Bootstrapping Optimization Techniques for the FINAL Fully Homomorphic Encryption Scheme

Abstract

With the advent of cloud computing and the era of big data, there is an increasing focus on privacy computing. Consequently, homomorphic encryption, being a primary technique for achieving privacy computing, is held in high regard. Nevertheless, the efficiency of homomorphic encryption schemes is significantly impacted by bootstrapping. Enhancing the efficiency of bootstrapping necessitates a dual focus: reducing the computational burden of outer product operations integral to the process while rigorously constraining the noise generated by bootstrapping within predefined threshold limits. The FINAL scheme is a fully homomorphic encryption scheme based on the number theory research unit (NTRU) and learning with errors (LWE) assumptions. The performance of the FINAL scheme is better than that of the TFHE scheme, with faster bootstrapping and smaller bootstrapping and key-switching keys. In this paper, we introduce ellipsoidal Gaussian sampling to generate keys $\mathit{f}$ and $\mathit{g}$ in the bootstrapping of the FINAL scheme, so that the standard deviations of keys $\mathit{f}$ and $\mathit{g}$ are different and reduce the bootstrapping noise by 76%. However, when q is fixed, the boundary for bootstrapping noise remains constant. As a result, larger decomposition bases are used in bootstrapping to reduce the total number of polynomial multiplications by 47%, thus improving the efficiency of the FINAL scheme. The optimization scheme outperforms the original FINAL scheme with 33.3% faster bootstrapping, and the memory overhead of blind rotation keys is optimized by 47%.

1. Introduction

FHE is an encryption scheme that evaluates encrypted data without decrypting it, and the decrypted results are the same as the outputs of the corresponding operations on the plaintext. Fully homomorphic encryption can achieve ciphertext protection of the whole life cycle of data. It has a wide range of application requirements in artificial intelligence, privacy computing, cloud computing, blockchain security, anonymous authentication and other fields.

In 2009, Gentry presented the first feasible homomorphic encryption scheme, and also presented a theoretical framework for constructing homomorphic encryption schemes. The theoretical framework constructs a somewhat homomorphic encryption scheme, and then implements fully homomorphic encryption through bootstrapping. Considering the security of the scheme, some homomorphic encryption schemes need to introduce noise. The noise reduces the security of the encryption scheme to computationally hard mathematical problems (e.g., LWE), thereby preventing the secret key from being easily compromised. The noise grows slightly during homomorphic addition, and explosively during homomorphic multiplication, and once the noise exceeds a certain threshold, a decryption error will occur. Therefore, we must carry out noise reduction operations to ensure proper decryption. Bootstrapping is the most effective operation to reduce ciphertext noise. In his groundbreaking work, Gentry established the following fundamental theorem: If a scheme can homomorphically evaluate its own decryption circuit (i.e., supports bootstrapping), then it can be transformed into a fully homomorphic encryption (FHE) scheme. This theorem demonstrates that bootstrapping serves as a sufficient condition for achieving FHE. Critically, no known techniques—such as modulus-switching or key-switching—can fully eliminate noise accumulation without relying on bootstrapping. However, bootstrapping computation is expensive and becomes the bottleneck of computation performance of all homomorphic encryption algorithms.

There are two major lines of FHE schemes. The first is BGV and its variants [1,2,3,4,5]. These works encrypt a vector of N messages using an RLWE ciphertext. The somewhat homomorphic encryption scheme used in the schemes enable leveled fully homomorphic encryption (leveled FHE) by introducing noise reduction techniques (modulus-switching and the rescale technique), that is, the circuit can homomorphically execute any bounded depth of the circuit with the circuit depth as the input parameter. Therefore, in the process of bootstrapping, the security assumption of the sparse subsets sum is no longer relied on to compress the decryption circuit. In this way, the security of schemes are based on lattice problems with quasi-polynomial approximation factors. Since the ciphertext of the schemes is a vector form, it is necessary to introduce the “evaluation key” in the process of homomorphic evaluation. Moreover, this kind of scheme supports packaging and parallel operation, enabling the simultaneous processing of multiple plaintext bits, thereby possessing significant application potential. At present, the open-source libraries HElib, SEAL and HEAAN based on BGV, BFV and CKKS, are widely used.

The second line of work starts with FHEW [6] and TFHE [7,8] and is later improved by FINAL [9]. These works are based on GSW and its variants and support bootstrapping in tens of milliseconds. The noise growth in the homomorphic evaluation is asymmetric. And this makes previous noise reduction techniques no longer applicable. Therefore, Gentry et al. [10] proposed a flattening technique to achieve leveled fully homomorphic encryption. Moreover, according to the characteristics of noise growth, Alperin-Sheriff et al. designed a fast bootstrapping algorithm [11]. At present, the open source libraries designed based on this kind of scheme mainly include FHEW and TFHE. Among them, TFHE only takes 13 ms to bootstrap one bit of information. In 2022, Charlotte Bonte et al. [9] proposed an NTRU-based GSW-like scheme (NGS) and constructed a FINAL fully homomorphic encryption scheme. The FINAL scheme outperformed TFHE with 28% faster bootstrapping.

At present, bootstrapping is the only way to achieve homomorphic encryption, and it is also the main reason for the low efficiency of homomorphic encryption. Therefore, bootstrapping is the core and key of the whole homomorphic encryption scheme.

Notably, schemes such as TFHE and FHEW present stronger optimization incentives compared to BGV-type frameworks. This is primarily due to their inherently frequent bootstrapping requirements in practical applications (e.g., deep circuit evaluations), where even marginal reductions in the per-bootstrap overhead yield significant cumulative gains. Furthermore, TFHE’s and FHEW’s noise growth profiles are more sensitive to parameter adjustments, amplifying the impact of noise optimizations on overall feasibility and performance. In contrast, BGV’s leveled architecture inherently limits bootstrapping frequency, diminishing the relative urgency of optimizing its bootstrap mechanics. Critically, the FINAL bootstrapping scheme—specifically designed as an optimized variant of TFHE’s bootstrapping—demonstrates even greater potential for refinement.

In this work, our contributions are as follows.

(1) We adopt the ellipsoidal Gaussian sampling method to select keys f and g for the NGS basic encryption scheme. In the original FINAL scheme, the standard deviations of keys f and g are the same, while the bootstrapping noise is more dependent on the standard deviation of key g. The larger the standard deviation of g, the larger the bootstrapping noise. Hence, in the optimization scheme, the bootstrapping optimization technique based on the ellipsoidal Gaussian is used to make the standard deviation of key f and g samples expand and shrink by the same multiple, respectively, and as the standard deviation of g becomes smaller, the bootstrapping noise becomes smaller. Therefore, we can better adjust the parameters of the FINAL scheme within a certain noise bound.

(2) We adjust the parameters of the FINAL scheme to analyze the influence of different decomposition bases and their weights on the bootstrapping noise and efficiency, and propose an optimization scheme based on the FINAL scheme. The optimization scheme was 33.3% faster than the original FINAL scheme.

The organizational structure of this paper is as follows. Section 3 introduces preliminary knowledge. Section 4 describes the bootstrapping procedure of the FINAL scheme and provides a more detailed analysis of the bootstrapping noise. Then, we propose the bootstrapping optimization technique based on the ellipsoidal Gaussian. Section 5 explains the effects of different parameters on the FINAL scheme and how to optimize the parameters of the FINAL scheme, and introduces a bootstrapping optimization technique based on the ellipsoidal Gaussian. Section 6 shows the security analysis of the scheme, and Section 7 summarizes this paper.

2. Related Work

In recent years, research on lattice-based fully homomorphic encryption (FHE) schemes has flourished and numerous schemes have been proposed, and there have been improvements and innovations based on them.

Gentry [12] constructed the first fully homomorphic encryption algorithm in 2009, which was truly groundbreaking and opened the curtain on research into fully homomorphic encryption. In 2013, Gentry et al. [10] proposed a GSW for fully homomorphic encryption based on approximate eigenvectors without the key-switching technique for dimensional reduction. Brakerski et al. [2] proposed the BGV fully homomorphic encryption algorithm in 2014, based on the learning with errors (LWE) assumption, which uses dimension reduction and modulus reduction to control noise, breaking the original Gentry compression circuit to control noise. In 2015, Ducas and Micciancio [6] proposed the FHEW scheme, which uses a variant of the GSW scheme as an accumulator and uses this accumulator to refresh the (bootstrapping) ciphertexts, which improves the bootstrapping efficiency. Chillotti et al. [7] proposed the TFHE scheme at Asiacrypt 2016, which replaced the product of TGSW ciphertext (matrix) and TGSW ciphertext (matrix) in the FHEW scheme with the external product of TGSW ciphertext (matrix) and TLWE ciphertext (vector). The time required for bootstrapping decreases from less than 1 s to less than 0.1 s, and the size of the bootstrapping key reduces from 1 GB to 24 MB. In 2017, Chillotti et al. [8] proposed a blind rotation algorithm and used two different techniques (called horizontal packing and vertical packing) to improve the evaluation of parity circuits. Charlotte Bonte et al. [9] proposed an NTRU-based GSW-like scheme (NGS) and constructed a FINAL fully homomorphic encryption scheme by combining the LWE encryption scheme with the NGS bootstrapping scheme in 2022. The FINAL scheme outperforms TFHE with 28% faster bootstrapping and 45% smaller bootstrapping and key-switching keys.

