Basic notation

In this paper, boldface lowercase letters represent vectors, such as $\mathit{v}$. Boldface uppercase letters denote matrices, such as $\mathit{M}$. The inner product of two vectors is denoted by $⟨·,·⟩$. The functions $\lceil ·\rfloor$, $\lceil ·\rceil$, and $\lfloor ·\rfloor$ represent rounding to the nearest integer, ceiling, and floor operations, respectively. For an integer m, ${[m]}_q$ denotes the modulo q operation. The notation $x\leftarrow \mathcal{D}$ indicates that x is sampled from the distribution $\mathcal{D}$. The discrete Gaussian distribution is denoted as $\mathcal{D}\mathcal{G}({\sigma }^2)$, where $\sigma$ is the standard deviation.

The infinity norm of a vector $\mathit{v}$ is represented by ${\Vert \mathit{v}\Vert }_{\infty }$. ${\Phi }_M(X)=X^N+1$ denotes the M-th cyclotomic polynomial, where the degree $N=M/2$ when M is a power of 2. Let $\mathcal{R}=\mathbb{Z}/({\Phi }_M(X))$ be the ring of integer polynomials, and ${\mathcal{R}}_q=\mathcal{R}/q\mathcal{R}$ be the finite field of polynomials over $Z_q$.

For $m(X)\in \mathcal{R}$, we define the canonical embedding $\mathsf{emd}$ as a mapping from the polynomial m(X) to a vector in ${\mathbb{C}}^N$, obtained by evaluating m(X) at the M-th roots of unity $m({\zeta }_M^j)$. ${\mathsf{emd}}^{-1}$ denotes the inverse of $\mathsf{emd}$. We define ${|m|}^{\mathsf{can}}\infty ={\Vert \mathsf{emd}(m)\Vert }_{\infty }$. For a polynomial $m(X)=m_0+m_{1}X+\cdots +m_{N-1}{X}^{N-1}$, we denote its coefficient representation as $\mathit{m}=(m_0,m_1,...,m_{N-1})$. For simplicity, we sometimes write m(X) as m throughout the paper. The multiplication of two polynomials $m_1$ and $m_2$ is denoted as $m_1·m_2$, sometimes $m_1{m}_2$ for simplicity. $\odot$ marks the Hadamard product of two vectors.

Table 1. Essential notations and definitions

Table 1 summarizes the essential notations and definitions used throughout this paper, including mathematical spaces, operators, ciphertext types, parameters, and homomorphic operations.

CKKS scheme

The CKKS scheme (Cheon et al. 2017) enables approximate homomorphic operations on complex and real numbers. Its security is based on the Ring Learning With Error (RLWE) problem. The plaintext space of CKKS is the polynomial ring $m(X)\in R$. Using canonical embedding and approximate scaling, N/2 complex numbers can be mapped to $\mathcal{R}$. Operations on $\mathcal{R}$ are equivalent to element-wise operations on vectors in ${\mathbb{C}}^{N/2}$. Thus, the CKKS scheme can pack N/2 complex numbers into a single polynomial and perform Single Instruction Multiple Data (SIMD) operations on this polynomial. We refer to $m(X)\in \mathcal{R}$ as the plaintext and its corresponding ${\mathbb{C}}^{N/2}$ vector as plaintext slots.

CKKS defines an encoding function $\mathsf{Ecd}(\mathit{z})$ that encodes a vector $\mathit{z}\in {\mathbb{C}}^{N/2}$ of length N/2 into a polynomial $m(X)\in R$, and a decoding function $\mathsf{Dcd}(m)$ that decodes the polynomial m(X) back to the vector $\mathit{z}$.

The Residual Number System (RNS)-based CKKS scheme sets the modulus as $Q_l=q_0·{\prod }_{i=1}^l{q}_i$. To support Number Theoretic Transform (NTT) operations, each $q_i$ must satisfy $q_i=1(mod2N)$, ensuring that modulo $q_i$ contains a 2N-th root of unity. We refer to $0\le l\le L$ as the level of the ciphertext. After each multiplication, the ciphertext modulus changes from $Q_l$ to $Q_{l-1}$, with level l indicating support for l layers of multiplication. The RNS-CKKS scheme achieves higher performance than the original CKKS by avoiding the use of large moduli. The CKKS algorithms are as follows (described in symmetric encryption form):

• $\mathsf{KeyGen}(1^{\lambda }):$ Key generation. Given security parameter $\lambda$, select a ring $\mathcal{R}$, key sparsity coefficient h, integer P, and Gaussian distribution parameter $\sigma$. Choose the key s as a polynomial with Hamming weight h, with coefficients selected from $\{\pm 1,0\}$. Output the private key $\mathsf{sk}=(1,s)$.

• $\mathsf{KSGen}(s^{\prime }):$ Key switching key generation. For $s^{\prime }\in \mathcal{R}$, sample $a^{\prime }\leftarrow {\mathcal{R}}_{P·Q_L}$, $e^{\prime }\leftarrow \mathcal{D}\mathcal{G}({\sigma }^2)$, and output the key switching key $\mathsf{swk}\leftarrow ({\mathsf{swk}}_0,{\mathsf{swk}}_1)\in {\mathcal{R}}_{P·Q_L}^2$, where ${\mathsf{swk}}_1=a^{\prime },{\mathsf{swk}}_0=-a^{\prime }s+e^{\prime }+P·s^{\prime }(modP·Q_L)$.

