext will no longer decrypt correctly.In a nutshell, bootstrapping "refreshes" a ciphertext that can not support any further homomorphic operation by homomorphically decrypting it, and obtaining in this way a new encryption of the same plaintext, but with smaller noise.This is possible if the underlying SHE scheme has enough homomorphic capacity to evaluate its own decryption algorithm.Bootstrapping is computationally very expensive and it represents the main bottleneck in FHE constructions.
Several SHE schemes, with different bootstrapping procedures, have been proposed in the past few years [1,2,15,4,6,7,8,16,17,11,20,21,35].The most efficient are ones which allow SIMD style operations, by packing a number of plaintext elements into independent "slots" in the plaintext space.The most studied of such "SIMD friendly" schemes being the BGV scheme [9] based on the Ring-LWE Problem [27].
Prior Work on Bootstrapping.Since the decryption algorithm of an SHE scheme can be represented as a function of the secret key, the idea of bootstrapping is that, instead of evaluating it on the ciphertext and the secret key as in a standard decryption step, one homomorphically evaluates the decryption function on the encryption of the secret key, in such a way that the result is not the plaintext, but another ciphertext for the same plaintext but with smaller noise, if the degree of the decryption function is small enough.
In almost all the SHE schemes supporting bootstrapping, decryption is performed by evaluating some linear function D, dependent on the ciphertext c, on the secret key sk modulo some integer q, and then reducing the result modulo some prime p, i.e. dec(c, sk) = ((D C (sk) mod q) mod p).Hence, given an encryption of the secret key, bootstrapping consists in evaluating the above decryption formula homomorphically.One can divide the bootstrapping of all efficient currently known SHE schemes into three distinct sub-problems.
1 The first problem is to homomorphically evaluate the reduction (mod p)-map on the group Z + q (see Fig. 1), where for the domain one takes representatives centered around zero.To do this the group Z + q is first mapped to a set G in which one can perform operations native to the A preliminary version of this paper appears in Proceedings of 18th International Conference on Practice and Theory in Public-Key Cryptography, PKC 2015.homomorphic cryptosystem.In other words we first need to specify a representation, rep : Z + q −→ G, which takes an integer in the range (−q/2, . . ., q/2] and maps it to the set G. The group operation on Z + q needs to induce a group operation on G which can be evaluated homomorphically by the underlying SHE scheme.Then we describe the induced map red : G −→ Zp as a algebraic operation, which can hence be evaluated homomorphically. 2 The second problem is to encode the secret key in a way that one can publicly, using a function dec-eval (decryption evaluation), create a set of ciphertexts which encrypt the required input to the function red. 3 And thirdly one needs a method to extend this to packed ciphertexts.
To solidify ideas we now expand on these problems in the context of the BGV scheme [9].Recall for BGV we have a set of L + 1 moduli, corresponding to the levels of the scheme, q 0 < q 1 < . . .< q L , and a (global) ring R, which is often the ring of integers of a cyclotomic number field.We let p denote the (prime) plaintext modulus, i.e. the plaintexts will be elements in Rp (the localisation of R at the prime p), and to ease notation we set q = q 0 .The secret key sk is a small element in After the evaluation of L levels of multiplication one obtains a ciphertext ct = (c 0 , c 1 ) in R 2 q , encrypting a plaintext µ, such that At this point to perform further calculations one needs to bootstrap, or recrypt, the ciphertext to one of a higher level.Assume for the moment that each plaintext only encodes a single element of Zp, i.e. each plaintext is a constant polynomial in a polynomial basis for Rp.To perform bootstrapping we need to place a "hint" in the public key pk (usually an encryption of sk at level L), which allows the following operations.Firstly, we can evaluate homomorphically a function dec-eval which takes ct and the "hint", and outputs a representation of the Zq element corresponding to the constant term of the element c 0 + sk • c 1 (mod q).This representation is an encryption of an element in G, i.e. dec-eval also evaluates the rep map as well as the decryption map.Then we apply, homomorphically, the function red to this representation to obtain a fresh encryption of the plaintext.Since to homomorphically evaluate red we need the input to red to be defined over the plaintext space, this means the representation of Zq must be defined over Fp.One is then left with the task of extending such a procedure to packed ciphertexts.
