Hi all,

I wanted to double check whether my understanding of CKKS is sound.

Given a ciphertext c = (c_0,c_1) (encryption of m) and a plaintext m', their product is given by (c_0 m', c_1 m'), as c_0 m' + c_1 m' s = m' (c_0 + c_1 s) = m' (m + e) \approx m'm for some noise e and secret key s.

If the plaintext m' has no scale, for instance being an integer (-coeff. polynomial), then the ciphertext (c_0 m', c_1 m') does not need to be rescaled in order to get a correct decryption, is that right?

1 Like

Correct, as long as the integer coefficients are not large (close to unity or so in the coefficient representation). For instance, if the coefficients are 2^{30}, then the effective scale of the product will get increased and rescaling would still be needed at some point. Note that we use products like this, e.g., `MultByMonomial`

, in the CKKS bootstrapping implementation of OpenFHE.

One has to keep in mind that multiplying by a bit-mask vector in CKKS still requires a rescale since the bit-mask vector after inverse FFT gets non-integer values (that need to be scaled up and rounded).

1 Like