• ${\mathsf{Enc}}_{\mathsf{sk}}(m):$ Encryption. Sample $a\in {\mathcal{R}}_{Q_L}$, $e\in \mathcal{D}\mathcal{G}({\sigma }^2)$, and output the ciphertext $\mathsf{ct}=(b,a)(mod{Q}_L)$, where $b=-as+e+m$.

• ${\mathsf{Dec}}_{\mathsf{sk}}(ct):$ Decryption. Given $\mathsf{ct}=(b,a)(mod{Q}_L)$, output plaintext $m+e=b+as(mod{Q}_L)$.

• $\mathsf{Add}({\mathsf{ct}}_1,{\mathsf{ct}}_2):$ Homomorphic addition. Compute ${\mathsf{ct}}_{\mathsf{add}}={\mathsf{ct}}_1+{\mathsf{ct}}_2(mod{Q}_l)$.

• $\mathsf{Mult}({\mathsf{ct}}_1,{\mathsf{ct}}_2):$ Homomorphic multiplication. For ${\mathsf{ct}}_1=(b_1,a_1)$, ${\mathsf{ct}}_2=(b_2,a_2)\in {\mathcal{R}}_{Q_l}^2$, compute $${\mathsf{ct}}_{\mathsf{mult}}=(b_1{b}_2,a_1{b}_2+a_2{b}_1,a_1{a}_2)(mod{Q}_l),$$ The resulting ciphertext has three terms, which can be converted back to two terms through relinearization $\mathsf{Relin}$.

• ${\mathsf{KS}}_{\mathsf{swk}}({\mathsf{ct}}^{\prime }):$ Key switching. For a ciphertext ${\mathsf{ct}}^{\prime }=(b,a)\in {\mathcal{R}}_{Q_l}^2$ encrypted under $s^{\prime }$, and key switching key $\mathsf{swk}=({\mathsf{swk}}_0,{\mathsf{swk}}_1)\leftarrow \mathsf{KSGen}(s^{\prime })$, compute and output $$\begin{array}{c}\hfill {\mathsf{ct}}_{\mathsf{KS}}=\left(b,+,\lceil ,\frac{a·{\mathsf{swk}}_0}{P},\rfloor ,,,\lceil ,\frac{a·{\mathsf{swk}}_1}{P},\rfloor \right)(mod{Q}_l),\end{array}$$ where ${\mathsf{ct}}_{\mathsf{KS}}$ is a ciphertext encrypted under s.

• ${\mathsf{Relin}}_{\mathsf{rlk}}({\mathsf{ct}}_{\mathsf{mult}}):$ Relinearization. For a ciphertext ${\mathsf{ct}}_{\mathsf{mult}}=(d_0,d_1,d_2)$ resulting from multiplication, and relinearization key $\mathsf{rlk}=\mathsf{KSGen}(s^2)$, compute and output ${\mathsf{ct}}_{\mathsf{relin}}=(d_0,d_1)+{\mathsf{KS}}_{\mathsf{rlk}}((0,d_2))$.

• $\mathsf{cAdd}({\mathsf{ct}}_1,\mathit{a}):$ Ciphertext-plaintext addition. For a ciphertext ${\mathsf{ct}}_1=(b_1,a_1)$ and a plaintext vector $\mathit{a}$, output ${\mathsf{ct}}_{\mathsf{cadd}}=(b_1+\mathsf{Ecd}(\mathit{a}),a_1)$.

• $\mathsf{cMult}({\mathsf{ct}}_1,\mathit{a}):$ Ciphertext-plaintext multiplication. For a ciphertext ${\mathsf{ct}}_1=(b_1,a_1)$ and a plaintext vector $\mathit{a}$, compute $m=\mathsf{Ecd}(\mathit{a})$, and output ${\mathsf{ct}}_{\mathsf{cmult}}=(b_1·m,a_1·m)$.

• ${\mathsf{Rot}}_k(\mathsf{ct}):$ Homomorphic rotation. For ciphertext $\mathsf{ct}=(b,a)$, the rotation operation shifts elements in its plaintext slots left by k positions. Define an automorphism ${\phi }_k:X\to X^{5^k}$, with rotation key ${\mathsf{rk}}_k=\mathsf{KSGen}({\phi }_k(s))$, compute and output ${\mathsf{ct}}_{\mathsf{rk}}={\mathsf{KS}}_{{\mathsf{rk}}_k}({\phi }_k(b),{\phi }_k(a))$.

• $\mathsf{Conj}(\mathsf{ct}):$ Homomorphic conjugation. For ciphertext $\mathsf{ct}=(b,a)$, the conjugation operation takes the complex conjugate of elements in its plaintext slots. Define an automorphism ${\phi }^{\prime }:X\to X^{-1}$, with conjugation key $\mathsf{cjk}=\mathsf{KSGen}({\phi }^{\prime }(s))$, compute and output ${\mathsf{ct}}_{\mathsf{conj}}={\mathsf{KS}}_{\mathsf{cjk}}({\phi }^{\prime }(b),{\phi }^{\prime }(a))$.

• $\mathsf{RS}(\mathsf{ct}):$ Rescaling. For a ciphertext $\mathsf{ct}\in {\mathcal{R}}_{Q_l}^2$ at level l, output ${\mathsf{ct}}_{\mathsf{RS}}=\lceil p_l^{-1}\mathsf{ct}\rfloor (mod{Q}_{l-1})$.

