# GLWE Homomorphic Multiplication by a Constant

After homomorphic addition, the next “linear” operation you can do on a GLWE ciphertext is:

> **Multiply an encrypted message by a known (public) constant polynomial** $$\Lambda$$, without decrypting.

This is still a **leveled / linear** operation (not ciphertext–ciphertext multiplication). It’s simple, fast, and shows up everywhere in TFHE-style constructions.

***

## 1) Setup recap: a GLWE ciphertext encrypting `M`

Let $$p \le q$$ and define the encoding scale:

$$\Delta = \frac{q}{p}$$

A GLWE ciphertext encrypting a message polynomial $$M \in \mathcal{R}p$$ *under secret key* $$\vec{S}=(S\_0,\ldots,S{k-1})\in\mathcal{R}^k$$ is:

$$C = (A\_0,\ldots,A\_{k-1},B)\in GLWE\_{\vec{S},\sigma}(\Delta M)\subseteq \mathcal{R}\_q^{k+1}$$

with:

$$B=\sum\_{i=0}^{k-1} A\_i\cdot S\_i + \Delta M + E \in \mathcal{R}\_q$$

and $$E$$ is a small noise polynomial.

***

## 2) What “constant” means here: a small public polynomial $$\Lambda$$

We take a **public** (unencrypted) polynomial:

$$\Lambda = \sum\_{j=0}^{N-1}\Lambda\_j X^j \in \mathcal{R}$$

The blog emphasizes **small** constant polynomials here because the noise growth depends on the size of $$\Lambda$$’s coefficients.

* “Small $$\Lambda$$” = coefficients like $$-1,0,1,2$$, etc.
* “Large $$\Lambda$$” = big coefficients → noise blows up faster (handled later with extra techniques).

***

## 3) The homomorphic multiplication rule

To multiply the encrypted message by $$\Lambda$$, just multiply **every component of the ciphertext** by $$\Lambda$$ inside $$\mathcal{R}\_q$$:

$$C^{(\cdot)} = \Lambda \cdot C = (\Lambda A\_0,\ldots,\Lambda A\_{k-1},\Lambda B)$$

Result:

$$C^{(\cdot)} \in GLWE\_{\vec{S},\sigma^{\prime\prime}}(\Delta(\Lambda\cdot M))$$

So it encrypts $$\Lambda\cdot M \in \mathcal{R}\_p$$ under the same secret key, with updated (larger) noise.

***

## 4) Why it works (correctness in one expansion)

Start with:

$$B=\sum A\_iS\_i+\Delta M+E$$

Multiply both sides by $$\Lambda$$:

$$\Lambda B = \sum (\Lambda A\_i)S\_i ;+; \Delta(\Lambda M);+;\Lambda E$$

Now the new ciphertext is:

* masks: $$A\_i^{(\cdot)}=\Lambda A\_i$$
* body: $$B^{(\cdot)}=\Lambda B$$

When decrypting $$C^{(\cdot)}$$, you compute:

$$B^{(\cdot)}-\sum A\_i^{(\cdot)}S\_i = \Delta(\Lambda M)+\Lambda E$$

Then decoding (round/divide by $$\Delta$$) gives $$\Lambda M$$ as long as the new noise $$\Lambda E$$ is still small enough for rounding.

Same structure, same secret key, correct plaintext multiplication by $$\Lambda$$.

***

## 5) Noise growth (the “cost” of multiplying by $$\Lambda$$)

For addition, noise grows *additively*.

For multiplying by $$\Lambda$$, the blog explains:

* the noise grows **proportionally to the size of** $$\Lambda$$**’s coefficients**.
* If $$\Lambda$$’s coefficients are small, $$\Lambda E$$ stays manageable.
* If $$\Lambda$$’s coefficients are large, $$\Lambda E$$ can become large quickly → rounding fails sooner.

That’s why this section is specifically about **multiplication by a small constant polynomial** $$\Lambda$$.

***

## 6) A concrete “decode check” pattern (what you verify after multiplying)

After you build $$C^{(\cdot)}$$, the decryption check looks exactly like GLWE decryption:

$$T^{(\cdot)} = B^{(\cdot)} - \sum\_{i=0}^{k-1} A\_i^{(\cdot)} S\_i \in \mathcal{R}\_q$$

Then decode:

$$\left\lfloor \frac{T^{(\cdot)}}{\Delta} \right\rceil \in \mathcal{R}\_p$$

In the toy example shown in the post, they explicitly decrypt by computing $$B^{(\cdot)} - \sum A\_i^{(\cdot)}S\_i$$, then divide/round by $$\Delta$$, and recover exactly the expected product polynomial.

They also highlight the usual “rounding safety” condition: decryption succeeds when the error coefficients remain smaller than $$\Delta/2$$ in absolute value.

