Integer-Wise Functional Bootstrapping on TFHE: Applications in Secure Integer Arithmetics †

†

One notable application is secure computation in order to protect the secrecy of data against computation servers.An example of secure computation services is privacypreserving machine learning as a service (MLaaS) [14,15].In such a service, users want to hide sensitive data (e.g., genomic, anamnesis data, etc.) from the server and the server does not want to provide its cognitive models to users.FHE should be a fundamental component of secure multi-party computation (MPC).However, most applications are constructed without FHE operations because the MPC may require FHE operations many times and the run time of the operations would be substantial due to the inefficiency of FHE schemes.
Most FHE schemes consist of bit-wise or integer-wise encryption operations; the plaintext space is Z 2 in bit-wise encryption, and the plaintext space is Z p for some p > 2 in integer-wise encryption [16][17][18].Some schemes have been executed via integer arithmetics, but bit-wise integer addition and multiplication are not practical even though the bit-wise integer comparison algorithm is efficient [19].In particular, the full adder algorithm has to execute homomorphic multiplication l times for an l-bit length integer.Thus, homomorphic integer multiplication based on the full adder must execute approximately l 2 [18] operations.
On the other hand, integer-wise FHE schemes can efficiently perform addition and multiplication because the construction of those calculations in a homomorphic manner is merely integer addition and multiplication.Recent studies [14,15,20,21] on secure MLaaS used integer-wise homomorphic encryption.Secure integer-wise comparison [22] and integer-wise division [23] have recently been proposed; however, arithmetic operations such as division are remain impractical.The design of efficient algorithms for basic arithmetic operations is an open issue required to reduce computational costs of the operations.
HElib [24], HEAAN [25], PALISADE [26], SEAL [27], and TFHE [6][7][8] are open-source implementations of homomorphic encryption.TFHE is a variant of the FHEW scheme [28] in which the bootstrapping procedure can be performed in less than 0.1 seconds, which is a major bottleneck of FHE.TFHE successfully improved the overall performance of arithmetic operations, although TFHE does not explicitly provide integer-wise arithmetics.Moreover, the number of bootstrapping operations required is equal to the number of bits.Bourse et al. [14] modified TFHE to enable integer-wise encryption, which only supports homomorphic integer addition and homomorphic evaluation of the sign function.

Contribution
In this paper, we present an approach where an arbitrary function is executed during a bootstrap procedure in the integer-wise TFHE scheme with a generalization of the constant variable "test vector" in the bootstrapping.Our bootstrapping procedure is applicable to homomorphic operations of fundamental arithmetics, where specific settings of the value of test vector are given: We propose the homomorphic equality test (Eq, Algorithm 6) and its variant, which test the equality between a ciphertext and a plaintext (ConstEq, Algorithm 7); the homomorphic multiplication between an integer and a binary number (MultbyBin, Algorithm 8); and homomorphic division, where the dividend is a ciphertext and the divisor is a constant plaintext (DivbyConst, Algorithm 9).Based on these building blocks, we propose a homomorphic algorithm for integer division (Div, Algorithm 10).Our implementation of Divruns approximately 3.4 times faster than the fastest existing work.We also generalize the Divalgorithm to a homomorphic evaluation of an any 2-variable function.

Notation
We write the security parameter as λ.We denote by T the torus of real numbers modulo 1, R/Z.For any ring R, polynomials of the variable X with coefficients in R are denoted by R which are the ring of polynomials of variable X with quotient X N + 1 and real coefficients modulo 1.Let B := {0, 1} be a set, and we write vectors in bold.We write s $ ← S when s is uniformly random sampled from S. We denote by U (S) the uniform distribution over the set S, and we denote by e ← χ the process of sampling e according to the distribution χ.

Learning with Errors
The learning with errors (LWE) problem is a computational problem introduced by Regev [29].We use the torus variant of LWE, as in [6,30].Let n ∈ N, and let χ be a statistical distribution on R. The torus LWE distribution for a fixed uniformly random secret vector s $ ← B n is defined as follows: The search-LWE problem is to find the secret vector s from LWE samples {(a i , a i • s + e i )} m i=1 sampled from LWE n,s,χ .The decision-LWE problem is to distinguish whether samples {(a i , s • a i + e i )} m i=1 are drawn from LWE n,s,χ or U (T n+1 ).
TFHE uses a sub-Gaussian distribution for the error distribution.A distribution χ σ over R such that ∀t ∈ R, E(e tX ) ≤ e σ 2 t 2 /2 is called σ-sub-Gaussian.Let Y and Z be independent random variables that are σ-and σ -sub-Gaussian, respectively.Then, for all k, l ∈ R,

Bit-Wise LWEEncryption
We briefly explain bit-wise Regev's encryption [29], which is a building block of the (bit-wise) TFHE.Let m ∈ B be a plaintext.The encryption scheme works as follows: We explain later in Section 2.4 that this scheme can be extended to integer-wise encryptions.