Based on a recent, more detailed analysis of the FINAL scheme [9], we find that the bootstrapping noise of the FINAL scheme is more dependent on the standard deviation of key g of the NGS scheme, and the scheme still has space for optimization in the choice of parameters. Based on this, we can perform optimization to improve the efficiency of bootstrapping of the FINAL scheme.

3. Preliminaries

3.1. Symbols and Parameters

The mathematical notations used in this paper are described in

Table 1. Mathematical notations.

Notation	Description
$\mathbf{a}$	Lowercase bold letters represent vectors
$\mathbf{A}$	Capital bold letters represent matrices
$\mathbb{Z}$	Ring of integers
$\mathbb{N}$	The set of natural numbers
$\mathbb{R}$	The set of real numbers
N	A power of two
$\mathbf{0}$	Zero vector
$\epsilon ,{\epsilon }^{\prime }$	The rounding error, $\left|\epsilon \right|,\left|{\epsilon }^{\prime }\right|\le 1/2$
${\mathrm{col}}_i\left(\mathbf{A}\right)$	The $i+1$-th column of a matrix $\mathbf{A}$
${\mathrm{row}}_i\left(\mathbf{A}\right)$	The $i+1$-th row of a matrix $\mathbf{A}$
$\mathbf{a}·\mathbf{b}$	The inner product of $\mathbf{a}$ and $\mathbf{b}$
$\mathbf{a}\otimes \mathbf{b}$	The external product of $\mathbf{a}$ and $\mathbf{b}$
$∥\mathbf{a}∥$	The infinite norm of $\mathbf{a}$
$\mathbb{M}$	$\mathbb{M}=\{\pm b·X^k:b\in \{0,1\},k\in \mathbb{N}\}$
R	$R=\mathbb{Z}\left[X]\right./<X^N+1>$
$R_Q$	$R/QR={\mathbb{Z}}_Q\left[X\right]/<X^N+1>$
$\Phi \left(f\right)\in {\mathbb{Z}}^{N\times N}$	The matrix reverse circulation of f
$\varphi \left(f\right)\in {\mathbb{Z}}^N$	f of the coefficient vector

.

3.2. Gaussian Distribution and Sub-Gaussian Distribution

Definition 1 

(Discrete Gaussian distribution [13]). For $\forall c\in \mathbb{R}$, c is the center of the Gaussian distribution, and the Gaussian parameter is $\sigma \in {\mathbb{R}}^{+}$. The discrete Gaussian distribution is defined as follows:

$$\begin{array}{c}\hfill {\rho }_{\sigma ,c}\left(x\right)=\exp (-{\displaystyle \frac{{\left|x-c\right|}^2}{2·{\sigma }^2}})\end{array}$$

(1)

where $\sigma ,c\in \mathbb{R}>0$ is the standard deviation, and c is the mean. Therefore, ${\rho }_{\sigma ,c}\left(\mathbb{Z}\right)={\sum }_{i=-\infty }^{\infty }{\rho }_{\sigma ,c}\left(i\right)$. The probability of $x\in \mathbb{Z}$ is given by ${\rho }_{\sigma ,c}\left(x\right)/{\rho }_{\sigma ,c}\left(\mathbb{Z}\right)$, and if $c=0$, then the distribution is represented by ${\chi }_{\sigma }$.

Definition 2 

(Sub-Gaussian distribution). The random variable V over $\mathbb{R}$ is $\alpha \text{—}$sub-Gaussian when it satisfies the condition of

$$\begin{array}{c}\hfill \mathbb{E}\left[\exp (t·V)\right]\le {\displaystyle \frac{1}{2}}\exp ({\alpha }^2·t^2)\end{array}$$

(2)

where $\forall t\in \mathbb{R}$. From the definition, it can be seen that $Var\left(V\right)\le {\alpha }^2$.

Lemma 1 

([14]). If $\mathbf{x}$ is a discrete random vector over ${\mathbb{R}}^n$, let the component of $\mathbf{x}$ be $x_i$, and $x_i$ be ${\alpha }_i\text{—}$sub-Gaussian; then, $\mathbf{x}$ is said to be an $\alpha \text{—}$sub-Gaussian distribution, where $\alpha ={\max }_{i\in \left[n\right]}{\alpha }_i$.

3.3. Digital Decomposition

Given the integer q and the decomposition base B, let $l=⌈{\log }_{B}q⌉$, and define ${\mathfrak{g}}_{q,B}=(B^0,\cdots ,B^{l-1})$; for $\forall k\in {\mathbb{Z}}_q$, define its decomposition under base B as ${\mathfrak{g}}^{-1}\left(k\right)=(k_0,\cdots ,k_{l-1})$, and obtain

$$\begin{array}{c}\hfill {\mathfrak{g}}^{-1}\left(k\right)·\mathfrak{g}=k_0·B^0+\cdots +k_{l-1}·B^{l-1}=k\end{array}$$

(3)

For $\forall f\in R_Q$, define ${\mathfrak{g}}^{-1}\left(f\right)={\sum }_{i=0}^{N-1}{\mathfrak{g}}^{-1}\left(f_i\right)X^i$, and obtain

$$\begin{array}{c}\hfill {\mathfrak{g}}^{-1}\left(f\right)·\mathfrak{g}={\sum }_{i=0}^{N-1}{\mathfrak{g}}^{-1}\left(f_i\right)·\mathfrak{g}·X^i={\sum }_{i=0}^{N-1}\left(f_{i,0},\cdots ,f_{i,l-1}\right)·\left(B^0,\cdots ,B^{l-1}\right)·X^i={\sum }_{i=0}^{N-1}{f}_i·X^i=f\end{array}$$

(4)

The digital decomposition ${\mathfrak{g}}^{-1}$ can be deterministic or randomized [14,15].

3.4. NTRU Problems

Definition 3 

(NTRU [9]). Let $N>0$ and $Q>1$ be integers, $R:=\mathbb{Z}\left[X\right]/<X^N+1>$. Let the real number $\sigma >0$, $g,f\leftarrow {\chi }_{\sigma }^N$ and f be invertible in $R_Q$.

The $(n,q,\sigma )-\mathit{NTRU}$ computational problem aims to recover f and g under a given $h=g·f^{-1}\mathrm{mod}Q$.

The $(n,q,\sigma )-\mathit{NTRU}$ decision problem aims to distinguish between ${\chi }_{\sigma }^N$ distribution and uniform random distribution on $R_Q$.

Damien Stehlé and Ron Steinfeld [16] showed that if the secret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain at Eurocrypt 2011. Pellet-Mary et al. [17] reduced the worst-case approximate Shortest Vector Problem over ideal lattices to an average-case search variant of the NTRU problem at Asiacrypt 2021. Therefore, the cryptographic scheme based on the NTRU problem also has provable security.

3.5. LWE Problems

Definition 4 

(LWE [18]). Let $N>0$ and $q>1$ be integers, and χ be an error probability distribution on ${\mathbb{Z}}_q$. Secret vector $\mathbf{s}\in {\mathbb{Z}}_q^n$, random vector $\mathbf{a}\in {\mathbb{Z}}_q^n$, error vector $e\leftarrow \chi$, and output LWE distribution: $(\mathbf{a},b=\mathbf{a}·\mathbf{s}+e\mathrm{mod}q)\in {\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$.

The $(n,q,\chi ,m)-\mathit{LWE}$ computational problem aims to solve the secret vector $\mathbf{s}$ given $(\mathbf{a},b)$.

The $(n,q,\chi ,m)-\mathit{LWE}$ decision problem aims to distinguish between LWE distribution and uniform distribution on ${\mathbb{Z}}_q^n\times {\mathbb{Z}}_q$.

More detailed descriptions are as follows.

Error Distribution ($\chi$): Typically a discrete Gaussian distribution centered at 0 with standard deviation $\sigma$. The error magnitude is bounded to ensure decryptability in encryption schemes.

Parameters and Hardness: Dimension (n): Higher n increases security but reduces efficiency. Modulus (q): A prime or power-of-two, balancing noise growth and security. Hardness Reduction: LWE is as hard as solving worst-case lattice problems (e.g., GapSVP, SIVP).

Decision-to-Search Reduction: The decisional LWE problem is polynomially equivalent to the search variant under certain parameter conditions [18]. This equivalence underpins the semantic security of LWE-based cryptosystems.

3.6. LWE-Based Encryption Scheme

$\mathrm{LWE}.\mathrm{SercretKeygen}\left(1^{\lambda }\right)$: randomly and uniformly select the vector $\mathbf{s}\in {\mathbb{Z}}_q^n$, and output key $\mathbf{s}$.