***

<figure><img src="/files/XZgnasZmamsnnjMLgLA5" alt=""><figcaption><p>*image credit: <a href="https://www.zama.org/post/tfhe-deep-dive-part-2">zama</a></p></figcaption></figure>

## 7) Toy example idea

To better understand GLWE multiplication by a small constant polynomial, we use the same parameters and ciphertext as in the addition example.

### Parameters

* **Moduli:** $$q = 64$$, $$p = 4$$
* **Scale:** $$\Delta = q / p = 16$$
* **Polynomial degree:** $$N = 4$$
* **Dimension:** $$k = 2$$

### Secret Key

$$\vec{S} = (S\_0, S\_1) = (X + X^2, 1 + X^2 + X^3) \in \mathcal{R}^2$$

### Initial Ciphertext

We use the same ciphertext $$C$$ encrypting message $$M = -2 + X - X^3$$: $$C = (A\_0, A\_1, B) = (17 - 2X - 24X^2 + 9X^3, -14 - X^2 + 21X^3, -31 + 5X - 21X^2 + 30X^3) \in \mathcal{R}\_q^3$$

* **Error:** $$E = -1 + X + X^3 \in \mathcal{R}\_q$$

### Constant to Multiply

We choose a small constant polynomial $$\Lambda$$:

&#x20;$$\Lambda = -1 + 2X^2 + X^3 \in \mathcal{R}$$

The multiplication between the original message $$M$$ and $$\Lambda$$ in $$\mathcal{R}\_p$$ is: $$M^{(\cdot)} = M \cdot \Lambda = 1 + X + X^2 + X^3 \in \mathcal{R}\_p$$

### Homomorphic Multiplication

To perform the operation, we multiply every component of the ciphertext $$C$$ by the polynomial $$\Lambda$$ in $$\mathcal{R}\_q$$

1. **Multiply Components:** $$A\_0^{(\cdot)} = \Lambda \cdot A\_0 = (-1 + 2X^2 + X^3) \cdot (17 - 2X - 24X^2 + 9X^3) = -31 + 8X - 15X^2 + 4X^3 \in \mathcal{R}\_q$$

   $$A\_1^{(\cdot)} = \Lambda \cdot A\_1 = (-1 + 2X^2 + X^3) \cdot (-14 - X^2 + 21X^3) = 16 + 23X + 16X^2 + 29X^3 \in \mathcal{R}\_q$$

   $$B^{(\cdot)} = \Lambda \cdot B = (-1 + 2X^2 + X^3) \cdot (-31 + 5X - 21X^2 + 30X^3) = 4 + 20X - 7X^2 + 13X^3 \in \mathcal{R}\_q$$
2. **Resulting Ciphertext:** $$C^{(\cdot)} = (A\_0^{(\cdot)}, A\_1^{(\cdot)}, B^{(\cdot)}) \in \mathcal{R}\_q^3$$

### Decryption and Verification

To verify the result, we decrypt the resulting ciphertext:

1. **Phase Calculation:** $$B^{(\cdot)} - \sum\_{i=0}^{k-1} A\_i^{(\cdot)} \cdot S\_i = 16 + 13X + 13X^2 + 16X^3 \in \mathcal{R}\_q$$
2. **Rescaling and Rounding:** $$\lfloor (16 + 13X + 13X^2 + 16X^3) / 16 \rceil = 1 + X + X^2 + X^3 \in \mathcal{R}\_p$$

This result matches exactly $$M^{(\cdot)}$$.

The decryption worked because the error coefficients were all smaller (in absolute value) than $$\Delta / 2 = 8$$. The new error was in fact equal to $$E^{(\cdot)} = -3X - 3X^2$$.

***

## 8) ELI5 (Explain Like I’m 5)

* A GLWE ciphertext is like a locked box with several polynomial pieces.
* If you want to multiply the hidden message by a known number/polynomial $$\Lambda$$, you multiply **every piece of the box** by $$\Lambda$$.
* When you unlock it, the hidden message has been multiplied by $$\Lambda$$ too—just with slightly more fuzz (noise).

***

## 9) Quick summary

* You can multiply a GLWE ciphertext by a **public polynomial** $$\Lambda$$ by multiplying each ciphertext component by $$\Lambda$$ in $$\mathcal{R}\_q$$.
* The result encrypts $$\Lambda\cdot M$$ under the same secret key.
* Noise grows roughly like $$\Lambda E$$, i.e., **proportional to** $$\Lambda$$**’s coefficient sizes**, so “small $$\Lambda$$” matters.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://sabanaku77.gitbook.io/fhe-handbook-for-beginners/glwe-homomorphic-multiplication-by-a-constant.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.