In the original bootstrapping technique of Gentry [17], implemented in [18], the function dec-eval is obtained from a process of bitdecomposition.Thus the representation G of Zq is the bit-representation of an integer in the range (−q/2, . . ., q/2], i.e. we use a representation defined over F 2 .The function to evaluate red is then the circuit which performs reduction modulo 2. The extension of this technique to packed ciphertexts, in the context of the Smart-Vercauteren SIMD optimisations [32] of Gentry's SHE scheme, was given in [33].Due to the use of bit-decomposition techniques this method is mainly suited to the case of p = 2, although one can extend it to other primes by applying a padic decomposition and then using an arithmetic circuit to evaluate the reduction modulo p map. In [20] the authors present a bootstrapping technique, primarily targeted at the BGV scheme, which does away with the need for evaluating the "standard" circuit for the reduction modulo p map.This is done by choosing q close to a power of p, i.e. one selects q = p t ± a for some t and a small value of a, typically a ∈ {−1, 1}.The paper [20] expands on this idea for the case of p = 2, but the authors mention it can be clearly extended to arbitrary p.The advantage is that the mapping red can now be expressed as an algebraic formula, more precisely as a formula of multiplicative depth log 2 q.The operation dec-eval obtains the required representation for Zq by mapping it into Z p t+1 .The resulting technique requires the extension of the modulus of the plaintext ring to p t+1 (for which all the required properties of Rp carry over, assuming that p does not ramify).The extension to packed ciphertexts is performed using an elaborate homomorphic evaluation of the Fourier Transform.
To enable the faster evaluation of this Fourier Transform step from [20], a method for ring/field switching is presented in [19].The technique of ring/field switching also enables general improvements in efficiency as ciphertext noise grows.This enables the ring R to be changed to a sub-ring S (both for the ciphertext and plaintext spaces).In [1] this use of field switching is combined with the red map from [20] to obtain an asymptotically efficient bootstrapping method for BGV style SHE schemes, although the resulting technique does not fully map to our blueprint, as q = p v for some value of v.In [31] this method is implemented, with surprisingly efficient runtimes, for the case of plaintext space F 2 , i.e. p = 2 and no plaintext SIMD-packing is supported.
In another line of work, the authors of [2] and [8] present a bootstrapping technique for the GSW [23] homomorphic encryption scheme.The GSW scheme is one based on matrices, and this property is exploited in [2] by taking a matrix representation of Zq and then expressing the map red via a very simple algebraic relationship on the associated matrices.In particular the authors represent elements of Zq by matrices (of some large dimension) over Fp.
Thus we see almost all bootstrapping techniques require us to come up with a representation G of Zq for which there is an algebraic method over Fp to evaluate the induced mapping red from the said representation of Zq to Zp.Since SHE schemes usually have add and multiply operations as their basic homomorphic operations, this implies we are looking for representations of Z + q as a subgroup of an algebraic group over Fp.
Our Contribution.We return to consider the Ring-LWE based BGV scheme, and we present a new bootstrapping technique with small depth growth, compared with previous methods, and which supports a larger choice of p and q.Instead of concentrating on the case of plaintext moduli p such that a power of p is close to q, we look at a much larger class of plaintext moduli.Recall the most efficient prior technique, based on [1] and [20], requires a method whose multiplicative depth is O(log q), and for which q is close to a power of p.As p increases the ability to select a suitable modulus q which is both close to a power of p, is of the correct size for most efficient implementation (i.e. the smallest needed to ensure security), and has other properties related to efficiency (i.e. the ring Rq has a double-CRT representation as in [22]) diminishes.
To allow a wider selection for p we utilize a "new (for bootstrapping) representations of the ring Zq", in much the same way as [2] used an Fp-matrix representation (a.k.a. a linear algebraic group) of Z + q .This representation is based on a polynomial representation for Z + q over Fp.The evaluation of the mapping red using these representations can then be done in expected multiplicative depth O(log p + log log q + log n), i.e. a much shallower circuit than used in prior works, using polynomial interpolation of the red map over the coefficients of the algebraic group.
