Skip to main content

Better Bootstrapping for Approximate Homomorphic Encryption

  • Conference paper
  • First Online:
Topics in Cryptology – CT-RSA 2020 (CT-RSA 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12006))

Included in the following conference series:


After Cheon et al. (Asiacrypt’ 17) proposed an approximate homomorphic encryption scheme, HEAAN, for operations between encrypted real (or complex) numbers, the scheme is widely used in a variety of fields with needs on privacy-preserving in data analysis. After that, a bootstrapping method for HEAAN is proposed by Cheon et al. (Eurocrypt’ 18) with modulus reduction being replaced by a sine function. In this paper, we generalize the Full-RNS variant of HEAAN proposed by Cheon et al. (SAC, 19) to reduce the number of temporary moduli used in key-switching. As a result, our scheme can support more depth computations without bootstrapping while ensuring the same level of security.

We also propose a new polynomial approximation method to evaluate a sine function in an encrypted state, which is specialized for the bootstrapping for HEAAN. Our method considers a ratio between the size of a plaintext and the size of a ciphertext modulus. Consequently, it requires a smaller number of non-scalar multiplications, which is about half of the Chebyshev method.

With our variant of the Full-RNS scheme and a new sine evaluation method, we firstly implement bootstrapping for a Full-RNS variant of approximate homomorphic encryption scheme. Our method enables bootstrapping for a plaintext in the space \({\mathbb {C}}^{16384}\) to be completed in 52 s while preserving 11 bit precision of each slot.

K. Han—This work was done when the first author was in Seoul National University (SNU).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    After version 3.2, they use one temporary modulus instead of bit-decomposition as in [17].

  2. 2.

    In practice, \(p_i\)’s are chosen to have maximum sizes within the word size (<64 bits). On the other hand, sizes of \(q_j\)’s are depend on the precision of applications, and usually they are 40–45 bits.

  3. 3.

    In the case of SEAL v3.2, they use the bit-decomposition technique with the RNS-decomposition to reduce the noise growth. But, this method also has a drawback. It increases the length of the public key vector for key-switching further, which is directly related to the complexity of the process.

  4. 4.

    In Step 1, inverse NTT transform is needed for the next step (modulus raising).

  5. 5.

    Here, SEAL v.3.3 and HEAAN-RNS indicate the scheme corresponding to each paper and library.

  6. 6.

    Previous method uses a sine function and double angle formula for a sine function needs both \(\cos (t)\) and \(\sin (t)\) to compute \(\sin (2t)\).

  7. 7.

    The code for finding an approximate polynomial for the cosine function can be found at [15].

  8. 8.

    In fact, they use the nodes \(t_i = K \cos \left( {i\pi /n}\right) \) for \(0 \le i \le n\) instead of nodes \(t_i = K \cos \left( (2i-1)\pi / (2n+2) \right) \) for \(1 \le i \le n+1\). But, there is no big difference.

  9. 9.

    Here, SEAL v.3.3 and HEAAN-RNS indicate the schemes corresponding to each library and paper.

  10. 10.

    \(|t-\sin {t}|<O(t^3)\) for t near the origin.


  1. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

    Article  MathSciNet  Google Scholar 

  2. Bajard, J.-C., Eynard, J., Hasan, M.A., Zucca, V.: A full RNS variant of FV like somewhat homomorphic encryption schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 423–442. Springer, Cham (2017).

    Chapter  Google Scholar 

  3. Boemer, F., Lao, Y., Wierzynski, C.: nGraph-HE: a graph compiler for deep learning on homomorphically encrypted data. arXiv preprint arXiv:1810.10121 (2018)

  4. Carpov, S., Gama, N., Georgieva, M., Troncoso-Pastoriza, J.R.: Privacy-preserving semi-parallel logistic regression training with Fully Homomorphic Encryption. Cryptology ePrint Archive, Report 2019/101 (2019).

  5. Chen, H., Chillotti, I., Song, Y.: Improved bootstrapping for approximate homomorphic encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 34–54. Springer, Cham (2019).

    Chapter  Google Scholar 

  6. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: A full RNS variant of approximate homomorphic encryption. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 347–368. Springer, Cham (2018).

    Chapter  Google Scholar 

  7. Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018).

    Chapter  Google Scholar 

  8. Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017).

    Chapter  Google Scholar 

  9. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, vol. 9, pp. 169–178 (2009)

    Google Scholar 

  10. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012).

    Chapter  Google Scholar 

  11. Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 83–105. Springer, Cham (2019).

