Floating-Point Homomorphic Encryption

Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song

Department of Mathematical Sciences, Seoul National University,Republic of Korea

jhcheon, kimandrik, alfks500, lucius05@snu.ac.kr

Abstract. Our paper suggests a general method to construct a Floating-Point Homomor-phic Encryption (FPHE) scheme that allows the floating-point arithmetics of ciphertexts,thus computing encryptions of most significant bits of m1+m2 and m1m2, given encryptionsof floating-point numbers m1 and m2. Our concrete construction of leveled FPHE based onBGV scheme is almost optimal in the sense of noise growth and precision loss. More precisely,given encryptions of d messages with η bits of precision, our scheme of depth dlog de securelycomputes their product with η−dlog de bits of precision similarly to the case of unencryptedfloating-point computation. The required bit size of the largest modulus grows linearly inthe depth. We also describe algorithms for evaluating some floating-point arithmetic circuitscontaining polynomial, multiplicative inverse, and even exponential function, and analyzetheir complexities and output precisions. With the security parameter λ = 80, our rudimen-tary implementation takes 315ms and 168ms to compute a product of 16 ciphertexts anda multiplicative inverse of a ciphertext, respectively, when given ciphertexts have 20 bits ofprecision.

Keywords. Homomorphic Encryption, Floating-point Arithmetic, BGV Scheme, SomewhatHomomorphic Encryption

1 Introduction

The floating-point is the most common way to approximately represent real numbers in computers,and has been widely used in computer system and intensive scientific computations. A floating-point number is represented in terms of four integers as x = ±s · be−k, where b is the base, eis the exponent, k is the precision (the number of significant digits in significand), and s is thesignificand satisfying 0 ≤ s ≤ bk− 1. The floating-point arithmetic consists of the usual arithmeticand rounding step to the significand. It allows us to represent real numbers using fixed number ofbits, and supports a trade-off between range (size of representation) and precision.

Homomorphic encryption (HE) is a cryptographic scheme that allows homomorphic operationson encrypted data without decryption. Since Gentry discovered the first plausible construction offully homomorphic encryption scheme [Gen09], many other HE schemes have been suggested follow-ing Gentry’s blueprint (e.g., [DGHV10,BV11a,BV11b,Bra12,BGV12,GSW13,CLT14,CS15,DM15]).Most of existing schemes encode the messages into a fixed modulus space, a product of severalmodulus spaces, or a polynomial ring over modulus space. However, HE schemes have not beenused in many practical applications because of their inefficiency of real number computations,especially floating-point arithmetic.

Floating-Point Homomorphic Encryption. In this paper, we propose a general idea to con-struct a Floating-Point Homomorphic Encryption (FPHE) scheme supporting floating-point ad-dition and multiplication of ciphertexts which output encryptions of some most significant bits(MSBs) of m1 + m2 and m1m2 respectively, upon input encryptions of two messages m1 andm2. Our concrete construction of a leveled FPHE scheme comes from the classical LWE-basedscheme [BGV12] by modifying some operations such as modulus-switching procedure.

2

First of all, we place an encryption noise in the rightmost position together with a plaintext asin Figure 1, i.e., an encryption c of m encrypted by s satisfies 〈c, s〉 = m + e (mod q) for somesmall e. We cannot recover the exact value m from the ciphertext c, but the inserted noise e can beconsidered as an error occurred during floating-point computations. This approximate value m+ emay substitute the original message in floating-point arithmetics with almost the same precisionwhen |e| is sufficiently small. If the input data is too small or large, then one may encode andregulate the magnitude of message by multiplying a scaling factor, and store the scaling factor(or exponent) independently. The homomorphic operations of our scheme output the ciphertextscadd and cmult satisfying 〈cadd, s〉 mod q ≈ m1 + m2 and 〈cmult, s〉 mod q ≈ m1m2. We use thekey-switching technique [BV11a,BGV12] for multiplication procedure.

The modulus-switching technique was suggested in [BV11a,BGV12] to reduce the magnitudeof inserted error, but it has a completely different role in our scheme. It rounds up some leastsignificant bits (LSBs) of message to maintain the size of significand after homomorphic operations.The composition of this modulus-switching procedure and homomorphic operation (as in Figure 1)mimics the ordinary (unencrypted) floating-point computations. Our scheme is almost optimal inthe sense of precision: precision of resulting message is lost by about one bit similar to the case ofunencrypted floating-point arithmetic.

e1

m1

q

e2

m2

q×

emult

m1m2

q

MSB LSB

ModSwitch

e′

q′q m1m2

q′

Fig. 1. Ciphertext after a homomorphic multiplication

FPHE Arithmetics. Based on our construction of FPHE, we homomorphically evaluate sometypical circuits containing (real) constant addition/multiplication, product, polynomial, and multi-plicative inverse. We describe algorithms to minimize the circuit depth and complexity, and analyzetheir noise and precision loss during homomorphic evaluation.

In our scheme, every integer is a trivial encryption of itself without error. Hence, the constantaddition procedure almost does not change the absolute error of the ciphertext (fraction part canbe added to noise). In addition, the constant multiplication process with suitable choice of scalingalmost does not change the relative error of the input ciphertext. Given encryptions of messagesm1, . . . ,md with η bits of precision, our leveled FPHE scheme of depth dlog de computes theirproduct with (η − dlog de) bits of precision in (d− 1) homomorphic multiplications of ciphertexts.The magnitude of significands is invariably maintained, so the required bit size of the largestmodulus is linear in depth dlog de. For example, given 16 ciphertexts with 20 bits of precision, wecan compute their product with 15 bits of precision in about 315ms. We get a similar result forthe evaluation of polynomials, and extend the case to analytic functions such as exponential andlogistic functions using Taylor decomposition.

3

Table 1. Summary of FPHE arithmetics

FunctionBit precision

Depth #(HM)of output

Constant addition a+ x ≥ η 0 0

Constant multiplication a · x η 0 0

Product∏di=1 xi η − dlog de dlog de d− 1

Power function xd η − dlog de dlog de dlog dePolynomial

∑di=0 aix

i η − dlog de dlog de d− 1

Multiplicative inverse x−1 η − 1 dlog ηe 2blog ηcExponential ex η − dlog ηe dlog ηe η − 1

η: bit precision of inputs

HM: homomorphic multiplications of ciphertexts

Let x = 1 − x for a given real number x with 1/2 ≤ x ≤ 1. From the equality x(1 + x)(1 +

x2) · · · (1 + x2k−1

) = (1− x2k), x−1 can be approximated by (1 + x)(1 + x2) · · · (1 + x2k−1

) with aprecision of 2k bits. We transform this equality to securely compute the multiplicative inverse. Moreprecisely, given a ciphertext with η bits of precision, our FPHE scheme of depth log η can computeits multiplicative inverse with (η−1) bits of precision in 2blog ηc multiplications of ciphertexts. Forexample, upon inputs the 20 bits of precision, one can compute an encryption of its multiplicativeinverse with 19 bits of precision with only 8 multiplications of FPHE scheme of depth 5, and ourimplementation with the security parameter λ = 80 takes about 168ms.

Related Works. There have been a substantial number of studies concerned with processingreal numbers over encryption. The obvious method is to scale them to integers, but a plaintextmodulus is exponential in the length of message. For example, Bos et al. [BLN14] described howto privately predict the likelihood of having a heart attack by evaluating the logistic regressionfunction with scaled input data. On the other hand, Dowlin et al. [DGL+15] presented an efficientmethod to represent fixed-point numbers − it is encoded as a polynomial with coefficients in therange [−(B − 1)/2, (B − 1)/2] using its base-B representation for an odd integer B ≥ 3. However,when the number of significant bits is large, it results in large degree of the polynomial ring.

