A Central Limit Approach for Ring-LWE Noise Analysis

This paper develops Central Limit arguments for analysing the noise in ciphertexts in two homomorphic encryption schemes that are based on Ring-LWE. The first main contribution of this paper is to present an average-case noise analysis for the BGV scheme. Our approach builds upon the recent work of Costache et al. that gives the approximation of a polynomial product as a multivariate Normal distribution. We show how this result can be applied in the BGV context and experimentally verify its improvement over prior, worst-case, approaches. Our second main contribution is to develop a Central Limit framework to analyse the noise growth in the homomorphic Ring-LWE cryptosystem of Lyubashevsky, Peikert and Regev (Eurocrypt 2013, full version). Our approach is very general: apart from finite variance, no assumption on the distribution of the noise is required (in particular, the noise need not be subgaussian). We show that our approach leads to tighter bounds for the probability of decryption failure than have been obtained in prior work.


Introduction
The Learning with Errors or LWE problem [30,31] has become a standard hard problem in cryptology that is at the heart of lattice-based cryptography [25,28]. The Ring Learning with Errors or Ring-LWE problem [33,21] is a generalisation of the LWE problem from the ring of integers to certain other number field rings that potentially gives far better efficiency.
A key application area of lattice-based cryptography is (fully, somewhat or levelled) homomorphic encryption [14]. Homomorphic encryption enables an untrusted party to operate meaningfully on encrypted data belonging to a different party, without requiring access to the secret key. A large number of homomorphic encryption schemes have been proposed in the literature, for example [4,12,17,22,6,5], many of which [4,12,22,5] are based on Ring-LWE. To illustrate the ideas of this paper, we first consider the widely-used BGV scheme [4], which has been implemented in (e.g.) [19,32]. We also consider the symmetric key homomorphic cryptosystem given by Lyubashevsky, Peikert and Regev in Section 8.3 of [22] (the full version of [23]), which we term the SymHom cryptosystem.
Ciphertexts in all homomorphic encryption schemes contain an inherent noise that is needed for security. As more homomorphic evaluation operations are performed, the noise grows, and if it exceeds a certain threshold, then decryption will fail. It is thus essential to understand the noise growth behaviour in order to choose secure and correct parameters. Ideally, we would model the noise growth as tightly as possible, so that the most performant parameters that meet the security and correctness requirements can be selected.
Prior approaches for noise analysis in BGV [15,16,10,9] have been 'worst-case': that is, they have modelled the noise growth after every BGV evaluation operation using heuristic worst-case bounds. By tracing through the bounds after each operation, the noise growth incurred by the overall evaluation can also be bounded. However, there can be an unsatisfying gap between the final noise bound and the typical size of the noise as observed in experiments [9], with the gap growing as more computations are performed. In this work, we present for the first time an 'average-case' noise analysis for BGV, where average case is meant in the sense of the noise analysis for the TFHE scheme [6] as presented in [7]. That is, we show how for each homomorphic evaluation operation, the input and output noises can be modelled as a Gaussian random variable. This enables us to trace through the variances of the noise at each operation, and eventually arrive at the variance of the noise after the evaluation. We therefore only need to resort to a bound after the evaluation, where the Gaussian distribution of the given variance implies a certain tail bound on the noise (holding with a certain probability). This enables us to set parameters that are still large enough to ensure correctness, but, due to the tighter analysis, may be smaller (and thus more performant) than those that would be chosen under a worst-case analysis.
The fundamental issue with modelling the noise growth in schemes like BGV or the SymHom cryptosystem is that the noise growth in multiplication is nonlinear. In more detail, if two BGV ciphertexts having noise polynomials $v_1$ and $v_2$ are multiplied, then the resulting ciphertext has noise polynomial $v_1 \cdot v_2$. In particular, if $X_1$ and $X_2$ are subgaussian random variables arising from such noise polynomials, then the product $X_1 \cdot X_2$ is not necessarily subgaussian and indeed can have a much heavier tail [27]. For this reason, an average-case noise analysis for BGV, and related schemes, such as CKKS [5] and BFV [13], was believed until recently to be a challenging open question [9].
In this work, we demonstrate that a Central Limit approach can, under certain assumptions, be used to approximate the output noise of all BGV or SymHom operations as a Gaussian. We now expand in more detail on our approach for each scheme.

A Central Limit Approach for BGV
The first main contribution of this paper is to present an average-case noise analysis for BGV, based on a Central Limit argument.
Average-case analyses for noise growth in FHE schemes have been presented previously, for example for the TFHE scheme [6]. The approach, as presented in [7], is as follows. It is assumed that the coefficients of a fresh TFHE ciphertext are independent subgaussians, and that the coefficients of a ciphertext output of the gate bootstrapping operation are also independent subgaussians. The latter assumption is experimentally verified [7, Figure 10]. It is shown that every TFHE operation can be implemented via gate bootstrapping on a linear combination of ciphertexts. Thus, by linearity and by the assumption on gate bootstrapping, every TFHE ciphertext noise coefficient can be modelled as a subgaussian, thus permitting an average-case analysis.
Our approach is built upon the recent work of [8] that develops an average-case noise analysis for the CKKS scheme [5]. To this end, the analysis relies on Theorem 1, developed in [8], that gives the approximation of a polynomial product as a multivariate Normal distribution. Our analyses for the noise polynomials resulting from each BGV homomorphic operation follow from repeated applications of this result and are summarised in Figure 4. We expect that a similar approach could yield an average-case analysis for the BFV homomorphic encryption scheme [13]. Indeed, an analysis of the distributional properties of the multiplication of two polynomial ring elements could also be applicable in wider contexts, such as in the analysis of lattice-based key encapsulation mechanisms [2,11].
We additionally present an experimental verification of the analysis by comparing with practical noise growth in HElib [19] and SEAL [32]. The results are presented in Tables 1, 2, 3 and 4 and show that the average-case approach more tightly models the noise growth. Moreover, we demonstrate the applicability of our analysis by exhibiting specific computations for which the average-case approach predicts lower parameters to support the computation than the worst-case approach, and confirm this by successfully implementing these computations with the smaller parameter set.

A Central Limit Approach for SymHom
The second main contribution of this paper is to develop a statistical framework, based on a Central Limit argument, for analysing the noise in SymHom ciphertexts. To illustrate the utility of this approach, we present in Theorem 2 and Corollary 2 new, tighter bounds for the probabilities of incorrect decryption in degree-1 and degree-2 SymHom ciphertexts. Our analysis can similarly be applied to higher-degree ciphertexts [27].
In more detail, the Central Limit framework is essentially based on approximating the mean vector and the covariance matrix of the noise of a ciphertext when embedded into the complex space $H$ and transformed with respect to an appropriate "decoding" basis that is required during decryption [22]. We show that the approximate Normality of this embedded noise when expressed in a decoding basis is fundamentally a Central Limit phenomenon arising from the weighted sum of many random variables, where the weights arise from a change of basis matrix to the decoding basis.
For example, if $C^{(p\Gamma)}$ is a vector of dimension $n$ expressing the noise in a ciphertext with respect to the decoding $p\Gamma$-basis for $H$ (Definition 8) and $C^{(T)}$ is a vector of dimension $n$ expressing the noise in a ciphertext with respect to the original $T$-basis for $H$ (Section 2.4), then $C^{(p\Gamma)} = p\Delta C^{(T)}$ for an appropriate real-valued $n \times n$ change of basis matrix $\Delta$ and "scaling prime" $p$ (which is the plaintext modulus in SymHom). In particular, this means that we can express a component
$$c^{(p\Gamma)}_j = p\sum_{k=1}^{n} \Delta_{jk}\, c^{(T)}_k$$
of a noise vector in the $p\Gamma$-basis as a weighted sum of uncorrelated and in general independent identically distributed random variables $c^{(T)}_k$. We will show that the weightings $\Delta_{j1}, \ldots, \Delta_{jn}$ are of comparable size, which suggests that a Central Limit argument can be invoked to give a Normal approximation for a component $c^{(p\Gamma)}_j$. For successful decryption, we require each component of $C^{(p\Gamma)}$ to be bounded by an appropriate threshold. A Central Limit approach enables us to bound the probability of incorrect decryption using bounds on the tails of Normal distributions.
Theorem 2 and Corollary 2 demonstrate the improvement that can be obtained by using a Central Limit approach in comparison with prior bounds, such as those of [22], obtained using $\delta$-subgaussian random variables [24,26]. For example, if $\eta_1(n, q, \rho) = \tfrac12 (n^{1/2}\rho)^{-1} q$ is moderate or large, Theorem 2 gives a decryption failure probability bound that is tighter than the equivalent $\delta$-subgaussian decryption failure probability bound of $2n\exp(-\tfrac12 \eta_1^2)$, which is obtained by using the tail bound of [26, Lemma 18] in the manner of [22, Lemma 6.5].
No concrete parameter recommendations for SymHom are specified in [22], so in contrast to the situation with BGV, it is difficult to quantify the concrete improvement. Asymptotically, ignoring constants, we tighten the bound by a factor of $\omega(\sqrt{\log n})$, for power-of-two $n$ and $q$ following [22, Lemma 8.5]. However, we emphasise that using such a Central Limit approach in analysing SymHom has a number of advantages over other possible approaches, such as the subgaussian approach used in [22]. These advantages are listed below and expressed in terms of the above discussion.
1. A Central Limit approach makes no substantive distributional assumption for the components $c^{(T)}_k$ beyond finite variance, so is potentially applicable to $c^{(T)}_k$ that are chosen from heavy-tailed distributions. Thus a Central Limit approach is more generally applicable than other approaches that, for example, have a subgaussian requirement for such random variables.

2. A Central Limit approach gives an explicit approximating distribution for the cryptographic random variable of interest, which can be directly used for general calculation or simulation purposes in cryptography. By contrast, a subgaussian approach can never give an explicit approximating distribution and can only give tail bounds. These tail bounds are generally weaker, as is evidenced by comparing our Theorem 2 with the bound that would be obtained following [22].
3. A Central Limit approach gives not only asymptotically an approximation to a Normal distribution, but also a close approximation concretely, for practically relevant Ring-LWE dimensions $n$.

Structure of the Paper
We recall relevant background and introduce new tools in Section 2. We outline our Central Limit approach for BGV in Section 3. We then outline our Central Limit approach for the SymHom cryptosystem in Section 4.

Notation
The value, or more formally the coset representative, of $(r \bmod q)$ nearest to 0 is denoted by $[r]_q = r - q\,[q^{-1}r]$, where $[\cdot]$ on an integer multiple denotes rounding to the nearest integer, and we use the same notation for a coset of $\mathbb{Z}_q$. We can also extend this idea componentwise to vectors, and we write $[\cdot]^B_q$ to indicate such an extension with respect to a basis $B$. We use $\dagger$ to denote the complex conjugate transpose of a matrix, so $T^\dagger = \overline{T}^{\,T}$.

Central Limit Approximations
Encryption and decryption in Ring-LWE-based cryptography are inherently statistical processes, and we are giving Central Limit approximations to the distributions of cryptographic random variables of interest. Thus we use the notation $\sim$ to denote either "is exactly distributed as" or "is approximately distributed as", in the sense that we may use the approximating distribution for practical purposes without significant error, as is typically done by taking a Central Limit Normal distribution approximation in statistical analysis. Furthermore, whilst Central Limit results are formally asymptotic results concerning sums or means of random variables, such Central Limit approximations usually apply in practice with relatively few summands (except perhaps for pathological distributions), as illustrated by the Berry-Esseen conditions [34] and related multidimensional versions [35]. For example, the simplest form of these Berry-Esseen conditions occurs for independent and identically distributed random variables $X_1, X_2, \ldots$ with mean $E(X_i) = 0$: under a finite third-moment condition, the distribution function of the standardised sum of $n$ such variables differs from $\Phi$, the distribution function of a standard Normal random variable $Z \sim N(0,1)$, by at most a quantity of order $n^{-1/2}$. We therefore typically use the phrasing "for moderate or large ..." in such a Central Limit context to emphasise the usual applicability of Central Limit approximations with relatively few summands.

Cyclotomic Number Fields
We consider the ring $R = \mathbb{Z}[X]/(\Phi_m(X))$, where $\Phi_m(X)$ is the $m$-th cyclotomic polynomial of degree $n = \varphi(m)$, and we let $R_a$ denote $R/aR$ for an integer $a$.
We let $\zeta_m$ denote a (primitive) $m$-th root of unity. The $m$-th cyclotomic number field $K = \mathbb{Q}(\zeta_m)$ is the field extension of the rational numbers $\mathbb{Q}$ obtained by adjoining this $m$-th root of unity $\zeta_m$, so $K$ has degree $n$. The tensor product $K_{\mathbb{R}} = K \otimes_{\mathbb{Q}} \mathbb{R}$ is the real vector space over which continuous error distributions are defined. There are $n$ ring embeddings $\sigma_1, \ldots, \sigma_n : K \to \mathbb{C}$, and such ring embeddings occur in conjugate pairs. The canonical embedding $\sigma : K \to \mathbb{C}^n$ is given by $\sigma(x) = (\sigma_1(x), \ldots, \sigma_n(x))$. The ring of integers $\mathcal{O}_K$ of a number field is the ring of all elements of the number field which are roots of some monic polynomial with coefficients in $\mathbb{Z}$. The ring of integers of the $m$-th cyclotomic number field $K$ is $\mathcal{O}_K = \mathbb{Z}[\zeta_m] \cong R$. The canonical embedding $\sigma$ embeds $R$ as a lattice $\sigma(R)$. The conjugate dual of this lattice corresponds to the embedding of the dual fractional ideal $R^\vee$.

The Complex Space H
The ring embeddings $\sigma_1, \ldots, \sigma_n$ from $K$ into $\mathbb{C}$ occur in complex conjugate pairs with $\overline{\sigma_k} = \sigma_{m-k}$. Accordingly, much of the analysis of Ring-LWE takes place in a space $H$ of conjugate pairs of complex numbers.

Definition 1. The conjugate pairs matrix is the complex unitary $n \times n$ matrix $T$, so $T^{-1} = T^\dagger$.

Definition 2. The complex conjugate pair space is $H = T(\mathbb{R}^n)$, where $T$ is the conjugate pairs matrix.

Definition 3. The I-basis for $H$ is given by the columns of the $n \times n$ identity matrix $I$, that is to say the I-basis is the standard basis.

Definition 4. The T-basis for $H$ is given by the columns of the conjugate pairs matrix $T$.

An element of $H$ is expressed via the I-basis as a vector of $\tfrac12 n$ conjugate pairs. Such an element of $H$ can also be expressed (by construction) in the T-basis as a real-valued vector, giving the isomorphism between $H$ and $\mathbb{R}^n$ as inner product spaces.

The BGV scheme
In this section we introduce the BGV scheme [4]. We generally follow the description of BGV given in [9], reproduced in Figure 1, that restricts to a power-of-two cyclotomic ring $R = \mathbb{Z}[X]/(X^n + 1)$ for $n$ a power of two. The plaintext space is given by $R_t$ and the ciphertext space is given by $R_q^2$. We generally regard a polynomial element of $R_q$ as having coefficients in $\{-\tfrac12(q-1), \ldots, \tfrac12(q-1)\}$, where this polynomial may also be interpreted as a vector $h = (h_0, \ldots, h_{n-1})$ of coefficients in an appropriate context.
We now describe in our notation the relevant parts of the BGV scheme in order to define the noise in a BGV ciphertext.
The BGV scheme. BGV is a (levelled) FHE scheme parameterised by $n, q, t, \chi, S, w, \ell$ and $\lambda$. Let $w$ be a base; then $\ell + 1 = \lfloor \log_w q \rfloor + 1$ is the number of terms in the decomposition into base $w$ of an integer modulo $q$. The Ring-LWE error distribution is denoted $\chi$ and is typically a discrete Gaussian with standard deviation $\sigma = 3.2$ [1]. The underlying Ring-LWE problem is parameterised by $n, q, \sigma$ and $S$, where the parameter $S$ denotes the secret key distribution. In implementations (e.g. [19,32]), $S$ is often chosen as a polynomial that has coefficients in $\{-1, 0, 1\}$. The security parameter is $\lambda$.
SecretK​eyGen. For emphasis, we write the secret key as $s \in \{-1, 0, 1\}^n$, a ternary vector of length $n$, which can more generally be regarded as a polynomial of degree $n - 1$. We regard $s$ as a constant vector known to the genuine receiver.
PublicKeyGen. The public key $(p_0, p_1)$ consists of two parts, with the first part $p_0$ a multivariate random variable and the second part $p_1$ a constant vector. For the second part $p_1$, a constant vector $a \in \{-\tfrac12(q-1), \ldots, \tfrac12(q-1)\}^n$ is chosen and $p_1$ is set to $a$, so $p_1 = a$. For the first part $p_0$ with secret key $s \in \{-1, 0, 1\}^n$, we have $p_0 = -as - te_0$, where $e_0 \sim N(0; \sigma^2 I_n)$ is a spherically symmetric multivariate Normal random variable with component variance $\sigma^2$, and where $as$ denotes the appropriate polynomial product of $a$ and $s$. The distribution of the public key $(p_0, p_1)$ is therefore given by $p_0 \sim N(-as;\ t^2\sigma^2 I_n)$ and $p_1 = a$.
Noise in BGV. In our analysis, we will give distributions for the multivariate random variables arising in BGV before any reduction modulo $q$. For convenience, we approximate discrete random variables in BGV by the obvious appropriate continuous random variable.
For a BGV ciphertext $(c_0, c_1)$ encrypting a message $m$, our analysis considers the BGV Critical Value $W$ given by $W = c_0 + sc_1$, where $sc_1$ denotes the appropriate polynomial product of $s$ and $c_1$. This BGV Critical Value is (we will show) an $n$-dimensional multivariate Normal random variable that arises during BGV decryption with secret key $s$. The Noise $V$ is then given from the Critical Value $W$ by subtracting $m$, so $V = W - m$.
Modulus switching. The key technical tool for noise management in BGV is modulus switching. In Lemma 1 we give an alternative expression for the BGV ModSwitch operation to that given in Figure 1 that will be more convenient for our analysis. Lemma 1 can be seen as giving an explicit implementation of the Scale operation described in earlier analyses of BGV [10,15].

Lemma 1. Suppose that $(c_0, c_1)$ is a BGV ciphertext with respect to a modulus $q$ and consider a ModSwitch operation with respect to a new modulus $p < q$. The BGV ModSwitch operation maps an input ciphertext part $c_i$ to the nearest integer polynomial to $\tfrac{p}{q}c_i$ having the same value modulo $t$ as $c_i$. More formally, the output ciphertext $(c_0', c_1')$ after the ModSwitch operation can be expressed as
$$c_i' = \frac{c_i + \delta_i}{r}, \qquad r = \frac{q}{p}, \qquad \delta_i \equiv -c_i \pmod r, \quad \delta_i \equiv 0 \pmod t, \quad i = 0, 1,$$
where $\delta_i$ is taken with coefficients between $-\tfrac12 rt$ and $\tfrac12 rt$.

Proof. We let $r = q/p$, so the integer $r \equiv 1 \pmod t$. The ModSwitch operation uses $\delta_i \equiv -c_i \pmod r$ and $\delta_i \equiv 0 \pmod t$ for $i = 0, 1$. The Chinese Remainder Theorem shows that $\delta_0$ and $\delta_1$ are uniquely defined modulo $rt$, so have coefficients lying between $-\tfrac12 rt$ and $\tfrac12 rt$. This specification for $\delta_i$ also gives
$$c_i + \delta_i \equiv 0 \pmod r \qquad \text{and} \qquad c_i + \delta_i \equiv c_i \pmod t.$$
In addition, the Chinese Remainder Theorem shows that $c_0 + \delta_0$ and $c_1 + \delta_1$ are uniquely determined modulo $rt$ by these two congruences. The parts of the output ciphertext $(c_0', c_1')$ after the ModSwitch operation therefore satisfy
$$c_i' = \frac{c_i + \delta_i}{r} \equiv c_i + \delta_i \equiv c_i \pmod t,$$
as $r \equiv 1 \pmod t$, so the output ciphertext parts have the same values modulo $t$ as the input ciphertext parts. The output ciphertext parts $c_0'$ and $c_1'$ are "modulo $p$" polynomials with coefficients lying in $\{-\tfrac12(p-1), \ldots, \tfrac12(p-1)\}$ obtained as the direct contractions of "modulo $q$" polynomials as $c_i' = (c_i + \delta_i)/r$. We note that these new ciphertext parts can also be expressed as
$$c_i' = \frac{c_i}{r} + \frac{\delta_i}{r} = \frac{p}{q}\,c_i + \frac{\delta_i}{r},$$
where $\delta_0/r$ and $\delta_1/r$ are polynomials with coefficients between $-\tfrac12 t$ and $\tfrac12 t$. Thus the BGV ModSwitch operation maps an input ciphertext part $c_i$ to an output ciphertext part $c_i'$, where $c_i'$ is the nearest integer polynomial to $c_i/r = \tfrac{p}{q}c_i$ having the same value modulo $t$ as $c_i$, which gives the expression in the statement of the Lemma.
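The coefficient map of Lemma 1, as an added worked example (editor's code, not from the paper): the CRT construction of $\delta_i$ is implemented directly and checked against a brute-force search for the nearest integer to $\tfrac{p}{q}c$ with the right residue modulo $t$, and the rounding error $\delta_i/r$ is checked to be at most $t/2$ in absolute value. The toy parameters $q = 707$, $p = 101$, $t = 3$ (so $r = 7 \equiv 1 \bmod 3$) and all function names are my own choices.

```python
from fractions import Fraction


def centred(x: int, modulus: int) -> int:
    """Representative of x mod modulus nearest to 0, i.e. the paper's [x]_modulus."""
    x %= modulus
    return x - modulus if x > modulus // 2 else x


def modswitch_coeff(c: int, q: int, p: int, t: int) -> int:
    """ModSwitch one coefficient c of a mod-q ciphertext part to modulus p via Lemma 1.

    r = q/p must be an integer with r = 1 (mod t).  delta is the centred solution of
    delta = -c (mod r), delta = 0 (mod t), so |delta| <= rt/2 and (c + delta)/r is an
    exact integer congruent to c modulo t.
    """
    if q % p != 0:
        raise ValueError("q must be a multiple of p")
    r = q // p
    if r % t != 1:
        raise ValueError("q/p must be 1 modulo t")
    # CRT with gcd(r, t) = 1: write delta = t*k and solve t*k = -c (mod r).
    k = (-c * pow(t, -1, r)) % r
    delta = centred(t * k, r * t)
    assert (c + delta) % r == 0 and delta % t == 0
    return (c + delta) // r


def nearest_with_residue(c: int, q: int, p: int, t: int) -> int:
    """Brute force: the integer closest to c*p/q among those congruent to c modulo t."""
    target = Fraction(c * p, q)
    base = round(target)
    candidates = [k for k in range(base - t, base + t + 1) if (k - c) % t == 0]
    return min(candidates, key=lambda k: abs(Fraction(k) - target))


def modswitch_poly(coeffs, q, p, t):
    """Apply the coefficient map to a whole ciphertext part (list of centred mod-q coefficients)."""
    return [modswitch_coeff(c, q, p, t) for c in coeffs]


def lemma1_holds(q: int, p: int, t: int) -> bool:
    """For every centred coefficient c mod q, check both claims of Lemma 1: the CRT
    construction equals the nearest same-residue integer, and |c' - c/r| <= t/2."""
    r = q // p
    for c in range(-(q - 1) // 2, (q - 1) // 2 + 1):
        c_new = modswitch_coeff(c, q, p, t)
        if c_new != nearest_with_residue(c, q, p, t):
            return False
        if abs(Fraction(c_new) - Fraction(c, r)) > Fraction(t, 2):
            return False
    return True


if __name__ == "__main__":
    print(lemma1_holds(707, 101, 3), modswitch_poly([100, -250, 7], 707, 101, 3))
```

The exhaustive check over all $q$ coefficients is cheap for toy moduli; for realistic $q$ the same two functions can be compared on random samples instead. With $rt$ odd, as here, $|\delta_i| < rt/2$ strictly, so the nearest same-residue integer is unique and no tie-breaking rule is needed.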

The SymHom scheme
In this section we introduce the SymHom cryptosystem. In order to do so, we first need two definitions. A description of the SymHom cryptosystem, in the notation of [22], is then given in Figure 2.

Definition 6 ([26]). Let $B$ be a (column) basis matrix for the $n$-dimensional lattice $\Lambda$ in $H$. If $\mathcal{R}$ is the Balanced Reduction function, then the coordinate-wise randomised rounding discretisation or CRR discretisation $\lfloor X \rceil^{B}_{\Lambda + c}$ of the random variable $X$ on $H$ to the lattice coset $\Lambda + c$ with respect to the basis matrix $B$ is the random variable obtained by applying $\mathcal{R}$ coordinate-wise in the basis $B$.

We now describe in our notation the relevant parts of the SymHom cryptosystem in order to define the noise in a SymHom ciphertext. We first recall that the SymHom secret key is an element $s \in R$, the plaintext space is $R_p$, and a plaintext $\mu \in R_p$ is encrypted to give a linear polynomial over $R^\vee_q$. The first step of the encryption process is to generate a random input for a discretisation process to a coset depending on the plaintext $\mu$. Accordingly, we let $Y$ be a random variable on $H$ such that $TY \sim N(0;\ p^2\rho^2 I_n)$ is a spherically symmetric $n$-dimensional Normal random variable with component variance $p^2\rho^2$ for an appropriately chosen $\rho^2$. We term $Y$ the Underlying Noise, and $Y$ is a complex-valued random vector expressed in the I-basis for $H$.

Fig. 2. The SymHom cryptosystem. Let $\psi$ be a continuous LWE error distribution over $K_{\mathbb{R}}$, and let $\lfloor\cdot\rceil$ denote any valid discretisation to cosets of some scaling of $R^\vee$ (e.g. using the decoding basis of $R^\vee$). The cryptosystem is defined formally as follows.
- Gen: choose $s' \leftarrow \lfloor\psi\rceil_{R^\vee}$, and output $s = t \cdot s' \in R$ as the secret key.
- Enc: for uniformly random $c_1 \leftarrow R^\vee_q$, output the ciphertext $c(S) = c_0 + c_1 S$. The noise in $c(S)$ is defined to be $e$.
- Dec$_s(c(S))$ for $c$ of degree $k$: compute $c(s) \in (R^\vee)^k_q$, and decode it to $e$.
For ciphertexts $c, c'$ of arbitrary degrees $k, k'$, their homomorphic product is the degree-$(k + k')$ ciphertext $c(S) \cdot c'(S)$, that is to say standard polynomial multiplication. The noise in the result is defined to be the product of the noise terms of $c, c'$. Similarly, for ciphertexts $c, c'$ of equal degree $k$, their homomorphic sum is $c(S) \boxplus c'(S) = c(S) + c'(S)$, and the noise in the resulting ciphertext is the sum of those of $c, c'$.
Specifically, we discretise $Y$ to the coset $\sigma(pR^\vee) + \sigma(t^{-1}\mu)$ of the lattice $\sigma(pR^\vee)$ obtained by the canonical embedding of the scaled dual fractional ideal $pR^\vee$. We consider the coordinate-wise randomised rounding discretisation with respect to the $p\Gamma$-basis for $H$, and following Definition 6 we denote this discretisation of $Y$ by $\mathbf{Y}(\mu) = \lfloor Y \rceil^{p\Gamma}_{\sigma(pR^\vee) + \sigma(t^{-1}\mu)}$. The Noise random variable $Y(\mu)$ in the encryption of the plaintext $\mu$ is then defined to be $Y(\mu) = \sigma^{-1}(\mathbf{Y}(\mu))$, and is an element of the coset $pR^\vee + t^{-1}\mu$ containing information about $\mu$. For obvious reasons, we refer to $\mathbf{Y}(\mu) = \sigma(Y(\mu))$ as the Embedded Noise, and we note that $\mathbf{Y}(\mu)$ expresses the Embedded Noise in the I-basis of $H$. We summarise this discussion in Figure 3.
In the next step of encryption, we form the ciphertext from the Noise $Y(\mu)$ and the secret key $s$ in the following way. We choose $A$ uniformly in $R^\vee_q$, and we let $C(\theta; \mu) = (-As + Y(\mu)) + A\theta$, a linear polynomial in the indeterminate $\theta$ over $R^\vee_q$. We note that this polynomial can be expressed directly in terms of the Noise $Y(\mu)$ and the secret key $s$ as $C(\theta; \mu) = A(\theta - s) + Y(\mu)$. A fresh ciphertext is defined to be a degree-1 ciphertext, since the polynomial $C(\theta; \mu)$ is linear.
The output ciphertext of a homomorphic multiplication of two degree-1 ciphertext polynomials is obtained simply by multiplying these polynomials together. Thus we can obtain the degree-2 ciphertext polynomial over $R^\vee_q$ corresponding to the product $\mu_1\mu_2$ of plaintexts $\mu_1$ and $\mu_2$ as $C(\theta; \mu_1, \mu_2) = C_1(\theta; \mu_1)\, C_2(\theta; \mu_2)$, which is given in terms of the secret key $s$ and its constituent Noises $Y_1(\mu_1)$ and $Y_2(\mu_2)$ by
$$C(\theta; \mu_1, \mu_2) = A_1A_2(\theta - s)^2 + \big(A_1 Y_2(\mu_2) + A_2 Y_1(\mu_1)\big)(\theta - s) + Y_1(\mu_1)\,Y_2(\mu_2).$$
The Noise in this degree-2 output ciphertext $C(\theta; \mu_1, \mu_2)$ is defined to be the product $Y_1(\mu_1)Y_2(\mu_2)$ of the Noises $Y_1(\mu_1)$ and $Y_2(\mu_2)$ of the degree-1 input ciphertexts. This process extends in the obvious way to give ciphertexts of higher degree.

Fig. 3. Notation for the Noise-related quantities used in encryption of the plaintext $\mu$.
3 A CLT approach to BGV noise analysis

BGV Polynomial Multiplication
Many BGV operations involve polynomial multiplication in $R$ or $R_q$, that is to say modulo $X^n + 1$, and we express such a polynomial multiplication using a modified Sign function $\xi$ on the integers given by $\xi(z) = \mathrm{Sign}(z)$ for $z \neq 0$ with $\xi(0) = 1$. A term of $(hh')$ can then be specified as
$$(hh')_i = \sum_{j=0}^{n-1} \xi(i - j)\, h_j\, h'_{i-j},$$
where the subscripts are interpreted modulo $n$ to lie in $\{0, \ldots, n-1\}$.
BGV requires the construction of the polynomial product in $R$ or $R_q$ of a constant or scalar and a (discretised) multivariate Normal random variable, or of two multivariate Normal random variables. We use the following result, developed for the CKKS context in [8].
Theorem 1. Suppose that $Z \sim N(\mu; \rho^2 I_n)$ and $Z' \sim N(\mu'; \rho'^2 I_n)$. Then the polynomial product $ZZ'$ (modulo $X^n + 1$) is well-approximated for large $n$ as a multivariate Normal distribution $N(\mu\mu';\ \rho_*^2 I_n + S)$ with a component variance $\rho_*^2$ and an off-diagonal covariance matrix $S$.

Following the approach of [8], we make the Small-S assumption: that this off-diagonal matrix $S$ is negligible compared to $\rho_*^2 I_n$, and we disregard it. This assumption is reasonable in many circumstances of interest in BGV as the message vector length is generally bounded.
Corollary 1. Suppose that $Z \sim N(\mu; \rho^2 I_n)$ and $Z' \sim N(\mu'; \rho'^2 I_n)$ are independent, $\lambda$ is a constant vector and the Small-S assumption is valid. Approximations to the distributions of $\lambda Z$, $ZZ'$ and $Z^2$ are then given by $\lambda Z \sim N(\lambda\mu;\ |\lambda|^2\rho^2 I_n)$ together with the corresponding diagonal-covariance Normal approximations for $ZZ'$ and $Z^2$ obtained from Theorem 1.

We also add a further variant of these results, adapted to a special case for general (i.e. not necessarily Normal) distributions $Z$ and $Z'$, which we use when considering the BGV ModSwitch operation.
Lemma 2. Suppose that $Z = (Z_0, \ldots, Z_{n-1})^T$ and $Z' = (Z_0', \ldots, Z_{n-1}')^T$ are independent vectors of independent and identically distributed components with mean $E(Z_i) = E(Z_i') = 0$ and respective variances $\mathrm{Var}(Z_i) = \rho^2$ and $\mathrm{Var}(Z_i') = \rho'^2$. The polynomial product $ZZ'$ is well-approximated as a multivariate Normal distribution for large $n$ given by $ZZ' \sim N(0;\ n\rho^2\rho'^2 I_n)$.

Proof. The proof is similar to that given for Theorem 1 in [8]. A component $(ZZ')_i$ of $ZZ'$ is the sum of $n$ summands of the form $\pm Z_j Z'_{i-j}$ with mean $E(\pm Z_j Z'_{i-j}) = 0$ and variance $\mathrm{Var}(\pm Z_j Z'_{i-j}) = \rho^2\rho'^2$. Thus the Central Limit Theorem shows that the distribution of this component $(ZZ')_i$ can be approximated for large $n$ as $(ZZ')_i \sim N(0, n\rho^2\rho'^2)$. Furthermore, distinct components $(ZZ')_i$ and $(ZZ')_{i'}$ ($i \neq i'$) have covariance $\mathrm{Cov}((ZZ')_i, (ZZ')_{i'}) = 0$ (the summands have zero means, and no summand of $(ZZ')_i$ shares both of its factors with a summand of $(ZZ')_{i'}$), which gives the result.
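The polynomial-product approximations of Theorem 1 and Lemma 2, as an added Monte Carlo check (editor's code, not the paper's). It multiplies random polynomials modulo $X^n + 1$ using the $\xi$ convention above and compares the empirical component variance with $n\rho^2\rho'^2$ for zero-mean, non-Gaussian factors (the Lemma 2 setting) and with $n\rho^2\rho'^2 + |\mu|^2\rho'^2 + |\mu'|^2\rho^2$ for Gaussian factors with means $\mu, \mu'$; that second expression is my own expansion of one product component, not a formula quoted from the page. It also reports how large the off-diagonal covariance (the matrix $S$ that the Small-S assumption disregards) is relative to the diagonal. The toy $n$, the sampling distributions and all function names are my own choices.

```python
"""Monte Carlo check of the polynomial-product Normal approximations (Theorem 1, Lemma 2).
Editor's example, not the paper's code.  Assumed: toy n, the sampling distributions below,
and the mean-shifted variance formula, which is the editor's expansion of one product
component (each of the n summands xi*(mu_j + rho*eps_j)(mu'_k + rho'*eps'_k) contributes
rho^2 rho'^2 + mu_j^2 rho'^2 + mu'_k^2 rho^2 to the variance).
"""
import numpy as np


def negacyclic_product(h, hp):
    """(hh')_i = sum_j xi(i-j) h_j h'_{i-j mod n}: plain convolution, then fold X^n = -1 back."""
    n = len(h)
    full = np.convolve(h, hp)                      # degree <= 2n-2
    return full[:n] - np.append(full[n:], 0.0)     # coefficient of X^{i+n} enters with sign -1


def simulate_products(n, trials, draw_z, draw_zp, rng):
    """Stack `trials` independent products Z Z' as the rows of a (trials, n) array."""
    return np.array([negacyclic_product(draw_z(rng), draw_zp(rng)) for _ in range(trials)])


def tail_fraction_beyond_2sd(samples):
    """Fraction of standardised entries with |x| > 2; a Normal gives about 0.0455."""
    z = (samples - samples.mean()) / samples.std()
    return float(np.mean(np.abs(z) > 2.0))


def check_lemma2(n=256, trials=2000, seed=1):
    """Lemma 2: Z uniform on {-1,0,1} (variance 2/3), Z' Student-t with 5 degrees of freedom
    (variance 5/3, heavier tail than a Gaussian).  Neither factor is Gaussian, yet each
    product component is close to N(0, n rho^2 rho'^2)."""
    rng = np.random.default_rng(seed)
    rho2, rho2p = 2 / 3, 5 / 3
    prod = simulate_products(n, trials,
                             lambda g: g.integers(-1, 2, size=n).astype(float),
                             lambda g: g.standard_t(5, size=n), rng)
    predicted = n * rho2 * rho2p
    observed = float(prod.var())
    return {"predicted_var": predicted, "observed_var": observed,
            "ratio": observed / predicted, "tail_frac_2sd": tail_fraction_beyond_2sd(prod)}


def check_theorem1(n=256, trials=2000, seed=2, rho=3.2, rhop=3.2):
    """Theorem 1 with non-zero means: Z ~ N(mu; rho^2 I), Z' ~ N(mu'; rho'^2 I) for fixed
    (constructed) integer mean vectors.  Also measures the off-diagonal covariance relative
    to the diagonal, i.e. the size of the matrix S that the Small-S assumption drops."""
    rng = np.random.default_rng(seed)
    mu = rng.integers(-3, 4, size=n).astype(float)
    mup = rng.integers(-3, 4, size=n).astype(float)
    prod = simulate_products(n, trials,
                             lambda g: mu + rho * g.standard_normal(n),
                             lambda g: mup + rhop * g.standard_normal(n), rng)
    predicted = n * rho**2 * rhop**2 + float(mu @ mu) * rhop**2 + float(mup @ mup) * rho**2
    cov = np.cov(prod, rowvar=False)
    diag = np.diag(cov)
    offdiag = cov - np.diag(diag)
    return {"predicted_var": predicted, "observed_var": float(diag.mean()),
            "ratio": float(diag.mean() / predicted),
            "offdiag_to_diag": float(np.abs(offdiag).mean() / diag.mean())}


if __name__ == "__main__":
    print(check_lemma2())
    print(check_theorem1())
```

The tail fraction beyond two standard deviations is a cheap stand-in for a full normality test; with $n = 256$ summands it lands within a few thousandths of the Normal value even though one factor is ternary and the other Student-t, which is the "relatively few summands" point made in the Central Limit Approximations section.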

BGV Noise Analysis
We now give a series of results showing how the noise in a ciphertext output from each BGV operation follows a Gaussian distribution with zero mean and a specified component variance. We begin with Lemma 3 about the noise of a fresh BGV ciphertext, and we note that a similar result can be inferred from Lemma 1 of [9].

Lemma 3. [Fresh]
The noise random variable $V_{fresh}$ for a fresh BGV ciphertext has a Normal distribution given by $V_{fresh} \sim N(0; \rho^2_{fresh} I_n)$, where the component variance $\rho^2_{fresh}$ can be accurately approximated with high probability as $\rho^2_{fresh} \approx (\tfrac43 n + 1)t^2\sigma^2$.

Proof. The first part of the public key $p_0 = [-(as + te)]_q$ (in the notation of Figure 1) can be expressed as $p_0 = -as - te + q\alpha$ for an appropriate integer vector $\alpha$. For the second part of the public key $p_1 = a$, we therefore have $p_0 + sp_1 = -te + q\alpha$. The BGV Critical Value $W_{fresh}$ used for decryption of the fresh ciphertext $(c_0, c_1)$ given by $c_0 = m + p_0u + te_1$ and $c_1 = p_1u + te_2$ corresponding to message $m$ is given by
$$W_{fresh} = c_0 + sc_1 = m + (p_0 + sp_1)u + te_1 + tse_2 = m + t(-ue + e_1 + se_2) + q\alpha u.$$
If the standard deviation of $t(-ue + e_1 + se_2)$ is not too large, reducing the BGV Critical Value $W$ modulo $q$ and then modulo $t$ gives the message $m$. Thus the noise random variable corresponding to the BGV Critical Value $W_{fresh}$ is $V_{fresh} = t(-ue + e_1 + se_2)$. Corollary 1 shows that $-ue \sim N(0; |u|^2\sigma^2 I_n)$ and that $se_2 \sim N(0; |s|^2\sigma^2 I_n)$, so the distribution of the fresh noise random variable $V_{fresh}$ is
$$V_{fresh} \sim N\big(0;\ (1 + |u|^2 + |s|^2)\,t^2\sigma^2 I_n\big).$$
The random vectors $u$ and $s$ have independent Uniform distributions on $\{-1, 0, 1\}^n$, so the squared components $u_i^2$ and $s_i^2$ take the value 1 with probability $\tfrac23$ and 0 with probability $\tfrac13$. Thus $|u|^2$ and $|s|^2$ have Binomial$(n, \tfrac23)$ distributions, so can be approximated by independent Normal $N(\tfrac23 n, \tfrac29 n)$ distributions for large $n$. The distribution of $\rho^2_{fresh} = (1 + |u|^2 + |s|^2)t^2\sigma^2$ can therefore be approximated as a Normal $N\big((\tfrac43 n + 1)t^2\sigma^2,\ \tfrac49 n\, t^4\sigma^4\big)$ distribution, whose standard deviation $\tfrac23\sqrt{n}\, t^2\sigma^2$ is small compared to the mean $(\tfrac43 n + 1)t^2\sigma^2$ of $\rho^2_{fresh}$. Thus $\rho^2_{fresh}$ can be accurately approximated by $(\tfrac43 n + 1)t^2\sigma^2$ with high probability. If the corresponding component standard deviation $(\tfrac43 n + 1)^{1/2} t\sigma$ is small compared to $q$, so it does not generally affect any modular reduction, then the fresh ciphertext noise is $V_{fresh} \sim N(0; \rho^2_{fresh} I_n)$, with noise variance $\rho^2_{fresh} \approx (\tfrac43 n + 1)t^2\sigma^2$.

We now give a series of results about the noise distribution resulting from the application of BGV operations to BGV ciphertexts. We start with Lemma 4 giving the distribution of the noise random variable following the application of the BGV Add operation to two BGV ciphertexts.

Lemma 4. [Add]
Suppose that the noise random variables $V$ and $V'$ for two independent BGV ciphertexts have 0-mean multivariate Normal distributions given by $V \sim N(0; \rho^2 I_n)$ and $V' \sim N(0; \rho'^2 I_n)$. Let $V_{add}$ be the noise random variable for the ciphertext output from the BGV Add operation applied to these two ciphertexts; then $V_{add} \sim N(0; \rho^2_{add} I_n)$, where the component variance $\rho^2_{add}$ is given by $\rho^2_{add} = \rho^2 + \rho'^2$.

Proof. Suppose that $(c_0, c_1)$ and $(c_0', c_1')$ are the independent BGV ciphertexts having respective underlying messages $m$ and $m'$ and having the given noise random variables $V$ and $V'$, so that their Critical Values are $W = m + V$ and $W' = m' + V'$. The BGV Add operation gives the new ciphertext $(c_0 + c_0', c_1 + c_1')$ with Critical Value $W + W'$, message $m + m'$ and noise random variable $V_{add} = V + V' \sim N(0; (\rho^2 + \rho'^2) I_n)$, since $V$ and $V'$ are independent.

The BGV Add operation can also be used to add a ciphertext to itself. For completeness, we also give (without proof) the distribution of the noise random variable for such an integer multiple of a ciphertext in Lemma 5.

Lemma 5. [Integer Multiple]
Suppose that the noise random variable $V$ of a BGV ciphertext $(c_0, c_1)$ has 0-mean multivariate Normal distribution given by $V \sim N(0; \rho^2 I_n)$. The noise random variable of the integer multiple $k(c_0, c_1)$ of the BGV ciphertext $(c_0, c_1)$ for an integer $k$ is $kV \sim N(0; k^2\rho^2 I_n)$.
The application of the BGV Multiply operation to the BGV ciphertexts $(c_0, c_1)$ and $(c_0', c_1')$ gives a 3-part ciphertext
$$(c_0^*, c_1^*, c_2^*) = (c_0c_0',\ c_0c_1' + c_1c_0',\ c_1c_1').$$
This 3-part ciphertext can potentially be decrypted by considering the 3-part Multiply Critical Value
$$W_{mult} = c_0^* + sc_1^* + s^2c_2^* = (c_0 + sc_1)(c_0' + sc_1') = WW',$$
where $W = c_0 + sc_1$ and $W' = c_0' + sc_1'$ are the BGV Critical Values of the original ciphertexts $(c_0, c_1)$ and $(c_0', c_1')$. If $m$ and $m'$ are the messages corresponding to the ciphertexts $(c_0, c_1)$ and $(c_0', c_1')$, then the message $m \cdot m'$ corresponding to this 3-part ciphertext can be found by reducing this Critical Value $W_{mult}$ modulo $q$ and then modulo $t$. The distribution of the noise random variable following the application of the BGV Multiply operation is given in Lemma 6.

Lemma 6. [Multiply]
Suppose that the noise random variables $V$ and $V'$ for two independent BGV ciphertexts have 0-mean multivariate Normal distributions given by $V \sim N(0; \rho^2 I_n)$ and $V' \sim N(0; \rho'^2 I_n)$. Further suppose that the Small-S assumption is valid for the distributions $m + V$ and $m' + V'$, where $m$ and $m'$ are the underlying messages. Let $V_{mult}$ be the noise random variable for the ciphertext output from the BGV Multiply operation applied to these two ciphertexts; then $V_{mult} \sim N(0; \rho^2_{mult} I_n)$, where the component variance $\rho^2_{mult}$ is the component variance of the polynomial product $(m + V)(m' + V')$ given by Theorem 1.

Proof. Suppose that $(c_0, c_1)$ and $(c_0', c_1')$ are the independent BGV ciphertexts having respective underlying messages $m$ and $m'$ and having the given noise random variables $V$ and $V'$, so that $W = c_0 + sc_1 = m + V$ and $W' = c_0' + sc_1' = m' + V'$. The BGV multiplication operation gives the new 3-part ciphertext $(c_0c_0',\ c_0c_1' + c_1c_0',\ c_1c_1')$. The corresponding BGV Critical Value is $W_{mult} = WW' = (m + V)(m' + V')$, with underlying message $mm'$, so the noise random variable is $V_{mult} = (m + V)(m' + V') - mm'$. The corresponding noise random variable $V_{mult}$ therefore has the same covariance matrix as the product of $m + V \sim N(m; \rho^2 I_n)$ and $m' + V' \sim N(m'; \rho'^2 I_n)$. The result then follows from Theorem 1 and Corollary 1.
Remark 1. In practice, to use Lemma 6, we need to approximate $|m|^2$ and $|m'|^2$. If the components of $m$ and $m'$ can be regarded as being independently and uniformly distributed on the set of plaintext coefficients, then $|m|^2$ and $|m'|^2$ can be replaced by their expected values.

The BGV Relinearize operation is used to convert a 3-part ciphertext arising after a BGV Multiply operation to a standard 2-part BGV ciphertext. The distribution of the noise random variable following the application of a BGV Relinearize operation of the form described in Figure 1 is given in Lemma 7. The result is analogous to prior results [9,20,29] about the BGV and BFV Relinearize operations.
We note that well-known implementations of BGV use more extensively optimised variants of this basic BGV Relinearize operation, so this result may need adapting for such optimised variants.

Lemma 7 [Relinearize]. Suppose that a 3-part BGV ciphertext arising from a BGV Multiply operation has a 0-mean multivariate Normal noise random variable given by $V \sim N(0; \rho^2 I_n)$. Consider a BGV Relinearize operation with $\ell + 1$ terms in the base-$w$ decomposition of an integer modulo $q$, where $\ell = \lfloor \log_w q \rfloor$, in which a coefficient in $\{-\frac{1}{2}(q-1), \dots, \frac{1}{2}(q-1)\}$ is represented as a vector with $\ell + 1$ components lying between $-\frac{1}{2}w$ and $\frac{1}{2}w$. Let $V_{relin}$ be the noise random variable for the ciphertext output from such a BGV Relinearize operation. Then $V_{relin} \sim N(0; \rho^2_{relin} I_n)$, where the component variance $\rho^2_{relin}$ is determined by the expression for $V_{relin}$ derived below.

Proof. We consider the 3-part ciphertext $(c_0^*, c_1^*, c_2^*)$ arising from the application of the BGV Multiply operation to the ciphertext $(c_0, c_1)$ and the ciphertext $(c_0', c_1')$. For a BGV scheme with parameter $\ell$, the ciphertext component $c_2^*$, a polynomial with coefficients between $-\frac{1}{2}(q-1)$ and $\frac{1}{2}(q-1)$, is expressed in base $w$ as $c_2^* = \sum_{i=0}^{\ell} g_i w^i$ in terms of decomposition polynomials $g_0, \dots, g_\ell$. The integer coefficients $g_{ij}$ of these decomposition polynomials $g_i$ can be regarded as independent random variables lying uniformly between $-\frac{1}{2}w$ and $\frac{1}{2}w$, so we have $E(g_{ij}) = 0$ and $\mathrm{Var}(g_{ij}) = \frac{1}{12}w^2$. The BGV Relinearize operation transforms this 3-part ciphertext into a standard 2-part BGV ciphertext by using the Evaluation Keys $(\alpha_i, \beta_i)$, where $\beta_0, \dots, \beta_\ell$ are independent random elements of $R_q$ and $d_0, \dots, d_\ell$ are independent random variables with the error distribution $\chi$, and we note that $\alpha_i + s\beta_i = s^2 w^i - t d_i$. The output of the BGV Relinearize operation is a 2-part ciphertext whose BGV Critical Value $W_{relin}$ is obtained by substituting these Evaluation Keys into the 3-part Critical Value.
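As an added derivation (supplied by the editor, not text of the paper as extracted), the component variance implied by the proof of Lemma 7 follows from the expression $V_{relin} = V - t\sum_{i=0}^{\ell} d_i g_i$ under the modelling the proof adopts: the $g_{ij}$ are independent and uniform with variance $w^2/12$; the $d_i$ are independent with zero mean and, as an assumption not stated above, component variance $\sigma^2$ for the error distribution $\chi$; each coefficient of the ring product $d_i g_i$ is, as in $\mathbb{Z}[x]/(x^n+1)$, a sum of $n$ products $d_{ik}\,g_{i,j-k}$ of independent coordinates (wrap-around signs do not change variances); and $V$ is independent of the $d_i g_i$.

```latex
\mathrm{Var}\big((d_i g_i)_j\big)
  = \sum_{k=1}^{n} \mathrm{Var}(d_{ik})\,\mathrm{Var}(g_{i,j-k})
  = n\,\sigma^2\,\frac{w^2}{12},
\qquad i = 0, \dots, \ell,
\\[4pt]
\rho^2_{relin}
  = \mathrm{Var}\big((V_{relin})_j\big)
  = \rho^2 + t^2 \sum_{i=0}^{\ell} \mathrm{Var}\big((d_i g_i)_j\big)
  = \rho^2 + \frac{(\ell+1)\,n\,t^2\,\sigma^2\,w^2}{12}.
```

The first line uses $E(d_{ik}) = E(g_{ij}) = 0$, so that $\mathrm{Var}(d_{ik} g_{i,j-k}) = E(d_{ik}^2)\,E(g_{i,j-k}^2)$, together with the fact that summands for distinct $k$ involve distinct independent coordinates. The independence of $V$ and the $g_i$ is the heuristic step: the $g_i$ are a deterministic function of $c_2^*$, which is itself correlated with $V$, so this is the same modelling choice as in the prior results [9,20,29] rather than an exact statement.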
Thus the BGV Relinearize operation has noise random variable $V_{relin}$ given by $V_{relin} = V - t\sum_{i=0}^{\ell} d_i g_i$.

bounds as developed in [9] following Iliashenko [20]. Our experiments use HElib version 2.2.1 and SEAL version 4.0. We show that our average-case analysis can tightly estimate the practical noise growth, thus narrowing the gap between worst-case predicted noise and practically observed noise highlighted in [9]. To do so, we consider the homomorphic evaluation of two circuits. The results for HElib are displayed in Tables 1 and 2 respectively, and the results for SEAL in Tables 3 and 4 respectively. The first circuit considered is the same circuit as was used in [9]. The evaluation in the $i$-th trial is as follows. First, fresh ciphertexts $\mathrm{ct}_1$ and $\mathrm{ct}_2$ encrypting $i + 1$ and $i$ are generated. Next, $\mathrm{ct}_3$ is generated as the homomorphic addition of $\mathrm{ct}_1$ and $\mathrm{ct}_2$. Next, $\mathrm{ct}_4$ is generated as the homomorphic multiplication of $\mathrm{ct}_3$ and $\mathrm{ct}_2$. For $n > 2048$, $\mathrm{ct}_5$ is generated by modulus switching $\mathrm{ct}_4$ down to the next prime in the chain (for $n = 2048$ the parameters are too small to support this operation). We measure the noise budget after each operation and output an average over 10000 trials. The results for HElib and SEAL are presented in Table 1 and Table 3 respectively.
We also explore the noise growth in a second, deeper circuit, using the same parameter settings as the previous experiment. The evaluation in the $i$-th trial is as follows. First, fresh ciphertexts $\mathrm{ct}_1, \dots, \mathrm{ct}_8$ encrypting $i + 1, \dots, i + 8$ respectively are generated. Next, ciphertexts $\mathrm{ct}_9, \dots, \mathrm{ct}_{12}$ are generated as the multiplication of $\mathrm{ct}_1$ and $\mathrm{ct}_2$; ...; $\mathrm{ct}_7$ and $\mathrm{ct}_8$ respectively. Next, ciphertexts $\mathrm{ct}_{13}$ and $\mathrm{ct}_{14}$ are generated as the multiplication of $\mathrm{ct}_9$ and $\mathrm{ct}_{10}$, and of $\mathrm{ct}_{11}$ and $\mathrm{ct}_{12}$, respectively. Finally, ciphertext $\mathrm{ct}_{15}$ is generated as the multiplication of $\mathrm{ct}_{13}$ and $\mathrm{ct}_{14}$. We measure the noise budget after each multiplication and output an average over 10000 trials. The results for HElib and SEAL are presented in Table 2 and Table 4 respectively.
For both circuits, the HElib parameters were chosen as follows.The standard deviation of the error distribution was set to σ = 3.2, the ring dimension was set to n ∈ {2048, 4096, 8192, 16384} and the corresponding maximal ciphertext modulus q was set so that log q ∈ {54, 109, 218, 438}.The plaintext modulus was set as t = 3.Other parameters are set according to HElib default parameter settings, detailed in [9].The parameter set n = 2048 is omitted in Table 2 as it is too small to support the homomorphic evaluation of the circuit.
For both circuits, the SEAL parameters were chosen as follows.The standard deviation of the error distribution was set to σ = 3.2, the ring dimension was set to n ∈ {4096, 8192, 16384, 32768} and the corresponding maximal ciphertext modulus q was set so that log q ∈ {109, 218, 438, 881}.The plaintext modulus was set to be a suitable integer of 20 bits, a default choice in the SEAL examples.In SEAL, the parameter sets with n ∈ {4096, 8192} were too small to support the deeper circuit.
We present average-case bounds for each operation as follows: we trace the component variance of the noise polynomial through each operation, using the formulae in Figure 4. We model the variance after multiplication as in Remark 1. We then translate the variance after each operation into a bound on the noise after each operation following the approach described in [8]. That is, we allow an error tolerance $\alpha$ (we set $\alpha = 0.001$ in the experiments), such that our noise bound is exceeded with probability $\alpha$.

Lemma 9 ([8]). Suppose a noise polynomial $Z$ is distributed as $N(0, \rho^2 I_n)$. For a threshold $T > 0$, the error tolerance $\alpha = P(\|Z\|_\infty > T)$ satisfies

We express our results in terms of the noise budget (Definition 7). Loosely speaking, the noise budget is the number of bits left for homomorphic computation before a wraparound modulo $q$ that would lead to decryption failure.

Definition 7 ([9]). Let $\mathrm{ct}$ be a BGV ciphertext with respect to modulus $q$ having Critical Value $W$ modulo $q$. The noise budget for this ciphertext is defined as

The HElib results in Tables 1 and 2 show that the average-case approach much more closely models the observed noise growth for fresh ciphertexts, addition, and multiplication. While the average-case modelling does not completely close the heuristic-to-practical gap identified in [9], the improvement is still significant. For example, the gap is reduced by as much as 25 bits in the case of the deeper circuit.
The SEAL results of Tables 3 and 4 are even more promising and show that the average-case heuristics tightly model the observed noise growth for fresh ciphertexts, addition, and multiplication, including deeper multiplication.In most cases, the heuristic-to-practical gap is reduced to only 3-5 bits.
There are some discrepancies between the SEAL implementation and the heuristic estimates that may account for differences between the observed and predicted behaviour.For example, in Table 4, for n = 16384, after the third multiplication, the average-case heuristic overestimates the remaining noise budget by one bit.We do not relinearize (in doing so, diverging from the SEAL recommendations), so by the third multiplication in the second circuit, the ciphertexts are much larger.This introduces additional noise not accounted for in the heuristics.We would expect such an additional noise to increase as n increases, and this expectation is confirmed by the results for n = 32768.Moreover, modifying our experiments to relinearize inputs before the next multiplication significantly reduces (but does not totally account for) the overestimation.
For modulus switching, in both libraries, the remaining noise budget is overestimated by the average-case approach.This may also be due to specificities in the libraries.For example, in our HElib implementation we modulus switch to the 'natural' prime set following the expected usage of the library, whereas the heuristic analyses are for a general situation of modulus switching to any p.Modifying HElib to explore this further is beyond the scope of this work.
Both our worst-case and average-case heuristic estimates assume that the secret distribution is uniform ternary, as is done in our analysis of Section 3. The secret distribution in HElib is also ternary, but with a slightly different variance. We found that this discrepancy impacts the heuristic-to-practical gap only minimally. Indeed, adapting the heuristics for the HElib secret distribution made no difference in the predicted remaining average-case noise budget in low-depth computation, while for larger $n$, and after two or more multiplications, the predicted remaining noise budget was 2 bits closer to the observed remaining noise budget.

The results for $n = 4096$ in Table 3 give an interesting example where the worst-case approach predicts that there is no remaining noise budget after the multiplication, suggesting that the parameter set is too small to support the evaluation of this circuit. In contrast, the average-case analysis predicts there are 6 bits remaining, and indeed there is an observed average remaining noise budget of 8 bits.

To further illustrate the utility of the average-case approach, we now exhibit additional specific computations for which the average-case approach predicts smaller parameters to support the computation than the worst-case approach. The examples here are illustrative and we expect that many other such circuits could be found. To characterise a broad range of circuits, we focus on an $L$-level circuit with $\zeta$ additions and one multiplication at each level. We fix ciphertext moduli $q$ that achieve 128-bit security according to the Homomorphic Encryption Security Standard [1] for error distribution standard deviation $\sigma = 3.2$, uniform ternary secret, and $n \in \{4096, 8192, 16384\}$; and allow the plaintext modulus $t$ to vary. Given a circuit parameterised by $L$, $\zeta$ and $t$, we investigate the predicted noise growth for different parameter sets according to the average-case and worst-case approaches.

Table 1. The column x gives the observed mean of the noise budget in HElib ciphertexts over 10000 trials of the homomorphic evaluation described in the first circuit and in [9], for parameter sets with dimension $n \in \{2048, 4096, 8192, 16384\}$. The column W gives an estimate of the noise budget using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget using an average-case approach.

Table 2. The column x gives the observed mean of the noise budget in HElib ciphertexts over 10000 trials of the homomorphic evaluation described above in the second circuit, for parameter sets with dimension $n \in \{4096, 8192, 16384\}$. The column W gives an estimate of the noise budget using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget using an average-case approach.

Table 3. The column x gives the observed mean of the noise budget in SEAL ciphertexts over 10000 trials of the homomorphic evaluation described in the first circuit and in [9], for parameter sets with dimension $n \in \{4096, 8192, 16384, 32768\}$. The column W gives an estimate of the noise budget using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget using an average-case approach.

Table 4. The column x gives the observed mean of the noise budget in SEAL ciphertexts over 10000 trials of the homomorphic evaluation described above in the second circuit, for parameter sets with dimension $n \in \{16384, 32768\}$ (the sets with $n \in \{4096, 8192\}$ are too small to support this circuit). The column W gives an estimate of the noise budget using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget using an average-case approach.
We exhibit in Table 5 an example for L = 3, ζ = 8, and t = 256, following parameter choices in [9].It can be seen that the worst-case approach indicates that the n = 16384 parameter set is required, while the average-case approach indicates that n = 8192 suffices.In Table 6, we see another example, for L = 2, ζ = 3, and t = 257.In this situation, the average-case approach predicts that the n = 4096 parameter set suffices to support the computation, while the worst-case approach suggests n = 8192 is required.We implemented this latter circuit in HElib, and found indeed that the computation could be supported with n = 4096.

A CLT approach to SymHom noise analysis
In this section, we present a Central Limit approach to SymHom noise analysis. For simplicity, we restrict our discussion to the situation where $m$ is prime, though our arguments apply more generally.

Table 5. The column W gives an estimate of the noise budget for the circuit parameterised by $L = 3$, $\zeta = 8$, $t = 256$, for the parameter set determined by the ring dimension $n$, using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget for the same circuit using an average-case approach.

Table 6. The column W gives an estimate of the noise budget for the circuit parameterised by $L = 2$, $\zeta = 3$, $t = 257$, for the parameter set determined by the ring dimension $n$, using worst-case heuristic bounds following [9]. The column A gives an estimate of the noise budget for the same circuit using an average-case approach.

    n      W      A
 4096      0     19
 8192    105    124

Additional background
In this section, we introduce some relevant definitions. Definition 8 specifies the $p\Gamma$-basis for $H$, in which elements of $H$ are expressed as real-valued vectors. The $p\Gamma$-basis arises as the embedding of a basis of conjugate pairs for $R^\vee$. The $p\Gamma$-basis is a more convenient basis for $H$ in the case when $m$ is prime, and is a suitable basis for decryption.

Definition 8. The $p\Gamma$-basis for $H$ is given by the columns of the matrix $p\Gamma$ (for $p$ prime), where

In Figure 5, we summarise our notation for elements of $H$ expressed with respect to the various bases. If $Z$ is a vector expressing an element of $H$ as a vector of conjugate pairs in the $I$-basis (or standard basis) for $H$, then we have real-valued vectors $Z^\ddagger = T^\dagger Z$ and $Z^* = (p\Gamma)^{-1} Z$ expressing this element as a vector in the $T$-basis and the $p\Gamma$-basis for $H$ respectively.

The change of basis transformations between the $T$-basis and the $p\Gamma$-basis are summarised in Figure 6, and the relevant properties of the (scaled) change-of-basis matrix $\Delta = \Gamma^{-1} T$ are given in Lemma 10.

Proof. It is clear that $\Delta = \Gamma^{-1} T$ is invertible as both $\Gamma^{-1}$ and $T$ are invertible. The matrix $\Delta^{-1}$ and hence $\Delta$ are real matrices. Thus we have the stated form of $\Delta\Delta^T$. We note that $\Gamma^\dagger_{jk} = m^{-1}(1 - \zeta_m^{-jk})$.

The noise in a SymHom ciphertext obtained as the output of a homomorphic multiplication of two fresh ciphertexts is the product of the noises in the input ciphertexts. We will therefore be interested in the $\otimes$-product (Definition 9) of two elements of $H$ expressed in the $T$-basis.

Definition 9. The $\otimes$-product of two real vectors $u = (u_{11}, u_{12}, \ldots$
The $\otimes$-product of two vectors in $H$ expressed in the $T$-basis is the expression in the $T$-basis of the componentwise product of those two vectors when expressed in the $I$-basis.

A Central Limit approach to approximate the distribution of $C^{(p\Gamma)}$
To obtain a Normal approximation for a weighted sum $\sum_{j=1}^{n} a_j X_j$ of the form encountered in SymHom, we need a general form of the Central Limit Theorem, formally given by the Lindeberg condition [3,34]. We state such a Central Limit result in Lemma 11. Informally, Lemma 11 says that the weighted sum $\sum_{j=1}^{n} a_j X_j$ of the form encountered in Ring-LWE has an approximate Normal distribution for moderate or large $n$ provided that the absolute weights $|a_j|$ are not dominated by just a few values.

Lemma 11. Suppose $X_1, X_2, \dots$ are independent and identically distributed continuous random variables that are symmetric about 0 with mean $E(X_j) = 0$ and variance $\mathrm{Var}(X_j) = 1$, and that have common density function $f_{X_j}$, and suppose that for constants $a_1, a_2, \dots$ the sum $\sum_{j=1}^{l} a_j X_j$ has variance function $a(l)^2 = \sum_{j=1}^{l} a_j^2$, and that the functions $a_j$ are defined by $a_j(l) = |a_j| / a(l)$. In this case, Lindeberg's condition is that for any given $\varepsilon > 0$, the sum
If Lindeberg's condition is satisfied, then $a(l)^{-1} \sum_{j=1}^{l} a_j X_j$ tends in distribution to a standard Normal $N(0, 1)$ distribution as $l \to \infty$.

Proposition 1 gives a Central Limit approximation to a weighted multivariate sum of the form $AX$ for independent and identically distributed random variables $X_1, \dots, X_n$. This proposition is a summary of the Lindeberg condition for a Central Limit Theorem and essentially states that a good Normal approximation exists for the weighted sum if enough of the largest (in absolute value) weights are of comparable size. Concretely, in a typical parameter situation of Ring-LWE where we have $n > 10^2$ (or $n > 10^3$ in the case of homomorphic encryption), we can expect Proposition 1 to give a good approximation when as few as (for example) about 20 of the largest weights are comparable.

Proposition 1. Suppose that $X = (X_1, \dots, X_n)$ has components $X_1, \dots, X_n$ that are independent and identically distributed random variables with mean $E(X_j) = 0$ and finite variance $\mathrm{Var}(X_j) = \rho^2$, so $X$ has covariance matrix $\rho^2 I_n$. If $A$ is an $n \times n$ matrix whose entries $A_{jk}$ are not dominated by just a few of these entries, then for moderate or large $n$ the transformed random variable $AX$ can be approximated as a multivariate Normal distribution, $AX \sim N(0, \rho^2 A A^T)$.
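As an added illustration of Proposition 1 and of the Lindeberg condition behind Lemma 11 (example code supplied by the editor, not from the paper), the following Python contrasts a weighted sum whose weights are comparable with one dominated by a single weight. For reference, Lindeberg's condition in the notation of Lemma 11 is the standard one, $\sum_{j=1}^{l} a_j(l)^2\,E\big[X_j^2\,\mathbf{1}\{a_j(l)|X_j| > \varepsilon\}\big] \to 0$ as $l \to \infty$ for every $\varepsilon > 0$; it implies $\max_j a_j(l)^2 \to 0$, which is the quantity the code reports. The summands are symmetric $\pm 1$ (Rademacher) variables, which have finite variance as Proposition 1 requires but are discrete rather than continuous, and the weight vectors are constructed for the demonstration.

```python
"""Normal approximation of weighted sums sum_j a_j X_j versus weights dominated by one term.

Added example, not code from the paper.  X_j are i.i.d. symmetric +-1 (Rademacher)
variables: mean 0, variance 1, finite variance, far from Normal, so any Normal
behaviour of the sum comes from the Central Limit effect alone.  The weight
vectors used in __main__ are constructed for the demonstration.
"""
import math
import random


def max_weight_share(weights):
    """Largest a_j^2 / a(l)^2 with a(l)^2 = sum_j a_j^2.

    Lindeberg's condition implies this share tends to 0 (Feller's condition);
    a share near 1 means the sum is essentially a single rescaled X_j.
    """
    total = sum(w * w for w in weights)
    return max(w * w for w in weights) / total


def normal_two_sided_tail(x):
    """P(|N(0,1)| > x) = 2 Q(x), the reference value under a perfect Normal approximation."""
    return math.erfc(x / math.sqrt(2.0))


def empirical_two_sided_tail(weights, x, trials=20000, seed=3):
    """Fraction of trials with |sum_j a_j X_j| > x * a(l) for Rademacher X_j.

    Under a good Normal approximation this is close to normal_two_sided_tail(x).
    """
    rng = random.Random(seed)
    scale = math.sqrt(sum(w * w for w in weights))
    hits = 0
    for _ in range(trials):
        s = sum(w if rng.random() < 0.5 else -w for w in weights)
        if abs(s) > x * scale:
            hits += 1
    return hits / trials


def compare(weights, x=2.0):
    """Returns (max weight share, empirical tail, Normal reference tail) for one weight vector."""
    return max_weight_share(weights), empirical_two_sided_tail(weights, x), normal_two_sided_tail(x)


if __name__ == "__main__":
    balanced = [1.0] * 20                 # 20 comparable weights: share 0.05
    dominated = [100.0] + [1.0] * 20      # one weight carries about 99.8% of the variance
    for name, w in (("balanced", balanced), ("dominated", dominated)):
        share, emp, ref = compare(w)
        print(f"{name:9s} max share {share:.3f}  P(|S| > 2 a(l)): empirical {emp:.4f}, Normal {ref:.4f}")
```

With twenty equal weights the empirical two-sided tail at $2a(l)$ is already close to the Normal value $2Q(2) \approx 0.0455$, even though each summand takes only two values. With one weight of 100 among twenty weights of 1 the sum never leaves the band $\pm(100 \pm 20)$, so the tail beyond $2a(l) \approx 200$ is exactly zero and no Normal approximation is usable: this is the "dominated by a few values" failure mode that Proposition 1 excludes.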
In Proposition 2, we apply Proposition 1 to approximate the distribution of the noise in a SymHom ciphertext expressed in an appropriate decryption basis.We note the proof of Proposition 2 is complicated by the fact that a pair of random variables in the T -basis arising as the image of a conjugate pair in the I-basis are uncorrelated but not independent (see for example Lemma 10).
Proposition 2. Suppose that $C^{(T)}$ is a vector expressing the noise in a Ring-LWE ciphertext in the $T$-basis for $H$, so that a component $c^{(T)}_j$ of $C^{(T)}$ has variance $\rho^2$. Suppose further that the $S$-basis given by the columns of the $n \times n$ matrix $S$ is an appropriate basis of $H$ for decryption, and that $\Psi = S T^{-1}$ is the change of basis matrix from the $T$-basis to the $S$-basis for $H$. If the entries $\Psi_{jk}$ of $\Psi$ are not dominated by just a few values, then the distribution of the noise $C^{(S)}$ in this ciphertext in the (decryption) $S$-basis for $H$ can be approximated, for moderate or large $n$, as a multivariate Normal distribution. In particular, the $p\Gamma$-basis for $H$ yields $C^{(p\Gamma)} \sim N(0; p^2 \rho^2 (mI - J))$.

The components of $C'^{(T)}$ are independent and identically distributed with mean 0 and variance $\rho^2$, so Proposition 1 gives $\Psi' C'^{(T)} \sim N(0; \rho^2 \Psi' \Psi'^T)$, and we similarly have $\Psi'' C''^{(T)} \sim N(0; \rho^2 \Psi'' \Psi''^T)$. The sum $\Psi C^{(T)}$ is the sum of two uncorrelated approximate multivariate Normal random variables, so has an approximate Normal distribution with covariance matrix

The Central Limit Theorem is formally a statement about the convergence (in distribution) of an appropriate weighted sum of random variables to a Normal distribution in the limit as the number of summands $n$ tends to infinity. When such a result is applied in a concrete setting with a fixed finite $n$, it is reasonable to question the speed of this convergence, and in particular how accurate the approximation is. This issue is made more precise in a companion work [27], and can be verified empirically.

SymHom decryption using the pΓ -basis
We now specify a decryption process for the SymHom cryptosystem using the pΓbasis of H (though any appropriate basis can be used).We recall (see Figure 5) that we write Z ‡ and Z * to express an element of H as a vector in the T -basis and the pΓ -basis respectively.
Decryption of a degree-1 ciphertext polynomial $C(\theta; \mu)$ begins by evaluating this polynomial at the secret $s$. We obtain information about the noise since $C(s; \mu) = Y(\mu) \bmod R^\vee_q$. If we embed $C(s; \mu)$ in $H$ under $\sigma$ and perform a reduction modulo $q$ with respect to the $p\Gamma$-basis, then we obtain an integer vector $[\sigma(C(s; \mu))]^{p\Gamma}_q$ with entries in $[-\frac{1}{2}q, \frac{1}{2}q)$. The Embedded Noise $Y(\mu)$ is expressed in the $I$-basis for $H$, so $Y(\mu)$ is expressed with respect to the $T$-basis of $H$ as the real vector $Y(\mu)^\ddagger = T^\dagger Y(\mu)$. However, the change of basis from this $T$-basis to the $p\Gamma$-basis of $H$ is given by $p^{-1}\Delta = p^{-1}\Gamma^{-1} T$, so there is a real transformation $Y(\mu)^* = p^{-1}\Delta\, Y(\mu)^\ddagger$ that gives a real vector $Y(\mu)^*$ specifying the Embedded Noise expressed in the $p\Gamma$-basis for $H$. This allows us to write $Y(\mu)^* = [\sigma(C(s; \mu))]^{p\Gamma}_q$ if the Embedded Noise is small enough. In this case, we can recover the real vector $Y(\mu)^*$ and hence the real Embedded Noise vector $Y(\mu)^\ddagger$ with respect to the $T$-basis. This allows us to determine the coset representative $\sigma(t^{-1}\mu)$ for the coset of the lattice $\sigma(pR^\vee)$ corresponding to the plaintext $\mu \in R_p$. Thus if the Embedded Noise is small enough with high probability, then we can recover the plaintext $\mu$ with high probability.

Decryption Failure Probabilities in the SymHom cryptosystem
We now present in Theorem 2 and Corollary 2 our main results of this section, which give (respectively) bounds for the probability of the incorrect decryption of degree-1 and degree-2 SymHom ciphertexts.Both results follow from the fact that SymHom decryption using (for example) the pΓ -basis for H fundamentally involves a change of basis transformation between bases for H ultimately to the pΓ -basis.
In the following, we denote by $Q$ the "Q-function" giving the upper tail probability for a standard Normal $N(0, 1)$ distribution, so $Q(x) = P(Z > x)$ for $Z \sim N(0, 1)$. This tail probability $Q(x)$ is bounded by its asymptotic expansion, so
$$Q(x) \le \frac{\exp(-\frac{1}{2}x^2)}{(2\pi)^{1/2}\, x} \quad (x > 0),$$
and we note that this bound is very tight even for moderate values of $x > 0$.
Theorem 2. If $\eta_1(n, q, \rho) = \frac{1}{2}(n^{1/2}\rho)^{-1} q$ is moderate or large, then the probability of the incorrect decryption of a SymHom degree-1 ciphertext in the $p\Gamma$-basis for $H$ is bounded by
$$P\big(\text{Incorrect decryption of SymHom degree-1 ciphertext in } p\Gamma\text{-basis}\big) \le \frac{2n \exp(-\frac{1}{2}\eta_1^2)}{(2\pi)^{1/2}\,\eta_1}.$$

We can now give a bound for the probability of decryption failure for a degree-1 ciphertext using the $\Gamma$-basis. In this case, decryption fails if the absolute size of any component of the noise vector exceeds $\frac{1}{2}q$, so taking $\alpha = \frac{1}{2}q$ for moderate and large $\eta_1(n, q, \rho) = \frac{1}{2}(n^{1/2}\rho)^{-1} q$

Proof (of Corollary 2). The decryption of a SymHom degree-2 ciphertext $C(\theta; \mu_1, \mu_2)$ involves processing this ciphertext as $[\sigma(C(s; \mu_1, \mu_2))]^{m^{-1}p\Gamma}_q$, that is to say by regarding this Embedded Noise as a vector with respect to the rescaled decoding conjugate-pair $m^{-1}p\Gamma$-basis. The processing of a degree-2 ciphertext therefore fundamentally involves change of basis transformations for bases for $H$, ultimately to the $m^{-1}p\Gamma$-basis. Thus we can adapt the argument of the proof of Theorem 2 simply by using the appropriate moments, and so we can replace $\rho$ in $\eta_1$ with $mp\rho_1\rho_2$ to give $\eta_2 = \eta_1(n, q, mp\rho_1\rho_2) = \frac{1}{2}(n^{1/2} mp\rho_1\rho_2)^{-1} q$.

$c^{(T)}_1, \dots, c^{(T)}_n$ of $C^{(T)}$ are identically distributed random variables that are uncorrelated and, in general, independent, having zero mean $E(c^{(T)}_j) = 0$ and some finite variance $\mathrm{Var}(c^{(T)}_j) = \rho^2$. Thus a component $c^{(p\Gamma)}_j$
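The following Python (added by the editor; not code from the paper, HElib or SEAL) serves two passages: the Lemma 9 step of the BGV experiments, where a component variance $\rho^2$ and an error tolerance $\alpha$ are turned into a threshold $T$ on $\|Z\|_\infty$ that is exceeded with probability at most $\alpha$, and Theorem 2, whose bound $2n\exp(-\frac{1}{2}\eta_1^2)/((2\pi)^{1/2}\eta_1)$ is $2n$ times the asymptotic bound on $Q(\eta_1)$. It models the $n$ noise components as independent $N(0, \rho^2)$; that independence is an assumption made here so that the exact tail of $\|Z\|_\infty$ can be written down (the statement of Lemma 9 above does not reproduce its formula). The parameter values in `__main__` are constructed for the demonstration and are not taken from the paper's tables.

```python
"""Gaussian sup-norm tail bounds used for noise-budget thresholds and decryption failure.

Added example, not code from the paper.  It treats the n components of a noise
vector as independent N(0, rho^2) (an assumption made here) and gives
(a) the exact tail of ||Z||_inf, the union bound 2n Q(T/rho) and its asymptotic form,
(b) the threshold T for a given error tolerance alpha (the Lemma 9 inversion), and
(c) the Theorem 2 bound 2n exp(-eta_1^2/2) / (sqrt(2 pi) eta_1) for SymHom
    degree-1 decryption, with eta_1 = q / (2 sqrt(n) rho).
"""
import math


def q_function(x):
    """Upper tail Q(x) = P(Z > x) of a standard Normal, via the complementary error function."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def q_asymptotic_bound(x):
    """Asymptotic upper bound Q(x) <= exp(-x^2/2) / (x sqrt(2 pi)), valid for x > 0."""
    if x <= 0.0:
        raise ValueError("bound only holds for x > 0")
    return math.exp(-0.5 * x * x) / (x * math.sqrt(2.0 * math.pi))


def sup_norm_tail(n, rho, threshold):
    """Exact P(||Z||_inf > T) for Z ~ N(0, rho^2 I_n) with independent components.

    Equals 1 - (1 - 2Q(T/rho))^n, evaluated with log1p/expm1 so that tails far
    below machine epsilon are still resolved.
    """
    two_sided = 2.0 * q_function(threshold / rho)
    return -math.expm1(n * math.log1p(-two_sided))


def union_bound_tail(n, rho, threshold):
    """Union bound P(||Z||_inf > T) <= 2n Q(T/rho); slightly looser than sup_norm_tail."""
    return 2.0 * n * q_function(threshold / rho)


def threshold_for_tolerance(n, rho, alpha, iterations=100):
    """Smallest T with sup_norm_tail(n, rho, T) <= alpha, found by bisection.

    The tail is strictly decreasing in T, so the bracket [lo, hi] always has
    tail(lo) > alpha >= tail(hi) and hi converges to the answer from above.
    """
    lo, hi = 0.0, rho
    while sup_norm_tail(n, rho, hi) > alpha:
        hi *= 2.0
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if sup_norm_tail(n, rho, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def symhom_degree1_failure_bound(n, q, rho):
    """Theorem 2: returns (eta_1, bound) with eta_1 = q / (2 sqrt(n) rho) and
    bound = 2n exp(-eta_1^2/2) / (sqrt(2 pi) eta_1), i.e. 2n * q_asymptotic_bound(eta_1)."""
    eta_1 = 0.5 * q / (math.sqrt(n) * rho)
    return eta_1, 2.0 * n * q_asymptotic_bound(eta_1)


if __name__ == "__main__":
    n, rho, alpha = 4096, 3.2, 0.001   # constructed values
    T = threshold_for_tolerance(n, rho, alpha)
    print(f"n={n} rho={rho}: ||noise||_inf <= {T:.2f} except with probability {alpha}")
    print(f"  exact tail {sup_norm_tail(n, rho, T):.3e}, union bound {union_bound_tail(n, rho, T):.3e}")
    eta_1, bound = symhom_degree1_failure_bound(n=1024, q=2 ** 20, rho=8.0)
    print(f"SymHom degree-1: eta_1={eta_1:.2f}, P(failure) <= {bound:.3e}")
```

For $n = 4096$ and $\alpha = 0.001$ the threshold comes out at about $5.16\rho$, which is the value that Definition 7 would then convert into a remaining noise budget against $q$. The union bound and the exact tail differ only in second order ($n(n-1)p^2/2$ for a per-component two-sided tail $p$), which is why the much simpler $2nQ(\cdot)$ form is what Theorem 2 uses.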

Definition 5 ([26]). The univariate Balanced Reduction function $R$ on $\mathbb{R}$ is the random function
$$R(a) = \begin{cases} 1 - (a - \lfloor a \rfloor) & \text{with probability } a - \lfloor a \rfloor, \\ -(a - \lfloor a \rfloor) & \text{with probability } 1 - (a - \lfloor a \rfloor). \end{cases}$$
The multivariate Balanced Reduction function $R$ on $\mathbb{R}^l$ with support on $[-1, 1]^l$ is the random function $R = (R_1, \dots, R_l)$ with component functions $R_1, \dots, R_l$ that are independent univariate Balanced Reduction functions.

Lemma 10. The change of basis matrix from the $T$-basis to the $p\Gamma$-basis of $H$ is the real invertible matrix $p^{-1}\Delta$, where $\Delta = \Gamma^{-1} T$ satisfies $\Delta\Delta^T = mI - J$.

Fig. 5. Notation for the expression of an element of $H$ as a vector in the various different vector space bases for $H$. Note that $p$ is a scaling factor.

Fig. 6. Change of basis matrices for the $T$-basis and $p\Gamma$-basis for $H$, in which elements of $H$ are expressed as real-valued vectors.

$\Gamma^\dagger_{jk} = m^{-1}(1 - \zeta_m^{-jk})$ and that $\sum_{l=1}^{n} \zeta_m^{l} = -1$, and so on. Thus $\sum_{l=1}^{n} \zeta_m^{l(j-k)} = n$ if $k = j$ and $-1$ if $k \neq j$ (for $1 \le k, j \le n$), which yields $\Delta\Delta^T = mI - J$.

of $C^{(T)}$ has mean $E(c^{(T)}_j) = 0$ and finite variance $\mathrm{Var}(c^{(T)}_j)$

Proof (of Proposition 2). We can split $\Psi = (\Psi' \mid \Psi'')$ into two $n \times n$ submatrices, and we similarly split $C^{(T)} = \big(C'^{(T)} \; C''^{(T)}\big)^T$ into the first $n$ components $C'^{(T)}$ and the final $n$ components $C''^{(T)}$. Furthermore, their conjugate-pair origin means that $C'^{(T)}$ and $C''^{(T)}$ are uncorrelated. The components