mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 22:53:51 +00:00
feat: breaking change (unstable) (#198)
* [PUBLISHER] upload files #175
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md
* [PUBLISHER] upload files #177
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryptio.md
* [PUBLISHER] upload files #178
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #179
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #180
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #181
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #182
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* [PUBLISHER] upload files #183
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #184
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #185
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #186
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* [PUBLISHER] upload files #187
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 14. Secure Multiparty Computation.md
* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md
* DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md
* [PUBLISHER] upload files #188
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH NOTE : 14. Secure Multiparty Computation.md
* DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md
* chore: remove files
* [PUBLISHER] upload files #197
* PUSH NOTE : 수학 공부에 대한 고찰.md
* PUSH NOTE : 09. Lp Functions.md
* PUSH ATTACHMENT : mt-09.png
* PUSH NOTE : 08. Comparison with the Riemann Integral.md
* PUSH ATTACHMENT : mt-08.png
* PUSH NOTE : 04. Measurable Functions.md
* PUSH ATTACHMENT : mt-04.png
* PUSH NOTE : 06. Convergence Theorems.md
* PUSH ATTACHMENT : mt-06.png
* PUSH NOTE : 07. Dominated Convergence Theorem.md
* PUSH ATTACHMENT : mt-07.png
* PUSH NOTE : 05. Lebesgue Integration.md
* PUSH ATTACHMENT : mt-05.png
* PUSH NOTE : 03. Measure Spaces.md
* PUSH ATTACHMENT : mt-03.png
* PUSH NOTE : 02. Construction of Measure.md
* PUSH ATTACHMENT : mt-02.png
* PUSH NOTE : 01. Algebra of Sets and Set Functions.md
* PUSH ATTACHMENT : mt-01.png
* PUSH NOTE : Rules of Inference with Coq.md
* PUSH NOTE : 블로그 이주 이야기.md
* PUSH NOTE : Secure IAM on AWS with Multi-Account Strategy.md
* PUSH ATTACHMENT : separation-by-product.png
* PUSH NOTE : You and Your Research, Richard Hamming.md
* PUSH NOTE : 10. Digital Signatures.md
* PUSH ATTACHMENT : mc-10-dsig-security.png
* PUSH ATTACHMENT : mc-10-schnorr-identification.png
* PUSH NOTE : 9. Public Key Encryption.md
* PUSH ATTACHMENT : mc-09-ss-pke.png
* PUSH NOTE : 8. Number Theory.md
* PUSH NOTE : 7. Key Exchange.md
* PUSH ATTACHMENT : mc-07-dhke.png
* PUSH ATTACHMENT : mc-07-dhke-mitm.png
* PUSH ATTACHMENT : mc-07-merkle-puzzles.png
* PUSH NOTE : 6. Hash Functions.md
* PUSH ATTACHMENT : mc-06-merkle-damgard.png
* PUSH ATTACHMENT : mc-06-davies-meyer.png
* PUSH ATTACHMENT : mc-06-hmac.png
* PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md
* PUSH ATTACHMENT : mc-05-ci.png
* PUSH ATTACHMENT : mc-05-etm-mte.png
* PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md
* PUSH ATTACHMENT : mc-01-prg-game.png
* PUSH ATTACHMENT : mc-01-ss.png
* PUSH NOTE : 4. Message Authentication Codes.md
* PUSH ATTACHMENT : mc-04-mac.png
* PUSH ATTACHMENT : mc-04-mac-security.png
* PUSH ATTACHMENT : mc-04-cbc-mac.png
* PUSH ATTACHMENT : mc-04-ecbc-mac.png
* PUSH NOTE : 3. Symmetric Key Encryption.md
* PUSH ATTACHMENT : is-03-ecb-encryption.png
* PUSH ATTACHMENT : is-03-cbc-encryption.png
* PUSH ATTACHMENT : is-03-ctr-encryption.png
* PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md
* PUSH ATTACHMENT : mc-02-block-cipher.png
* PUSH ATTACHMENT : mc-02-feistel-network.png
* PUSH ATTACHMENT : mc-02-des-round.png
* PUSH ATTACHMENT : mc-02-DES.png
* PUSH ATTACHMENT : mc-02-aes-128.png
* PUSH ATTACHMENT : mc-02-2des-mitm.png
* PUSH NOTE : 18. Bootstrapping & CKKS.md
* PUSH NOTE : 17. BGV Scheme.md
* PUSH NOTE : 16. The GMW Protocol.md
* PUSH ATTACHMENT : mc-16-beaver-triple.png
* PUSH NOTE : 15. Garbled Circuits.md
* PUSH NOTE : 14. Secure Multiparty Computation.md
* PUSH NOTE : 13. Sigma Protocols.md
* PUSH ATTACHMENT : mc-13-sigma-protocol.png
* PUSH ATTACHMENT : mc-13-okamoto.png
* PUSH ATTACHMENT : mc-13-chaum-pedersen.png
* PUSH ATTACHMENT : mc-13-gq-protocol.png
* PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md
* PUSH ATTACHMENT : mc-12-id-protocol.png
* PUSH NOTE : 11. Advanced Topics.md
* PUSH NOTE : 0. Introduction.md
* PUSH NOTE : 02. Symmetric Key Cryptography (1).md
* PUSH NOTE : 09. Transport Layer Security.md
* PUSH ATTACHMENT : is-09-tls-handshake.png
* PUSH NOTE : 08. Public Key Infrastructure.md
* PUSH ATTACHMENT : is-08-certificate-validation.png
* PUSH NOTE : 07. Public Key Cryptography.md
* PUSH NOTE : 06. RSA and ElGamal Encryption.md
* PUSH NOTE : 05. Modular Arithmetic (2).md
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md
* PUSH ATTACHMENT : is-03-feistel-function.png
* PUSH ATTACHMENT : is-03-cfb-encryption.png
* PUSH ATTACHMENT : is-03-ofb-encryption.png
* PUSH NOTE : 04. Modular Arithmetic (1).md
* PUSH NOTE : 01. Security Introduction.md
* PUSH ATTACHMENT : is-01-cryptosystem.png
* PUSH NOTE : Search Time in Hash Tables.md
* PUSH NOTE : 랜덤 PS일지 (1).md
* chore: rearrange articles
* feat: fix paths
* feat: fix all broken links
* feat: title font to palatino
@@ -40,18 +40,18 @@ Then $f(\bf{s}) = m$.
Let $\bf{s}' \in \braces{0, 1}^n$ be a new secret key. Generate the **bootstrapping keys**
$$
BK = \braces{\bf{k}_i}_{i=1}^n, \qquad \bf{k}_i = E(\bf{s}', s_i).
BK = \braces{\bf{k} _ i} _ {i=1}^n, \qquad \bf{k} _ i = E(\bf{s}', s _ i).
$$
Then by the homomorphic property of $f$,
$$
f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n) = f\big( E(\bf{s}', s_1), \dots, E(\bf{s}', s_n) \big) = E\big( \bf{s}', f(s_1, \dots, s_n) \big) = E(\bf{s}', m).
f(\bf{k _ 1}, \bf{k} _ 2, \dots, \bf{k} _ n) = f\big( E(\bf{s}', s _ 1), \dots, E(\bf{s}', s _ n) \big) = E\big( \bf{s}', f(s _ 1, \dots, s _ n) \big) = E(\bf{s}', m).
$$
#### Example with BGV
Technically, the expression $f(\bf{k_1}, \bf{k}_2, \dots, \bf{k}_n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
Technically, the expression $f(\bf{k _ 1}, \bf{k} _ 2, \dots, \bf{k} _ n)$ doesn't make sense, but it works. Consider a message $m$ encrypted with secret $\bf{s}$ in the BGV scheme.
$$
\bf{c} = (b, \bf{a}), \quad b = -\span{\bf{a}, \bf{s}} + m + 2e \pmod q.
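Review bot: the bold/subscript placement is inconsistent in the changed line `f(\bf{k _ 1}, \bf{k} _ 2, \dots, \bf{k} _ n) = ...`: the first key has the subscript inside the `\bf{...}` argument (`\bf{k _ 1}`), which applies the bold font to the subscript too, while the others put it outside (`\bf{k} _ 2`). Since this hunk is already touching that line and the same expression in the "Technically, the expression ..." paragraph, normalize all of them to `\bf{k} _ 1`. The ` _ ` spacing itself is harmless: TeX math mode ignores the whitespace around `_`, so the rendered output is unchanged and only the Markdown emphasis problem goes away.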
@@ -60,15 +60,15 @@ $$
The decryption is $r = b + \span{\bf{a}, \bf{s}} \pmod q$, and then taking the least significant bit. Consider it as a function
$$
f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum_{i=1}^n a_is_i.
f(\bf{s}) = b + \span{\bf{a}, \bf{s}} = b + \sum _ {i=1}^n a _ is _ i.
$$
For a new key $\bf{s}' = (s_1', \dots, s_n')$, generate bootstrapping keys $\bf{k}_i = E(\bf{s}', s_i)$ and plugging it in forcefully gives
For a new key $\bf{s}' = (s _ 1', \dots, s _ n')$, generate bootstrapping keys $\bf{k} _ i = E(\bf{s}', s _ i)$ and plugging it in forcefully gives
$$
\begin{aligned}
f(\bf{k}_1, \dots, \bf{k}_n) &= b + \sum_{i=1}^n a_i E(\bf{s}', s_i) = b + \sum_{i=1}^n E(\bf{s}', a_is_i) \\
&=b + E\paren{\bf{s}', \sum_{i=1}^n a_is_i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
f(\bf{k} _ 1, \dots, \bf{k} _ n) &= b + \sum _ {i=1}^n a _ i E(\bf{s}', s _ i) = b + \sum _ {i=1}^n E(\bf{s}', a _ is _ i) \\
&=b + E\paren{\bf{s}', \sum _ {i=1}^n a _ is _ i} = b + E\paren{\bf{s}', \span{\bf{a}, \bf{s}}}.
\end{aligned}
$$
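Review bot: the spacing chosen in `b + \sum _ {i=1}^n a _ is _ i` and `E(\bf{s}', a _ is _ i)` is hard to read in source, because `_ is _ i` groups visually as a subscript "is". It still renders as $a_i s_i$ since `_` binds only the next token, but `a _ i s _ i` says the same thing unambiguously; apply that to the `\begin{aligned}` block in this hunk as well. Separately, the step `\sum _ {i=1}^n a _ i E(\bf{s}', s _ i) = \sum _ {i=1}^n E(\bf{s}', a _ is _ i)` uses multiplication of a ciphertext by the public scalar $a_i$, and the next step uses ciphertext addition; naming those two homomorphic operations in the "plugging it in forcefully" sentence would make precise what "forcefully" means.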
@@ -81,7 +81,7 @@ b' &=b -\span{\bf{a}', \bf{s}'} + \span{\bf{a}, \bf{s}} + 2e' \\
\end{aligned}
$$
Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}_1, \dots, \bf{k}_n)$.[^1]
Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k} _ 1, \dots, \bf{k} _ n)$.[^1]
### Bootstrapping Procedure
@@ -89,13 +89,13 @@ Indeed, decrypting $b'$ will give $m$. So we have $E(\bf{s}', m)$ from $f(\bf{k}
>
> **Bootstrapping Key Generation**
> - Choose a new secret key $\bf{s}' \in \braces{0, 1}^n$.
> - Generate *bootstrapping key* $BK = \braces{\bf{k}_i}_{i=1}^n$ where $\bf{k}_i = E(\bf{s}', s_i)$.
> - Generate *bootstrapping key* $BK = \braces{\bf{k} _ i} _ {i=1}^n$ where $\bf{k} _ i = E(\bf{s}', s _ i)$.
>
> **Bootstrapping**
> - Generate a circuit representation $f : \braces{0, 1}^n \ra \braces{0, 1}$ of the decryption function $D(\cdot, \bf{c})$.
> - Compute and output $\bf{c}' = f(\bf{k}_1, \dots, \bf{k}_n)$.
> - Compute and output $\bf{c}' = f(\bf{k} _ 1, \dots, \bf{k} _ n)$.
The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k}_i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
The bootstrapping procedure returns an encryption of $m$ under $\bf{s}'$, as shown above. The key idea here is that $\bf{k} _ i$ are *fresh* ciphertexts at level $L$. Even though a few levels are consumed during the evaluation of $f$, the resulting ciphertext $\bf{c}'$ is not at level $0$ anymore, allowing us to do more computation.
> Suppose that the homomorphic evaluation of $f$ requires depth $d$, consuming $d$ levels. Then we say that the BGV scheme is **bootstrappable** if $d < L$. The output ciphertext $\bf{c}'$ will have level $l = L - d > 0$, which we call **remaining level**.
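Review bot: the claim in the changed paragraph that $\bf{c}'$ "is not at level $0$ anymore" is only justified by the definition that follows it (bootstrappable means $d < L$, remaining level $l = L - d > 0$). Either move that quoted definition before the paragraph or add the remaining level to the paragraph itself, e.g. "... the resulting ciphertext $\bf{c}'$ is at level $L - d > 0$", so the reader does not have to take the claim on faith until the next block.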
@@ -111,13 +111,13 @@ $$
\bf{s} \ra \bf{s}' \ra \bf{s}'' \ra \cdots
$$
Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s_i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
Currently, we set $\bf{s}' = \bf{s}$ and make the chain **circular**, so the bootstrapping keys are $E(\bf{s}, s _ i)$. $\bf{s}$ is being encrypted by itself. We wonder if this is secure, but there is no known proof for this. This is used as an assumption called the **circular security assumption**.
Designing an FHE scheme without the circular security assumption is currently an open problem.
## CKKS Scheme
The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z_p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
The [BGV scheme](../2023-11-23-bgv-scheme/#the-bgv-scheme) operates on $\Z _ p$, so it doesn't work on real numbers. **Cheon-Kim-Kim-Song** (CKKS) scheme works on real numbers using approximate computation.
### Approximate Computation
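Review bot: the changed line keeps the relative link `../2023-11-23-bgv-scheme/#the-bgv-scheme` unchanged while this commit renames the BGV note (the commit message lists `PUSH NOTE : 17. BGV Scheme.md` and states "feat: fix paths" and "feat: fix all broken links"). Verify that the date-based slug still resolves after the rename and, if not, update it in this hunk rather than in a follow-up; the same `../2023-11-23-bgv-scheme/...` links appear in the relinearization and rescaling sections further down in this file.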
@@ -129,7 +129,7 @@ $$
Here, $2.9979$ is the **significand**, $10$ is the base and $8$ is the exponent. We also call $10^8$ the **scaling factor**.
Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z_p$, there are $2$ methods to do this.
Floating point operations involve **rounding**, but rounding is not easy in homomorphic encryption. Using the BGV scheme on $\Z _ p$, there are $2$ methods to do this.
- Bit-wise Encryption
- $32$-bit integer results in $32$ ciphertexts.
@@ -139,7 +139,7 @@ Floating point operations involve **rounding**, but rounding is not easy in homo
- Integer Encryption
- To encrypt the significant, use a modulus large enough, such as $p > 2^{32}$.
- For multiplication, use $p > 2^{64}$.
- But rounding is hard in $\Z_p$.
- But rounding is hard in $\Z _ p$.
So our wish is to design an HE scheme that natively supports rounding operation!
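Review bot: the unchanged context line `To encrypt the significant, use a modulus large enough, such as $p > 2^{32}$.` has a typo: it should read `significand`, the term defined a few lines earlier (`$2.9979$ is the **significand**`). Since this hunk is already editing the neighbouring bullet (`But rounding is hard in $\Z _ p$.`), fix it here.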
@@ -150,12 +150,12 @@ In the LWE problem, error was added for security. This can be exploited, since c
> Let $n, q, \sigma$ be parameters for LWE and set a scaling factor $\Delta > 0$.
>
> **Key Generation**
> - A secret key is chosen as $\bf{s} = (s_1, \dots, s_n) \in \braces{0, 1}^n$, with its linearization gadget.
> - A secret key is chosen as $\bf{s} = (s _ 1, \dots, s _ n) \in \braces{0, 1}^n$, with its linearization gadget.
>
> **Encryption**: message $m \in \R$.
> - Randomly sample $\bf{a} = (a_1, \dots, a_n) \la \Z_q^n$ and $e \la D_\sigma$.
> - Randomly sample $\bf{a} = (a _ 1, \dots, a _ n) \la \Z _ q^n$ and $e \la D _ \sigma$.
> - Compute $b = -\span{\bf{a}, \bf{s}} + \round{\Delta \cdot m} + e \pmod q$.
> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$.
> - Output ciphertext $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$.
>
> **Decryption**
> - Compute $\mu = b + \span{\bf{a}, \bf{s}} \pmod q$.
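Review bot: the Encryption/Decryption block never states the condition under which decryption is correct. From `b = -\span{\bf{a}, \bf{s}} + \round{\Delta \cdot m} + e \pmod q`, the value `\mu = b + \span{\bf{a}, \bf{s}} \pmod q` equals $\round{\Delta \cdot m} + e$ only when $\abs{\round{\Delta \cdot m} + e} < q/2$, and the addition and multiplication sections below lean on exactly that bound (`If $\abs{\mu + \mu'} < q/2$`, `if $\abs{\mu\mu'} < q/2$`). Add the bound to the Decryption bullet while this hunk is editing the block. Also, "with its linearization gadget" in the Key Generation bullet refers to something not yet defined; either drop the phrase or point forward to the relinearization keys introduced later in the note.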
@@ -191,18 +191,18 @@ $$
### Addition in CKKS
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c}_\rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then, $\bf{c} _ \rm{add} = \bf{c} + \bf{c}'$ is an encryption of $m + m'$.
*Proof*. Decrypt $\bf{c}_\rm{add} = (b + b', \bf{a} + \bf{a}')$.
*Proof*. Decrypt $\bf{c} _ \rm{add} = (b + b', \bf{a} + \bf{a}')$.
$$
\mu_\rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
\mu _ \rm{add} = \mu + \mu' = (b + b') + \span{\bf{a} + \bf{a}', \bf{s}} \pmod q.
$$
If $\abs{\mu + \mu'} < q/2$, then
$$
\mu_\rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
\mu _ \rm{add} = \mu + \mu' = \Delta \cdot (m + m'),
$$
so the decryption results in $\Delta\inv \cdot (\mu + \mu') \approx m + m'$.
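Review bot: the changed display `\mu _ \rm{add} = \mu + \mu' = \Delta \cdot (m + m'),` uses `=` where only `\approx` holds: by the encryption rule, $\mu = \round{\Delta \cdot m} + e$, so $\mu + \mu'$ carries the rounding error and both noise terms. The sentence right after it (`\approx m + m'`) and the multiplication section (`\mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m')`) already use `\approx`; make this line match, since the hunk is rewriting it anyway.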
@@ -214,7 +214,7 @@ We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and the
> Let $\bf{c} = (b, \bf{a})$ and $\bf{c}' = (b', \bf{a}')$ be encryptions of $m, m' \in \R$. Then,
>
> $$
> \bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
> \bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')
> $$
>
> is an encryption of $mm'$ with $(1, \bf{s}, \bf{s} \otimes \bf{s})$.
@@ -223,7 +223,7 @@ We also use [tensor products](../2023-11-23-bgv-scheme/#tensor-product), and the
$$
\begin{aligned}
\mu_\rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
\mu _ \rm{mul} &= \mu\mu' = (b + \span{\bf{a}, \bf{s}})(b' + \span{\bf{a}', \bf{s}}) \\
&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} \pmod q
\end{aligned}
$$
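Review bot: the unchanged line `&= bb' + \span{b\bf{a}' + b' \bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}'} \pmod q` has a stray prime on the last secret: the preceding hunk states that $\bf{c} _ \rm{mul}$ is an encryption with respect to $(1, \bf{s}, \bf{s} \otimes \bf{s})$, and there is no second secret $\bf{s}'$ in this scheme. The relinearization correctness proof below writes `\span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}}`, so change this line to match while the adjacent line is being edited.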
@@ -231,10 +231,10 @@ $$
if $\abs{\mu\mu'} < q/2$. Then
$$
\mu_\rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
\mu _ \rm{mul} = \mu\mu' \approx (\Delta \cdot m) \cdot (\Delta \cdot m') = \Delta^2 \cdot mm'.
$$
So $mm' \approx \Delta^{-2} \cdot \mu_\rm{mul}$.
So $mm' \approx \Delta^{-2} \cdot \mu _ \rm{mul}$.
We have issues with multiplication, as we did in BGV.
@@ -246,42 +246,42 @@ We have issues with multiplication, as we did in BGV.
The relinearization procedure is almost the same as in [BGV relinearization](../2023-11-23-bgv-scheme/#relinearization).
For convenience, let $a_{i, j} = a_i a_j'$.
For convenience, let $a _ {i, j} = a _ i a _ j'$.
> **Relinearization Keys**: for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, perform the following.
> - Sample $\bf{u}_{i, j, k} \la \Z_q^{n}$ and $e_{i, j, k} \la D_\sigma$.
> - Compute $v_{i, j, k} = -\span{\bf{u}_{i, j, k}, \bf{s}} + 2^k \cdot s_i s_j + e_{i, j, k} \pmod q$.
> - Output $\bf{w}_{i, j, k} = (v_{i, j, k}, \bf{u}_{i, j, k})$.
> - Sample $\bf{u} _ {i, j, k} \la \Z _ q^{n}$ and $e _ {i, j, k} \la D _ \sigma$.
> - Compute $v _ {i, j, k} = -\span{\bf{u} _ {i, j, k}, \bf{s}} + 2^k \cdot s _ i s _ j + e _ {i, j, k} \pmod q$.
> - Output $\bf{w} _ {i, j, k} = (v _ {i, j, k}, \bf{u} _ {i, j, k})$.
>
> **Linearization**: given $\bf{c}_\rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w}_{i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
> **Linearization**: given $\bf{c} _ \rm{mul} = (bb', b\bf{a}' + b' \bf{a}, \bf{a} \otimes \bf{a}')$, $\bf{w} _ {i, j, k}$ for $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$, output the following.
>
> $$
> \bf{c}_\rm{mul}^\ast = (b_\rm{mul}^\ast, \bf{a}_\rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum_{i=1}^n \sum_{j=1}^n \sum_{k=0}^{\ceil{\log q}} a_{i, j}[k] \bf{w}_{i, j, k} \pmod q.
> \bf{c} _ \rm{mul}^\ast = (b _ \rm{mul}^\ast, \bf{a} _ \rm{mul}^\ast) = (bb', b\bf{a}' + b'\bf{a}) + \sum _ {i=1}^n \sum _ {j=1}^n \sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \bf{w} _ {i, j, k} \pmod q.
> $$
Correctness can be checked. The bounds for summations are omitted for brevity. They range from $1 \leq i, j \leq n$ and $0 \leq k < \ceil{\log q}$.
$$
\begin{aligned}
b_\rm{mul}^\ast + \span{\bf{a}_\rm{mul}^\ast, \bf{s}} &= bb' + \sum_{i, j, k} a_{i, j}[k] \cdot v_{i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \span{\bf{u}_{i, j, k}, \bf{s}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \cdot \paren{v_{i, j, k} + \span{\bf{u}_{i, j, k}, \bf{s}}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j, k} a_{i, j}[k] \paren{2^k \cdot s_is_j + e_{i, j, k}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum_{i, j} a_{i, j}s_i s_j + \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \\
b _ \rm{mul}^\ast + \span{\bf{a} _ \rm{mul}^\ast, \bf{s}} &= bb' + \sum _ {i, j, k} a _ {i, j}[k] \cdot v _ {i, j, k} + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \span{\bf{u} _ {i, j, k}, \bf{s}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \cdot \paren{v _ {i, j, k} + \span{\bf{u} _ {i, j, k}, \bf{s}}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j, k} a _ {i, j}[k] \paren{2^k \cdot s _ is _ j + e _ {i, j, k}} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \sum _ {i, j} a _ {i, j}s _ i s _ j + \sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \\
&= bb' + \span{b\bf{a}' + b'\bf{a}, \bf{s}} + \span{\bf{a} \otimes \bf{a}', \bf{s} \otimes \bf{s}} + e\conj \\
&= \mu_\rm{mul} + e\conj\pmod q.
&= \mu _ \rm{mul} + e\conj\pmod q.
\end{aligned}
$$
Since
$$
e\conj = \sum_{i, j, k} a_{i, j}[k] \cdot e_{i, j, k} \ll q,
e\conj = \sum _ {i, j, k} a _ {i, j}[k] \cdot e _ {i, j, k} \ll q,
$$
we have
$$
\mu_\rm{mul}^\ast = \mu_\rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
\mu _ \rm{mul}^\ast = \mu _ \rm{mul} + e\conj \approx \mu\mu' \approx \Delta^2 \cdot mm'.
$$
Note that the proof is identical to that of BGV linearization, except for missing constant factor $2$ in the error.
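Review bot: the summation bound in the changed Linearization display `\sum _ {k=0}^{\ceil{\log q}} a _ {i, j}[k] \bf{w} _ {i, j, k}` is off by one relative to the key definition two lines above it: relinearization keys exist only for $0 \leq k < \ceil{\log q}$, so the upper limit should be $\ceil{\log q} - 1$ (the correctness proof avoids the question by writing `\sum _ {i, j, k}` and restating the range in prose). Also, `a _ {i, j}[k]` is never defined in this note; the step from `\sum _ {i, j, k} a _ {i, j}[k] \paren{2^k \cdot s _ is _ j + e _ {i, j, k}}` to `\sum _ {i, j} a _ {i, j}s _ i s _ j` silently uses $\sum _ k a _ {i, j}[k] \cdot 2^k = a _ {i, j}$, i.e. that $a _ {i, j}[k]$ is the $k$-th bit of $a _ {i, j}$. A one-line definition next to `let $a _ {i, j} = a _ i a _ j'$` would make the proof self-contained, and since this hunk rewrites every line of the proof, that is the place to add it.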
@@ -290,12 +290,12 @@ Note that the proof is identical to that of BGV linearization, except for missin
In BGV, we used modulus switching for [noise reduction](../2023-11-23-bgv-scheme/#noise-reduction). It was for reducing the error and preserving the message. We also use modulus switching here, but for a different purpose. The message can have small numerical errors, we just want to reduce the scaling factor. This operation is called **rescaling**.
Given $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
Given $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ such that $b + \span{\bf{a}, \bf{s}} = \mu \pmod q$ and $\mu \approx \Delta^2 \cdot m$, we want to generate a new ciphertext of $m' \approx m$ that has a scaling factor reduced to $\Delta$. This can be done by dividing the ciphertext by $\Delta$ and then rounding it appropriately.
> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z_q^{n+1}$ be given.
> **Modulus Switching**: let $\bf{c} = (b, \bf{a}) \in \Z _ q^{n+1}$ be given.
>
> - Let $q' = \Delta \inv \cdot q$.[^2]
> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z_{q'}^{n+1}$.
> - Output $\bf{c}' = \round{\Delta\inv \cdot \bf{c}} \in \Z _ {q'}^{n+1}$.
Note that the modulus has been switched to $q'$. Constant multiplication and rounding is done component-wise on $\bf{c}$.
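Review bot: the open question in footnote [^2] ("No rounding...?") attached to `> - Let $q' = \Delta \inv \cdot q$.` can be settled inside this hunk: $q'$ is an integer exactly when $\Delta$ divides $q$, and the modulus chain defined in the next section ($q _ k = \Delta^{k+1}$, switched to $q _ {k-1} = q _ k / \Delta$) guarantees that by construction. State the divisibility requirement in the Modulus Switching block and drop the footnote; the rounding in `\round{\Delta\inv \cdot \bf{c}}` then applies only to the ciphertext components, as the sentence after the block already says.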
@@ -304,23 +304,23 @@ We check that $\bf{c}'$ has scaling factor $\Delta$. We know that $\mu' = b' + \
Let $k \in \Z$ such that $b + \span{\bf{a}, \bf{s}} = \mu + kq$. By the choice of $b'$ and $\bf{a}'$, we have
$$
b' = \Delta\inv \cdot b + \epsilon_0, \quad a_i' = \Delta\inv \cdot a_i + \epsilon_i
b' = \Delta\inv \cdot b + \epsilon _ 0, \quad a _ i' = \Delta\inv \cdot a _ i + \epsilon _ i
$$
for some $\epsilon_i$ such that $\abs{\epsilon_i} \leq 0.5$. So we have
for some $\epsilon _ i$ such that $\abs{\epsilon _ i} \leq 0.5$. So we have
$$
\begin{aligned}
\mu' &= \Delta\inv \cdot \paren{b + \sum_{i=1}^n a_i s_i} + \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i \\
\mu' &= \Delta\inv \cdot \paren{b + \sum _ {i=1}^n a _ i s _ i} + \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i \\
&= \Delta\inv \cdot (\mu + kq) + \epsilon \approx \Delta \inv \cdot (\Delta^2 \cdot m) + kq' = \Delta \cdot m \pmod{q'},
\end{aligned}
$$
since $\epsilon = \epsilon_0 + \sum_{i=1}^n \epsilon_i s_i$ is small.
since $\epsilon = \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i$ is small.
### Modulus Chain
Using modulus switching, we can set $q_L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q_{k-1} = q_k / \Delta$.
Using modulus switching, we can set $q _ L = \Delta^{L+1}$ where $L$ is the maximal level for multiplication. After each multiplication, the modulus is switched to $q _ {k-1} = q _ k / \Delta$.
Multiplication increases the scaling factor to $\Delta^2$, and then rescaling operation reduces the scaling factor back to $\Delta$.
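Review bot: the changed line `since $\epsilon = \epsilon _ 0 + \sum _ {i=1}^n \epsilon _ i s _ i$ is small.` leaves the bound implicit although it follows from the visible lines: with $\abs{\epsilon _ i} \leq 0.5$ and $\bf{s} \in \braces{0, 1}^n$, one gets $\abs{\epsilon} \leq (n+1)/2$, so the rescaled value is within $(n+1)/2$ of $\Delta \cdot m$ and the approximation `\approx \Delta \cdot m \pmod{q'}` is good only when $\Delta \gg n$. Adding that clause makes the parameter constraint on $\Delta$ explicit for readers who later pick parameters.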
@@ -330,19 +330,19 @@ $$
\Delta^{L+1} \ra \Delta^L \ra \cdots \ra \Delta.
$$
When we reach $q_0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
When we reach $q _ 0 = \Delta$, we cannot perform any multiplications, so we apply [bootstrapping](../2023-12-08-bootstrapping-ckks/#bootstrapping) here.
### Multiplication in CKKS (Summary)
- Set up a modulus chain $q_k = \Delta^{k+1}$ for $k = 0, \dots, L$.
- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z_{q_k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z_{q_k}^{n+1}$ with modulus $q_k$ and **scaling factor** $\Delta$.
- Set up a modulus chain $q _ k = \Delta^{k+1}$ for $k = 0, \dots, L$.
- Given two ciphertexts $\bf{c} = (b, \bf{a}) \in \Z _ {q _ k}^{n+1}$ and $\bf{c}' = (b', \bf{a}') \in \Z _ {q _ k}^{n+1}$ with modulus $q _ k$ and **scaling factor** $\Delta$.
- (**Tensor Product**) $\bf{c}_\rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q_k}$.
- (**Tensor Product**) $\bf{c} _ \rm{mul} = \bf{c} \otimes \bf{c}' \pmod{q _ k}$.
- Now we have $n^2$ dimensions and scaling factor $\Delta^2$.
- (**Relinearization**)
- Back to $n$ dimensions and scaling factor $\Delta^2$.
- (**Modulus Switching**; **Rescaling**)
- Modulus is switched to $q_{k-1}$ and scaling factor is back to $\Delta$.
- Modulus is switched to $q _ {k-1}$ and scaling factor is back to $\Delta$.
[^1]: The noise hasn't gone away since we didn't *fully evaluate* the decryption circuit, which takes the remainders from dividing by $q$ and $2$.
[^2]: No rounding...?
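Review bot: the changed line links to `../2023-12-08-bootstrapping-ckks/#bootstrapping`, which appears to be this same note (both the bootstrapping procedure and the CKKS scheme are sections of this file, and the commit message pushes it as `18. Bootstrapping & CKKS.md`). A bare in-page anchor `#bootstrapping` would survive the rename this commit performs, whereas the date slug may not; given the commit message's "fix all broken links", check it here. Also, in the summary bullet `Now we have $n^2$ dimensions and scaling factor $\Delta^2$`, the count is loose: $\bf{c} \otimes \bf{c}'$ as defined above is $(bb', b\bf{a}' + b'\bf{a}, \bf{a} \otimes \bf{a}')$, which has $1 + n + n^2$ components, so either give the exact count or say "quadratic in $n$".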