On the other hand, division is an essential operation for real-world applications such as the med-ical, financial, advertising domains, and machine learning algorithms. Algesheimer et al. [ACS02]introduced a problem of solving a secure integer division such that given two encryptions of a andb, determine an encryption of bab c without leaking any information about inputs. Their solutionwas based on Newton iteration using secure multiparty computation protocol. The protocols werelater implemented by Jakobsen in the passively secure three-party setting [Jak06]. In [DNT12],they proposed secure computation protocols to solve the problem in a two-party setting. Theircomputation cost is tractable, but the protocols still require a lot of interactions. Recently, Cetinet al. [cDSM15] described new ideas for comparison and homomorphic division given word-basedencrypted data. They found approaches by using approximation techniques, but there was noaccurate explanation of the precision for the approximation.

Road-map. Section 2 briefly introduces notations and some preliminaries about floating-pointarithmetics and the LWE problem. Then Section 3 presents a floating-point homomorphic encryp-tion scheme and analyze the noise growth during basic homomorphic operations. In Section 4, wesuggest some algorithms to evaluate typical circuits homomorphically, and compute the precisionof outputs. Finally, in Section 5 we provide an implementation and performance of our scheme.

4

2 Preliminaries

Notation. All logarithms are base 2 unless otherwise indicated. We denote vectors in bold, e.g., a,and matrices in upper-case bold, e.g., A. Every vector in this paper is a column vector. We denoteby 〈·, ·〉 the usual dot product of two vectors. For a real number r, bre denotes the nearest integerto r, rounding upwards in case of a tie.

For an integer q, we use Z∩ (−q/2, q/2] as a representative of Zq. We use x← D to denote thesampling x according to distribution D. It denotes the uniform sampling when D is a finite set.For a set S, U(S) denotes the uniform distribution on S.

Throughout the paper, we let λ denote the security parameter: all known valid attacks againstthe cryptographic scheme under scope should take Ω(2λ) bit operations.

2.1 Floating-Point Arithmetic

Floating-point is the formulaic representation that approximates a real number so as to supporta trade-off between range and precision. A number is, in general, represented approximately to afixed number of significant digits (significand), so real numbers can be approximated with the finiteword length in a computer. The term floating refers to the fact that a number’s radix point canfloat: it can be placed anywhere relative to the significant digits of the number. More precisely, afloating-point number x can be represented in terms of four integers as x = ±s ·be−k, where b is thebase or radix, e is the exponent, k is the precision (the number of significant digits in significand),and s is the significand satisfying 0 ≤ s ≤ bk − 1.

Let x∗ be a real number. We use the notation x = fl(x∗) to represent the floating-point valueof x∗ (nearest number in the floating-point system). The most useful measures of the accuracyof x are its absolute error Eabs(x) = |x − x∗| and its relative error Erel(x) = |x− x∗|/|x∗|. Todetermine accuracy, we define the quantity u = 1

2 · b1−k, called the unit round-off. It is the furthest

distance relative to unity between a real number and the nearest floating-point number. It boundsthe relative error in representing as x = x∗(1 + ε) such that Erel(x) = |ε| ≤ u [Hig02].

A simple method to add (resp. subtract) floating-point numbers is to first proceed with theusual addition (resp. subtraction). Then it is rounded to a precision of the same bits, which makesround-off error. To multiply, the significands are multiplied while the exponents are added, and thenthe result is rounded. For example, if we are given two floating-point numbers x = 1101(2) · 22 andy = 1001(2) ·2−3 with 4 bits of precision, we first get the true product value x ·y = 1110101(2) ·2−1and then it is rounded to fl(x · y) = 1111(2) · 22 with 4 bits of precision.

Small errors may accumulate as floating-point operations are performed in succession. Dealingwith these errors incurred in the floating-point operations is one of the main topics in error analysis.In particular, we focus on the forward errors which are concerned with how close the computedresult is to the exact value of an algorithm. For more explicit overview, we recommend to referto [Gol91,Hig02,Ein05]. Here is the standard model of floating-point arithmetic, introduced byWilkinson [Wil61]: if x and y are floating-point numbers, then fl(x ? y) = (x ? y)(1 + ε) for some|ε| ≤ u, where ? ≡ +,−, ·, or /.

2.2 Learning With Errors (LWE)

The LWE problem was introduced by Regev as a generalization of learning parity with noise [Reg05].For positive integers n, and q ≥ 2, t ∈ Znq and a distribution χ over Z, we define ALWE

q,χ (t) as thedistribution obtained by sampling a← Znq and e← χ, and returning c = (〈a, t〉+ e,a) ∈ Zq ×Znq .

Definition 1 (LWE). Let D be a distribution on Znq . The (decision) learning with errors problem,denoted by LWEn,q,χ(D), is to distinguish arbitrarily many independent samples chosen accordingto ALWE

q,χ (t) for a fixed t← D, from the uniform distribution over Zq × Znq .

5

The LWE problem is self-reducible, that is, LWEn,q,χ(D) can be reduced to LWEn,q,χ(U(Znq ))for any distribution D. Moreover, one can efficiently reduce LWEn,q,χ(U(Znq )) to LWEn,q,χ(χ) whenχ is a Gaussian distribution with an appropriate parameter [ACPS09].

It was shown that the hardness of LWE can be established by a quantum reduction to approxi-mate short vector problems in ideal lattices [Reg05]. Peikert also showed there is a classical reduc-tion between LWE and worst-case lattice problems [Pei09]. We refer the readers to [Reg05,Pei09]for these results in more details.

3 Floating-Point Homomorphic Encryption

In this section, we describe a new leveled homomorphic encryption scheme based on the hardnessof LWE problem which allows to carry out floating-point computations of ciphertexts. Given en-cryptions of m1 and m2, the floating-point addition (resp. multiplication) outputs an encryptionof some MSBs of m1 + m2 (resp. m1m2) upon input encryptions of two integers m1 and m2. Itcan be applied to compute an approximate value of product of integers, multiplicative inverse, andpower series. Our concrete construction in this section is based on the BGV scheme [BGV12], butthis idea can be adapted to other (Ring) LWE-based HE schemes such as [GHS12b].

3.1 Basic Encryption Scheme

We first describe a basic public-key homomorphic encryption scheme in this subsection. Thisscheme is IND-CPA secure under the assumption that (n, q, χ)-LWE problem is hard. The schemeconsists of the following algorithms.

• E.Setup(1λ). Take a modulus q = q(λ). Choose the parameters n = n(λ, q) and a Berr-boundederror distribution χ = χ(λ, q) appropriately for LWEn,q,χ that achieves at least 2λ security.Take τ = 2(n+ 1)dlog qe. Output the parameters params = (n, q, χ, τ).

• E.SecretKeyGen(params). Sample a vector t ← χn and set the secret key sk = s ← (1,−t) ∈Zq × Znq .

• E.PublicKeyGen(params, sk). Generate and output a (n + 1) × τ matrix pk = A ← ALWEq,χ (t)τ

(Each column of A is sampled independently from the distribution ALWEq,χ (t)).

• E.Encpk(m). Given a message m ∈ Z, sample a vector r ← 0, 1τ and let m← (m, 0, . . . , 0).Output c←m + A · r mod q.

• E.Decsk(c). Output m′ ← 〈c, s〉 mod q.

Apart from the most of existing schemes (e.g., [Bra12,GHS12b,BLLN13]), our scheme doesnot have a fixed or separate plaintext space from an inserted error. This floating-point encryptionscheme may seem strange, because the output m′ = m + e of its decryption circuit is slightlydifferent from the original message m. However, they can be considered to be actually the same infloating-point computation sense if e is small enough. More precisely, if the input message m hasa precision of η bits to its true value m∗ and |e| ≤ 2−η|m∗|, then m′ is also an approximation tom∗ with (η − 1) bits of precision.