Torus LWE(TLWE)
The General-LWEproblem (GLWE) proposed by Brakerski, Gentry, and Vaikuntanathan [31] is a general problem that includes the LWE problem, and the Ring-LWE problem proposed by Lyubashevsky, Peikert, and Regev in [32].TLWE is a torus analogue of the GLWE problem.Let k be a positive integer, N be a power of 2, and χ be a probability distribution over R N [X].A TLWE secret key s is a vector of k polynomials over Z N [X] with binary coefficients, denoted as s Notice that the coefficients of the TLWE sample is an LWE ciphertext of the constant term of the polynomial message µ.We define the function SampleExtract that simply extracts the coefficients vector of the TLWE sample, and we denote the vector of coefficients of a polynomial a ∈ T N (X) by coefs(a(X)).Then, we can obtain the extracted LWE ciphertext as (a , b ) := SampleExtract((a, b)), where a = (coefs(a 1 (1/X)), . . ., coefs(a k (1/X))) and b is the constant term of the polynomial b.This is the ciphertext encrypted with an extracted key s := KeyExtract(s) := (coefs(s 1 (X)), . . ., coefs(s k (X))) ∈ Z kN .
As mentioned before, TLWE includes the LWE problem and the Ring-LWE problem.When N > 1 is large and k = 1, TLWE is the (binary-secret) Ring-LWE.Conversely, when N = 1 and k is large, TLWE is the (binary-secret) LWE.Note that, in the TFHE library [33], N = 1024 and k = 1 by default; thus, TLWE is simply a Ring-LWE in the library, i.e., we can simple consider the TLWE samples as Ring-LWE samples (a, b) ∈ T N [X] × T N [X] in this paper.

TGSW
TGSW is a generalized variant of the GSW FHE scheme proposed by Gentry, Sahai, and Waters [10].TGSW can be regarded as the matrix extension of TLWEbecause GSW is the matrix extension of LWE.Each row of a TGSW sample is a TLWE sample.As with TFHE [6], an external product that maps : TGSW × TLWE → TLWE can be defined.
The product of the TGSW ciphertext of a polynomial message µ TGSW ∈ T N [X] and the TLWE ciphertext of a polynomial message µ TLWE ∈ T N [X] becomes a TLWE ciphertext of a polynomial message (µ TGSW • µ TLWE ) ∈ T N [X].We refer the readers to [6] for more details.

Overview of TFHE Bootstrapping
We refer to the bootstrapping procedure of the TFHE in [6].We present the bootstrapping algorithm in Algorithm 1.As we mentioned before, in the default settings of the TFHE library [33], the dimension of the TLWE sample is set as k = 1.This means that the TLWE sample is simply the Ring In the rest of this paper, we set k = 1: we also consider the TLWE sample to be the Ring-LWEsample Algorithm 1: TFHE bootstrapping [6] for binary arithmetics.
The input for the bootstrapping is an LWE ciphertext of message binary message The noise e is sampled according to the distribution such that |e| < 1 4 to satisfy the condition for correct decryption of the LWE encryption.

Rounding
After the rounding operation in line 2, we obtain an rounded LWE ciphertext (a, b) ∈ and e ACC := ξ 0 − ∑ n i=1 ξ i s i and ξ 0 , . . .ξ n are rounding errors that are uniformly distributed over (− 1 2 , 1 2 ).Note that e ACC = 0 when the coefficients (a, b) are in 1 2N Z/Z; thus, we can ignore e ACC when we use the default parameter setting in the TFHE library of N = 1024.

