## Abstract

After Cheon et al. (Asiacrypt’ 17) proposed an approximate homomorphic encryption scheme, HEAAN, for operations between encrypted real (or complex) numbers, the scheme is widely used in a variety of fields with needs on privacy-preserving in data analysis. After that, a bootstrapping method for HEAAN is proposed by Cheon et al. (Eurocrypt’ 18) with modulus reduction being replaced by a sine function. In this paper, we generalize the Full-RNS variant of HEAAN proposed by Cheon et al. (SAC, 19) to reduce the number of temporary moduli used in key-switching. As a result, our scheme can support more depth computations without bootstrapping while ensuring the same level of security.

We also propose a new polynomial approximation method to evaluate a sine function in an encrypted state, which is specialized for the bootstrapping for HEAAN. Our method considers a ratio between the size of a plaintext and the size of a ciphertext modulus. Consequently, it requires a smaller number of non-scalar multiplications, which is about half of the Chebyshev method.

With our variant of the Full-RNS scheme and a new sine evaluation method, we firstly implement bootstrapping for a Full-RNS variant of approximate homomorphic encryption scheme. Our method enables bootstrapping for a plaintext in the space \({\mathbb {C}}^{16384}\) to be completed in 52 s while preserving 11 bit precision of each slot.

K. Han—This work was done when the first author was in Seoul National University (SNU).

## Access this chapter

Tax calculation will be finalised at checkout

Purchases are for personal use only

### Similar content being viewed by others

## Notes

- 1.
After version 3.2, they use one temporary modulus instead of bit-decomposition as in [17].

- 2.
In practice, \(p_i\)’s are chosen to have maximum sizes within the word size (<64 bits). On the other hand, sizes of \(q_j\)’s are depend on the precision of applications, and usually they are 40–45 bits.

- 3.
In the case of SEAL v3.2, they use the bit-decomposition technique with the RNS-decomposition to reduce the noise growth. But, this method also has a drawback. It increases the length of the public key vector for key-switching further, which is directly related to the complexity of the process.

- 4.
In Step 1, inverse NTT transform is needed for the next step (modulus raising).

- 5.
Here, SEAL v.3.3 and HEAAN-RNS indicate the scheme corresponding to each paper and library.

- 6.
Previous method uses a sine function and double angle formula for a sine function needs both \(\cos (t)\) and \(\sin (t)\) to compute \(\sin (2t)\).

- 7.
The code for finding an approximate polynomial for the cosine function can be found at [15].

- 8.
In fact, they use the nodes \(t_i = K \cos \left( {i\pi /n}\right) \) for \(0 \le i \le n\) instead of nodes \(t_i = K \cos \left( (2i-1)\pi / (2n+2) \right) \) for \(1 \le i \le n+1\). But, there is no big difference.

- 9.
Here, SEAL v.3.3 and HEAAN-RNS indicate the schemes corresponding to each library and paper.

- 10.
\(|t-\sin {t}|<O(t^3)\) for

*t*near the origin.

## References

Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol.

**9**(3), 169–203 (2015)Bajard, J.-C., Eynard, J., Hasan, M.A., Zucca, V.: A full RNS variant of FV like somewhat homomorphic encryption schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 423–442. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_23

Boemer, F., Lao, Y., Wierzynski, C.: nGraph-HE: a graph compiler for deep learning on homomorphically encrypted data. arXiv preprint arXiv:1810.10121 (2018)

Carpov, S., Gama, N., Georgieva, M., Troncoso-Pastoriza, J.R.: Privacy-preserving semi-parallel logistic regression training with Fully Homomorphic Encryption. Cryptology ePrint Archive, Report 2019/101 (2019). https://eprint.iacr.org/2019/101

Chen, H., Chillotti, I., Song, Y.: Improved bootstrapping for approximate homomorphic encryption. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 34–54. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_2

Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: A full RNS variant of approximate homomorphic encryption. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 347–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_16

Cheon, J.H., Han, K., Kim, A., Kim, M., Song, Y.: Bootstrapping for approximate homomorphic encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 360–384. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_14

Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15

Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, vol. 9, pp. 169–178 (2009)

Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 83–105. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_5

Han, K., Hhan, M., Cheon, J.H.: Improved homomorphic discrete Fourier transforms and FHE bootstrapping. IEEE Access

**7**, 57361–57370 (2019)Han, K., Hong, S., Cheon, J.H., Park, D.: Efficient logistic regression on large encrypted data. Cryptology ePrint Archive, Report 2018/662 (2018)

Jiang, Y., Wang, C., Wu, Z., Du, X., Wang, S.: Privacy-preserving biomedical data dissemination via a hybrid approach. In: AMIA Annual Symposium Proceedings, vol. 2018, p. 1176. American Medical Informatics Association (2018)

Ki, D.: (2019). https://github.com/DohyeongKi/better-homomorphic-sine-evaluation

Kim, A., Song, Y., Kim, M., Lee, K., Cheon, J.H.: Logistic regression model training based on the approximate homomorphic encryption. BMC Med. Genomics

**11**(4) (2018). Article number: 83Kim, M., Song, Y., Li, B., Micciancio, D.: Semi-parallel logistic regression for GWAS on encrypted data. Cryptology ePrint Archive, Report 2019/294 (2019). https://eprint.iacr.org/2019/294

Kim, M., Song, Y., Wang, S., Xia, Y., Jiang, X.: Secure logistic regression based on homomorphic encryption: Design and evaluation. JMIR Med. Inform.