When the input data is too small or large, we should encode the message and regulate itsmagnitude before encryption procedure to maintain the precision. For example, in order to encryptthe floating-point number x = 1001(2) · 2−3 with 4 bits of precision, one may move the radix point(multiplied by the constant 25) and use the scaled value m = 100100(2) as an input message ofencryption procedure. If the encryption error e bounded by |e| ≤ 22, then m′ = m + e is anapproximation of x · 25 with 9 bits of precision. The scaling factors of input data should be storedand managed independently for correct understanding of computing results.

6

This notion of approximate encryption has been partially used in previous work, for example,additional information for multiplication in [BV11a,Bra12,BGV12,CS15] and intermediate valuesin squashed decryption circuit in [DGHV10,CLT14] are encrypted in the same way. Note that theseciphertexts were used in approximate computations allowing small errors.

For homomorphic operations, one should take a larger parameter depending on the circuitcomplexity and also the size of input messages. We analyze the suitable parameters for variouscircuits in Section 4.

Security. The security of basic encryption scheme is directly obtained from the security proof ofleveled floating-point HE scheme that will be described in next subsection.

3.2 Leveled Floating-Point Homomorphic Encryption Scheme

We start by adapting some notations from [BGV12] to our context and recalling the key switchingand modulus reduction techniques in [BV11a,BGV12] for homomorphic operations of LWE-basedencryption schemes.

Let q be a positive integer. Given a vector x ∈ Znq , its bit decomposition and power of two

are defined by BD(x) = (u0, . . . ,ublog qc) ∈ 0, 1n(1+blog qc) with x =∑blog qci=0 2iui, and P2(x) =

(x, . . . , 2blog qcx). Then we can see that 〈BD(x),P2(y)〉 = 〈x,y〉. We also recall the definition oftensor product u⊗ v = (u1v1, u1v2, . . . , u1vm, . . . , unv1, . . . , unvm) on the vector space Rn × Rm,and its relation with the inner product 〈u⊗ v,u′ ⊗ v′〉 = 〈u,u′〉 · 〈v,v′〉.

For i = 1, 2, let ci be ciphertexts ofmi encrypted by the secret s ∈ Zq×Znq . They satisfy 〈ci, s〉 =mi + ei mod q for some small ei’s. Consider the quadratic equation Qc1,c2

(x) := 〈c1,x〉 · 〈c2,x〉 =〈c1⊗c2,x⊗x〉. If m′i = mi+ei’s are small enough, we obtain Qc1,c2

(s) mod q = m′1m′2 = m1m2+e

for some small e, as desired, and c ← c1 ⊗ c2 is an encryption of m1m2 with the secret s ⊗ s.However, this comes at a cost of increasing the dimension of ciphertexts and the complexity ofhomomorphic multiplication. Brakerski and Vaikuntanathan [BV11a] use a key-switching techniqueto convert a LWE ciphertext under the long secret key s ⊗ s into another LWE ciphertext of thesame plaintext under a different secret key s of smaller dimension. Roughly speaking, this processpublishes auxiliary information s⊗s = (s′i)i encrypted by a new secret s, and converts a ciphertextc = (ci)i into a new ciphertext c′ ←

∑i ci · Encs(s′i). Hence, we need a chain of L secret keys in

order to evaluate up to L multiplicative levels while keeping the same ciphertext size. In this paper,we assume the circular security for convenience, so it is safe to encrypt the leveled HE secret keyunder its own public key. This allows us to use the same secret key for all the levels.

Brakerski, Gentry and Vaikuntanathan [BV11a,BGV12] developed the modulus-switching tech-nique to manage the size of errors in LWE-based HE schemes. It converts a ciphertext c modulusq with an error e into a ciphertext c′ of the same message in a new modulus q′ and an error

e′ ≈ q′

q e. The ratio e/q of the noise to the modulus size maintains almost the same, but it reducesthe magnitude of the noise and the error growth in the next operation. As a result, the bit-size oflargest modulus grows linearly with the multiplicative depth instead of exponentially. We apply themodulus-switching technique to floating-point HE but for a completely different purpose. Roughlyspeaking, we scale c by a factor q′/q, and then round appropriately to get back an integer ciphertextto discard the LSBs (erroneous part) of messages and control the magnitude of significands.

• FP.Setup(1λ, 1L). Take a base modulus p = p(λ, L). Let q` = p` for ` = 1, . . . , L. Choose theparameters n = n(λ, qL) and a Berr-bounded error distribution χ = χ(λ, qL) appropriately for(n, qL, χ)-LWE problem that achieves at least 2λ security. Let τ = 2(n+1)dlog qLe. Output theparameters params = (n, qL, χ, τ).

• FP.SecretKeyGen(params). Run sk = s← E.SecretKeyGen(params).• FP.PublicKeyGen(params, sk). Run pk ← E.PublicKeyGen(params, sk).

7

• FP.Encpk(m). Run c← E.Encpk(m).• FP.Decsk(c). Run m′ ← E.Decsk(c).

• FP.SwitchKeyGen(params, sk). Generate a matrix A′L ← ALWEqL,χ(t)(n+1)2dlog qLe and set the

switching key swk = AL ← P2(s ⊗ s)T + A′L (Add the vector P2(s ⊗ s)T to the first row ofA′L). For 0 < ` < L, let A` be the (n + 1) × (n + 1)2dlog q`e matrix consisting of the first(n+ 1)2dlog q`e columns of AL.

• FP.Add(c1, c2). For two ciphertexts c1, c2 in the same level `, output cadd ← c1 + c2 mod q`.• FP.Multswk(c1, c2). For two ciphertexts c1, c2 in the same level `, output cmult ← A` ·BD(c1⊗c2) mod q`.

• FP.ModSwitch`→`′(c). For a ciphertext c in level `, output c′ ←⌊q`′q`· c⌉.

• FP.ModEmbed`→`′(c). For a ciphertext c in level `, output c′ ← c mod q`′ .

Let LWEs,`(m,B) be the set of `-level encryptions of m under s whose error is bounded byB, i.e., a vector c ∈ Zq × Znq` is contained in LWEs,`(m,B) if 〈c, s〉 ≡ m + e (mod q`) for some|e| ≤ B. We omit s and shortly denote LWE`(m,B) when it is clear from the context.

There is a natural embedding FP.ModEmbed : c (mod q`) 7→ c (mod q`′) from LWE`(m,B) toLWE`′(m,B) for any ` > `′. The converted ciphertext c′ ← FP.ModEmbedq`→q`′ (c) has exactlythe same message and error as c, so this procedure does not change the scale of message. Thisembedding can be used to carry out operations between ciphertexts in different levels.

Security. Let params = (n, qL, χ, τ) ← FP.Setup(1λ, 1L) so that the (n, qL, χ)-LWE problemachieves at least 2λ security and τ = 2(n+1)dlog qLe. If we generate sk ← E.SecretKeyGen(params),pk ← E.PublicKeyGen(params, sk) and swk ← FP.SwitchKeyGen(params, sk), then (pk, swk) is

computationally indistinguishable from the uniform distribution over Z(n+1)×τqL ×Z(n+1)×(n+1)2dlog qLe

qL

from the hardness of (n, qL, χ) and the assumption of circular security. If pk is chosen in Z(n+1)×τqL

uniformly, then the statistical distance of (pk,FP.Encpk(0)) from the uniform distribution on

Z(n+1)×τqL × Zn+1

qL is negligible from the leftover hash lemma [DGHV10]. Thus, our floating-pointHE scheme described above is IND-CPA secure.

We analyze the noise growth of our basic scheme at encryption and addition, and provide asufficient condition for decryption correctness.

Lemma 1 (Encryption Noise). Let c← FP.Enc(m) for a message m. Then the initial ciphertextc is in LWEL(m,Bclean) for Bclean = τ ·Berr with overwhelming probability.

