Dynamic Multi-Key Block Binary Ring-Compact Bootstrapping

Abstract

Multi-Key Fully Homomorphic Encryption (MK-FHE) is essential for secure multi-party computation but currently faces significant scalability bottlenecks due to linear computational growth and low bootstrapping throughput. To address these limitations, we propose DMBB-RCB, a novel fully homomorphic, bit-wise Dynamic Multi-Key Block-Binary Ring-Compact Bootstrapping scheme. Our contribution is threefold. First, we integrate the Block Binary Distribution into the dynamic setting, reducing the complexity of the core blind rotation operation from O(P⋅n) to O(p⋅k) (where k ≪ n) by leveraging key sparsity. Second, we implement an amortized ring packing strategy that aggregates multiple Learning with Errors (LWE) ciphertexts into the coefficients of a single Ring Learning with Errors (RLWE) polynomial, enabling the parallel refreshing of messages. Third, we introduce a Ring-Compact extraction architecture that natively translates RLWE states into Multi-Key Regev–Gentry–Sahai–Waters (RGSW) ciphertexts via scheme switching. Unlike traditional pipelines that suffer from severe network latency due to interactive multi-party key-switching after each bootstrapping, our architecture keeps the data entirely within the ring domain. This completely eliminates intermediate interaction rounds, enabling depth-unbounded homomorphic evaluations with zero interaction between participants during the computation phase (interaction is strictly reserved for the final joint decryption step). The proposed scheme supports the dynamic addition of participants without parameter re-generation. Theoretical analysis confirms that DMBB-RCB significantly reduces latency and enhances throughput compared to existing dynamic MKHE solutions.

1. Introduction

Fully Homomorphic Encryption (FHE) is considered the “holy grail” of cryptography, allowing arbitrary computations to be performed on encrypted data without access to the secret decryption key. Since Gentry’s first feasible construction [1], FHE has evolved significantly, with the Torus FHE (TFHE) scheme [2,3] emerging as a leading candidate for practical applications. TFHE relies on the hardness of the Learning With Errors (LWE) problem [4] and allows for the evaluation of exact logic gates with constant-time noise refreshing via fast gate-by-gate bootstrapping.

However, in the era of cloud computing and collaborative privacy-preserving analytics, single-key FHE is often insufficient. Real-world scenarios, such as secure genome analysis or financial auditing, typically involve multiple mutually distrusting parties who wish to compute jointly on their private data. This necessitates Multi-Key Homomorphic Encryption (MKHE) [5,6], which extends FHE to support operations on ciphertexts encrypted under different independent keys. The resulting ciphertext can only be decrypted if all involved parties collaborate. While theoretical constructions for MKHE exist [7,8], adapting them to the efficient TFHE framework presents significant challenges. Current state-of-the-art Multi-Key TFHE (MK-TFHE) schemes [9,10] suffer from three severe scalability bottlenecks:

• High Computational Complexity of Blind Rotation: The core blind rotation step requires iterating through every bit of the expanded multi-user key. As the number of participants $p$ grows, the required external product operations increase linearly or even quadratically, leading to prohibitive latency [9]. The computational complexity typically scales as $O(p\cdot n)$, where $n$ is the LWE dimension.
• Low Amortized Throughput: Standard TFHE bootstrapping refreshes only one LWE ciphertext per execution. For Boolean circuits requiring massive parallelism, this bit-wise processing is highly inefficient. Although packing techniques (SIMD) [11] exist for BGV [12]/CKKS [13] schemes, applying them to TFHE’s accumulation-based bootstrapping remains non-trivial [14].
• Expensive Format Conversion Overhead: Traditional MKHE pipelines require frequent Sample Extraction operations at the end of bootstrapping. This forces the data out of the ring domain, meaning it must be key-switched back to a format suitable for the accumulator, wasting computational cycles and hindering deep circuit evaluations.

To address these limitations, we propose the Dynamic Multi-Key Block-Binary Ring-Compact Bootstrapping (DMBB-RCB) scheme. Our construction synthesizes three advanced optimization strategies into a unified, scalable framework:

• Block Binary Keys for Accelerated Blind Rotation: We adopt a Block Binary Distribution [15] for the LWE secret keys. By structuring the key as a concatenation of $\mathit{k}$ blocks (each with a Hamming weight of at most one), we redesign the blind rotation algorithm to iterate over $\mathit{k}$ blocks rather than $\mathit{n}$ bits. This structural sparsity reduces the core complexity from $\mathit{O}(\mathit{p}\cdot \mathit{n})$ to $\mathit{O}(\mathit{p}\cdot \mathit{k})$ (where $\mathit{k}\ll \mathit{n}$), providing a theoretical speedup proportional to the block length $\mathit{l}$.
• Amortized Ring Packing: We implement a PackLWE algorithm [15] tailored for the multi-key setting. This enables the packing of multiple scalar LWE ciphertexts into the coefficients of a single RLWE polynomial. Consequently, a single execution of our bootstrapping circuit refreshes multiple messages simultaneously, significantly increasing the amortized throughput.
• Dynamic Ring-Compact Architecture: Instead of extracting LWE samples at the end of bootstrapping, we utilize a Scheme Switching technique inspired by recent dynamic MKHE frameworks [16,17] to output Multi-Key RGSW ciphertexts directly. This keeps the data entirely within the Ring domain, enabling seamless, continuous homomorphic evaluation without intermediate LWE-to-RLWE conversions. Furthermore, our scheme supports the dynamic addition of participants without requiring a global parameter reset, making it highly suitable for flexible Multi-Party Computation (MPC) environments.

Recently, the rapid evolution of MKHE has led to several notable advancements in 2024 and 2025. For instance, Kwak et al. [10] introduced parallelizable techniques to reduce quasi-linear complexity, and recent hardware/algorithmic co-designs and algorithmic optimizations [18,19,20] have attempted to optimize circuit bootstrapping and automorphism evaluations. While these contemporary works significantly improve specific TFHE bottlenecks, they predominantly operate within static configurations or still incur the expensive LWE-to-RLWE format conversion overhead. In contrast, our DMBB-RCB framework uniquely synthesizes block-binary sparsity with a dynamic ring-compact architecture, addressing both latency and dynamic participant scalability simultaneously—a gap not fully resolved by the most recent 2024–2025 literature.

2. Preliminaries

In this section, we establish the mathematical notations, algebraic structures, probability distributions, and the fundamental cryptographic primitives underlying the Dynamic Multi-Key Block-Binary Ring-Compact Bootstrapping (DMBB-RCB) scheme.

2.1. Notation

Let $\mathbb{Z}$ and $\mathbb{R}$ denote the set of integers and real numbers, respectively. We define the real torus as $\mathbb{T}=\mathbb{R}/\mathbb{Z}$ (modulo 1), and the integer ring modulo $\mathit{q}\ge \mathbf{1}$ as ${\mathbb{Z}}_{\mathit{q}}=\mathbb{Z}/\mathit{q}\mathbb{Z}.$ Vectors and matrices are denoted by bold lowercase (e.g., $\mathbf{a},\mathbf{s}$) and bold uppercase (e.g., $\mathbf{A},\mathbf{G}$) letters, respectively. For two vectors $\mathbf{u},\mathbf{v}$, their inner product is denoted by $⟨\mathbf{u},\mathbf{v}⟩=\sum {\mathit{u}}_{\mathit{i}}{\mathit{v}}_{\mathit{i}}$. The operations $\lfloor \cdot \rceil ,\lfloor \cdot \rfloor$, and $\lceil \cdot \rceil$ denote the nearest-integer rounding, floor, and ceiling functions, respectively. For a finite set $\mathit{S},\mathit{x}\leftarrow \mathcal{U}(\mathit{S})$ denotes sampling $\mathit{x}$ uniformly at random from $\mathit{S}$. Let $\mathit{N}$ be a power of 2. We define the cyclotomic polynomial rings $\mathrm{𝓡}=\mathbb{Z}\left[\mathit{X}\right]/({\mathit{X}}^{\mathit{N}}+\mathbf{1})$ and ${\mathrm{𝓡}}_{\mathit{q}}={\mathbb{Z}}_{\mathit{q}}\left[\mathit{X}\right]/({\mathit{X}}^{\mathit{N}}+\mathbf{1})$.

2.2. Probability Distributions

The security of our scheme relies on properties of specific error distributions and structured sparse keys.

Definition 1

(Error Distributions). Discrete Gaussian (${\mathrm{𝓓}}_{\mathbb{Z},\mathit{\sigma }}$): A discrete Gaussian distribution defined over the integers $\mathbb{Z}$ with standard deviation $\mathit{\sigma }>\mathbf{0}$, where the probability of sampling an integer $\mathit{x}\in \mathbb{Z}$ is proportional to $\mathbf{e}\mathbf{x}\mathbf{p}(-\mathit{\pi }|\mathit{x}{|}^{\mathbf{2}}/{\mathit{\sigma }}^{\mathbf{2}})$.

