LMKCDEY Revisited: Speeding Up Blind Rotation with Signed Evaluation Keys

Abstract

Recently, Lee et al. introduced a novel blind rotation technique utilizing ring automorphisms also known as LMKCDEY. Among known prominent blind rotation methods, LMKCDEY stands out because of its minimal key size and efficient runtime for arbitrary secret keys, although Chillotti et al.’s approach, commonly referred to as CGGI, offers faster runtime when using binary or ternary secrets. In this paper, we propose an enhancement to LMKCDEY’s runtime by incorporating auxiliary keys that encrypt the negated values of secret key elements. Our method not only achieves faster execution than LMKCDEY but also maintains a smaller key size compared to the ternary version of CGGI. Moreover, the proposed technique is compatible with LMKCDEY with only minimal adjustments. Experimental results with OpenFHE demonstrate that our approach can improve bootstrapping runtime by 5–28%, depending on the chosen parameters.

1. Introduction

Homomorphic encryption (HE) is an encryption scheme that enables computations on encrypted data without requiring decryption. HE is widely used as a cryptographic back-end for privacy-preserving computations in various applications, such as secure multi-party computation, private set retrieval, and privacy-preserving machine learning [1,2,3].

Advances in lattice-based cryptography have enabled the practical construction of HE schemes based on the learning with errors (LWE) and ring LWE (RLWE) problems [4,5]. LWE encryption relies on the hardness of the LWE problem, which involves distinguishing the noisy inner product of a secret key and a random vector from a uniform distribution. Decryption in LWE-based schemes is noisy, and the message is typically recovered by rounding the decryption result to the nearest encoded value. However, as the number of homomorphic operations increases, the noise accumulates, and decryption may fail if the noise exceeds a certain threshold.

The bootstrapping technique has made fully homomorphic encryption (FHE) feasible on a practical scale [6]. The bootstrapping technique is crucial for reducing noise in ciphertexts, making FHE practical. Currently, there are five main HE algorithms in use: Ducas–Micciancio (DM or FHEW) [7], Chillotti–Gama–Georgieva–Izabachene (CGGI or TFHE) [8], Brakerski–Gentry–Vaikuntanathan (BGV) [9], Cheon–Kim–Kim–Song (CKKS) [10], and Brakerski/Fan–Vercauteren (B/FV) [11,12].

Ducas and Micciancio first proposed a practical HE scheme with bootstrapping in under a second [7]. The FHEW scheme is based on (R)LWE encryption, and bootstrapping is performed using a novel blind rotation technique derived from the ring version of the Gentry–Sahai–Waters (GSW) HE [13]. Chillotti et al. significantly improved the bootstrapping runtime and key size by introducing a new blind rotation algorithm, which is the core FHEW-like HE bootstrapping [8,14]. FHEW-like HE supports arbitrary logical gate operations, while BGV and B/FV support addition and multiplication in ${\mathbb{Z}}_p$, and CKKS supports these operations in $\mathbb{C}$. Thus, FHEW-like HE is more versatile and can be used in more general applications. For example, non-arithmetic operations like ReLU cannot be directly implemented in CKKS, BGV, and B/FV but are simple in FHEW-like HE. Additionally, FHEW benefits from smaller ciphertext and key sizes, minimizing operational overhead on the client side.

Recently, Lee, Micciancio, Kim, Choi, Deryabin, Eom, and Yoo (LMKCDEY) proposed a new blind rotation technique using ring automorphisms [15]. The existing methods, DM and CGGI, have clear advantages and disadvantages: DM supports arbitrary secret keys but requires a large key size, while CGGI has a smaller key size and faster runtime but is limited in the secret key distributions it can handle. (There are generalizations of CGGI for larger secrets, but these lead to rapid increases in key size and runtime as the key distribution broadens [16,17]). LMKCDEY combines the best features of both DM and CGGI: it offers a small key size like CGGI does and supports arbitrary secret key distributions like DM does.

1.1. Contribution

In this paper, we propose an improved blind rotation technique using ring automorphisms, building on the LMKCDEY method. Our approach offers faster runtime and lower failure probability than LMKCDEY while maintaining a smaller key size than the ternary GINX scheme. In LMKCDEY, the encryption of $X^{s_i}$ is used as an evaluation key (or bootstrapping key), where $s_i$ represents each element of the secret key. We introduce auxiliary evaluation keys, which are the encryption of $X^{-s_i}$, thereby reducing the number of costly homomorphic automorphism operations by up to half.

The proposed method has been implemented using OpenFHE [18] and achieves performance comparable to ternary GINX, the fastest blind rotation technique implemented in OpenFHE. As shown in Section 5, our method achieves the best runtime performance among existing methods when the secret keys follow a Gaussian distribution. We also demonstrate that the windowing technique, an optimization originally for LMKCDEY, can be effectively applied to our method. Experimental results show that runtime improves by 5–28% depending on the window size parameter.

1.2. Organization

The rest of the paper is organized as follows. Preliminaries for basic (R)LWE encryption and homomorphic operations are presented in Section 2. The proposed blind rotation algorithm and the application of the windowing technique are described in Section 3. A theoretical analysis of the time complexity, key size, and noise of the proposed method is provided in Section 4. In Section 5, we present the implementation results of the proposed method and compare it with state-of-the-art techniques. Finally, Section 6 concludes the paper with remarks and directions for future work.

2. Preliminaries

2.1. Notation

Let N be a power of two. The $2N$-th cyclotomic ring is defined as $\mathcal{R}:=\mathbb{Z}\left[X\right]/(X^N+1)$, and its quotient ring as ${\mathcal{R}}_Q:=\mathcal{R}/Q\mathcal{R}$. Elements within the ring $\mathcal{R}$ are represented in boldface; for instance, $\mathit{a}=\mathit{a}\left(X\right)$. For two vectors $\overrightarrow{a}$ and $\overrightarrow{b}$, their inner product is denoted by $\langle \overrightarrow{a},\overrightarrow{b}\rangle$. All logarithms are base 2 unless specified otherwise. The floor, ceiling, and round functions are denoted by $⌊·⌋$, $⌈·⌉$, and $⌊·⌉$, respectively. For $q\in \mathbb{Z}$ and $q>1$, the ring ${\mathbb{Z}}_q$ is identified with the interval $[-q/2,q/2)$ as its representative, and for $x\in \mathbb{Z}$, the centered remainder of x modulo q is written as ${\left[x\right]}_q\in {\mathbb{Z}}_q$. These notations are extended to elements of $\mathcal{R}$ by applying them to each coefficient individually. Uniform sampling from a set $\mathsf{S}$ is denoted by $\mathit{a}\leftarrow \mathsf{S}$, while sampling according to a distribution $\chi$ is indicated by $\mathit{a}\leftarrow \chi$.

2.2. Basic Learning with Errors (LWE) Encryption and Homomorphic Operations

The basic LWE encryption of a message $m\in {\mathbb{Z}}_q$ for a secret key $\overrightarrow{s}\leftarrow {\chi }_{\mathtt{key}}$ with parameters of positive integers n and q is defined as

$${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(m\right)=\left(\beta ,\overrightarrow{\alpha }\right)=\left(-\langle \overrightarrow{\alpha },\overrightarrow{s}\rangle +e+m,\overrightarrow{\alpha }\right)\in {\mathbb{Z}}_q^{n+1},$$

where $\overrightarrow{\alpha }\leftarrow {\mathbb{Z}}_q^n$, and the error term $e\leftarrow {\chi }_{\mathtt{err}}$. We call parameters n and q the dimension and (ciphertext) modulus of the LWE encryption, respectively. We may omit the subscripts q and $\overrightarrow{s}$ when they are clear from the context. A ciphertext $\mathtt{ct}={\mathsf{LWE}}_{q,\overrightarrow{s}}\left(\mathit{m}\right)=\left(\beta ,\overrightarrow{\alpha }\right)\in {\mathbb{Z}}_q^{n+1}$ is approximately decrypted by computing

$${\mathsf{LWE}}_{q,\overrightarrow{s}}^{-1}\left(\beta ,\overrightarrow{\alpha }\right):=\langle \overrightarrow{\alpha },\overrightarrow{s}\rangle +\beta =m+e\in {\mathbb{Z}}_q.$$

We use the shorthand notation $\mathtt{ct}\left(\overrightarrow{s}\right):={\mathsf{LWE}}_{q,\overrightarrow{s}}^{-1}\left(\mathtt{ct}\right)$.