To ensure this technique works, and is efficient, we do not have completely free reign in selecting q for the first polynomial representation.Whilst [20] required q = p t ± a, for a small value of a, we instead will require that q divides lcm " for some pairwise co-prime values k i .Even with this restriction, the freedom on selecting q is much greater than for the method in [20], especially for large values of p.
Note also that one does not have complete freedom on selecting the i then the depth of the circuit (which is approximately log 2 log 2 q − log 2 log 2 E) to evaluate red will decrease as E grows, but the number of multiplications required, which is a monotonically increasing function of M , will increase.Note, we can asymptotically make M = O( ) using Karatsuba based techniques, but in practice the k i will be too small to make such optimization fruitful.
Our method permits to bootstrap a certain number of packed ciphertexts in parallel, using a form of p-adic decomposition and a matrix representation of the ciphertext ring, combined with ring switching.The resulting depth depends only logarithmically on the number of packed ciphertexts.
In [30] we give a different representation of the ring Zq based on elliptic curves, however it results in a less efficient, in terms of multiplicative depth, bootstrapping procedure.
Preliminaries: Throughout this work vectors are written using bold lower-case letters, whereas bold upper-case letters are used for matrices.We denote by M a×b (K) the set of a × b dimensional matrices with entries in K.For an integer modulus q, we let Zq = Z/qZ denote the quotient ring of integers modulo q, and Z + q its additive group.This notation naturally extends to the localisation Rq of a ring R at q.

Algebraic Background
For a positive integer m, we define the mth cyclotomic field to be the field K = Q[X]/(Φm(X)), where Φm(X) is the mth cyclotomic polynomial.Φm(X) is a monic irreducible polynomial over the rational, and K is a field extension of degree N = φ(m) over Q since Φm(X) has degree N and φ is the Euler's totient function.Let ζm be an abstract primitive mth roots of unity, we have that K ∼ = Q(ζm) by identifying ζm with X.In the same way, let us denote by R the mth cyclotomic ring

The complex embeddings of
Concretely, these embeddings map ζm into each of its conjugates, and they are the only field homomorphisms from K to C that fix every element of Q.The canonical embedding σ : K → C N is the concatenation of all the complex embeddings, i.e. σ(a) = (σ i (a)) i∈Z * m , a ∈ K. Looking ahead, we will use the ring R and its localisation Rq, for some modulus q.Given a polynomial a ∈ R, we denote by a ∞ = max 0≤j≤N −1 |a j | the standard l∞-norm.All estimates of noise are taken with respect to the canonical embedding norm a can ∞ = σ(a) ∞, a ∈ R. When considering short elements in Rq, we define short in terms of the following quantity: To map from norms in the canonical embedding to norms on the coefficients of the polynomial defining the elements of R, we have ∞ , where cm is the ring constant.For more details about cm see [14].Note, if the dual basis techniques of [28] are used, then one can remove the dependence on cm.However, for ease of exposition we shall use only the polynomial basis in this work.
Let m be a positive integer such that m |m.As before we define It is trivial to show that K and R are a field and a ring extension of K and R , respectively, both of dimension N/n.In particular we can see S as a subring of R via the ring embedding that maps , and that all the K -linear maps L : K → K are exactly the maps of the form Tr K/K (r • a), for some r ∈ K.

Plaintext Slots
Let p be a prime integer, coprime to m, and Rp the localisation of R at p.The polynomial Φm(X) factors modulo p into (R) irreducible factors, i.e.Φm(X) ≡ , where d (R) is the multiplicative order of p in Z * m .Looking ahead, each of these (R) factors corresponds to a "plaintext slot", i.e. .
More precisely, we have (R)  (R) , that allow to represent (R) plaintext elements of ) as a single element in Rp.By the Chinese Remainder Theorem, addition and multiplication correspond to SIMD operations on the slots and this allows to process (R) input values at once.

