Abstract

With the rapid development of the Internet of Things (IoT), serious questions of privacy protection arise, and they greatly limit the large-scale application of IoT. Fully homomorphic encryption (FHE) can provide privacy protection for IoT, but its efficiency needs to be greatly improved. At present, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme, and it is also the main reason for the low efficiency of FHE schemes, due to the complexity of homomorphic decryption. In this paper, the bootstrapping technique of Halevi and Shoup (EUROCRYPT 15) is improved. Firstly, by introducing a definition of “load capacity”, we optimize the parameter range for which their bootstrapping technique works. Next we generalize their ciphertext modulus from close to a power of two to more general situations, which enables the method to be applied in a larger number of situations. Moreover, this paper also shows how to introduce SIMD homomorphic computation techniques into the new method, to improve the efficiency of recryption.

1. Introduction

Nowadays, the IoT is becoming an attractive system paradigm that drives a substantive leap in goods and services across physical, cyber, and social spaces. It covers everything from traditional equipment to general household equipment, bringing more efficiency and convenience to users and greatly changing current ways of life [1]. See Figure 1.

However, applications of IoT involve a large amount of private user information, such as healthcare data and location. Users want service providers to process their data accurately and efficiently and to extract the valuable information it contains, while keeping the data itself unknown to others (including the service providers themselves). All of these goals are difficult to achieve with traditional encryption schemes. Homomorphic encryption is a good choice for solving these problems [2, 3].

FHE permits a worker to perform arbitrarily complex programs on encrypted data without knowing the secret key [4]. FHE has been the focus of extensive study [5–13] since the first candidate scheme was introduced by Gentry [14], but its efficiency still needs to be greatly improved.

Bootstrapping is at present the essential technique for obtaining a “pure” FHE scheme. At the same time, it is the main bottleneck in any practical implementation, due to the complexity of homomorphic decryption. It is therefore very meaningful to improve the efficiency of bootstrapping, which mainly means a fast, low-depth circuit implementation of the decryption function. Without loss of generality, the decryption function of an LWE- (Learning with Errors-) based FHE scheme can be computed by evaluating some linear operation between the ciphertext and the secret key, reducing the result modulo a big odd modulus , and then reducing the result modulo a small modulus , to get the plaintext , namely, . In this decryption function, the modular-reduction operation () affects the depth of the decryption circuit most.

The past few years have seen intensive study of bootstrapping techniques. In Gentry’s original bootstrapping technique [14], he put forward the idea of “squashing the decryption circuit” to transform the modular-reduction operation into a summation, which gave a moderate polynomial runtime. By proposing an amortized bootstrapping method, Brakerski, Gentry, and Vaikuntanathan (BGV) reduced the runtime to [10]. However, these results applied only to “non-packed” ciphertexts (i.e., ones that encrypt just one bit each).

Gentry, Halevi, and Smart (GHS, PKC 2012) reached a major milestone with a bootstrapping algorithm for the BGV ring-LWE-based scheme (ideal-lattice-based FHE) [15]. They proposed a simpler decryption formula, obtained by choosing a prime plaintext modulus and a ciphertext modulus close to a power of . Besides, they utilized packed ciphertexts and the Fourier transform to aid efficiency. To improve the Fourier transform step of [15], [16] presented a ring/field switching technique, which yielded an asymptotically efficient bootstrapping method for BGV-style SHE schemes. Orsini, van de Pol, and Smart (PKC 15) proposed bootstrapping of BGV ciphertexts with a wider choice of and , but their decryption formula was not as simple as that of GHS. Halevi and Shoup (HS, EUROCRYPT 15) [17] generalized the plaintext modulus to more general situations and obtained better efficiency by improving the bit-extraction step. Their method is asymptotically optimal in space and time so far.

In another line of work, [18–22] present bootstrapping techniques for the GSW-FHE scheme [13]. They made significant progress in improving bootstrapping for standard-lattice-based FHE, and that progress relies mainly on the characteristic that the noise in GSW-FHE ciphertexts grows asymmetrically. However, compared with standard-LWE-based FHE schemes, ring-LWE-based FHE schemes always have more efficient homomorphic operations, and among the ring-LWE-based FHE schemes the BGV scheme is the most efficient (note that GSW-FHE is better than BGV-FHE only among standard-LWE-based schemes). Since the aim of this paper is to provide a practical FHE scheme for privacy protection in IoT, it concentrates on improving the bootstrapping technique of the BGV ring-LWE-based FHE scheme.

The starting point of this paper is HS’s work [17], where the decryption procedure consists of a linear algebra step and a modular reduction step . When and , the modular reduction step can be converted into simple bit operations, which greatly reduces the circuit depth of modular reduction. When this simple decryption formula is evaluated homomorphically, the deepest part is the homomorphic bit-extraction procedure, and its complexity (both time and depth) increases with the position of the most significant extracted bit. In [17], by adding to the ciphertext multiples of and also multiples of , a lower-degree homomorphic bit-extraction procedure was obtained. The bigger the parameter range of for which the simple modular-reduction formula holds, the better the performance of the improved homomorphic bit-extraction procedure. See [17] for further details.

Contributions. In this paper, we optimize the parameters of the bootstrapping algorithm proposed by Halevi and Shoup at EUROCRYPT 2015. Firstly, by introducing the definition of load capacity, we optimize for the first time the parameter range for which their bootstrapping technique works. Next we generalize their ciphertext modulus to more general situations, which makes our method applicable to more cases. Moreover, we also show how to introduce the SIMD technique into our new method, to improve the efficiency of bootstrapping.

Organization. Section 2 presents the notation and some background on the BGV cryptosystem. Section 3 optimizes the parameter range for which the bootstrapping technique of Halevi and Shoup works. Section 4 generalizes the ciphertext modulus from close to a power of two to more general situations, and also shows how to introduce SIMD homomorphic computation techniques into the new method to get an efficient bootstrapping method. Section 5 describes an implementation of the BGV ring-LWE-based scheme with our efficient bootstrapping method. Finally, Section 6 concludes.

2. Preliminaries

Basic Notations. Set , and let the notation refer to mod , with coefficients reduced into the range . For an integer (positive or negative), we consider the base- representation of and denote its digits by .

2.1. Homomorphic Encryption Schemes

Let be the message space and be the ciphertext space. A homomorphic encryption scheme consists of the following algorithms:
(i) : outputs the public key , the secret key , and the evaluation key .
(ii) : outputs the ciphertext , the encryption of the plaintext under the public key .
(iii) : recovers the message encrypted in the ciphertext using the secret key .
(iv) : outputs the ciphertext obtained by applying the evaluation key and the function to .

Suppose that and are two key pairs of scheme . Let be a ciphertext of the plaintext under . Let be a ciphertext of the -th bit of the first secret key under the second public key , and let be the decryption circuit. See Algorithm 1 for the “Bootstrapping” algorithm.

Input: , , ,
Output:
Step 1. , where is the -th bit of
Step 2.

It can be found that bootstrapping works only when the scheme can compactly evaluate its own decryption circuit. However, most existing schemes do not satisfy this condition naturally; they need extra operations such as “squashing the decryption circuit”, which cause the low efficiency of FHE. Thus, a lower-depth circuit implementation of the decryption function is very meaningful.

3. Analysis of HS Recryption Procedure

We start by recalling the HS recryption procedure [17], in particular how it homomorphically computes the modular-reduction operation in a lower-depth circuit. The specifics are in Lemma 1.

Lemma 1 (see [17]). Let , , and be integers, and also let be an integer such that and .
(i) If is odd then .
(ii) If then .

Lemma 1 transforms a complex modular operation into simple bit operations, to get a lower-depth circuit for the decryption function. But it is still not easy to execute a homomorphic bit-extraction operation, so [17] proposed a fast bit-extraction procedure. As stated in the introduction, the performance of the fast bit-extraction procedure depends on the parameter range of in Lemma 1: the bigger the parameter range of , the better the performance of fast bit-extraction. Thus, we next analyse whether the parameter range of in Lemma 1 is optimal. In order to do so, we introduce a new concept called “load capacity”.

Definition 2 (load capacity). Let , . Suppose the formula of modular reduction converted to simple bit operations works when and . Then the load capacity is defined as the product of the two span lengths of and , namely, .

Theorem 3 presents the general relationship between the values of and for which the formula of modular reduction converted to simple bit operations holds.

Theorem 3. Let , , and be integers, and also let be an integer such that , and let . Then
(i) if is odd then ;
(ii) if then .

Proof. We start with the odd- case. Let and with . Then

Since , we get that

Besides, since

then

And since , then

Thus, combined with formula (2), we get that

where and are the mod- representations. Then it follows that

The proof for the case is similar; the details can be found in the proof in [17] and are omitted here.

Next we discuss how to choose the value of in order to obtain the maximum “load capacity”. Denote the load capacity by ; then

Let ; then . The concrete relations are shown in Figure 2.

It can easily be seen from Figure 2 that the load capacity takes its maximum value when . That is, the load capacity of HS’s formula depends only on the span length, not on the values of and . Corollary 4 then presents the optimal choice of and for the formula of modular reduction converted to simple bit operations.

Corollary 4. Let , , , and be integers, and also let be an integer such that , and .
(i) If is odd then .
(ii) If then .
The conclusion is obvious; the proof is omitted here.

Note that, when , namely, , this is the same as HS’s work. But the load capacity of this paper is bigger than that of HS’s work, since our has a bigger span length, namely, . The details are presented in Table 1.

As seen from Table 1, our choice has a better load capacity than HS’s. Note that, while on the surface this appears to be a tiny improvement in a nondominant term, i.e., the load capacity of the choice in HS is and it is improved here to , it is actually meaningful once the principle of the fast bit-extraction trick in [17] is analysed carefully. That trick adds to the coefficients of multiples of and , making them divisible by for some , without increasing them too much and without increasing the noise too much. This means that bit-extraction can be implemented using only polynomials of degree at most , smaller than . Since the load capacity of this paper is bigger than that of HS’s work, our work allows adding more multiples of and to the coefficients of . That is, bit-extraction can be implemented using polynomials of lower degree, giving a faster implementation. Besides, our variant of HS is more flexible and general in its parameters.
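The identity behind Lemma 1 and the load-capacity search of Definition 2 can be checked numerically. The following Python is an added example written by the editor; it is not code from the paper or from HElib. It uses balanced base-p digits for odd p (the page’s own digit notation is not legible here), a sufficient condition on z that is derived in the comments rather than copied from the lemma, and it also accepts a ciphertext modulus of the form q = k·p^e + 1 with gcd(k, p) = 1 as the editor’s own generalization in the spirit of Section 4; the exact form of the modulus in Theorem 5 is not reproduced on this page and may differ. The brute-force search measures a box |z| ≤ A, |[z]_q| ≤ B by the product of its two span lengths, (2A)(2B), which is how the definition above is read here.

```python
# Added by the editor as a worked check of the digit identity behind Lemma 1 / Theorem 3
# (odd p, balanced base-p digits) and of the "load capacity" of a parameter box.  Not code
# from the paper or from HElib.  The sufficient condition in exact_condition() and the
# q = k*p^e + 1 generalisation are derived here, not copied from the page.

def centered_mod(z, m):
    """[z]_m: the representative of z mod m in the range (-m/2, m/2]."""
    t = z % m
    return t - m if t > m // 2 else t

def balanced_digits(z, p, n):
    """Lowest n digits of z in balanced base p (digits in [-(p-1)/2, (p-1)/2]), p odd.
    Negative z is handled naturally, which is why the balanced representation is used."""
    assert p % 2 == 1 and p > 1
    digits = []
    for _ in range(n):
        d = centered_mod(z, p)
        digits.append(d)
        z = (z - d) // p          # exact division
    return digits

def digit_block(z, p, i, j):
    """z<i,j> = sum_{t=i..j} z<t> * p^(t-i): the integer spelled by digits i..j of z."""
    ds = balanced_digits(z, p, j + 1)
    return sum(d * p ** (t - i) for t, d in enumerate(ds) if t >= i)

def reduce_by_digits(z, p, e, r, k=1):
    """Digit form of [z]_q mod p^r for q = k*p^e + 1 (k = 1 is the Lemma 1 setting):
    (z<0,r-1> - k^{-1} * z<e,e+r-1>) mod p^r.  k^{-1} is taken mod p^r (needs gcd(k,p)=1);
    homomorphically that inverse is a scalar multiplication."""
    m = p ** r
    k_inv = pow(k, -1, m)
    return (digit_block(z, p, 0, r - 1) - k_inv * digit_block(z, p, e, e + r - 1)) % m

def identity_holds(z, p, e, r, k=1):
    """Does the digit form agree with the true [z]_q mod p^r for this z?"""
    q = k * p ** e + 1
    return centered_mod(z, q) % (p ** r) == reduce_by_digits(z, p, e, r, k)

def exact_condition(z, p, e, k=1):
    """Derived here: write z = z1*q + [z]_q.  Then z = k*z1*p^e + (z1 + [z]_q), so when
    |z1 + [z]_q| < p^e/2 the balanced digits e.. of z spell exactly k*z1 and the identity
    holds (e >= r is also needed so that q = 1 mod p^r)."""
    q = k * p ** e + 1
    z0 = centered_mod(z, q)
    z1 = (z - z0) // q
    return 2 * abs(z1 + z0) < p ** e

def condition_is_sufficient(p, e, r, zmax, k=1):
    """Brute-force check over |z| <= zmax that exact_condition implies identity_holds."""
    return all(identity_holds(z, p, e, r, k) for z in range(-zmax, zmax + 1)
               if exact_condition(z, p, e, k))

def load_capacity(A, B):
    """Product of the two span lengths of a box |z| <= A, |[z]_q| <= B (Definition 2)."""
    return (2 * A) * (2 * B)

def best_box(p, e, r, k=1):
    """For each bound B on |[z]_q|, find the largest A such that the identity holds for
    every z with |z| <= A and |[z]_q| <= B, and return the box of maximal load capacity
    as (capacity, A, B).  Brute force; only sensible for small p^e."""
    q = k * p ** e + 1
    best = (0, 0, 0)
    for B in range(1, q // 2 + 1):
        A = None
        for a in range(1, q * q):
            if any(abs(centered_mod(z, q)) <= B and not identity_holds(z, p, e, r, k)
                   for z in (a, -a)):
                A = a - 1
                break
        if A is not None and load_capacity(A, B) > best[0]:
            best = (load_capacity(A, B), A, B)
    return best

if __name__ == "__main__":
    print(best_box(3, 2, 1), best_box(3, 3, 1))
```

For p = 3, e = 2 (q = 10) the search reports the best box at B = 3, A = 22 with capacity 264, and for p = 3, e = 3 (q = 28) at B = 7, A = 202 with capacity 5656: the optimum is at neither the largest B nor the largest A, which is exactly the trade-off between the two spans that the load-capacity analysis above is about.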

4. Generalize Modulus to More General Situations

In this section, the HS recryption procedure is extended to allow a wider choice of ciphertext modulus. The specifics are in Theorem 5.

Theorem 5. Let , , , and with and , , , and also let be an integer such that , and

Then,
(i) if is odd then ,
(ii) if then , where “” refers to scalar multiplication.

Proof. We begin with the odd- case. Let and with . Then

Since , we get that

Besides, since

then

And since , then

Thus, combined with formula (11), we get that

Thus,

The proof for the case is similar and is omitted here.

Next we discuss how to choose the value of in order to obtain the maximum “load capacity”. Denote the load capacity by ; then

Let ; then

It is easy to see that takes its maximum value when

That is, the load capacity again depends only on the span length, not on the values of and .

Then Corollary 6 presents the optimal choice of and for the formula of modular reduction converted to simple bit operations.

Corollary 6. Let , , and with and , , , and also let be an integer such that , and

Then
(i) if is odd then ;
(ii) if then .
The conclusion is obvious; the proof is omitted here.

To get a homomorphic implementation of the simple decryption formula above, we first present a homomorphic bit-extraction procedure (Algorithm 2), which differs slightly from the bit-extraction procedure of [17].

Input: Modulus , and a ciphertext c encrypting a constant relative to secret key s and modulus
Output: A ciphertext encrypting the bit operation relative to secret key s and modulus
1. Set // encrypt w.r.t. s
2. For to
3. Set // is an accumulator
4. For to // compute
5. Set // homomorphic exponentiation to the power
6. Set
7. Set // encrypts
8. Output

The exponentiation in Step 5 uses native homomorphic multiplication to multiply the ciphertext by itself times. To aid exposition, this code assumes that the modulus and secret key remain fixed; otherwise modulus switching and key switching should be added (and the level should be increased correspondingly to some ).
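What the bit-extraction procedure computes can be followed on plaintexts. The following Python is an added example by the editor, not the paper’s Algorithm 2 and not HElib code: it simulates GHS/HS-style extraction of the bits of z for p = 2 using only ring operations, so that the squaring count stands in for homomorphic multiplications and the nesting of the squarings gives the multiplicative depth e, and it then recovers [z]_q mod 2 for q = 2^e + 1 from three extracted bits. The p = 2 reduction formula and its range condition are derived in the comments; they are the editor’s derivation, not the paper’s case (ii), whose symbols are not legible on this page.

```python
# Added by the editor: a plaintext-level simulation of GHS/HS-style digit extraction for
# p = 2, i.e. the arithmetic the homomorphic evaluator applies to the plaintext inside the
# ciphertext.  Not code from the paper or from HElib.  Only ring operations are used: add,
# subtract, square, multiply by a constant 2^i, and exact division by 2^j of a value known
# to be divisible by 2^j (in HElib that is a plaintext-modulus drop), so the number of
# squarings is a proxy for homomorphic cost.

def extract_bits(z, e):
    """Return (bits, squarings) with bits[j] == (z >> j) & 1 for j = 0..e.
    z is taken modulo 2^(e+1) (two's complement for negative z).

    w[i, k] is an integer mod 2^(e+1-i) that agrees with bit i of z modulo 2^(k-i+1).
    Squaring lifts the agreement by one bit, because for b in {0, 1}
    (b + 2^s*y)^2 = b + 2^(s+1)*b*y + 2^(2s)*y^2 = b (mod 2^(s+1)).
    Row j needs e-j squarings after its accumulator, so the multiplicative depth is e
    and the total number of squarings is e(e+1)/2."""
    M = 1 << (e + 1)
    w = {}
    squarings = 0
    for j in range(e + 1):
        acc = z % M
        for i in range(j):                       # subtract the bits already extracted;
            acc = (acc - (w[i, j] << i)) % M     # w[i,j] << i is right mod 2^(j+1)
        assert acc % (1 << j) == 0               # acc = 2^j*(z >> j) - 2^(j+1)*junk (mod M)
        m_j = 1 << (e + 1 - j)                   # plaintext modulus after dividing by 2^j
        w[j, j] = (acc >> j) % m_j               # its lowest bit is bit j of z
        for k in range(j + 1, e + 1):
            w[j, k] = w[j, k - 1] * w[j, k - 1] % m_j
            squarings += 1
    return [w[j, e] for j in range(e + 1)], squarings   # w[j,e] equals bit j exactly

def centered_mod(z, m):
    """[z]_m: the representative of z mod m in the range (-m/2, m/2]."""
    t = z % m
    return t - m if t > m // 2 else t

def in_range(z, e):
    """Editor's range condition for the p = 2 formula below: write z = z1*q + [z]_q with
    q = 2^e + 1, so z = z1*2^e + (z1 + [z]_q); require -2^(e-1) <= z1 + [z]_q < 2^(e-1)."""
    q = (1 << e) + 1
    z0 = centered_mod(z, q)
    z1 = (z - z0) // q
    return -(1 << (e - 1)) <= z1 + z0 < (1 << (e - 1))

def reduce_mod_q_via_bits(z, e):
    """[z]_q mod 2 for q = 2^e + 1 from extracted bits alone (valid when in_range(z, e)).
    Derived here: with w = z1 + [z]_q in the range above, z + 2^(e-1) = z1*2^e + w' with
    0 <= w' < 2^e, so bit e of z + 2^(e-1) is z1 mod 2; adding 2^(e-1) flips bit e exactly
    when bit e-1 of z is set; and [z]_q = w - z1 has the parity of (z mod 2) + z1.  Hence
    [z]_q mod 2 = bit0(z) XOR bit(e-1)(z) XOR bit(e)(z), a linear operation on the bits."""
    bits, _ = extract_bits(z, e)
    return (bits[0] + bits[e - 1] + bits[e]) % 2

def formula_matches(e, zmax):
    """Brute force: for every |z| <= zmax inside the range, the bit formula equals [z]_q mod 2."""
    q = (1 << e) + 1
    return all(reduce_mod_q_via_bits(z, e) == centered_mod(z, q) % 2
               for z in range(-zmax, zmax + 1) if in_range(z, e))

if __name__ == "__main__":
    bits, n = extract_bits(89, 6)                # 89 = 0b1011001, constructed input
    print(bits, n, formula_matches(5, 600))
```

The accumulator at row j subtracts w[i, j] rather than the final bit values, which keeps every row at depth at most e while the extraction still costs e(e+1)/2 squarings; the degree-lowering trick of [17] discussed in Section 3 aims precisely at reducing how many of these rows are needed.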

Algorithm 3 then shows how to combine our optimized “bootstrapping” technique with the SIMD homomorphic computation techniques of Smart and Vercauteren [23], to get a bootstrapping method that works in time quasilinear in the security parameter.

Step 1. The user first post-processes the -secret-key by encrypting as a -ciphertext with respect to the -secret-key ; namely, the user has
where
with small coefficients.
Step 2. The server computes homomorphically. Specifically, the server computes the mod- inner product homomorphically by setting
Step 3. Apply a homomorphic inverse-DFT transformation to convert to CRT-based “packed” ciphertexts that hold the coefficients of in their plaintext slots.
Step 4. Apply the bit-extraction procedure to all these slots in parallel. The result is an encryption of polynomials that have the coefficients of in their plaintext slots.
Step 5. Apply a homomorphic DFT transformation to get back a ciphertext that encrypts the polynomial itself.

5. Implementation and Performance

In this section, the BGV ring-LWE-based scheme is implemented, since it offers close to the most efficient homomorphic operations. This scheme is defined over a ring , where is the th cyclotomic polynomial. Let be a prime or a prime power, and . Specifically, assume , where each has the same degree , which is equal to the order of modulo . Then, by the Chinese Remainder Theorem, we have the isomorphism . Besides, suppose is the -secret-key, where is an integer polynomial with small coefficients, is the -secret-key, and is the -ciphertext.

First, several groups are chosen which satisfy . For each triple , a test is run separately for our work and for HS’s work. These tests were run on a four-year-old IBM System x3850 server, with two 64-bit 4-core Intel Xeon E5450 processors, 35 MB L2 cache, and 32 GB of RAM at 3.0 GHz. The implementation was mainly based on Shoup’s NTL library [23] version 9.10.0 and GNU’s GMP library [24]; the former is used for high-level numeric algorithms and the latter for the underlying integer arithmetic. The code was compiled with gcc (version 4.9.1). Table 2 summarizes the results of our experiments for our work and HS’s.

The first column gives the cyclotomic ring m and its factorization into prime powers. The second column gives the plaintext space, i.e., the field/ring that is embedded in each slot. The third column gives the number of slots packed into a single ciphertext. The fourth column gives the effective security level, computed using the formula used in HElib, taken from [15, Eqn. ]. The “total recrypt” row gives the total time for a single recryption, while the previous two rows give a breakdown of that time (note that the time for the linear transforms includes some trivial preprocessing time, as well as the less trivial unpacking/repacking time). The last two rows give the memory used (in gigabytes).

As seen from Table 2, compared with HS’s work, it can easily be seen that the variant of HS has advantages both in efficiency and in storage space. Besides, the variant of HS is more flexible and general in its parameters, which enables our method to be applied in a larger number of situations.

6. Conclusions

Up to now, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme, and it is also the main reason for the low efficiency of FHE schemes. It is very meaningful to improve the efficiency of bootstrapping, which mainly means a lower-depth circuit implementation of the decryption function. This paper improves the “load capacity” of HS’s work, giving better efficiency for bootstrapping, and generalizes the ciphertext modulus to more general situations in a similarly simple way. This enables our method to be applied in a larger number of situations, such as privacy protection for IoT.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was sponsored in part by the National Natural Science Foundation of China (Grants nos. 61272041, 61202491, 61272488, and 61601515) and was also supported by the Foundation of Science and Technology on Information Assurance Laboratory (no. KJ-15-006).