$\mathrm{LWE}.\mathrm{Enc}(\mathbf{s},m)$: $m\in \left\{0,1\right\}$, randomly and uniformly select the vector $\mathbf{a}\in {\mathbb{Z}}_q^n$, select the error vector $e\leftarrow \chi$, calculate $b\leftarrow \mathbf{a}·\mathbf{s}-e$, and output ${\mathbf{c}}_{\mathbf{1}}=\mathbf{a},c_2=(\Delta ·m-b)\in {\mathbb{Z}}_q$, i.e., (${\mathbf{c}}_{\mathbf{1}},c_2)$. Among them, $\Delta :=\lfloor q/4\rceil$.

$\mathrm{LWE}.\mathrm{Dec}(\mathbf{s},c)$: input $(\mathbf{s},c)$, and output $\frac{4}{q}\left(\right(c_2+{\mathbf{c}}_{\mathbf{1}}·\mathbf{s}\left)\mathrm{mod}q\right)\mathrm{mod}2$.

Here, $\lfloor \rceil$ represents the rounding symbol.

3.7. FHE

The essence of fully homomorphic encryption is homomorphic evaluation, i.e., the results of plaintext calculations are equivalent to the results of ciphertext calculations after decryption. A homomorphic encryption scheme consists of four algorithms: a key generation algorithm, an encryption algorithm, a decryption algorithm and an evaluation algorithm.

$\mathrm{KeyGen}\left(1^{\lambda }\right)$: Input security parameter $\lambda$, and output public key pk, evaluation key evk for ciphertext calculation, and private key sk.

$\mathrm{Enc}(\mathrm{pk},m)$: Given $m\in \left\{0,1\right\}$, use the public key to encrypt message m and output ciphertext c.

$\mathrm{Dec}(\mathrm{sk},c)$: Use private key sk to decrypt ciphertext c and recover message m.

$\mathrm{Eval}(\mathrm{evk},\mathcal{F},c_1,\cdots ,c_l)$: Use the evaluation key evk, and input $c_1,\cdots ,c_l$ and $\mathcal{F}$ to evaluation algorithm Eval, where $\mathcal{F}:{\{0,1\}}^l\to \{0,1\}$, and output ciphertext c.

3.8. Bootstrapping

All common FHE schemes are based on noise encryption (noise guarantees the security of the fresh encryption), where the evaluation of homomorphic operations increases the noise magnitude and reduces the quality, i.e., calculates the budget. The primary use of bootstrapping is to convert exhausted ciphertexts into “equivalent” refreshed ciphertexts. Exhausted ciphertexts contain high noise and cannot be operated on further, whereas refreshed ciphertexts can support further homomorphic operations.

As shown in Figure 1, in a fully homomorphic encryption scheme, we deal with a homomorphic evaluation of the decryption procedure, i.e., bootstrapping, which uses an encrypted secret key and a ciphertext to generate an equivalent ciphertext that we can further compute on. The encrypted secret key, also called a bootstrapping or refreshing key, is provided by the secret key holder as part of the public key material. Bootstrapping strategies are divided into gate bootstrapping [6], circuit bootstrapping [8] and programmable bootstrapping [19].

Gate bootstrapping refers to the fact that this fast bootstrapping is performed to refresh the ciphertext after every gate evaluation. And circuit bootstrapping allows us to execute a larger leveled circuit between each bootstrapping [8]. This paper focuses exclusively on gate bootstrapping.

3.9. Key Circular and Key Circular Security

Encrypt key $sk$ to generate a bootstrapping key, and if the key is still secure after being encrypted by the corresponding public key, then the encryption scheme can achieve circular security. The circular secure encryption scheme can resist related-key attacks. Given the security parameter $\lambda$, let $\mathcal{K}$ be the key space and $f$ be the function from $\mathcal{K}$ to $\mathcal{C}$. A homomorphic encryption scheme $HE=\left\{KeyGen,Enc,Dec,Eval\right\}$ about f satisfies circular security if for all polynomial-time adversaries $\mathcal{A}$, the probability of adversary $\mathcal{A}$ winning the following game is negligible:

(1) The challenger computes $\left(pk,sk,evk\right)\leftarrow KeyGen\left(\lambda \right)$ and randomly chooses a bit $\mathrm{b}\leftarrow \left\{0,1\right\}$.

(2) Let $f_{+}:\mathcal{M}\times \mathcal{M}\to \mathcal{M}$ be a function, and compute $f_{+}\left(x,y\right)=x+y\in \mathcal{M}$. The challenger computes challenge ciphertext c* and sends it to adversary $\mathcal{A}$.

$$\begin{array}{c}\hfill {\mathrm{c}}^{*}=\left\{\begin{array}{cc}Eva{l}_{evk}\left(f_{+},En{c}_{pk}\left(0\right),f\left(sk\right)\right)& b=0\\ En{c}_{pk}\left(0\right)\in \mathcal{C}& \mathrm{otherwise}\end{array}\right.\end{array}$$

(5)

(3) Adversary $\mathcal{A}$ guesses a bit then outputs ${\mathrm{b}}^{\prime }\in \left\{0,1\right\}$. The advantage of adversary $\mathcal{A}$ is defined as $Adv\left(\mathcal{A}\right)=\mathrm{Pr}\left[\mathrm{b}=\mathrm{b}\prime \right]-1/2$. For the FHE scheme based on LWE, $Eva{l}_{evk}\left(f_{+},En{c}_{pk}\left(0\right),f\left(sk\right)\right)$ can be viewed as the ciphertext of $f\left(sk\right)$ [20,21].

This paper assumes that the improvement scheme based on FINAL is key circular security.

3.10. NGS: NTRU-Based GSW-like Scheme

The NGS scheme, inspired by the simplified variant of GSW proposed in [6], has the same quasi-additive noise growth as the GSW scheme and is used as a bootstrapping accumulator. Meanwhile, in order to accelerate bootstrapping, the NGS scheme defines an external product that is the product of scalar NTRU ciphertexts and vector NTRU ciphertexts. Due to the fact that the NGS ciphertexts are never decrypted in the bootstrapping pipeline, we omit the decryption procedure.

The NGS [9] encryption scheme based on NTRU has two encryption functions. The first one encrypts a plaintext m which is a ternary polynomial as an element of $R_Q$, and the other encrypts it as a vector over $R_Q$. To simplify the noise analysis, the scheme assumes that all vector ciphertexts encrypted messages belong to the monomial set $\mathbb{M}$.

3.10.1. Algorithm Description

$\mathrm{NGS}.\mathrm{ParamGen}\left(1^{\lambda }\right)$: Input security parameter $\lambda$, and output ($N,Q,\varsigma ,B,\mathcal{l}$), where B is the decomposition base of the decomposed ciphertext, $\mathcal{l}=\lceil {\log }_B\left(Q\right)\rceil$.

$\mathrm{NGS}.\mathrm{KeyGen}$: Input ($N,Q,\varsigma ,B,\mathcal{l}$), and output $\mathbf{sk}:=f=1+4·f^{\prime }$, where $f=1+4·f^{\prime }$, $f^{\prime }\leftarrow {\chi }_{\varsigma }^N$ and $f^{-1}\in R_Q$;

$\mathrm{NGS}.\mathrm{EncS}(m,\mathbf{sk})$: Input ($m,\mathbf{sk}$), and output $c=g/f+\Delta ·m\in R_Q$, where m is the plaintext of the ternary polynomial to be encrypted, $g\leftarrow {\chi }_{\varsigma }^N$, $\Delta :=\lfloor Q/4\rceil$, and c denotes a scalar encryption of m.$\mathrm{NGS}.\mathrm{EncVec}(m,\mathbf{sk})$: Input ($m,\mathbf{sk}$), and output $\mathbf{c}=\mathbf{g}/f+\mathfrak{g}·m\in R_Q^l$, where $m\in \mathbb{M}=\left\{\pm b·X^k:b\in \left\{0,1\right\},k\in \mathbb{N}\right\}$ is a monomial, defined as $\mathbf{g}:=({\mathrm{g}}_0,\cdots ,{\mathrm{g}}_{\mathcal{l}-1})$, ${\mathrm{g}}_i\leftarrow {\chi }_{\varsigma }^N$($0\le i\le \mathcal{l}-1$), and $\mathbf{c}$ is a vector encryption of m.

3.10.2. External Product

Let a scalar ciphertext be $c=g/f+\Delta ·\mu \in R_Q$, where $\mu$ is a ternary polynomial, and a vector ciphertext is $\mathbf{c}=\mathbf{g}/f+\mathfrak{g}·\nu \in R_Q^l$, where $\nu \in \mathbb{M}$ defines the external product of c and $\mathbf{c}$:

$$\begin{array}{c}\hfill c\otimes \mathbf{c}={\mathfrak{g}}^{-1}\left(c\right)·\mathbf{c}\in R_Q\end{array}$$

(6)

i.e., $c\otimes \mathbf{c}={\mathfrak{g}}^{-1}\left(c\right)·\mathbf{g}/f+{\mathfrak{g}}^{-1}\left(c\right)·\mathfrak{g}·\nu =({\mathfrak{g}}^{-1}\left(c\right)·\mathbf{g}+g·\nu )/f+\Delta ·\mu ·\nu$.