Ring Switching
As mentioned in the introduction, our technique uses a method for ring/field switching from [19] so as to aid efficiency.We use two different cyclotomic rings R and S such that S ⊆ R.This procedure permits to transform a ciphertext ct ∈ (Rq) 2 corresponding to a plaintext µ ∈ Rp with respect to a secret key sk ∈ R, into a ciphertext ct ∈ (Sq) 2 corresponding to a plaintext µ ∈ Sp with respect to a secret key sk ∈ S. The security of this method relies on the hardness of the ring-LWE problem in S ( [27]).At a high level the ring switching consists of three steps.Given an input ciphertext ct ∈ (Rq) 2 : • First, it switches the secret key; it uses the "classical" key-switching ( [6], [9]), getting a ciphertext ct ∈ (Rq) 2 , still encrypting µ ∈ Rp, but with respect to a secret key sk ∈ S. • Second, it multiplies ct by a fixed element r ∈ R, which is determined by an S-linear function L : Rp → Sp corresponding to the induced projection function P : (F (S) (see [19] for details).• Finally, it applies to ct the trace function Tr R/S : R → S. In such a way that the output of the ring-switching is a ciphertext ct ∈ S with respect to the secret key sk and encrypting the plaintext µ = L(µ).
We conclude this section noting that, while big-ring ciphertexts correspond to (R) plaintext slots, small-ring ciphertexts only correspond to (S) ≤ (R) plaintext slots.The input ciphertexts to our bootstrapping procedure are defined over (Sq) 2 , and so are of degree n and contain (S) slots.We take (R) /n of these ciphertexts and use the dec-eval map to encode the coefficients of the plaintext polynomials in the slots of a single big-ring ciphertext.Eventually, via ring switching and polynomial interpolation, we return to (R) /n ciphertexts which have been bootstrapped and are at level one (or more).These fresh ciphertexts may be defined over the big ring or the small ring (depending when ring switching occurs).However, our parameter estimates imply that ring switching is best performed at the lowest level possible, and so our bootstrapped ciphertexts will be in the big ring.We could encode all of the slots of the bootstrapped ciphertexts in a big-ring single ciphertext, or not, depending on the application, since slot manipulation is a linear operation.
The BGV Somewhat Homomorphic Encryption Scheme: In this section we outline what we need about the BGV SHE scheme [9].As anticipated in the previous section, we present the scheme with the option of utilizing two rings, and hence at some point we will make use of the ring/field switching procedure from [19].We first define two rings R = Z[X]/F (X) and S = Z[X]/f (X), where F (X) (resp.f (x)) is an irreducible polynomial over Z of degree N (resp.n).In practice both F (X) and f (X) will likely be cyclotomic polynomials.We assume that n divides N , and so there is an embedding ι : S −→ R which maps elements in S to their appropriate equivalent in R. The map ι can be expressed as a linear mapping on the coefficients of the polynomial representation of the elements in S to the coefficients of the polynomial representation of the elements in R. In this way we can consider S to be a subring of R.
Let Rq (resp.Sq) denote the localisation of R (resp.S) at q, i.e.Zq[X]/F (X) (resp.Zq[X]/f (X)), which can be constructed for any positive integer q.Let p be a prime number, which does not ramify in either R or S. Since the rings are Galois, the ring Rp (resp.Sp) splits into (R) (resp. (S) ) "slots"; with each slot being a finite field extension of Fp of degree ).We make the assumption that n divides (R) .This is not strictly necessary but it ensures that we can perform bootstrapping of a single ciphertext with the smallest amount of memory.In fact our method will support the bootstrapping of (R) /n ciphertexts in parallel.
