Faster Homomorphic Encryption: Multiplying Ciphertexts with Greater Efficiency

Author: Denis Avetisyan

New optimizations to ciphertext multiplication are unlocking faster and more practical computations within the realm of homomorphic encryption.

This review details improvements to the CKKS scheme, focusing on streamlined relinearization and rescaling techniques for multi-input ciphertext multiplication.

While homomorphic encryption (HE) promises privacy-preserving computation on encrypted data, practical implementations are often bottlenecked by the complexity of ciphertext multiplication, particularly with more than two inputs. This work, ‘Multi-Input Ciphertext Multiplication for Homomorphic Encryption’, addresses this limitation by introducing optimizations to multi-input ciphertext multiplication for the CKKS scheme, enabling efficient computation through combined relinearization and rescaling techniques. Specifically, the authors demonstrate significant reductions in logic area and latency-up to 45%-through a multi-level rescaling approach and optimized hardware architectures. Could these advancements unlock broader adoption of HE in resource-constrained applications and complex machine learning workflows?

The Illusion of Privacy: Why Encryption Isn’t Enough

The escalating volume of data generated and shared digitally has created a paradox: while data-driven insights are increasingly valuable, so too is the need to protect the sensitive information contained within it. Traditional data processing methods require decryption before analysis, exposing data to potential breaches and compromising privacy. This creates a critical demand for technologies that enable computation without revealing the underlying data. Industries handling personal health information, financial records, or confidential business strategies are particularly vulnerable, and increasingly subject to stringent data protection regulations. The ability to process encrypted data directly – maintaining confidentiality throughout the entire computational pipeline – is no longer a theoretical advantage, but a fundamental necessity for maintaining trust and enabling innovation in the digital age.

Homomorphic Encryption (HE) presents a revolutionary approach to data processing, allowing computations to be performed directly on ciphertext without requiring prior decryption. This capability holds immense promise for safeguarding sensitive information in various applications, from secure cloud computing to privacy-preserving machine learning. However, translating this theoretical potential into practical reality is fraught with challenges. Current HE schemes introduce noise during computations; each operation increases this noise level. If the noise grows too large, the resulting ciphertext becomes corrupted, and decryption yields incorrect results. Consequently, the complexity of computations achievable with HE is currently limited, necessitating the development of innovative techniques to manage noise accumulation and expand the scope of practical applications. Efficient noise control mechanisms are therefore central to unlocking the full potential of HE and realizing its vision of a truly privacy-respecting computational landscape.

A fundamental challenge in homomorphic encryption lies in the inevitable accumulation of noise during computations. Each operation performed on encrypted data introduces a small amount of error, analogous to static on a radio signal. While the encryption scheme is designed to tolerate some noise, successive operations amplify it. This amplification ultimately limits the depth – and therefore the complexity – of calculations that can be performed before the result becomes undecipherable. Researchers are actively exploring techniques, such as bootstrapping and leveled homomorphic encryption, to mitigate this noise accumulation and enable more sophisticated analyses of sensitive data without decryption. Effectively managing this noise is therefore paramount to realizing the full potential of privacy-preserving computation and broadening its applicability to complex real-world problems.

The practical realization of homomorphic encryption’s potential hinges on innovative techniques to mitigate noise accumulation during computation. Each operation performed on encrypted data introduces a degree of noise, and without careful management, this noise quickly overwhelms the signal, rendering the result undecipherable. Researchers are actively exploring diverse approaches – including optimized encryption schemes, bootstrapping techniques to refresh ciphertexts, and specialized hardware acceleration – to constrain noise growth. These advancements aren’t merely theoretical refinements; they directly impact the feasibility of deploying HE in applications like secure machine learning, confidential data analysis, and privacy-preserving cloud services, paving the way for a future where data can be utilized without compromising its confidentiality. Ultimately, breakthroughs in noise management will determine whether homomorphic encryption transitions from a promising concept to a ubiquitous tool for data security.

CKKS: A Pragmatic Compromise in a World of Ideals

The CKKS scheme facilitates computations on encrypted real numbers by representing data as approximations, allowing for a trade-off between computational cost and result precision. Unlike schemes requiring exact arithmetic, CKKS introduces controlled noise during operations; this enables efficient polynomial arithmetic, specifically using techniques like the Number Theoretic Transform (NTT) for fast multiplication in the ring. The level of approximation, and therefore the noise introduced, is configurable, allowing users to balance security-higher noise provides greater confidentiality-with accuracy requirements for the specific application. This approximate nature is crucial for practical implementation, as it avoids the exponential growth of ciphertext sizes and computational complexity associated with exact computations on encrypted data.