For a positive integer Q and a power of two N, the basic RLWE encryption of $\mathit{m}\in \mathcal{R}$ with a secret key $\mathit{z}\leftarrow {\chi }_{\mathtt{key}}$ is defined as

$${\mathsf{RLWE}}_{Q,\mathit{z}}\left(\mathit{m}\right):=(\mathit{b},\mathit{a})=(-\mathit{a}·\mathit{z}+\mathit{e}+\mathit{m},\mathit{a})\in {\mathcal{R}}_Q^2,$$

where $\mathit{a}\leftarrow {\mathcal{R}}_Q$, and each coefficient $e_i$ of $\mathit{e}$ is sampled independently from $e_i\leftarrow {\chi }_{\mathtt{err}}$ for $i\in \left[0,N-1\right]$. Parameters N and Q are called the degree of the ring and (ciphertext) modulus of the RLWE encryption, respectively. We may sometimes drop the subscripts Q and $\mathit{z}$ for simplicity. The notation ${\mathsf{RLWE}}_{Q,\mathit{z}}^0\left(\mathit{m}\right)$ is used when the error $\mathit{e}$ is zero. A ciphertext $\mathtt{ct}={\mathsf{RLWE}}_{Q,\mathit{z}}\left(\mathit{m}\right)=(\mathit{b},\mathit{a})\in {\mathcal{R}}_Q^2$ is (approximately) decrypted by computing

$${\mathsf{RLWE}}_{Q,\mathit{z}}^{-1}(\mathit{b},\mathit{a}):=\mathit{a}·\mathit{z}+\mathit{b}=\mathit{m}+\mathit{e}\in {\mathcal{R}}_Q.$$

We use the shorthand notation $\mathtt{ct}\left(\mathit{z}\right):={\mathsf{RLWE}}_{Q,\mathit{z}}^{-1}\left(\mathtt{ct}\right)$.

We define $({\mathit{t}}_0,\cdots ,{\mathit{t}}_{d_g-1})$ as a gadget decomposition of $\mathit{t}\in {\mathcal{R}}_Q$ if $\mathit{t}={\sum }_{i=0}^{d_g-1}{g}_i·{\mathit{t}}_i$, where $\overrightarrow{g}=(g_0,\cdots ,g_{d_g-1})$ is a gadget vector, and ${∥{\mathit{t}}_i∥}_{\infty }<B_g$. Following the definitions in [16], we adapt ${\mathsf{RLWE}}^{\prime }$ and $\mathsf{RGSW}$ as follows. For a gadget vector $\overrightarrow{g}$, we define ${\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left(\mathit{m}\right)$ and ${\mathsf{RGSW}}_{\mathit{z}}\left(\mathit{m}\right)$ by:

$$\begin{array}{cc}\hfill {\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left(\mathit{m}\right)& :=\left({\mathsf{RLWE}}_{\mathit{z}}(g_0·\mathit{m}),{\mathsf{RLWE}}_{\mathit{z}}(g_1·\mathit{m}),\cdots ,{\mathsf{RLWE}}_{\mathit{z}}(g_{d_g-1}·\mathit{m})\right)\in {\mathcal{R}}_Q^{2d}\hfill \\ \hfill {\mathsf{RGSW}}_{\mathit{z}}\left(\mathit{m}\right)& :=\left({\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left(\mathit{m}\right),{\mathsf{RLWE}}_{\mathit{z}}^{\prime }(\mathit{z}·\mathit{m})\right)\in {\mathcal{R}}_Q^{2\times 2d}.\hfill \end{array}$$

The scalar multiplication between an element in ${\mathcal{R}}_Q$ and an ${\mathsf{RLWE}}^{\prime }$ ciphertext

$$\odot :{\mathcal{R}}_Q\times {\mathsf{RLWE}}^{\prime }\to \mathsf{RLWE}$$

is defined as:

$$\begin{array}{cc}\hfill \mathit{t}\odot {\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left(\mathit{m}\right)& =\langle ({\mathit{t}}_0,\cdots ,{\mathit{t}}_{d_g-1}),\left({\mathsf{RLWE}}_{\mathit{z}}(g_0·\mathit{m}),\cdots ,{\mathsf{RLWE}}_{\mathit{z}}(g_{d_g-1}·\mathit{m})\right)\rangle \hfill \\ \hfill & =\sum _{i=0}^{d_g-1}{\mathit{t}}_i·{\mathsf{RLWE}}_{\mathit{z}}(g_i·\mathit{m})={\mathsf{RLWE}}_{\mathit{z}}\left(\sum _{i=0}^{d_g-1}{g}_i·{\mathit{t}}_i·\mathit{m}\right)\hfill \\ \hfill & ={\mathsf{RLWE}}_{\mathit{z}}(\mathit{t}·\mathit{m})\in {\mathcal{R}}_Q^2.\hfill \end{array}$$

For each error ${\mathit{e}}_i$ in ${\mathsf{RLWE}}_{\mathit{z}}(g_i·\mathit{m})$, the resulting error after multiplication is ${\sum }_{i=0}^{d_g-1}{\mathit{t}}_i·{\mathit{e}}_i$, which remains small if both ${\mathit{t}}_i$ and ${\mathit{e}}_i$ are small.

The multiplication operation between RLWE and $\mathsf{RGSW}$ ciphertexts

$$⊛:\mathsf{RLWE}\times \mathsf{RGSW}\to \mathsf{RLWE}$$

is defined as:

$$\begin{array}{cc}\hfill {\mathsf{RLWE}}_{\mathit{z}}\left({\mathit{m}}_1\right)⊛{\mathsf{RGSW}}_{\mathit{z}}\left({\mathit{m}}_2\right)& =(\mathit{b},\mathit{a})⊛\left({\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left({\mathit{m}}_2\right),{\mathsf{RLWE}}_{\mathit{z}}^{\prime }(\mathit{z}·{\mathit{m}}_2)\right)\hfill \\ \hfill & =\mathit{b}\odot {\mathsf{RLWE}}_{\mathit{z}}^{\prime }\left({\mathit{m}}_2\right)+\mathit{a}\odot {\mathsf{RLWE}}_{\mathit{z}}^{\prime }(\mathit{z}·{\mathit{m}}_2)\hfill \\ \hfill & ={\mathsf{RLWE}}_{\mathit{z}}(\mathit{b}·{\mathit{m}}_2)+{\mathsf{RLWE}}_{\mathit{z}}(\mathit{a}·\mathit{z}·{\mathit{m}}_2)\hfill \\ \hfill & ={\mathsf{RLWE}}_{\mathit{z}}({\mathit{m}}_1·{\mathit{m}}_2+{\mathit{e}}_1·{\mathit{m}}_2)\in {\mathcal{R}}_Q^2.\hfill \end{array}$$

This operation results in an RLWE encryption of the product ${\mathit{m}}_1·{\mathit{m}}_2$ with an additional error term ${\mathit{e}}_1·{\mathit{m}}_2$. To ensure that ${\mathsf{RLWE}}_{\mathit{z}}\left({\mathit{m}}_1\right)⊛{\mathsf{RGSW}}_{\mathit{z}}\left({\mathit{m}}_2\right)\approx {\mathsf{RLWE}}_{\mathit{z}}({\mathit{m}}_1·{\mathit{m}}_2)$, it is important to minimize the error term ${\mathit{e}}_1·{\mathit{m}}_2$. This can be achieved using monomials ${\mathit{m}}_2=\pm X^{\upsilon }$ as messages.

2.3. Modulus Switching

Modulus switching is a technique used to reduce the modulus of a ciphertext while maintaining the same plaintext (the plaintext can be scaled by a constant). For an LWE ciphertext ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(m\right)=(\beta ,\overrightarrow{\alpha })$, the modulus switching operation is defined as

$${\mathsf{M}ᴏᴅ\mathsf{S}ᴡɪᴛᴄʜ}_{q\to q^{\prime }}\left({\mathsf{LWE}}_{q,\overrightarrow{s}}\left(m\right)\right)={\mathsf{LWE}}_{q^{\prime },\overrightarrow{s}}(m·{\displaystyle \frac{q^{\prime }}{q}})=\left(⌊\beta ·{\displaystyle \frac{q^{\prime }}{q}}⌉,⌊\overrightarrow{\alpha }·{\displaystyle \frac{q^{\prime }}{q}}⌉\right)mod{q}^{\prime }.$$

The rounding on $\beta$ and $\overrightarrow{\alpha }$ introduces an additive error term, and by LWE assumption [4], $\beta$ and $\overrightarrow{\alpha }$ are uniformly random; thus, the rounding noise is uniformly distributed in $[-1/2,1/2)$. Thus, the error introduced during modulus switching is estimated as

$${\sigma }_{\mathtt{ms}}^2={\displaystyle \frac{\parallel \overrightarrow{s}{\parallel }_2+1}{12}}.$$

The modulus switching can naturally extend to RLWE ciphertexts.

