Papers
Topics
Authors
Recent
Search
2000 character limit reached

Binary Variant of CKKS

Updated 7 July 2026
  • Binary Variant of CKKS is a fully homomorphic encryption scheme that converts standard CKKS coefficients into binary representations while retaining approximate complex arithmetic.
  • It encodes messages via canonical embeddings, then binarizes polynomial coefficients and applies BCH error-correcting codes to ensure reliable decryption.
  • The framework provides reduced noise growth and unbounded-depth computations, though it trades off increased ring dimensions and heavier multiplication overhead.

The binary variant of CKKS is a fully homomorphic encryption framework that preserves the core algebraic structure of CKKS—canonical embedding, RLWE security, SIMD packing, and approximate arithmetic on complex numbers—while replacing the usual large-integer coefficient rings with binary-coefficient polynomial rings and eliminating the modulus chain plus rescaling procedure. In the formulation presented in "A Non-leveled and Reliable Approximate FHE Framework through Binarized Polynomial Rings" (Chen et al., 4 Aug 2025), messages remain vectors in CN/2\mathbb{C}^{N/2} and are first encoded exactly as in CKKS, after which each ring coefficient is binarized and placed into a larger binary ring. Homomorphic computation then proceeds in that binary ring, with noise controlled by a lightweight Refresh operation and decryption reliability strengthened by BCH error-correcting codes.

1. Position within the CKKS family

Standard CKKS is an RLWE-based, leveled homomorphic encryption scheme designed for approximate arithmetic on real and complex vectors. It is built over a cyclotomic ring R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1) for power-of-two cyclotomic index, packs vectors in CN/2\mathbb{C}^{N/2} through the canonical embedding, and manages multiplicative depth through a modulus chain and rescaling (Pathak, 2022). In that setting, ciphertexts are pairs in Rq2R_{q_\ell}^2 at level \ell, and decryption is structured so that the plaintext occupies the most significant part of the decrypted value while the noise remains small relative to the scaling factor.

The binary variant retains this CKKS semantics at the message level but changes the coefficient representation. Rather than storing ciphertext polynomials with large coefficients modulo qq, it maps those coefficients into binary expansions and carries out the homomorphic computation in a binary-coefficient polynomial ring. The stated design goals are binary coefficients, avoidance of CKKS rescaling and modulus switching, control of noise growth in the binary setting, and unbounded-depth computation through periodic Refresh.

A common misconception is that “binary CKKS” means a bit-encryption scheme in the sense of BFV, BGV, or TFHE. The construction in (Chen et al., 4 Aug 2025) does not redefine CKKS as exact Boolean arithmetic. Instead, it keeps CKKS-style approximate arithmetic over complex vectors and introduces a binary representation layer for encoded ring elements. The paper itself contrasts CKKS with integer-oriented schemes, noting that exact arithmetic on integers or bits is more naturally aligned with BGV/BFV-style designs (Pathak, 2022). The binary variant therefore occupies a distinct position: approximate SIMD arithmetic remains the target semantics, while coefficient binarization and BCH coding are used to improve reliability and simplify noise management.

2. Algebraic construction and binary embedding

As in CKKS, let MM be a cyclotomic index with cyclotomic polynomial ΦM(X)\Phi_M(X) of degree N=φ(M)N=\varphi(M), and define

R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.

The canonical embedding is

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)0

where R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)1 is a primitive R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)2-th root of unity. A message R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)3 is embedded into the Hermitian subspace R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)4, scaled by R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)5, rounded to the lattice R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)6, and mapped back by R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)7 to a polynomial in R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)8. This is precisely the CKKS encoding stage (Chen et al., 4 Aug 2025).