BlindRotate
At the line 4, ACC is a trivial TLWE ciphertext (0, ; thus, Error(ACC 1 ) ∞ = 0.After the loop in line 5, from [6] (Theorem 4.6), we have where β = B g /2 and = 1/2B l g are the precision parameters of the gadget decomposition, l ∈ N, B g ∈ N, and α BK is a error size ratio of the bootstrapping key BK.After the loop in line 5, the message of ACC becomes a polynomial X b−as • testv.From (3) and e ACC = 0, we have ψ((a, b) Nm in , and from (2), we obtain 0 < 2Ne + N 2 < N. Therefore, we have the following facts: Note that, here, we used the fact that X −i ≡ −X N+i , which follows the definition X N + 1 ≡ 0.

Extract
The output of SampleExtract in line 6 is simply the coefficients vector of the TLWE sample over the torus (a , b The size of the error of (a , b ) remains Error(ACC) ∞ since SampleExtract adds no extra noise.

KeySwitch
The output of KeySwitchin line 7 is a TLWE sample (a, b) ∈ T n × T of a message m out 2 ∈ T, with the secret key s.We write this TLWE ciphertext as LWE s (m out ) for simplicity of the notation.The KeySwitchprocedure is the same as that in [6].We refer to KeySwitch in Algorithm 2 for completeness of this paper.The keyswitching key is defined as KS s →s,γ,t , where Here, γ ∈ R is a parameter that decides the size of the noise of the key switching key, which satisfies Error(KS i,j ) ∞ ≤ γ, and t ∈ N is a parameter that decides the precision.From [6] (Lemma 4.3), we obtain Therefore, we have the bound on the size of the noise as follows: where the second inequality follows from (4).The bootstrapping outputs a "fresh" LWE ciphertext when the parameters satisfy the following: Algorithm 2: KeySwitch.

Integer-Wise General Functional Bootstrapping
We modify TFHE to a variant that can encrypt the plaintext of an integer and perform any 1-variable function in only one bootstrapping.We highlight this section as follows: • We present our general bootstrapping in Algorithm 3 of Section 3.1, which is built upon the integer-wise LWE encryption Section 2.4.

•
Our key technique to construct the general bootstrapping is generalizing the setting of the coefficients of the test vector, which is used in the BlindRotate part of the bootstrapping procedure, in Algorithm 4.

•
We also discuss the possible security issue that arose after our modification in Section 3.2.

General Functional Bootstrapping
We present our bootstrapping scheme in Algorithm 3. Our bootstrapping is different from that of Chillotti et al.'s Algorithm 1 in the setting of the test vector used in the BlindRotatepart.Our bootstrapping procedure is constructed over the integer-wise LWE encryption described in Section 2.4, where homomorphic evaluation is performed in an integerwise manner.We summarize in Table 1 how the input ciphertext is converted line by line for clarity.Algorithm 3: General functional bootstrapping.

Input
The input for our bootstrapping scheme is an LWE ciphertext (a, b) ∈ T n × T of an integer message m in ∈ {−τ, . . ., τ − 1}, where b = a • s + e + m in /2τ.The noise e is sampled according to the distribution such that (7) holds to satisfy the condition for correct decryption of the LWE encryption.

Rounding (Line 1)
The output of the rounding is an rounded Concretely, we obtain e ACC = 0 when N = 1024, as we mentioned in Section 2.3.

BlindRotate (Line 3 to Line 4)
At line 3, the ACC is a trivial (noiseless) TLWE sample (0, . After the iteration in line 4, the message of ACC becomes a polynomial X b−as • testv.Since e ACC = 0 and from (10), we have ψ((a, b)) := b − as = 2N e + m in 2τ .Thus, we obtain from (7) that Note that we define the test vector in general form testv : , which is the core modification of our scheme.In the following, we explain how to set the value of the testv coefficients for a homomorphic evaluation of the arbitrary input function f in one bootstrapping.We summarize the setting in Algorithm 4 and show its illustration in Figure 1.