The rotation algorithm can be used to define a multiplication between a plaintext matrix and a ciphertext vector. For a matrix $\mathit{A}$ of size $N/2\times N/2$, to perform matrix–vector multiplication with a ciphertext $\mathsf{ct}$,$$\begin{array}{c}\hfill \mathit{A}=\left[\begin{array}{cccc}{A}_{0,0}& A_{0,1}& \cdots & A_{0,N/2-1}\\ A_{1,0}& A_{1,1}& \cdots & A_{1,N/2-1}\\ ⋮& ⋮& \ddots & ⋮\\ A_{N/2-1,0}& A_{N/2-1,1}& \cdots & A_{N/2-1,N/2-1}\end{array}\right],\end{array}$$Let the diagonal elements of $\mathit{A}$ be ${\mathit{a}}_i={\{A_{0,i},A_{1,i+1},...,A_{N/2-1,i-1}\}}_{0\le i\le N/2-1}$. For a vector $\mathit{z}$, we have $\mathit{A}·\mathit{z}={\sum }_{0\le i<N/2}({\mathit{a}}_i\odot {\rho }_i(\mathit{z}))$.

Based on the plaintext algorithm, we can derive the matrix–vector multiplication for ciphertext $\mathsf{ct}$, as shown in Algorithm 1:

[See PDF for image]

Algorithm 1

Matrix-Vector Ciphertext Multiplication $\mathsf{Matmul}(\mathit{A},\mathsf{ct})$

The $\mathsf{Matmul}$ algorithm facilitates the computation of a matrix–vector product between a plaintext matrix and a ciphertext $\mathsf{ct}$ (containing a plaintext vector). This algorithm proves particularly useful in bootstrapping, as it enables the linear transformation of ciphertext coefficients into slots.

General bootstrapping framework for CKKS

Optimizations for homomorphic modular reduction

Cheon et al. (2018) observed that the approximating function is a trigonometric function, allowing for effective utilization of double-angle formulas and Euler’s formula properties. Leveraging CKKS’s ability to compute complex numbers, they calculated $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)$ using the double-angle formula. Specifically, $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)=\frac{q}{4\pi }\left(exp,\left(\frac{2\pi it}{q}\right),-,exp,\left(\frac{-2\pi it}{q}\right)\right),exp\left(\frac{2\pi it}{q}\right)=exp{\left(\frac{2\pi it}{2q}\right)}^2$. Therefore, by computing $P_0(t)={\sum }_{k=0}^{d_0}\frac{1}{k!}{\left(\frac{2\pi it}{2^r·q}\right)}^k\approx exp\left(\frac{2\pi it}{2^r·q}\right)$, and then $P_i(t)=P_{i-1}{(t)}^2$, one obtains $P_r(t)\approx exp\left(\frac{2\pi it}{q}\right)$. Since $P_0(t)$ has a small range, it can be approximated using a Taylor series expansion of order $d_0=O(1)$, followed by $r=O(log\mathit{Kq})$ squaring operations, resulting in a total of $O(log\mathit{Kq})$ multiplication layers. Cheon et al. (2018) achieved a remaining precision of 20 bits after bootstrapping.

Chen et al. (2019) recognized that the double-angle formula introduces larger errors with each iteration. They proposed using Chebyshev interpolation to directly approximate $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)$ in the $[-Kq,Kq]$ interval, reducing both the number of multiplications and the error in the approximation. Their work focused on decreasing the number of multiplication layers in polynomial approximation, resulting in an overall efficiency improvement of about 50 times compared to Cheon’s original approach (Cheon et al. 2018), while maintaining a post-bootstrapping precision of 20 bits.

Han and Ki (2020) noted that approximating ${[t]}_q$ over the entire $[-Kq,Kq]$ interval is unnecessary since $m\ll q$. They proposed Chebyshev interpolation of $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)$ only near multiples of q, requiring fewer multiplications. This method achieved a twofold efficiency improvement over Chen’s work Chen et al. (2019). Moreover, Han and Ki (2020) was the first to implement an RNS-based CKKS bootstrapping circuit. However, their precision remained relatively low, not exceeding 20 bits.

The aforementioned works focused on optimizing the approximation of the $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)$ function, which inherently has an $O(q{ϵ}^3)$ error compared to ${[t]}_q$. Subsequent works (Jutla and Manohar 2020; Lee et al. 2022e, 2020; Jutla and Manohar 2022; Lee et al. 2021b) aimed to circumvent this error by directly approximating ${[t]}_q$.

Recent works by Lee et al. (2020, 2021b) and Jutla and Manohar (2020) employed algorithmic search methods to directly approximate the modular function. Lee et al. (2020) used a least squares algorithm for approximation, while Jutla and Manohar (2020) utilized Lagrange Interpolation to approximate the Mod function. However, these methods resulted in large coefficients for the approximating polynomials, which reduced the precision of multiplication operations, limiting the achievable bootstrapping precision.

Lee et al. (2021b) employed inverse trigonometric functions to approximate the modular function, using the Remez method to effectively reduce polynomial coefficient sizes. This approach achieved a precision of 32.6 bits. Their subsequent work Lee et al. (2022e) further optimized efficiency by using Baby-Step Giant-Step ($\mathsf{BSGS}$) operations for polynomial computation optimization, achieving fewer multiplications. They also delayed relinearization ($\mathsf{Relin}$) and rescaling ($\mathsf{Rescale}$) to reduce their frequency during polynomial operations, resulting in higher efficiency. By approximating a 1625-degree modular function, they successfully increased precision to 100 bits.

