A Regev-Type Fully Homomorphic Encryption Scheme Using Modulus Switching

A critical challenge in a fully homomorphic encryption (FHE) scheme is managing noise. Modulus switching is currently the most efficient noise management technique. When using modulus switching to design and implement a FHE scheme, choosing concrete parameters is an important step, but to the best of our knowledge, this step has drawn very little attention in the existing FHE literature. The contributions of this paper are twofold. On one hand, we propose a function for the lower bound of the dimension value in the switching techniques, depending on the specific LWE security level. On the other hand, as a case study, we modify the Brakerski FHE scheme (in Crypto 2012) by using the modulus switching technique. We recommend concrete parameter values for our proposed scheme and provide a security analysis. Our result shows that the modified FHE scheme is more efficient than the original Brakerski scheme at the same security level.


Introduction
A fully homomorphic encryption (FHE) scheme allows arbitrary functions on certain data (referred to as plaintexts) to be performed via their ciphertexts (the encrypted version of the plaintexts) without decrypting the ciphertexts first; therefore, performing these functions does not require one to hold the secret decryption key corresponding to the encryption algorithm. This cryptographic primitive has shown a variety of attractive applications both in theory and in practice. A typical application example is to outsource a computational job to a mistrusted remote server without compromising data privacy.
Since Gentry constructed the first FHE scheme in 2009 [1], a number of FHE schemes, including various optimizations of Gentry's original scheme, have been proposed. Gentry and colleagues developed several FHE schemes with different improvements, for example, [2][3][4][5][6]; one of them is how to bootstrap "packed" ciphertexts [6]. Smart and Vercauteren modified the Gentry scheme with the purpose of reducing the key and ciphertext sizes [7]. Stehlé and Steinfeld provided two improvements, a more aggressive analysis and a probabilistic decryption algorithm, in order to make the Gentry type of FHE schemes faster [8]. Brakerski et al. made a number of important contributions to this research field, such as [9][10][11][12][13], the details of which will be discussed in the later part of this paper. Furthermore, van Dijk et al. proposed a new FHE construction over the integers [14], and Coron et al. further suggested how to optimize this idea with shorter keys [15,16]. López-Alt et al. constructed a multikey FHE scheme, which allows multiple ciphertexts under different keys to be decrypted jointly [17]. Alperin-Sheriff and Peikert introduced a method to achieve practical bootstrapping in quasilinear time [18].
The Scientific World Journal
One critical challenge when constructing a FHE scheme is managing the noise growth in the process of homomorphic additions and multiplications. To the best of our knowledge, there exist so far three techniques to manage the noise growth, as follows.
The first technique is bootstrapping, which was used in the first FHE scheme introduced by Gentry. Bootstrapping means that the scheme evaluates its own decryption circuit homomorphically. One can use a bootstrapping process to get a new ciphertext after each homomorphic addition or homomorphic multiplication. The noise level in the new ciphertext is maintained at a fixed level. As long as this noise level permits, one can handle the next homomorphic addition or multiplication. By recursing this process a leveled FHE scheme can be developed, and the number of levels (that is, the depth of the levels) for a computational circuit can be arbitrary under an assumption of circular security. A FHE scheme with the property of having an arbitrary depth of leveled circuits is referred to as a "pure" FHE scheme.
The second technique is modulus switching. This technique was developed by Brakerski and Vaikuntanathan in [10] and improved in [11]. The main idea of modulus switching is to scale down the ciphertext vector c over Z or a factor after each multiplication, which results in a new ciphertext vector c/ over Z / . A scaling process switches the first modulus to the second modulus / and also reduces the noise in the ciphertext vector c to the new noise / in the new ciphertext vector c/ . By following this process, the absolute magnitude of the new noise in the new ciphertext actually decreases. Modulus switching therefore can be used to manage noise at the cost of sacrificing the size of modulus. A leveled FHE scheme without bootstrapping can be achieved by modulus switching. In this technique, the depth of leveled computational circuits is prearranged before the computation starts. The depth is presented as a polynomial. For any prearranged polynomial denoted by , one can evaluate circuits of depth by carefully choosing the ladder of decreasing modulus.
The third technique is called Flatten, developed by Gentry et al. in [19]. It is designed for the case that an encryption key is presented as a vector and a ciphertext is presented as a matrix. It makes the coefficients of a vector or matrix small by using a flattening technique.
Among the three techniques for noise management, bootstrapping is a general technique that can be used to manage noise in any FHE scheme, but it is very costly! The technique of Flatten is only used in the case where ciphertexts are matrices and the secret keys are vectors. Modulus switching is a lightweight and very powerful way to manage noise and one can efficiently evaluate an arithmetic circuit with an arbitrary polynomial size without resorting to bootstrapping. In this paper, we will focus on modulus switching for noise management and consider the case that ciphertexts and the secret keys are both vectors.
In terms of noise growth, the noise grows from to 2 with every multiplication in most of the existing FHE schemes, where denotes the noise magnitude in ciphertext. However, in the FHE scheme [12] by Brakerski in 2012 (we call it Bra12 for short), each homomorphic multiplication does not square the noise; instead, the noise grows from to poly( ) ⋅ after each homomorphic multiplication. From this point of view, the Bra12 scheme looks more efficient, but in fact it is not. Since the Bra12 scheme makes use of bootstrapping to manage noise, it requires the modulus to be big so that the scheme has a circuit with enough depth to evaluate its own decryption circuit, for example, =̃(2 /2 ). The security of the scheme depends on the ratio / , where is an initial magnitude of noise; therefore, cannot be small. For these reasons the secret key s is sampled uniformly from Z rather than from the error distribution in the Bra12 scheme. In addition, the noise in homomorphic multiplication in the Bra12 scheme mainly depends on the 1-norm of s, written as ‖s‖ 1 . In order to reduce the noise, the scheme uses binary decomposition of the secret key s to reduce the norm ‖s‖ 1 . This means that a ciphertext c under the key s is converted into a new form of ciphertext, denoted by Powerof2(c) under key BitDecomp(s). Although the new form of the ciphertext and the secret key can effectively reduce the noise, it increases the dimension of the ciphertext and the secret key. In particular, the dimension of the ciphertext and secret key can further blow up in homomorphic multiplication and key switching, which leads to a fatal result when evaluating deep circuits, since it may need too much memory to compute. This feature considerably affects efficiency in the Bra12 scheme.
In this paper, we use modulus switching and an additional technique to improve the efficiency of the Bra12 scheme. Our scheme has the following properties: (1) The dimension of the ciphertext and the secret key in homomorphic multiplication and key switching is lower than in the Bra12 scheme. The ciphertext for homomorphic multiplication is defined as ⌊2/ ⋅ (c 1 ⊗ c 2 )⌉ that corresponds to the secret key s ⊗ s in our scheme, while the ciphertext for homomorphic multiplication is defined as ⌊2/ ⋅ (Powerof2(c 1 ) ⊗ Powerof2(c 2 ))⌉ that corresponds to the secret key BitDecomp(s) ⊗ BitDecomp(s) in the Bra12 scheme.
(2) The secret key s is sampled from a Gaussian distribution in our scheme, which can enable us to get small coefficients of s. In the Bra12 scheme, the secret key s is sampled uniformly from Z .
(3) Our scheme uses modulus switching to manage noise, while the Bra12 scheme uses bootstrapping to manage noise.
(4) In our scheme the initial modulus is that ≈ 2 for every < 1, while in the Bra12 scheme the modulus is that ≈̃(2 /2 ). The small modulus makes our scheme considerably efficient.
For a FHE scheme using modulus switching, it is very important to choose a ladder of gradually decreasing moduli { }. However, so far there has not been a concrete method for choosing these parameters in terms of a certain security level, even in the BGV scheme [11], which just provided a general method to choose moduli { }. In this paper, we provide a solution to this problem. We first derive a function between the lower bound on the dimension of the LWE problem and the security level. Then we can choose every concrete modulus and other parameters for a certain security level (e.g., the security level is 80 bit) according to this function.
The rest of this paper is organized as follows. Section 2 defines notational conventions, introduces the LWE assumption, and defines homomorphic encryption and its related terms. Section 3 introduces the Regev encryption scheme that our scheme is based on and defines the invariant structure. There is a minor change in the Regev encryption scheme that we describe here. We sample the secret key from a Gaussian distribution rather than sample uniformly from Z in the Regev encryption scheme. Section 4 analyzes the homomorphic properties from the viewpoint of the invariant structure and the noise growth in homomorphic addition and multiplication. Section 5 introduces key switching and modulus switching. Our FHE scheme based on the modified Regev encryption scheme is presented in Section 6. We analyze how to enable the correctness of our scheme in Section 7. The security and the parameters of our scheme are presented in Section 8. We conclude the paper with a performance comparison between our scheme and the Bra12 scheme in Section 9.
We use ← D to denote that is a sample from a distribution D. We define -bounded distributions as ones whose magnitudes never exceed .
The inner product of two vectors v, u of dimension is denoted by ⟨v, u⟩, recalling that ⟨v, u⟩ = v ⋅ u. The tensor product of two vectors v, u of dimension , denoted by v ⊗ u, is the 2 dimensional vector containing all elements of the form v[ ]u[ ]. Note that ⟨v ⊗ u, x ⊗ y⟩ = ⟨v, x⟩ ⋅ ⟨u, y⟩.
A lattice is defined as the set of all integer combinations The two kinds of -ary lattices are dual to each other, namely, Λ (A) = ⋅ Λ ⊥ (A) * and Λ ⊥ (A) = ⋅ Λ (A) * .

Learning with Errors (LWE).
The learning with errors (LWE) problem was introduced by Regev [20]. This problem was later generalized as the ring learning with errors (RLWE) problem by Lyubashevsky et al. [21]. For security parameter , let = ( ) be an integer dimension, let = ( ) ⩾ 2 be an integer, a vector s ∈ Z n q , and let = ( ) be a distribution over Z. Let A S, be the distribution obtained by choosing a vector a from Z uniformly at random and a noise term ← , and outputting (a, ⟨a, s⟩ + ) ∈ Z × Z . The LWE problem includes the search-LWE problem and the decision-LWE problem. The search-LWE problem is, given an arbitrary number of independent samples from A S, , to output s with high probability. We are primarily interested in the decision-LWE (DLWE) problem for cryptographic applications. The DLWE problem is defined as follows.
Definition 1 (DLWE). For an integer = ( ) and an error distribution = ( ) over Z, the decision-LWE problem, denoted by DLWE , , , is to distinguish the following two distributions: in the first distribution, one sample from A S, ; in the second distribution, one sample uniformly from Z +1 . The DLWE , , assumption is that solving DLWE , , is computationally infeasible.
Two kinds of reductions are known, namely, the quantum reduction [20] and classical [22,23] reduction, between DLWE , , and approximating short vector problems in lattices. Particularly, a probability distribution is taken to be the Gaussian distribution, which is statistically indistinguishable from the -bound distribution for an appropriate value .
Note that the DLWE problem can be seen as a bounded distance decoding problem in -ary lattices. The second component of an LWE instance can be seen as a perturbed lattice point in Λ (A ), to be decoded.
We now state the quantum reduction from worst-case lattice problems to the LWE problem introduced in [20].

Theorem 2. For any integer dimension , prime integer = ( ), and = ( ) ⩾ 2 , there is an efficiently samplable -bound distribution such that if there exists an efficient (possibly quantum) algorithm that solves
, , , then there is an efficient quantum algorithm for solving̃( ⋅ 1.5 / )approximate worst-case SIVP and gapSVP.
There are other forms of (see [24,25]). In addition, if the vector s is sampled from the distribution , then the LWE problem is still hard. We sample s from the Gaussian distribution in our scheme.

Leveled Fully Homomorphic Encryption.
A homomorphic encryption scheme HE = (Keygen, Enc, Dec, Eval) is a quadruple of PPT algorithms. For the definition of fully homomorphic encryption, readers can refer to [1,12].
At present, there are two types of fully homomorphic encryption schemes. One is leveled fully homomorphic encryption schemes, in which the parameters of a scheme depend on the depth of the circuits that the scheme can evaluate. In that case any circuit with a polynomial depth can be evaluated. The other is pure fully homomorphic encryption schemes, which can be built from a leveled fully homomorphic encryption scheme with the assumption of circular security. A pure fully homomorphic encryption scheme can evaluate circuits whose depth is not limited. The following definitions are taken from [12].
Definition 4 (compactness, full homomorphism, and leveled full homomorphism). A homomorphic scheme is compact if its decryption circuit is independent of the evaluated function. A compact scheme is fully homomorphic if it ishomomorphic for any polynomial . The scheme is leveled fully homomorphic if it takes 1 as additional input in key generation.

The Basic Encryption Scheme
Like the Bra12 scheme, our scheme is based on Regev's encryption scheme [20]. We now describe the Regev encryption scheme, but we sample the secret key s from a Gaussian distribution, whereas it was sampled uniformly from Z in the Regev encryption scheme. This modification allows us to achieve our goal that the error distribution can be set to be as small as possible in our scheme. We call this modified Regev encryption scheme the basic encryption scheme. Let = ( ) be the dimension of lattice, an odd modulus = ( ), and an error distribution = ( ). The basic encryption scheme is described as follows.
The basic encryption scheme above is semantically secure based on the hardness of the LWE problem. The proof of this statement follows the proof of security of the original Regev encryption scheme given in [20].
A FHE scheme needs to maintain an invariant structure in decryption that is composed of plaintext and noise. The scheme must keep the invariant structure in the process of homomorphic addition and homomorphic multiplication in order to achieve homomorphism. Next, we define the invariant structure in the above basic encryption scheme and explain the relationship between the correctness of decryption and the noise magnitude in ciphertext.

Lemma 5.
Let c ∈ Z +1 and s ∈ Z +1 be two vectors such that where Dec(s, c).

Proof. By definition
Since the coefficients of e are taken from a Gaussian distribution , = ⟨r, e⟩ is also subject to a Gaussian distribution by a standard fact about Gaussian distributions. Claim 5.2 in [20] shows that | | < ⌊ /2⌋/2 with high probability. Consider an encryption of 0 now; it is closer to 0 than to ⌊ /2⌋ in this case and therefore the decryption is correct. The proof for an encryption of 1 is similar. The term is called the noise. ⌊ /2⌋ ⋅ + (mod ) is called the invariant structure. Lemma 5 above shows that the invariant structure holds as long as | | < ⌊ /2⌋/2, which ensures the correctness of decryption. Note that it is very important to keep the invariant structure in ciphertexts generated in homomorphic evaluation.

Homomorphic Properties and Noise Analysis
We take the definition of homomorphic addition and homomorphic multiplication from the Bra12 scheme, but here we analyze the homomorphic properties of the above scheme by the approach of the invariant structure. Now we analyze the noise growth in the homomorphic addition and multiplication. Let c 1 and c 2 be two ciphertexts under the same secret key s for modulus such that for some 1 and 2 .

Homomorphic Addition.
Let c add = c 1 + c 2 . If the invariant structure ⟨c 1 + c 2 , s⟩ = ⌊ /2⌋ ⋅ ( 1 + 2 ) + (mod ) holds during the decryption of c add for some , the decryption is correct, so that homomorphic addition is obtained. By definition Let add = 1 + 2 . According to Lemma 5, if | add | < ⌊ /2⌋/2, then 1 + 2 ← E.Dec(sk,c 1 +c 2 ). It also means that the invariant structure ⌊ /2⌋ ⋅ ( 1 + 2 ) + 1 + 2 ( mod ) can be kept in the decryption of c add . We note that the noise term of the output is the sum of the input noises.

Homomorphic Multiplication.
Multiplicative homomorphism cannot be straightforwardly achieved. We need to construct a form of the two input ciphertexts to represent the homomorphic multiplication such that we can get the product of the two plaintexts with respect to the input ciphertexts after decrypting the homomorphic multiplication. For this purpose, we now focus on the invariant structure in the process of decryption. If the invariant structure ⌊ /2⌋ ⋅ ( 1 ⋅ 2 ) + for some is kept in the decryption of the homomorphic multiplication, we could achieve multiplicative homomorphism. Next, we describe how to achieve multiplicative homomorphism by the approach of the invariant structure.
The ciphertext for multiplication can thus be defined as ⌊2/ ⋅ (c 1 ⊗ c 2 )⌉ that can be decrypted using a tensored secret key s ⊗ s. The invariant structure in the decryption of the homomorphic multiplication is ⌊ /2⌋ ⋅ 1 2 + mult 1 + mult 2 . If | mult 1 + mult 2 | < ⌊ /2⌋/2, according to Lemma 5, the invariant structure can be kept such that the correctness of decryption can hold. So we have 1 2 ← E.Dec(sk, ⌊2/ ⋅ (c 1 ⊗ c 2 )⌉), where sk is s ⊗ s. So far, we have finished the construction for the ciphertext for multiplication. We have achieved homomorphic addition and homomorphic multiplication. However, the noise growth is caused in the homomorphic addition and homomorphic multiplication.
The problem of noise growth in the homomorphic evaluation directly affects the homomorphic ability of the above basic encryption scheme, so it is critical to manage noise growth when constructing the FHE scheme. Before we solve the problem of noise growth, we analyze in the next subsection the noise growth in a homomorphic addition and homomorphic multiplication. Note that our analysis method for the noise growth is different from the one used in the Bra12 scheme, as the secret key s is sampled from a Gaussian distribution, which makes the secret key s -bounded. In addition, we give a tighter noise analysis than the one in [12].
Analysis for Multiplication. By (10) We first analyze the bound of mult 1 . The magnitude of mult 1 mainly depends on the term 2( 1 2 + 1 2 ), so we check the bound of the absolute value of 1 (the same bound also holds for 2 ): The absolute value of 1 depends on ‖s‖ 1 from above inequality, then the bound of 1 is ( ⋅ ‖s‖ 1 ). The tighter bound is described as follows: Next, we analyze the bound of mult 2 . According to the definition of an error r = ⌊2/ ⋅(c 1 ⊗c 2 )⌉−2/ ⋅(c 1 ⊗c 2 ) and the secret key sampled from a -bounded Gaussian distribution, we get ‖r‖ ∞ ⩽ 1/2 and |s ⊗ s| ⩽ ( + 1) 2 2 . Then Putting these together, we get mult 1 We see that the significant noise term in the homomorphic multiplication depends on ‖s‖ 1 from Lemma 6, which also happens in the Bra12 scheme. In order to reduce the norm, the secret key s is expressed in binary form, namely, BitDecomp(s), and the ciphertext corresponding to s is then expressed as Powerof2(c). The side effect is to produce a ciphertext vector and a secret key vector of high dimension. In particular, the ciphertext has the form ⌊2/ ⋅ ( 2(c 1 ) ⊗ 2(c 2 ))⌉ under the key BitDecomp(s 1 ) ⊗ BitDecomp(s 2 ) after homomorphic multiplication, which results in a large amount of computation that requires a large memory. The process cannot be practical. However, our scheme does not have this drawback. Since we sample the secret key from a Gaussian distribution that enables the coefficients of the secret key to be as small as possible, the secret key s need not be expressed in binary form, and neither does the ciphertext. That is the reason why it can improve performance.
Under the above definition of homomorphic addition and homomorphic multiplication, we can perform only a bounded number of homomorphic operations (namely, a somewhat homomorphic encryption scheme), because the noise and the dimension grow as a result of performing homomorphic operations. Therefore, there are two problems that should be solved in order to achieve a FHE scheme based on the somewhat homomorphic encryption scheme.
First, we need to control the dimension of the ciphertext that increases from + 1 to ( + 1) 2 after a homomorphic multiplication. We use the key switching technique to solve this problem.
Second, we need to manage the noise growth in homomorphic operations. We use modulus switching to solve this problem.

Key Switching and Modulus Switching
We describe the two techniques: key switching and modulus switching. Our notation is adopted from [11].

Key Switching.
Key switching can transform a ciphertext c 1 under a secret key s 1 to a new ciphertext c 2 under a secret key s 2 , in which c 1 and c 2 encrypt the same message. If the dimension of c 2 and s 2 is lower than the dimension of c 1 and s 1 , the dimension of the key and ciphertext vectors is reduced by key switching.
Key switching consists of two procedures. The first procedure is denoted by SwitchKeyGen(s 1 , s 2 , 1 , 2 , ), which takes as input the two secret key vectors, the respective dimension of these vectors, the corresponding modulus , and outputs some auxiliary information that is a matrix. The second procedure is denoted by SwitchKey( , c 1 , 1 , 2 , ), which takes as input the auxiliary information , a ciphertext c 1 , and its dimension 1 , the dimension of the output ciphertext 2 , and the modulus , and outputs a new ciphertext c 2 whose dimension is 2 .
SwitchKeyGen(s 1 ∈ Z 1 , s 2 ∈ Z 2 ): , which means to add the Powerof2(s 1 ) ∈ Z to −A 's first column and add b to −A 's second column. Output s 1 → s 2 = B.
Key switching is essentially the product of a high dimension vector and a high dimension matrix. Next, we describe the correctness of key switching; namely, the decryption of the new ciphertext can preserve correctness. The proof is based on the definition (see [11]).
The next lemma shows that it is possible to transform a ciphertext c that encrypts under key s for modulus into a ciphertext c that encrypts under the same key s for modulus . Since our basic encryption scheme is different from the basic scheme in the BGV scheme [11], the proof of Lemma 9 is slightly different from the proof in [11].
The following corollary follows immediately from Lemma 9.
Since the noise magnitude in the ciphertext c depends on the length of the key vector s, we must make the length of the key vector s short in order to use modulus switching to reduce the magnitude of the noise. For this purpose, we sample the key s from a Gaussian distribution that is set to be as small as possible.
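Added example (not from the paper): a toy Python run of a Regev-type scheme with a Gaussian secret key, covering the invariant structure of Lemma 5, homomorphic addition, and modulus switching from a modulus q to a smaller modulus p. The key and ciphertext layout (s = (1, t), public key [b | -A]) follows the standard Regev construction and is an assumption here, as are the function names and the toy parameters, which are far too small to be secure.

```python
import random

def centered(x, q):
    """Representative of x mod q in the interval (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def small(rng, sigma, bound):
    """Rounded Gaussian sample, resampled until |x| <= bound."""
    while True:
        x = round(rng.gauss(0, sigma))
        if abs(x) <= bound:
            return x

def keygen(rng, n, N, q, sigma, bound):
    """Secret key s = (1, t) with Gaussian t; public key P = [b | -A], so P*s = e mod q."""
    t = [small(rng, sigma, bound) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(N)]
    e = [small(rng, sigma, bound) for _ in range(N)]
    b = [(sum(a * ti for a, ti in zip(row, t)) + ei) % q for row, ei in zip(A, e)]
    P = [[bi] + [(-a) % q for a in row] for bi, row in zip(b, A)]
    return [1] + t, P

def encrypt(rng, P, q, m):
    """c = P^T r + floor(q/2) * (m, 0, ..., 0) mod q for a random binary vector r."""
    r = [rng.randrange(2) for _ in P]
    c = [sum(ri * row[j] for ri, row in zip(r, P)) % q for j in range(len(P[0]))]
    c[0] = (c[0] + (q // 2) * m) % q
    return c

def inner(c, s, q):
    return sum(ci * si for ci, si in zip(c, s)) % q

def decrypt(c, s, q):
    """Round 2/q * <c, s> to the nearest integer and reduce mod 2 (integer arithmetic)."""
    return ((4 * inner(c, s, q) + q) // (2 * q)) % 2

def noise(c, s, q, m):
    """Noise e in the invariant structure <c, s> = floor(q/2) * m + e (mod q)."""
    return centered(inner(c, s, q) - (q // 2) * m, q)

def mod_switch(c, q, p):
    """Coordinate-wise round(p/q * c_i), reduced mod p."""
    return [((2 * p * ci + q) // (2 * q)) % p for ci in c]

def demo(m1, m2, seed=1):
    rng = random.Random(seed)
    n, N, sigma, bound = 16, 64, 2.0, 12   # toy sizes (assumed), not secure
    q, p = 2**20 + 1, 2**12 + 1            # odd moduli with q > p (assumed)
    s, P = keygen(rng, n, N, q, sigma, bound)
    c1, c2 = encrypt(rng, P, q, m1), encrypt(rng, P, q, m2)
    c_add = [(x + y) % q for x, y in zip(c1, c2)]   # homomorphic addition mod 2
    m = (m1 + m2) % 2
    e_q = noise(c_add, s, q, m)
    c_p = mod_switch(c_add, q, p)
    e_p = noise(c_p, s, p, m)
    l1 = sum(abs(x) for x in s)
    # Rounding each coordinate moves <c, s> by at most ||s||_1 / 2, and the
    # encoding constant by at most 1/2, so |e_p| <= (p/q)|e_q| + (||s||_1 + 1)/2.
    # The inequality is checked in exact integer arithmetic.
    within = 2 * q * abs(e_p) <= 2 * p * abs(e_q) + q * (l1 + 1)
    return {"expected": m, "dec_q": decrypt(c_add, s, q), "dec_p": decrypt(c_p, s, p),
            "noise_q": e_q, "noise_p": e_p, "s_l1": l1, "within_bound": within}

if __name__ == "__main__":
    for bits in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        print(bits, demo(*bits))
```

The rounding term (||s||_1 + 1)/2 does not shrink with the input noise, so it sets the floor on the noise after switching.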

A Regev-Type FHE Scheme Using Modulus Switching
Next, we use modulus switching to construct a Regev-type FHE. This scheme is a leveled FHE scheme, in which the th level needs a modulus . The parameters in our scheme include a ladder of decreasing moduli { } ( = −1, . . . , 0), where a parameter indicates the depth of circuit that can be evaluated. It is very important to choose reasonable moduli from to 0 , and we will focus on the details of how to choose reasonable moduli in Section 8. Since the magnitude of is related to the security parameter and different circuit depths result in different magnitude values of , the performance of our scheme depends on the security parameter and the circuit depth .
In order to enable the correctness of the above leveled FHE scheme, we must choose the correct parameters. Next, we describe how to enable the correctness of this scheme.

Correctness
The correctness of the above leveled FHE scheme comes from the correctness of each step in homomorphic operations, that is, each step in FHE.Add and FHE.Mult. If the noise magnitude in ciphertext is below −1 /4 or /4 after each step in homomorphic operations, correct decryption is guaranteed.
Proof. The proof can be obtained easily from Lemma 6.
The procedure of FHE.Mult consists of three steps, namely, the multiplication, and then the key switching and modulus switching. Next, we analyze the correctness of each step. Proof. The proof can be obtained easily from Lemma 6.
We note that the noise after multiplication is 12 rather than 2 like in many of the previous FHE schemes.

Security and Parameters Settings
For a FHE scheme using modulus switching, it is most important to set up a reasonable ladder of decreasing moduli. The size of the modulus is related to the dimension of the LWE problem and the circuit depth . Furthermore, the underlying security parameter is related to the dimension of the LWE problem. However, Regev's paper provides neither the concrete connection between the underlying security parameter and the dimension of the LWE problem nor concrete parameter settings for its encryption scheme. The BGV scheme likewise does not provide a concrete method to set a concrete ladder of decreasing moduli based on a concrete security level and other parameters, even though it is the first FHE scheme using modulus switching.
In this section, we will analyze the function between the lower bound on the dimension of the LWE problem and the security level. Then we will give a method for setting the concrete ladder of decreasing moduli based on a certain security level and other parameters in our scheme.

The Dimension of the LWE Problem and the Security Level.
In order to estimate the hardness of LWE for a concrete set of parameters, we first consider the distinguishing attack on LWE; namely, the adversary distinguishes (with some noticeable advantage) an LWE instance from uniformly random, which means that the semantic security of an LWE-based cryptosystem is broken with the same advantage. The adversary is given a point b that is either an LWE instance or uniformly random. In order to do this attack, the adversary needs to find a short nonzero integral vector v such that Av = 0 mod ; namely, v is a short vector in we have v = ⋅ y, where y is a short vector in the dual of the lattice Λ ⊥ (A ). Then the adversary tries to test whether the inner product ⟨v, b⟩ is close to zero modulo . When b is a uniformly random instance, the test accepts with probability exactly 1/2. When b = A s + e, where e is sampled from a Gaussian distribution with standard deviation , we have ⟨v, b⟩ = ⟨v, A s⟩ + ⟨v, e⟩ = ⟨ ⋅ y, A s⟩ + ⟨v, e⟩ = ⟨v, e⟩ mod , which is essentially Gaussian with standard deviation ‖v‖ ⋅ . When ‖v‖ ⋅ is not much larger than , the adversary can distinguish the Gaussian from the uniform with an advantage very close to exp(− ⋅ (‖v‖ ⋅ / ) 2 ).
In general, in order to do the distinguishing attack with high confidence, one needs ‖v‖ ⩽ / (2 ), which requires reducing the basis well enough that the shortest vector is of size roughly / . We assume that the security depends on the ratio / . Furthermore, we assume that the adversary will spend all the attack running time doing lattice reduction according to the paper [26].
The key point is that the distinguishing attack described above computes the inner product ⟨v, e⟩ modulo for a short enough vector and does not use the secret s of the LWE sample. This means that the distinguishing attack still works whether the secret s is sampled from a Gaussian distribution or uniformly. Next, we analyze the relation between the dimension of LWE and the security level.
A short vector used in the distinguishing attack can be obtained from a lattice reduction algorithm. From the analysis of lattice reduction algorithms by Gama and Nguyen [27], the Hermite factor is regarded as the dominant parameter in the runtime of the reduction and the quality of the reduced basis. A reduced basis B(‖b 1 ‖ ⩽ ‖b 2 ‖, . . . , ⩽ ‖b ‖) of an -dimensional lattice Λ has the Hermite factor for ≥ 1 if ‖b 1 ‖ = ⋅det (Λ) 1/ . The term is called a quality parameter. In addition, Lindner and Peikert perform experiments in the paper [26], which predict the runtime required to achieve a given root-Hermite factor in random -ary lattices arising from LWE. The results of their experiments show that the logarithm of the runtime should grow roughly linearly in 1/ log( ). In particular, for random -ary lattices arising from LWE, the time (in seconds) that is spent to compute a reduced basis of quality is conservatively estimated at least as follows: We note that the runtime estimated in (25) can also be applied here to analyze our scheme. First, the random -ary lattices for experiments in the paper [26] include the random -ary lattices arising from LWE where the secret was sampled from a Gaussian distribution. Second, the encryption scheme described in the paper [26] is also based on the same LWE problem as our scheme; namely, the secret is chosen from a Gaussian distribution.
Recall that the basis is required to be reduced well enough such that the shortest vector is of size roughly / in the distinguishing attack. Thus the adversary needs to reduce the basis enough so that ‖b 1 ‖ = / . Moreover, for a random -ary lattice of rank , the determinant is with high probability. By the definition of quality parameter , a basis B that has quality parameter has ‖b 1 ‖ = ⋅ det (Λ) 1/ = ⋅ / . From the result in paper [28], when lattice reduction algorithms are applied to Λ ⊥ (A ), the shortest vectors are produced when = ( ⋅ log / log ) 1/2 . For simplicity, we take = 1 such that ‖b 1 ‖ = / = , then we have We can solve for and plug Equation (25) into it, then get = log ⋅ (log(time) + 110)/7.2 which is a function between and / (recall = / ). In order to ensure the time that is spent to reduce the basis at least 10 , we need to set to be at least ⩾ (log ( / ) ⋅ ( + 110))/7.2 .
We thus obtain the relation between the dimension of LWE and the security level. If we want to get an 80-bit security level, we need to set ⩾ log( / ) ⋅ 26.4; for a 128-bit security level, we need to set ⩾ log( / ) ⋅ 33.1.

Setting Concrete Parameters.
Based on our scheme, we first set a concrete ladder of decreasing modulus. For a certain security level, we recommend specific dimension and modulus values for a specific circuit level .

The Upper Bound of Noise.
In order to obtain a suitable modulus, we need to find a common upper bound of noise for each circuit level. Assume that we have a common upper bound on noise magnitude, which means that the noise magnitude is at most for all ciphertexts in all levels. Let c 1 and c 2 be two ciphertexts at level . The noise magnitude is at most 12 after multiplication by following Lemma 11. Then, we apply the key switching, and the noise magnitude is at most 12 + ( + 1) 2 log by following Lemma 12. Finally, we apply modulus switching, and the noise magnitude in this stage is at most ( −1 ) ⋅ (12 + ( + 1) 2 log ) + ( + 1) ⋅ + 1 2 .
We get −1 / < 1/(24 ) from Inequality (29), and we plug it into Inequality (30); then we have We thus set ≈ 8( + 1) ⋅ , which is the approximate common upper bound. We also get the ratio of −1 and that is approximately 1/(24 ). Next we can set a concrete ladder of decreasing modulus.
We first consider the smallest modulus. At level 0, the noise magnitude is at most 12 after multiplication. To ensure correct decryption, we need 12 < 0 /4. We can take 0 ≈ 48 ≈ 384 2 2 , which is approximately the smallest modulus.
is the bound of Gaussian, and we use = 2 from the statement in [20]. We then can obtain the lower bound of the dimension from the circuit depth as well as the security level.
For an 80-bit security level ( = 80) and different circuit depth , we derive the parameters of our scheme, as shown in Table 1.

Performance.
The computational complexity of our scheme comes from homomorphic multiplication which includes three steps. The computational cost that computes the tensored ciphertext is̃( 2 log 2 ). The computational cost in the step of key switching is̃( 3 log 2 ). The computational cost in the step of modulus switching is̃( log ). As a result, the per-gate computation in our scheme is ( 3 log 2 ) =̃( 3 2 ). As a comparison, in the Bra12 scheme the per-gate computation is̃( 3 log 4 ). This shows that our scheme is more efficient than the Bra12 scheme.

Bootstrapping.
We also can use bootstrapping to achieve a leveled FHE scheme. Furthermore, by using bootstrapping, we can obtain a pure FHE scheme with an assumption of circular security. There is a detailed explanation about bootstrapping in paper [29].
In our scheme the depth of a decryption circuit is (log + log log ). We can regard the above leveled FHE scheme as a somewhat homomorphic encryption scheme. As long as we set the depth of circuit > (log +log log ), our scheme is bootstrappable.

Conclusions
We have constructed a leveled FHE scheme using modulus switching based on the Bra12 scheme, and our scheme improves the efficiency of the Bra12 scheme. The per-gate computation in our scheme is̃( 3 log 2 ) =̃( 3 2 ), while it is̃( 3 log 4 ) in the Bra12 scheme. Furthermore, we have derived a function of the lower bound on the dimension of the LWE problem and the security parameter. For an 80-bit security level and several different depth parameters, we have shown the concrete values of the dimension of the LWE problem and the modulus in each level. These concrete values for different parameters are very important in a fully homomorphic scheme that leverages the modulus switching technique for noise management, a problem that had not been solved before.