Proof. By definition, we have 〈c, s〉 = 〈m + A · r, s〉 = m + rT · (ATs). Since each column ofA is a LWE sample, the infinite norm of vector e := AT · s is less than Berr with overwhelmingprobability. This lemma follows from |〈r, e〉| ≤ τ ·Berr. ut

Lemma 2 (Addition/Multiplication Noise). Let ci ∈ LWE`(mi, Bi) be encryptions of mi

satisfying |mi| ≤Mi for i = 1, 2. Let cadd ← FP.Add(c1, c2) and cmult ← FP.Mult(c1, c2). Then, wehave cadd ∈ LWE`(m1 +m2, B1 +B2) and cmult ∈ LWE`(m1m2,M1B2 +M2B1 +B1B2 +BKS.`) forBKS,` = (n+ 1)2dlog q`e ·Berr with overwhelming probability.

Proof. The bound of addition noise is obvious. The definition of FP.Mult circuit implies 〈cmult, s〉 =〈P2(s⊗s),BD(c1⊗c2)〉+ 〈A′` ·BD(c1⊗c2), s〉. From a property of tensor product, we get 〈P2(s⊗s),BD(c1 ⊗ c2)〉 = 〈c1, s〉 · 〈c2, s〉 = (m1 + e1)(m2 + e2) for some |e1| ≤ B1 and |e2| ≤ B2. Wenote that the infinite norm of vector e := A′T` · s is less than Berr with overwhelming probability.Therefore, 〈cmult, s〉 = m1m2 + emult for emult = m1e2 + m2e1 + e1e2 + 〈e,BD(c1 ⊗ c2)〉, whichsatisfies |emult| ≤M1B2 +M2B1 +B1B2 + (n+ 1)2dlog q`eBerr. ut

8

We now consider the modulus-switching noise and explain its role in our scheme. As mentionedbefore, we roughly scale a ciphertext by the factor q`′/q` to change the current modulus from q`to q`′ .

Lemma 3 (Modulus-Switching Noise). Let c ∈ LWE`(m,B) be an encryption of m and letc′ ← FP.ModSwitch`→`′(c). Then c′ ∈ LWE`′(

q`′q`m, q`′q` B +BMS) for BMS = n+1

2 Berr.

Proof. Let e be the error of ciphertext c. Then 〈c′, s〉 = q`′q`〈c, s〉 + 〈u, s〉 = q`′

q`(m + e) + 〈u, s〉

(mod q`′) for a vector u := c′ − q`′q`c with ||u||∞ ≤ 1/2. The new error e′ = q`′

q`e + 〈u, s〉 satisfies

|e′| ≤ q`′q`B + 1

2 ||s||1 ≤q`′q`B +BMS. ut

Effect of Modulus-Switching. As noted before, our modulus-switching technique is similarto one of Brakerski, Gentry and Vaikuntanathan [BV11a,BGV12]. However, in our paper, theprocedure FP.ModSwitch changes the message from m to a different and smaller message q`′

q`m =

p`′−`m. It does not mean that the message is ruined, but we just and change the representation

(scale) of message. More precisely, if we express numbers in the floating-point system with basep, the modulus-switching procedure rounds up the least (` − `′)-digits of message and shifts theradix point to the left while the exponent part is increased by (`− `′). As a result, most significantdigits of message are invariant over this modulus-switching procedure, but only the magnitude ofsignificand is reduced.

Ciphertext Format with Auxiliary Information. For a practical usage of our scheme, it isrecommended to keep additional information in a full ciphertext of the form (c, `,M,B, exp) inorder to remember the position of radix point and compute the bounds of message and error duringhomomorphic evaluation. Here, `,M,B and exp denote the level, the bounds of message and error,and exponent part of message of the ciphertext c, respectively. Then our scheme can be describedas follows:

FP.Enc : (m,M) 7→ (c, L,M,Bclean, 0),

FP.Dec : (c, `,M,B, exp) 7→ (m,B, exp),

FP.Add : ((c1, `,M1, B1, exp), (c2, `,M2, B2, exp)) 7→(cadd, `,M1 +M2, B1 +B2, exp),

FP.Mult : ((c1, `,M1, B1, exp1), (c2, `,M2, B2, exp2)) 7→(cmult, `,M1M2,M1B2 +M2B1 +B1B2 +BKS.`, exp1 + exp2),

FP.ModSwitch `→`′ : (c, `,M,B, exp) 7→ (c, `′, p`′−`M,p`

′−`B +BMS, exp + (`− `′)),FP.ModEmbed `→`′ : (c mod q`, `,M,B, exp) 7→ (c mod q`′ , `

′,M,B, exp).

Homomorphic Operations of Ciphertexts in Different Levels. To multiply a ciphertext cin LWE`(m,B) with a ciphertext in lower level `′, we first should convert c into a ciphertext inlevel `′. The modulus-switching procedure FP.ModSwitch`→`′ changes the message to p`

′−`m withadditional noise, while the modulus-embedding procedure FP.ModEmbed`→`′ does not. Therefore,the modulus-switching procedure storages smaller message p`

′−`m which makes it more spaceefficient, and the modulus-embedding procedure does not create additional noises to initial messagewhich makes calculations more careful and precise. See Figure 2 for an illustration.

In the rest of our paper, if the two ciphertexts c1, c2 do not belong to the same level, FP.Add(c1, c2)and FP.Mult(c1, c2) denote the homomorphic operations after performing the modulus-embeddingprocedure to the lower level.

9

e

m

q`

e

m

q`

ModSwitch ModEmbedp`′−` ·m

q′`

m

q′`

Fig. 2. Modulus-switching and modulus-embedding operations

Let c be a ciphertext in LWE`(m,B) of a message |m| ≤M and m′ ← FP.Dec(c). The absoluteerror e = m′ −m is bounded by B, but sometimes it is convenient to consider the relative error ofmessage in floating-point arithmetics as we mentioned in Subsection 2.1. However, the definition ofrelative error in floating-point arithmetics cannot be used directly in homomorphic evaluation ofcircuits since one cannot see the intermediate values during secure evaluation of circuits. Instead,we suggest a slightly different definition of relative error α := B/M in this paper using the boundsof message and error. The following theorem gives an upper bound of relative error after theevaluation of circuit corresponding to the ordinary floating-point multiplication: rounding aftermultiplication of significands.

Theorem 1. Let ci ∈ LWE`(mi, Bi) be encryptions of mi such that |mi| ≤ Mi and Bi = αiMi

for i = 1, 2. Let ε = dlog qLe−1 and ∆ = 1 + ε. If (1) p ≥ 2(n + 1)dlog qLe, (2) αi ≤ ε, and (3)pk ·Bclean ≤ (α1 + α2)M1M2, then

c← FP.ModSwitch`→(`−k)(FP.Mult(c1, c2))

is contained in LWE`−k( 1pkm1m2, αM) for α = ∆(α1 + α2) and M = 1

pkM1M2.

Proof. It follows from Lemmas 1 and 2 that the vector c′ ← FP.Mult(c1, c2) is in LWE`(m1m2, B′)

for B′ = M1B2 +M2B1 +B1B2 +BKS,`. From Lemma 3, the output c← FP.ModSwitch`→(`−k)(c′)

of modulus switching procedure belongs to LWE`−k( 1pkm1m2, B) for B = 1

pkB′ +BMS.

Dividing B by M = 1pkM1M2, we obtain

B

M= α1 + α2 + α1α2 +

BKS,` + pk ·BMS

M1M2

≤ α1 + α2 + α1α2 +

(n+ 1

2+

pk

4dlog qLe

)Bclean

M1M2.

By making use of the inequalities α1α2 ≤ ε2 (α1 + α2) from (2), and (n+1

2 + pk

4dlog qLe )Bclean

M1M2≤

ε2 (α1 + α2) from (1) and (3), we get the desired bound B/M ≤ ∆(α1 + α2). ut

For convenience, we use the notations ε = dlog qLe−1 and ∆ = 1 + ε in the rest of our paper.Note that ε ≈ (L log p)−1 and ∆L ≈ (1+ 1

L log p )L ≈ e1/ log p is very close to 1. After a homomorphic

multiplication with modulus switching procedure, the relative error becomes α = ∆(α1 + α2). Inother words, the result ciphertext has a significand with logα−1 ≈ −1 + logα−1i bits of preci-sion. Hence, this process decreases the precision of message about one bit similar to the case ofunencrypted floating-point computation.

