In this section, we briefly review the construction and the correctness of the SHE scheme proposed by Brakerski and Vaikuntanathan [4]. The security of the scheme relies on the polynomial LWE assumption defined below, which can be regarded as a simplified version of the ringLWE assumption of Lyubashevsky, Peikert and Regev [14] (see [4], Section 2 for details of the assumption).
Definition1 (Polynomial LWE assumption).
For a security parameter λ, let f(x)=x^{n}+1 be the cyclotomic polynomial for an integer n=n(λ) of 2power. Let q=q(λ) be an integer and set \(R= \mathbb {Z}[\!x]/(\,f(x))\) and R_{
q
}=R/qR. Let χ=χ(λ) be a distribution over R. Then the polynomial LWE assumption PLWE_{n,q,χ} is that it is infeasible to distinguish the following two distributions:

1.
One samples (a,b) uniformly from (R_{
q
})^{2}.

2.
One draws s←χ uniformly and samples (a,b) by sampling a←R_{
q
} uniformly, e←χ and setting b=as+e.
2.1 Construction of the SHE scheme
The following four parameters are needed for the scheme construction:

n: an integer of 2power, which defines the base ring \(R = \mathbb {Z}[\!x]/(\,f(x))\) with the cyclotomic polynomial f(x)=x^{n}+1 of degree n as in Definition 1. This degree n is often called the lattice dimension.

q: a prime number with q≡1 mod 2n, which defines the base ring \(R_{q} = \mathbb {F}_{q}[\!x]/(\,f(x))\) of ciphertext space. The condition q≡1 mod 2n is not necessary for the scheme construction, but it is required to discuss the provable security [4], Theorem 1.

t: an integer with t<q to determine a plaintext space \(R_{t} = (\mathbb {Z}/t\mathbb {Z})[x]/(\,f(x))\) (t is not necessarily prime).