Jutla and Manohar (2022) designed a sine function sequence to better approximate ${[t]}_q$. Specifically, while the Taylor expansion shows an $O(q{ϵ}^3)$ error between $\frac{q}{2\pi }sin\left(\frac{2\pi t}{q}\right)$ and ${[t]}_q$, they discovered that approximating ${[t]}_q$ with the sine function sequence $4/3sint-1/6sin2t$ results in only $O({ϵ}^5)$ error. This improvement allowed their bootstrapping scheme to also achieve 100-bit precision.

In a recent work, Kim et al. (2022) proposed a new CKKS bootstrapping algorithm using $\mathsf{EvalRound}$ instead of the original $\mathsf{EvalMod}$ method. While the original CKKS bootstrapping process used the $\mathsf{EvalMod}$ function to perform homomorphic modular reduction on $(m+qI)$ (by approximating the modular function with a polynomial) to obtain (m), $\mathsf{EvalRound}$ obtains (qI) from $(m+qI)$, effectively rounding to multiples of I. This approach requires smaller polynomial coefficients and allows for smaller scaling factors. The result is a reduction in the number of levels consumed by the bootstrapping step while maintaining a certain precision, thereby increasing the computational capacity of the ciphertext after bootstrapping.

Optimizations for homomorphic encoding and decoding (linear transformations)

In homomorphic encoding ($\mathsf{CoeffToSlot}$) and decoding ($\mathsf{SlotToCoeff}$), directly using matrix multiplication as shown in Algorithm 1 requires O(N) rotation keys ${({\mathsf{rk}}_i)}_{0\le i\le N/2-1}$ and O(N) rotation operations. To address this, Cheon et al. (2018) employed the $\mathsf{BSGS}$ method proposed by Halevi and Shoup (2014, 2021) to perform multiplication between a plaintext matrix and a ciphertext vector. $\mathsf{BSGS}$ reduces both the number of rotation keys and rotation operations to $O(\sqrt{N})$, as shown in Algorithm 2:

[See PDF for image]

Algorithm 2

Baby-Step Giant-Step Matrix-Vector Multiplication ${\mathsf{Matmul}}_{\mathsf{BSGS}}(\mathit{A},\mathsf{ct})$

The matrix multiplication constructed using $\mathsf{BSGS}$ reduces the number of rotations in homomorphic encoding and decoding to $O(\sqrt{N})$, requiring only one multiplication layer.

One disadvantage of using matrix multiplication is that homomorphic encoding requires two ciphertexts to store $N/2\times 2$ plaintext slots for N coefficients, with all subsequent operations performed on these two ciphertexts. An optimization in this regard is to use sparsely packed ciphertexts, utilizing only n out of N/2 plaintext slots, where n|N/2. Sparse packing allows all coefficients to be placed in a single ciphertext during homomorphic encoding ($\mathsf{CoeffToSlot}$), avoiding the generation of two ciphertext terms and reducing the total number of rotations from $O(\sqrt{N})$ to $O(\sqrt{n})$, thereby increasing the overall scheme’s performance.

Chen et al. (2019) proposed using FFT butterfly operations for homomorphic encoding, requiring $O(log(N))$ rotations and $O(log(N))$ multiplication layers. This approach effectively reduces the number of rotations at the cost of consuming more multiplication layers, representing a trade-off between multiplication layers and rotation operations.

Currently, in CKKS bootstrapping schemes, the matrix multiplication method proposed by Cheon et al. (2018) is widely used for constructing homomorphic encoding and decoding, as it consumes only one multiplication layer. The number of remaining multiplication layers after bootstrapping is an important indicator of bootstrapping performance.

Bossuat et al. (2021) observed that when using $\mathsf{BSGS}$ for matrix multiplication in linear transformations, the most time-consuming steps are the $O(\sqrt{N})$ rotation operations $(\mathsf{Rot})$ and conjugation operations $(\mathsf{Conj})$, both constructed using the key switching method $(\mathsf{KS})$. Building upon the Hoisting algorithm proposed by Halevi and Shoup (2014, 2021) to accelerate $\mathsf{KS}$, Bossuat et al. (2021) improved it to a Double Hoisting method, reducing the complexity of the $\mathsf{KS}$ algorithm itself and achieving a twofold efficiency improvement in overall linear transformations.

RGSW-type ciphertexts and FHEW blind rotation

FHEW blind rotation primarily targets Boolean circuits, with security based on the Learning With Error (LWE) problem. It focuses on LWE-type ciphertexts $\mathsf{ct}=(b,\mathit{a})\in {\mathbb{Z}}^{N+1}$, where $b=⟨\mathbf{a},\mathbf{s}⟩+m+e(modQ),m\in \mathbb{Z}$. For convenience, we denote this ciphertext as ${\mathsf{LWE}}_Q(m)$. In contrast, BGV/BFV/CKKS security is based on the Ring Learning With Error (RLWE) problem, employing an encoding function to transform vectors into polynomials, then encrypting them as RLWE-type ciphertexts $\mathsf{ct}=(b,a)\in {\mathcal{R}}_Q^2$, where $b=as+m+e,m\in \mathcal{R}$. We denote this ciphertext as ${\mathsf{RLWE}}_Q(m)$.

