Faster Bootstrapping with Polynomial Error

  • Jacob Alperin-Sheriff
  • Chris Peikert
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8616)


Bootstrapping is a technique, originally due to Gentry (STOC 2009), for “refreshing” ciphertexts of a somewhat homomorphic encryption scheme so that they can support further homomorphic operations. To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitrary unbounded computations.

Over the past few years, several works have dramatically improved the efficiency of bootstrapping and the hardness assumptions needed to implement it. Recently, Brakerski and Vaikuntanathan (ITCS 2014) reached the major milestone of a bootstrapping algorithm based on Learning With Errors for polynomial approximation factors. Their method uses the Gentry-Sahai-Waters (GSW) cryptosystem (CRYPTO 2013) in conjunction with Barrington’s “circuit sequentialization” theorem (STOC 1986). This approach, however, results in very large polynomial runtimes and approximation factors. (The approximation factors can be improved, but at even greater costs in runtime and space.)

In this work we give a new bootstrapping algorithm whose runtime and associated approximation factor are both small polynomials. Unlike most previous methods, ours implements an elementary and efficient arithmetic procedure, thereby avoiding the inefficiencies inherent to the use of boolean circuits and Barrington’s Theorem. For 2 λ security under conventional lattice assumptions, our method requires only a quasi-linear Õ(λ) number of homomorphic operations on GSW ciphertexts, which is optimal (up to polylogarithmic factors) for schemes that encrypt just one bit per ciphertext. As a contribution of independent interest, we also give a technically simpler variant of the GSW system and a tighter error analysis for its homomorphic operations.


  1. 1.
    Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 1–20. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  2. 2.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Barrington, D.A.M.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC1. In: STOC, pp. 1–5 (1986)Google Scholar
  4. 4.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325 (2012)Google Scholar
  5. 5.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC, pp. 575–584 (2013)Google Scholar
  6. 6.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106 (2011)Google Scholar
  7. 7.
    Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS, p. 1 (2014)Google Scholar
  8. 8.
    Cai, J.-Y., Lipton, R.J.: Subquadratic simulations of circuits by branching programs. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 568–573 (1989)Google Scholar
  9. 9.
    Cleve, R.: Towards optimal simulations of formulas by bounded-width programs. Computational Complexity 1(1), 91–105 (1991)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009),
  11. 11.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
  12. 12.
    Gentry, C., Halevi, S.: Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. In: FOCS, pp. 107–109 (2011)Google Scholar
  13. 13.
    Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 1–16. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  16. 16.
    Jacobson, N.: Basic Algebra I. Dover Publications (2012)Google Scholar
  17. 17.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. Journal of the ACM 60(6), 43:1–43:35 (2013); Preliminary version in Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)Google Scholar
  18. 18.
    Micciancio, D., Peikert, C.: Trapdoors for lattices: Simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC 2009, pp. 333–342 (2009)Google Scholar
  20. 20.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009); Preliminary version in STOC 2005MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Schoenfeld, L.: Sharper bounds for the Chebyshev functions θ(x) and ψ(x). ii. Mathematics of Computation 30(134), 337–360 (1976)MathSciNetzbMATHGoogle Scholar
  22. 22.
    Sinha, R.K.: Some topics in parallel computation and branching programs. PhD thesis, University of Washington (1995)Google Scholar
  23. 23.
    Vershynin, R.: Compressed Sensing, Theory and Applications, ch. 5, pp. 210–268. Cambridge University Press (2012),

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Jacob Alperin-Sheriff
    • 1
  • Chris Peikert
    • 1
  1. 1.School of Computer ScienceGeorgia Institute of TechnologyAtlantaUSA

Personalised recommendations