•
When m in = 0, we have ψ((a, b)) = 2Ne and (a, b) ∈ {− N 2τ , . . ., N 2τ }.Thus, the constant term of the polynomial We define the value of all elements µ ∈ M 0 as µ := f (0) 2τ ∈ T. Note that, since X N + 1 ≡ 0, we now have X −i ≡ −X N−i or, equivalently, X i ≡ −X −(N−i) .Similar to this case, when m in = −τ, the constant term of the polynomial The elements of this set are the sign inversions of the elements of the set M 0 .Therefore, µ ∈ M −τ are already defined as µ := , and the constant term of the polynomial We define the value of all µ ∈ M m in as µ , and the constant term of the poly- These values are the sign inversions of the previously defined µ ∈ M m in for m in ∈ {1, . . ., τ − 1}.
Algorithm 4: Our setting of the test vector coefficients defined in (9).
The message of the output u := SampleExtract(ACC) in line 5, denoted as msg((a , b )), is the constant term of (X b−as • testv).By our construction of BlindRotate, it is the coefficient ∈ T, where f is defined in (8).
3.1.5.KeySwitch (Line 7) Our scheme uses the same KeySwitchprocedure as the original TFHE, which is mentioned in Section 2.3.5.The output KeySwitch KS (u) of line 6 is a TLWE sample denoted as (a, b) ∈ T n × T. The sample is the encryption of the message m out 2τ ∈ T with the secret key s.We denote this TLWE ciphertext as LWE s (m out ) for simplicity of the notation.Only the difference from the original bit-wise TFHE is the upper bound of (5): From (7), we need to choose the parameters that satisfy the upper bound so that we can obtain a "fresh" LWE sample after the bootstrapping with overwhelming probability.

Security
The security of our scheme largely relies on the original TFHE scheme because we only modify the test vector, and it changes only the bound of the size of noise given in (12).Although the noise bound of TFHE is fixed to 1/4, as in (5), that of our scheme is 1/4τ.Therefore, when we use the larger plaintext space, the bound becomes lower.This means that we need to use the TLWE sample with smaller noise if the bound (12) does not hold.Conversely, we select the security parameters and τ that satisfy (12); then, the security of our scheme relies solely on the original TFHE scheme.We use the same security parameters and noise as those in the original TFHE scheme and choose a value of τ that satisfies (12) in our experiments in Section 5. Notably, the bound in ( 12) is independent of the input function f ; therefore, our scheme can run arbitrary functions with the same parameters and running time.

Applications
We present several basic applications of our integer-wise general TFHE bootstrapping procedure (Algorithm 3): The function Sign(), which is the homomorphic algorithm of sign, was already presented by Bourse et al. in [14].For clarity, we describe Sign() performed in our scheme to show that our general Bootstrapping schemes includes the sign function.Additionally, the integer-wise TFHE proposed by Bourse et al. [14] can evaluate only Sign() bootstrapping; it does not support the homomorphic multiplication of integer ciphertexts.
We show Eqand ConstEqin Section 4.2, MultbyBinin Section 4.3, and DivbyConstin Section 4.4.We propose Divin Section 4.5 using DivbyConst, ConstEq, and MultbyBinas building blocks.We also generalize the Divfunction to the homomorphic algorithm that evaluates any 2-variable function in Section 4.5.
Algorithm 5: Sign(C m in ): Homomorphic sign evaluation in our bootstrapping scheme.

Homomorphic Evaluation of the Sign Function: Sign()
Algorithm 5 shows that our algorithms homomorphically evaluate the sign function.This algorithm is constructed using Bootstrap with an input function f sign .Specifically, we "express" f sign by defining the coefficients µ 0 , . . ., µ N−1 ∈ T of test vector using Algorithm 4, as follows: We illustrate the setting of the test vector coefficients in Figure 2. We can confirm from (8) Note that the plaintext of the output with m in = −τ is the same as that with m in = 0.

Output: C m
Illustration of the slices for the test vector coefficients of sign bootstrapping (when τ = 5).

Homomorphic Equality Test: Eq() and ConstEq()
For clarity, we present that our bootstrapping scheme includes the homomorphic equality test.This concept is similar to the homomorphic comparison on TFHE proposed by Bourse et al. in [34].Note that we require the input plaintext space to be in {0, . . ., τ − 1} (or in {−τ, . . ., −1}), for our equality tests Algorithms 6 and 7.This restriction is required since, if we allowed m 1 and m 2 to be in {−τ, . . ., τ − 1}, we would have m 2 − m 1 = τ and would obtain the trueoutput when Some previous integer-wise homomorphic equality tests were performed based on Fermat's little theorem [35] in other FHE schemes, such as HElib.For example, in HElib (i.e., in the BGV FHE scheme [31]), the plaintext space was Z p for some prime number modulus p, and the equality test was constructed using the fact However, this approach is not efficient because it calls for homomorphic multiplication many (≈ log(p)) times, and thus, some additional bootstrapping are required in order to reduce the increase in noise caused by the homomorphic multiplication.Our homomorphic equality test is efficient because it calls only one bootstrapping procedure.
Algorithm 6 shows Eq(•, •), the equality test between two ciphertexts.The algorithm is based on the integer-wise "zero test" bootstrapping with the function f ztest , where f ztest (x) := τ if x = 0, 0 otherwise.Concretely, we define the test vector coefficients µ 0 , . . . ,µ N−1 ∈ T that correspond to f ztest , based on Algorithm 4, as follows: We show the illustration of the setting of the coefficients of the test vector in Figure 3. Algorithm 7 shows the variant that is performed between a ciphertext and a plaintext.Notice that the second argument of the algorithm is a plaintext m 1 , which is then encoded as a trivial (0, ν m 1 ) LWE ciphertext in line 1.