• Modular Gaussian ( ${\mathrm{𝓓}}_{\mathbb{T},\mathit{\alpha }}$): A Gaussian error distribution defined over the real torus $\mathbb{T}=\mathbb{R}/\mathbb{Z}$ with standard deviation $\mathit{\alpha }$, concentrated around $\mathbf{0}(\mathit{m}\mathit{o}\mathit{d}\mathbf{1})$.
• Polynomial Error Distribution ( ${\mathrm{𝓓}}_{\mathrm{𝓡},\mathit{\beta }}$): A distribution of polynomials in the ring $\mathrm{𝓡}=\mathbb{Z}\left[\mathit{X}\right]/({\mathit{X}}^{\mathit{N}}+\mathbf{1})$. A polynomial $\mathit{e}(\mathit{X})\leftarrow {\mathrm{𝓓}}_{\mathrm{𝓡},\mathit{\beta }}$  is generated by sampling each of its $\mathit{N}$ integer coefficients independently from the discrete Gaussian distribution ${\mathrm{𝓓}}_{\mathbb{Z},\mathit{\beta }}$.

Definition 2

(Block Binary Distribution). Let $\mathit{l}\in {\mathbb{Z}}^{+}$ be the block length and $\mathit{k}\in {\mathbb{Z}}^{+}$ be the number of blocks, such that the total dimension is $\mathit{n}=\mathit{l}\cdot \mathit{k}$. The block distribution ${\mathrm{𝓑}}_{\mathit{l}}$ over ${\mathbb{Z}}^{\mathit{l}}$ outputs a vector $\mathbf{b}\in \{\mathbf{0,1}{\}}^{\mathit{l}}$ with a Hamming weight $\parallel \mathbf{b}{\parallel }_{\mathbf{1}}\le \mathbf{1}$ uniformly at random. The Block Binary Distribution ${\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$ over ${\mathbb{Z}}^{\mathit{n}}$ is defined as the concatenation of $\mathit{k}$ independent samples from ${\mathrm{𝓑}}_{\mathit{l}}$. Formally, for $\mathbf{s}\leftarrow {\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$, we have $\mathbf{s}=({\mathbf{s}}_{\mathbf{0}}\parallel {\mathbf{s}}_{\mathbf{1}}\parallel \cdots \parallel {\mathbf{s}}_{\mathit{k}-\mathbf{1}})$, where ${\mathbf{s}}_{\mathit{j}}\leftarrow {\mathrm{𝓑}}_{\mathit{l}}$ for $\mathbf{0}\le \mathit{j}<\mathit{k}$.

2.3. Cryptographic Primitives

We recall the fundamental definitions of the LWE and RLWE encryption schemes, along with the gadget decomposition mechanism utilized in TFHE.

Definition 3

(Gadget Decomposition). Let $\mathit{B}\ge \mathbf{2}$ be an integer base and ${\mathit{d}}_{\mathit{g}}\ge \mathbf{1}$ be the decomposition depth such that ${\mathit{B}}^{{\mathit{d}}_{\mathit{g}}}\ge \mathit{q}$. The gadget vector is defined as $\mathbf{g}=(\mathbf{1},\mathit{B},{\mathit{B}}^{\mathbf{2}},\dots ,{\mathit{B}}^{{\mathit{d}}_{\mathit{g}}-\mathbf{1}})\in {\mathbb{Z}}^{{\mathit{d}}_{\mathit{g}}}$. We define the decomposition function ${\mathbf{Dec}}_{\mathbf{g}}:{\mathrm{𝓡}}_{\mathit{q}}\to {\mathrm{𝓡}}^{{\mathit{d}}_{\mathit{g}}}$. For any input polynomial $\mathit{a}\in {\mathrm{𝓡}}_{\mathit{q}}$, the function outputs a vector of polynomials $\mathbf{u}=({\mathit{u}}_{\mathbf{0}},{\mathit{u}}_{\mathbf{1}},\dots ,{\mathit{u}}_{{\mathit{d}}_{\mathit{g}}-\mathbf{1}}{)}^{\mathbf{\top }}\in {\mathrm{𝓡}}^{{\mathit{d}}_{\mathit{g}}}$ such that:

$$\mathit{a}=⟨\mathbf{u},\mathbf{g}⟩=\sum _{\mathit{i}=\mathbf{0}}^{{\mathit{d}}_{\mathit{g}}-\mathbf{1}} {\mathit{u}}_{\mathit{i}}{\mathit{B}}^{\mathit{i}}(\mathbf{m}\mathbf{o}\mathbf{d}\mathit{q})$$

where every integer coefficient of each polynomial ${\mathit{u}}_{\mathit{i}}\in \mathrm{𝓡}$ is bounded within the interval

$$[-\mathit{B}/\mathbf{2},\mathit{B}/\mathbf{2}).$$

Definition 4

(LWE Encryption). For dimension $\mathit{n}=\mathit{l}\cdot \mathit{k}$, a secret key $\mathbf{s}\leftarrow {\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$. To encrypt a message $\mathit{\mu }\in \mathbb{T}$, sample a mask vector $\mathbf{a}\leftarrow \mathit{U}({\mathbb{T}}^{\mathit{n}})$ and an error term $\mathit{e}\leftarrow {\mathit{D}}_{\mathit{\alpha }}$. The ciphertext is ${\mathbf{L}\mathbf{W}\mathbf{E}}_{\mathbf{s}}(\mathit{\mu })=(\mathbf{a},\mathit{b})\in {\mathbb{T}}^{\mathit{n}+\mathbf{1}}$, where $\mathit{b}=-⟨\mathbf{a},\mathbf{s}⟩+\mathit{\mu }+\mathit{e}(\mathbf{m}\mathbf{o}\mathbf{d}\mathbf{1})$.

Remark 1

(Practical Message Encoding and Discretization). While theoretical formulations define the message $\mathit{\mu }$ over the continuous torus $\mathbb{T}$, practical implementations cannot process arbitrary real numbers (e.g., $\mathbf{1}/\sqrt{\mathbf{3}}$) due to finite machine precision. In practice, we utilize a discrete message space and encode it into $\mathbb{T}$.

Let ${\mathbb{Z}}_{\mathit{p}}$ be the finite plaintext space (e.g., $\mathit{p}=\mathbf{2}$ for standard Boolean circuits).

• Encoding: A discrete message $\mathit{m}\in {\mathbb{Z}}_{\mathit{p}}$ is encoded into the torus $\mathbb{T}$ via the function $\mathit{\mu }=\mathrm{Encode}(\mathit{m})={\displaystyle \frac{\mathit{m}}{\mathit{p}}}(\mathbf{m}\mathbf{o}\mathbf{d}\mathbf{1})$.
• Decoding: During decryption, the recovered noisy phase ${\mathit{\mu }}^{\mathbf{*}}=\mathit{\mu }+\mathit{e}\in \mathbb{T}$ is decoded back to the exact message by rescaling and rounding to the nearest integer: $\mathit{m}=\mathrm{Decode}({\mathit{\mu }}^{\mathbf{*}})=\lfloor \mathit{p}\cdot {\mathit{\mu }}^{\mathbf{*}}\rceil (\mathbf{m}\mathbf{o}\mathbf{d}\mathit{p})$.

In our software implementation, the continuous torus $\mathbb{T}=\mathbb{R}/\mathbb{Z}$ is discretized and mapped to standard unsigned integer data types (e.g., 32-bit or 64-bit integers), where the interval $[\mathbf{0,1})$ is represented by the range $[\mathbf{0},{\mathbf{2}}^{\mathbf{32}}-\mathbf{1}]$ or $[\mathbf{0},{\mathbf{2}}^{\mathbf{64}}-\mathbf{1}]$, effectively handling the modulo $\mathbf{1}$ arithmetic via natural CPU integer overflow.

Definition 5

(RLWE Encryption [21]). Let the secret key be a polynomial $\mathit{z}(\mathit{X})\in \mathrm{𝓡}$. To encrypt a message polynomial $\mathit{m}(\mathit{X})\in {\mathrm{𝓡}}_{\mathit{q}}$, sample $\mathit{a}(\mathit{X})\leftarrow \mathit{U}({\mathrm{𝓡}}_{\mathit{q}})$ and $\mathit{e}(\mathit{X})\leftarrow {\mathit{P}}_{\mathit{\beta }}$. The ciphertext is ${\mathbf{R}\mathbf{L}\mathbf{W}\mathbf{E}}_{\mathit{z}}(\mathit{m})=(\mathit{a},\mathit{b})\in {\mathrm{𝓡}}_{\mathit{q}}^{\mathbf{2}}$, defined as $\mathit{b}(\mathit{X})=-\mathit{a}(\mathit{X})\cdot \mathit{z}(\mathit{X})+\mathit{m}(\mathit{X})+\mathit{e}(\mathit{X})(\mathbf{m}\mathbf{o}\mathbf{d}{\mathit{X}}^{\mathit{N}}+\mathbf{1})$.

Definition 6

(RGSW Encryption [22]). Let $\mathbf{H}=\mathrm{diag}(\mathbf{g},\mathbf{g})\in {\mathrm{𝓡}}_{\mathit{q}}^{\mathbf{2}{\mathit{d}}_{\mathit{g}}\times \mathbf{2}}$ be the gadget matrix. An RGSW ciphertext encrypting a message $\mathit{m}\in {\mathrm{𝓡}}_{\mathit{q}}$ under secret key $\mathit{z}$ is a matrix $\mathbf{C}=\mathbf{Z}+\mathit{m}\cdot \mathbf{H}\in {\mathrm{𝓡}}_{\mathit{q}}^{\mathbf{2}{\mathit{d}}_{\mathit{g}}\times \mathbf{2}}$. Here, $\mathbf{Z}$ is a matrix where each row is a valid RLWE encryption of 0.