A key feature of FHEW blind rotation is its use of RGSW ciphertexts (Gentry et al. 2013) to encrypt the private key s as a bootstrapping key, enabling blind rotation operations on ciphertexts. Blind rotation can transform an LWE-type ciphertext ${\mathsf{LWE}}_{2N}(u)$ into ${\mathsf{RLWE}}_Q(f(X)·X^u)$, where $f(X)=f_0+f_{1}X+\cdots +f_{N-1}{X}^{N-1}$. We now elaborate on RGSW and blind rotation.

RGSW Ciphertexts: First, define a decomposition base $\mathit{g}=(g_0,...,g_{d-1})$. For a polynomial $t\in {\mathcal{R}}_q$, decompose it using $\mathit{g}$ into $(t_0,...,t_{d-1})$, satisfying $t={\sum }_{i=0}^{d-1}{g}_i·t_i$. Based on this decomposition property, we can define ${\mathsf{RLWE}}^{\prime }$ and $\mathsf{RGSW}$ ciphertexts:

6

7

8

Blind Rotation Algorithm: Leveraging the property of the external product $\mathsf{RLWE}\times \mathsf{RGSW}=\mathsf{RLWE}$, we can apply it to perform blind rotation on $\mathsf{RLWE}$ ciphertexts. Specifically, we first define the blind rotation key $\mathsf{brk}={\left\{{\mathsf{RGSW}}_Q,\left(s_i^{+}\right),,,{\mathsf{RGSW}}_Q,\left(s_i^{-}\right)\right\}}_{i\in [0,N-1]}$, where

9

[See PDF for image]

Algorithm 3

Blind Rotation $\mathsf{BlindRotate}({\mathsf{LWE}}_{2N}(u),\mathsf{brk},f)$

Upon completion of the algorithm, we obtain $\mathsf{ACC}={\mathsf{RLWE}}_Q(f·X^u)={\mathsf{RLWE}}_Q(f_0{X}^u+f_1{X}^{u+1}+\cdots +f_{N-u}{X}^N+\cdots +f_{N-1}{X}^{N-1+u})$. Given that in $\mathcal{R}=Z[X]/X^N+1$, $X^N=-1$, the constant term of the ciphertext in $\mathsf{ACC}$ is $-f_{N-u}$. The $\mathsf{Extract}$ method proposed by Chen et al. (2021b) can be employed to extract the coefficient of the constant term, yielding ${\mathsf{LWE}}_Q(-f_{N-u})$. This demonstrates that a function can be computed during the blind rotation process.

Negacyclicity in Blind Rotation: The arbitrary specification of coefficients in f(X) allows for the computation of a function with negacyclic properties during blind rotation. Specifically:

Let $g:2N\to Q$ be a function, and define $f=g(0)-g(N-1)X-g(N-2)X^2-\cdots -g(1)X^{N-1}$. Upon executing $\mathsf{BlindRotate}({\mathsf{LWE}}_{2N}(u),\mathsf{brk},f)$, we obtain ${\mathsf{RLWE}}_Q(f·X^u)$. Subsequent application of the $\mathsf{Extract}$ operation yields ${\mathsf{LWE}}_Q(g^{\prime })$, where $g^{\prime }$ represents the constant term of $f·X^u$. For $0\le u<N$, $g^{\prime }=g(u)$; conversely, for $N\le u<2N-1$, $g^{\prime }=-g(u-N)$.

This negacyclic behavior arises from the constraint $X^N=-1$, necessitating that $g(X+N)=-g(X)$ for all X.

The negacyclicity constraint potentially limits the range of functions computable during blind rotation. However, if this constraint can be mitigated, for instance by restricting the domain of u to [0, N), it may become feasible to execute arbitrary functions within the blind rotation process.

Bootstrapping CKKS using blind rotation

Kim et al. (2024a) observed that directly extending the modulus of a ciphertext ${\mathsf{RLWE}}_q(m(X))$ results in ${\mathsf{ct}}^{\prime }={\mathsf{RLWE}}_Q(t(x))$, where $t(x)=m(X)+u(X)·q(modQ)$. Consequently, they proposed first employing an extraction method to obtain ${\mathsf{ct}}_{\mathit{prep}}={\mathsf{RLWE}}_{2N}(u(X))$, then applying blind rotation and scaling to yield ${\mathsf{ct}}_{\mathit{sm}}={\mathsf{RLWE}}_Q(-q·u(X))$. Finally, they compute ${\mathsf{ct}}^{\prime \prime }={\mathsf{ct}}^{\prime }+{\mathsf{ct}}_{\mathit{sm}}$ on the modulus-extended ciphertext to obtain ${\mathsf{ct}}^{\prime \prime }={\mathsf{RLWE}}_Q(m(X))$. The process is as follows:

Extraction: For a ciphertext $\mathsf{ct}=(b,a)$, where $as+b=m(X)+e+q·v(X)\in R$, compute ${\mathsf{ct}}^{\prime }=2N·2t(modq)=({[2N·b]}_q,{[2N·a]}_q)$. This yields ${[2N·b]}_q+{[2N·a]}_q·s=2N·m+2N·e+q·u(X)\in R$. Calculate ${\mathsf{ct}}_{\mathit{prep}}=\left(\frac{2N·\mathsf{ct}-{\mathsf{ct}}^{\prime }}{q}\right)$ to obtain ${\mathsf{ct}}_{\mathit{prep}}={\mathsf{RLWE}}_{2N}(-u(X))$.