**6**(2), e19 (2018)Paterson, M.S., Stockmeyer, L.J.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput.

**2**(1), 60–66 (1973)

## Author information

### Authors and Affiliations

### Corresponding author

## Editor information

### Editors and Affiliations

## A Correctness and Noise Growth of Homomorphic Multiplication

### A Correctness and Noise Growth of Homomorphic Multiplication

Before proving the correctness of the homomorphic multiplication, first remind the properties of \(\texttt {ModUp} \) and \(\texttt {ModDown} \) with the following three equations:

where \({\mathcal {B}}=\{p_0,\dots ,p_{k-1}\}\) and \({\mathcal {C}}=\{q_0,\dots ,q_\ell \}\). With the above three equations and properties of RNS-Decompose and RNS-Power, we can prove the correctness of the homomorphic multiplication in our scheme.

### Theorem 2

The algorithm such that

where . Here, \(\textsf {ct} _i=(b_i(x),a_i(x)) \in {R}_Q^2\), and \(b_i(x)+a_i(x)\cdot s(x) = M_i(x) + e_i(x)\) for \(i = 0, 1\).

### Proof

*For simplicity, we assume that* \(\ell = L\) *and* \((\ell +1)\) *is a multiple of* \(\alpha \). *First, a vector* \((d_0(x),d_1(x),d_2(x))\) *which satisfies*

*is obtained after Step 1.*

*In Step 2, since* \(\ell = L\) and \((L+1)\) *is a multiple of* \(\alpha \), \(\beta \) *equals to* \({\texttt {\textit{dnum}}}\) *and the zero-padding part can be omitted. Then,*

*is returned after RNS-Decompose step.*

*Also, Modulus-Raise step returns vectors of length* \(k+\ell +1\),

*where* \(\tilde{d}^{(i)}_2(x) \in {R}_{PQ}\), *for* \(0\le i < {\texttt {\textit{dnum}}}\). *From Eqs.* A.1–A.2, *we can check that* \(\tilde{d}_2(x)\) *satisfies the following equations:*

*Note that the norm of* \(\tilde{d_2}^{(i)}(x)\) *is still much smaller than* *PQ*, *and for this reason*, \(\texttt {ModUp} \) *does not harm the functionality of* \({\texttt {\textit{RNS-Decompose}}}\) *and* \({\texttt {\textit{RNS-Power}}}\).

*Next, we suppose that evaluation keys* *which satisfy* \(B_i(x) + A_i(x) \cdot s(x) = P \cdot \hat{Q}_i \cdot s^2(x) + E_i(x) \in {R}_{PQ}\), *where* \(\left\Vert E_i(x)\right\Vert _\infty < e_\texttt {fresh}\), *are generated in the key generation step. Then, the inner product step returns* \((B'(x),A'(x)) = \sum _{i=0}^{\beta -1}\left[ \tilde{d_2}^{(i)}(x) \cdot (B_i(x),A_i(x)) \right] \) *and it satisfies the following equation:*

*where* *and* *N* *is the dimension of the ring.*

*After that, we apply modulus-down process to revert the modulus space from* \({R}_{PQ}\) to \({R}_Q\) *and to reduce the size of* \(E'(x)\). *Let* \((\tilde{B}(x),\tilde{A}(x))\) *be the return of modulus-down step with CRT decomposed representation. From the modulus switching technique and Equation* A.3, *we can see that* \((\tilde{B}(x),\tilde{A}(x))\) *has the following property:*

*where* \(\left\Vert \epsilon (x)\right\Vert _\infty < \left\Vert s(x)\right\Vert _1\). *Since* , *each coefficient of* \({E'(x)}/{P}\) *is in the range* \((-0.5,0.5)\), *and thus rounding of the polynomial becomes a zero polynomial. Therefore, it follows that* \(\tilde{B}(x)+\tilde{A}(x)\cdot s(x) = d_2(x)\cdot s(x)^2 + \epsilon (x) \in {R}_Q\).

*At the last step, we compute and return* \((b_3(x),a_3(x)) = (d_0(x)+\tilde{B}(x),d_1(x)+\tilde{A}(x))\). *Then, from the equation*

*the correctness of homomorphic multiplication is followed. Furthermore, the size of the noise after multiplication is given by* \(M_0(x)\cdot e_1(x) + M_1(x)\cdot e_0(x) + e_0(x) \cdot e_1(x) + \epsilon (x)\), *where* \(\left\Vert \epsilon (x)\right\Vert _\infty < \left\Vert s(x)\right\Vert _1\). \(\square \)

## Rights and permissions

## Copyright information

© 2020 Springer Nature Switzerland AG

## About this paper

### Cite this paper

Han, K., Ki, D. (2020). Better Bootstrapping for Approximate Homomorphic Encryption. In: Jarecki, S. (eds) Topics in Cryptology – CT-RSA 2020. CT-RSA 2020. Lecture Notes in Computer Science(), vol 12006. Springer, Cham. https://doi.org/10.1007/978-3-030-40186-3_16

### Download citation

DOI: https://doi.org/10.1007/978-3-030-40186-3_16

Published:

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-40185-6

Online ISBN: 978-3-030-40186-3

eBook Packages: Computer ScienceComputer Science (R0)