3.10.3. Noise Analysis

Assuming that for all $a\in R_Q$, ${\mathfrak{g}}_{q,B}^{-1}\left(a\right)$ is $\gamma \text{—}$sub-Gaussian, where $\gamma =O\left(B\right)$.

Definition 5 

(Noise of scalar ciphertext [9]). Let a scalar ciphertext be $c=g/f+\Delta ·m\in R_Q$, and define the noise of c as $err\left(c\right)=c·f-\Delta ·m\in R_Q$.

Definition 6 

(Noise of vector ciphertext [9]). Let a vector ciphertext be $\mathbf{c}=\mathbf{g}/f+\mathfrak{g}·m\in R_Q^l$, and define the noise of $\mathbf{c}$ as $err\left(\mathbf{c}\right)=\mathbf{c}·f-\mathfrak{g}·m·f\in R_Q$, which is treated as a polynomial with coefficients in $[-Q/2,Q/2]$ over $\mathbb{Z}\left[X\right]$.

Lemma 2 

(Bound on the noise of a scalar ciphertext [9]). Let a scalar ciphertext be $c=g/f+\Delta ·m\in R_Q$ if m is a monomial in the form of $\pm b·X^k$ (where $b\in \{0,1\}$); then,

$$\begin{array}{c}\hfill Var\left(err\left(c\right)\right)\le Var\left(g\right)+4·{\varsigma }^2\end{array}$$

(7)

If m is a ternary polynomial of $N-1$ degree, then

$$\begin{array}{c}\hfill Var\left(err\left(c\right)\right)\le Var\left(g\right)+4·N·{\varsigma }^2\end{array}$$

(8)

Lemma 3 

(Bound on the noise of a vector ciphertext [9]). Let a vector ciphertext be $\mathbf{c}=\mathbf{g}/f+\mathfrak{g}·m\in R_Q^l$,

$$\begin{array}{c}\hfill err\left(\mathbf{c}\right)=(\mathbf{g}/f+\mathfrak{g}·m)·f-\mathbf{g}·m·f=\mathbf{g}\end{array}$$

(9)

Then, according to Lemma 1, we have $Var\left(\mathbf{c}\right)\le {\sigma }_g^2$.

Lemma 4 

(Noise growth of external product [9]). Assuming that a scalar ciphertext is $c=g/f+\Delta ·\mu \in R_Q$ and a vector ciphertext is $\mathbf{c}=\mathbf{g}/f+\mathfrak{g}·\nu \in R_Q^l$, $\nu \in \mathbb{M}$, define $c_{mult}=c\otimes \mathbf{c}$; then,

$$\begin{array}{c}\hfill Var\left(err\left(c_{mult}\right)\right)\le N·\mathcal{l}·{\gamma }^2·Var\left(\mathbf{g}\right)+4·{\varsigma }^2+{∥\nu ∥}_2^2·Var\left(g\right)\le N·\mathcal{l}·{\gamma }^2·Var\left(err\left(\mathbf{c}\right)\right)+Var\left(c\right)\end{array}$$

(10)

Lemma 5 

(Noise of a sequence of external products [9]). Let $c=g/f+\Delta ·m\in R_Q$ (m is a ternary polynomial). Let ${\mathbf{c}}_i={\mathbf{g}}_i/f+\mathfrak{g}·m_i\in R_Q^l$ ($m_i\in \mathbb{M}$). If $c^{\prime }=c{\otimes }_{i=1}^k{\mathbf{c}}_i$, then

$$\begin{array}{c}\hfill Var\left(err\left(c^{\prime }\right)\right)\le N·\mathcal{l}·{\gamma }^2·\sum _{i=1}^{k}Var\left({\mathbf{g}}_i\right)+Var\left(g\right)+4·{\varsigma }^2\end{array}$$

(11)

3.10.4. Modulus-Switching

Definition 7 

(ModSwitch). Let $Q,q\in \mathbb{Z}$ and $1<q<Q$, and the randomized rounding function ${\left[·\right]}_{Q:q}:{\mathbb{Z}}_Q\to {\mathbb{Z}}_q$, i.e., ${\left[z\right]}_{Q:q}:=\lfloor q·z/Q\rfloor +B$, where $B\in \{0,1\}$ is a Bernoulli random variable, $\mathrm{Pr}\left[B=1\right]=(q·z/Q)-\lfloor q·z/Q\rfloor \in [0,1]$. Note that $\epsilon :={\left[z\right]}_{Q:q}-(q·z/Q)$ is a 1-Gaussian distribution. The above definition can be extended to the form of polynomials, vectors and matrices, i.e.,

$$\begin{array}{c}\hfill \mathit{ModSwitch}\left(c\right)={{\sum }_{i=0}^{N-1}\left[c_i\right]}_{Q:q}{X}^i\in R_q\end{array}$$

(12)

Lemma 6 

([9]). If $c=g/f+\Delta ·m\in R_Q$, then $\mathit{ModSwitch}(c)$ is a scalar encryption of m under $R_q$ and

$$\begin{array}{c}\hfill Var\left(err\left(\mathit{ModSwitch}\left(c\right)\right)\right)\le {(q/Q)}^2·Var\left(err\left(c\right)\right)+1+16·N·{\varsigma }^2\end{array}$$

(13)

3.10.5. Key-Switching from the NGS to the Base Scheme

After modulus-switching, the generated NTRU ciphertext $c=g/f+\epsilon +\Delta ·m\in R_q$ needs to conduct key-switching in order to obtain the ciphertext in LWE form. Key-switching is divided into a key generation algorithm and a key-switching algorithm.

Key-switching key generation algorithm: Let $(\mathbf{A},\mathbf{b})$ be the LWE sample after the encryption of key $\mathbf{s}$, and $c=g/f+\epsilon +\Delta ·m\in R_Q$ be the scalar NGS ciphertext after the encryption of key f, where $\epsilon$ is the rounding error after modulus-switching. The key-switching key is defined as follows:

$$\begin{array}{c}\hfill \mathrm{ks}{\mathrm{k}}_{\mathrm{NTRU}\to \mathrm{LWE}}:=(\mathbf{A},\mathbf{b}:=\mathbf{A}·\mathbf{s}+\mathbf{e}+\mathbf{P}·{\mathbf{f}}_0)\end{array}$$

(14)

where $\mathbf{A}\in {\mathbb{Z}}_q^{(N·L)\times n}$, $\mathbf{e}\leftarrow {\chi }_{{\sigma }_e}^{N·L}$, ${\mathbf{f}}_0:={\mathrm{col}}_0(\Phi \left(f\right))\in {\mathbb{Z}}^N$, $\mathbf{P}:={\mathbf{I}}_N\otimes {\mathfrak{g}}_{q,B_{ksk}}\in {\mathbb{Z}}^{(N·L)\times N}$.

Key-switching algorithm: During key-switching from NTRU to LWE, i.e., given the NTRU ciphertext $c=g/f+\epsilon +\Delta ·m\in R_Q$, the ciphertext is converted into LWE ciphertext through key-switching—$\mathrm{KeySwitc}{\mathrm{h}}_{\mathrm{NTRU}\to \mathrm{LWE}}(c,\mathrm{ks}{\mathrm{k}}_{\mathrm{NTRU}\to \mathrm{LWE}}):$

• $\mathrm{ks}{\mathrm{k}}_{\mathrm{NTRU}\to \mathrm{LWE}}:=(\mathbf{A},\mathbf{b}:=\mathbf{A}·\mathbf{s}+\mathbf{e}+\mathbf{P}·{\mathbf{f}}_0)$.
• $\mathbf{a}\leftarrow \mathrm{KeySwitch}(c,\mathbf{A})$
• $b\leftarrow \mathrm{KeySwitch}(c,\mathbf{b})$
• output ${\mathbf{c}}^{\prime }:=(\mathbf{a},b)$

That is, we decompose the coefficient vector of c and multiply it by both components of $\mathrm{ks}{\mathrm{k}}_{\mathrm{NTRU}\to \mathrm{LWE}}$. Thus, we define $\mathbf{y}:={\mathfrak{g}}^{-1}\left(\varphi \left(c\right)\right)\in {\mathbb{Z}}^{N·L}$, i.e., ${\mathbf{c}}^{\prime }:=(\mathbf{a},b)=(\mathbf{y}·\mathbf{A},\mathbf{y}·\mathbf{b})\in {\mathbb{Z}}_q^{n+1}$,

$$\begin{array}{c}\hfill b=\mathbf{a}·\mathbf{s}+\mathbf{y}·\mathbf{e}+g_o+\epsilon ·((1,\mathbf{0})+4·\varphi \left(f^{\prime }\right))+4·{\epsilon }^{\prime }·\varphi \left(m\right)·\varphi \left(f^{\prime }\right)+\Delta ·m_0\end{array}$$

(15)

where $\epsilon \in \left(-1/2,1/2\right]$, $m_0$ is the constant term of m.

