We continue our discussion on the fully homomorphic encryption scheme of van Dijk, Gentry, Halevi, and Vaikuntanathan [vDGHV10]. Last week we constructed a weakly homomorphic encryption scheme such that for any pair of properly generated ciphertexts c ← Enc(b), c ← Enc(b), the sum or product of c, c yields a value that decrypts to the sum (resp, product) of the original underlying plaintexts. That is, Dec(Add(c, c)) = b ⊕ b and Dec(Mult(c, c)) = b · b. However, the scheme suffered from two problems: 1) the cipertext formed as the output of the Add or Mult operation does not have the same distribution as a ciphertext properly generated via the Enc algorithm, and 2) if we try to perform too many Add and Mult operations, we are no longer guaranteed decryption to the correct value (indeed, in the scheme, the noise in the ciphertext grows larger in each operation and will eventually lead to a nonempty intersection of the set of encryptions of 0 and 1). As we discussed last week, these two problems will be solved if we can construct the following two operations: • ReRand(X): takes as input any encryption of a bit b with noise ≤ 2n0.4 (for example, in our scheme this includes the bit b itself!) and outputs a ciphertext with noise ≤ 2n0.5 with the correct distribution ReRand(X) ≈s Enc 2n0.