There will be two secret keys for our scheme; depending on whether the ciphertexts/plaintexts are associated with the ring R or the ring S. We denote these secret keys by sk (R) and sk (S) , which are "small" elements in the ring R (resp.S).The modulus q = q 0 = p 0 will denote the smallest modulus in the set of BGV levels.Fresh ciphertexts are defined for the modulus Q = q L = Q L i=0 p i and live in the ring R 2 Q (thus at some point we not only perform modulus switching but also ring switching).We assume L 1 levels are associated with the big ring R and L 2 levels are associated with the small ring S, hence L 1 + L 2 = L (level zero is clearly associated with the small ring S, but we do not count it in the number of levels in L 2 ).Thus we encrypt at level L; perform standard homomorphic operations down to level zero, with a single field switch at level L 2 + 1.
For ease of analysis we assume no multiplications are performed at level L 2 + 1.This means that we can evaluate a depth L − 1 circuit.
A ciphertext at level i > L 2 , encrypting a message µ ∈ Rp, is a pair We let Enc pk (µ) denote the encryption of a message µ ∈ Rp, this produces a ciphertext at level L. A similar definition holds for ciphertexts at level i < L 2 , for messages in Sp and secret keys/ciphertext elements in Sq i .When performing a ring switching operation between levels L 2 + 1 and L 2 , the (R) plaintext slots, associated with the input ciphertext at level L 2 + 1, become associated with (R) / (S) distinct ciphertexts at level L 2 .We want to "bootstrap" a set of BGV ciphertexts.Each of these ciphertexts is a pair ct j = (c q , for j = 1, . . ., (R) /n, such that " c (mod q) " (mod p) = µ j , for j = 1, . . ., (R) /n.
Evaluating the Map red • rep : Z + q −→ Fp: As explained in the introduction at the heart of most bootstrapping procedures is a method to evaluate the induced mapping red • rep : Z + q −→ Fp.In this section we present our technique for doing this based on polynomials over Fp, in [30] we present a more general (and complicated in terms of depth) technique based on elliptic curves.The key, in this and in all techniques, is to find a representation G for Z + q for which the reduction modulo p map can be evaluated algebraically over Fp.This means that the representation of Zq must be defined over Fp.Prior work has looked at the bit-representation (when p = 2), the p-adic representation and a matrix representation; we use a polynomial representation.
We select a coprime factorization q = Q t i=1 e i (with the e i not necessarily prime, but pairwise coprime), such that e i divides p k i − 1 for some k i .Since F * p k i is cyclic we know that F * p k i has a subgroup of order e i .We fix a polynomial representation of F p k i , i.e. an irreducible By the Chinese Remainder Theorem we therefore have a group embedding rep : where a i = a (mod e i ).Without loss of generality we can assume that the k i are also coprime, by modifying the decomposition of q into coprime e i s.Given this group representation of Z + q in G, addition in Z + q translates into multiplication in G.With one addition in Z + q translating into M = P t i=1 k 2 i multiplications in Fp (and a comparable number of additions; assuming school book multiplication is used).Each element in the image of rep requires E = P t i=1 k i elements in Fp to represent it.There will be a map red : G → Fp, such that red • rep is the reduction modulo p map; and red can be defined algebraically from the coefficient representation of G to Fp.Here algebraically refers to algebraic operations over Fp.An arbitrary algebraic expression on E variables of degree d will contain d+E C d terms.Thus, by interpolating, we expect the degree d of the map red to be the smallest d such that d+E C d > q, which means we expect d ≈ E • (2 log(q)/E − 1).Thus the larger E is, the smaller d will be.This interpolating function needs to be created once and for all for any given set of parameters, thus we ignore the cost in generating it in our analysis.
The algebraic circuit which implements the map red can hence be described as a circuit of depth log 2 d which requires D(E, d) = E+d C d − (E + 1) multiplications (corresponding to the number of distinct monomials in E variables of degree between two and d).In particular, by approximating E ≈ log 2 (q)/ log 2 (p), we obtain that the circuit implementing the map red has depth log 2 d = log 2 (p − 1) + log 2 (log 2 (q)) − log 2 (log 2 (p)).