3.11. Ellipsoidal Discrete Gaussian Sampling

Yu Yang et al. [22] proposed that it is beneficial to replace spherical discrete Gaussian sampling with suitable ellipsoidal discrete Gaussian sampling when obtaining GPV signatures at Crypto 2022. Making the half that actually occurs in signatures shorter reduces signature size at essentially no security loss (in a suitable range of parameters).

For the NTRU encryption scheme, ellipsoidal Gaussian sampling is compared to spherical sampling by changing the original standard deviation $({\sigma }_f,{\sigma }_g)$ of the key $(f,g)$ sample to $(\beta ·{\sigma }_f,{\beta }^{-1}·{\sigma }_g)$, where ${\sigma }_f={\sigma }_g$, $\beta \in \mathbb{R}$ and $\beta >1$. This makes the effect on security after ellipsoidal Gaussian sampling 4 or 5 contrasts lower than that of spherical Gaussian sampling, which is negligible, and the second component of key $(f,g)$ is shortened to the original ${\beta }^{-1}$. Where $\beta$ is the distortion factor and twisted paradigm for ellipsoidal Gaussian sampling.

4. Bootstrapping Optimization of FINAL Scheme

In FINAL [9], two fully homomorphic encryption schemes are mentioned, one based on the MNTRU basic encryption scheme and the other based on the LWE basic encryption scheme, both of which use the NGS scheme to bootstrap, where the latter is more efficient than the former.

Therefore, this paper focuses on a fully homomorphic encryption scheme based on the LWE basic encryption scheme and denoted by the FINAL scheme.

Figure 2 shows a graphical representation of the FINAL bootstrapping, with a detailed description as follows.

The LWE key is binary. During the bootstrapping, by using a binary CMux encryption gate, at the end of the main loop of the refresh procedure, we obtain NTRU ciphertexts in the form of $c=g/f+\epsilon +\Delta ·m\in R_Q$. Then, the NTRU ciphertexts are converted into LWE ciphertexts through modulus-switching and key-switching. Below is the definition of the binary CMux gate ($\epsilon$ is the rounding error after modulus-switching).

Definition 8 

(The binary CMux gate). For a given $f_i\in \{0,1\}$, we define key $bs{k}_i$:

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\hfill & s_i=0\Rightarrow bs{k}_i:=NGS.EncVec\left(0\right)\hfill \\ \hfill & s_i=1\Rightarrow bs{k}_i:=NGS.EncVec\left(1\right).\hfill \end{array}\right.\end{array}$$

(16)

Then, our CMux gate is defined as

$${\mathit{CMux}}_i\left({\mathrm{c}}_i\right)=\mathbf{1}+(X^{{\mathrm{c}}_i}-1)·bs{k}_i.$$

(17)

4.1. Bootstrapping

Bootstrapping consists of two parts: the bootstrapping key generation algorithm (Algorithm 1) and the bootstrapping algorithm (Algorithm 2). The algorithms are described as follows.

Algorithm 1 Bootstrapping Key Generation

Input: Secret key $\mathbf{s}\in {\mathbb{Z}}_q^n$ of LWE basic encryption scheme Output: Bootstrapping key $bsk$ 1: $(s_0,\cdots ,s_{n-1})\leftarrow \varphi \left(\mathbf{s}\right)$ 2: for $i\leftarrow 0$ to $n-1$ do 3:     Compute $bs{k}_i$ according to Equation (1) 4: end for 5: Return $bsk:=\{bs{k}_i:0\le i\le n-1\}$

Algorithm 2 Bootstrapping Algorithm

Input: LWE ciphertext $\mathbf{ct}=(\mathrm{ct}.\mathrm{a},\mathrm{ct}.\mathrm{b})\in {\mathbb{Z}}_q^{n+1}$ encrypting $m\in \{0,1\}$, bootstrapping keys ${\left\{bs{k}_i\right\}}_{0\le i\le n-1}$ and key-switching key ${\mathrm{ksk}}_{\mathrm{NTRU}\to \mathrm{LWE}}$. Output: LWE ciphertext ${\mathbf{ct}}^{\prime }\in {\mathbb{Z}}_q^{n+1}$ encrypting the same m.   1: $({\mathrm{c}}_0,\dots ,{\mathrm{c}}_{n-1},{\mathrm{c}}_n)\leftarrow ⌊{\displaystyle \frac{2·N·\mathbf{ct}}{q}}⌉$   2: $AC{C}_0\leftarrow {\displaystyle \frac{Q}{8}}·X^{N/2}·{\sum }_{i=0}^{N-1}{X}^i$   3: for $i\leftarrow 0$ to $n-1$ do   4:     $c_{\mathrm{Mux}}\leftarrow {\mathrm{CMux}}_i\left({\mathrm{c}}_i\right)$   5:     $ACC\leftarrow ACC\odot c_{\mathrm{Mux}}$   6: end for   7: $ACC\leftarrow ACC+\left[{\displaystyle \frac{Q}{8}}\right]·{\sum }_{i=0}^{N-1}{X}^i$   8: $ACC\leftarrow \mathit{ModSwitch}\left(ACC\right)$   9: ${\mathbf{ct}}^{\prime }\leftarrow \mathrm{KeySwitch}(ACC,{\mathrm{ksk}}_{\mathrm{NTRU}\to \mathrm{LWE}})$ 10: return  ${\mathbf{ct}}^{\prime }$

4.2. Bootstrapping Noise Analysis

The noise generated by bootstrapping affects the correctness of decryption. When the noise exceeds this noise bound (≥$q/8$), the scheme cannot decrypt properly. The analysis of the noise generated by bootstrapping is as follows.

The first step of bootstrapping, i.e., $({\mathrm{c}}_0,\cdots ,{\mathrm{c}}_{n-1},{\mathrm{c}}_n)\leftarrow \lfloor \frac{2·N·\mathbf{ct}}{q}\rceil$, is to change the components of $\mathbf{ct}\in {\mathbb{Z}}_q^{n+1}$ from module q to module $2·N$, and use $\mathbf{c}{\mathbf{t}}_{2N}$ to represent the result vector, i.e., $\mathbf{c}{\mathbf{t}}_{2N}=\lfloor \frac{2·N·\mathbf{ct}}{q}\rceil$,

$$\begin{array}{c}\hfill \left|\mathbf{ct}·(\varphi \left(\mathbf{s}\right),1)-\frac{q}{2·N}·\mathbf{c}{\mathbf{t}}_{2N}·(\varphi \left(\mathbf{s}\right),1)\right|=\left|\frac{q}{2·N}·\epsilon ·\mathbf{ct}·(\varphi \left(\mathbf{s}\right),1)\right|,\end{array}$$

(18)

where $\epsilon \le 1/2$. Therefore,

$$\begin{array}{c}\hfill \left|\mathbf{ct}·(\varphi \left(\mathbf{s}\right),1)-\frac{q}{2·N}·\mathbf{c}{\mathbf{t}}_{2N}·(\varphi \left(\mathbf{s}\right),1)\right|\le \left|\frac{q}{4·N}·\epsilon ·\mathbf{ct}·(\varphi \left(\mathbf{s}\right),1)\right|.\end{array}$$

(19)

The second step of bootstrapping is to assign values to the test vector, $AC{C}_0=\lfloor \frac{Q}{8}\rceil ·X^{N/2}·{\sum }_{i=0}^{N-1}{X}^i$, without involving error analysis.

The third step of bootstrapping is to perform the following loop on i from 0 to $n-1$: $c_{\mathrm{Mux}}\leftarrow {\mathrm{CMux}}_i\left({\mathrm{c}}_i\right)$, $ACC\leftarrow ACC\odot c_{\mathrm{Mux}}$. Among them, the noise generated by $c_{\mathrm{Mux}}\leftarrow {\mathrm{CMux}}_i\left({\mathrm{c}}_i\right)$, combined with Equation (2), can be obtained as follows:

$$\begin{array}{c}\hfill \mathrm{Var}\left(\mathrm{err}\left({\mathrm{CMux}}_i\right)\right)\le {∥X^{c_i}-1∥}_2^2·\mathrm{Var}\left(\mathrm{err}\left(bs{k}_i\right)\right)\le 2·\mathrm{Var}\left(\mathrm{err}\left(bsk\right)\right),\end{array}$$

(20)

where $\mathrm{err}\left({\mathrm{CMux}}_i\right)$ represents the noise in the CMux gate and err(bsk) represents the noise in the NGS vector ciphertext. Regarding $ACC\leftarrow ACC\odot c_{\mathrm{Mux}}$, from Lemma 5 and Equation (20), the noise introduced by this sequence of external products can be obtained as follows:

$$\begin{array}{c}\hfill Var\left(err\left(ACC\right)\right)\le n·N·\mathcal{l}·{\gamma }^2·Var(err\left(c_{\mathrm{Mux}}\right)+Var\left(err\left(AC{C}_0\right)\right).\end{array}$$

(21)

And from $AC{C}_0=\frac{Q}{8}·X^{N/2}·{\sum }_{i=0}^{N-1}{X}^i$ and Lemma 2, it follows that

$$\begin{array}{c}\hfill Var\left(err\left(ACC\right)\right)\le 2n·N·\mathcal{l}·{\gamma }^2·Var\left(err\left(bsk\right)\right)+4·N·{\sigma }_f^2.\end{array}$$

(22)

where ${\sigma }_f$ is the standard deviation of f.