2.4. LWE Key Switching

Key switching is the process of transforming a ciphertext ${\mathsf{LWE}}_{{\overrightarrow{s}}_1}\left(m\right)$ encrypted with one secret key ${\overrightarrow{s}}_1$ into a ciphertext ${\mathsf{RLWE}}_{{\overrightarrow{s}}_2}\left(m\right)$ encrypted under a different secret key ${\overrightarrow{s}}_2$. In FHEW-like HE, we use LWE key switching to transform an LWE ciphertext of a large parameter into a smaller parameter to improve the runtime performance of blind rotation.

• $\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜ\mathsf{G}ᴇɴ({\overrightarrow{s}}_1,{\overrightarrow{s}}_2)$: Generates a key switching key

  $${\left\{{\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(\nu B_{\mathtt{ks}}^j{s}_{1,i}\right)\right\}}_{\nu \in [0,B_{\mathtt{ks}}-1],j\in [0,d_{\mathtt{ks}}-1],i\in [0,n-1]},$$

  where integer parameters $B_{\mathtt{ks}}$ and $d_{\mathtt{ks}}$ satisfy $B_{\mathtt{ks}}^{d_{\mathtt{ks}}}\ge n$.
• $\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜh_{{\overrightarrow{s}}_1\to {\overrightarrow{s}}_2}({\mathsf{LWE}}_{{\overrightarrow{s}}_1}\left(m\right),{\mathtt{ksk}}_{\mathsf{LWE}})$: Given a ciphertext ${\mathsf{LWE}}_{{\overrightarrow{s}}_1}\left(m\right)=(\beta ,\overrightarrow{\alpha })$, it decomposes $\overrightarrow{\alpha }$ into $d_{\mathtt{ks}}$ blocks ${\left\{{\overrightarrow{\alpha }}_j\right\}}_{j\in [0,d_{\mathtt{ks}}-1]}$ of size ${∥{\overrightarrow{\alpha }}_j∥}_{\infty }\le B_{\mathtt{ks}}$ and outputs the ciphertext

  $$\begin{array}{cc}\hfill {\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(m\right)& =(\beta ,0)+\sum _{i=0}^{n-1}\sum _{j=0}^{d_{\mathtt{ks}}-1}{\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left({\alpha }_{j,i}{B}^j{s}_{1,i}\right)\hfill \\ \hfill & =(\beta ,0)+{\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(\sum _{i=0}^{n-1}\sum _{j=0}^{d_{\mathtt{ks}}-1}{\alpha }_{j,i}{B}^j{s}_{1,i}\right)\hfill \\ \hfill & =(\beta ,0)+{\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(\sum _{i=0}^{n-1}{\alpha }_i{s}_{1,i}\right)\hfill \\ \hfill & ={\mathsf{LWE}}_{{\overrightarrow{s}}_2}(\beta +\sum _{i=0}^{n-1}{\alpha }_i{s}_{1,i})\approx {\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(m\right)(modq).\hfill \end{array}$$

The key switching key ${\left\{{\mathsf{LWE}}_{{\overrightarrow{s}}_2}\left(\nu B_{\mathtt{ks}}^j{s}_{1,i}\right)\right\}}_{\nu ,j,i}$ produced by the $\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜ\mathsf{G}ᴇɴ$ function is a public key that facilitates the key switching process. The error introduced during key switching is equivalent to the error from the multiplication and is estimated as

$${\sigma }_{\mathtt{ks}}^2=d_{\mathtt{ks}}n{\sigma }_{\mathtt{err}}^2,$$

where ${\sigma }_{\mathtt{err}}$ is the standard deviation of the error distribution ${\chi }_{\mathtt{err}}$.

2.4.1. Key Switching in RLWE

Key switching can also be defined for RLWE ciphertext as in LWE; it is the process of transforming a ciphertext ${\mathsf{RLWE}}_{{\mathit{z}}_1}\left(\mathit{m}\right)$ encrypted with one secret key ${\mathit{z}}_1$ into a ciphertext ${\mathsf{RLWE}}_{{\mathit{z}}_2}\left(\mathit{m}\right)$ encrypted under a different secret key ${\mathit{z}}_2$. Various approaches to RLWE key switching exist; for a comprehensive overview, see sources such as [19]. In this paper, we focus on the BV key switching method introduced in [20]:

• $\mathsf{RLWE}\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜ\mathsf{G}ᴇɴ({\mathit{z}}_1,{\mathit{z}}_2)$: Generates a key switching key $\mathtt{ksk}={\mathsf{RLWE}}_{{\mathit{z}}_2}^{\prime }\left({\mathit{z}}_1\right)$.
• $\mathsf{RLWE}{\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜ}_{{\mathit{z}}_1\to {\mathit{z}}_2}({\mathsf{RLWE}}_{{\mathit{z}}_1}\left(\mathit{m}\right),\mathtt{ksk})$: Given a ciphertext ${\mathsf{RLWE}}_{{\mathit{z}}_1}\left(\mathit{m}\right)=(\mathit{b},\mathit{a})$, it outputs the ciphertext

  $${\mathsf{RLWE}}_{{\mathit{z}}_2}\left(\mathit{m}\right)=(\mathit{b},0)+\mathit{a}\odot {\mathsf{RLWE}}_{{\mathit{z}}_2}^{\prime }\left({\mathit{z}}_1\right)(modQ).$$

The key switching key ${\mathsf{RLWE}}_{{\mathit{z}}_2}^{\prime }\left({\mathit{z}}_1\right)$ is a public key that facilitates the key switching process. The error introduced during key switching is equivalent to the error from the multiplication of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$.

2.4.2. Automorphisms in RLWE

Automorphisms of the ring $\mathcal{R}$ are utilized to perform certain operations in HE. There are N distinct automorphisms ${\psi }_t:\mathcal{R}\to \mathcal{R}$ defined by $\mathit{a}\left(X\right)\mapsto \mathit{a}\left(X^t\right)$ for $t\in {\mathbb{Z}}_{2N}^{\ast }$. These automorphisms are naturally extended to ${\mathcal{R}}^2$, enabling their application to RLWE ciphertexts.

Automorphisms are implemented using the following procedure, which employs a special set of switching keys ${\mathtt{ak}}_t={\mathsf{RLWE}}_{\mathit{z}\left(X\right)}\left(\mathit{z}\left(X^t\right)\right)$:

• ${\mathsf{A}ᴜᴛᴏ}_t\left({\mathsf{RLWE}}_{\mathit{z}}\left(\mathit{m}\right),{\mathtt{ak}}_t\right)$: Given a ciphertext ${\mathsf{RLWE}}_{\mathit{z}}\left(\mathit{m}\left(X\right)\right)=(\mathit{b}\left(X\right),\mathit{a}\left(X\right))$ and a switching key ${\mathtt{ak}}_t$, the automorphism ${\psi }_t$ is applied to $\mathit{a}\left(X\right)$ and $\mathit{b}\left(X\right)$, yielding $(\mathit{b}\left(X^t\right),\mathit{a}\left(X^t\right))$, which is an RLWE encryption of $\mathit{m}\left(X^t\right)$ under the new secret key $\mathit{z}\left(X^t\right)$. The resulting ciphertext ${\mathsf{RLWE}}_{\mathit{z}\left(X^t\right)}\left(\mathit{m}\left(X^t\right)\right)$ is then transformed back to ${\mathsf{RLWE}}_{\mathit{z}\left(X\right)}$$\left(\mathit{m}\left(X^t\right)\right)$ using the key switching function $\mathsf{RLWE}{\mathsf{K}ᴇʏ\mathsf{S}ᴡɪᴛᴄʜ}_{\mathit{z}\left(X^t\right)\to \mathit{z}\left(X\right)}$.