2.4. Standard TFHE Operations

The homomorphic evaluation logic is built upon the External Product and the CMUX gate:

• External Product ($\mathbf{\odot }$): Let $\mathbf{C}\in {\mathrm{𝓡}}_{\mathit{q}}^{\mathbf{2}{\mathit{d}}_{\mathit{g}}\times \mathbf{2}}$ be an RGSW ciphertext encrypting $\mathit{\mu }\in \left\{\mathbf{0,1}\right\}$ and $\mathbf{c}=(\mathit{a},\mathit{b}{)}^{\mathit{T}}\in {\mathrm{𝓡}}_{\mathit{q}}^{\mathbf{2}}$ be an RLWE ciphertext encrypting $\mathit{m}(\mathit{X})$. The external product is computed as $\mathbf{C}\mathbf{\odot }\mathbf{c}={\mathrm{Dec}}_{\mathbf{g}}(\mathbf{c}{)}^{\mathit{T}}\cdot \mathbf{C}$. The result is a valid RLWE ciphertext encrypting $\mathit{\mu }\cdot \mathit{m}(\mathit{X})$.
• CMUX Gate: The Controlled Multiplexer (CMUX) acts as a homomorphic “if-then-else” gate. For an RGSW ciphertext $\mathbf{C}$ encrypting a selection bit $\mathit{\mu }\in \left\{\mathbf{0,1}\right\}$ and two RLWE ciphertexts ${\mathbf{c}}_{\mathbf{0}},{\mathbf{c}}_{\mathbf{1}}$ encrypting ${\mathit{m}}_{\mathbf{0}},{\mathit{m}}_{\mathbf{1}}$, the CMUX operation is defined as $\mathrm{CMUX}(\mathbf{C},{\mathbf{c}}_{\mathbf{0}},{\mathbf{c}}_{\mathbf{1}})={\mathbf{c}}_{\mathbf{0}}+\mathbf{C}\mathbf{\odot }({\mathbf{c}}_{\mathbf{1}}-{\mathbf{c}}_{\mathbf{0}})$. This outputs an RLWE ciphertext encrypting ${\mathit{m}}_{\mathit{\mu }}$.

3. Construction of the DMBB-RCB Scheme

In this section, we present the formal construction of the Dynamic Multi-Key Block-Binary Ring-Compact Bootstrapping (DMBB-RCB) scheme. The protocol is composed of five distinct phases: Setup and Key Generation, Amortized Input Preparation (Packing), Block-Binary Dynamic Blind Rotation, Ring-Compact Extraction, and Distributed Decryption.

3.1. Advanced Building Blocks

Before detailing the main protocol, we formally define the advanced cryptographic primitives tailored for our multi-key and ring-compact setting.

• Amortized Packing ($\mathsf{P}\mathsf{a}\mathsf{c}\mathsf{k}\mathsf{L}\mathsf{W}\mathsf{E}$): This procedure aggregates a set of scalar LWE ciphertexts $\{\mathit{c}{\mathit{t}}_{\mathit{i}}{\}}_{\mathit{i}=\mathbf{0}}^{\mathit{\nu }-\mathbf{1}}$ into the coefficients of a single RLWE ciphertext using a set of key-switching keys ${\mathrm{𝓚}}_{\mathit{P}}$. The algorithm evaluates the decryption circuit homomorphically in the ring domain:

  $${\mathsf{C}}_{\mathit{p}\mathit{a}\mathit{c}\mathit{k}\mathit{e}\mathit{d}}=\mathsf{P}\mathsf{a}\mathsf{c}\mathsf{k}\mathsf{L}\mathsf{W}\mathsf{E}(\{{\mathsf{c}\mathsf{t}}_{\mathit{i}}\},{\mathrm{𝓚}}_{\mathit{P}})={\sum }_{\mathit{i}} \mathsf{K}\mathsf{e}\mathsf{y}\mathsf{S}\mathsf{w}\mathsf{i}\mathsf{t}\mathsf{c}\mathsf{h}({\mathsf{c}\mathsf{t}}_{\mathit{i}},{\mathrm{𝓚}}_{\mathit{P}})\cdot {\mathit{X}}^{{\mathit{p}}_{\mathit{i}}}$$
• Homomorphic Trace ($\mathsf{H}\mathsf{o}\mathsf{m}\mathsf{T}\mathsf{r}\mathsf{a}\mathsf{c}\mathsf{e}$): To isolate a specific message encrypted in a packed RLWE ciphertext $\mathsf{c}\mathsf{t}(\mathit{X})$, we define the trace map relative to the sub-ring $\mathbb{Z}\left[\mathit{X}\right]/({\mathit{X}}^{\mathit{N}}+\mathbf{1})$ via the sum of automorphisms. Let ${\mathit{\psi }}_{\mathit{j}}:\mathit{X}\mapsto {\mathit{X}}^{\mathit{j}}$ be automorphisms of the ring $\mathrm{𝓡}$.

  $${\mathsf{C}}_{\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{e}}=\mathsf{H}\mathsf{o}\mathsf{m}\mathsf{T}\mathsf{r}\mathsf{a}\mathsf{c}\mathsf{e}(\mathsf{c}\mathsf{t})={\sum }_{\mathit{j}\in \mathrm{Gal}} {\mathit{\psi }}_{\mathit{j}}(\mathsf{c}\mathsf{t})$$
• Scheme Switching ($\mathsf{S}\mathsf{c}\mathsf{h}\mathsf{e}\mathsf{m}\mathsf{e}\mathsf{S}\mathsf{w}\mathsf{i}\mathsf{t}\mathsf{c}\mathsf{h}$): This algorithm converts an RLWE ciphertext $\mathbf{c}$ directly into an RGSW ciphertext ${\mathbf{C}}_{\mathit{o}\mathit{u}\mathit{t}}$ using a scheme-switching key ${\mathrm{𝓚}}_{\mathit{S}\mathit{S}}$. It applies the gadget decomposition $\mathbf{u}={\mathrm{Dec}}_{\mathbf{g}}(\mathbf{c})$ and reconstructs the matrix format:

  $${\mathbf{C}}_{\mathit{o}\mathit{u}\mathit{t}}=\mathsf{S}\mathsf{c}\mathsf{h}\mathsf{e}\mathsf{m}\mathsf{e}\mathsf{S}\mathsf{w}\mathsf{i}\mathsf{t}\mathsf{c}\mathsf{h}(\mathbf{c},{\mathrm{𝓚}}_{\mathit{S}\mathit{S}})$$

3.2. Setup and Key Generation

Let $\mathit{S}\mathit{u}\mathit{b}$ denote the set of active participants in the dynamic MPC environment:

• $\mathsf{S}\mathsf{e}\mathsf{t}\mathsf{u}\mathsf{p}({\mathbf{1}}^{\mathit{\lambda }},\mathit{l},\mathit{k})\to \mathsf{p}\mathsf{p}$: Given the security parameter $\mathit{\lambda }$, block length $\mathit{l}$, and block count $\mathit{k}$, output the public parameters $\mathsf{p}\mathsf{p}=\{\mathit{n},\mathit{N},\mathit{q},\mathit{Q},\mathit{B},{\mathit{d}}_{\mathit{g}},{\mathit{a}}_{\mathit{p}\mathit{u}\mathit{b}},\mathit{l},\mathit{k}\}$, where $\mathit{n}=\mathit{l}\cdot \mathit{k}$ is the LWE dimension, $\mathit{N}\ge \mathit{n}$ is the polynomial modulus, and ${\mathit{a}}_{\mathit{p}\mathit{u}\mathit{b}}\leftarrow \mathit{U}({\mathrm{𝓡}}_{\mathit{Q}})$ is the common reference string.
• $\mathsf{K}\mathsf{e}\mathsf{y}\mathsf{G}\mathsf{e}\mathsf{n}(\mathsf{p}\mathsf{p},\mathit{u})\to ({\mathbf{s}}^{(\mathit{u})},{\mathit{z}}^{(\mathit{u})}(\mathit{X}),{\mathsf{P}\mathsf{K}}_{\mathit{u}})$: Each participant $\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}$ samples an LWE secret key ${\mathbf{s}}^{(\mathit{u})}\leftarrow {\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$. The corresponding RLWE key ${\mathit{z}}^{(\mathit{u})}(\mathit{X})\in \mathrm{𝓡}$ is constructed to embed ${\mathbf{s}}^{(\mathit{u})}$:

$${\mathit{z}}^{(\mathit{u})}(\mathit{X})={\sum }_{\mathit{i}=\mathbf{0}}^{\mathit{n}-\mathbf{1}} {\mathit{s}}_{\mathit{i}}^{(\mathit{u})}{\mathit{X}}^{\mathit{i}}+{\sum }_{\mathit{i}=\mathit{n}}^{\mathit{N}-\mathbf{1}} {\mathit{r}}_{\mathit{i}}{\mathit{X}}^{\mathit{i}}$$

where ${\mathit{r}}_{\mathit{i}}\leftarrow \mathit{U}(\{-\mathbf{1,0},\mathbf{1}\})$ are small random ternary coefficients. The public key is generated as ${\mathsf{P}\mathsf{K}}_{\mathit{u}}={\mathsf{R}\mathsf{L}\mathsf{W}\mathsf{E}}_{{\mathit{z}}^{(\mathit{u})}}(\mathbf{0})=({\mathit{b}}^{(\mathit{u})},{\mathit{a}}_{\mathit{p}\mathit{u}\mathit{b}})$:

• $\mathsf{E}\mathsf{v}\mathsf{a}\mathsf{l}\mathsf{K}\mathsf{e}\mathsf{y}\mathsf{G}\mathsf{e}\mathsf{n}(\mathsf{p}\mathsf{p},{\mathbf{s}}^{(\mathit{u})},{\mathit{z}}^{(\mathit{u})})\to ({\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u}},{\mathrm{𝓚}}_{\mathit{P}}^{(\mathit{u})},{\mathrm{𝓚}}_{\mathit{S}\mathit{S}}^{(\mathit{u})})$: Participant $\mathit{u}$ generates Blind Rotation Keys ${\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u},\mathit{i}}\leftarrow \mathsf{M}\mathsf{K}-\mathsf{R}\mathsf{G}\mathsf{S}\mathsf{W}.\mathsf{E}\mathsf{n}\mathsf{c}({\mathit{s}}_{\mathit{i}}^{(\mathit{u})},{\mathit{z}}^{(\mathit{u})})$, Packing Keys ${\mathrm{𝓚}}_{\mathit{P}}^{(\mathit{u})}$ (for LWE to RLWE key-switching), and a Scheme Switching Key ${\mathrm{𝓚}}_{\mathit{S}\mathit{S}}^{(\mathit{u})}\leftarrow \mathsf{R}\mathsf{G}\mathsf{S}\mathsf{W}({\mathit{z}}^{(\mathit{u})})$.