σ: the parameter to define a discrete Gaussian error distribution \(\chi = D_{\mathbb {Z}^{n}, \sigma }\) with the standard deviation σ, namely, we select each entry in an ndimensional vector by sampling from a Gaussian distribution N(0,σ), and then round it to the nearest integer. In practice, we choose relatively small value such as σ=4∼8.
Key generation We first choose an element R∋s←χ, and sample a uniformly random element a_{1}∈R_{
q
} and an error R∋e←χ. Then set pk=(a_{0},a_{1}) with a_{0}=−(a_{1}s+te) as the public key and sk=s as the secret key.
Encryption For a plaintext m∈R_{
t
} and the public key pk=(a_{0},a_{1}), the encryption samples R∋u,f,g←χ and computes the “fresh ciphertext” given by
$$\begin{array}{*{20}l} \mathsf{Enc}(m, \mathsf{pk}) & = (c_{0}, c_{1}) \in (R_{q})^{2} \\ & = (a_{0}u + tg + m, a_{1}u + tf), \end{array} $$
((2))
where m∈R_{
t
} is considered as an element of R_{
q
} in the natural way due to the condition t<q.
Homomorphic operations While the above encryption algorithm generates ciphertexts with only two ring elements, the homomorphic multiplication defined below makes the ciphertext length longer. Therefore we need to define homomorphic operations for ciphertexts of any length as follows: Let ct^{′}=(c0′,…,cξ′)∈(R_{
q
})^{ξ+1}, \(\mathsf {ct}^{\prime \prime }= (c_{0}^{\prime \prime }, \ldots, c_{\eta }^{\prime \prime }) \in (R_{q})^{\eta + 1}\) be two ciphertexts. The homomorphic addition “\(\dotplus \)” is computed by componentwise addition of ciphertexts, namely, we have
$$\mathsf{ct}' \dotplus \mathsf{ct}^{\prime\prime} = (c_{0}'+c_{0}^{\prime\prime}, \ldots, c'_{\max (\xi, \eta)} + c^{\prime\prime}_{\max (\xi, \eta)}), $$
by padding with zero if necessary. Similarly, the homomorphic subtraction is computed by componentwise subtraction. On the other hand, the homomorphic multiplication “ ∗” is computed by
$$\mathsf{ct}' \ast \mathsf{ct}^{\prime\prime} = (\hat{c}_{0}, \ldots, \hat{c}_{\xi + \eta}), $$
where we consider ciphertexts ct^{′},ct^{′′} as elements of R_{
q
}[ z] by an embedding map \((R_{q})^{r} \ni (v_{0}, \ldots, v_{r1}) \mapsto \sum _{i = 0}^{r1} v_{i} z^{i} \in R_{q}[\!z]\) for any r≥1, and compute
$$\sum_{i=0}^{\xi + \eta} \hat{c}_{i} z^{i} = \left(\sum_{i=0}^{\xi} c'_{i} z^{i} \right) \cdot \left(\sum_{i=0}^{\eta} c_{i}^{\prime\prime} z^{i} \right) \in R_{q}[\!z]. $$
Decryption For any (fresh or nonfresh) ciphertext ct^{′}=(c0′,…,cξ′)∈(R_{
q
})^{ξ+1}, the decryption with the secret key sk=s is computed by
$$\mathsf{Dec}(\mathsf{ct}', \mathsf{sk}) = \;[\!\tilde{m}]_{q} \bmod t \in R_{t}, $$
where \(\tilde {m} = \sum _{i = 0}^{\xi } c_{i}' s^{i} \in R_{q}\). For the vector \(\vec {s} = (1, s, s^{2}, \ldots)\) (called the secret key vector), we can also rewrite
$$\mathsf{Dec}(\mathsf{ct}', \mathsf{sk}) = [\!\langle \mathsf{ct}', \vec{s} \rangle]_{q} \bmod t. $$
Let ct=(c_{0},c_{1}) be a fresh ciphertext given by (2). Since a_{0}+a_{1}s=−te, we have
$$\begin{array}{*{20}l} \langle \mathsf{ct}, \vec{s} \rangle &= (a_{0}u +tg + m) + s\cdot (a_{1}u + tf) \\ &= m + t\cdot (g + sf ue) \end{array} $$
in the ring R_{
q
}. If the value m+t·(g+sf−ue) does not wrap around mod q (i.e., all errors R∋e,f,g,u←χ must be sufficiently small), we have
$$[\!\langle \mathsf{ct}, \vec{s} \rangle]_{q} = m + t \cdot (g + sf ue) $$
in the ring “R” (see also Lemma 2 below for the condition of successful decryption). In this case, we can recover the correct plaintext m by mod toperation, which shows the decryption mechanism for fresh ciphertexts. Furthermore, for two fresh ciphertexts ct_{1},ct_{2}, we clearly have
$$\begin{aligned} \langle \mathsf{ct}_{1} \dotplus \mathsf{ct}_{2}, \vec{s} \rangle & = \langle \mathsf{ct}_{1}, \vec{s} \rangle + \langle \mathsf{ct}_{2}, \vec{s} \rangle \\ \langle \mathsf{ct}_{1} \ast \mathsf{ct}_{2}, \vec{s} \rangle & = \langle \mathsf{ct}_{1}, \vec{s} \rangle \cdot \langle \mathsf{ct}_{2}, \vec{s} \rangle \end{aligned} $$
in the ring R_{
q
}. These two equations help us to understand the construction and the correctness of homomorphic operations in the encryption scheme, but please refer ([4], Section 1.1) for details. Here we also give a lemma on the “cryptographic security” of the scheme constructed above (see [4] for details).
Lemma1 (security).
Given (n,q,t,σ), the scheme is provably secure in the sense of INDCPA under the polynomial LWE assumptionPLWE_{n,q,χ}with\(\chi = D_{\mathbb {Z}^{n}, \sigma }\)(see Definition 1 for the definition ofPLWE_{n,q,χ}).
2.2 Correctness of the SHE scheme
By correctness, we mean that the decryption can recover the operated result over plaintexts after some homomorphic operations over ciphertexts. For the scheme constructed above, the homomorphic operations over ciphertexts correspond to the ring structure of the plaintext space R_{
t
}, namely, we have

(Addition) \(\mathsf {Dec}(\mathsf {ct} \dotplus \mathsf {ct}', \mathsf {sk}) = m + m' \in R_{t}\), and

(Multiplication) Dec(ct∗ct^{′},sk)=m×m^{′}∈R_{
t
}
for ciphertexts ct,ct^{′} corresponding to plaintexts m,m^{′}, respectively. However, the scheme merely gives an SHE scheme (not FHE), and its correctness holds under the following condition (see the proof of [16], Lemma 3.3):
Lemma2 (Condition for successful decryption).
For a ciphertextct, the decryptionDec(ct,sk)recovers the correct result if\(\langle \mathsf {ct}, \vec {s} \rangle \in R_{q}\)does not wrap around modq, namely, if the condition
$$ \langle \mathsf{ct}, \vec{s} \rangle _{\infty} < \frac{q}{2} $$
((3))
is satisfied, where for\(a = \sum a_{i}x^{i} \in R_{q}\)let a_{
∞
}= maxa_{
i
}denote the∞norm of its coefficient representation.