It is important to note that the automorphism ${\psi }_t$ is a permutation of the coefficients within $\mathcal{R}$ and can be computed efficiently. Moreover, as a norm-preserving map, ${\psi }_t$ does not introduce any additional errors during its application.

2.4.3. LWE Extraction from RLWE

We can extract an LWE ciphertext encrypting $m_0$ from an ${\mathsf{RLWE}}_{\mathit{z}}\left(\mathit{m}\right)$ ciphertext encrypting $\mathit{m}$ publicly. This process, if used in FHWE bootstrapping as the output of blind rotation, is an RLWE ciphertext, but the input of the next bootstrapping is an LWE ciphertext. Recall that $\mathit{m}\approx \mathit{b}+\mathit{a}·\mathit{z}$, and thus, in particular, we have the following:

$$\begin{array}{cc}\hfill m_0& \approx b_0+{(\mathit{a}·\mathit{z})}_0\hfill \\ \hfill & =b_0+a_0{z}_0-\sum _{i=1}^{N-1}{a}_{N-i}{z}_i.\hfill \end{array}$$

A small trick here is that ${\mathit{a}}^{\prime }=\mathit{a}\left(X^{-1}\right)=a_0-a_{N-1}X-a_{N-2}{X}^2-\cdots -a_1{X}^{N-1}$, and thus $a_0{z}_0-{\sum }_{i=1}^{N-1}{a}_{N-i}{z}_i=\langle {\overrightarrow{a}}^{\prime },\overrightarrow{z}\rangle$. Finally, an LWE ciphertext $(b_0,{\overrightarrow{a}}^{\prime })$, encrypting $m_0$ under secret key $\overrightarrow{z}$, can be extracted from ${\mathsf{RLWE}}_{\mathit{z}}\left(\mathit{m}\right)=(\mathit{b},\mathit{a})$.

2.4.4. Secret Key Distribution in LWE-Based HE

In both LWE-based and RLWE-based schemes, the entries of the secret vector or the coefficients of the secret polynomial are sampled from specific distributions as recommended by the Homomorphic Encryption Security Standard [21].

Gaussian (theoretical): A Gaussian distribution with a standard deviation $\sigma \approx \sqrt{N}$, as proposed in [4,5], offers the strongest theoretical security, closely resembling the security of a uniform secret key distribution.

Gaussian (practical): A more practical alternative is a Gaussian distribution with $\sigma \approx 3.19$, which is often used to enhance efficiency while maintaining reasonable security. A Gaussian distribution with $\sigma \approx 3.19$ is commonly used in lattice cryptography, as it provides a good balance between security and efficiency.

Ternary: This is a uniform distribution over the set $\{-1,0,1\}$. It is commonly employed in lattice-based HE schemes because it introduces relatively low error, making it a popular choice.

Binary: This uniform distribution over the set $\{0,1\}$ results in minimal error and supports more efficient algorithms, but it may be less secure compared to other distributions [22].

The choice of secret key distribution typically depends on the desired security level and performance characteristics of the scheme [16]. Smaller distributions, such as binary and ternary, are advantageous for many schemes because they can simplify certain algorithms and minimize error accumulation. However, in the context of threshold homomorphic encryption [1,23,24], it is advisable to use a broader distribution, even if the initial secret key distribution is narrow. Thus, when considering general cases, it is important to carefully evaluate the use of larger distributions like the Gaussian. Use of the Gaussian secret for FHEW-like HE is proposed in LMKCDEY [15], and it is also used in the proposed method.

2.5. FHEW-like HE and Blind Rotation

There are five well-known HE schemes: BGV [9], B/FV [11,12], FHEW [7], TFHE [8], and CKKS [10]. BGV, B/FV, and CKKS are well-suited for arithmetic operations and naturally support single instruction multiple data operations, while FHEW and TFHE are designed for bitwise operations, with each ciphertext typically representing a single message. In particular, BGV and B/FV operate on ${\mathbb{Z}}_p$, and CKKS operates on $\mathbb{C}$. The CKKS scheme is distinct for its efficient bootstrapping performance. A clear benefit of BGV, B/FV, and CKKS is their high throughput, making them efficient for large-scale data processing. However, the packing structure that enables this efficiency also introduces overhead and requires fine-tuning for optimal performance. Thus, developing algorithms for general-purpose computation using these schemes is not straightforward. Additionally, to support bootstrapping, the key sizes are typically several gigabytes, which poses a significant drawback for resource-constrained clients, such as IoT devices. On the other hand, FHEW and TFHE, designed for bitwise operations, are more efficient for small-scale computations, with key sizes of only a few megabytes, making them more suitable for small clients. Since there is no specific packing structure, they can leverage a good compiler for binary logic, and algorithms for general-purpose computation are more straightforward to implement. Furthermore, the theoretical noise analysis for these schemes is simpler, making them well-suited for reliable systems. While each scheme has its own advantages and disadvantages, this paper focuses on FHEW-like HE.

An overview of bootstrapping for FHEW-like HE is illustrated in Figure 1. During the bootstrapping process, known as functional bootstrapping, two input ciphertexts, $m_0$ and $m_1$, are combined to produce a new ciphertext representing $m_0\ast m_1$ with reduced noise, where ∗ denotes a logical gate operation such as AND, OR, or NAND.

The bootstrapping process involves both LWE and RLWE ciphertexts, where LWE parameters are denoted by q and n and RLWE parameters by Q and N, with the condition $q|2N$. The secret keys for LWE and RLWE are $\overrightarrow{s}\in {\mathbb{Z}}^n$ and $\mathit{z}\in \mathcal{R}$, respectively. Micciancio and Polyakov introduced an intermediate key switching technique to reduce noise during bootstrapping and to maintain a consistent standard deviation (a common and practical choice is $\sigma =8/\sqrt{2\pi }\simeq 3.19$ [21,25,26]) across all error distributions [16].

Initially, we add two given ciphertexts, ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(q/4·m_0\right)$ and ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(q/4·m_1\right)$, resulting in ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(q/4·(m_0+m_1)\right)$. The next step involves mapping $m_0+m_1$ to $m_0\ast m_1$ while reducing the noise. For instance, in the case of an NAND gate, the truth table is such that $0⊼0=1$, $1⊼0=0⊼1=1$, and $1⊼1=0$. This necessitates a mapping process for $m_0+m_1$ such that:

$$M(m_0+m_1)=\left\{\begin{array}{cc}0\hfill & \mathrm{if}{m}_0+m_1=2,\hfill \\ 1\hfill & \mathrm{if}{m}_0+m_1=0\mathrm{or}1,\hfill \\ \perp \hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

This mapping is achieved by applying a blind rotation to the ciphertext ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(q/4·(m_0+m_1)\right)$. Lee et al. defined blind rotation as follows [15].

Definition 1

(Blind Rotation). For $q|2N$, let $Y=X^{{\displaystyle \frac{2N}{q}}}$. Blind rotation is an algorithm that takes as input a ring element $\mathit{f}=\sum f_i{X}^i\in {\mathcal{R}}_Q$, an ${LWE}_{q,\overrightarrow{s}}$ ciphertext $\left(\beta ,\overrightarrow{\alpha }\right)\in {\mathbb{Z}}_q^{n+1}$, and blind rotation keys ${\mathtt{brk}}_{\mathit{z},\overrightarrow{s}}$ corresponding to secrets $\mathit{z}$ and $\overrightarrow{s}$, and outputs an RLWE ciphertext

$${RLWE}_{Q,\mathit{z}}\left(\mathit{f}·Y^{\beta +\langle \overrightarrow{\alpha },\overrightarrow{s}\rangle }\right)\in {\mathcal{R}}_Q^2.$$

Different bootstrapping algorithms for FHEW-like HE, including AP, GINX, and LMKCDEY, implement this blind rotation in various ways [7,8,15,16]. Let $\beta +\langle \overrightarrow{\alpha },\overrightarrow{s}\rangle =(m_0+m_1)·q/4+e=u$. Extracting the constant term of the message from ${\mathsf{RLWE}}_{Q,\mathit{z}}\left(\mathit{f}·Y^{\beta +\langle \overrightarrow{\alpha },\overrightarrow{s}\rangle }\right)$ yields an LWE ciphertext ${\mathsf{LWE}}_{Q,\overrightarrow{z}}\left(f_{-u}\right)$, where $f_{-i}=-f_{N-{\displaystyle \frac{2N}{q}}i}$, based on the fact that $X^N=-1$ in $\mathcal{R}$. When the message in the extracted ciphertext is $Q/4·(m_0\ast m_1)$, the blind rotation is deemed successful. Each coefficient of $\mathit{f}$ is chosen carefully to align with the gate being evaluated, ensuring that the resulting value $f_{-u}$ corresponds to the output of the gate. In essence, the blind rotation maps the input $m_0+m_1$ to the output $m_0\ast m_1$ in a manner similar to a table look-up.