Remark 2

(Symmetry and Asymmetry in DMBB-RCB). It is worth noting that our framework employs a hybrid cryptographic architecture that leverages both symmetric and asymmetric properties to optimize overall performance. Specifically, the initial encryption of private user data is strictly symmetric (Secret-Key LWE, as per Definition 4) to minimize client-side computational overhead and ciphertext expansion before transmission. In contrast, the homomorphic evaluation phase relies on an asymmetric (Public-Key) paradigm; the evaluation materials, including the Blind Rotation Keys (BRK) and Packing Keys, are published as Public-Key RLWE/RGSW ciphertexts. This allows any untrusted third-party server to process the data without access to the secret keys. Finally, the decryption process is structured as a distributed threshold protocol, where the publicly evaluated ciphertext is jointly decrypted using the participants’ individual symmetric secret keys.

Remark 3

(Cost of Dynamic Participant Addition). A significant advantage of our CRS-based dynamic setup is the minimal overhead required when a new participant joins the computation. Because the global public parameters $\mathit{p}\mathit{p}$ and the common reference string ${\mathit{a}}_{\mathit{p}\mathit{u}\mathit{b}}$ remain static, existing participants incur zero computational and communication overhead; they do not need to update, regenerate, or re-broadcast their keys. The new participant ${\mathit{u}}_{\mathit{n}\mathit{e}\mathit{w}}$ only needs to locally execute KeyGen and EvalKeyGen once. The cost for ${\mathit{u}}_{\mathit{n}\mathit{e}\mathit{w}}$ strictly consists of generating one LWE/RLWE key pair and producing their local evaluation keys ($\mathit{B}\mathit{R}\mathit{K},\mathit{K}\mathit{P}$, and $\mathit{K}\mathit{S}\mathit{S}$). The server simply appends these newly broadcasted keys to its storage without halting ongoing independent computations.

3.3. The DMBB-RCB Evaluation Protocol

High-Level Overview of the DMBB-RCB Pipeline:

Before detailing the specific algorithms, we outline how the cryptographic primitives smoothly transition through our evaluation pipeline.

First, users encrypt their private inputs using standard Secret-Key LWE to minimize client-side overhead.

To initiate the bootstrapping, the Amortized Input Preparation phase homomorphically packs multiple such LWE ciphertexts into a single Public-Key RLWE accumulator polynomial.

Subsequently, the Blind Rotation is executed homomorphically over this RLWE accumulator using the users’ public RGSW evaluation keys.

Instead of reverting to LWE via key-switching, our Ring-Compact Extraction natively transforms the RLWE output into a Multi-Key RGSW ciphertext, keeping the data entirely within the ring domain.

Finally, when the computation is complete, the parties invoke the Distributed Decryption protocol to jointly decrypt the resulting ring-based ciphertext using their secret RLWE key shares.

3.3.1. Amortized Input Preparation

To amortize the bootstrapping cost, we aggregate $\mathit{\nu }$ independent scalar multi-key LWE ciphertexts $\{{\mathsf{c}\mathsf{t}}_{\mathit{\tau }}=({\mathbf{a}}_{\mathit{\tau }},{\mathit{b}}_{\mathit{\tau }}){\}}_{\mathit{\tau }=\mathbf{0}}^{\mathit{\nu }-\mathbf{1}}$ into a single RLWE polynomial. The target polynomial slots are defined by a mapping function $\mathit{p}(\mathit{\tau })$. The initialized accumulator ${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\in {\mathrm{𝓡}}_{\mathit{Q}}\times {\mathrm{𝓡}}_{\mathit{Q}}$ is constructed by homomorphically subtracting the secret-dependent parts using the aggregate Packing Keys ${\mathrm{𝓚}}_{\mathit{P}}=\{{\mathrm{𝓚}}_{\mathit{P}}^{(\mathit{u})}{\}}_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}}$:

$${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}={\sum }_{\mathit{\tau }=\mathbf{0}}^{\mathit{\nu }-\mathbf{1}} \left({\mathit{b}}_{\mathit{\tau }}-{\sum }_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}} {\sum }_{\mathit{j}=\mathbf{0}}^{\mathit{n}-\mathbf{1}} {\mathit{a}}_{\mathit{\tau },\mathit{j}}^{(\mathit{u})}{\mathit{s}}_{\mathit{j}}^{(\mathit{u})}\right){\mathit{X}}^{\mathit{p}(\mathit{\tau })}$$

This results in a valid multi-key RLWE encryption ${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\approx {\mathsf{R}\mathsf{L}\mathsf{W}\mathsf{E}}_{\sum {\mathit{z}}^{(\mathit{u})}}({\sum }_{\mathit{\tau }=\mathbf{0}}^{\mathit{\nu }-\mathbf{1}} {\mathit{m}}_{\mathit{\tau }}{\mathit{X}}^{\mathit{p}(\mathit{\tau })})$.

3.3.2. Block-Binary Dynamic Blind Rotation

The core innovation reduces the external product complexity from $\mathit{O}(|\mathit{S}\mathit{u}\mathit{b}|\cdot \mathit{n})$ to $\mathit{O}(|\mathit{S}\mathit{u}\mathit{b}|\cdot \mathit{k})$ by exploiting the block sparsity. The algorithm computes ${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{o}\mathit{u}\mathit{t}}={\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\cdot {\mathit{X}}^{-{\sum }_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}} ⟨{\mathbf{a}}^{(\mathit{u})},{\mathbf{s}}^{(\mathit{u})}⟩}$.

3.3.3. Ring-Compact Extraction

To extract a specific target message ${\mathit{m}}_{\mathit{k}}$ from the packed accumulator without leaving the ring domain, we execute the Ring-Compact sequence. First, a trivial rotation $\mathit{A}\mathit{C}\mathit{C}\leftarrow \mathit{A}\mathit{C}\mathit{C}\cdot {\mathit{X}}^{-\mathit{p}({\mathit{\tau }}^{\mathit{*}})}$ shifts ${\mathit{m}}_{\mathit{k}}$ to the constant term.

$${\mathsf{C}}_{\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{e}}=\mathsf{H}\mathsf{o}\mathsf{m}\mathsf{T}\mathsf{r}\mathsf{a}\mathsf{c}\mathsf{e}(\mathsf{A}\mathsf{C}\mathsf{C})=\sum _{\mathit{i}\in (\mathbb{Z}/\mathbf{2}\mathit{N}\mathbb{Z}{)}^{\times }} {\mathit{\psi }}_{\mathit{i}}(\mathsf{A}\mathsf{C}\mathsf{C})$$

Subsequently, we convert the isolated RLWE ciphertext into a multi-key RGSW ciphertext using Scheme Switching:

$${\mathsf{C}\mathsf{T}}_{\mathit{o}\mathit{u}\mathit{t}}=\mathsf{S}\mathsf{c}\mathsf{h}\mathsf{e}\mathsf{m}\mathsf{e}\mathsf{S}\mathsf{w}\mathsf{i}\mathsf{t}\mathsf{c}\mathsf{h}({\mathsf{C}}_{\mathit{t}\mathit{r}\mathit{a}\mathit{c}\mathit{e}},\{{\mathrm{𝓚}}_{\mathit{S}\mathit{S}}^{(\mathit{u})}{\}}_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}})$$

This closed-loop design ensures ${\mathsf{C}\mathsf{T}}_{\mathit{o}\mathit{u}\mathit{t}}$ can be directly fed into subsequent CMUX gates.

3.4. Distributed Decryption

To recover the computation result while preserving circuit privacy, we apply a distributed decryption protocol with smudging noise [23].