The fourth step of bootstrapping involved performing polynomial addition without involving the generation of noise.

The fifth step of bootstrapping, $AC{C}^{\prime }\leftarrow ModSwitch\left(ACC\right)$: From Lemma 6 and Equation (22), the noise after modulus-switching is as follows: $Var(err\left(AC{C}^{\prime }\right)\le 2·{(q/Q)}^2·n·N·\mathcal{l}·{\gamma }^2·Var\left(err\left(bsk\right)\right)+2·{(q/Q)}^2·N·{\varsigma }^2+1+16·N·{\varsigma }^2$. Then, from Lemma 3, we obtain

$$\begin{array}{c}\hfill Var(err\left(AC{C}^{\prime }\right)\le 2·{(q/Q)}^2·N·{\sigma }_f^2+1+2n·{(q/Q)}^2·N·\mathcal{l}·{\gamma }^2·{\sigma }_g^2+16·N·{\sigma }_f^2.\end{array}$$

(23)

In the sixth step of bootstrapping, ${\mathbf{c}}^{\prime }\leftarrow \mathrm{KeySwitc}{\mathrm{h}}_{\mathrm{NTRU}\to \mathrm{LWE}}(AC{C}^{\prime },\mathrm{ks}{\mathrm{k}}_{\mathrm{NTRU}\to \mathrm{LWE}})$: we see that the noise of the resulting LWE encryption equals $\mathbf{y}·\mathbf{e}+g_o+\epsilon +4·\epsilon ·\varphi \left(f^{\prime }\right)+4·{\epsilon }^{\prime }·\varphi \left(m\right)·\varphi \left(f^{\prime }\right)$, as defined in [7]. Combined with Equation (23), the variance of the noise is as follows:

$$\begin{array}{cc}& Var\left(err\left({\mathbf{c}}^{\prime }\right)\right)=Var(\mathbf{y}·\mathbf{e})+Var\left(g_o\right)+Var(4·\epsilon ·\varphi \left(f^{\prime }\right))+Var(4·{\epsilon }^{\prime }·\varphi \left(m\right)·\varphi \left(f^{\prime }\right))+Var\left(\epsilon \right)\hfill \\ & \le N·L·Var\left(\mathbf{y}\right)·Var\left(\mathbf{e}\right)+Var\left(g\right)+1+16·N·Var\left(\epsilon \right)·Var\left(f^{\prime }\right)+4·{∥m∥}_2^2·{\sigma }_f^2\hfill \\ & \le 2·{(q/Q)}^2·N·{\sigma }_f^2+1+16·N·{\sigma }_f^2+N·L·{\gamma }_{B_{ksk}}^2·{\sigma }_e^2+2·{(q/Q)}^2·n·N·\mathcal{l}·{\gamma }^2·{\sigma }_g^2.\hfill \end{array}$$

where ${\sigma }_f$, ${\sigma }_g$ and ${\sigma }_e$ are the standard deviations of f, g and e sampling, respectively, and ${\gamma }_{B_{ksk}}=O\left(B_{ksk}\right)$. Due to the use of two decomposition bases $B_1,B_2$ in the bootstrapping procedure, the noise becomes

$$\begin{array}{c}\hfill Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le NL{\gamma }_{B_{ksk}}^2{\sigma }_e^2+2{(q/Q)}^{2}N{\sigma }_f^2+1+2{(q/Q)}^2{n}_{1}N{\mathcal{l}}_1{\gamma }_{B_1}^2{\sigma }_g^2+16N{\sigma }_f^2+2{(q/Q)}^2{n}_{2}N{\mathcal{l}}_2{\gamma }_{B_2}^2{\sigma }_g^2.\end{array}$$

(24)

where ${\gamma }_{B_i}=O\left(B_i\right)$ and ${\mathcal{l}}_i=⌈{\log }_{B_i}\left(Q\right)⌉$, $i\in \{1,2\}$.

According to Equation (24), we find that the larger the decomposition bases, the larger the bootstrapping noise. And the noise introduced by the bootstrapping depends more on the standard deviation of g than on the standard deviation of f. However, the standard deviation of f and g is the same in the FINAL scheme. Hence, we introduce a bootstrapping optimization technique based on the ellipsoidal Gaussian to optimize the FINAL scheme.

4.3. Bootstrapping Optimization Technique Based on Ellipsoidal Gaussian

Combined with the noise analysis in the above section and reference [22], the sampling of f and g selects an ellipsoidal Gaussian distribution, i.e., the standard deviations of the Gaussian distribution of f and g sampling are denoted as $\beta ·{\sigma }_f$ and ${\beta }^{-1}·{\sigma }_g$, respectively. This greatly reduces the noise generated in the bootstrapping procedure while ensuring that the impact on safety can be ignored. Combined with Equation (24), the bootstrapping noise becomes:

$$\begin{array}{c}\hfill Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le NL{\gamma }_{B_{ksk}}^2{\sigma }_e^2+16N{\beta }^2{\sigma }_f^2+2{(q/Q)}^2{n}_{1}N{\mathcal{l}}_1{\gamma }_{B_1}^2{\beta }^{-2}{\sigma }_g^2+2{(q/Q)}^2{n}_{2}N{\mathcal{l}}_2{\gamma }_{B_2}^2{\beta }^{-2}{\sigma }_g^2+2{(q/Q)}^{2}N{\beta }^2{\sigma }_f^2+1.\end{array}$$

(25)

We calculate the bootstrapping noise when $\beta$ is different. We refer to the parameter settings in the FINAL scheme as shown in

Table 2. Parameter settings.

Scheme	n	q	N	Q	${\mathit{B}}_{\mathit{k}\mathit{s}\mathit{k}}$	${\mathit{\sigma }}_{\mathit{f}}={\mathit{\sigma }}_{\mathit{g}}$	$({\mathit{B}}_1,{\mathit{n}}_1,{\mathit{l}}_1)$	$({\mathit{B}}_2,{\mathit{n}}_2,{\mathit{l}}_2)$
FINAL	610	92,683	1024	912,829	3	$\sqrt{{\displaystyle \frac{2}{3}}}$	$(8,140,7)$	$(16,470,5)$

. ${\sigma }_f={\sigma }_g=\sqrt{{\displaystyle \frac{2}{3}}}$, ${\sigma }_e=4.39$, $B_{ksk}=3$, $L:=⌈{\log }_{B_{ksk}}\left(q\right)⌉=⌈{\log }_{3}92683⌉=11$, $n_1=140$, $n_2=470$,${\mathcal{l}}_i:=⌈{\log }_{B_i}\left(Q\right)⌉$, $l_1=7$, $l_2=5$, $B_1=8$, $B_2=16$. Because $\gamma =O\left(B\right)$, assuming ${\gamma }_{B_1}=B_1=8$, ${\gamma }_{B_2}=B_2=16$ and ${\gamma }_{B_{ksk}}=B_{ksk}=3$. The bootstrapping noise at different $\beta$ values is obtained as follows.

As can be seen from Figure 3 and

Table 3. Noise reduction ratio.

Scheme	$\mathit{\beta }$	Variance of Bootstrapping Noise	Reduction Ratio
FINAL	1	$Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le 11,315,220$	0
Ours	2	$Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le 4,335,115$	61.7%
Ours	3	$Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le 3,091,111$	72.7%
Ours	4	$Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le 2,713,127$	76%
Ours	5	$Var\left(err\left({\mathrm{ct}}^{\prime }\right)\right)\le 2,601,170$	77%

, when other parameters are the same, the larger the disturbance factor $\beta$, the less noise is introduced by the bootstrapping and the less noise reduction is caused by the bootstrapping. When $\beta$ changes from 3 to 4, the size of bootstrapping noise reduction is already small, and when $\beta$ changes from 4 to 5, the reduction ratio of the variance of bootstrapping noise is less than 1%. The significance of optimization is minimal. However, with the increase in $\beta$, key g becomes more sparse, and the scheme becomes more vulnerable to key recovery attacks. Therefore, in this paper, we set $\beta =4$ as the optimal case for analysis.

The distortion factor $\beta$ is introduced during bootstrapping; it only reduces the size of the bootstrapping noise, and does not affect the noise bound, i.e., the optimization scheme can be decrypted normally as long as the bootstrapping noise is within the noise bound.

From this section and Equation (25), we know that the optimization scheme can adopt larger decomposition bases than the original FINAL scheme. In the next section, we analyze the impact of different parameters on the bootstrapping noise and efficiency of the scheme, where the impacts of the decomposition bases are analyzed in detail.