Finally, modulus switching is applied to the ciphertext ${\mathsf{LWE}}_{Q,\overrightarrow{z}}\left(Q/4·(m_0\ast m_1)\right)$ to obtain ${\mathsf{LWE}}_{Q_{\mathtt{ks}},\overrightarrow{z}}\left(Q_{\mathtt{ks}}/4·(m_0\ast m_1)\right)$. LWE key switching is then performed on the ciphertext to produce ${\mathsf{LWE}}_{Q_{\mathtt{ks}},\overrightarrow{s}}\left(Q_{\mathtt{ks}}/4·(m_0\ast m_1)\right)$, where the dimension n is smaller than the original N. A final modulus switching step yields ${\mathsf{LWE}}_{q,\overrightarrow{s}}\left(q/4·(m_0\ast m_1)\right)$. It should be noted that, when using a large secret key distribution such as a Gaussian secret key, the noise introduced by the final modulus switching step typically dominates the total noise.

2.5.1. DM/AP Blind Rotation

The essence of blind rotation lies in the homomorphic evaluation of the inner product of $\overrightarrow{\alpha }$ and $\overrightarrow{s}$ in the exponent of X. This technique was first introduced by Ducas and Micciancio [7] using the technique developed by Alperin-Sheriff and Peikert (AP) [27]. The core idea of AP blind rotation involves gadget decomposition of the elements in $\overrightarrow{\alpha }$ and multiplying the corresponding $\mathsf{RGSW}$ keys with the accumulator ciphertext, $\mathtt{acc}$. Specifically, ${\alpha }_i$ is decomposed into $({\alpha }_{i,0},\cdots ,{\alpha }_{i,d_r-1})$, where ${\alpha }_i={\sum }_j{\alpha }_{i,j}{B}_r^j$, where $B_r^{d_r}>q$. For a given accumulator $\mathtt{acc}=\mathsf{RLWE}\left(\mathit{g}\right)$, we have

$$\mathsf{RLWE}\left(\mathit{g}·X^{{\alpha }_i{s}_i}\right)=\mathsf{RLWE}\left(\mathit{g}\right)⊛\mathsf{RGSW}\left(X^{{\alpha }_{i,0}{B}_r^0{s}_i}\right)⊛\cdots ⊛\mathsf{RGSW}\left(X^{{\alpha }_{i,d_r-1}{B}_r^{d_r-1}{s}_i}\right).$$

Thus, the blind rotation keys for AP blind rotation are given as

$${\{{\mathtt{brk}}_{\ell ,i,j}=\mathsf{RGSW}\left(X^{\ell B^j{s}_i}\right)\}}_{\ell \in [0,B_r-1],i\in [0,n],j\in [0,d_r-1]},$$

where the parameter $d_r$ allows for a trade-off between key size and runtime. A practical choice for $d_r$ is 2, although this results in a large key size [16,18].

2.5.2. CGGI/GINX Blind Rotation

Chillotti et al. proposed a more efficient blind rotation technique [8] using the Gama, Izabachene, Nguyen, and Xie (GINX) method. Unlike AP blind rotation, GINX blind rotation operates on decomposed values of secret key elements and computes $\mathsf{RGSW}\left(X^{{\alpha }_i{s}_i}\right)$ using a weighted sum of $\mathsf{RGSW}$ keys. Specifically, for binary secret keys (i.e., $s_i=0$ or 1), GINX blind rotation uses the following decomposition:

$$\mathsf{RGSW}\left(X^{{\alpha }_i{s}_i}\right)=1+(X^{{\alpha }_i}-1)·\mathsf{RGSW}\left(s_i\right).$$

The accumulation is performed as

$$\mathtt{acc}\leftarrow \mathtt{acc}+\left((X^{{\alpha }_i}-1)·\mathtt{acc}\right)⊛\mathsf{RGSW}\left(s_i\right).$$

Kim et al. later generalized GINX blind rotation for ternary secret keys [28] in their preprint, with a concurrent work proposing the same method for NTRU-based HE [29]. For ternary secrets, i.e., $s_i=-1,0$, or 1, the technique uses the following equation:

$$\mathsf{RGSW}\left(X^{{\alpha }_i{s}_i}\right)=1+(X^{{\alpha }_i}-1)·\mathsf{RGSW}(s_i\equiv 1)+(X^{-{\alpha }_i}-1)·\mathsf{RGSW}(s_i\equiv -1).$$

Although GINX has been extended to larger secret distributions [16,17], its performance deteriorates as the secret key distribution increases. In this paper, we focus on ternary GINX, as ternary and Gaussian secret keys are typically recommended for better security [26].

2.5.3. LMKCDEY

Recently, Lee et al. introduced a new type of blind rotation using ring automorphisms [15]. In AP and GINX blind rotations, multiplication on the exponent of X cannot be performed directly. As a workaround, AP requires many keys multiplied by possible constants, and GINX uses decomposition of secret keys. This is why AP has a large key size and GINX is limited in secret key distribution. The LMKCDEY method overcomes these limitations by performing constant multiplication on the exponent of X using ring automorphisms.

Assuming all elements of $\overrightarrow{\alpha }$ are odd (in LMKCDEY, the round-to-odd technique in the final modulus switching step forces every ${\alpha }_i$ to be odd; other variants are also provided in [15]), so we can exploit the fact that $\{g,-1\}$ (a common choice is $g=5$) generates ${\mathbb{Z}}_{2N}^{\ast }$. The main equation for LMKCDEY blind rotation is as follows:

$$\sum _i{\alpha }_i{s}_i=\left({\sum }_{j\in I_0^{+}}{s}_j+\cdots +g\left({\sum }_{j\in I_{N/2-1}^{+}}{s}_j-g\left({\sum }_{j\in I_0^{-}}{s}_j+\cdots +g\left({\sum }_{j\in I_{N/2-1}^{-}}{s}_j\right)\right)\right)\right)(mod2N),$$

(1)

where $I_j^{\pm }$ is the set of indices of ${\alpha }_i$ such that ${\alpha }_i=\pm g^j$. Here, the addition of $s_j$ in the exponent is achieved by multiplying $\mathsf{RGSW}\left(X^{s_j}\right)$, and multiplication by g and $-g$ is done by applying the automorphisms ${\mathsf{A}ᴜᴛᴏ}_g$ and ${\mathsf{A}ᴜᴛᴏ}_{-g}$, respectively. The blind rotation keys for LMKCDEY blind rotation are:

$${\left\{{\mathtt{brk}}_i\right\}}_{i\in [0,n-1]},\left\{{\mathtt{ak}}_g,{\mathtt{ak}}_{-g}\right\}.$$

This results in a blind rotation key size that is much smaller than AP blind rotation and comparable to binary GINX.

When some of the $I_{\ell }^{\pm }$ sets are empty, Lee et al. proposed a technique to reduce the number of automorphisms by combining them into a single application. This approach requires storing a larger set of automorphism keys ${\mathtt{ak}}_{g^u}$ for possible values of u. However, it has been shown that storing a small number of keys ${\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]}$, corresponding to a parameter w known as the window size, is sufficient. The blind rotation keys are then given as:

$${\left\{{\mathtt{brk}}_i\right\}}_{i\in [0,n-1]},{\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]},{\mathtt{ak}}_{-g}.$$

The full algorithm for the core part of LMKCDEY is provided in Algorithm 1.

Algorithm 1: LMKCDEY Blind Rotation Sub Algorithm for odd ${\alpha }_i$

1: procedure BlindRotateCore$\left(\mathtt{acc},\overrightarrow{\alpha },{\left\{{\mathtt{brk}}_i\right\}}_{i\in [0,n-1]},{\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]},{\mathtt{ak}}_{-g}\right)$ 2:     $v\leftarrow 0$ 3:     for $(\ell =N/2-1;\ell >0;\ell =\ell -1)$ do 4:         for $j\in I_{\ell }^{-}$ do 5:            $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_j$ 6:         $v\leftarrow v+1$ 7:         if $(I_{\ell -1}^{-}\ne \varnothing$ or $v=w$ or $l=1)$ then 8:            $\mathtt{acc}\leftarrow {\mathsf{A}ᴜᴛᴏ}_{g^v}(\mathtt{acc},{\mathtt{ak}}_{g^v})$ 9:            $v\leftarrow 0$ 10:     for $j\in I_0^{-}$ do 11:         $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_j$ 12:     $\mathtt{acc}\leftarrow Aut{o}_{-g}(\mathtt{acc},{\mathtt{ak}}_{-g})$ 13:     for $(\ell =N/2-1;\ell >0;\ell =\ell -1)$ do 14:         for $j\in I_{\ell }^{+}$ do 15:            $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_j$ 16:         $v\leftarrow v+1$ 17:         if $(I_{\ell -1}^{+}\ne \varnothing$ or $v=w$ or $l=1)$ then 18:            $\mathtt{acc}\leftarrow Aut{o}_{g^v}(\mathtt{acc},{\mathtt{ak}}_{g^v})$ 19:            $v\leftarrow 0$ 20:     for $j\in I_0^{+}$ do 21:         $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_j$ 22: return $\mathtt{acc}$

3. Proposed Scheme

3.1. Core Algorithm

The LMKCDEY evaluates Equation (1) on the exponent as a core algorithm for the blind rotation:

$${\sum }_i{\alpha }_i{s}_i=\left({\sum }_{j\in I_0^{+}}{s}_j+\cdots +g\left({\sum }_{j\in I_{N/2-1}^{+}}{s}_j-g\left({\sum }_{j\in I_0^{-}}{s}_j+\cdots +g\left({\sum }_{j\in I_{N/2-1}^{-}}{s}_j\right)\right)\right)\right)(mod2N).$$

Evaluating Equation (1) on the exponent requires two types of homomorphic operations: $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplications and $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ for automorphisms. The number of $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplications is n, and the number of automorphisms is $N-1$ ($N-2$ are are for g and 1 for $g^{-1}$.) We modify the equation to reduce the number of automorphism operations to $N/2-1$ by using the following equation:

$${\sum }_i{\alpha }_i{s}_i=\left({\sum }_{j\in I_0^{+}}{s}_j-{\sum }_{j\in I_0^{-}}{s}_j\right)+g\left(\left({\sum }_{j\in I_1^{+}}{s}_j-{\sum }_{j\in I_1^{-}}{s}_j\right)+\cdots +g\left({\sum }_{j\in I_{N/2-1}^{+}}-{\sum }_{j\in I_{N/2-1}^{-}}{s}_j\right)\right)(mod2N).$$

(2)

We can see that it requires only $N/2-1$ of multiplication by g in Equation (2); in other words, the number of automorphism operations is $N/2-1$. Additionally, the revised equation is simpler, as it does not require automorphism by $g^{-1}$. This core algorithm reduces the number of automorphism operations by half, and thus it can also reduce the noise introduced by the blind rotation, which results in a lower probability of bootstrapping failure.

However, to evaluate $-{\sum }_{j\in I_{\ell }^{-}}{s}_j$, we need a blind rotation key $\mathsf{RGSW}\left(X^{-s_j}\right)$ for all j, as well as $\mathsf{RGSW}\left(X^{s_j}\right)$ for ${\sum }_{j\in I_{\ell }^{+}}{s}_j$ Thus, the number of $\mathsf{RGSW}$ keys required is doubled. On the other hand, the number of automorphism keys is reduced, as we do not need ${\mathtt{ak}}_{-g}$. The trade-off between the number of automorphism keys and the number of $\mathsf{RGSW}$ keys is discussed in Section 4.

3.2. Windowing Technique

A technique to reduce the number of automorphisms is proposed in [15], the so-called windowing technique. We can minimize the number of automorphisms when some of the $I_{\ell }^{\pm }$ are empty by combining the automorphisms into a single application. However, this approach requires storing a large set of automorphism keys ${\mathtt{ak}}_{\pm g^u}$ for every possible value of u. To enhance efficiency, we opt to store only a limited number of keys ${\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]}$ corresponding to a parameter w referred to as the window size. It is proven in [15] that, even with a relatively small window size ($\approx logN$,) we can achieve nearly the same benefits as when storing keys for all N possible automorphisms.

The windowing technique can also be applied to our proposed schemes. It is discussed in Section 4 how the windowing technique can be applied to our proposed scheme; as in the original scheme, a small window size achieves nearly the same benefits of storing all possible automorphism keys, although the number of all possible automorphisms is reduced by half in our case. The core algorithm with windowing technique is given in Algorithm 2.

Algorithm 2: Core of Proposed Blind Rotation Sub Algorithm for odd ${\alpha }_i$

1: procedure BlindRotateCore$\left(\mathtt{acc},\overrightarrow{\alpha },{\left\{{\mathtt{brk}}_{\pm ,i}=\mathsf{RGSW}\left(X^{\pm s_j}\right)\right\}}_{i\in [0,n-1]},{\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]},{\mathtt{ak}}_{-g}\right)$ 2:     $v\leftarrow 0$ 3:     for $(\ell =N/2-1;\ell >0;\ell =\ell -1)$ do 4:         for $j\in I_{\ell }^{+}$ do 5:            $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_{+,j}$ 6:         for $j\in I_{\ell }^{-}$ do 7:            $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_{-,j}$ 8:         $v\leftarrow v+1$ 9:         if $(I_{\ell -1}^{-}\cup I_{\ell -1}^{+}\ne \varnothing$ or $v=w$ or $l=1)$ then 10:            $\mathtt{acc}\leftarrow {\mathrm{Auto}}_{g^v}(\mathtt{acc},{\mathtt{ak}}_{g^v})$ 11:            $v\leftarrow 0$ 12:     for $j\in I_0^{+}$ do 13:         $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_{+,j}$ 14:     for $j\in I_0^{-}$ do 15:         $\mathtt{acc}\leftarrow \mathtt{acc}⊛{\mathtt{brk}}_{-,j}$ 16: return $\mathtt{acc}$

Theorem 1

([15]). With window size w, the number of automorphism operations required for LMKCDEY is bounded by $(1-1/w)n+(1/w)N$ and is on average $N(1-(1-1/w)·e^{-n/N})$.

Proof of Theorem 1.

Please refer to [15] for the proof.    □

Theorem 2.

With window size w, the number of automorphism operations required for Algorithm 2 is bounded by $(1-1/w)n+(1/w)N/2$, and the average number of automorphisms is approximately $N/2(1-(1-1/w)·e^{-2n/N})$.

Proof of Theorem 2.

In the worst case, the number of automorphisms is $N/2-1$, where there is no empty set among $I_{\ell }^{\pm }$. As with the windowing technique, we can use a similar analysis on the number of automorphisms as in LMKCDEY [15]. In the proposed algorithm, we consider if $I_{\ell }^{+}\cup I_{\ell }^{-}$ is empty or not, while LMKCDEY considers the number of non-empty $I_{\ell }^{+}$ and $I_{\ell }^{-}$ separately.

First, observe that the number of non-empty sets $U_{\ell }=I_{\ell }^{+}\cup I_{\ell }^{-}$ is always limited to $min(N/2,n)$ due to the fact that there are $N/2$ total sets and their union consists of n elements, representing the total number of terms ${\alpha }_i{s}_i$. The count may be smaller than n if multiple $s_i$ share the same coefficient ${\alpha }_i$.

We assess the average count of non-empty $U_{\ell }$ under the assumption that the LWE coefficients ${\alpha }_i$ are random and independent. This assumption holds true for freshly encrypted messages, since ${\alpha }_i$ are uniformly selected by the encryption process. It is also reasonable to expect this to remain true even for ciphertexts produced by homomorphic operations [15].

Each specific set $U_{\ell }$ will be empty if none of the ${\alpha }_i$ belong to it. Given that the ${\alpha }_i$ are uniformly distributed and independent, this occurs with a probability of ${(1-1/(N/2))}^n\approx e^{-2n/N}$. Consequently, the probability that $U_{\ell }$ is non-empty is $1-{(1-1/(N/2))}^n\approx 1-e^{-2n/N}$. By applying the linearity of expectation, the expected number of non-empty sets is $N/2(1-{(1-1/(N/2))}^n)\approx N/2(1-e^{-2n/N})$.

Counting the non-empty sets $U_{\ell }$ helps estimate the number of automorphism operations our algorithm needs to perform. The automorphisms corresponding to non-empty sets are combined and replaced by a smaller number of automorphisms with keys in the set ${\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]}$ for a specified window size w.

Let k be the number of non-empty sets $U_{\ell }$, which can be as large as $min(N/2,n)$ in the worst case or $k=N/2(1-e^{-2n/N})$ on average. Let $v_1,\dots ,v_k$ denote the exponents of the k automorphisms $g^{v_i}$ that need to be applied after processing each non-empty set. Each exponent can be expressed as $v_i=v_i^{\prime }+w·v_i^{\prime \prime }$, where $v_i^{\prime }=v_{i}modw\in \{1,\cdots ,w-1\}$, and $v_i^{\prime \prime }=\lfloor v_i/w\rfloor$. (If $v_i$ is a multiple of w, the $v_i^{\prime }$ component can be omitted.)

In Algorithm 2, the application of automorphism $g^{v_i}$ following the multiplication by the i-th set $U_{\ell }$ is replaced with one application of automorphism $g^{v_i^{\prime }}$ and $v_i^{\prime \prime }$ applications of automorphism $g^w$. Therefore, the number of automorphisms of type $g^{v_i^{\prime }}$ is denoted as $\kappa$, where $\kappa \le k$. To limit the number of $g^w$ automorphism applications, we use the fact that the sum ${\sum }_i{v}_i$ is bounded by $N/2$. Hence, ${\sum }_i{v}_i^{\prime \prime }$ is at most ${\displaystyle \frac{N/2-\kappa }{w}}$.

In conclusion, by storing w automorphism keys ${\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]}$, the total number of automorphism applications can be reduced to

$$\kappa +{\displaystyle \frac{N/2-\kappa }{w}}=(1-1/w)\kappa +(1/w){\displaystyle \frac{N}{2}}\le (1-1/w)k+(1/w){\displaystyle \frac{N}{2}}.$$

Given that $n\le N/2$ and, in the worst case, $k\le n$, the number of automorphism applications is bounded by

$$(1-1/w)n+(1/w)N/2.$$

On average, with $k\approx N/2(1-e^{-2n/N})$, the expected number of automorphism applications reduces to

$$N/2(1-(1-1/w)·e^{-2n/N}).$$

   □

4. Theoretical Analysis

4.1. Time Complexity, Key Size, and Noise Analysis

4.1.1. Time Complexity

The AP and GINX blind rotation requires only $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplication and some light operations such as $\mathsf{RLWE}+\mathsf{RLWE}$, while the LMKCDEY and proposed blind rotation has both $\mathcal{R}\odot \mathsf{RLWE}$ and $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplications. To provide a fair comparison with prior work, we analyze the time complexity by the number of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplications. Since an $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplication has approximately two times the cost of an $\mathcal{R}\odot \mathsf{RLWE}$ multiplication, we count it as two $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplications. Operations other than those are multiplication by constants and addition, which do not require NTT, and thus those multiplications are dominant.

In Algorithm 2, the number of $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplications is given as n, as we multiply $\mathsf{RGSW}\left(X^{s_i}\right)$ or $\mathsf{RGSW}\left(X^{-s_i}\right)$ once for each i. This is equivalent to $2n$ of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplications. The number of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplications depends on the input $\overrightarrow{\alpha }$, and we use the upper bound $(1-1/w)n+(1/w)N/2$ provided in Theorem 2. In summary, the total number of blind rotations is

$$2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{2w}}.$$

Another measure of runtime is the number of NTTs. It is noted that each $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplication precisely requires $(d_g+1)$ NTT operations, where $d_g$ is the number of elements of a gadget vector.

4.1.2. Noise

We adopt the methodology from [7,15,16] to estimate the variance of noise introduced by blind rotation ${\sigma }_{\mathtt{acc}}^2$. This estimation allows us to easily compute the total error for algorithms employing blind rotation, such as FHEW bootstrapping [7,14,16]. The error variance introduced by a single ⊙ operation can be expressed as $d_{g}N{\displaystyle \frac{B_g^2}{12}}{\sigma }^2$, where $B_g$ and $d_g$ represent the gadget decomposition parameters used in the $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ multiplication. For simplicity, we denote this as ${\sigma }_{\odot }^2:=d_{g}N{\displaystyle \frac{B_g^2}{12}}{\sigma }^2$.

In AP, LMKCDEY, and our proposed algorithms, each $\mathsf{RLWE}⊛\mathsf{RGSW}$ operation, which involves $\mathsf{RGSW}$ encryption of the monomial, contributes an additive error with variance $2·{\sigma }_{\odot }^2$. Additionally, the automorphism operation due to key switching adds an error with variance ${\sigma }_{\odot }^2$. Consequently, the variance ${\sigma }_{\mathtt{acc}}^2$ can be estimated by multiplying ${\sigma }_{\odot }^2$ by the number of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$ operations. In the ternary GINX variant, due to the preprocessing of $\mathsf{RGSW}$ ciphertexts before performing $\mathsf{RLWE}⊛\mathsf{RGSW}$ multiplications shown in Section 2, each $\mathsf{RLWE}⊛\mathsf{RGSW}$ introduces an additive error with variance $8·{\sigma }_{\odot }^2$.

The variance of noise introduced by the blind rotation operation in the proposed scheme and LMKCDEY is bounded by $\left(2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{w}}\right){\sigma }_{\odot }^2$ and $\left(2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{2w}}\right){\sigma }_{\odot }^2$, respectively. The total noise in FHEW bootstrapping is the sum of the blind rotation noise, key switching noise, and modulus switching noise, as those noises are independent and additive. Let $e_{\mathrm{total}}$ represent the total noise in FHEW bootstrapping, with variance denoted by ${\sigma }_{\mathrm{total}}^2$. Bootstrapping failure occurs when $e_{\mathrm{total}}$ exceeds the noise budget of $q/8$. Therefore, the failure probability is given by $1-\mathrm{erf}\left({\displaystyle \frac{q/8}{2{\sigma }_{\mathrm{total}}}}\right)$ [16].

The recent IND-CPA-D attack proposed by Cheon et al. exploits failed bootstrapping to recover key bits in FHEW-like HE [30]. A lower likelihood of bootstrapping failure corresponds to a reduced security risk against such attacks. Thus, reducing the blind rotation noise in the proposed scheme not only enhances reliability but also contributes to an improvement in security.

4.1.3. Key Size

In the proposed algorithm, we need to store ${\left\{{\mathtt{brk}}_{\pm ,i}=\mathsf{RGSW}\left(X^{\pm s_j}\right)\right\}}_{i\in [0,n-1]}$ and ${\left\{{\mathtt{ak}}_{g^u}\right\}}_{u\in [1,w]}$. The key size of ${\mathtt{brk}}_{\pm ,i}$ is $2n$ of $\mathsf{RGSW}$, and the key size of ${\mathtt{ak}}_{g^u}$ is w of ${\mathsf{RLWE}}^{\prime }$. As an $\mathsf{RGSW}$ ciphertext takes exactly double the size of the ${\mathsf{RLWE}}^{\prime }$ ciphertext, we use the number of ${\mathsf{RLWE}}^{\prime }$ as the unit of key size. The total key size is $4n+w$ of ${\mathsf{RLWE}}^{\prime }$. Similarly, the key size of AP and GINX is $2d_r\left(1-{\displaystyle \frac{1}{B_r}}\right)n$ and $4n$, respectively [7,14,16]. This can be translated into bit size by simply noting that each ${\mathsf{RLWE}}^{\prime }$ ciphertext requires roughly $2d_{g}NlogQ$-bit of space.

4.2. Comparison with Prior Work

Table 1. Complexity, key size, and error variance of each blind rotation technique. Key size (# keys) is the number of ${\mathsf{RLWE}}^{\prime }$ ciphertexts, and computational complexity (# mult) is the number of $\mathcal{R}\odot {\mathsf{RLWE}}^{\prime }$. Runtime for the proposed method and LMKCDEY is for the worst case.