We pause to note the following.By selecting a large finite field it would appear at first glance that one can reduce our degree d even further.This however comes at the cost of having more terms, i.e. a larger value of E. This in turn increases the overall complexity of the method (i.e. the number of multiplications needed) but not the depth.Conversely, we cannot choose a smaller E, because we cannot represent elements of Zq with E elements of Fp when E < log(q)/ log(p).We have that e i ≤ p k i − 1 because it is a divisor, which implies that log(q)/ log(p) = Bootstrapping a Set of Ciphertexts: In this section we describe our bootstrapping operation.We need to introduce another representation, this time more standard.This is the matrix representation of the ring Sq.Since Sq can be considered a vector space over Zq by the usual polynomial embedding, we can associate an element a to its coefficient vector a.We can also associate an element b to a n × n matrix M b over Zq such that the vector is the coefficient vector of c where c = a • b.This representation, which associates an element in Sq to a matrix, is called the matrix representation.
Recall we want to bootstrap (R) /n ciphertexts in one go.We define τ = red • rep to be the reduction modulo p map on Z + q .To do this we can first extend rep and τ to the whole of S + q by linearity, with images in G n and F n p respectively.Similarly, we can extend rep and τ to S (R) /n q to obtain maps rep : p .Again this induces a map red, which is just the SIMD evaluation of red on the image of rep in G (R) .We let rep j,i denote the restriction of rep to the (i − 1)th coefficient of the j-th Sq component, for 1 ≤ i ≤ n and We can then rewrite the decryption equation of our (R) /n ciphertexts as where x is the vector consisting of Sq elements c 1 , for j = 1, . . ., (R) /n.Thus, if we can compute rep(x), then to perform the bootstrap we only need to evaluate (in (R) -fold SIMD fashion) the arithmetic circuit of multiplicative depth log 2 d representing red.Since we have enough slots, (R) , in the large plain text ring, we are able to do this homomorphically on fully packed ciphertexts.The total number of monomials in the arithmetic circuit (i.e. the multiplications we would need to evaluate red) being D(E, d).

Homomorphically Evaluating rep(x)
We wish to homomorphically evaluate rep(x) such that the output is a set of E ciphertexts and if we took the i + (j − 1) • (R) /nth slot of each plaintext we would obtain the E values which represent rep j,i (x).
Now, the entries of x are in Sq and the multiplication in the decryption circuit can be interpreted as a matrix multiplication over Zq, which corresponds to a 'matrix' powering operation in G. Thus, we need to homomorphically compute an exponentiation with exponents of size q.We decompose these exponents in base p, which reduces the size of the exponents but comes at the cost of storing more encrypted multiples of the secret key in the public key.
Let λ = log q/ log p .We add to the public key of the SHE scheme the encryption of rep(p k • sk (S) , . . ., p k • sk (S) ) for k = 0, . . ., λ (where each component is copied (R) /n times).For a given k this is a set of E ciphertexts, such that if we took the i + (j − 1) • (R) /nth slot of each plaintext we would obtain the E values which represent rep j,i (p k • sk (S) ).Let the resulting vector of ciphertexts be denoted ct k , for k = 1, . . ., λ, where ct k is a vector of length E.
Let M c (j) 1 be the matrix representation of the second ciphertext 1 of the j-th ciphertext that we want to bootstrap.We write where is a matrix with coefficients in {0, . . ., p − 1}.By rewriting the decryption equation c in terms of the vectors of coefficients, we have that where sk (S) is the vector of coefficients of the secret key sk (S) .We first consider the case where (R) = n, which means that there is only one set of E ciphertexts and one matrix Mc 1 with corresponding decomposition matrices M (k) 1 .To homomorphically evaluate rep(x), we now apply rep to both sides, which means we need to compute homomorphically the ciphertext which represents In the next section we better explain the meaning of Equation ( 2) and how to homomorphically evaluate it.But what if (R) > n?In this case, we have several matrices and a vector of (R) /n ciphertexts inside rep, such that each ciphertext needs to be taken to the power of its corresponding matrix.This can be computed in SIMD, as will be shown in the next section.
