BFV bootstrapping vs leveled scheme

Question

I am trying to understand how BFV leveled scheme is different from BGV leveled scheme? Is the difference in the noise management techniques? Do we have modulus chain for BFV as well? how do we do bootstrapping in BFV? Any pointers to these questions are appreciated

score 0 · Answer 1 · answered Feb 07 '25 at 12:03

Yes, there are quite a few differences.

The basic idea of leveled FHE is, as you are probably aware of, that the scheme supports a restricted multiplicative depth. If this is exceeded, we get a noise overflow, and decryption will return a chaotic result. Even though it is related, this is not the same as the modulus-chain in BGV.

In particular, BFV does not have a modulus chain. All ciphertexts work over the same modulus $q$, which remains unchanged during the whole scheme. Instead, the noise inherent in BFV ciphertexts increases during operations, and thus we can only perform a limited number of multiplications - well, we could perform as many as we want, but once we exceed a certain point, results become completely random.

In principle, this is the same as for BGV. However, due to its internal structure, when using BGV, one should regularly perform a modulus switch. This will not not decrease the noise (strictly speaking, the relative noise remains constant), but reduce the noise growth caused by subsequent multiplications. The modulus switch will reduce the ciphertext modulus $q$ to a smaller ciphertext modulus $q'$. Hence, we need a chain of moduli $q > q' > q'' > ...$ that we "walk down" whenever we perform modulus switches. It is reasonable to choose the length of the modulus chain in correlation with the maximum multiplicative depth the scheme parameters support, however not strictly necessary:

If the modulus chain is too short, at some point we cannot modulus-switch anymore. This means that all multiplications beyond that point will cause (progressively) higher noise growth than necessary
If the modulus chain is too long, this works fine, but will waste performance - since we perform operations modulo larger ciphertext moduli than necessary, which is more expensive.

Note that modulus-switching is also possible in BFV, but usually not necessary when used as a leveled scheme.

Mathematical Details

BFV encrypts a message as $$ (a, -as + e + q/t m) $$ for an RLWE sample $(a, as + e)$. During homomorphic multiplication of two ciphertexts $(c_1, c_0)$ and $(c_1', c_0')$, we first compute an intermediate 3-component ciphertext $$ (c_2'', c_1'', c_0'') \quad \text{such that} \quad c_2 s^2 + c_1 s + c_0 \approx q/t \cdot mm' $$ For the noise analysis, it is sufficient to consider the noise of this ciphertext, and ignore relinearization. In particular, we compute it as $$ (c_2'', c_1'', c_0'') = (\lfloor t c_0 c_0' / q \rceil, \lfloor t (c_0 c_1' + c_1 c_0') / q \rceil, \lfloor t c_1 c_1' / q \rceil) $$ Note that to make sense of the scaling by $t/q$, we actually work with the shortest lifts of $c_0, c_1, c_0', c_1'$, i.e. don't consider them modulo $q$. Hence, we find $$ c_0 + c_1 s = e + q/t m + qr $$ where $r$ takes care of the wrapping around $q$.

For a noise estimate, we ignore the roundings, and find $$ c_2'' s^2 + c_1'' s + c_0'' = t/q (c_1c_1' s^2 + c_0c_1' s + c_1c_0' s + c_0c_0') = t/q (c_1 s + c_0)(c_1's + c_0') \\ = t/q (e + q/t m + qr)(e' + q/t m' + qr')$$ Multiplying this out gives $$ q/t mm' + t/q ee' + me' + m'e + ter' + te'r + qmr' + qm'r + qrr' $$ The term $qmr' + qm'r + qrr'$ becomes zero once we reduce modulo $q$, and the sum $t/q ee' + ter' + te'r + me' + m'e$ has only terms of size $\approx t \| s \| (\| e \| + \| e' \|)$ - because $r$, $r'$ are approximately of size $\|s\|$.

BGV multiplication, on the other hand, is actually simpler. In particular, we encrypt $m$ as $$ (a, m - as + te) $$ We can then perform a three-component multiplication just as $$ (c_2'', c_1'', c_0'') = (c_1c_1', c_1c_0' + c_0c_1', c_0c_0')$$ However, plugging this in gives $$ c_2''s^2 + c_1''s + c_0'' = (m + te)(m' + te') = mm' + tme' + tm'e + t^2ee' $$ This means, we have a "problem": The error increases quadratically, i.e. we get the error term $tee'$, which has size approximately $\| t \| \| e\| \|e'\|$ - so the size of the errors is multiplied, and not added. Hence, the relative error (i.e. size of $e$ compared to $q$) of the result depends not on the relative error of the input, but on absolute error (i.e. size of $e$) of the input. Fortunately, we can perform modulus-switching, which keeps the relative noise constant, but decreases the absolute noise. Hence, when using BGV, one usually performs modulus-switching so as to keep $\|e\|$ constant and very small, but the relative noise $\|e\|/q$ still increases, because $q$ becomes smaller due to modulus-switching.

If you want to do more reading, I actually found the original BGV paper https://ia.cr/2011/277 quite helpful.

BFV bootstrapping vs leveled scheme

1 Answers1

Mathematical Details