Use of Galois Automorphisms in Homomorphic Encryption

Question

The SEAL (Simple Encrypted Arithmetic Library) uses Galois Automorphisms to enable batch computations (i.e., the addition and multiplication of many ciphertexts in parallel in one single operation).

The batching procedure is described in sections 5.6 Galois Automorphisms and 7.4 CRT Batching of the SEAL 2.3.1 manual.

In particular, the two sections above state that the following rings are isomorphic.

\prod_{i=0}^{n} \mathbb{Z}_t \cong \prod_{i=0}^{n} \mathbb{Z}_t[\zeta^{2i+1}] \cong \mathbb{Z}_t[x]/(x^n+1)

where \zeta is a primitive 2n-th root of unity modulo t.

An image of the above equation can found here (Stackoverflow does not allow me display images for now)

The same sections also state that mapping plaintext tuples in \prod_{i=0}^{n} \mathbb{Z}_t to \mathbb{Z}_t[x]/(x^n+1) can be done using Galois Automorphims.

More precisely, a n-dimensional \mathbb{Z}_t-vector plaintext can be thought of as a 2-by-(n/2) matrix, and the Galois Automorphisms would correspond to rotations of the columns and rows of that matrix.

Following the application of the Galois Automorphisms on the plaintext vector (rotations of the rows and columns), one can obtain a corresponding element in \mathbb{Z}_t[x]/(x^n+1), which will be used for batch computations.

My questions are the following.

1- Why is \mathbb{Z}_t[\zeta^{2i+1}] isomorphic to \mathbb{Z}_t ?

2- How are the Galois Automorphisms used precisely to map n-dimensional \mathbb{Z}_t-vector plaintexts to elements in \mathbb{Z}_t[x]/(x^n+1)? Or stated differently, how does the Compose operation work? And how do you use Galois Automorphisms (row and column rotations) to compute it?

========================================================================

Answer 1

1. The isomorphism simply evaluates a polynomial at a root of unity to obtain an element of Z_t. Note that this works because the relevant root of unity is itself in Z_t. The entire batching system is just a big old Chinese Remainder Theorem: the batching slots are the reductions of the plaintext polynomial modulo x-zeta²ⁱ⁺¹ for different i. Going back requires a standard CRT reconstruction.

2. In practice the CRT is implemented through the Number Theoretic Transform (FFT over a finite field) and its inverse. The Galois automorphism acts on the roots of unity by permuting them, forming two orbits. If we order the plaintext matrix slots in a way that the batching slot value corresponding to the next Galois conjugate of a primitive root is always to the left (or right) of the slot value corresponding to that primitive root, then the Galois action will permute the rows of the matrix cyclically. The two orbits can also be interchanged, which corresponds to the column rotation (swap).

Matters are further complicated by the fact that the NTT algorithm that SEAL uses results in a so-called "bit reversed" output order. This needs to be taken into account when the correct ordering of the batching values is determined before any NTT or inverse NTT can be performed.