Right before the PBS there is an operation called the “modulus switch” that should be described in the Handbook. Essentially this step adds a lot of noise but makes it possible to evaluate the blind rotation part of the PBS so cannot be skipped today.
The blind rotation evaluates the decryption of the modulus switched ciphertext, so the constraint for the correctness is that the noise in the modulus switched ciphertext respects the |e| < Delta/2.
Given the above: no, ciphertexts with arbitrary noise levels cannot be refreshed, if they have a high level of noise even before the modulus switch the plaintext is already lost for example, so applying a PBS is going to have a deterministic but random output.
Yes as indicated in 1, the modulus switched ciphertext must respect the same constraint but in the new modulus which is 2 * N, where N is the polynomial size used in the PBS.
Thank you so much, I’d like to delve deeper into the second question.
Assuming that a ciphertext before PBS contains too much noise, and the ciphertext ultimately fails to achieve the desired PBS effect. For example, ct = Encrypt(0) and assuming ideal conditions, PBS would map it to a new ciphertext ct' = Encrypt(3).
Because of the excessive noise, PBS does not run correctly, and instead maps 0 to 1, not 3. Thus, we get a new ciphertext ct'' = Encrypt(1). Although we find that decrypting ct'' results in the message being 1, this ciphertext is still unreliable. Even if PBS happens to correctly map 0 to 3, the result of PBS may still be unreliable, because although the decryption result is correct, the ciphertext may no longer be in the expected phase.
This means that if the ciphertext PBS(ct) is further involved in subsequent operations, it may affect the entire computation path, right? Because we can no longer evaluate the reliability of the ciphertext PBS(ct).
Looking forward to further communication with you.