Ring Noise Sums (RNS) representation in the CKKS scheme decomposes computations into multiple smaller moduli, effectively replacing a single large modulus operation with several parallel operations on smaller moduli. This decomposition simplifies modular arithmetic, as operations like addition and multiplication become coefficient-wise operations within each modulus. The use of multiple moduli also allows for parallel computation, accelerating the overall process. Specifically, an integer is represented as a tuple of residues $(a_1, a_2, ..., a_n)$ , where $a_i$ is the residue modulo the $i$ -th modulus $m_i$ . This approach mitigates the growth of noise during computations by distributing it across the multiple moduli, contributing to the scheme’s efficiency and practicality.

Ring Noise Sums (RNS) representation in the CKKS scheme utilizes modulus switching to control noise growth during homomorphic encryption operations. Rather than performing all computations with a single, large modulus, RNS decomposes the computation into multiple smaller moduli $\{m_1, m_2, ..., m_k\}$ . Each operation is performed independently on each modulus, and the results are combined using the Chinese Remainder Theorem (CRT). This decomposition significantly reduces the size of intermediate values, thereby limiting noise accumulation. Crucially, the scheme incorporates modulus switching techniques that allow the ciphertext to be converted between different sets of moduli during the computation. This is vital because the noise level varies across moduli, and switching enables the selection of moduli with sufficient space to accommodate the growing noise without causing decryption failures. The careful management of modulus switching is a core component of maintaining accuracy and enabling practical computation with CKKS.

Efficient polynomial multiplication is a core component of the CKKS scheme due to its prevalence in homomorphic encryption operations. Directly multiplying polynomials with encrypted coefficients is computationally expensive. To mitigate this, the Number Theoretic Transform (NTT) is employed. NTT transforms the polynomials from coefficient representation to point-value representation, converting the multiplication of polynomials into element-wise multiplication of their point values. This simplifies the operation significantly, reducing complexity from $O(n^2)$ to $O(n \log n)$ , where ‘n’ represents the degree of the polynomial. Following the multiplication in the point-value domain, an inverse NTT (INTT) is applied to convert the result back to coefficient representation, yielding the encrypted result of the polynomial multiplication.

Squeezing Every Cycle: Optimizations for a Resource-Hungry Future

Ciphertext multiplication is a core operation within numerous cryptographic applications, notably those leveraging homomorphic encryption schemes. These applications include privacy-preserving machine learning, secure multi-party computation, and fully homomorphic encryption (FHE)-based data analytics. The frequency of this operation stems from the need to perform computations directly on encrypted data without decryption, thus preserving data confidentiality. Consequently, the efficiency of ciphertext multiplication significantly impacts the overall performance of these applications, making it a critical area for optimization and hardware acceleration. The demand for faster multiplication arises from the computational intensity of real-world datasets and complex algorithms implemented within these secure computing paradigms.

Three-Input Ciphertext Multiplication represents an optimization over traditional two-input multiplication by processing three ciphertexts simultaneously. This approach reduces the total number of multiplication operations required for a given number of ciphertexts, directly improving computational efficiency. While standard two-input multiplication requires $n-1$ operations for $n$ ciphertexts, a three-input scheme can reduce this to approximately $n/3$ operations. This reduction in operations translates to lower latency and reduced area requirements in hardware implementations, although it introduces increased complexity in the multiplier design itself to accommodate the processing of three inputs concurrently.

Multi-Input Ciphertext Multiplication represents a generalization of two-input and three-input multiplication schemes, enabling the simultaneous multiplication of more than three ciphertexts. However, the performance of multi-input multiplication is constrained by both multiplicative depth and the necessity of combined rescaling. Multiplicative depth, referring to the number of sequential multiplication operations, directly impacts latency. Combined rescaling is required to manage noise growth inherent in homomorphic encryption, but introduces computational overhead; while traditional rescaling operates on individual ciphertexts, combined rescaling must address the accumulated noise from multiple multiplications simultaneously, adding complexity to the process and potentially limiting scalability.

Combined rescaling optimizes traditional rescaling methods used in ciphertext multiplication by reducing computational complexity. This technique is critical because multi-input multiplications accumulate noise with each operation; effective noise management is therefore essential for maintaining accuracy. Recent implementations of combined rescaling have demonstrated performance improvements, achieving up to a 45% reduction in latency and a 32% reduction in hardware area when compared to architectures utilizing binary trees of two-input multipliers.

Polynomial Multiplication: The Engine of Encrypted Computation

The core of many homomorphic encryption (HE) schemes relies heavily on the efficient multiplication of polynomials. These schemes transform data into an encrypted form that allows computations to be performed directly on the ciphertext, and polynomial multiplication is a fundamental operation within these computations. Because HE schemes often involve repeated polynomial multiplications – especially during tasks like decryption or complex function evaluation – the speed of this operation directly impacts the overall performance of the entire encryption process. Consequently, optimizing polynomial multiplication is not merely a performance tweak, but a necessity for realizing practical and scalable HE applications, enabling the processing of sensitive data without exposing it in plaintext. $f(x) * g(x)$ must be performed rapidly and with minimal computational resources to achieve meaningful throughput.