The binary step begins by fixing an upper bound R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)9 on the absolute value of coefficients in CN/2\mathbb{C}^{N/2}0 and setting

CN/2\mathbb{C}^{N/2}1

For a polynomial

CN/2\mathbb{C}^{N/2}2

with binary decomposition

CN/2\mathbb{C}^{N/2}3

the binary expansion map is defined by

CN/2\mathbb{C}^{N/2}4

A coefficient at position CN/2\mathbb{C}^{N/2}5 in CN/2\mathbb{C}^{N/2}6 thus becomes a block of CN/2\mathbb{C}^{N/2}7 bits in CN/2\mathbb{C}^{N/2}8.

The full encoding chain is

CN/2\mathbb{C}^{N/2}9

Decoding reverses the process: the inverse binary map Rq2R_{q_\ell}^20 regroups bits into coefficients in Rq2R_{q_\ell}^21, and the resulting polynomial is interpreted through the CKKS decoding map. The paper also defines a norm on Rq2R_{q_\ell}^22 by pulling back to Rq2R_{q_\ell}^23,

Rq2R_{q_\ell}^24

so that noise analysis remains tied to the CKKS canonical representation.

The significance of this construction is that the message space, canonical embedding, scaling factor, and RLWE-based cryptographic structure are unchanged, while the operational ring is transformed into a binary polynomial ring. The paper describes this as preserving the CKKS algebraic core while encrypting the binary expansion of encoded coefficients rather than the coefficients themselves.

3. Ciphertexts, homomorphic operations, and refresh

Ciphertexts live in Rq2R_{q_\ell}^25 with a binary secret key Rq2R_{q_\ell}^26 of small Hamming weight Rq2R_{q_\ell}^27. Key generation samples

  • Rq2R_{q_\ell}^28,
  • Rq2R_{q_\ell}^29 uniformly,
  • \ell0 and then maps it to binary via \ell1,

and sets

\ell2

For relinearization, one samples \ell3 and defines

\ell4

For Refresh, the scheme also generates a refresh key by encrypting each coefficient \ell5 of \ell6 under the public key (Chen et al., 4 Aug 2025).

Encryption of \ell7 samples a one-bit mask vector \ell8 and errors \ell9, binarizes the errors via qq0, and outputs

qq1

that is,

qq2

Decryption computes

qq3

so the decrypted form remains the CKKS-style affine relation qq4 with a small error polynomial.

Addition is componentwise,

qq5

with noise bound

qq6

Multiplication first forms the schoolbook product

qq7

and then relinearizes:

qq8

Under the secret key, decryption yields the product of the decrypted ciphertexts plus a new noise term.

The paper gives explicit noise bounds. For encryption noise,

qq9

If MM0, decoding is robust. For the CKKS-style encoding error,

MM1

which is negligible if MM2 is large. For multiplication in the binary scheme,

MM3

The comparison to standard CKKS is central. Standard CKKS multiplication noise includes a rescaling term

MM4

whereas the binary scheme has no such term. Under standard SEAL parameters MM5 primes of roughly MM6 bits, MM7, the paper estimates

MM8

so the multiplicative noise is about MM9 times smaller (Chen et al., 4 Aug 2025).

Instead of modulus switching and rescaling, the scheme uses Refresh. Given ΦM(X)\Phi_M(X)0, it homomorphically reconstructs an encryption of ΦM(X)\Phi_M(X)1 by using encrypted secret-key shares,

ΦM(X)\Phi_M(X)2

It then adds flooding noise ΦM(X)\Phi_M(X)3 with ΦM(X)\Phi_M(X)4, and re-encrypts with fresh one-time randomness:

ΦM(X)\Phi_M(X)5

where ΦM(X)\Phi_M(X)6. The Thresh function checks whether current noise exceeds ΦM(X)\Phi_M(X)7 and invokes Refresh when needed. This is the basis for the scheme’s “non-leveled” or “unbounded-depth” character: depth need not be fixed in advance, because noise is periodically reset to the fresh-encryption level.

4. Reliability layer through BCH coding

The binary representation introduces a reliability problem that standard CKKS does not directly address. Since encoded values are represented as bit patterns in ΦM(X)\Phi_M(X)8, logical errors manifest as bit flips in the binary coefficients. The paper identifies several sources: rounding errors, accumulated decryption noise exceeding half the distance between neighboring lattice points, and potential hardware faults such as fault injection attacks (Chen et al., 4 Aug 2025). For workloads involving keys, counters, or decisions, the paper states that any bit error is unacceptable.

To obtain bit-exact decryption with high probability, the construction layers a binary BCH code over the binary plaintext. It uses a cyclic ΦM(X)\Phi_M(X)9 code of length N=φ(M)N=\varphi(M)0, dimension N=φ(M)N=\varphi(M)1, and error-correction capacity N=φ(M)N=\varphi(M)2, with generator polynomial

N=φ(M)N=\varphi(M)3

where N=φ(M)N=\varphi(M)4 are minimal polynomials of N=φ(M)N=\varphi(M)5 over N=φ(M)N=\varphi(M)6. Systematic encoding is

N=φ(M)N=\varphi(M)7

where N=φ(M)N=\varphi(M)8 encodes N=φ(M)N=\varphi(M)9 data bits.

In the FHE workflow, the message bits R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.0 are padded to length R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.1, partitioned into blocks R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.2 of length R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.3, encoded blockwise into codewords R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.4 of length R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.5, and concatenated into a bit string R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.6 of length R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.7. A fixed permutation R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.8 is then applied before packing into a polynomial

R=Z[X]/(ΦM(X)),Rq=R/qR.R=\mathbb{Z}[X]/(\Phi_M(X)), \qquad R_q = R/qR.9

The purpose of R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)00 is to spread out errors that tend to cluster in the least significant bits of ring coefficients, so that BCH error-correction capacity is used more effectively across blocks.

The pre-processing and post-processing stages are explicit. BCH-Pre-Encode takes R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)01, pads it, blocks it, encodes each block, concatenates the codewords, applies R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)02, packs the resulting bits into R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)03, and encrypts with Binary CKKS. BCH-Post-Decode decrypts to R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)04, unpacks the bits, applies R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)05, blocks the recovered codewords, and decodes them via BCH syndrome computation, Berlekamp–Massey, and Chien search. The decoded bits are then mapped back through R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)06, R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)07, and R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)08 to recover the approximate complex vector.

The paper highlights R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)09, R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)10, and the extended R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)11. For a concrete example with SEAL-like parameters R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)12, after inverse binary expansion each ring coefficient has R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)13 bits, the empirical per-coefficient flip probability is R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)14, and the per-bit flip probability is R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)15. For R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)16, the expected flips per block are

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)17

the probability of at least R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)18 flips is approximately R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)19, and with R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)20 such blocks the overall failure probability remains negligible. The paper therefore characterizes the BCH layer as improving reliability to essentially cryptographic levels.

The BCH layer is purely public pre/post-processing. Because it is deterministic, invertible, and external to the encrypted computation itself, the paper states that it preserves IND-CPA security when composed with the underlying Binary CKKS scheme.

5. Security model and conceptual boundaries

The security basis remains RLWE over the original cyclotomic ring R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)21. Public keys have the form

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)22

with sparse secret R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)23 drawn from a HWT distribution and error from a discrete Gaussian. The binary ring R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)24 is treated as a representation layer, and the security proof maps back to an RLWE instance in R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)25 through the inverse map R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)26 (Chen et al., 4 Aug 2025).

The paper states three security consequences. First, the base Binary CKKS scheme is IND-CPA secure under decisional RLWE. Second, the BCH-wrapped scheme is also IND-CPA secure because the BCH transformation is public, deterministic, and invertible. Third, Refresh provides circuit privacy: owing to flooding noise, each refreshed ciphertext is statistically close to a fresh encryption of randomness, and a simulator can replace refresh outputs with fresh encryptions of random values, so the evaluator learns nothing about intermediate states.

Parameter choices are CKKS-like: typical R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)27, scaling factor R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)28, Gaussian standard deviation R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)29, and secret Hamming weight R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)30 in large-dimension examples. The paper states that security levels are analogous to standard CKKS in the same dimensions, with about 128-bit security around R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)31, because the underlying RLWE problem is the same.

The relation to neighboring HE schemes is delicate. Standard CKKS uses approximate arithmetic and rescaling; BFV/BGV-style schemes are more naturally suited to exact integer or binary arithmetic (Pathak, 2022). The binary variant does not erase that distinction. It still uses CKKS-style encoding, scaling, and approximate message semantics, and the paper’s reliability claims are achieved by adding BCH coding on top of the approximate FHE layer rather than by redefining the scheme as exact modular-bit arithmetic. This suggests a technical boundary: the construction remains CKKS-compatible in semantics while borrowing bit-level redundancy mechanisms usually associated with exact reliability requirements.

6. Parameters, implementation, performance, and limitations

The binary expansion increases ring size. If the CKKS ring uses dimension R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)32 and R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)33, then the binary ring has dimension

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)34

For example, if R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)35, then R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)36 and R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)37. Binary CKKS operations cost

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)38

dominated by polynomial multiplications via NTT, while standard CKKS is described as

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)39

where R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)40 is the total modulus bit-length (Chen et al., 4 Aug 2025).

Memory use scales accordingly. Assuming 64-bit storage per coefficient, the paper gives

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)41

It notes that for R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)42, Binary CKKS ciphertexts are larger in RAM.

Empirical evaluation uses a dimension-normalized speedup

R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)43

with R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)44 the ring dimension. The reported observations are specific. Key generation is faster for small dimensions, with R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)45 speedup at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)46 and R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)47 at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)48, but it slows relatively at larger dimensions as R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)49 grows. Encryption is slower because of binary expansion overhead. Decryption is substantially faster, with speedups up to R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)50 at dimension R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)51 and R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)52 at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)53. Addition shows R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)54–R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)55 speedup. Multiplication is approximately R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)56 faster at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)57, about R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)58 at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)59, and about R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)60 at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)61 when compared at the same ring dimension. Once the larger binary ring R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)62 is fully accounted for, multiplication becomes the main bottleneck.

The BCH layer is comparatively cheap. For R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)63 and plaintext length R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)64, the total cost of pre-encode, permute, decode, and inverse permute is about R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)65 ms at R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)66, which the paper states is much smaller than a single homomorphic multiplication.

The implementation is an extension of HElib. It introduces new files simple_binary_ckks.h and .cpp, defines a SimpleBinaryCKKS class with its own key, ciphertext, and polynomial types, and leaves the HElib core mostly untouched, with only about R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)67 lines changed in utilities such as binio.h and io.h. Polynomial arithmetic reuses HElib’s NTT/FFT infrastructure. Benchmarks were run on an AMD Ryzen 7 with 32GB RAM under Ubuntu 22.04 and timed with std::chrono.

The suitable applications listed in the paper are approximate numerical computations that require CKKS-like semantics but prefer a non-leveled scheme with simpler noise management via Refresh, or require bit-exact decryption protected by error-correcting codes. The examples given are ML inference and analytics under stricter correctness guarantees, linear programs or low-degree polynomial computations where BCH codes are particularly effective, and fault-resilient HE deployments where hardware fault attacks are a concern.

The limitations are equally explicit. Binary expansion enlarges the ring degree by R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)68, increasing memory use and the cost of some operations. Multiplication is currently less optimized than CKKS in HElib and becomes the main bottleneck at high dimensions. Computing R=Z[x]/(xN+1)R = \mathbb{Z}[x]/(x^N+1)69 is expensive, though the paper states that it is amortizable and optimizable with lookup tables. Plaintext packing capacity per ciphertext is reduced because bits are spread out in the larger ring. Future work listed in the paper includes Double-CRT, bit-sliced storage, lookup-based binary expansion, faster binary polynomial multiplication exploiting ring homomorphisms, hardware acceleration for bit-level operations, and integration with lightweight CKKS bootstrapping and TFHE-style techniques.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Binary Variant of CKKS.