First, a representative multi-key RLWE sample is extracted: ${\mathsf{c}\mathsf{t}}_{\mathit{r}\mathit{l}\mathit{w}\mathit{e}}=(\mathit{b},\mathbf{a})\leftarrow \mathsf{S}\mathsf{a}\mathsf{m}\mathsf{p}\mathsf{l}\mathsf{e}\mathsf{E}\mathsf{x}\mathsf{t}\mathsf{r}\mathsf{a}\mathsf{c}\mathsf{t}({\mathbf{C}\mathbf{T}}_{\mathit{o}\mathit{u}\mathit{t}})$. Each participant $\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}$ computes a partial decryption share ${\mathit{\mu }}_{\mathit{u}}(\mathit{X})$ by masking the exact key multiplication with an independent Gaussian smudging noise ${\mathit{e}}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}^{(\mathit{u})}\leftarrow {\mathit{D}}_{{\mathit{\sigma }}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}}$:

$${\mathit{\mu }}_{\mathit{u}}(\mathit{X})=\mathbf{a}(\mathit{X})\cdot {\mathit{z}}^{(\mathit{u})}(\mathit{X})+{\mathit{e}}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}^{(\mathit{u})}(\mathit{X})(\mathbf{m}\mathbf{o}\mathbf{d}\mathit{Q})$$

To guarantee statistical indistinguishability, the standard deviation must satisfy ${\mathit{\sigma }}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}\ge {\mathbf{2}}^{{\mathit{\lambda }}_{\mathit{s}\mathit{t}\mathit{a}\mathit{t}}}\cdot {\mathit{B}}_{\mathit{n}\mathit{o}\mathit{i}\mathit{s}\mathit{e}}$. The shares are aggregated to cancel the public mask:

$${\mathit{M}}_{\mathit{n}\mathit{o}\mathit{i}\mathit{s}\mathit{y}}(\mathit{X})=\mathit{b}(\mathit{X})+\sum _{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}} {\mathit{\mu }}_{\mathit{u}}(\mathit{X})(\mathbf{m}\mathbf{o}\mathbf{d}\mathit{Q})$$

Finally, the exact message ${\mathit{m}}_{\mathit{d}\mathit{e}\mathit{c}}$ is recovered by rounding the constant term of ${\mathit{M}}_{\mathit{n}\mathit{o}\mathit{i}\mathit{s}\mathit{y}}(\mathit{X})$ relative to the scaling factor $\mathbf{\Delta }$.

4. Correctness and Security Analysis

In this section, we formally establish the mathematical correctness of the Block-Binary Blind Rotation, derive the strict noise propagation bounds required for correct decryption, and prove the IND-CPA security and circuit privacy of the DMBB-RCB scheme.

4.1. Correctness Analysis

The correctness of DMBB-RCB hinges on the accurate homomorphic evaluation of the decryption phase within the accumulator. We first prove the correctness of the block selectors.

Theorem 1

(Correctness of Block Selectors). Let ${\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}$ be the $\mathit{j}$-th block of user ${\mathit{u}}^{\mathbf{\prime }}\mathit{s}$ secret key sampled from ${\mathrm{𝓑}}_{\mathit{l}}$, and let ${\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u},\mathit{i}}$ encrypt the bits of this block. The block selector ${\mathit{H}}_{\mathit{u},\mathit{j}}$ constructed in Algorithm 1 accurately isolates the active rotation factor such that:

$${\mathit{H}}_{\mathit{u},\mathit{j}}{\approx }_{\mathbf{noise}}\mathsf{T}\mathsf{R}\mathsf{G}\mathsf{S}\mathsf{W}\left({\mathit{X}}^{-⟨{\mathbf{a}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})},{\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}⟩}-\mathbf{1}\right)$$

Algorithm 1: Block-Binary Dynamic Blind Rotation.

Input$: \mathrm{Initialized} \mathrm{accumulator} \mathit{A}\mathit{C}{\mathit{C}}_{\mathit{i}\mathit{n}}\in {\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}}$, $\mathrm{discretized} \mathrm{mask} \mathrm{vectors} \{{\mathbf{a}}^{(\mathit{u})}{\}}_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}}$$,\mathrm{where} {\mathbf{a}}^{(\mathit{u})}\in {\mathbb{T}}^{\mathit{n}}$ $\mathrm{Blind} \mathrm{Rotation} \mathrm{Keys} \mathsf{B}\mathsf{R}\mathsf{K}=\left\{{\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u},\mathit{i}}\right\}$$,\mathrm{where} \mathit{B}\mathit{R}{\mathit{K}}_{\mathit{u},\mathit{i}}\in {\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}{\mathit{d}}_{\mathit{g}}\times \mathbf{2}}$ Output$: \mathrm{Rotated} \mathrm{accumulator} \mathit{A}\mathit{C}{\mathit{C}}_{\mathit{o}\mathit{u}\mathit{t}}\in {\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}}$. $\mathit{A}\mathit{C}\mathit{C}\in {\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}}\leftarrow \mathit{A}\mathit{C}{\mathit{C}}_{\mathit{i}\mathit{n}}$ $\mathbf{for} \mathit{j}\leftarrow \mathbf{0} \mathbf{to} \mathit{k}-\mathbf{1} \mathbf{do}$ (Global Block Iteration) $\mathbf{for} \mathbf{each} \mathit{u}\in \mathit{S}\mathit{u}\mathit{b} \mathbf{do}$ (User Contribution Loop) ${\mathit{I}}_{\mathit{j}}\leftarrow \{\mathit{j}\cdot \mathit{l},\dots ,\mathit{j}\cdot \mathit{l}+\mathit{l}-\mathbf{1}\}$ $\mathbf{Construct} \mathbf{Block} \mathbf{Selector}: {\mathit{H}}_{\mathit{u},\mathit{j}}\in {\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}{\mathit{d}}_{\mathit{g}}\times \mathbf{2}}\leftarrow {\sum }_{\mathit{i}\in {\mathit{I}}_{\mathit{j}}} \mathit{B}\mathit{R}{\mathit{K}}_{\mathit{u},\mathit{i}}\mathbf{\odot }\mathbf{const}({\mathit{X}}^{-{\mathbf{a}}_{\mathit{i}}^{(\mathit{u})}}-\mathbf{1})$ $\mathbf{Accumulator} \mathbf{Update}: \mathsf{A}\mathsf{C}\mathsf{C}\leftarrow \mathsf{A}\mathsf{C}\mathsf{C}+(\mathsf{A}\mathsf{C}\mathsf{C}\mathbf{\odot }{\mathit{H}}_{\mathit{u},\mathit{j}})$ $\mathbf{end} \mathbf{for}$ $\mathbf{end} \mathbf{for}$ $\mathbf{return} \mathsf{A}\mathsf{C}\mathsf{C}$

Proof. 

By definition of the Block Binary Distribution, the Hamming weight satisfies $\parallel {\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}{\parallel }_{\mathbf{1}}\le \mathbf{1}$. We analyze the two possible cases for the selector construction ${\mathit{H}}_{\mathit{u},\mathit{j}}={\sum }_{\mathit{i}\in {\mathit{I}}_{\mathit{j}}} {\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u},\mathit{i}}{\mathbf{\odot }}_{\mathit{c}\mathit{o}\mathit{n}\mathit{s}\mathit{t}}({\mathit{X}}^{-{\mathit{a}}_{\mathit{i}}^{(\mathit{u})}}-\mathbf{1})$:

• Case 1 ($\parallel {\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}{\parallel }_{\mathbf{1}}=\mathbf{0}$): For all $\mathit{i}\in {\mathit{I}}_{\mathit{j}}$, ${\mathit{s}}_{\mathit{i}}^{(\mathit{u})}=\mathbf{0}$. Consequently, all ${\mathsf{B}\mathsf{R}\mathsf{K}}_{\mathit{u},\mathit{i}}$ encrypt $\mathbf{0}$. The linear combination homomorphically yields $\mathbf{0}$, which trivially satisfies ${\mathit{X}}^{-⟨\mathbf{a},\mathbf{0}⟩}-\mathbf{1}=\mathbf{1}-\mathbf{1}=\mathbf{0}$.
• Case 2 ($\parallel {\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}{\parallel }_{\mathbf{1}}=\mathbf{1}$): There exists a unique index $\mathit{\kappa }\in {\mathit{I}}_{\mathit{j}}$ such that ${\mathit{s}}_{\mathit{\kappa }}^{(\mathit{u})}=\mathbf{1}$, and ${\mathit{s}}_{\mathit{i}}^{(\mathit{u})}=\mathbf{0}$ for all $\mathit{i}\ne \mathit{\kappa }$. The homomorphic sum collapses to the single non-zero term corresponding to $\mathit{\kappa }$:

$${\mathit{H}}_{\mathit{u},\mathit{j}}{\approx }_{\mathrm{noise}}\mathbf{1}\cdot ({\mathit{X}}^{-{\mathit{a}}_{\mathit{\kappa }}^{(\mathit{u})}}-\mathbf{1})+\sum _{\mathit{i}\ne \mathit{\kappa }} \mathbf{0}={\mathit{X}}^{-{\mathit{a}}_{\mathit{\kappa }}^{(\mathit{u})}}-\mathbf{1}$$

Since $⟨{\mathbf{a}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})},{\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}⟩={\mathit{a}}_{\mathit{\kappa }}^{(\mathit{u})}$, the theorem holds. □

Theorem 2

(Correctness of Blind Rotation). Algorithm 1 transforms the initialized accumulator ${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}$ into ${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{o}\mathit{u}\mathit{t}}{\approx }_{\mathrm{noise}}{\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\cdot {\mathit{X}}^{-{\sum }_{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}} ⟨{\mathbf{a}}^{(\mathit{u})},{\mathbf{s}}^{(\mathit{u})}⟩}$.

Proof. 

