Kyoohyung Han is a PhD student in the Department of Mathematical Science at the Seoul National University in Korea. These are the slides from his presentation at EuroCrypt 2018.

1. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Homomorphic Lower Digits Removal and
Improved FHE Bootstrapping
Hao Chen and Kyoohyung Han*
Microsoft Research and Seoul National University
satanigh@snu.ac.kr
April 30, 2018

2. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Homomorphic Encryption
• Homomorphic Encryption (HE) supports operations between
encrypted data
• HE can be used for out-sourced computation (without
revealing private information)

3. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Bootstrapping
• The size of noise in ciphertext of HE becomes large during
homomorphic evaluations.
• If we need large depth computation in encrypted state,
bootstrapping is necessary.

4. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Bootstrapping
• Bootstrapping = ‘Homomorphic Eval of decryption circuit’.
• How can we make bootstrapping more efficient?
1. Express decryption function (or circuit) with lower depth.
> Better Bootstrapping in FHE [GHS12]
> Bootstrapping in HElib [HS15]
> (Batch) FHE over integers for Non-binary Msg Space [NK15]
2. Express decryption function with less non-scalar multiplications.
> Various optimization techniques are related.

5. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Homomorphic Lower Digit Removal
Homomorphic Lower Digit Removal
For a given encryption of a ∈ Zpe , our goal is to return encryption
of b = a − [a]pv ∈ Zpe .
• Homomorphic Lower Digit Removal is used in bootstrapping
for RLWE based FHE.
• Homomorphic Lower Digit Removal can also be used for
homomorphic flooring (which is need for real number
arithmetics).

6. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Homomorphic Lower Digit Removal
Homomorphic Lower Digit Removal
For a given encryption of a ∈ Zpe , our goal is to return encryption
of b = a − [a]pv ∈ Zpe .
• Homomorphic Lower Digit Removal is used in bootstrapping
for RLWE based FHE.
• Homomorphic Lower Digit Removal can also be used for
homomorphic flooring (which is need for real number
arithmetics).
• HE only supports add and mult (i.e polynomial evaluation).
• What is good representation of Homomorphic Lower Digit
Removal using polynomial?

7. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
The Previous Method in [HS15]
Lifting Polynomial
For a given p and e, there exists a polynomial F(X) satisfies
following condition:
F(b) = a ∈ Zpk+1 if b = a ∈ Zpk
for a ∈ {0, . . . , p − 1}. The degree of F(X) is p.

8. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
The Previous Method in [HS15]
Lifting Polynomial
For a given p and e, there exists a polynomial F(X) satisfies
following condition:
F(b) = a ∈ Zpk+1 if b = a ∈ Zpk
for a ∈ {0, . . . , p − 1}. The degree of F(X) is p.
Special Operations
For a given encryption of a ∈ Zpe , MultByP() returns an
encryption of pa ∈ Zpe+1 . For a given encryption of pa ∈ Zpe ,
DivideByP() returns an encryption of a ∈ Zpe−1 .

9. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
The Previous Method
For an encryption of I = d + cp + bp2 + ap3 = a b c d ,
• Lift( a b c d ): 0 d · · · expensive
• Lift( 0 d ): 0 0 d · · · expensive
• MultByP( a b c ): a b c 0 · · · cheap
• DevideByP( a b c 0 ): a b c · · · cheap
Remark
The number of non-scalar multiplication while homomorphic
evaluation of lifting polynomial is O(
√
p) (Paterson-Stockmeyer
Algorithm).

10. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
The Previous Method
GOAL: a b c d ⇒ a b 0 0
a b c d
Lift
−−→ 0 d
Lift
−−→ 0 0 d
Lift
−−→ 0 0 0 d
c 0 and apply DivideByP()
c
Lift
−−→ 0 c
Lift
−−→ 0 0 c
MultByP()
−−−−−−→ 0 0 c 0
Depth and Complexity
Suppose that the input is in Zpe and we want to remove bottom v
digits. The previous method consumes (e log p) depth and
(1
2e2
√
2p) number of non-scalar multiplications.

11. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Our Method
Lowest Digit Removal (LDR) Polynomial
For a given p and e, there exist a polynomial F such that for every
integer 0 ≤ a < pe, we have
F(a) = a − [a]p mod pe
.
The degree of F(X) is at most (e − 1)(p − 1) + 1.
• When p = 2 and e = 4, F(X) = 11X4 + 8X3 + 12X2 + X.
• If we use lifting polynomial, we can get F (X) = X − X8.
• LDR( a b c d ): a b c 0 .
• Lowest Digit Extraction (LDE) can also be done by thinking
G(X) = X − F(X).

12. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Our Method
GOAL: a b c d ⇒ a b 0 0
a b c d
Lift
−−→ 0 d , a b c d
LDE
−−−→ 0 0 0 d
c 0 and apply DivideByP()
c
LDE
−−−→ 0 0 c
MultByP()
−−−−−−→ 0 0 c 0
Depth and Complexity
Suppose that the input is in Zpe and we want to remove bottom v
digits. Our method consumes (v log p + log e) depth and
(
√
2pe · v) number of non-scalar multiplications.

13. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Result
• Our method consumes smaller depth and is faster than
previous one.
• In case of p = 2, 3, lifting polynomial is X2 and X3 resp.
Homomorphic evaluation of those functions have some
optimizations.

14. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Improved Bootstrapping for (B)FV scheme
Decryption Algorithm
1. Inner Product:
c1(x) + c2(x) · s(x) mod q = q/t · m(x) + e(x)
2. Rounding:
t
q
(c1(x) + c2(x) · s(x)) = m(x)
Step 1 is easy to evaluate in encrypted state, but step 2 is hard to
do. To make it easier, we apply a ‘modulus switching’ trick.

15. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Improved Bootstrapping for (B)FV scheme
Let t = pr and ciphertext modulus is switched to q = pe.
1. Inner Product:
c1(x) + c2(x) · s(x) mod pe
= pe−r
· m(x) + e(x)
2. Lower Digit Removal:
Add pe−r
/2 and remove bottom e−r digits of each coefficients.
Bootstrapping can be done using our method for removing e − r
digits in second step.

16. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Slim Bootstrapping for (B)FV scheme
• The plaintext space of
BGV and (B)FV scheme is
a product of finite fields.
• In applications, it is hard
to use those finite field
structures.
• For this reason, we also
proposed efficient
bootstrapping for plaintext
space Zt for t = pr .

17. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
Result
• We implemented our method on Simple Encrypted Arithmetic
Library v2.3. [SEAL]
• Our technique can also be adapted to bootstrapping in HElib.
• When plaintext space is Z64
127, recrypt takes only 6.75 seconds.

18. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE

19. Introduction Homomorphic Lower Digit Removal Improved Bootstrapping for FHE
References
Simple Encrypted Arithmetic Library (SEAL)
https://www.microsoft.com/en-us/research/project/simple-encrypted-
arithmetic-library/
Craig Gentry, Shai Halevi, and Nigel P. Smart
Better Bootstrapping in Fully Homomorphic Encryption
PKC 2012
Shai Halevi and Victor Shoup
Bootstrapping for HElib
EUROCRYPT 2015
Koji Nuida and Kaoru Kurosawa
(Batch) Fully Homomorphic Encryption over Integers for Non-binary
Message Spaces
EUROCRYPT 2015

20. Make sure to check out vpnMentors’
interview with Kyoohyung Han at
EuroCrypt 2018 in Tel Aviv