Homomorphic Multiplication by a Binary Number: MultbyBin()
Algorithm 8 shows the algorithm used to homomorphically evaluate the multiplication by a binary number (MultbyBin).As mentioned before, integer-wise TFHE cannot perform homomorphic multiplication between integer ciphertexts.MultbyBinhomomorphically multiplies an integer ciphertext by a ciphertext of a binary message.MultbyBinis called as a module in the homomorphic division Div, which we describe later in Algorithm 10. Figure 4 illustrates how the MultbyBinworks.Note that we need restrictions for MultbyBin: (1) τ to be an odd number and (2) m in ∈ {0, . . ., τ − 1}.We explained these restrictions later in this subsection.
B o o t s t r a p Bootstrap We define two functions f id and f half to be used as inputs of Bootstrapto construct MultbyBin.The function f id : {0, . . ., τ − 1} → {0, . . ., τ − 1} is an identity function defined as f id (x) := x.Based on Algorithm 4, we define the test vector coefficients µ 0 , . . ., µ N−1 ∈ T for f id as follows: The function f half is defined as For f half , we define the test vector coefficients µ 0 , . . ., µ N−1 ∈ T based on Algorithm 4, as follows: We now explain Algorithm 8. First, in line 1, we homomorphically multiply a ciphertext of a binary message in {τ, 0}, C m bin and a constant (0, τ 2τ ) to C m int .The output of the bootstrapping of the sum with f id is stored as C tmp .

•
If C m bin is a ciphertext of 0 (which means false), then C m bin + (0, τ 2τ ) is C τ (ciphertext of the constant τ).Thus, the phase of C m int is rotated to a position symmetrical about the origin, as illustrated in Figure 4 by the dashed arrow in the left image.Then, the phase of the ciphertext is rotated to a position symmetrical about the x-axis.After bootstrapping with , and C 0 remains C 0 , as illustrated in Figure 4. Finally, we obtain C m out = C m int when m bin = τ and C 0 when m bin = 0.
As noted before, we need to restrict τ to odd values.If τ is even, when m int = τ 2 and . Therefore, τ needs to be an odd number to homomorphically evaluate the division by 2 with the function Bootstrap(•, f half ).Additionally, we require the input m int to be in {0, . . ., τ − 1} because we cannot perform multiplication with binary values on negative plaintext m int ∈ {−τ + 1, . . ., −1} with MultbyBin.(Although we can perform binary multiplication on m int = −τ or τ, which is equivalent to m int = 0, we omit −τ from the input plaintext space, for simplicity.)ForBit-wise integer division by 2 on TFHE was proposed in [7].The algorithm was constructed based on a right shift over the bits; therefore, it only supports a power of two dividend.Homomorphic division by a (not only 2) constant was proposed in [23] based on HElib.This algorithm uses polynomial interpolation, which needs to homomorphically calculate all powers of the ciphertexts {C a , C 2 a , C 3 a , . . ., C p−1 a }, where p is the modulus of the plaintext space Z p .Thus, it is not efficient since many (p − 1) homomorphic multiplications are needed for a homomorphic polynomial interpolation.Contrary to that, our homomorphic division by a constant on the integer-wise TFHE is efficient because it needs only one bootstrapping.
We now explain Div.First, in line 1, we set a C SUM = C 0 = (0, 0) as a trivial TLWE ciphertext of a message 0. In the iteration on line 2 and 6, we obtain a ciphertext of a/i , denoted as C a/i with DivbyConst, and then, we test if i = d with ConstEq, where d is the plaintext of the input C d .The output is the ciphertext of the Boolean value of the test result C (d=i) .Second, in line 5, we have Therefore, after this loop, we have Generalization to a Two-Variable Function: Func() We now generalize Divto any two-variable function Func(C m 1 , C m 2 ), in Algorithm 11.The algorithm takes the following inputs: two ciphertexts C m 1 and C m 2 ; a two-variable function f (x, y); and sets of test vector coefficients {µ 0,y , . . ., µ N−1,y }, which corresponds to a one-variable function f y (x) := f (x, y) for all fixed y ∈ {0, . . ., τ − 1}.The output of the algorithm is a ciphertext C f (m 1 ,m 2 ) .This algorithm generalizes Divby generalizing the DivbyConstto Bootstrap(C m in , f y ), which is the homomorphic evaluation of a general one-variable function f y (x) := f (x, y) over a ciphertext C x .