Method	# ⊙ Mult	${\mathit{\sigma }}_{\mathtt{acc}}^2/{\mathit{\sigma }}_{\odot }^2$	# ${\mathsf{RLWE}}^{\prime }$ Keys
AP [7,27]	$2d_r\left(1-{\displaystyle \frac{1}{B_r}}\right)n$	$2d_r\left(1-{\displaystyle \frac{1}{B_r}}\right)n$	$2d_r(B_r-1)n$
Ternary GINX [14,28,29]	$2n$	$8n$	$4n$
LMKCDEY [15]	$2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{w}}$	$2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{w}}$	$2n+w+1$
Proposed	$2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{2w}}$	$2n+{\displaystyle \frac{w-1}{w}}n+{\displaystyle \frac{N}{2w}}$	$4n+w$

provides a summary of the comparisons among the proposed method, AP, ternary GINX, and LMKCDEY. As mentioned earlier, the window size w is typically a small integer, such as 10. The proposed method not only outperforms LMKCDEY in terms of runtime but also introduces lower noise compared to LMKCDEY. However, it requires approximately twice the key size.

As demonstrated in the implementation section, the use of a Gaussian secret allows both the proposed method and LMKCDEY to benefit from a smaller parameter n compared to GINX. Consequently, in practical scenarios, the key size of the proposed method is smaller than that of GINX.

5. Empirical Results

In this section, we present the empirical results of the proposed method and compare them with other bootstrapping methods: LMKCDEY, AP, and GINX. All methods, including the proposed one, are implemented in C++ using the OpenFHE library. The runtime environment consists of Ubuntu 22.04 on a Google Cloud Platform e2-standard instance (2 vCPUs, 8 GB memory), with g++ 11.4.0 as the compiler. The compile options used are WITH_OPENMP=OFF, WITH_NATIVEOPT=ON, and NATIVE_SIZE=32, ensuring single-threaded performance optimized for 32-bit integers.

The parameters used for each method are listed in

Table 2. Parameters used in the implementation.

Method	Key Dist.	$log\mathit{n}$	q	${\mathit{Q}}_{\mathtt{ks}}$	$log\mathit{N}$	$log\mathit{Q}$	${\mathit{B}}_{\mathit{g}}$	${\mathit{B}}_{\mathtt{ks}}$	${\mathit{B}}_{\mathit{r}}$1
STD128	Ternary	503	1024	$16,384$	1024	27	512	32	32
STD128_LMKCDEY	$\sigma =3.19$	446	1024	8192	1024	28	1024	32	32

, based on the configurations provided by the OpenFHE library 1.2.0. For the proposed method, we utilized the same parameters as those used for LMKCDEY.

Table 3. Timing results (average of 50), blind rotation key size, and failure probability for FHEW bootstrapping (NAND gate). The failure probability is estimated by the standard deviation of the noise given by 1000 trials.

Parameter Set	Method	Runtime (ms)	BR Key Size (MB)	Fail. Prob. (log)
STD128 (Ternary)	AP	$147.7$	$1233.43$	$-101.10$
STD128 (Ternary)	GINX	$90.5$	$39.79$	$-86.14$
STD128_LMKCDEY (Gaussian)	AP	$133.9$	$1134.16$	$-26.81$
STD128_LMKCDEY (Gaussian, $w=10$)	LMKCDEY	$99.1$	$18.52$	$-25.02$
STD128_LMKCDEY (Gaussian, $w=7$)	Proposed	93.0	36.71	$-27.61$

displays the timing results for the bootstrapping of a NAND gate for each method, along with key size and failure probability data. Due to the extremely slow performance of GINX with a Gaussian distribution, we only present ternary results for GINX, while the proposed method, AP, and LMKCDEY were tested with a Gaussian secret distribution. The proposed method achieves the fastest runtime in Gaussian secret and has a smaller key size compared to ternary GINX.

The failure probability was estimated by measuring the standard deviation of the noise over 1000 trials. We measured the noise variance experimentally, assumed it to follow a centered Gaussian distribution, and then calculated the probability of the noise exceeding $q/8$ [7]. The results indicate that the failure probability of the proposed scheme is lower than that of LMKCDEY. However, it should be noted that, due to the use of a Gaussian secret distribution, the measured failure probability is within the margin of measurement error; this is because the noise introduced by modulus switching dominates the bootstrapping noise, as discussed in Section 2.

In OpenFHE, for efficiency, we adopt a power-of-two $B_g$. However, in the parameter set STD128_LMKCDEY, $B_g^{d_g}=2^{30}>Q$, making the parameter suboptimal, which leads to higher noise and, consequently, a higher failure probability. By using a tighter parameter, such as $B_g=646$, we can achieve a lower failure probability.

Table 4. Timing results for key generation (average of 50, including LWE key switching key generation).

Parameter Set	Method	Total Runtime (ms)
STD128	AP	401,505
STD128	GINX	56,991
STD128_LMKCDEY	AP	404,320
STD128_LMKCDEY $(w=10)$	LMKCDEY	43,505
STD128_LMKCDEY $(w=7)$	Proposed	46,856

shows the key generation times for each method. LMKCDEY has the shortest key generation time, with the proposed method slightly longer. The reason the key generation time for the proposed method is not approximately double that of LMKCDEY is due to the additional need to generate LWE key switching keys. Since AP requires the largest key size, its key generation time is the slowest among the methods. GINX also has a fast key generation time, but due to the larger n in the STD128 parameter set (to meet 128-bit security in the ternary secret key) compared to STD128_LMKCDEY, its key generation time is longer than that of the proposed method.

Figure 2 illustrates the effect of window size w on the runtime of the proposed method and LMKCDEY. It is evident that the runtime of the proposed method stabilizes at $w\ge 7$, which is faster than LMKCDEY’s stabilization at $w\ge 10$. When using a window size of $w=1$, the NAND gate runtimes for the proposed method and LMKCDEY are 112.59 ms and 155.68 ms, respectively. Although the performance gap narrows with larger window sizes, the proposed method consistently outperforms LMKCDEY.

6. Conclusions

In this paper, we proposed a new blind rotation technique using ring automorphisms, which improves upon the LMKCDEY blind rotation method. Our approach offers faster runtime and lower failure probability compared to LMKCDEY, while maintaining a key size smaller than that of the ternary GINX. We also demonstrated that the windowing technique can be effectively applied to our method, with the optimal window size being smaller than that required for LMKCDEY. The proposed method achieves similar performance to ternary GINX, the fastest blind rotation technique implemented in OpenFHE, and it does so without increasing noise.

The number of keys is increased compared to LMKCDEY but remains asymptotically the same, ensuring that the security level is equivalent to that of LMKCDEY. Since our improvements focus on server-side bootstrapping performance using only public information, no additional threats from side-channel attacks are expected. Furthermore, like other blind rotation techniques, the bootstrapping runtime is independent of the secret value, making timing attacks infeasible. The proposed scheme benefits from using Gaussian secrets, which provide a stronger security foundation. Additionally, with its reduced probability of bootstrapping failure compared to LMKCDEY, the scheme offers enhanced security against the recent IND-CPA-D attack.

The proposed method is a strong candidate for bootstrapping in FHEW-like HE, where a larger secret key is necessary, noise sensitivity is critical, and a larger evaluation key size can be accommodated. Threshold HE is another promising application area for this method. Another compelling application is large-scale computations. Although the proposed scheme doubles the number of keys, it improves bootstrapping runtime by 5–28%, as shown in the experiments. Key generation is a one-time operation and is typically very fast. Table 4 shows that the additional overhead for key generation is less than 10% of the total key generation time. However, homomorphic evaluations can be extensive, such as in large language models or database searches. In such applications, a 5% improvement in runtime (with window sizes of 10 and 7 for LMKCDEY and the proposed scheme, respectively) can be a significant enhancement. Moreover, since the proposed method reduces failure probability, it is particularly suitable for applications requiring high reliability. For example, in large-scale computations with a massive number of binary gates, the total failure probability could be proportional to the number of gates, and when HE is used for robotic control, the failure probability must be negligible.

Future work includes further refinement of the blind rotation technique, aiming for lower noise and faster runtime, possibly at the expense of a larger key size. The bootstrapping key size for FHEW-like HE is significantly smaller than that of other schemes like CKKS, BFV, and BGV. While the flexibility and ease of use of FHEW-like HE are distinct advantages, its low throughput remains a major drawback. It is both interesting and valuable to explore ways to improve the throughput of FHEW-like HE, and the proposed method provides a strong example of such an improvement. While the trade-off in key size can be justified by the performance gains achieved, it would also be beneficial to explore further optimizations that could maintain key size closer to LMKCDEY.