A Product of Powers of SIMD Vectors: We first examine how to homomorphically compute the following function where each v and v k , k = 0, . . ., λ, represents a set of E ciphertexts, each of which encode (in a SIMD manner) n elements in Fp.The multiplication of two such sets of E ciphertexts is done with respect to the multiplication operation in G, and thus requires M homomorphic multiplications (for the variant based on elliptic curves described in [30] the number of ciphertexts and the complexity of the group operation in G increase a little).The values M k are matrices in M n×n (Fp).By the notation u = v M , where M = (m i,j ), we mean the vector with components Notice that each u i and v j is a vector of E elements in Fp representing a single element in G.In what follows we divide this operation into three sub-procedures and compute the number of multiplications, and the depth required, to evaluate the function.

SIMD Raising of an Encrypted Vector to the Power of a Public
Vector: The first step is to take a vector v which is the SIMD encryption of E sets of n elements in Fp, i.e. it represents n elements in G.We then raise v to the power of some public vector c = (c 1 , . . ., cn), i.e. we want to compute In particular v actually consists of E vectors each with n components in their slots.We write v = (v 1,0 , . . ., v 1,k 1 −1 , . . ., v t,0 , . . ., v t,k t −1 ).
Note, multiplying such a vector by another vector of the same form requires M homomorphic multiplications and depth 1.We first write where c i ∈ {0, 1} n .We let c * i denote the bitwise complement of c i .Thus to compute x = v c we use the following three steps: 1) Compute v 2 i for i = 1, . . ., log 2 p , by which we mean every element in v is raised to the power 2 i .This requires log 2 p • M homomorphic multiplications and depth log 2 p .
2) For i ∈ {0, . . ., log 2 p }, j ∈ {1, . . ., t} and k = {0, . . ., kt − 1} compute, Where Enc pk (c i ) means encrypt the vector c i so that the jth component of c i is mapped to the jth plaintext slot of the ciphertext.The above procedure selects the values which we want to include in the final product.This involves a homomorphic multiplication by a constant in {0, 1} and the homomorphic addition of a constant in {0, 1} for each entry, and so is essentially fast (and moderately bad on the noise, so we will ignore this and call it depth 1/2).3) We now compute x as where we think of w (i) as a vector of E SIMD encryptions.This step (assuming a balanced multiplication tree) requires depth log 2 log 2 p and M • log 2 p multiplications.
Executing all three steps above therefore requires a depth of 1 2 + log 2 p + log 2 log 2 p , and 2 • M • log 2 p multiplications.
Computing u = v M : Given the previous subsection, we can now , i = 1, . . ., n, where v is a SIMD vector consisting of E vectors encoding n elements, as is the output u.For this we use a trick for systolic matrix-vector multiplication in [24], but converted into multiplicative notation.
We write the matrix M as n SIMD vectors d i , for i = 1, . . ., n, so that d i,j = m j,(j+i−1) (mod n) for j = 1, . . ., n.We let v ≪ i denote the SIMD vector v rotated left i positions (with wrap around).Since v actually consists of E SIMD vectors this can be performed using time proportional to E multiplications, but with no addition to the overall depth (it is expensive in terms of time, but cheap in terms of noise.See the operations in Table 1 of [24]).
Step 2: All we need now do is compute This requires (assuming a balanced multiplication tree) a depth of log 2 n and n multiplications in G.
Thus far, for the operations previously described and this subsection we have used a total depth of 1 2 + log 2 n + log 2 p + log 2 log 2 p and a cost of n To evaluate our required output we need to execute the above steps λ times, in order to obtain the elements which we then multiply together.This finishes the required steps for the (R) = n case.When (R) > n, the aforementioned rotation of the vector v needs to occur in groups of n, as each group of n entries correspond to one of the (R) /n ciphertexts.As described in [24], this piecewise rotation can be implemented using two rotations, two selection mask multiplications and one addition.This increases the cost of the rotation to 2 • E multiplications, while the depth increases to 1/2.
Thus in total we have a depth of multiplications.
These represent respectively the depth and the multiplicative cost of the homomorphic evaluation of rep(x) (Equation ( 2)).