The iterative update per block is $\mathsf{A}\mathsf{C}\mathsf{C}\leftarrow \mathsf{A}\mathsf{C}\mathsf{C}+(\mathsf{A}\mathsf{C}\mathsf{C}\mathbf{\odot }{\mathit{H}}_{\mathit{u},\mathit{j}})=\mathsf{A}\mathsf{C}\mathsf{C}\mathbf{\odot }(\mathbf{1}+{\mathit{H}}_{\mathit{u},\mathit{j}})$. Substituting Theorem 1, the multiplier evaluates to ${\mathit{X}}^{-⟨{\mathbf{a}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})},{\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}⟩}$. By the homomorphism of the external product over $\mathit{k}$ blocks and $\left|\mathit{S}\mathit{u}\mathit{b}\right|$ users, the total phase shift perfectly accumulates:

$${\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{o}\mathit{u}\mathit{t}}={\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\cdot \prod _{\mathit{u}\in \mathit{S}\mathit{u}\mathit{b}} \prod _{\mathit{j}=\mathbf{0}}^{\mathit{k}-\mathbf{1}} {\mathit{X}}^{-⟨{\mathbf{a}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})},{\mathbf{s}}_{\mathit{B}\mathit{l}\mathit{o}\mathit{c}{\mathit{k}}_{\mathit{j}}}^{(\mathit{u})}⟩}={\mathsf{A}\mathsf{C}\mathsf{C}}_{\mathit{i}\mathit{n}}\cdot {\mathit{X}}^{-⟨\mathbf{a},\mathbf{s}⟩}$$

This completes the homomorphic evaluation of the decryption phase. □

4.2. Noise Bounding Analysis

We track the worst-case variance bounds of the noise through the protocol to establish the parameter constraints. Let ${\mathit{V}}_{\mathit{L}\mathit{W}\mathit{E}}$, ${\mathit{V}}_{\mathit{K}\mathit{S}}$ and ${\mathit{V}}_{\mathit{e}\mathit{x}\mathit{t}}$ denote the noise variances of a fresh LWE ciphertext, an LWE-to-RLWE key-switching operation, and a TRGSW external product, respectively.

Theorem 3 (Total Error Bound).

For a packing factor $\mathit{\nu }$, block count $\mathit{k}=\mathit{n}/\mathit{l}$, and $\left|\mathit{S}\mathit{u}\mathit{b}\right|$ participants, correct decryption is guaranteed if the final output variance ${\mathit{V}}_{\mathit{o}\mathit{u}\mathit{t}}$ satisfies ${\mathit{V}}_{\mathit{o}\mathit{u}\mathit{t}}\le {\displaystyle \frac{\mathbf{1}}{{\mathbf{6}}^{\mathbf{2}}}}{\left({\displaystyle \frac{\mathit{Q}}{\mathbf{2}\cdot {\mathit{B}}_{\mathit{m}\mathit{s}\mathit{g}}}}\right)}^{\mathbf{2}}$, where

$${\mathit{V}}_{\mathit{o}\mathit{u}\mathit{t}}\le \underset{{\mathit{V}}_{\mathit{p}\mathit{a}\mathit{c}\mathit{k}}}{\underbrace{(\mathit{\nu }{\mathit{V}}_{\mathit{L}\mathit{W}\mathit{E}}+\left|\mathit{S}\mathit{u}\mathit{b}\right|\mathit{n}{\mathit{V}}_{\mathit{K}\mathit{S}})}}+\underset{{\mathit{V}}_{\mathit{d}\mathit{r}\mathit{i}\mathit{f}\mathit{t}}}{\underbrace{(\left|\mathit{S}\mathit{u}\mathit{b}\right|\mathit{k}{\mathit{V}}_{\mathit{e}\mathit{x}\mathit{t}})}}+{\mathit{V}}_{\mathit{S}\mathit{S}}$$

Proof. 

• Packing Noise (${\mathit{V}}_{\mathit{p}\mathit{a}\mathit{c}\mathit{k}}$): Initializing the accumulator via $\mathsf{P}\mathsf{a}\mathsf{c}\mathsf{k}\mathsf{L}\mathsf{W}\mathsf{E}$ aggregates noise linearly with the $\mathit{\nu }$ input ciphertexts and the required $\left|\mathit{S}\mathit{u}\mathit{b}\right|\left[\mathit{c}\mathit{i}\mathit{t}{\mathit{e}}_{\mathit{s}}\mathit{t}\mathit{a}\mathit{r}\mathit{t}\right]\cdot \mathit{n}$ key-switching operations.
• Blind Rotation Drift (${\mathit{V}}_{\mathit{d}\mathit{r}\mathit{i}\mathit{f}\mathit{t}}$): In standard MK-TFHE, noise accumulates additively over $\mathit{n}$ external products per user $({\mathit{V}}_{\mathit{s}\mathit{t}\mathit{d}}\le |\mathit{S}\mathit{u}\mathit{b}|\mathit{n}{\mathit{V}}_{\mathit{e}\mathit{x}\mathit{t}}$). Our block-binary optimization executes only one external product per block. Thus, the drift is bounded by ${\mathit{V}}_{\mathit{d}\mathit{r}\mathit{i}\mathit{f}\mathit{t}}\le |\mathit{S}\mathit{u}\mathit{b}|\mathit{k}{\mathit{V}}_{\mathit{e}\mathit{x}\mathit{t}}=|\mathit{S}\mathit{u}\mathit{b}|[\mathit{c}\mathit{i}\mathit{t}{\mathit{e}}_{\mathit{s}}\mathit{t}\mathit{a}\mathit{r}\mathit{t}]{\displaystyle \frac{\mathit{n}}{\mathit{l}}}{\mathit{V}}_{\mathit{e}\mathit{x}\mathit{t}}$, strictly reducing the dominant noise growth by a factor of $\mathit{l}$.
• Extraction (${\mathit{V}}_{\mathit{S}\mathit{S}}$): The Scheme Switching introduces controlled noise proportional to its gadget decomposition depth. Combining these terms yields the total variance, which must remain below the 6-sigma decoding gap ${\mathit{\sigma }}_{\mathit{g}\mathit{a}\mathit{p}}\approx \mathbf{6}$. □

4.3. Security Analysis

Our security relies on the standard Decision RLWE assumption and the Block-Binary LWE assumption.

Assumption 1

(Block-Binary LWE). Let $\mathbf{s}\leftarrow {\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$. The Block-Binary LWE assumption posits that for appropriate parameters, the distribution of samples $(\mathbf{A},\mathbf{A}\mathbf{s}+\mathbf{e})$ is computationally indistinguishable from uniform over ${\mathbb{Z}}_{\mathit{q}}^{\mathit{m}\times \mathit{n}}\times {\mathbb{Z}}_{\mathit{q}}^{\mathit{m}}$. Recent cryptanalysis confirms its hardness against hybrid dual attacks with minimal security loss for small block lengths (e.g., $\mathit{l}\in \{\mathbf{2,3},\mathbf{4}\}$).

Theorem 4

(IND-CPA Security). Under the RLWE and Block-Binary LWE assumptions, the DMBB-RCB scheme is IND-CPA secure against a probabilistic polynomial-time (PPT) adversary $\mathrm{𝓐}$.

Proof. 

Proof Sketch (Hybrid Argument). Let ${\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathit{i}}}$ be the advantage of $\mathrm{𝓐}$ in Game $\mathit{i}$:

• Game 0 (Real): The standard IND-CPA game.
• Game 1 (Random Public Keys): We replace ${\mathsf{P}\mathsf{K}}_{\mathit{u}}={\mathsf{R}\mathsf{L}\mathsf{W}\mathsf{E}}_{{\mathit{z}}^{(\mathit{u})}}(\mathbf{0})$ with random pairs from $\mathit{U}({\mathrm{𝓡}}_{\mathit{Q}}^{\mathbf{2}})$. By the RLWE assumption, $|{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{0}}}-{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{1}}}|[\mathit{c}\mathit{i}\mathit{t}{\mathit{e}}_{\mathit{s}}\mathit{t}\mathit{a}\mathit{r}\mathit{t}]\le \mathrm{negl}(\mathit{\lambda })$.
• Games 2 & 3 (Simulated Eval Keys): We replace the Packing Keys ${\mathrm{𝓚}}_{\mathit{P}}$ and Blind Rotation Keys $\mathsf{B}\mathsf{R}\mathsf{K}$ with encryptions of 0. Since these keys are valid RLWE/RGSW ciphertexts and their underlying RLWE secret ${\mathit{z}}^{(\mathit{u})}$ is protected (from Game 1), semantic security guarantees $|{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{1}}}-{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{3}}}|[\mathit{c}\mathit{i}\mathit{t}{\mathit{e}}_{\mathit{s}}\mathit{t}\mathit{a}\mathit{r}\mathit{t}]\le \mathrm{negl}(\mathit{\lambda })$. The sparse structure of ${\mathbf{s}}^{(\mathit{u})}$ as the message in the BRK does not compromise the RLWE hardness.
• Game 4 (Random Challenge): We replace the challenge LWE ciphertext $({\mathbf{a}}^{\mathbf{*}},{\mathit{b}}^{\mathbf{*}})$ with a uniform random vector. By Assumption 1, $|{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{3}}}-{\mathrm{Adv}}_{\mathrm{𝓐}}^{\mathit{G}\mathit{a}\mathit{m}{\mathit{e}}_{\mathbf{4}}}|[\mathit{c}\mathit{i}\mathit{t}{\mathit{e}}_{\mathit{s}}\mathit{t}\mathit{a}\mathit{r}\mathit{t}]\le \mathrm{negl}(\mathit{\lambda })$. In Game 4, the adversary’s advantage is exactly 0. Thus, the scheme is IND-CPA secure. □

Theorem 5

(1-Hop Circuit Privacy). If the smudging noise standard deviation satisfies ${\mathit{\sigma }}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}\ge {\mathbf{2}}^{{\mathit{\lambda }}_{\mathit{s}\mathit{t}\mathit{a}\mathit{t}}}\cdot {\mathit{B}}_{\mathit{o}\mathit{u}\mathit{t}}$, the partial decryption shares ${\mathit{\mu }}_{\mathit{u}}$ can be simulated given only the final output, ensuring circuit privacy.