    Chapter  Google Scholar 

  12. Han, K., Hhan, M., Cheon, J.H.: Improved homomorphic discrete Fourier transforms and FHE bootstrapping. IEEE Access 7, 57361–57370 (2019)

    Article  Google Scholar 

  13. Han, K., Hong, S., Cheon, J.H., Park, D.: Efficient logistic regression on large encrypted data. Cryptology ePrint Archive, Report 2018/662 (2018)

    Google Scholar 

  14. Jiang, Y., Wang, C., Wu, Z., Du, X., Wang, S.: Privacy-preserving biomedical data dissemination via a hybrid approach. In: AMIA Annual Symposium Proceedings, vol. 2018, p. 1176. American Medical Informatics Association (2018)

    Google Scholar 

  15. Ki, D.: (2019).

  16. Kim, A., Song, Y., Kim, M., Lee, K., Cheon, J.H.: Logistic regression model training based on the approximate homomorphic encryption. BMC Med. Genomics 11(4) (2018). Article number: 83

    Google Scholar 

  17. Kim, M., Song, Y., Li, B., Micciancio, D.: Semi-parallel logistic regression for GWAS on encrypted data. Cryptology ePrint Archive, Report 2019/294 (2019).

  18. Kim, M., Song, Y., Wang, S., Xia, Y., Jiang, X.: Secure logistic regression based on homomorphic encryption: Design and evaluation. JMIR Med. Inform. 6(2), e19 (2018)

    Article  Google Scholar 

  19. Paterson, M.S., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2(1), 60–66 (1973)

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Kyoohyung Han .

Editor information

Editors and Affiliations

A Correctness and Noise Growth of Homomorphic Multiplication

A Correctness and Noise Growth of Homomorphic Multiplication

Before proving the correctness of the homomorphic multiplication, first remind the properties of \(\texttt {ModUp} \) and \(\texttt {ModDown} \) with the following three equations:

$$\begin{aligned}&\left\Vert \texttt {CRT} _{{\mathcal {C}}\cup {\mathcal {B}}}(\texttt {ModUp} ([a(x)]_{q_0},[a(x)]_{q_1},\dots ,[a(x)]_{q_\ell }))\right\Vert _\infty \le (\ell + 1) \cdot Q, \end{aligned}$$
$$\begin{aligned} \texttt {CRT} _{{\mathcal {C}}\cup {\mathcal {B}}}(\texttt {ModUp} ([a(x)]_{q_0},[a(x)]_{q_1},\dots ,[a(x)]_{q_\ell })) \equiv a(x) \bmod Q, \end{aligned}$$
$$\begin{aligned} \left\Vert \texttt {CRT} _{{\mathcal {C}}}(\texttt {ModDown} ([a(x)]_{q_0},\dots ,[a(x)]_{q_\ell },[a(x)]_{p_0},\dots ,[a(x)]_{p_{k-1}})) - \left\lfloor \dfrac{a(x)}{P} \right\rceil \right\Vert _\infty < k, \end{aligned}$$

where \({\mathcal {B}}=\{p_0,\dots ,p_{k-1}\}\) and \({\mathcal {C}}=\{q_0,\dots ,q_\ell \}\). With the above three equations and properties of RNS-Decompose and RNS-Power, we can prove the correctness of the homomorphic multiplication in our scheme.

Theorem 2

The algorithm such that

$$ b_3(x)+a_3(x)\cdot s(x) = M_1(x) \cdot M_2(x) + M_0(x) \cdot e_1(x) + M_1(x) \cdot e_0(x) + \epsilon (x), $$

where . Here, \(\textsf {ct} _i=(b_i(x),a_i(x)) \in {R}_Q^2\), and \(b_i(x)+a_i(x)\cdot s(x) = M_i(x) + e_i(x)\) for \(i = 0, 1\).


For simplicity, we assume that \(\ell = L\) and \((\ell +1)\) is a multiple of \(\alpha \). First, a vector \((d_0(x),d_1(x),d_2(x))\) which satisfies

$$\begin{aligned}&d_0(x) + d_1(x) \cdot s(x) + d_2(x) \cdot s(x)^2 = (M_0(x)+e_0(x)) \cdot (M_1(x)+e_0(x))\\&= M_0(x) \cdot M_1(x) + M_0(x) \cdot e_1(x) + M_1(x) \cdot e_0(x) + e_0(x) \cdot e_1(x)\\&= M_0(x) \cdot M_1(x) + e_2(x) \in {R}_Q. \end{aligned}$$

is obtained after Step 1.

In Step 2, since \(\ell = L\) and \((L+1)\) is a multiple of \(\alpha \), \(\beta \) equals to \({\texttt {\textit{dnum}}}\) and the zero-padding part can be omitted. Then,

$$ ([d_2(x)\cdot \hat{Q}_0^{-1}]_{Q_0}, \dots , [d_2(x)\cdot \hat{Q}_{{\texttt {\textit{dnum}}}-1}^{-1}]_{Q_{{\texttt {\textit{dnum}}}-1}}) = {\texttt {\textit{RNS-Decomp}}}_{{\mathcal {C}}'}(d_2(x)) $$

is returned after RNS-Decompose step.