Repacking
At this point, after the maps red and red, in the bootstrapping procedure (assuming for simplicity that a ring switch has not occured) we have a single ciphertext ct whose (R) slots encode the coefficients (over the small ring) of the (R) /n ciphertexts that we are bootstrapping.Our task is now to extract these coefficients to produce a ciphertext (or set of ciphertexts) which encode the same data.Effectively this is the task of performing (R) /n inverse Fourier transforms (a.k.a interpolations) over S in parallel, and then encoding the result as elements in R via the embedding ι : S −→ R.
There are a multitude of ways of doing this step (bar performing directly an inverse FFT algorithm), for example the general method of Alperin-Sheriff and Peikert [1] could be applied.This makes the observation that the FFT to a vector of Fourier coefficients x is essentially applying a linear operation, and hence we can compute it by taking the trace of a value α • x for some fixed constant α.
We select a more naive, and simplistic approach.Suppose x is the vector which is encoded by the input ciphertext.We first homomorphically compute Where replicate(x) is the Full Replication algorithm from [24].This produces (R) ciphertexts, the ith of which encodes the constant polynomial over Rp equal to the ith slot in x.In [24] this is explained for the case where (R) = N , but the method clearly works when (R) < N .The method requires time O( (R) ) and depth O(log log (R) ).
Given the output b 1 , . . ., b (R) , which encode the coefficients of the (R) /n original plaintext vectors, we can now apply ι (which we recall is a linear map) to obtain any linear function of the underlying plaintexts.For example we could produce (R) /n ciphertexts each of which encodes one of the original plaintexts, or indeed a single ciphertext which encodes all of them.So putting all of the sub-procedures for bootstrapping together, we find that we can bootstrap (R) /n ciphertexts in parallel using a procedure of depth of and a cost of multiplications, where λ = log q/ log p , In the case that (R) = n, the depth is reduced by 1/2 and the number of multiplications is reduced by n • E.
Parameter Calculation: In [22] a concrete set of parameters for the BGV SHE scheme was given for the case of binary message spaces, and arbitrary L. In [13] this was adapted to the case of message space Rp for 2-power cyclotomic rings, but only for the schemes which could support one level of multiplication gates (i.e. for L = 1).In [12] these two approaches were combined, for arbitrary L and p, and the analysis was (slightly) modified to remove the need for a modulus switching upon encryption.In this section we modify again the analysis of [12] to present an analysis which includes a step of field switching from [19].We assume in this section that the reader is familiar with the analysis and algorithms from [22,12,19].
Our analysis will make extensive use of the following fact: If a ∈ R be chosen from a distribution such that the coefficients are distributed with mean zero and standard deviation σ, then if ζm is a primitive mth

Ensuring We Can Evaluate the Required Depth
Recall we have two rings R and S of degree N and n respectively.The ring S is a subring of R and hence n divides N .We require a chain of moduli q 0 < q 1 . . .< q L corresponding to each level of the scheme.We assume (for sake of simplicity) that q i /q i−1 = p i are primes.Thus q L = q 0 • Q i=L i=1 p i .Also note, that as in [12], we apply a SHE.LowerLevel (a.k.a.modulus switch) algorithm before a multiplication operation.This often leads to lower noise values in practice (which a practical instantiation can make use of).In addition it eliminates the need to perform a modulus switch after encryption, which happened in [22].
We utilize the following constants described in [13], which are worked out for the case of message space defined modulo p (the constants in [13] make use of an additional parameter, arising from the key generation procedure.In our case we can take this constant equal to one).In the following h is the Hamming weight of the secret keys sk (R) and sk (S) .need a larger value due to the additional condition that q divides p k − 1, and the ring constant, which is bigger than 1.27 for m = 1271 and m = 1057.

Table 1 :
Lower bounds on N and n

Table 2 :
A concrete set of cyclotomic rings with an estimation of the number of multiplications and the depth required to perform our bootstrapping • 10 14 50637664608480 root of unity, we can use 6 • σ to bound a(ζm) and hence the canonical embedding norm of a.If we have two elements with variances σ 2 1 and σ 2 2 , then we can bound the canonical norm of their product with 16 • σ 1 • σ 2 .