Blind Rotation and Scaling: Noise analysis shows that ${\Vert u(X)\Vert }_{\infty }<\frac{N}{2}$. Therefore, when performing blind rotation on the coefficients of $u(X)=u_0+u_{1}X+\cdots +u_{N-1}{X}^{N-1}$, the negacyclic property of blind rotation becomes negligible. Use $\mathsf{Extract}$ to convert ${\mathsf{ct}}_{\mathit{prep}}$ into N$\mathsf{LWE}$ ciphertexts ${\{{\mathsf{LWE}}_{2N}(-u_i)\}}_{i\in [0,N-1]}$, then apply blind rotation to compute ${\{{\mathsf{LWE}}_Q(-u_i·q)\}}_{i\in [0,N-1]}$. Finally, employ the $\mathsf{Repack}$ method from Chen et al. (2021b) to consolidate these into a single ${\mathsf{ct}}_{\mathit{sm}}={\mathsf{RLWE}}_Q(-q·u(X))$.

Result Computation: Calculate ${\mathsf{ct}}^{\prime \prime }={\mathsf{ct}}_{\mathit{sm}}+{\mathsf{ct}}^{\prime }={\mathsf{RLWE}}_{\mathit{Qp}}(2N·m)$. Multiply by $\frac{p}{2N}$ to obtain ${\mathsf{RLWE}}_{\mathit{Qp}}(p·m)$, then apply $\mathsf{rescale}$ on p to yield ${\mathsf{ct}}_{\mathit{boot}}={\mathsf{RLWE}}_Q(m)$.

Through these extraction, blind rotation scaling, and computation steps, ${\mathsf{RLWE}}_q(m(X))$ is transformed into ${\mathsf{RLWE}}_Q(m(X))$. This method eliminates the need for polynomial approximation of the modulus function and homomorphic linear transformations. Moreover, the scheme designed by Kim et al. (2024a) can bootstrap all $\mathsf{RLWE}$-type ciphertexts, including BGV (Brakerski et al. 2014), BFV (Brakerski 2012; Fan and Vercauteren 2012), and CKKS (Cheon et al. 2017).

Yang et al. (2021) focused on the structure of CKKS ciphertexts, which take the form ${\mathsf{RLWE}}_Q(\Delta m+e)$. From a bit-level perspective, the effective bits of the plaintext occupy high positions (at bit $log\Delta$), while the noise’s effective bits are in low positions (at bit 0). They proposed a novel bootstrapping scheme that extracts low-bit noise through blind rotation and subtracts it from the high-bit plaintext. The key advantage of their approach lies in its ability to reduce the original ciphertext’s noise, a feat unachievable by other CKKS bootstrapping methods. Consequently, while noise eventually overwhelms the plaintext’s effective bits in other methods as computations progress, Yang et al. (2021)’s scheme allows for unlimited computations without compromising plaintext integrity due to noise accumulation.

Yang et al. (2021) designed a $\mathsf{BitExtract}$ method by addressing the negacyclic property of blind rotation, enabling the extraction of specific bits from the ciphertext into a new ciphertext. This bit extraction technique extracts low-bit noise into a new ciphertext and subtracts it from the original ciphertext, thereby reducing noise in CKKS ciphertexts while simultaneously expanding the modulus from q to Q, achieving both modulus extension and noise reduction.

Specifically, certain bits can be extracted from the ciphertext through scaling and modulus operations. However, the negacyclic property of the blind rotation function poses challenges in directly applying blind rotation to construct $\mathsf{BitExtract}$. To address this, Yang et al. (2021) designed a scheme that circumvents the negacyclic constraint of blind rotation. They observed that for ${\mathsf{LWE}}_{2N}(u)$ where $0\le u<2N$, the highest bit of u is its sign bit, and obtaining the sign bit through bootstrapping is feasible as it adheres to the negacyclic property. By using blind rotation once to obtain u’s sign bit, Yang et al. (2021) multiply the sign bit by $-N$ and add it to the original ciphertext, thus constraining the plaintext size in $\mathsf{LWE}$ to $0\le u+kN<N,k\in \{0,-1\}$. In essence, they limit u’s size by invoking blind rotation once, then invoke it again to extract any bit from the ciphertext.

Utilizing this innovative blind rotation approach, they successfully designed the $\mathsf{BitExtract}$ algorithm. By invoking $\mathsf{BitExtract}$ at different positions in the ciphertext to extract specific bits, they performed CKKS bootstrapping by accumulating high-bit plaintext information and subtracting low-bit noise information.

Both aforementioned schemes (Kim et al. 2024a; Yang et al. 2021) can bootstrap CKKS under standard parameters. In contrast, general CKKS bootstrapping frameworks (Cheon et al. 2018), which use polynomial approximation, require a larger number of remaining levels to support high-degree polynomial computations. This necessitates a larger q, and to ensure 128-bit security, N must also be larger, resulting in non-standard security parameters. Although (Kim et al. 2024a; Yang et al. 2021) may be less efficient than general bootstrapping frameworks, they can use smaller, standard homomorphic encryption parameters.