Results of Homomorphic Division
In this section, we present the implementation results of Div.We implemented our bootstrapping procedure and Divby modifying the TFHE library [33].The parameter values are the same as the defaults of the TFHE library: These choices of parameters achieve at least 128-bit security [6].A single bootstrapping procedure takes approximately 10 msec on our PC with a 3.4-GHz Intel Core i5 CPU.We implemented Divfor a 4-bit integer, which is the same target as that of existing work on homomorphic division algorithms [16][17][18]23].Thus, we set B = 17 to encrypt 4-bit integers.
Table 2 shows our results, including the values taken from the existing works on homomorphic division.We ran Div (Algorithm 10) 1000 times and took the average.Our method is approximately 3.4 times faster than the fastest method ( [23]) shown in the table while achieving a higher level of security (λ > 128) than that of existing methods.For a fair comparison, we also implemented the "non-restorative division algorithm" on the original (bit-wise) TFHE library with the same parameters.The non-restorative division algorithm is a classic bit-wise algorithm for integer division that is used in previous works [16][17][18].We can confirm from Table 2 that our method is approximately 2.2 times faster than nonrestorative division.In the asymptotic analysis, as shown in the "Complexity" column of the table, our division algorithm and that of [23] take exponential time.Thus, our algorithm and that of [23] are asymptotically slower than other works based on the bit-wise nonrestorative division algorithm.The main bottle necks of our algorithm and that in [23] are the exhaustive loop of line 2-6 in Algorithm 10, similar to the part in [23].However, while the method of [23] needs an O(2 2l ) calculation, our algorithm is quadratically faster: it takes a smaller O(2 l ) calculation.This is due to that our bootstrapping being able to evaluate any one-variable function without extra computational costs over the original TFHE, and in contrast, the bootstrapping in [23]   We show in Table 3 the breakdown of the run time of our Div, which was completed in 930 msec in total.The run time for each of MultbyBin, ConstEq, DivbyConst, and Bootstrap(•, f id ) in line 5 of Algorithm 10 are shown in the table.The run times of these subalgorithms account for almost the entire run time.As the single bootstrapping takes approximately 10 msec on our PC, the cost of these functions is dominated by the run time of bootstrapping, i.e., our functions entail minimal additional costs.

Limitations of Correctness
In the parameter setting of this section, the final standard deviation of the noise after bootstrapping is σ = 0.00961, as in [6].The probability of decryption failure, i.e., the probability of the standard deviation of noise after bootstrapping is larger than 1/16 and is bounded by erf(1/16 √ 2σ) < 2 −32 .The condition suffices for the bit-wise TFHE scheme.
However, for our scheme, decryption fails if the size of the noise after bootstrapping is larger than 1/4τ, as shown in (12).The probability of decryption error is bounded by erf(1/4τ √ 2σ) < 2 −4.06 for our scheme.This upper bound appears large, but we empirically observed in our experiment that the decryption error rate is approximately 0.08% (4 decryption errors in 5000 bootstrappings).In other words, there is a trade-off between the size of the plaintext space τ and the decryption error rate.For 5-bit integers, i.e., when B = 33, the upper bound of the decryption failure probability rapidly increases to approximately 30%.Thus, for the parameter setting in this section, our scheme is practical only for ≤ 4-bit integer input.Notably, although the decryption failure rate of our scheme increases as τ increases, the security of the scheme is not affected because τ is independent of the standard deviation σ of the noise [14].