The condition (1) only depends on the scheme parameters p, n and L from FP.Setup, andmost of parameters used in leveled HE schemes satisfy this condition. Hence, we assume that

10

the condition (1) always hold in this paper. We have (α1 + α2)M1M2 = M1B2 + M2B1 in thecondition (3). Under the assumption that Bi ≥ Bclean for i = 1, 2, this condition can be relaxedto maxM1,M2 ≥ pk. In addition, the error bound of ciphertext c in Theorem 1 satisfies B =αM ≥ (α1 + α2)M = (α1 + α2) 1

pkM1M2 ≥ Bclean again. Therefore, we only need to consider the

relaxed condition maxM1,M2 ≥ pk when the error bound of ciphertexts are not smaller thanBclean.

4 Homomorphic Evaluation of Floating-Point Arithmetics

We now show that noise growth in our FPHE is almost same as in unencrypted floating-pointcomputations. We start with evaluating some typical floating-point circuits homomorphically- ad-dition and multiplication by constants, monomial and power polynomial. We also extend thesefacts to general polynomial, inverse, exponent, and analytic function. We deduce bounds on thenoise growth that occurs during evaluation and analyze the precision of results.

4.1 Addition and Multiplication by Constants

We start with presenting simple operations to evaluate the functions f(x) = x+ a and f(x) = axfor a real number a ∈ R. Briefly speaking, we add a ∈ R to the first component of a ciphertext forconstant addition, and multiply a ciphertext by a ∈ R for constant multiplication.

Lemma 4 (Addition by Constant). Let c ∈ LWE`(m,B) be an encryption of m and a ∈ Rbe a real number. Then, c′ ← c + (bae , 0, . . . , 0) (mod q`) is contained in LWE`(m + bae , B) ⊆LWE`(m+ a,B + 1/2).

Proof. It is obvious from 〈c′, s〉 = bae+ 〈c, s〉 = (bae+m) + e (mod q`) for some |e| ≤ B. ut

In the case of an integer a ∈ Z, the constant addition procedure does not change the errorbound B but change the message bound to M + a. As a result, the relative error also changes.

Lemma 5 (Multiplication by Constant). Let c ∈ LWE`(m,B) be an encryption of m suchthat |m| ≤ M , and a ∈ R be a real number. Then, the vector c′ ← bpu · ae c is contained inLWE`(p

u · am,B′) for B′ = (pu · |a|+ 12 )B + 1

2M .

Proof. From the fact that 〈c, s〉 = m+e (mod q`) for some |e| ≤ B, we have 〈c′, s〉 = bpu · ae (m+e) = pu · am+ e′ such that |e′| ≤ (pu · |a|+ 1

2 )B + 12M . ut

In the previous lemma, let α = B/M be the relative error of given ciphertext c. The vector

c′ ← bpu · ae c has the message bound M ′ = pu · |a|M , and the relative error α′ = B′

M ′ = α +B+M

2pu·|a|M ≤ α+ 1pu·|a| . We may choose an integer u large enough so that the relative error does not

increase too much. In particular, if the scalar a ∈ R is of the form p−u · a for some integers u anda, then the relative error remains the same after constant multiplication.

4.2 Monomial and Power Polynomial

We introduce some algorithms to evaluate the power function xd and the monomial∏di=1 xi in

this subsection. We start from the simplest case f(x) = x2k

, the power polynomial of a power oftwo degree. For simplicity, we assume that the bound M of message m is equal to the base p.

Algorithm 1 performs the modulus switching procedure repeatedly after each squaring step to

maintain the size of significand. The output of Algorithm 1 is thus not an encryption of f(m) = m2k ,

but an encryption of the scaled value p · f(m/p) = m2k/p2k−1. The following lemma checks the

correctness of Algorithm 1 and computes the relative error of output ciphertext.

11

Algorithm 1 Power polynomial f(x) = xd of power-of-two degree

1: procedure Power(c ∈ Zq` × Znq` , d = 2k))2: c0 ← c3: for i = 1 to k do4: ci ← FP.ModSwitch(`−i+1)→(`−i)(FP.Mult(ci−1, ci−1))5: end for6: return ck7: end procedure

Lemma 6 (Power Polynomial of Power-of-Two Degree). Let c ∈ LWE`(m,B) be an en-cryption of m such that |m| ≤ p and B = α0p. If α0 ≤ (2∆)−(k−1) · ε and B ≥ Bclean, then

the output ck ← Power(c, 2k) of Algorithm 1 is contained in LWE`−k(m2k/p2k−1, αkp) where

αk = (2∆)k · α0.

Proof. Let αi = 2∆ · αi−1 for i = 1, . . . , k. From Theorem 1, we can inductively show that ci ←FP.ModSwitch(`−i+1)→(`−i)(FP.Mult(ci−1, ci−1)) belongs to LWE`−i(m

2i/p2i−1, αip) for all i. Thus,

after k iterations, ck is contained in LWE`−k(m2k/p2k−1, αkp) where αk = (2∆)k · α0. ut

Algorithm 1 is used as a subroutine of the following extended algorithm which evaluates apower polynomial f(x) = xd for any degree d.

Algorithm 2 Power polynomial f(x) = xd

1: procedure Power(c ∈ Zq × Znq` , d)

2: Let d = 2k1 + · · ·+ 2kr where 0 ≤ k1 < · · · < kr = blog dc.3: c1 ← Power(c, 2k1)4: v1 ← c15: for i = 2 to r do6: ci ← Power(ci−1, 2

ki−ki−1)7: vi ← FP.ModSwitch(`−ki)→(`−ki−1)(FP.Mult(ci,vi−1))8: end for9: return vr

10: end procedure

Similar to the previous case, Algorithm 2 outputs an encryption of the scaled value p ·f(m/p) =md/pd−1. We show the correctness and analyze the relative error in the following theorem.

Theorem 2 (Power Polynomial). Let c ∈ LWE`(m,B) be an encryption of m such that |m| ≤ pand B = α0p. Let d be a positive integer with binary representation d = 2k1 +· · ·+2kr for an integerr and some integers 0 ≤ k1 < · · · < kr. Let k = dlog de. If α0 ≤ (2∆)−(k−1) · ε and B ≥ Bclean, thenthe output v ← Power(c, d) of Algorithm 2 is in LWE`−k(md/pd−1, αkp) for αk = (2∆)k · α0.

Proof. The case r = 1 is obvious by Lemma 6, so assume that r ≥ 2. Let αi = 2∆ · αi−1 for

i = 1, · · · , k. From the proof of Lemma 6, the vector c1 is contained in LWE`−k1(m2k1/p2

k1−1, αk1p).

Using the induction on i, we may show that ci ∈ LWE`−ki(m2ki/p2

ki−1

, αkip) and vi ∈LWE`−ki−1(m2k1+···+2ki

/p2k1+···+2ki−1, αki+1p) for all i = 1, · · · , r. Therefore, the output of Algo-

rithm 2 is contained in LWE`−k(md/pd−1, αkp) for k = kr + 1 = dlog de. ut

12

One may homomorphically evaluate a monomial f(x1, . . . , xd) =∏i xi using the binary tree

structure, and its relative error can be computed similarly to Theorem 2. Let k = dlog de. For givenlevel-` ciphertexts ci ∈ LWE`(mi, αip) : 1 ≤ i ≤ d such that |mi| ≤ p and αi ≤ (2∆)−(k−1) · ε,one may compute their product by (d − 1)-number of multiplications in depth k. The resulting

ciphertext is contained in LWE`−k(∏di=1mi/p

d−1, αp) for α = ∆k ·∑di=1 αi. Comparing this result

to the unencrypted case in Section 2.1, our scheme achieves almost optimal precision of floating-point computation.

4.3 Polynomial and Approximating Power Series

The goal of this subsection is to evaluate polynomial and analytic functions and analyze the relativeerror of output ciphertext during homomorphic evaluation. We start by presenting an algorithmfor evaluating polynomial functions.

Algorithm 3 Polynomial function f(x) =∑di=0 aix

i

1: procedure Polynomial(c ∈ Zq` × Znq` , f(x) =∑di=0 aix

i ∈ R[x], u ∈ Z)

2: v ← (⌊pu+1 · a0

⌉, 0, . . . , 0)

3: for i = 1 to d do4: v ← FP.Add(v, bpu · aie ·Power(c, i))5: end for6: return v7: end procedure

Theorem 3 (Polynomial Evaluation). Let f(x) =∑di=0 aix

i ∈ R[x] be a real polynomial ofdegree d with k = dlog de, and c ∈ LWE`(m,B) be an encryption of m such that |m| ≤ p andB = α0p. If α0 ≤ (2∆)−(k−1) · ε, Then, the output v ← Polynomial(c, f(x), u) of Algorithm 3 is

in LWE`−k(pu+1 · f(m/p), αfpu+1) where αf =

(∑di=1 |ai|

)· (2∆)kα0 + (d+ 1)p−u.

Proof. From Theorem 2 and Lemma 5, for all i = 1, . . . , d, the ciphertexts Power(c, i) andbpu · aie·Power(c, i) are contained in LWE`−dlog ie(m

i/pi−1, Bi) and LWE`−dlog ie(pu+1·aimi/p

i, B′i)for Bi = (2∆)iα0p and B′i = pu · |ai|Bi + p, respectively.

Therefore, the output v of Algorithm 3 is an encryption of pu+1 · f(m/p) with the error bound

1/2 +∑di=1B

′i = 1/2 +

(∑di=1 |ai| · (2∆)i

)· α0p

u+1 + dp, which is less than αfpu+1 for αf =(∑d

i=0 |ai|)· (2∆)kα0 + (d+ 1)p−u. ut

The resulting ciphertext of above theorem is an encryption of pu+1 · f(m/p), with the message

bound pu+1 ·(∑d

i=0 |ai|)

and the relative errorαf∑d

i=0 |ai|= (2∆)kα0 + (d+1)

pu·∑d

i=0 |ai|, which is almost

equal to (2∆)kα0 for a sufficiently large integer u.By storing some intermediate computation results, we can compute the encryptions of m,m2/p,

. . . ,md/pd−1 simultaneously in d homomorphic multiplications and so reduce the complexity ofAlgorithm 3 to d. The evaluation point m/p is in the interval [−1, 1] in Theorem 3, but it canbe extended to general cases by taking an alternative polynomial (for example, g(x) such thatg(x) = f(px)).

Now consider an analytic function f(x) and its Taylor decomposition f(x) = Td(x) + Rd(x)

for Td(x) =∑di=0

f(i)(0)i! xi and Rd(x) = f(x)− Td(x). If Rd(x) goes to zero as d→∞, then Td(x)

13

converges to f(x). Assume that we are given an encryption of m such that |m| ≤ p with relativeerror α0. One may use previous theorem to evaluate the function f(x) at m/p by computing itsTaylor polynomial Td(x) for a sufficiently large d and obtaining an encryption of pu+1 · Td(m/p),which is an approximate value of pu+1 ·f(m/p) with a small error pu+1 ·Rd(m/p). The size of total

error is bounded by (αT + |Rd(m/p)|) · pu+1 for αT =(∑d

i=0 |f(i)(0)i! |

)· (2∆)dlog deα0 + (d+ 1)p−u

by Theorem 3.Consider the exponential function f(x) = ex as a concrete example. It has the Taylor polynomial

Td(x) =∑di=0

xi

i! and the remainder Rd(x) is bounded by |Rd(x)| ≤ e(d+1)! when |x| ≤ 1. For an

encryption of m such that |m| ≤ p with relative error α0, take two integers u and d such thatpu ≥ 2α−10 and d(d + 1)! ≥ 2α−10 . Note that the choice of d = dlogα−10 e holds the requiredcondition. Then Algorithm 3 outputs an encryption of pu+1 · Td(m/p) with an error boundedby αT p

u+1 for αT ≤ e · (2∆)dlog deα0 + (d + 1)p−u, and it can be also viewed as an encryptionof pu+1 · em/p with the message bound epu+1 and the relative error 2(2∆)dlog deα0. Hence, theprecision of ciphertext is decreased by dlog de + 1 = dlog logα−10 e + 1 bits compared to the inputciphertext.

Now consider another example f(x) = ex

1+ex . The logistic function is widely used in medicine asa predictive equation in logistic regression. For example, logistic regression was used for predictionthe likelihood to have a heart attack in an unspecified period for men in [BLN14]. It was also usedas a predictive equation to screen for diabetes in [TH02]. One can evaluate the logistic functionex

1+ex = 1 − (1 + ex)−1 by combining the constant addition, the exponential function and themultiplicative inverse, that will be described in the next subsection.

4.4 Multiplicative Inverse

We may refer the previous subsection to compute its Taylor decomposition and apply Theorem 3,to securely compute the multiplicative inverse. However, we will use another method, which ismore easy to investigate, and almost preserves the precision of floating-point computation. Wereview the approximate method using a convergence algorithm [cDSM15]. Given x ∈

[12 , 1], let

x = 1− x ∈[0, 12]. Then we see that

x(1 + x)(1 + x2)(1 + x22

) · · · (1 + x2k−1

) = 1− x2k

. (1)

Note that this product is in the interval[1− 2−2

k

, 1]

and converges to one as k goes to infinity.

Hence,∏k−1i=0 (1 + x2

i

) = x−1(1− x2k) can be considered as an approximate multiplicative inverse

of x with an relative error bounded by 2−2k

.We now return to our subject. Assume that an integer m has a range of [p/2, p] and denote

m = p−m. The standard approach starts by normalizing those numbers to be in the unit intervalby setting x = m/p ∈

[12 , 1]. Since we cannot multiply fractions over encrypted data, the precision

point has to move to the left for each term of (1). We multiply both sides of the equation (1) by

p2k

, and then it yields

m(p+ m)(p2 + m2)(p22

+ m22) · · · (p2k−1

+ m2k−1

) = p2k

− m2k .

Therefore,∏k−1i=0 (p2

i

+ m2i)/p2k

can be seen as approximate inverse of m with an relative error

bounded by (m/p)2k ≤ 2−2

k

. We first suggest an algorithm for evaluating this circuit, and analyzethe resulting relative error and optimal number of iterations in the following theorem.

Theorem 4 (Inverse Function). Let c ∈ LWE`(m,B0) be an encryption of m such that p/2 ≤m ≤ p and B0 = α0p/2. If α0 ≤ (2∆)−(k−1) · ε and B0 ≥ 22

k−1−(k−1) ·Bclean, then the output vk ←

14

Algorithm 4 Inverse function f(x) = x−1

1: procedure Inverse(c ∈ Zq × Znq` , k)2: p← (p, 0, . . . , 0)3: c0 ← p− c4: v1 ← FP.ModEmbed`→(`−1)(p + c0)5: for i = 1 to k − 1 do6: ci ← FP.ModSwitch(`−i+1)→(`−i)(FP.Mult(ci−1, ci−1))7: vi+1 ← FP.ModSwitch(`−i)→(`−i−1)(FP.Mult(vi,p + ci))8: end for9: return vk

10: end procedure

Inverse(c, k) of Algorithm 4 is contained in LWE`−k (m′, α · 2p) where m′ = (p2

m )(

1− (1− mp )2

k)

and α = ∆k ·α0. In particular, with the input k = dlog logα−10 e, this algorithm outputs a ciphertextin LWE`−k(p2/m, 2α · 2p).