The optimization of CKKS bootstrapping through blind rotation techniques has become increasingly interconnected with advances in FHEW/TFHE bootstrapping methods. Recent research has yielded significant improvements over traditional AP/FHEW bootstrapping (Ducas and Micciancio 2015; Alperin-Sheriff and Peikert 2014b; Pereira 2021b) and GINX/TFHE blind rotation (Gama et al. 2016b; Chillotti et al. 2019). These advances include reduced bootstrapping key sizes, lower computational costs (Liu and Wang 2023a; Lee et al. 2023b), and the capacity for simultaneous bootstrapping of multiple ciphertexts (Liu and Wang 2023a, b, c). Notably, researchers have also demonstrated the viability of constructing blind rotation using NTRU assumptions (Xiang et al. 2023). The ongoing refinements in FHEW/TFHE blind rotation techniques, particularly in key size optimization and amortized computational efficiency, can be directly applied to enhance CKKS bootstrapping performance. This symbiotic relationship between FHEW/TFHE and CKKS bootstrapping suggests that continued advancements in FHEW/TFHE methods will likely drive further improvements in CKKS bootstrapping implementations.

Enhancing precision through multiple bootstrapping invocations

Bae et al. (2022) utilized a method involving multiple bootstrapping invocations to perform CKKS bootstrapping. Specifically, for an initial ciphertext $\mathsf{ct}={\mathsf{RLWE}}_q(m(X))$, bootstrapping yields ${\mathsf{ct}}_{\mathit{boot}}={\mathsf{RLWE}}_Q(m(X)+e_{\mathit{boot}})$, where ${\mathsf{ct}}_{\mathit{boot}}$ contains additional noise $e_{\mathit{boot}}$ introduced by the bootstrapping process compared to the original $\mathsf{ct}$. Subtracting these two ciphertexts results in a new ciphertext ${\mathsf{ct}}_{\mathit{err}}={\mathsf{RLWE}}_q(e_{\mathit{boot}})$, whose plaintext represents the bootstrapping noise. By applying the bootstrapping circuit to this encrypted noise ciphertext, we obtain a modulus-extended noise ciphertext ${\mathsf{ct}}_{\mathit{err}}^{\prime }={\mathsf{RLWE}}_Q(e_{\mathit{boot}})$. Subsequently, subtracting this additional ciphertext from the bootstrapped ciphertext yields ${\mathsf{ct}}_{\mathit{boot}}={\mathsf{ct}}_{\mathit{boot}}-{\mathsf{ct}}_{\mathit{err}}^{\prime }={\mathsf{RLWE}}_Q(m(X))$.

It is important to note that if a k-bit bootstrapping scheme is employed, the precision of ${\mathsf{ct}}_{\mathit{boot}}$ obtained after the first bootstrapping operation is k bits. By executing a second bootstrapping operation to subtract the noise from ${\mathsf{ct}}_{\mathit{boot}}$, an additional k bits of precision are gained, resulting in a total precision of 2k bits. Consequently, by invoking any bootstrapping scheme l times, a bootstrapping precision of kl bits can be achieved.

Privacy-preserving machine learning

Privacy-Preserving Machine Learning (PPML) represents one of the most significant applications of the CKKS scheme, where bootstrapping enables the evaluation of deep neural networks and complex training procedures in the encrypted domain. The bootstrapping operation serves as a crucial component for managing noise growth during iterative computations, allowing for the implementation of sophisticated machine learning algorithms while maintaining data privacy throughout the entire process. Numerous PPML systems have been implemented with secure multi-party computation (MPC) protocols (Mohassel and Rindal 2018; Mohassel and Zhang 2017; Riazi et al. 2018; Rouhani et al. 2018; Lu et al. 2023; Lin et al. 2024; Bhardwaj et al. 2024). While MPC approaches necessitate active multi-party participation, FHE’s distinctive capability for single-party computation offers unique advantages in specific application contexts.

The evolution of privacy-preserving training methodologies has been significantly influenced by practical challenges in healthcare and genomics, particularly through the iDASH Privacy & Security Workshop competition. A notable milestone emerged from the 2017 competition (Wang et al. 2018), where participants tackled the implementation of privacy-preserving logistic regression on genomic data. The winning solution (Chen et al. 2018) demonstrated a groundbreaking application of CKKS with bootstrapping, enabling multiple gradient descent iterations and establishing a foundational framework for managing noise accumulation in iterative computations on encrypted biomedical data.

Further advancing this domain, subsequent research in logistic regression training (Kim et al. 2018) has leveraged bootstrapping to overcome the constraints of noise accumulation in gradient descent iterations. This approach achieves linear computational complexity with respect to iteration count, though ultimately bounded by homomorphic encryption parameter selections.

The landscape of encrypted neural network inference has witnessed substantial evolution, particularly in Machine Learning as a Service (MLaaS) systems. Contemporary MLaaS platforms predominantly employ the CKKS scheme (Cheon et al. 2024; Wood et al. 2020b; Jiang et al. 2018a; Lee et al. 2022b; Zhang et al. 2024b), where efficient bootstrapping mechanisms prove instrumental for practical encrypted inference (Lee et al. 2023a). The field has progressed significantly from early approaches that focused on HE-friendly network architectures (Gilad-Bachrach et al. 2016; Chou et al. 2018), which, while innovative, required substantial model modifications that conflicted with the MLaaS paradigm’s requirement for standard architecture support.

Recent research has marked a paradigm shift towards precise approximation of pre-trained standard CNNs (SCNNs). Significant advances include (Lee et al. 2022b)’s implementation of multiplexed parallel convolutions and optimized bootstrapping techniques in RNS-CKKS, enabling efficient evaluation of standard ResNet architectures while maintaining robust security guarantees. The Channel-By-Channel methodology (Cheon et al. 2024) further refined these capabilities through sophisticated data packing and convolution optimizations.