Also, Modulus-Raise step returns vectors of length \(k+\ell +1\),

$$\begin{aligned}&([\tilde{d}^{(i)}_2(x)]_{q_0},\dots ,[\tilde{d}^{(i)}_2(x)]_{q_\ell },[\tilde{d}^{(i)}_2(x)]_{p_0},\dots ,[\tilde{d}^{(i)}_2(x)]_{p_{k-1}})\\&=\texttt {ModUp} _{{\mathcal {C}}_i\rightarrow {\mathcal {C}}\cup {\mathcal {B}}}([d_2(x) \cdot \hat{Q}_{i}^{-1}]_{q_{i\alpha }},\dots ,[d_2(x) \cdot \hat{Q}_{i}^{-1}]_{q_{(i+1)\alpha -1}}), \end{aligned}$$

where \(\tilde{d}^{(i)}_2(x) \in {R}_{PQ}\), for \(0\le i < {\texttt {\textit{dnum}}}\). From Eqs. A.1A.2, we can check that \(\tilde{d}_2(x)\) satisfies the following equations:

$$\begin{aligned} \tilde{d}^{(i)}_2(x) \equiv d_2(x) \cdot \hat{Q}_{i}^{-1} \bmod Q_i \text { and } \left\Vert \tilde{d}^{(i)}_2(x)\right\Vert _\infty \le (\alpha + 1) \cdot Q_i. \end{aligned}$$

Note that the norm of \(\tilde{d_2}^{(i)}(x)\) is still much smaller than PQ, and for this reason, \(\texttt {ModUp} \) does not harm the functionality of \({\texttt {\textit{RNS-Decompose}}}\) and \({\texttt {\textit{RNS-Power}}}\).

Next, we suppose that evaluation keys which satisfy \(B_i(x) + A_i(x) \cdot s(x) = P \cdot \hat{Q}_i \cdot s^2(x) + E_i(x) \in {R}_{PQ}\), where \(\left\Vert E_i(x)\right\Vert _\infty < e_\texttt {fresh}\), are generated in the key generation step. Then, the inner product step returns \((B'(x),A'(x)) = \sum _{i=0}^{\beta -1}\left[ \tilde{d_2}^{(i)}(x) \cdot (B_i(x),A_i(x)) \right] \) and it satisfies the following equation:

$$\begin{aligned} B'(x)+A'(x) \cdot s(x)&= P \sum _{i=0}^{\beta -1}\left( \tilde{d_2}^{(i)}(x) \cdot \hat{Q}_i \cdot s^2(x)\right) + \sum _{i=0}^{\beta -1}\left( \tilde{d_2}^{(i)}(x) \cdot E_i(x)\right) \\&= P \cdot d_2(x) \cdot s^2(x) + E'(x) \in {R}_{PQ}, \end{aligned}$$

where and N is the dimension of the ring.

After that, we apply modulus-down process to revert the modulus space from \({R}_{PQ}\) to \({R}_Q\) and to reduce the size of \(E'(x)\). Let \((\tilde{B}(x),\tilde{A}(x))\) be the return of modulus-down step with CRT decomposed representation. From the modulus switching technique and Equation A.3, we can see that \((\tilde{B}(x),\tilde{A}(x))\) has the following property:

$$\begin{aligned} \tilde{B}(x)+\tilde{A}(x)\cdot s(x)&= d_2(x) \cdot s^2(x) + \left\lfloor \dfrac{E'(x)}{P} \right\rceil + \epsilon (x) \in {R}_Q, \end{aligned}$$

where \(\left\Vert \epsilon (x)\right\Vert _\infty < \left\Vert s(x)\right\Vert _1\). Since , each coefficient of \({E'(x)}/{P}\) is in the range \((-0.5,0.5)\), and thus rounding of the polynomial becomes a zero polynomial. Therefore, it follows that \(\tilde{B}(x)+\tilde{A}(x)\cdot s(x) = d_2(x)\cdot s(x)^2 + \epsilon (x) \in {R}_Q\).

At the last step, we compute and return \((b_3(x),a_3(x)) = (d_0(x)+\tilde{B}(x),d_1(x)+\tilde{A}(x))\). Then, from the equation

$$\begin{aligned} b_3(x) + a_3(x) \cdot s(x)&= d_0(x) + d_1(x) \cdot s(x) + d_2(x) \cdot s(x)^2 + \epsilon (x) \\&= M_0(x) \cdot M_1(x) + e_2(x) + \epsilon (x), \end{aligned}$$

the correctness of homomorphic multiplication is followed. Furthermore, the size of the noise after multiplication is given by \(M_0(x)\cdot e_1(x) + M_1(x)\cdot e_0(x) + e_0(x) \cdot e_1(x) + \epsilon (x)\), where \(\left\Vert \epsilon (x)\right\Vert _\infty < \left\Vert s(x)\right\Vert _1\).    \(\square \)

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Han, K., Ki, D. (2020). Better Bootstrapping for Approximate Homomorphic Encryption. In: Jarecki, S. (eds) Topics in Cryptology – CT-RSA 2020. CT-RSA 2020. Lecture Notes in Computer Science(), vol 12006. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-40185-6

  • Online ISBN: 978-3-030-40186-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics