Binary Variant of CKKS
- Binary Variant of CKKS is a fully homomorphic encryption scheme that converts standard CKKS coefficients into binary representations while retaining approximate complex arithmetic.
- It encodes messages via canonical embeddings, then binarizes polynomial coefficients and applies BCH error-correcting codes to ensure reliable decryption.
- The framework provides reduced noise growth and unbounded-depth computations, though it trades off increased ring dimensions and heavier multiplication overhead.
The binary variant of CKKS is a fully homomorphic encryption framework that preserves the core algebraic structure of CKKS—canonical embedding, RLWE security, SIMD packing, and approximate arithmetic on complex numbers—while replacing the usual large-integer coefficient rings with binary-coefficient polynomial rings and eliminating the modulus chain plus rescaling procedure. In the formulation presented in "A Non-leveled and Reliable Approximate FHE Framework through Binarized Polynomial Rings" (Chen et al., 4 Aug 2025), messages remain vectors in and are first encoded exactly as in CKKS, after which each ring coefficient is binarized and placed into a larger binary ring. Homomorphic computation then proceeds in that binary ring, with noise controlled by a lightweight Refresh operation and decryption reliability strengthened by BCH error-correcting codes.
1. Position within the CKKS family
Standard CKKS is an RLWE-based, leveled homomorphic encryption scheme designed for approximate arithmetic on real and complex vectors. It is built over a cyclotomic ring for power-of-two cyclotomic index, packs vectors in through the canonical embedding, and manages multiplicative depth through a modulus chain and rescaling (Pathak, 2022). In that setting, ciphertexts are pairs in at level , and decryption is structured so that the plaintext occupies the most significant part of the decrypted value while the noise remains small relative to the scaling factor.
The binary variant retains this CKKS semantics at the message level but changes the coefficient representation. Rather than storing ciphertext polynomials with large coefficients modulo , it maps those coefficients into binary expansions and carries out the homomorphic computation in a binary-coefficient polynomial ring. The stated design goals are binary coefficients, avoidance of CKKS rescaling and modulus switching, control of noise growth in the binary setting, and unbounded-depth computation through periodic Refresh.
A common misconception is that “binary CKKS” means a bit-encryption scheme in the sense of BFV, BGV, or TFHE. The construction in (Chen et al., 4 Aug 2025) does not redefine CKKS as exact Boolean arithmetic. Instead, it keeps CKKS-style approximate arithmetic over complex vectors and introduces a binary representation layer for encoded ring elements. The paper itself contrasts CKKS with integer-oriented schemes, noting that exact arithmetic on integers or bits is more naturally aligned with BGV/BFV-style designs (Pathak, 2022). The binary variant therefore occupies a distinct position: approximate SIMD arithmetic remains the target semantics, while coefficient binarization and BCH coding are used to improve reliability and simplify noise management.
2. Algebraic construction and binary embedding
As in CKKS, let be a cyclotomic index with cyclotomic polynomial of degree , and define
The canonical embedding is
0
where 1 is a primitive 2-th root of unity. A message 3 is embedded into the Hermitian subspace 4, scaled by 5, rounded to the lattice 6, and mapped back by 7 to a polynomial in 8. This is precisely the CKKS encoding stage (Chen et al., 4 Aug 2025).
The binary step begins by fixing an upper bound 9 on the absolute value of coefficients in 0 and setting
1
For a polynomial
2
with binary decomposition
3
the binary expansion map is defined by
4
A coefficient at position 5 in 6 thus becomes a block of 7 bits in 8.
The full encoding chain is
9
Decoding reverses the process: the inverse binary map 0 regroups bits into coefficients in 1, and the resulting polynomial is interpreted through the CKKS decoding map. The paper also defines a norm on 2 by pulling back to 3,
4
so that noise analysis remains tied to the CKKS canonical representation.
The significance of this construction is that the message space, canonical embedding, scaling factor, and RLWE-based cryptographic structure are unchanged, while the operational ring is transformed into a binary polynomial ring. The paper describes this as preserving the CKKS algebraic core while encrypting the binary expansion of encoded coefficients rather than the coefficients themselves.
3. Ciphertexts, homomorphic operations, and refresh
Ciphertexts live in 5 with a binary secret key 6 of small Hamming weight 7. Key generation samples
- 8,
- 9 uniformly,
- 0 and then maps it to binary via 1,
and sets
2
For relinearization, one samples 3 and defines
4
For Refresh, the scheme also generates a refresh key by encrypting each coefficient 5 of 6 under the public key (Chen et al., 4 Aug 2025).
Encryption of 7 samples a one-bit mask vector 8 and errors 9, binarizes the errors via 0, and outputs
1
that is,
2
Decryption computes
3
so the decrypted form remains the CKKS-style affine relation 4 with a small error polynomial.
Addition is componentwise,
5
with noise bound
6
Multiplication first forms the schoolbook product
7
and then relinearizes:
8
Under the secret key, decryption yields the product of the decrypted ciphertexts plus a new noise term.
The paper gives explicit noise bounds. For encryption noise,
9
If 0, decoding is robust. For the CKKS-style encoding error,
1
which is negligible if 2 is large. For multiplication in the binary scheme,
3
The comparison to standard CKKS is central. Standard CKKS multiplication noise includes a rescaling term
4
whereas the binary scheme has no such term. Under standard SEAL parameters 5 primes of roughly 6 bits, 7, the paper estimates
8
so the multiplicative noise is about 9 times smaller (Chen et al., 4 Aug 2025).
Instead of modulus switching and rescaling, the scheme uses Refresh. Given 0, it homomorphically reconstructs an encryption of 1 by using encrypted secret-key shares,
2
It then adds flooding noise 3 with 4, and re-encrypts with fresh one-time randomness:
5
where 6. The Thresh function checks whether current noise exceeds 7 and invokes Refresh when needed. This is the basis for the scheme’s “non-leveled” or “unbounded-depth” character: depth need not be fixed in advance, because noise is periodically reset to the fresh-encryption level.
4. Reliability layer through BCH coding
The binary representation introduces a reliability problem that standard CKKS does not directly address. Since encoded values are represented as bit patterns in 8, logical errors manifest as bit flips in the binary coefficients. The paper identifies several sources: rounding errors, accumulated decryption noise exceeding half the distance between neighboring lattice points, and potential hardware faults such as fault injection attacks (Chen et al., 4 Aug 2025). For workloads involving keys, counters, or decisions, the paper states that any bit error is unacceptable.
To obtain bit-exact decryption with high probability, the construction layers a binary BCH code over the binary plaintext. It uses a cyclic 9 code of length 0, dimension 1, and error-correction capacity 2, with generator polynomial
3
where 4 are minimal polynomials of 5 over 6. Systematic encoding is
7
where 8 encodes 9 data bits.
In the FHE workflow, the message bits 0 are padded to length 1, partitioned into blocks 2 of length 3, encoded blockwise into codewords 4 of length 5, and concatenated into a bit string 6 of length 7. A fixed permutation 8 is then applied before packing into a polynomial
9
The purpose of 00 is to spread out errors that tend to cluster in the least significant bits of ring coefficients, so that BCH error-correction capacity is used more effectively across blocks.
The pre-processing and post-processing stages are explicit. BCH-Pre-Encode takes 01, pads it, blocks it, encodes each block, concatenates the codewords, applies 02, packs the resulting bits into 03, and encrypts with Binary CKKS. BCH-Post-Decode decrypts to 04, unpacks the bits, applies 05, blocks the recovered codewords, and decodes them via BCH syndrome computation, Berlekamp–Massey, and Chien search. The decoded bits are then mapped back through 06, 07, and 08 to recover the approximate complex vector.
The paper highlights 09, 10, and the extended 11. For a concrete example with SEAL-like parameters 12, after inverse binary expansion each ring coefficient has 13 bits, the empirical per-coefficient flip probability is 14, and the per-bit flip probability is 15. For 16, the expected flips per block are
17
the probability of at least 18 flips is approximately 19, and with 20 such blocks the overall failure probability remains negligible. The paper therefore characterizes the BCH layer as improving reliability to essentially cryptographic levels.
The BCH layer is purely public pre/post-processing. Because it is deterministic, invertible, and external to the encrypted computation itself, the paper states that it preserves IND-CPA security when composed with the underlying Binary CKKS scheme.
5. Security model and conceptual boundaries
The security basis remains RLWE over the original cyclotomic ring 21. Public keys have the form
22
with sparse secret 23 drawn from a HWT distribution and error from a discrete Gaussian. The binary ring 24 is treated as a representation layer, and the security proof maps back to an RLWE instance in 25 through the inverse map 26 (Chen et al., 4 Aug 2025).
The paper states three security consequences. First, the base Binary CKKS scheme is IND-CPA secure under decisional RLWE. Second, the BCH-wrapped scheme is also IND-CPA secure because the BCH transformation is public, deterministic, and invertible. Third, Refresh provides circuit privacy: owing to flooding noise, each refreshed ciphertext is statistically close to a fresh encryption of randomness, and a simulator can replace refresh outputs with fresh encryptions of random values, so the evaluator learns nothing about intermediate states.
Parameter choices are CKKS-like: typical 27, scaling factor 28, Gaussian standard deviation 29, and secret Hamming weight 30 in large-dimension examples. The paper states that security levels are analogous to standard CKKS in the same dimensions, with about 128-bit security around 31, because the underlying RLWE problem is the same.
The relation to neighboring HE schemes is delicate. Standard CKKS uses approximate arithmetic and rescaling; BFV/BGV-style schemes are more naturally suited to exact integer or binary arithmetic (Pathak, 2022). The binary variant does not erase that distinction. It still uses CKKS-style encoding, scaling, and approximate message semantics, and the paper’s reliability claims are achieved by adding BCH coding on top of the approximate FHE layer rather than by redefining the scheme as exact modular-bit arithmetic. This suggests a technical boundary: the construction remains CKKS-compatible in semantics while borrowing bit-level redundancy mechanisms usually associated with exact reliability requirements.
6. Parameters, implementation, performance, and limitations
The binary expansion increases ring size. If the CKKS ring uses dimension 32 and 33, then the binary ring has dimension
34
For example, if 35, then 36 and 37. Binary CKKS operations cost
38
dominated by polynomial multiplications via NTT, while standard CKKS is described as
39
where 40 is the total modulus bit-length (Chen et al., 4 Aug 2025).
Memory use scales accordingly. Assuming 64-bit storage per coefficient, the paper gives
41
It notes that for 42, Binary CKKS ciphertexts are larger in RAM.
Empirical evaluation uses a dimension-normalized speedup
43
with 44 the ring dimension. The reported observations are specific. Key generation is faster for small dimensions, with 45 speedup at 46 and 47 at 48, but it slows relatively at larger dimensions as 49 grows. Encryption is slower because of binary expansion overhead. Decryption is substantially faster, with speedups up to 50 at dimension 51 and 52 at 53. Addition shows 54–55 speedup. Multiplication is approximately 56 faster at 57, about 58 at 59, and about 60 at 61 when compared at the same ring dimension. Once the larger binary ring 62 is fully accounted for, multiplication becomes the main bottleneck.
The BCH layer is comparatively cheap. For 63 and plaintext length 64, the total cost of pre-encode, permute, decode, and inverse permute is about 65 ms at 66, which the paper states is much smaller than a single homomorphic multiplication.
The implementation is an extension of HElib. It introduces new files simple_binary_ckks.h and .cpp, defines a SimpleBinaryCKKS class with its own key, ciphertext, and polynomial types, and leaves the HElib core mostly untouched, with only about 67 lines changed in utilities such as binio.h and io.h. Polynomial arithmetic reuses HElib’s NTT/FFT infrastructure. Benchmarks were run on an AMD Ryzen 7 with 32GB RAM under Ubuntu 22.04 and timed with std::chrono.
The suitable applications listed in the paper are approximate numerical computations that require CKKS-like semantics but prefer a non-leveled scheme with simpler noise management via Refresh, or require bit-exact decryption protected by error-correcting codes. The examples given are ML inference and analytics under stricter correctness guarantees, linear programs or low-degree polynomial computations where BCH codes are particularly effective, and fault-resilient HE deployments where hardware fault attacks are a concern.
The limitations are equally explicit. Binary expansion enlarges the ring degree by 68, increasing memory use and the cost of some operations. Multiplication is currently less optimized than CKKS in HElib and becomes the main bottleneck at high dimensions. Computing 69 is expensive, though the paper states that it is amortizable and optimizable with lookup tables. Plaintext packing capacity per ciphertext is reduced because bits are spread out in the larger ring. Future work listed in the paper includes Double-CRT, bit-sliced storage, lookup-based binary expansion, faster binary polynomial multiplication exploiting ring homomorphisms, hardware acceleration for bit-level operations, and integration with lightweight CKKS bootstrapping and TFHE-style techniques.