Proof. Let m = p−m. From Lemma 4, the ciphertexts c0 and v1 are contained in LWE`(m,B0) andLWE`−1(p + m,B0), respectively. Note that they have the same error bound B0 = α0(2−1p), butdifferent message bounds 2−1p and (1+2−1)p, and different relative errors α0 and α′0 = (2+1)−1α0.

Let αi = (2∆)i · α0 for i = 1, . . . , k− 1. From Theorem 1, it is easy to check that ci belongs to

LWE`−i(m2i/p2

i−1, αi(2−2ip)) for all i. By Lemma 4, the vector p+ci is contained in LWE`−i((p

2i +

m2i)/p2i−1, αi(2

−2i)p), and it has the increased message bound (1+2−2i

)p and the reduced relative

error α′i = 1

(22i+1)αi = (2∆)i

22i+1α0.

Let α′′1 = ∆ · α′0 and α′′i = ∆(α′i−1 + α′′i−1) for i = 2, · · · , k. Using the induction on i, we canshow that vi is contained in

LWE`−i

i−1∏j=0

(p2j

+ m2j )/p2i−2, α′′i ·

i−1∏j=0

(1 + 2−2j

)p

,

that is, vi can be seen as an encryption of∏i−1j=0(p2

j

+ m2j )/p2i−2 = (p2/m)(1− (m/p)2

i

) with the

message bound∏i−1j=0(1 + 2−2

j

)p = (1− 2−2i

)(2p) ≤ 2p and the relative error

α′′i =

i−1∑j=0

∆i−j · α′j = ∆i ·

i−1∑j=0

2j

22j + 1

α0 ≤ ∆i · α0,

from the fact that∑∞j=0

2j

22j+1

= 1. Therefore, the output of Algorithm 4 is contained in LWE`−k(m′,

α · 2p) for m′ = (p2/m)(1− (m/p)2k

) and α = ∆k · α0.

In the case of k = dlog logα−10 e, the difference of m′ and (p2/m) is bounded by 2−2k

(p2/m) ≤α · 2p also, and this algorithm outputs an encryption of (p2/m) with the message bound 2p andthe relative error 2α = 2∆k · α0.

ut

This algorithm outputs a ciphertext whose relative error is 2α = 2∆k · α0 ≈ 2α0, so it losesabout one bit of precision. The optimal number of iterations can be changed when we knowmore/less information about the magnitude of m. Assume that the message m is contained inthe interval ((1 − β)p, p) for some value 0 < β < 1. Let m = p − m ∈ [0, βp]. Then we have

15∏k−1i=0 (p2

j

+ m2i) = (p2k

/m) · (1− (m/p)2k

), which is an approximation of p2k

/m with 2k · log β−1

bits of precision. Therefore, the optimal number of iteration is k ≈ log logα−10 − log log β−1 ingeneral case.

The condition B0 ≥ 22k−1−(k−1) ·Bclean in Theorem 4 is stronger than our general assumption

B0 ≥ Bclean. However, we may use a simple transformation ciphertexts to make them satisfy therequired condition. For a given encryption c ∈ LWE`(m,B0) of m ∈ [p/2, p] such that B0 ≥ Bclean

and B0 = α0p, let c∗ = p · c (mod q`),m∗ = p · m,B∗0 = p · B0 and p∗ = p · p. Then c∗ is an

encryption of m∗ ∈ [p∗/2, p∗] with error bound B∗0 and relative error α0. After this transformation,we can use Theorem 4 and compute the multiplicative inverse of m homomorphically since B∗0 =

p ·B0 ≥ 22(k−1)−(k−1)Bclean.

5 Comparison and Implementation

In this section, we provide a theoretical comparison of our FPHE scheme and previous HE schemefor evaluating arithmetic circuits described in Section 4. We also adapted our method to BGVscheme with Shoup-Halevi’s HE library [HS13] (called HElib). All experiments reported in ourpaper were performed on a machine with an Intel Xeon 2.6 GHz processor running a Linux 3.16.0operating system.

5.1 Comparison with previous HE schemes

Gentry, Halevi and Smart [GHS12b] constructed an efficient BGV-type somewhat HE scheme. Thesecurity of this scheme is based on the (decisional) Ring Learning With Errors (RLWE) assumption,which was first introduced by Lyubashevsky, Peikert and Regev [LPR10]. This scheme has a chainof ciphertext moduli by a set of primes of roughly the same size, p0, · · · , pL, that is, the i-thmodulus qi is defined as qi =

∏ik=0 pk. For simplicity, assume that P is the approximate size

of the pi’s. We choose an integer m that defines the m-th cyclotomic polynomial Φm(x). For apolynomial ring R = Z[x]/(Φm(x)), set the plaintext space to Rt := R/tR for some fixed t ≥ 2and the ciphertext space to Rq := R/qR for an integer q.

Assume that we are given encryptions of messages m1, . . . ,md with η bits of precision. Tosecurely compute a product of mi’s, we can consider three distinct message encoding possibilitieswith BGV-type schemes: The first two naive methods are called scalar encoding method, where eachinput (bit or large integer) is encoded as a constant polynomial. The last one is called balancedbase-B encoding method for an odd integer B ≥ 3, which represents a fixed-point number withbase B and encodes as a polynomial with coefficients in the range [−(B − 1)/2, (B − 1)/2].

• All the messages are encrypted bit-wise. We represent the entire functions as binary circuits,which correspond to arithmetic on bits in Z2. Note that η-bit multiplication is computableby boolean circuits of depth O(log η) with O(η2) complexity [Vol13]. Now suppose that weonly obtain the most significant η bits. Then the total depth amount to O(log η · log d) andit requires O(d · η2) homomorphic multiplication in total. So the approximate bit size of theciphertext modulus qL is (L+ 1) · logP = O(log η · log d). We note that it is encrypted as a setof d · η ciphertexts.

• The second method is to use a large integer ring as a message space instead of a binary field. Itallows us to evaluate with only (d−1) homomorphic multiplications. We first choose sufficientlylarge t so that no reductions modulo t occurs in the plaintext space, so we take t as the smallestinteger which satisfies log t > η · d. Next, given the Hamming weight h of the secret key, it

follows from Section 5.1 in [KL15] that L = log d·⌈ log(h·φ(m)·t4)

2 logP

⌉+ 1 = O(η · d log d). Thus the

bit size of the ciphertext modulus qL is approximately (L+1)·logP = O(η ·d log d) and we only

16

have d ciphertexts. The reader can consider another method which is based on decompositionmodulus W .1

• Dowlin et al. [DGL+15] suggested a balanced base-B encoding method of fixed-point numbers

for an odd integer B ≥ 3. If a fixed-point number b is represented as b =∑I+

i=I− biBi for

some bi ∈ [−(B − 1)/2, (B − 1)/2], it is encoded as a polynomial b(X) = XI− · (∑I+

i=0 biXi) +∑I−

i=1 b−iX−i. It follows from [CSVW16] that when computing the encryption of product of

mi’s homomorphically, the size of t is needed to ensure correctness as follows: t > (B−12 ·blogB 2ηc)d. Thus the bit size of the largest modulus is approximately O(log d · log t) = O(log η ·d log d), and we also only need d ciphertexts.

In case of our scheme, we may take p = 2η and L = log d for the correctness of decryptionprocedure after product of ciphertexts of mi’s. Then total computation cost is (d − 1) and thebit size of the ciphertext modulus is log qL = log p · (L + 1) = η · (log d + 1). Even though ourscheme only computes an encryption of arithmetic solution with (η−dlog de) bits of precision, thecircuit depth is logarithm in d, and the numbers of homomorphic multiplications and ciphertextsare linear in d. We provide a better description of comparison in Table 2.