5. Parameter Optimization of FINAL Scheme

5.1. Computation Overhead

The performance of the fully homomorphic encryption scheme is impacted by polynomial multiplications, and the number of polynomial multiplications in the FINAL scheme [9] is closely related to the decomposition bases of the bootstrapping, as follows:

In the FINAL scheme, formula $((X^{{\mathrm{c}}_i}-1)·ACC)\odot bs{k}_i+ACC$ is used to compute $ACC\odot {\mathrm{CMux}}_i\left({\mathrm{c}}_i\right)$ in the bootstrapping algorithm (Algorithm 2). Assuming that the bootstrapping keys are fast Fourier transformed in advance, the external product requires $l_i+1$ FFTs and $l_i$ Hadamard vector products, where $l_i$ is the length of $bs{k}_i$.

Let $n_1=140,n_2=470,l_1=7,l_2=5$; then, we require $l_1·n_1+l_2·n_2=3330$ ring multiplications and $(l_1+1)·n_1+(l_2+1)·n_2=3940$ FFTs per bootstrapping, where the ring is a polynomial ring.

From the relationship between the total number of ring multiplications and the total number of FFTs, it is clear that the total number of FFTs is always $n=n_1+n_2=610$ more than the total number of ring multiplications (therefore, in this paper, we only consider the total number of ring multiplications).

5.2. Memory Overhead

In terms of the memory overhead, the bootstrapping key consists of blind rotation keys (n NGS vector ciphertexts) and a key-switching key. The optimized scheme modifies only the dimensions of the blind rotation keys, which can be represented by the number of ring polynomials ($R_Q$)—specifically quantified as $n_1\times l_1+n_2\times l_2$. Since this dimension aligns with the number of ring polynomial multiplications required for computation, the memory overhead of blind rotation keys can equivalently be characterized by the count of such ring polynomial multiplications.

5.3. Optimization of Parameters

The smaller $l_1,l_2$ are, the smaller the total number of ring multiplications for fixed $n_1,n_2$. And $l_i:=⌈{\log }_{B_i}\left(Q\right)⌉$, so when $n_1$ and $n_2$ are fixed, the larger the decomposition bases $B_1,B_2$ are, the smaller the total number of ring multiplications.

Similarly, when the decomposition bases $B_1,B_2$ are fixed, i.e., $l_1,l_2$ are fixed, the smaller $n_1,n_2$ are, the smaller the total number of ring multiplications, and the more efficiently the scheme runs (where $n_1,n_2$ is the number of NGS ciphertexts corresponding to the decomposition bases $B_1,B_2$, respectively). Therefore, we need to choose $B_1,B_2$ and $n_1,n_2$ values that make the total number of polynomial products as small as possible.

In summary, in order to improve the efficiency of bootstrapping, we choose the the largest decomposition bases $B_1,B_2$ and $n_2$ as possible within the noise bound (where $B_1<B_2$).

This section proposes the adaptive adjustment technique on the decomposition bases, combined with the bootstrapping optimization technique based on the ellipsoidal Gaussian mentioned in Section 3; finally, we can obtain the optimization scheme. Firstly, the disturbance factor $\beta$ was introduced to reduce the noise introduced by the bootstrapping, and then, based on $\beta$, adaptively adjusted the decomposition bases $B_1$, $B_2$ and the corresponding $n_1$, $n_2$, respectively. Finally, the efficiency of the scheme was improved.

The decomposition basis of the blind rotation key in this article is chosen as a power of 2. The core motivation for this choice lies in the synergy between hardware-friendly design and simplification in number theory. By reducing the complexity of modular arithmetic, optimizing storage architecture and leveraging inherent binary properties, they significantly enhance the practical efficiency of integer factorization algorithms.

5.4. Result

When $\beta =1$, i.e., under the original FINAL scheme, we run 1000 tests, and the scheme runs normally when the noise generated by bootstrapping is <$q/8$. And when the noise exceeds this noise bound (≥$q/8$), the scheme cannot decrypt properly.

As can be seen from Figure 4, when $\beta =1,B_1=8,B_2=16,32,64$, the noise is almost always within the noise bound, regardless of the value of $n_1,n_2$. When $n_1=140,n_2=470,B_1=8,B_2=16$, the average bootstrapping time is 41.4 ms, and the total number of ring multiplications is 3330; when $n_1=140,n_2=470,B_1=8,B_2=64$, the average bootstrapping time is 38.3 ms, and the total number of ring multiplications is 2860.

From Figure 5, when $\beta =1,B_1=8,B_2=128,n_1=470,n_2=140$, the bootstrapping noise is within the noise bound, so the scheme can use these parameters, and the average bootstrapping time is 44.8 ms, and the total number of ring multiplications is 3710. On the contrary, when $n_1=140,n_2=470$, the bootstrapping noise exceeds the noise bound, and the scheme does not decrypt properly.

From Figure 6, it can be seen that when $\beta =2,B_1=8,B_2=128$, whatever the value of $n_1,n_2$ is, it is within the noise bound. The average bootstrapping times are 44.5 ms and 33.1 ms when $n_1=470,n_2=140$ and $n_1=140,n_2=470$, respectively.

Since the decomposition size $l_i$ is the same when the decomposition base $B_i$ is 128, 256 and 512, it can be considered to be one case. From Figure 7, when $\beta =2,B_1=128,B_2=1024$, the optimal value of $n_i$ is $n_1=605,n_2=5$. Meanwhile, the average time is 27.85 ms, and the total number of ring multiplications is 1825. When $\beta =3,B_1=128,B_2=1024$, the optimal value of $n_i$ is $n_1=590,n_2=20$, the average running time is 27.81 ms and the total number of ring multiplications is 1810 at this time. When $\beta =4,B_1=128,B_2=1024$, the optimal value of $n_i$ is $n_1=550,n_2=60$, the average running time is 27.6 ms and the total number of ring multiplications is 1770.

In summary, we can see that changing the value of $\beta$ only affects the noise introduced by bootstrapping, and the larger $\beta$, the smaller the bootstrapping noise. The optimization scheme reduces the bootstrapping noise by increasing $\beta$, and then selects a larger decomposition base $B_i$ and its corresponding $n_i$ to reduce the total number of ring multiplications and improve the bootstrapping efficiency of the scheme.

Table 4. Average time to perform 1000 bootstraps with different parameters.

Scheme	$\mathit{\beta }$	$({\mathit{B}}_1,{\mathit{n}}_1,{\mathit{l}}_1)$	$({\mathit{B}}_2,{\mathit{n}}_2,{\mathit{l}}_2)$	Mult. on ${\mathit{R}}_{\mathit{Q}}$	Run. Time	Faster
FINAL	1	$(8,140,7)$	$(16,470,5)$	3330 $(\times 1)$	41.4 ms $(\times 1)$	0
Ours	1	$(8,140,7)$	$(64,470,4)$	2860 $(\times 0.86)$	38.3 ms $(\times 0.925)$	7.5%
Ours	2	$(8,140,7)$	$(64,470,4)$	2860 $(\times 0.86)$	38.1 ms $(\times 0.92)$	8%
Ours	2	$(8,140,7)$	$(128,470,3)$	2390 $(\times 0.72)$	33.1 ms $(\times 0.8)$	20%
Ours	2	$(128,605,3)$	$(1024,5,2)$	1825 $(\times 0.55)$	27.9 ms $(\times 0.674)$	32.6%
Ours	3	$(128,590,3)$	$(1024,20,2)$	1810 $(\times 0.54)$	27.8 ms $(\times 0.671)$	32.9%
Ours	4	$(128,550,3)$	$(1024,60,2)$	1770 $(\times 0.53)$	27.6 ms $(\times 0.667)$	33.3%

illustrates the time required for bootstrapping schemes with different parameters and their corresponding optimization ratios, measured on a 13th Gen Intel(R) Core(TM) i7-13700F processor within an Ubuntu 20.04 virtual machine environment. The experiment shows that in the case of $\beta =4$, when $B_1=128,B_2=1024,n_1=553$ and $n_2=57$, the bootstrapping noise is just within the noise bound. In view of the bootstrapping noise we calculated being larger than the actual value, we take $n_1=550$ as the optimal parameter. That is to say, when $n_1>550$, the total number of ring multiplications becomes larger and the efficiency becomes lower. When $n_1<550$, the bootstrapping noise exceeds the noise bound and does not meet the requirements. To sum up, in the case of $\beta =4$, when $B_1=128,B_2=1024,n_1=550$ and $n_2=60$, the bootstrapping of the optimization scheme is the fastest, at 33.3% faster than the original FINAL scheme, and the memory overhead of blind rotation keys have been optimized by 47%.

6. Security Analysis

The optimized FINAL scheme retains the architectural framework of its original counterpart, modifying only the parameter configurations and the standard deviation criteria for key selection. Crucially, since the original FINAL scheme demonstrates circular security—a property ensuring resilience against key-dependent cryptographic attacks—the optimized variant inherently preserves this security guarantee. This preservation arises directly from the structural invariance of the framework, where parameter adjustments and key distribution refinements operate within the original scheme’s security-proven boundaries, thereby avoiding perturbations to its cyclic security invariants. The following sections analyze different attacks [22,23,24,25,26,27].