Proof. 

The share computation ${\mathit{\mu }}_{\mathit{u}}=\mathbf{a}\cdot {\mathit{z}}^{(\mathit{u})}+{\mathit{e}}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}^{(\mathit{u})}$ masks the input noise structure. By the Smudging Lemma, the statistical distance between $(\mathbf{a},\mathbf{a}\cdot {\mathit{z}}^{(\mathit{u})}+{\mathit{e}}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}}+{\mathit{e}}_{\mathit{i}\mathit{n}\mathit{p}\mathit{u}\mathit{t}})$ and $(\mathbf{a},\mathbf{a}\cdot {\mathit{z}}^{(\mathit{u})}+{\mathit{e}}_{\mathit{s}\mathit{m}\mathit{u}\mathit{d}\mathit{g}\mathit{e}})$ is bounded by ${\mathbf{2}}^{-{\mathit{\lambda }}_{\mathit{s}\mathit{t}\mathit{a}\mathit{t}}}$. Thus, the joint decryption reveals no information about the secret keys ${\mathit{z}}^{(\mathit{u})}$ beyond the final plaintext result. □

5. Theoretical Performance and Complexity Evaluation

In this section, we evaluate the theoretical performance of the proposed DMBB-RCB scheme. We explicitly note that this section presents an analytical and theoretical evaluation grounded in established cryptographic metrics, rather than an implementation-based software benchmark. We incorporate the complexity analysis deferred from Section 4, establish concrete parameter sets satisfying the derived noise bounds, and compare the asymptotic latency and throughput against existing state-of-the-art Multi-Key FHE schemes.

5.1. Asymptotic Complexity Comparison

The efficiency of a TFHE-style scheme is heavily dominated by the sequence of external products in the Blind Rotation phase. We compare DMBB-RCB against standard Static MK-TFHE and Dynamic MK-TFHE. Let $\mathit{p}=\left|\mathit{S}\mathit{u}\mathit{b}\right|$ be the number of active participants, $\mathit{n}$ be the LWE dimension, $\mathit{l}$ be the block length, and $\mathit{\nu }$ be the packing factor. Let ${\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$ and ${\mathit{T}}_{\mathit{k}\mathit{s}}$ denote the computational cost of a single TRGSW external product and an LWE-to-RLWE key-switching operation, respectively.

Existing schemes mandate iterating through every bit of the expanded multi-key, resulting in a blind rotation complexity of $\mathit{O}(\mathit{p}\cdot \mathit{n}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}})$. Furthermore, standard schemes output a scalar LWE sample, requiring an additional $\mathit{O}(\mathit{n}\cdot {\mathit{T}}_{\mathit{k}\mathit{s}})$ key-switching overhead to return to an RLWE format for subsequent gates.

In contrast, DMBB-RCB strictly reduces the blind rotation complexity to $\mathit{O}(\mathit{p}\cdot {\displaystyle \frac{\mathit{n}}{\mathit{l}}}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}})$ by iterating over $\mathit{k}=\mathit{n}/\mathit{l}$ blocks. Concurrently, the amortized cost per bit is minimized to $\mathit{O}(\mathit{p}\cdot {\displaystyle \frac{\mathit{n}}{\mathit{l}\cdot \mathit{\nu }}}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}})$ via the $\mathsf{P}\mathsf{a}\mathsf{c}\mathsf{k}\mathsf{L}\mathsf{W}\mathsf{E}$ mechanism. The Ring-Compact architecture eliminates the post-bootstrapping key-switching overhead entirely, as summarized in

Table 1. Asymptotic Complexity and Feature Comparison.

Scheme	Blind Rotation Cost	Amortized Cost (Per Bit)	Post-PBS Key Switching	Dynamic Support
Static MK-TFHE [10]	$\mathit{p}\cdot \mathit{n}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	$\approx \mathit{p}\cdot \mathit{n}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	$\mathrm{Required} (\mathit{n}\cdot {\mathit{T}}_{\mathit{k}\mathit{s}}$)	No
Dynamic MK-TFHE [17]	$\mathit{p}\cdot \mathit{n}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	$\approx \mathit{p}\cdot \mathit{n}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	$\mathrm{Required} (\mathit{n}\cdot {\mathit{T}}_{\mathit{k}\mathit{s}}$)	Yes
DMBB-RCB (Ours)	$\mathit{p}\cdot {\displaystyle \frac{\mathit{n}}{\mathit{l}}}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	$\approx {\displaystyle \frac{\mathit{p}\cdot \mathit{n}}{\mathit{l}\cdot \mathit{\nu }}}\cdot {\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$	Eliminated	Yes

.

5.2. Concrete Parameter Selection

To validate the feasibility of DMBB-RCB, we select parameters targeting 128-bit security. According to recent cryptanalysis, the LWE dimension $\mathit{n}$ must be marginally increased compared to standard binary keys to resist hybrid dual attacks when utilizing block-binary keys. Specifically, to maintain a strict 128-bit security level, standard binary keys ($\mathit{l}=\mathbf{1}$) typically require an LWE dimension of $\mathit{n}\approx \mathbf{600}$. Our concrete parameter selection confirms that employing block lengths of $\mathit{l}=\mathbf{2}$ (Set-I) and $\mathit{l}=\mathbf{4}$ (Set-II) necessitates expanding the dimensions to $\mathit{n}=\mathbf{650}$ and $\mathit{n}=\mathbf{720}$, respectively. This precisely accounts for the ~10–15% margin required to offset the structural sparsity. The polynomial modulus parameters $(\mathit{N},\mathit{Q})$ and the standard deviations of the error distributions ($\mathit{\alpha }$ for LWE, $\mathit{\beta }$ for RLWE/RGSW) must carefully balance the noise constraints in Theorem 3 and the standard Lattice Estimator security bounds. Specifically, to guarantee a 128-bit security level against known lattice attacks (e.g., uSVP and dual attacks), the error standard deviations are chosen appropriately relative to the dimensions. In our concrete instantiation, we set the LWE error rate to $\mathit{\alpha }\approx {\mathbf{2}}^{-\mathbf{15}}$ and the RLWE error rate to $\mathit{\beta }\approx {\mathbf{2}}^{-\mathbf{25}}$ for Set-I, and adjust them marginally for Set-II to accommodate the larger packing factor. As presented in

Table 2. Recommended Parameters for 128-bit Security.

Parameter	Symbol	Set-I (Speed)	Set-II (Capacity)
Block Length	$\mathit{l}$	2	4
LWE Dimension	$\mathit{n}$	650	720
Block Count	$\mathit{k}=\mathit{n}/\mathit{l}$	325	180
RLWE Degree	$\mathit{N}$	1024	2048
RLWE Modulus	$\mathit{Q}$	${\mathbf{2}}^{\mathbf{25}}$	${\mathbf{2}}^{\mathbf{25}}$
Packing Factor	$\mathit{\nu }$	1	1024
Gadget Base	$({\mathit{B}}_{\mathit{b}\mathit{r}\mathit{k}},{\mathit{B}}_{\mathit{k}\mathit{s}})$	$({\mathbf{2}}^{\mathbf{6}},{\mathbf{2}}^{\mathbf{4}})$	$({\mathbf{2}}^{\mathbf{9}},{\mathbf{2}}^{\mathbf{6}})$
Error Standard Deviations	$(\mathit{\alpha },\mathit{\beta })$	$({\mathbf{2}}^{-\mathbf{15}},{\mathbf{2}}^{-\mathbf{25}})$	$({\mathbf{2}}^{-\mathbf{16}},{\mathbf{2}}^{-\mathbf{28}})$

, we propose two parameter sets derived from the noise bounds in Theorem 3: Set-I targets low-latency execution, while Set-II maximizes high-throughput packing.

Regarding the packing factor $\mathit{\nu }$, it directly dictates the initial noise accumulation. As defined in Theorem 3, the noise variance from packing grows linearly with $\mathit{\nu }$. To ensure the final noise variance remains below the decoding gap (${\mathit{V}}_{\mathit{o}\mathit{u}\mathit{t}}\le {\mathit{V}}_{\mathit{m}\mathit{a}\mathit{x}}$), the theoretical upper bound for the packing factor is roughly bounded by ${\mathit{\nu }}_{\mathit{m}\mathit{a}\mathit{x}}\approx \lfloor ({\mathit{V}}_{\mathit{m}\mathit{a}\mathit{x}}-{\mathit{V}}_{\mathit{d}\mathit{r}\mathit{i}\mathit{f}\mathit{t}}-{\mathit{V}}_{\mathit{S}\mathit{S}})/{\mathit{V}}_{\mathit{L}\mathit{W}\mathit{E}}\rfloor$. For our Set-II parameters ($\mathit{N}=\mathbf{2048},\mathit{Q}={\mathbf{2}}^{\mathbf{25}}$), $\mathit{\nu }=\mathbf{1024}$ approaches this upper boundary; exceeding it would cause decryption failures due to noise overflow.