Table 2. Product of d ciphertexts

Circuit#(HM)

Size of modulus#(ctx)

Depth (log qL)

Previous

Bit ptx O(log η log d) O(dη2) O(log η log d) dη

Large ptx log d d− 1 O(ηd log d) d

Balanced log d d− 1 O(log η · d log d) d

Ours log d d− 1 η(log d+ 1) d

5.2 Our Implementation with Concrete Parameters

In Table 3, we present the parameter setting and performance results for multiplying 16 integersof 20 bits and computing the multiplicative inverse of 20-bit integer with our scheme. All theparameters provide 80-bit security level. When we measured the average running times, we excludedcomputing times used in data encryption and decryption.

To evaluate the arithmetic circuit∏16i=1 xi homomorphically, BGV-type scheme requires huge

computation cost with bit-wise encryption or at least 320-bit plaintext space, so it is impossible tobe evaluated in practice. Meanwhile, our scheme can compute the approximate value with 15 bitsof precision in about 315ms. Moreover, upon input with 20 bits of precision of x for 1/2 ≤ x ≤ 1,we may compute its multiplicative inverse x−1 with only 8 homomorphic multiplications and depth5, and its implementation takes about 168ms.

1 For an integer W , we first decompose our messages modulo W and then evaluate the function over theintegers. More precisely, an initial message can be represented as mi =

∑rj=0mi,j ·W j for mi,j ∈ [0,W )

and r = blogW 2ηc. Assume that it is encrypted as a set of (r + 1) · d ciphertexts of mi,j , denote byEnc(mi,j). One can perform

∑j1+j2=l

Enc(mi1,j1) ·Enc(mi2,j2) for 0 ≤ l ≤ 2r, which corresponds to themultiplication of mi1 and mi2 . After log d steps, we obtain a set of ciphertexts of the form cti0≤i≤d·rand then compute

∑d·ri=0 Dec(cti) · W

i as desired. This method provides some parameter/complexitytradeoff, since obtaining a smaller value of t (i.e., log t = d · logW ) makes parameters small but requiresmore number of homomorphic multiplications.

17

Table 3. Implementation results for η = 20 with 80 bits security

FunctionBit precision Circuit

#(HM)Size of modulus Timing

of output depth (log qL) (ms)∏16i=1 xi 15 4

1576

315

x16 4 84

x−1 18 5 8 76 168

References

[ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitivesand circular-secure encryption based on hard learning problems. In Advances in Cryptology-CRYPTO 2009, pages 595–618. Springer, 2009.

[ACS02] Joy Algesheimer, Jan Camenisch, and Victor Shoup. Efficient computation modulo a shared se-cret with application to the generation of shared safe-prime products. In Advances in Cryptology- CRYPTO 2002, pages 417–432. Springer, 2002.

[BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic en-cryption without bootstrapping. In Proc. of ITCS, pages 309–325. ACM, 2012.

[BLLN13] Joppe W Bos, Kristin Lauter, Jake Loftus, and Michael Naehrig. Improved security for aring-based fully homomorphic encryption scheme. In Cryptography and Coding, pages 45–64.Springer, 2013.

[BLN14] Joppe W Bos, Kristin Lauter, and Michael Naehrig. Private predictive analysis on encryptedmedical data. Journal of biomedical informatics, 50:234–243, 2014.

[Bra12] Zvika Brakerski. Fully homomorphic encryption without modulus switching from classicalGapSVP. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 ofLecture Notes in Computer Science, pages 868–886. Springer, 2012.

[BV11a] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (stan-dard) LWE. In Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations ofComputer Science, FOCS’11, pages 97–106. IEEE Computer Society, 2011.

[BV11b] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from Ring-LWEand security for key dependent messages. In Phillip Rogaway, editor, CRYPTO 2011, volume6841 of Lecture Notes in Computer Science, pages 505–524. Springer, 2011.

[cDSM15] Gizem S. Cetin, Yarkın Doroz, Berk Sunar, and William J. Martin. An investigation of com-plex operations with word-size homomorphic encryption. Cryptology ePrint Archive, Report2015/1195, 2015. http://eprint.iacr.org/2015/1195.

[CLT14] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi. Scale-invariant fully homo-morphic encryption over the integers. In Public-Key Cryptography–PKC 2014, pages 311–328.Springer, 2014.

[CS15] Jung Hee Cheon and Damien Stehle. Fully homomophic encryption over the integers revisited.In Advances in Cryptology–EUROCRYPT 2015, pages 513–536. Springer, 2015.

[CSVW16] Anamaria Costache, Nigel P. Smart, Srinivas Vivek, and Adrian Waller. Fixed point arithmeticin she schemes. Cryptology ePrint Archive, Report 2016/250, 2016. http://eprint.iacr.org/2016/250.

[DGHV10] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphicencryption over the integers. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 ofLecture Notes in Computer Science, pages 24–43. Springer, 2010.

[DGL+15] Nathan Dowlin, Ran Gilad, Kim Laine, Kristin Lauter, Michael Naehrig, and John Werns-ing. Manual for using homomorphic encryption for bioinformatics. 2015. http://research.

microsoft.com/pubs/258435/ManualHE.pdf.[DM15] Leo Ducas and Daniele Micciancio. Fhew: Bootstrapping homomorphic encryption in less than

a second. In Advances in Cryptology–EUROCRYPT 2015, pages 617–640. Springer, 2015.

18

[DNT12] Morten Dahl, Chao Ning, and Tomas Toft. On secure two-party integer division. In FinancialCryptography and Data Security, pages 164–178. Springer, 2012.

[Ein05] Bo Einarsson. Accuracy and reliability in scientific computing, volume 18. SIAM, 2005.[Gen09] Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009.

http://crypto.stanford.edu/craig.[GHS12a] Craig Gentry, Shai Halevi, and Nigel P. Smart. Better bootstrapping in fully homomorphic

encryption. In Public Key Cryptography–PKC 2012, pages 1–16. Springer, 2012.[GHS12b] Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic evaluation of the AES circuit.

In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012,volume 7417 of Lecture Notes in Computer Science, pages 850–867. Springer, 2012.

[Gol91] David Goldberg. What every computer scientist should know about floating-point arithmetic.ACM Computing Surveys (CSUR), 23(1):5–48, 1991.

[GSW13] Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with er-rors: Conceptually-simpler, asymptotically-faster, attribute-based. In Advances in Cryptology–CRYPTO 2013, pages 75–92. Springer, 2013.

[Hig02] Nicholas J Higham. Accuracy and stability of numerical algorithms. Siam, 2002.[HS13] Shai Halevi and Victor Shoup. Design and implementation of a homomorphic-encryption library.

IBM Research (Manuscript), 2013.[HS15] Shai Halevi and Victor Shoup. Bootstrapping for helib. In Advances in Cryptology–

EUROCRYPT 2015, pages 641–670. Springer, 2015.[Jak06] Thomas Jakobsen. Secure multi-party computation on integers. PhD thesis, Master Thesis

University of Aarhus, Denmark, 2006.[KL15] Miran Kim and Kristin Lauter. Private genome analysis through homomorphic encryption.

BMC medical informatics and decision making, 15(Suppl 5):S3, 2015.[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors

over rings. In Advances in Cryptology - EUROCRYPT 2010, pages 1–23, 2010.[Pei09] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: Extended

abstract. In Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing,STOC ’09, pages 333–342, New York, NY, USA, 2009. ACM.

[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. InProceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC’05, pages 84–93, New York, NY, USA, 2005. ACM.

[TH02] Bahman P Tabaei and William H Herman. A multivariate logistic regression equation to screenfor diabetes development and validation. Diabetes Care, 25(11):1999–2003, 2002.

[Vol13] Heribert Vollmer. Introduction to circuit complexity: a uniform approach. Springer Science &Business Media, 2013.

[Wil61] James H. Wilkinson. Error analysis of direct methods of matrix inversion. pages 281–330, 1961.http://dl.acm.org/citation.cfm?id=321076.