Practical Randomized Lattice Gadget Decomposition with Application to FHE

Abstract

Gadget decomposition is widely used in lattice based cryptography, especially homomorphic encryption (HE) to keep the noise growth slow. If it is randomized following a subgaussian distribution, it is called subgaussian (gadget) decomposition which guarantees that we can bound the noise contained in ciphertexts by its variance. This gives tighter and cleaner noise bound in average case, instead of the use of its norm. Even though there are few attempts to build efficient such algorithms, most of them are still not practical enough to be applied to homomorphic encryption schemes due to somewhat high overhead compared to the deterministic decomposition. Furthermore, there has been no detailed analysis of existing works. Therefore, HE schemes use the deterministic decomposition algorithm and rely on a Heuristic assumption that every output element follows a subgaussian distribution independently.

In this work, we introduce a new practical subgaussian gadget decomposition algorithm which has the least overhead (less than 14%) among existing works for certain parameter sets, by combining two previous works. In other words, we bring an existing technique based on an uniform distribution to a simpler and faster design (PKC’ 22) to exploit parallel computation, which allows to skip expensive parts due to pre-computation, resulting in even simpler and faster algorithm. When the modulus is large (over 100-bit), our algorithm is not always faster than the other similar work. Therefore, we give a detailed comparison, even for large modulus, with all the competitive algorithms for applications to choose the best algorithm for their choice of parameters.

A Proof of Lemma 4

Lemma (The general version of Lemma 2.2 in [19]). Let \(\textbf{x}\) be a discrete random vector over \({\mathbb R}^n\) such that each coordinate \(x_i\) is \(\delta _i\)-subgaussian with parameter \(s_i\) given the previous coordinates take any values. Then \(\textbf{x}\) is a \(\sum \delta _i\)-subgaussian vector with parameter \(\max _i\{s_i\}\).

Proof. The moment generating function of \(\langle \textbf{x},\textbf{u} \rangle \) is

$$\begin{aligned} \begin{aligned} \mathbb {E}[\exp (2\pi t\langle \textbf{x},\textbf{u} \rangle )] &= \mathbb {E}[\exp (2\pi t\sum x_i u_i)]\\ &\le \exp (\sum \delta _i)\exp (\pi t^2\sum s_i^2 u_i^2) (\because \text {Lemma}~3 )\\ &\le \exp (\sum \delta _i)\exp (\pi t^2 (\max s_i)^2\sum u_i^2)\\ &= \exp (\sum \delta _i)\exp (\pi t^2 (\max s_i)^2||\textbf{u}||^2)\\ &= \exp (\sum \delta _i)\exp (\pi t^2 (\max s_i)^2 (\because \text {unit vector } \textbf{u}). \end{aligned} \end{aligned}$$