Conclusions
We proposed a technique for performing arbitrary 1-variable functions with only one bootstrapping procedure using the integer-wise variant of TFHE.The core modification is to generalize the test vector used in the bootstrapping and the concrete setting of the values of the test vector coefficients.Based on this general functional bootstrapping procedure, we extended the functionality of the integer-wise TFHE scheme to construct several basic applications, such as homomorphic equality testing, multiplication by a binary number, and a division algorithm.We implemented our homomorphic division algorithm and showed that it can be performed in less than 1 second, which is approximately 3.4 times faster than the fastest division algorithm.However, as a limitation, our scheme is practical only for ≤4-bit integer inputs, when we use the default parameters of TFHE library.In order to use our scheme for larger integer inputs, we need to use a smaller error rate.
Efficient algorithms for basic arithmetic operations are needed to increase the options for optimizing high-level secure computation applications.We believe our bootstrapping scheme can be used to develop a wide variety of homomorphic calculation algorithms.

•
Setup(λ): Let the security parameter be λ.Select and fix public parameters n = n(λ), σ = σ(λ); then, Setup(λ) samples a secret key s $ ← B n and outputs it.• Enc(s, m): a uniformly random vector a $ ← T n and a noise e ← D T N [X],σ are sampled, where D T N [X],σ is the Gaussian distribution over T N [X] with a standard deviation σ.Then, the algorithm outputs a ciphertext (a, b), where b = a • s + e + m/2.(1) • Dec(s, (a, b)): The decryption algorithm returns 2(b − a • s) .It outputs plaintext correctly if the size of noise e is bounded as

•
C sign(a) = Sign(C a ): Homomorphic evaluation of the sign function over a ciphertext (Algorithm 5) • C (a=b) = Eq(C a , C b ): Homomorphic evaluation of the equality test (Algorithm 6) • C (a=b) = ConstEq(C a , b): Homomorphic evaluation of the equality test with a plaintext (Algorithm 7) • C a•b = MultbyBin(C a , C b ): Homomorphic evaluation of multiplication by a binary number (Algorithm 8) • C a/d = DivbyConst(C a , d): Homomorphic evaluation of division by a plaintext (Algorithm 9) • C a/d = Div(C a , C d ): Homomorphic evaluation of division (Algorithm 10)

Figure 3 .
Figure 3. Illustration of the slices for the test vector coefficients of equality test bootstrapping (when τ = 5).

Figure 4 .
Figure 4. Illustration of MultbyBinwhen (m int , m bin ) = (1, 0).The left figure illustrates the procedure in line 1, and the right figure illustrates the procedure in line which means true), the message of C tmp in line 1 is −(τ + m int ), and the output becomes m out = 0 because C tmp + C m bin = C τ for all m int ∈ {−B + 1, . . ., −1} while m bin = τ(true).• If m bin = 0 (which means false), in line 1, the message of C tmp is τ − m int and the output is m out = −τ + m int .Therefore, for negative inputs m int ∈ {−τ + 1, . . ., −1}, MultbyBin does not work as multiplication with binary values; thus, we need the restriction.4.4.Homomorphic Division by a Constant: DivbyConst Algorithm 9 shows that DivbyConsthomomorphically evaluates "division by a constant".DivbyConsttakes a ciphertext C m in and a plaintext m d as inputs, and it outputs a ciphertext of C m in /m d .Note that we need to restrict m in ∈ {0, . . ., τ − and m d ∈ {1, . . ., τ − 1}.

•
The degree of the polynomials in the ring: N = 1024.• The dimensions of the LWE and TLWE: n = 500 and k = 1.• Decomposition basis and length of TGSWciphertexts: B g = 2 10 and l = 2. • Decomposition basis and length of KeySwitch: 2 l and t = 8. • Standard deviation of the noise of the key-switching keys KS: σ KS = 2.44 • 10 −5 .• Standard deviation of the noise of the bootstrapping keys BK: σ BK = 7.18 • 10 −9 .

Table 1 .
Overview of the bootstrapping scheme.

Table 2 .
Results: comparison with existing homomorphic division implementations.We abbreviate the non-restoring division method as NRD.The "Complexity" column shows the asymptotic complexity for a one-bit-length integer input.

Table 3 .
A breakdown of the run time of our Div (Algorithm 10).
Funding: This research received no external funding.