6.1. Key-Recovery Attacks

The most efficient attacks come from lattice reduction, aiming at finding a relatively short vector in the spanned lattice. Lattice reduction consists of constructing the algebraic lattice over R spanned by the vectors $(Q,0)$ and $(g/f,1)$. After using lattice reduction on this basis, we enumerate all lattice points in a ball of radius $\sqrt{2N}·{\sigma }_{\{f,g\}}$, centered on the origin. With significant probability, we are therefore able to find $(f,g)$.

Classically, sieving on this projected lattice will recover all vectors of a norm smaller than $\sqrt{4/3}·\lambda$, where $\lambda$ is the norm of the $(2N-b)$th Gram–Schmidt vector of the reduced basis, where b represents the BKZ blocksize.

The projection of the key is among them; when

$$\begin{array}{c}\hfill \sqrt{b}·{\sigma }_{\{f,g\}}⩽\sqrt{4/3}·\lambda .\end{array}$$

(26)

we can recover the secret key vector $(f,g)$ with high probability.

For the best known lattice reduction algorithm, DBKZ [28], we obtain

$$\begin{array}{c}\hfill \lambda ={\left({\displaystyle \frac{b}{2\pi e}}\right)}^{1-N/b}\sqrt{q}.\end{array}$$

(27)

and

$$\begin{array}{c}\hfill {(b/2\pi e)}^{1-N/b}\sqrt{q}=\sqrt{(3/4)·b}·{\sigma }_{\{f,g\}}.\end{array}$$

(28)

It is then easy to deduce the BKZ blocksize b and, therefore, to derive the security level.

However, in reference [22], when we introduce the ellipsoid Gaussian sampling technique, the standard deviation of key g becomes ${\beta }^{-1}·{\sigma }_g$, so the sparsity of key g can be used for further attacks, and we can guess the position of some zeros in the vector with a reasonable probability.

If such a guess of positions, say, $\mathcal{L}\subseteq \{1,\cdots ,2n\}$, appears to be correct, we can intersect the NTRU lattice with ${\mathbb{Z}}^{\overline{\mathcal{L}}}$, where $\overline{\mathcal{L}}$ refers to the complement of the set $\mathcal{L}$ in the overset $\{1,\cdots ,2n\}$. The dimension of the lattice changes from $2n$ to $2n-\left|\mathcal{L}\right|$. As such, this final lattice reduction part is now easier and thus faster.

The volume in the twisted norm ${∥·∥}_{\beta }$: the volume is scaled by the determinant of the intersected Gram matrix $G=Diag\left(\overline{\mathcal{L}}\right)Q_{\beta }Diag\left(\overline{\mathcal{L}}\right)$, which is exactly ${\beta }^k$ (where $k=\left|\mathcal{L}\right|$, $Q_{\beta }={\mathrm{T}}_{\beta }^t{\mathrm{T}}_{\beta }$ and ${\mathrm{T}}_{\beta }=\left[\begin{array}{cc}\beta {\mathrm{I}}_d& \\ & {\beta }^{-1}{\mathrm{I}}_d\end{array}\right]$).

All in all, the (normalized) volume of the intersected lattice for the twisted norm is $q^{\frac{d}{2d-k}}{\beta }^{\frac{k}{2d-k}}$.

Therefore, Equation (28) becomes

$$\begin{array}{c}\hfill {(b/2\pi e)}^{1-N/b}{q}^{\frac{d}{2d-k}}{\beta }^{\frac{k}{2d-k}}=\sqrt{(3/4)·b}·{\sigma }_{\{f,g\}}\end{array}$$

(29)

The concrete security is shown in

Table 5. Security with different $\beta$ values.

Scheme	$\mathit{\beta }$	k	Q	N	b	Security
FINAL	1	–	92,683	1024	559	163
Ours	2	40/60	92,683	1024	546/539	159/157
Ours	3	40/60	92,683	1024	545/537	159/156
Ours	4	40/60	92,683	1024	544/537	158/156

.

k denotes the number of guessed zero positions, and there exists a trade-off between the probability of guessing correctly (the more zeroes there are to guess, the harder it becomes to correctly guess their positions) and the time required by the lattice reduction [22]. Therefore, the value of k should be chosen within a moderate range, and k should neither be too small nor excessively large. For experimental validation, we suggest testing $k=40$ and $k=60$, respectively. As can be seen from Table 5, the ellipsoidal Gaussian sampling method, that is, adding disturbance factor $\beta$ to samples f and g, the bootstrapping noise is greatly reduced at essentially no security loss.

Table 5 demonstrates that the optimized FINAL scheme resists key-recovery attacks. Further rigorous analysis in Section 6.2 and Section 6.3 establishes its resilience against algebraic attacks, as well as dense, high-rank sublattice, and subfield lattice attacks, thereby addressing its adversarial robustness in practical settings.

6.2. Dense, High-Rank Sublattice and Subfield Lattice Attacks

The overstretched parameters of NTRU are vulnerable against subfield lattice attacks. Ducas and van Woerden [29] showed that the concrete prediction put the fatigue point at $q\approx 0.004·n^{2.484}$ for $n>100$ at Asiacrypt 2021. In this paper, we take Q = 912,829, $N=1024$, satisfying $Q<0.004·N^{2.484}$. In our optimization scheme, the NTRU parameters lie outside the overstretched range.

6.3. Algebraic Attacks

The bootstrapping schemes are defined over algebraic lattices, which have a rich structure that could, in principle, lead to improved attacks. However, there is no known way to improve attack algorithms for their general lattice equivalent by more than polynomial factors in an asymptotic sense, and they do not affect our concrete security levels.

6.4. The Choice of Polynomial Rings

In this paper, we choose rings of the form $R_Q=R/QR={\mathbb{Z}}_Q\left[X\right]/<X^N+1>$, with N being a power of 2, and do not choose prime cyclotomic rings of the form ${\mathbb{Z}}_Q\left[X\right]/<X^{n-1}+\cdots +n+1>$, with n being a prime. This is because compared with prime cyclotomic rings, although ${\mathbb{Z}}_Q\left[X\right]/<X^N+1>$ rings are very scarce, there are limitations on the selection of rings, but the operations of the rings are simpler and more efficient, so we choose rings of the form ${\mathbb{Z}}_Q\left[X\right]/<X^N+1>$.

6.5. Security Comparisons with TFHE Bootstrapping

The optimized FINAL scheme integrates NTRU (approximate GCD problem over polynomial rings) and LWE (learning with errors), with security relying on the NTRU assumption of the computational hardness of decomposing short vectors in polynomial lattices, and the LWE/RLWE assumption of Indistinguishability between noisy linear equations and random ones. The advantage is that NTRU’s compact key properties may help reduce the risks of key exposure.

TFHE hinges on RLWE (Ring-LWE) and RGSW (ring-based Gentry–Sahai–Waters encryption), with security derived from RLWE hardness and the resilience of blind rotation against cryptanalysis. Its advantage is that it has been extensively studied with no critical vulnerabilities reported.

The optimized FINAL bootstrapping and TFHE bootstrapping each have their own pros and cons in terms of security. FINAL’s dual assumptions (NTRU + LWE) theoretically enhance security by requiring adversaries to compromise both. TFHE’s reliance on a single RLWE assumption ensures clearer security bounds but lacks NTRU’s key compactness benefits.

7. Conclusions

In this paper, we analyzed the FINAL scheme and optimized it accordingly.

Firstly, we optimized the bootstrapping procedure using the ellipsoidal Gaussian. By analyzing the noise introduced by bootstrapping, it was found that the standard deviation of the Gaussian distribution of key g has a greater impact on the bootstrapping noise compared to that of key f, where f and g are the secret keys of the basic NGS encryption scheme. Therefore, ellipsoidal Gaussian sampling was performed on f and g, where the standard deviations of the Gaussian distribution of f and g were denoted as $\beta ·{\sigma }_f$ and ${\beta }^{-1}·{\sigma }_g$. Meanwhile, from Table 5 and Figure 2, we find that upon adding the disturbance factor $\beta$ to samples f and g, the security of the scheme is only reduced by a few bits, but the noise generated by bootstrapping is greatly reduced.

Secondly, we performed the adaptive adjustment technique on the decomposition bases. Since the efficiency of the fully homomorphic encryption scheme is mainly limited by ring multiplication and FFTs, the FINAL scheme changes the number of ring multiplications and FFTs by changing the decomposition bases $B_1,B_2$ of NGS and their corresponding values of $n_1,n_2$, thus affecting the efficiency of the bootstrapping. Meanwhile, the decomposition bases of the FINAL scheme are limited by the bootstrapping noise. Therefore, we combine the bootstrapping optimization technique based on the ellipsoidal Gaussian to reduce the bootstrapping noise and expand the selection range of decomposition bases by selecting an appropriate $\beta$ value. Finally, based on $\beta$, we adaptively adjust the decomposition bases $B_1,B_2$ and $n_2$, so that they are as large as possible within the noise bound. This method reduces the total number of ring multiplications and FFTs. This greatly improves the efficiency of the bootstrapping, with 33.3% faster bootstrapping than the original FINAL scheme.