Contemporary optimization techniques have achieved remarkable efficiency improvements, with recent work (Kim and Guyot 2023) maintaining constant computational complexity independent of kernel dimensions. The NeuJeans framework (Ju et al. 2023) represents a significant advancement through its innovative Coefficients-in-Slot (CinS) encoding, enabling multiple convolution operations within single homomorphic multiplications while eliminating costly permutation operations.

Secure outsourced computation

While CKKS has found widespread adoption in privacy-preserving machine learning due to its natural fit for approximate arithmetic, its role in secure outsourced computation (SOC) has been historically limited by both bootstrapping performance and its approximate nature. However, recent improvements in bootstrapping efficiency are changing this landscape, potentially enabling more general-purpose secure computation services in cloud environments.

In the era of cloud computing, SOC has emerged as a crucial paradigm enabling organizations to delegate computational tasks while protecting sensitive data. The field has evolved from basic encryption schemes to sophisticated protocols, including identity-based encryption (Boneh and Franklin 2001; Unal et al. 2021), attribute-based encryption (Bethencourt et al. 2007), and integrity verification methods (Backes et al. 2013). While these traditional methods primarily focus on protecting data privacy during storage and transmission, homomorphic encryption enables direct computation on encrypted data, addressing the broader challenge of secure data processing in untrusted environments.

Historically, the substantial computational overhead of bootstrapping in FHE schemes led researchers to pursue alternative approaches (Zhao et al. 2022). These alternatives included partially homomorphic encryption (PHE) schemes (Paillier 1999; Rivest et al. 1983), somewhat homomorphic encryption (SWHE) (Brakerski et al. 2014), and multi-server architectures with interactive protocols (Goldreich et al. 2019). While more efficient for specific tasks, these approaches were inherently limited in functionality, typically focusing on singular aspects of SOC such as k-means clustering (Zhang et al. 2022), data aggregation (Marandi et al. 2024), linear algebra (Atallah and Frikken 2010), matrix computation (Jiang et al. 2018b), or face recognition (Wang et al. 2022). None could handle general computation tasks due to the bootstrapping bottleneck. As bootstrapping efficiency improves, SOC applications can potentially transition from these specialized protocols to more general FHE-based solutions.

Some computational tasks inherently require bootstrapping due to their complexity. For instance, comparison operations, despite sophisticated optimization protocols (Cheon et al. 2020; Lee et al. 2021a; Tan et al. 2020; Lee et al. 2022a) minimizing multiplicative depth, still require bootstrapping for extended computational chains. Notable advances in this area include (Hong et al. 2021)’s optimized k-way sorting network, which achieves an improved complexity of $O(k{log}_{k}n)$. Similarly, in search applications, HERS (Engelsma et al. 2022) demonstrates the practical viability of similarity search over encrypted vectors, where bootstrapping proves essential for result aggregation and iterative search procedures.

Encrypted databases represent another significant domain for secure data outsourcing, where both data and queries are processed in encrypted form. However, due to the requirement for exact arithmetic in database operations, these systems typically employ PHE schemes like Paillier (Popa et al. 2012) or SWHE schemes like BFV (Henzinger et al. 2023; Bian et al. 2023; Ren et al. 2022) rather than CKKS. Recent work such as ArcEDB (Zhang et al. 2024c) achieves state-of-the-art performance in encrypted database queries by utilizing exponent encoding of RLWE(BFV) ciphertext and external product of RGSW for homomorphic filtering.

As cloud computing continues to evolve, the improved efficiency of CKKS bootstrapping opens new possibilities for general-purpose secure computation services. Unlike traditional application-specific protocols, CKKS-based solutions could enable cloud providers to offer flexible secure computation services that support arbitrary functions while maintaining data privacy, though careful consideration of performance trade-offs remains necessary.

Bootstrapping other FHE scheme with CKKS

The evolution of FHE schemes has demonstrated significant interconnectivity across different generations and types. Foundational work by Boura et al. (2020) established the interoperability between FHEW-type and BGV/BFV/CKKS-type schemes, while (Chen et al. 2021b) demonstrated the convertibility between RLWE and LWE ciphertexts. This interconnectedness extends to bootstrapping mechanisms, where recent research reveals substantial mutual benefits between different schemes’ bootstrapping approaches.

A significant theoretical advancement has emerged in the form of a novel bootstrapping methodology for BFV (Kim et al. 2024b), which ingeniously leverages CKKS bootstrapping as a fundamental component. This approach, applicable when the BFV plaintext modulus t divides the ciphertext modulus q, enables noise extraction and transformation into the CKKS domain through modulus switching. The methodology achieves remarkable efficiency improvements, reducing both key size and computational overhead by approximately 30-fold compared to traditional approaches, while establishing a valuable bridge where advancements in CKKS bootstrapping directly enhance BFV bootstrapping capabilities.

Particularly noteworthy is the application of CKKS bootstrapping for functional bootstrapping tasks traditionally associated with FHEW/TFHE schemes (Ducas and Micciancio 2015; Chillotti et al. 2019). Alexandru et al. (2024) demonstrated that CKKS-style bootstrapping, combined with trigonometric Hermite interpolation techniques, can achieve functional bootstrapping with efficiency improvements of three orders of magnitude compared to traditional FHEW/TFHE approaches. Building upon this foundation, Bae et al. (2024a, 2024b) further expanded the capabilities of CKKS bootstrapping to evaluate arbitrary functions on bit-level and small integer inputs during the bootstrapping process, marking a significant advancement in the versatility of CKKS-based approaches.