To expedite polynomial multiplication – a core operation in many cryptographic schemes – researchers employ techniques like the Karatsuba algorithm and Barrett reduction. The Karatsuba algorithm cleverly reduces the number of multiplications needed by recursively breaking down the problem into smaller subproblems, moving from a complexity of $O(n^2)$ to $O(n^{log_2 3})$ , where ‘n’ represents the degree of the polynomials. Complementing this, Barrett reduction efficiently computes the remainder of a large number after division, crucial for keeping coefficients within manageable bounds during multiplication and preventing overflow. By minimizing both the number of multiplications and the size of intermediate results, these techniques significantly decrease computational overhead, leading to faster and more practical implementations of polynomial-based cryptography.

Minimizing computational complexity is paramount in polynomial multiplication, and recent advancements demonstrate significant performance gains through algorithmic optimization. The Karatsuba algorithm and Barrett reduction techniques reduce the total number of operations needed, directly translating to lower computational overhead and faster processing times. A newly designed three-input multiplier exemplifies this progress, achieving a notable 15% reduction in circuit area alongside a 50% decrease in latency when contrasted with previous designs. This improvement isn’t merely theoretical; it represents a substantial step toward practical, efficient implementation of homomorphic encryption schemes and enables more complex computations on sensitive, encrypted data with reduced resource demands.

The convergence of optimized polynomial multiplication – leveraging techniques like Karatsuba and Barrett reduction – with efficient rescaling and multi-input multiplication strategies dramatically expands the scope of computations possible on encrypted data. Prior limitations imposed by the computational intensity of these operations are substantially alleviated, fostering practical applications in areas such as secure machine learning, privacy-preserving data analysis, and confidential cloud computing. This synergistic approach not only minimizes processing overhead but also unlocks the potential for complex algorithms to be executed directly on ciphertext, thereby eliminating the need for decryption and significantly bolstering data security. The resultant acceleration and reduction in resource requirements pave the way for wider adoption of homomorphic encryption in real-world scenarios, enabling secure data processing without compromising confidentiality.

The pursuit of efficient homomorphic encryption, as demonstrated in this work with optimized ciphertext multiplication for the CKKS scheme, feels perpetually Sisyphean. Each innovation – the combined relinearization and rescaling, the reduction in NTT complexity – merely delays the inevitable arrival of larger datasets and more complex computations. As Robert Tarjan aptly stated, “The best algorithm is the one that solves the problem.” However, the ‘problem’ invariably expands to consume any gains achieved. This paper diligently addresses the immediate challenges of multi-input computation, yet one suspects production environments will swiftly discover novel ways to expose limitations, confirming the enduring truth that elegant theory often collides with the harsh realities of scale.

What’s Next?

The improvements to ciphertext multiplication detailed within will, predictably, find their limits. Optimizing relinearization and rescaling is a perpetual game of diminishing returns. Each refinement introduces new constants, new dependencies, and eventually, new bottlenecks. Production systems rarely operate on idealized inputs; the inevitable noise accumulation from real-world data will necessitate even more aggressive parameter tuning, further eroding any gains achieved through algorithmic cleverness. The question isn’t whether these techniques are elegant, but rather how much engineering effort will be required to keep them functioning in the face of uncooperative data.

A continued focus on multi-input computation is logical, but the field should acknowledge that reducing complexity often simply shifts it elsewhere. The current trajectory seems fixated on accelerating the mathematics, yet the most significant costs remain the practicalities of key management, parameter selection, and debugging. Any future architecture claiming a breakthrough should include a thorough accounting of these ‘invisible’ expenses. If the code looks perfect, no one has deployed it yet.

Ultimately, the promise of fully homomorphic encryption rests on the assumption that theoretical efficiency can outweigh the inherent overhead. The history of computing suggests a different outcome. It is far more likely that specialized hardware, or perhaps a pragmatic acceptance of limited homomorphic capabilities, will prove more fruitful than endlessly refining the mathematics. This work is a step, certainly, but a small one on a very long, and likely frustrating, road.

Original article: https://arxiv.org/pdf/2601.15401.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

The Illusion of Privacy: Why Encryption Isn’t Enough

CKKS: A Pragmatic Compromise in a World of Ideals

Squeezing Every Cycle: Optimizations for a Resource-Hungry Future

Polynomial Multiplication: The Engine of Encrypted Computation

What’s Next?

See also: