of Brakerski and Vaikuntanathan, and then a variation of that construction done with Gentry. So I'll start by talking about the Brakerski-Vaikuntanathan scheme, and then move to the variant. In this upcoming FOCS paper, what they do is fully homomorphic encryption without squashing, where the security is based on either the learning with errors problem or a variant of it called ring LWE. The main striking point about their system is that they deviate from the blueprint: they do support multiplication, but there is no underlying ring structure. Well, it's not that there isn't any ring structure there at all, but it's not used in the same way as in the first part of this tutorial. And then they have a host of new techniques and tricks that can be used for further improvements. So before I talk about their system, let's talk a little bit about learning with errors. Learning with errors in this formulation is a problem that was introduced by Regev a few years ago. And the basic premise is that it's hard to solve linear equations with noise. There are several alternative equivalent formulations of this problem. The one that I'm going to work with here, most convenient for me, is the following. You are given a matrix A and another vector b. The matrix A is short and wide, and the vector b is the wide thing. The matrix A is always random. Your goal is to decide whether the vector b is also just a random vector independent of everything else, or whether it is close to the row space of A. By close to the row space of A, I mean that we obtained it as some linear combination of the rows of A plus a little bit of error. There are several parameters here. There is n, which is the dimension; this is the number of rows in the matrix. Then there is the modulus q; all of these equations are happening mod q. Then there is the noise magnitude parameter beta, which is at most a polynomial fraction.
Maybe we would need to work with even smaller noise. And m is the number of columns. So again, we have a random matrix in Z_q^{n by m}, then another vector in Z_q^m. And our goal is to decide whether b is a random vector or whether b was obtained as s times A plus e, where s is random and e is short. e is chosen at random from some distribution such that with high probability e is short. So these are two well-defined probability distributions, and our goal is to distinguish between them. As for the premise that this is hard: Regev showed, when he introduced the problem, a quantum reduction, and then Peikert later showed a classical reduction, showing that for some range of these parameters you can prove that this problem is as hard as solving lattice problems in dimension n — any worst-case lattice problem in dimension n. So we have reasons to believe that this problem is really hard. For now, we're just going to go on the premise that this is a hard problem and see what we can do with it. It has already been used extensively in the last couple of years in crypto to do anything that you can imagine: public-key encryption, circular-secure encryption, leakage-resilient encryption, and everything else. Now BV showed that you can also do homomorphic encryption with it. So let's start covering the BV construction slowly — there are going to be many steps, and at the end of the day we're going to have a homomorphic encryption scheme. But let's start slowly. Again, bit-by-bit encryption: the plaintext is a bit b. Let's start by thinking about it as a symmetric encryption; the public key will show up at some point, so let's not worry about it now. The secret key is a vector s, and a ciphertext is a vector c. These are vectors in Z_q^n — I keep wanting to say Z_q^m, the wide thing, but it's the length, not the width; we'll see later that ciphertexts really are n-vectors.
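The LWE distinguishing game described above can be sketched in a few lines. This is a minimal illustration; the concrete parameters (n, m, q, and the noise bound) are my own toy choices, not from the talk.

```python
# A minimal sketch of the two distributions in the LWE distinguishing
# problem: b close to the row space of A, versus b uniform.
import numpy as np

rng = np.random.default_rng(0)
n, m, q = 8, 32, 97          # dimension n, width m, modulus q

def lwe_sample():
    """(A, b) with b = s*A + e mod q: b is close to the row space of A."""
    A = rng.integers(0, q, size=(n, m))
    s = rng.integers(0, q, size=n)        # random secret combination
    e = rng.integers(-2, 3, size=m)       # short noise vector
    return A, (s @ A + e) % q

def random_sample():
    """(A, b) with b uniform and independent of A."""
    return rng.integers(0, q, size=(n, m)), rng.integers(0, q, size=m)

# The LWE assumption: no efficient algorithm can tell which of the two
# procedures produced a given pair (A, b).
A, b = lwe_sample()
```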
We're going to have a simplifying assumption that the first entry of s is 1. So s is of the form 1 concatenated with t. That will come into play later. And the decryption formula is the inner product between the ciphertext and the secret key, reduced mod q, then reduced mod 2. The reduction mod q, as usual, is into the symmetric interval between minus q over 2 and plus q over 2. And the additional invariant that we're going to keep is that the inner product mod q is a small number, smaller in absolute value than the noise magnitude, beta times q. In other words, the secret key in this system is the vector s; ciphertexts in the system are vectors close to the space orthogonal to s. The plaintext is encoded in the parity of the distance. Now, by distance here we really mean the inner product between c and s, so it's not really a distance — it's more like a syndrome — but I'm going to keep calling it a distance no matter what. The first thing that I want to say is that this is really an instance of encryption from error-correcting codes. The space orthogonal to s is a code, the ciphertext is close to the code, and you encode your plaintext in the parity of the distance. So this really is an instance of encryption from error-correcting codes, and you get additive homomorphism essentially for free, as long as things remain close to your code. But now the first question we ask ourselves is: how do you multiply? These are vectors. What is multiplication of two vectors? How do you do that? They're not ring elements. But it's not that we have nothing to multiply vectors with; we can do things. The thought of using the tensor product to multiply vectors had occurred to people previously, and I'm going to run with it for a little bit to show you what the problems are. Because people looked at it, said "oh, there's an obvious problem," and then went to work with the blueprint instead. So I'm going to run with this idea.
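The decryption invariant just described — the inner product mod q, centered, is a small even number plus the bit — can be sketched as follows. The way the ciphertext is manufactured here (fixing the first entry so the invariant holds) is just for illustration, and the parameters are toy choices.

```python
# Sketch of the decryption rule: <c, s> mod q (centered), then mod 2.
import numpy as np

rng = np.random.default_rng(1)
n, q = 8, 2**10 + 1                       # q odd

def center(x):
    """Reduce mod q into the symmetric interval around zero."""
    r = x % q
    return r - q if r > q // 2 else r

def encrypt(bit, s):
    """Build c with <c, s> = 2e + bit (mod q), using s[0] == 1."""
    e = int(rng.integers(-4, 5))          # small noise
    c = rng.integers(0, q, size=n)
    c[0] = (2 * e + bit - int(c[1:] @ s[1:])) % q
    return c

def decrypt(c, s):
    return center(int(c @ s) % q) % 2     # mod q, then mod 2

s = np.concatenate(([1], rng.integers(0, q, size=n - 1)))   # s = (1, t)
assert all(decrypt(encrypt(b, s), s) == b for b in (0, 1))
```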
I'll show you what the problem is, and then we'll see what we do. So let's try to use the tensor product, OK? We have two vectors u and v that we want to multiply homomorphically — inside each one of these vectors there's a plaintext bit. So let's use the outer product. The outer product, or tensor product, is just a matrix where the ij-th element is the product of the i-th entry of u times the j-th entry of v, mod q. And I claim that if you have the secret key, you can still decrypt that matrix. Why? Because if you take this matrix and multiply it on the left by s and on the right by s transpose, what you're going to get is the inner product of u and s times the inner product of v and s, mod q. Now, if these two things were small enough, then you don't get a wraparound, and therefore that equality actually holds over the integers, not just mod q. And then when you reduce it mod 2, what you get is that this thing, mod q mod 2, is really the same as the decryption of u times the decryption of v. So far, so good. We started from two ciphertexts, we multiplied them in this weird format, and we got something that we can decrypt to the product. That's great. What if you want to multiply more than once? Are you going to multiply the matrices? It turns out that that actually doesn't work. Here is something that does work. Think of this operation as a mapping from s to the plaintext. This is a bilinear form in s, so in particular it is also linear in the tensor product of s with itself. What that means is that if you look at that thing — this is a matrix — there is a linear combination of the entries of that matrix that gives you that. What is that linear combination? Well, it turns out that if you open both u tensor v and s tensor s into vectors — let's say just spread them one row after the other, I'm not sure exactly —
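The identity being used here — s times the outer product u v^T times s transpose equals the product of the two inner products, and the same value comes out of one flattened inner product with s tensor s — can be checked directly. Toy parameters; the flattening convention (row after row) is one of the valid arrangements.

```python
# Check of the tensor-product identity: s (u v^T) s^T = <u,s> <v,s> mod q.
import numpy as np

rng = np.random.default_rng(2)
n, q = 6, 17
s = rng.integers(0, q, size=n)
u = rng.integers(0, q, size=n)
v = rng.integers(0, q, size=n)

outer = np.outer(u, v) % q                 # the matrix "product" of u and v
lhs = int(s @ outer @ s) % q               # decrypt with s on both sides
rhs = (int(u @ s) * int(v @ s)) % q
assert lhs == rhs

# Flattened form: the same value as one inner product with s tensor s,
# i.e. with the extended secret key s* discussed next.
assert int(np.kron(u, v) @ np.kron(s, s)) % q == rhs
```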
There is some arranging of the entries that you need to take care of, but there is some arrangement that works. Then the inner product between these two larger vectors would actually give you the same thing. So we're going to denote by s* our extended secret key — this is what you get when you take the tensor product of s with itself and then write it in vector form — and similarly c* is the extended ciphertext. And now all of a sudden we have another instance of the same cryptosystem: a vector for a secret key, a vector for a ciphertext, and the decryption procedure is inner product, mod q, mod 2. Excellent. Moreover, that inner product is exactly the same as before. So if your parameters are set correctly, this thing is still quite small: if the original thing was smaller than beta times q in absolute value, then now it's smaller than that thing squared, which is still smaller than q. That's very nice. Now we can repeat this process: we can encrypt, we can multiply, we can rearrange, and then we can multiply again. Excellent. There is a problem — a fairly acute one, actually. The dimension grows quite fast. We started from an n-vector, and now we multiply, so we get a matrix, so it's n squared. And next time it's n to the fourth, and next time n to the eighth. This thing grows quite fast. And in fact, if you want to keep things polynomial, you can't do more than a constant number of multiplications. So that's a bummer. And I think up to this point, people had gotten before, and it seemed obvious that there was no way to make this thing work. So the first really, really nice idea that Brakerski and Vaikuntanathan had is the following. What we have is an extended ciphertext c* that is a valid ciphertext with respect to an extended secret key s*. And what we really want is a low-dimensional c' that is a valid ciphertext with respect to some s'.
That s' is also low-dimensional. Maybe it's the original s, or maybe it's a different s — never mind that; we want it to have low dimension. We can't afford to have the dimension grow so fast. And the key idea was: we can actually publish an encryption of s* under s', and then use something similar to bootstrapping in order to enable the translation. We have an encryption under one key, we want an encryption under the other key — so let's encrypt the first key under the second key and then do something like bootstrapping. But we really would like to get something much faster than full bootstrapping; let's hope we can. We have a high-dimensional c*, and we want a low-dimensional c'. Let's publish a matrix that allows us to translate s* ciphertexts into s' ciphertexts. The dimensions of this matrix would be such that the number of columns is the size of s* and the number of rows is the size of s', so that when we multiply, we get something of the lower dimension. Let's see if we can do something like that. Here is what we do — this is almost the construction; there is one piece that's going to come later. Here is something that looks very much like an LWE matrix. We have a random matrix A and another vector b, which belongs to the row space of A — it's a linear combination of the rows of A, except that it has a little bit more. What's the little bit more? There's a little bit of noise, small and even — 2e — and also our s*. This is how we, sort of, encrypt our s* under s'. Moreover, the actual combination of the rows of A is exactly our secret key: our secret key is of the form 1 concatenated with some secret vector t, and this t gives the combination of the rows of A. Notice that if you take s' and multiply it by M, the minus t times A here and the plus t times A here cancel out, and you're left with just 2e plus s*.
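The cancellation just described can be checked in a few lines: stack the masked row t·A + 2e + x on top of minus A, and multiplying by s' = (1, t) leaves 2e + x. Here x stands in for the hidden s*, and all sizes are toy choices.

```python
# Quick check: s' = (1, t) times M = [t A + 2e + x ; -A] gives 2e + x mod q.
import numpy as np

rng = np.random.default_rng(6)
n, K, q = 5, 12, 251
t = rng.integers(0, q, size=n - 1)
A = rng.integers(0, q, size=(n - 1, K))
e = rng.integers(-2, 3, size=K)            # small, so 2e is small and even
x = rng.integers(0, q, size=K)             # the vector being "encrypted"

top = (t @ A + 2 * e + x) % q              # row-space vector plus the extras
M = np.vstack([top, -A % q])
s_prime = np.concatenate(([1], t))
assert np.array_equal((s_prime @ M) % q, (2 * e + x) % q)
```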
So let's see what happens if we take our extended ciphertext and multiply it by M. First of all, we get something of the correct dimensions — the same dimension as s'. And then, mod q, the inner product of c' and s' is s' times M times c*. And if we group the left two — s' times M — we get the inner product between c* and 2e plus s*, which is the inner product between c* and s* — this is our decryption — plus some error term. And that looks promising, because the error term is even, so maybe when we reduce mod 2 it will go away. Well, almost — except c* is not small, and that error term is not small. So there's no reason to think that you won't get a wraparound. It's true that you get this equality, but it holds mod q, and the mod q doesn't just go away when you reduce mod 2, unless you can ensure that this thing is small so that there is no wraparound. And you can't. If only c* were short, then this would be small, so we would have this equality over the integers, and taking it mod 2 would give what we want. That would be really nice — but it's not short. So we need to fix it. We have a long vector c*, and we want to represent it by something with low L2 norm. It's very hard to keep "long" and "short" straight in this talk, because we're also talking about higher and lower dimensions, so I'll try, as much as I can, to say small L2 norm. But usually when I say a short vector, I mean low L2 norm; I will really try hard not to refer to low-dimensional vectors as short. That's not what we mean — short vectors have low L2 norm. So we have a vector with high L2 norm, and we want to represent it as a vector with low L2 norm. And here is one way of doing that. Here is a vector; it has L2 norm of about 90,000, with entries of a couple of tens of thousands.
And we can represent it, for example, by writing down its digits. So this is a vector of higher dimension but much lower L2 norm, and it does represent the other vector. Actually, later we're going to use binary rather than decimal, because it works better. And one thing you need to note is that these vectors are linearly related to each other: you can take the entries of this vector, multiply them by the corresponding powers of the base, and you get your original vector back. So these are linearly related. With this in mind, let's see what we do. We have our extended vector c*, and it has k entries; c*_i is the i-th entry. We're going to write down the binary representation of each of these entries. So we now have a sequence of bits c_{i,0} through c_{i,L}, and c*_i is just their sum with the corresponding powers of two; the c_{i,j}'s are bits. Let b_j be the vector of the j-th bits — so b_0 is the vector of all the least significant bits, b_1 is the vector of the next bits, et cetera. So c* is just the linear combination of the b_j's with the appropriate powers of two, and similarly the inner product that we're interested in is just the sum of the inner products of the b_j's with s, weighted by those powers of two. Now let's look at the following thing. We have a redundant representation of our secret key: the secret key, the secret key times two, up to the secret key times two to the L — everything reduced mod q, so it's still a vector mod q. This is a vector of dimension log q times larger than what we started from. And then we have the bit decomposition of c, which is just the concatenation of all the b_j's. And look what happens when you take the inner product: you get s times b_0, plus twice s times b_1, et cetera.
This is exactly that thing, which is equal to what we wanted. So we took our large-L2-norm vector c*, and we represented it by a short but higher-dimensional vector c**. And we still have our extended — doubly extended now — secret key, such that if we take the inner product, we get what we need. And c** is short because it's a zero-one vector. Excellent. So this is what we're going to do: instead of publishing a matrix that lets us translate s* to s', we're going to publish a matrix that lets us translate s** to s'. So the number of rows is the small thing, n, and the number of columns is the large thing, which by now is, I'm guessing, n squared times log q or so. Now, given an expanded ciphertext, we want to produce a low-dimensional ciphertext. First we increase the dimension even further to get the doubly expanded c**, and then we multiply by this translation matrix. Okay, let's see what we have. The inner product that we want, c* with s*, is the same as the inner product of the doubly expanded versions — this is what I had on the previous slide. Also, the new inner product — the primed, low-dimensional one — is the same as the inner product of the doubly expanded versions plus twice this error. But the original inner product, we know, was small, and therefore this thing is also small mod q, because it's the same thing. That error term is also small: c** is a zero-one vector, so it has very small L2 norm, and e was chosen as a small error vector, so it also has small L2 norm; multiplied by two, it's still rather small. So this whole thing is small mod q — you don't get any wraparound — and therefore this equality holds over the integers.
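The bit-decomposition pairing just used — the 0/1 vector of bits of c, against the secret key scaled by powers of two — preserves the inner product mod q while making the ciphertext side short. A small check, with toy parameters:

```python
# <bit_decomp(c), powers_of_two(s)> = <c, s>  (mod q)
import numpy as np

q = 97
L = q.bit_length()                # bits per entry

def bit_decomp(c):
    """Concatenate b_0, b_1, ..., the vectors of j-th bits of c."""
    return np.concatenate([(c >> j) & 1 for j in range(L)])

def powers_of_two(s):
    """Concatenate s, 2s, 4s, ..., 2^(L-1) s, all mod q."""
    return np.concatenate([(s * (1 << j)) % q for j in range(L)])

rng = np.random.default_rng(3)
c = rng.integers(0, q, size=5)
s = rng.integers(0, q, size=5)

# same inner product mod q, but bit_decomp(c) has tiny L2 norm
assert int(bit_decomp(c) @ powers_of_two(s)) % q == int(c @ s) % q
assert set(bit_decomp(c).tolist()) <= {0, 1}
```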
Therefore, when you take it mod 2, this error term goes away, and you're left with: the inner product between c' and s' mod q has the same parity as the original inner product between the starred versions mod q — it's not the same number, it just has the same parity; it's the same mod 2. This happens over the integers, and mod 2 you get that the decryption of the new thing under s' is the same as the decryption of the old thing under s*. So this is how you do dimension reduction. Do I have it on the next slide? No, not yet — so let me stop for a second and take stock of what we have so far. We have vectors that are ciphertexts and vectors that are secret keys. Decryption is essentially inner product, mod q, mod 2. We want to multiply two vectors. We take the tensor product and open it into a vector — that's a vector, but it has high dimension. We make it even higher-dimensional by representing it by its bit decomposition. Then we multiply it by this translation matrix and get back a vector of low dimension, with the property that decrypting the new vector under the new secret key s' gives the same thing as decrypting the old vector under the old key. So we managed to do one multiplication step. We switched keys in the process — we went from s to s* to s**, and now we have s'. So we're working with respect to a different key now, but we still have a low-dimensional ciphertext, and it now encrypts the product of the two bits that we started from. That's what we want. Let's talk about security for a little bit — one slide. Why is this secure? Why didn't I give away too much information by publishing this matrix? The idea is that under LWE, you cannot distinguish this matrix from just a random matrix that has nothing to do with anything. That's almost true: it would have been true if we had added an error e to the top row of this matrix. In fact, we added twice an error e.
So you need to prove something, but when your modulus is odd, you can easily show that it doesn't matter. Here is the proof. LWE says that given a random A, it's hard to distinguish t times A plus e from a random vector; then twice those things are indistinguishable as well. But for an odd modulus, a random vector times two and a plain random vector are the same distribution, and similarly here these distributions are the same. So if those things cannot be distinguished, then these things cannot be distinguished either, and when you add s* on top, it still cannot be distinguished. So our matrix has this random thing, and then the thing that has s* in it is masked by that other thing that looks random. So there's actually a proof here, even though I didn't read it all the way through. With that, we already have the first part of the BV construction. This is a leveled somewhat homomorphic encryption. Leveled means that we work level by level, because we need to change keys at every level, and moreover the public key size grows: for every level of multiplications that we want to evaluate, we need to publish one of these translation matrices. So the size of our public key depends on the depth of the circuit that we want to evaluate. So imagine a circuit that consists of alternating addition gates and multiplication gates. Additions you can do just by adding things, but for multiplications we need to publish these translation matrices. So the size of our public key depends on the number of multiplication layers in our circuit. For the secret key, you just choose all of these random vectors, where the first entry of each one is 1. The public key has all of these translation matrices — and now comes the initial public key, which at the beginning I said not to worry about.
So the public key that lets you encrypt actually has the same format, except it's a translation matrix from nothing — from the zero vector — to the first secret key. So s_i times the matrix M_i is just twice the i-th error vector plus the previous-level secret key that was hidden there, and s_0 times M_0 is just twice the error vector. If you want to encrypt, you just choose a random zero-one vector r of dimension m, multiply M_0 by it, and add your bit, padded with zeros. So r is an m-vector, and the result is an n-vector — so finally it's resolved: the size of the ciphertext is n. You add your bit to the first entry of this n-vector. In order to decrypt a ciphertext at the i-th level, you just take the inner product with the corresponding secret key, mod q, mod 2. Why does decryption work? Let's see why it works for level-zero ciphertexts. If you take the inner product of the ciphertext with the secret key, what you get is s_0 times M_0 times r, plus b. The reason it's plus b is that s begins with a one, and that one gets multiplied with the b we added. Now, s_0 times M_0 is twice e_0, and twice e_0 inner-product with r is a small number, because r is a zero-one vector and e_0 was chosen small. So you get a small number; all of this happens mod q, but since there's no wraparound, it's also true over the integers, and therefore when you take it mod 2 you're left with your bit b. So this is why decryption at level zero works, and the reason decryption at the higher levels works is all of the things we did before: we showed that the inner product, mod q, mod 2, remains the same. So if decryption works for level-zero ciphertexts, it works for all the others as well. If you want to add ciphertexts that belong to the same level, you just add them.
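The level-zero encryption just described can be sketched as follows: a public matrix M_0 with s_0 times M_0 equal to 2e_0 mod q, a ciphertext built as M_0 times a random 0/1 vector with the bit added to the first entry. All sizes and noise ranges are toy choices.

```python
# Sketch of level-zero public-key encryption: c = M0 r + (b, 0, ..., 0).
import numpy as np

rng = np.random.default_rng(7)
n, m, q = 5, 20, 2**13 + 1                 # q odd

def center(x):
    r = x % q
    return r - q if r > q // 2 else r

t = rng.integers(-2, 3, size=n - 1)
s0 = np.concatenate(([1], t))              # secret key, first entry 1
A = rng.integers(0, q, size=(n - 1, m))
e0 = rng.integers(-2, 3, size=m)
M0 = np.vstack([(t @ A + 2 * e0) % q, -A % q])   # so s0 * M0 = 2 e0 mod q

def encrypt(bit):
    r = rng.integers(0, 2, size=m)         # random 0/1 vector
    c = (M0 @ r) % q
    c[0] = (c[0] + bit) % q                # add the bit to the first entry
    return c

def decrypt(c):
    return center(int(c @ s0) % q) % 2

assert all(decrypt(encrypt(b)) == b for b in (0, 1))
```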
If you want to multiply ciphertexts that belong to the same level, you compute the extended ciphertext c* by taking the tensor product and opening it into a vector, compute the doubly extended c**, which is its bit decomposition, multiply by the appropriate M_i, and you get a ciphertext with respect to the next level's secret key. Why is it secure? Well, it's secure because under LWE, all of these M_i's look just as if they were random matrices — this is essentially the proof that I had a slide or two ago. And if they really were random matrices, then the ciphertexts would give absolutely no information about the bits that are encrypted. For this you need the leftover hash lemma; I'm not going to show that, but it's a fairly standard argument by now. So we have our somewhat homomorphic encryption. The public key size needs to grow, but that's okay. The other thing that grows is the noise. All along I said: you take this thing, you multiply, the noise is still small. Yes, it is small, but it is larger than it was before. Roughly, it doubles on addition and gets squared on multiplication, and then you add these extra noise terms when you switch from one level to the next. So things keep growing. And since the absolute value of the noise roughly gets squared on every multiplication, you can't do more than logarithmically many levels; beyond that, the noise grows superpolynomial and exceeds your q. So what do you do if you want to evaluate deeper circuits? One thing you can do is squash and bootstrap. This cryptosystem has the same general structure as all the previous somewhat homomorphic schemes in terms of how decryption looks, so you can squash the decryption circuit just as with all the previous schemes. That's one way. Or you can do the "chimeric" thing with the decryption, just like with the other previous systems. Or you can do something else.
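The whole multiplication step — tensor the two ciphertexts, bit-decompose, multiply by the translation matrix, decrypt under the next key — can be run end to end on toy parameters. Everything here (sizes, noise ranges, and manufacturing ciphertexts directly from the secret key instead of from the public matrix M_0) is an illustrative sketch, not the paper's exact scheme.

```python
# End-to-end toy run of one homomorphic multiplication with key switching.
import numpy as np

rng = np.random.default_rng(5)
n, q = 4, 2**15 + 1                        # q odd; toy sizes
L = q.bit_length()

def center(x):
    r = x % q
    return r - q if r > q // 2 else r

def bit_decomp(c):
    return np.concatenate([(c >> j) & 1 for j in range(L)])

def powers_of_two(s):
    return np.concatenate([(s * (1 << j)) % q for j in range(L)])

def keygen():
    return np.concatenate(([1], rng.integers(-2, 3, size=n - 1)))

def encrypt(bit, s):
    e = int(rng.integers(-2, 3))
    c = rng.integers(0, q, size=n)
    c[0] = (2 * e + bit - int(c[1:] @ s[1:])) % q
    return c

def decrypt(c, s):
    return center(int(c @ s) % q) % 2

def switch_matrix(s_star, s_new):
    """M with s_new * M = 2e + powers_of_two(s_star)  (mod q)."""
    K = n * n * L
    A = rng.integers(0, q, size=(n - 1, K))
    e = rng.integers(-2, 3, size=K)
    top = (s_new[1:] @ A + 2 * e + powers_of_two(s_star)) % q
    return np.vstack([top, -A % q])

s1, s2 = keygen(), keygen()
s_star = np.kron(s1, s1) % q               # extended key: s tensor s
M = switch_matrix(s_star, s2)

for b1 in (0, 1):
    for b2 in (0, 1):
        c_star = np.kron(encrypt(b1, s1), encrypt(b2, s1)) % q
        c_next = (M @ bit_decomp(c_star)) % q   # bit-decompose, translate
        assert decrypt(c_next, s2) == b1 * b2
```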
So now, after we've realized that we have a new somewhat homomorphic encryption scheme built without an underlying ring structure — which is a marvel in itself — let's go to the next marvel and see how to get a fully homomorphic encryption without actually doing any of these fun activities like squashing. And the trick that makes it happen is something that really shouldn't have worked; it's called modulus switching. All the things we did were over Z_q. The observation, again in BV, was that you can actually switch to a different modulus and still be able to decrypt. That really shouldn't work — but it does. So we have our c and s, and we want to convert them to a c' and an s' such that for some other modulus p, smaller than our current modulus q, the inner product of the new stuff mod p and the inner product of the old stuff mod q have the same least significant bit. Okay? If you could do that — and I will show how in a bit — then here is one thing you could do with it, and this is what the BV construction actually did. They used it with p much smaller than q, in order to reduce the decryption complexity. So notice, this is decryption: you do that inner product and then take the least significant bit. So the main operation is multiplying two numbers mod p here, versus multiplying two numbers mod q there, and if p is much smaller than q, the complexity of multiplying mod p is similarly much smaller. So the homomorphic properties of your scheme depend on q, but the decryption complexity depends on p. And if you make p sufficiently smaller than q, you get something that can evaluate its own decryption circuit, and you're happy. It uses the modulus switching and the key switching in a combined way.
But in order to get that, you need to publish, again, one of these key-switching matrices, and multiply with it, et cetera. What I'm going to show now, on the other hand, is this — the work of Brakerski, Gentry, and Vaikuntanathan. They use it again with p smaller than q, but not so much smaller, just a little bit smaller, and show that when you do that, not only does decryption still work, you actually get the noise to be smaller. So all you do is take this and turn it into that, and all of a sudden, not only does decryption still work, but your noise gets smaller. And what you actually do is very, very simple: you take your ciphertext and you scale it down, and then you need to round it — it's not integer anymore — in an appropriate way, and that works. So here is why it works. This is the main lemma. We have p smaller than q, both of them odd, and we have our original c and s, and we have the premise that the inner product mod q is smaller than q over 2 — actually significantly smaller than q over 2, by some additive factor that depends on the L1 norm of s. Notice that for this to hold, s must be a short vector; you cannot have this premise hold if s is long. So later on we'll have to worry about how to make s a short vector, but for now let's just assume that it is. So this thing has to be smaller than q over 2 by a factor which is not just the L1 norm of s but a scaled-up version of it: the L1 norm of s times q over p. Suppose we have that, and let c' be the scaled-down version of c, rounded. How am I going to round it? I'm going to round each entry separately, either up or down, so that c and c' are equivalent mod 2. So if the first entry of c is odd, then I have to round the first entry of c' either up or down to make it an odd integer.
If you have that, then you get the following two properties. First, decryption still works: the inner product of c' with your secret key — you don't change the secret key at all, just the ciphertext — modulo p, and the inner product of the original c modulo q, are equivalent mod 2. As integers, they have the same least significant bit. Again, mod maps into the symmetric interval — I just remind everybody. And second, not only that, but the size of your noise went down, from what it was before to what it was before times p over q, plus some additive error. So not only does decryption still work, the size of our noise is scaled down roughly by a factor of p over q, with some additive error. How do we prove this? Well, once you state the lemma, maybe the proof is not so hard, but it's not so easy either. So here's what we do. The inner product of c and s mod q — what does that mean? It means the inner product over the integers minus some multiple of q, say k times q. And we know that this is between minus q over 2 and plus q over 2, but actually in a smaller interval — we have the premise that it's smaller than q over 2 by this additional factor of the scaled-up L1 norm. So let's take the blue part and just multiply it by p over q, okay? We get p over q times the inner product of c and s, minus k times q times p over q — that's k times p. That's in the interval between minus p over 2 and plus p over 2, and actually in a smaller interval. And now, when you replace this scaled-down c by its rounded version, you don't introduce that much noise: the error you introduce is the rounding error inner-product with s, which can be at most the L1 norm of s, and you're done.
So what we showed is that if you take the inner product of the new c' with the same s over the integers, and subtract from it the same multiple — kappa times p, where before it was kappa times q — you get something in the interval between minus p over 2 and plus p over 2, which means that this thing is the inner product mod p. That's the definition of the inner product mod p: you take away multiples of p until you land in the interval between minus p over 2 and plus p over 2. And that already proves part two of the lemma, because our noise now is exactly the noise from before times p over q — you multiplied this whole equation by p over q — plus the error introduced by the rounding. So that proves part two, and it remains to prove part one. We know that the original thing mod q is the inner product over the integers minus kappa times q, and the new thing mod p is the inner product over the integers minus kappa times p, for the same kappa. p and q are odd, and therefore kappa times p and kappa times q are the same mod 2. c and c' are equivalent mod 2, because this is how we defined the rounding, and therefore their inner products with s are also equivalent mod 2. Therefore, when you look at this integer — the new inner product over the integers minus kappa times p — it's the same mod 2 as the old inner product over the integers minus kappa times q, and that equals the old inner product mod q. That proves part one. So let me repeat what we did before I move on. We showed that if you start from a secret key and a ciphertext such that the inner product is sufficiently small, and also the L1 norm of the secret key is sufficiently small, then all you need to do in order to switch modulus is scale down and round appropriately. As a result, decryption still works and your noise gets smaller. The only thing we need to solve now is how to make s small. So here is the easy way out.
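The lemma just proved can be exercised directly: scale the ciphertext by p/q, round each entry to the same-parity neighbor, and check that the centered inner product keeps its least significant bit while shrinking. The parameters and the manufactured ciphertext below are illustrative.

```python
# Sketch of modulus switching: parity-preserving rounding of (p/q) * c.
import numpy as np

def center(x, m):
    r = x % m
    return r - m if r > m // 2 else r

def mod_switch(c, q, p):
    """Round (p/q) * c entrywise so that the result equals c mod 2."""
    out = []
    for ci in c:
        x = float(ci) * p / q
        r = round(x)
        if r % 2 != ci % 2:                # move to the neighbor on x's side
            r += 1 if x > r else -1
        out.append(r)
    return np.array(out)

q, p = 1001, 101                           # both odd, p < q
rng = np.random.default_rng(4)
s = np.concatenate(([1], rng.integers(-2, 3, size=4)))   # short secret key
b, e = 1, 7                                # plaintext bit and noise
c = rng.integers(0, q, size=5)
c[0] = (2 * e + b - int(c[1:] @ s[1:])) % q    # <c, s> = 15  (mod q)

c2 = mod_switch(c, q, p)
old = center(int(c @ s) % q, q)
new = center(int(c2 @ s) % p, p)
assert old == 15
assert new % 2 == old % 2                  # same plaintext bit
assert abs(new) < abs(old)                 # the noise actually shrank
```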
If S is random in Z Q, then the L1 norm of S is not small and you aren't gonna get anything. But luckily, two years ago, Applebaum et al. proved that LWE remains hard even if you choose your secret key as a small vector. In particular, you can choose the entries of the secret from the same distribution as the error, so they are as small as the entries of the error vectors. And so we're just gonna choose our secret keys this way, and that's how we make them small. So we didn't really need to do anything: just choose your secret keys small and you're fine. There is also a hard way to do the same, using the bit decomposition and powers of two; that works as well, but it makes things a little more complicated, so I'm not gonna show it. I feel obliged to bring at least one example here. So here's an example. So you do modulus switching. Your original Q is a hundred and seventy-five, and the smaller one is 29; they're both odd. The ciphertext is this vector, the secret key is this short vector, and for the inner product mod Q you subtract eight times the large modulus and you get minus 30. You scale down, you get this rational vector, and now you need to round. So the first entry in C is odd, so you need to round this one down to get 39, which is odd. The second entry is even, so you need to round this one, well, also down, to get 48, which is even. So the rounded version is (39, 48), and when you do the inner product mod P you see that indeed you subtract the same number of 29s as you did before with 175s, and the noise is indeed smaller. It was minus 30 before, it's minus 10 now. I mean, in absolute value the noise got smaller. One point that I wanna make: yes, it did get smaller in absolute value, from 30 to 10, but if you look at it relative to your modulus, it actually increased, because all we did is scale, and we had this added rounding error. So it is smaller in absolute terms but larger in relative terms, and that raises the question of why this helps you at all. So here is what you do.
You start with a very large modulus Q and a small noise, let's call it eta. After the first multiplication the noise roughly gets squared, so you get noise which is roughly eta squared, and then you switch to a modulus smaller by a factor of eta, so the noise is similarly reduced back to roughly eta. So you started with eta, you increased the noise, then you beat it down by doing modulus switching, and now you have noise of eta again, and you do it again. After the next layer the noise grows again to roughly eta squared, and again you reduce your modulus by a factor of eta and the noise gets smaller again, and you keep doing that. So here is what you would get in terms of noise versus modulus, with and without the modulus switching thing. Let's start without modulus switching. So you start, let's say, with a modulus of size eta to the fifth, just as a concrete number, and noise eta. You do one level of multiplication, you're talking about degree-two polynomials now, and the noise is eta squared. You do another level of multiplication, the noise gets squared again, so now the noise is eta to the power of four. The modulus is still eta to the power of five, so it's still much larger than the noise, but by the next level the noise is too large. It's bigger than your modulus, so you get a decryption error. On the other hand, if you do do the modulus switching, then you start the same way: you get noise eta squared, which you reduce back to eta by making the modulus smaller, so you have noise eta and modulus eta to the four. Next time you're talking about degree-four polynomials; your noise stays the same, the modulus gets smaller. Degree-eight polynomials: the noise is eta, the modulus is eta squared. And at degree-16 polynomials you finally reach the point where you can't do it anymore. Maybe the noise is still smaller than the modulus, but the next time around you're gonna get a decryption error. But notice that here things are nice and linear.
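This counting argument can be simulated in a few lines of Python. The loop conditions and the choice of eta are my own simplifications, just to illustrate the bookkeeping: without switching, the noise squares against a fixed modulus, so the usable depth is only logarithmic in the exponent of the modulus; with switching, the modulus shrinks by a factor of eta per level while the noise stays near eta, so the depth is roughly linear in that exponent.

```python
def levels_without_switching(k, eta=10):
    """Fixed modulus q = eta**k; the noise squares at each
    multiplication, until it would exceed q/2 (decryption error)."""
    q, noise, levels = eta ** k, eta, 0
    while noise ** 2 < q // 2:
        noise, levels = noise ** 2, levels + 1
    return levels

def levels_with_switching(k, eta=10):
    """After each multiplication the modulus is divided by eta,
    which beats the squared noise back down to roughly eta."""
    q, levels = eta ** k, 0
    while q // eta > 2 * eta:   # next modulus must still dominate the noise
        q, levels = q // eta, levels + 1
    return levels
```

For example, starting from a modulus of eta to the ninth, the first function supports only 3 levels while the second supports 7, and the gap widens exponentially as the starting exponent grows.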
You can do a number of levels which is essentially linear in the size of the modulus that you started from, whereas there the noise grows exponentially, so you can only do logarithmically many levels. So using modulus switching actually gives you an exponential increase in the number of levels that you can handle. Okay, let's put it all together. If we wanna multiply things that are represented by vectors, we're gonna do the tensor product. The tensor product increases the dimension, so we want to beat the dimension down, so we're gonna do key switching, or re-linearization, or dimension reduction; I mean, this transformation has at least three names that I'm aware of. And you need to do the powers-of-two and bit-decomposition encoding in order to make that step work. Then you reduce the noise by switching the modulus, and this works if the secret key S is short. And then you keep doing these three steps until the modulus becomes too small, at which point you can't go any further. So all of that gives you the Brakerski, Gentry, Vaikuntanathan (BGV) leveled fully homomorphic encryption. It's still leveled, because you still need to publish a piece of public key for every level of your circuit, but now you can handle circuits whose depth is any polynomial that you want. So you start by saying you want to evaluate depth-D circuits. The initial noise, which is something that relates to your security, we'll talk about it in a slide or two, is eta, and you have this other parameter, tau, which is slightly bigger than eta, and which is the ratio between consecutive moduli. So you choose all of these moduli q0, q1, up to qd, where q0 is the largest of them and they get smaller and smaller by a factor of tau; each qi is roughly tau to the power of d minus i plus one. The key generation is, again, you choose the short secret keys: the first entry is one, the other entries are chosen from the error distribution. For every si you compute the singly expanded si prime and the doubly expanded si double prime.
All of that is still modulo qi. And then the public key has all these transformation matrices, from si minus one to si; each of these is a matrix in Z qi minus one, and there is the original matrix in Z q0. The short error vector inside each one of these guys is called ei, and it's a vector modulo qi minus one. And you have the same formulas that we had before: the first matrix times s0 is twice the error, and the i-th matrix times si is twice the error plus the hidden, expanded previous secret key, except that the first one holds mod q0 and each one of the others holds mod qi minus one. Encryption, decryption, and homomorphic addition are the same as in the leveled thing, where at level i all the operations are done mod qi. And then, if you wanna multiply two ciphertexts, you do the tensor product: you get an n-squared-dimensional vector which still decrypts to the right thing, that is, to the product, mod qi. Then you do the bit decomposition: you get a doubly expanded vector that still decrypts to the right thing under the doubly expanded version of the secret key, still mod qi. Then you do the dimension reduction: you get something which decrypts to the right thing with respect to the next-level secret key, but still modulo qi. And then you do the modulus switching, and you get something that decrypts to the right thing under the new secret key, modulo the next modulus, qi plus one. And the noise in your final ciphertext is bounded by eta squared, plus whatever error terms you have, divided by this ratio tau between the two moduli, and you set your parameters so that this thing is still smaller than eta; this is how you keep your noise from growing. Okay, what did we get?
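The bit-decomposition and powers-of-two step just mentioned rests on a simple identity: the inner product of the bit-decomposed ciphertext with the powers-of-two expansion of the secret key equals the original inner product mod q. Here is a minimal Python sketch of just that identity, with toy parameters of my own:

```python
def bit_decompose(c, q):
    """Write each entry of c in binary; output the concatenated
    0/1 vectors, least significant bits first."""
    k = q.bit_length()
    out = []
    for j in range(k):
        out.extend((ci >> j) & 1 for ci in c)
    return out

def powers_of_two(s, q):
    """Output s, 2s, 4s, ... mod q, matching bit_decompose's layout."""
    k = q.bit_length()
    out = []
    for j in range(k):
        out.extend((si << j) % q for si in s)
    return out

# <BitDecomp(c), PowersOf2(s)> = <c, s>  (mod q),
# while BitDecomp(c) has entries in {0, 1} -- i.e., tiny L1 norm.
q = 17
c, s = [13, 7], [3, 5]
lhs = sum(a * b for a, b in zip(bit_decompose(c, q), powers_of_two(s, q))) % q
rhs = sum(a * b for a, b in zip(c, s)) % q
```

The point of the trade is visible in the code: the decomposed ciphertext is longer but binary, so when it is inner-producted with an error vector, the error contribution stays small.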
We got a leveled fully homomorphic encryption. The public key size is at least linear in the depth of the circuit, actually a little more than linear because of the sizes of the moduli, but no matter: you can handle circuits of any polynomial depth, and your security is based on LWE. But LWE is a problem with parameters, so what parameters do we get? Well, the ratio between the largest modulus and the noise, the largest modulus is q0, the noise is this eta that we had before, is roughly some polynomial to the power of the depth of the circuits that you want to evaluate. So if you want LWE with a noise parameter beta which is just a polynomial fraction, then you can't do anything more than constantly many levels. If you want to do more than that, you need to assume that LWE is hard even when the noise fraction is much smaller than that, in particular, smaller than any polynomial fraction. The modulus gets smaller as we go up the circuit, so lower levels are somewhat more expensive than higher levels, because you need to compute things modulo a larger modulus. Some variants, some optimizations, things that you can do. So first of all, once you reach the top level and you're at the smallest modulus and you cannot decrease your modulus anymore, what do you do if you want to keep computing? One thing that you can do is bootstrap. You can bootstrap back into the largest modulus and do it again. You will still need matrices going up: for every level, you do need this dimension reduction matrix. So even if you do use bootstrapping, at least as per the first bullet, you need translation matrices for the entire depth of your circuit. But you can start now from a smaller q0 and reach the top level faster, while you still have some levels to compute, and then do bootstrapping to the largest modulus and keep going; it's possible. You can make it into a pure fully homomorphic encryption.
Well, you just have a fixed-size public key no matter how deep a circuit you evaluate, by assuming circular security. So at some point, you go back to one of the keys that you used before, you assume that things remain secure, and then you can reuse the translation matrices that you were using before. You can base security on ring LWE. All of this was vectors over the integers; you can have the entries of these vectors come from a different ring than the integers, for example, from polynomial rings. And that lets you use smaller dimensions, since a single element of the polynomial ring is itself represented as a vector, so you can get away with dimension as small as two over the ring. So if you write the vector down as a vector of integers, it's still a high-dimensional vector, but over the ring it's gonna be low-dimensional, and that's actually good: it lets you compute things faster than if these were arbitrary vectors. You don't actually have to use Z2 as the plaintext space. The modulus switching thing doesn't work as well when the plaintext space is not Z2, right? I mean, there was a point where we needed to round either up or down, and that was because we needed C and C prime to be equivalent mod two. But if you want them to be equivalent mod seven, then you have seven residues to respect, and the error you introduce by rounding keeps growing, and if you wanted to compute things modulo some exponential thing, then you can't do that. So you need to use a different trick for larger plaintext moduli. It is possible, though. Another thing that you can do is batching. So far, we had a single bit per ciphertext vector, and it was very wasteful. I mean, we needed that for security, but it was very wasteful, and you can actually do better.
You can do Chinese remaindering tricks in order to pack many bits into one vector ciphertext, and if you do that, then whenever you add or multiply two ciphertexts, you implicitly add or multiply all the bits that are packed there, coordinate-wise. So the first packed bit would be multiplied by the first packed bit, the second with the second, et cetera. And if you take all of these optimizations, all of them are described in the BGV paper on ePrint, and see how much you can reduce the overhead, then the overhead can asymptotically be reduced from what it was, at least lambda to the 3.5, before, to something quasi-linear. So now for every multiplication, you need to do only roughly a security parameter number of operations, or security parameter times polylog number of operations, rather than security parameter to the 3.5. Okay, where we are and where we want to be. So at this point, we have many new ideas on the table. In the last three months, there have been a host of new things that we can do, and we're still in the phase of figuring out what works and what doesn't. Moreover, given the rapid development of this, it would not be surprising if we have many more new ideas soon; it would actually be quite surprising if we don't. There are implementation efforts implementing this scheme that I was talking about for the last hour and something, and the goal is to get usable fully homomorphic encryption. You want a construction that, at least for some niche applications, you can actually use. And I'm actually quite optimistic. I mean, my personal guess is that within two or three years, for certain applications, we will be able to use these schemes for real. Of course, there are many open problems that remain; one that I'm going to mention is to base it on LWE with polynomially small error rather than super-polynomially small error. Oh, that's it. Anybody want to ask questions? Question from the audience: when you talk about multiplying the plaintext, this is multiplying two one-bit numbers? Yes.
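As an aside on the batching point above: in BGV the packing actually happens inside the polynomial plaintext ring, but the underlying principle is plain Chinese remaindering. Here is a toy integer-CRT sketch (the moduli and slot values are my own illustration, not the scheme's real parameters) showing that arithmetic on a packed value acts slot-wise:

```python
from math import prod

def crt_pack(values, moduli):
    """Find x in [0, prod(moduli)) with x = values[i] mod moduli[i]
    for pairwise coprime moduli (standard CRT reconstruction)."""
    M = prod(moduli)
    x = 0
    for v, m in zip(values, moduli):
        Mi = M // m
        x += v * Mi * pow(Mi, -1, m)   # Mi * Mi^{-1} = 1 (mod m)
    return x % M

def crt_unpack(x, moduli):
    """Read each slot back out by reducing mod its modulus."""
    return [x % m for m in moduli]

# Pack three slots; one multiplication of packed values
# multiplies all slots at once.
m = [3, 5, 7]
a, b = [1, 2, 3], [2, 4, 5]
x, y = crt_pack(a, m), crt_pack(b, m)
product_slots = crt_unpack((x * y) % prod(m), m)
```

This is the sense in which one homomorphic multiplication on a packed ciphertext costs the same but computes many slot products in parallel, which is where the quasi-linear overhead comes from.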
Okay, thank you for your attention.