5.3. Theoretical Performance Projections

We project the execution time based on standard AVX-512 accelerated CPU single-thread execution, estimating one TRGSW External Product (${\mathit{T}}_{\mathit{e}\mathit{x}\mathit{t}}$) at approximately 10 ms for $\mathit{N}=\mathbf{1024}$ and 35 ms for $\mathit{N}=\mathbf{2048}$. We consider a collaborative group of $\mathit{p}=\mathbf{4}$ participants:

• Latency: For standard MK-TFHE ($\mathit{n}=\mathbf{650}$), evaluating one gate takes $\approx \mathbf{4}\times \mathbf{650}\times \mathbf{10} \mathrm{ms}=\mathbf{26} \mathrm{s}$. Utilizing Set-I ($\mathit{l}=\mathbf{2}$), DMBB-RCB cuts this execution time strictly by half to $\approx \mathbf{4}\times \mathbf{325}\times \mathbf{10} \mathrm{ms}=\mathbf{13} \mathrm{s}$.
• Amortized Throughput: Utilizing Set-II ($\mathit{l}=\mathbf{4}, \mathit{\nu }=\mathbf{1024}, \mathit{N}=\mathbf{2048}$), one bootstrapping execution takes $\approx \mathbf{4}\times \mathbf{180}\times \mathbf{35} \mathrm{ms}=\mathbf{25.2} \mathrm{s}$. However, this single execution refreshes 1024 logic gates simultaneously. The standard scheme achieves an effective throughput of $\approx \mathbf{0.038}$ gates/s, whereas DMBB-RCB achieves $\approx \mathbf{1024}/\mathbf{25.2} \mathrm{s}\approx \mathbf{40.6}$ gates/s. This represents a theoretical throughput improvement of approximately $\mathbf{1000}\times$.

5.4. Storage and Communication Trade-Offs

While computation is highly optimized, the Ring-Compact property necessitates specific storage trade-offs:

• Key Storage: The Blind Rotation Keys ($\mathsf{B}\mathsf{R}\mathsf{K}$) still require encryptions of individual bits to construct the block selector ${\mathit{H}}_{\mathit{u},\mathit{j}}$, maintaining a size of $\mathit{n}\times \left|\mathsf{R}\mathsf{G}\mathsf{S}\mathsf{W}\right|$, comparable to standard schemes. However, embedding the LWE key into the RLWE key (Section 3.2) saves $\approx \mathbf{50}\mathbf{\%}$ of the key generation storage overhead compared to separate key formulations.
• Ciphertext Expansion: The output is an MK-RGSW ciphertext containing $\mathbf{2}{\mathit{d}}_{\mathit{g}}$ RLWE ciphertexts. For a depth of ${\mathit{d}}_{\mathit{g}}=\mathbf{3}$, the output size is $\approx \mathbf{48} \mathrm{KB}$ per user share, compared to $\approx \mathbf{2.5} \mathrm{KB}$ for a scalar LWE sample. While this represents a 19x ciphertext expansion, it is a highly favorable trade-off in realistic MPC scenarios. In modern cloud environments and wide-area networks (WANs), bandwidth is generally abundant, whereas network round-trip latency is the primary bottleneck for distributed systems. Traditional schemes require frequent, interactive key-switching protocols between all parties after each bootstrapping, causing severe latency degradation. By strictly containing the output within the 48 KB MK-RGSW format, DMBB-RCB achieves zero-interaction during the depth-unbounded circuit evaluation phase. Multi-party communication is explicitly deferred to and exclusively required for the final distributed decryption protocol. Exchanging 48 KB of data per share at the very end of the computation is negligible compared to the massive reduction in interactive communication rounds during the evaluation phase.
• Runtime Memory Consumption: Beyond static storage, we must also account for dynamic memory (RAM) consumption during the bootstrapping evaluation. In MK-FHE, the primary memory footprint stems from loading the multi-key Blind Rotation Keys (BRK) and the accumulator states into active memory. For $\mathit{p}$ participants, the total evaluation key size scales as $\mathit{O}(\mathit{p}\cdot \mathit{n}\cdot |\mathit{R}\mathit{G}\mathit{S}\mathit{W}|)$. Using our Set-II parameters ($\mathit{n}=\mathbf{720}, \mathit{N}=\mathbf{2048}$), the BRK size per user is approximately several hundred megabytes. While our block-binary logic reduces the computational iterations, the entire key must still reside in memory. Consequently, evaluating deep circuits for multiple users requires gigabytes of RAM. This memory consumption is entirely manageable for modern cloud servers (the intended environment for DMBB-RCB), but it necessitates proper memory provisioning and precludes deployment on highly memory-constrained edge devices.

5.5. Evaluation Summary

The theoretical evaluation confirms that DMBB-RCB resolves the primary scalability bottlenecks of MK-TFHE. The sparse key structure reduces computational latency by a factor of $\mathit{l}$, while amortized packing increases throughput by a factor of $\mathit{\nu }$. The computational cost grows linearly with $\mathit{p}$ but is strictly bounded by a shallower slope coefficient ($\mathit{n}/\mathit{l}$ vs. $\mathit{n}$), verifying its suitability for large-scale dynamic MPC tasks.

6. Conclusions

In this paper, we addressed the critical scalability and throughput bottlenecks inherent in Multi-Key Homomorphic Encryption (MKHE) by proposing the Dynamic Multi-Key Block-Binary Ring-Compact Bootstrapping (DMBB-RCB) framework.

By abandoning the conventional bit-wise processing paradigm, DMBB-RCB synergizes three advanced cryptographic optimizations: (1) adopting a Block-Binary distribution $({\mathcal{B}}_{l,k}$) for secret keys to strictly reduce the dominant blind rotation complexity from $O(p\cdot n)$ to $O(p\cdot n/l)$; (2) integrating an amortized multi-key $\mathsf{P}\mathsf{a}\mathsf{c}\mathsf{k}\mathsf{L}\mathsf{W}\mathsf{E}$ mechanism to process $\nu$ independent messages in parallel, thereby increasing the amortized throughput by orders of magnitude; and (3) implementing a Ring-Compact extraction architecture via Scheme Switching, which outputs Multi-Key RGSW ciphertexts natively to enable depth-unbounded, closed-loop evaluation without interactive LWE-to-RLWE key-switching.

Consequently, DMBB-RCB bridges the gap between the programmable logic flexibility of TFHE and the SIMD efficiency of leveled FHE schemes [12,24]. The dynamic common reference string (CRS) design and interaction-free extraction during the evaluation phase (with interaction restricted solely to the final decryption step) make this framework highly scalable and communication-efficient, positioning it as a robust cryptographic foundation for dynamic Secure Multi-Party Computation (MPC) environments, such as federated learning and collaborative cloud analytics.

7. Limitations and Future Research

While DMBB-RCB achieves substantial computational optimizations, we acknowledge specific trade-offs that motivate our future research directions:

• Ciphertext Expansion and Bandwidth: The native output of our Ring-Compact scheme is a Multi-Key RGSW ciphertext, which comprises a matrix of polynomials. This is significantly larger than a scalar LWE sample utilized in standard TFHE, necessitating higher transmission bandwidth during the final result retrieval phase.
• Latency vs. Throughput Profile: The initial noise term introduced by polynomial packing grows with the packing factor $\mathit{\nu }$, requiring careful parameter bounds. Furthermore, the overhead of the packing and scheme-switching sub-routines slightly increases the latency of a single bootstrapping execution. Thus, DMBB-RCB is optimized for batched, high-throughput processing rather than ultra-low-latency, real-time control systems.

Building upon these properties, future research will focus on the following trajectories:

• Hardware Acceleration: The structured block-wise external products inherent to our block-binary blind rotation are highly amenable to hardware parallelization. Future implementations will explore distributing these operations across FPGAs or GPUs to further minimize absolute latency.
• Verifiable MKHE (Malicious Security): To secure the protocol against malicious participants who might supply malformed sparse keys or ciphertexts, integrating Zero-Knowledge Proofs (ZKP) to verify the validity of the ${\mathrm{𝓑}}_{\mathit{l},\mathit{k}}$ keys and the packing step remains a crucial open problem.
• Advanced Packing and Hybrid Architectures: We aim to explore automorphism-based slot permutations within the DMBB-RCB accumulator to evaluate complex linear algebra operations directly inside the bootstrapping loop. Additionally, investigating a hybrid framework that switches between DMBB-RCB (for non-linear Boolean logic) and CKKS (for precision arithmetic) could yield a comprehensive solution for Privacy-Preserving Machine Learning as a Service (PPMLaaS).
• Software Engineering and Concrete Implementation: The performance evaluations presented in this manuscript are strictly theoretical projections grounded in empirical baseline metrics. Developing a production-ready, highly optimized multi-party execution framework in low-level languages (such as C++ or Rust) falls outside the mathematical scope of this paper. A full-scale implementation—which must rigorously address memory management, side-channel resistance, and network synchronization—is a massive independent software engineering undertaking. This comprehensive C++/Rust implementation, alongside hardware co-design, constitutes our immediate next step for future work to transition DMBB-RCB from a mathematical protocol to a deployable library.