BFV: Brakerski-Fan-Vercauteren Homomorphic Encryption
- BFV is a fully homomorphic encryption scheme based on ring-LWE that supports exact modular arithmetic for integer computations.
- It embeds plaintexts in polynomial rings using a scaling factor, allowing precise homomorphic addition and multiplication with managed noise growth.
- BFV’s exact arithmetic is ideal for applications like decentralized learning, vehicular aggregation, and privacy-preserving neural inference.
Brakerski–Fan–Vercauteren (BFV) is a ring-LWE based leveled fully homomorphic encryption scheme that supports exact integer arithmetic modulo a plaintext modulus . In BFV, plaintexts live in a polynomial ring , ciphertexts live in a larger ring , and encryption embeds plaintexts through a scaling factor , so that additions and multiplications can be evaluated on ciphertexts while decryption recovers the corresponding result modulo if the accumulated noise remains below a correctness threshold (Ko, 7 Mar 2025). Within the FV-like family, BFV is closely related to BGV and contrasts with CKKS in that BFV targets exact modular arithmetic rather than approximate real/complex arithmetic; this exactness is the property repeatedly exploited in applications such as decentralized learning, vehicular aggregation, privacy-preserving neural inference, and federated model summation (Ko, 7 Mar 2025).
1. Scheme family, scope, and computational model
BFV belongs to the “FV-like” family of schemes and operates over cyclotomic polynomial rings, typically in the power-of-two setting . The base ring is ; the ciphertext ring is ; and the plaintext ring is . Security reduces to the hardness of Ring Learning With Errors (RLWE), with small secrets and small error polynomials masking the scaled plaintext in the ciphertext domain (Ko, 7 Mar 2025).
The defining semantic feature of BFV is exact modular arithmetic on plaintexts. Rather than representing approximate real values as in CKKS, BFV computes exactly modulo . The cited studies repeatedly exploit this property for integer-valued or fixed-point workloads. In decentralized deep learning, BFV is used to preserve “lossless precision” for integer or fixed-point gradients (Xu et al., 2022). In vehicular communication, BFV is used for encrypted vehicle counting and other addition-only integer aggregates (Mamun et al., 4 Aug 2025). In privacy-preserving spiking neural networks, BFV is selected because it “provides exact modular-integer arithmetic,” matching spike-based computation with binary or low-precision integer activations (Nikfam et al., 2023).
The relationship to nearby schemes is also explicit. BFV and BGV both provide exact arithmetic modulo 0, but differ in noise management and modulus-switching style; CKKS provides approximate arithmetic and is suited to workloads where real-valued operations and rescaling dominate; TFHE targets gate-level computation with very fast bootstrapping for Boolean circuits (Ko, 7 Mar 2025). A recurrent practical conclusion is therefore workload-dependent rather than absolute: BFV is a natural fit for exact counting, integer aggregation, thresholding-compatible pipelines, and quantized model updates, whereas approximate linear algebra or large dynamic range can favor CKKS (Xu et al., 2022).
2. Algebraic setting and canonical algorithms
In the power-of-two formulation used throughout the cited literature, BFV takes 1 or 2 and works modulo 3 or 4. The plaintext is lifted from 5 to 6 by the scale
7
An encoded plaintext 8 is represented in ciphertext arithmetic as 9, and decryption rescales by 0 and rounds (Xu et al., 2022).
The standard public-key form samples a small secret 1, a uniform 2, and a small error 3, then sets a public key as either 4 or, in another equivalent sign convention used in the cited systems literature, 5 with a correspondingly negated second ciphertext component (Xu et al., 2022, Meng et al., 27 Sep 2025). With the conventional two-component encryption formula, fresh small randomness 6 yields
7
Decryption computes
8
or an equivalent sign-adjusted variant, and succeeds when the total decryption noise satisfies the standard BFV bound
9
This exact recovery condition is central: the ciphertext carries 0 plus RLWE noise, and the scaling-and-rounding step cancels the noise if the bound is respected (Xu et al., 2022).
Homomorphic addition is component-wise: 1 Homomorphic multiplication first produces a three-component ciphertext,
2
after which relinearization uses an evaluation key encrypting powers of the secret, typically 3, to map the product back to a two-component form (Xu et al., 2022). The cited textbook treatment presents the same operation through mod-raise, rescale by 4, and gadget-based relinearization, emphasizing that multiplication expands both ciphertext dimension and noise, whereas addition grows noise only linearly (Ko, 7 Mar 2025).
The secret and error distributions are small by design. One cited formulation uses ternary secrets with coefficients in 5 and errors from a centered discrete Gaussian truncated to a bounded interval (Xu et al., 2022). Other cited implementations describe small secrets drawn from binary, ternary, or discrete-Gaussian-like distributions, but do not always enumerate the exact sampler parameters (Mamun et al., 4 Aug 2025, Nikfam et al., 2023).
3. Encoding, batching, relinearization, and bootstrapping
A major practical feature of BFV is batching. When 6 is chosen so that 7 splits over 8, the Chinese Remainder Theorem decomposes 9 into a direct product of fields, enabling SIMD-style packing. The cited sources state this condition in closely related forms: 0 prime with 1, or more generally 2, so that primitive roots of unity exist modulo 3 and slotwise encoding/decoding can be realized through CRT or Vandermonde-like transforms (Mamun et al., 4 Aug 2025, Ko, 7 Mar 2025). Under such conditions, one plaintext polynomial can hold up to 4 independent integers.
Efficient polynomial arithmetic is obtained by choosing NTT-friendly ciphertext moduli. If 5, then 6 admits primitive 7-th roots of unity, and the Number Theoretic Transform yields quasi-linear convolution for polynomial multiplication (Mamun et al., 4 Aug 2025). Modern software stacks such as Microsoft SEAL and OpenFHE use RNS/NTT BFV variants, and several of the empirical papers inherit these optimizations directly from the library backend (Xu et al., 2022, Mamun et al., 4 Aug 2025).
Relinearization is the standard mechanism that collapses a multiplication result from three ciphertext components back to two. The textbook treatment expresses this through gadget decomposition and evaluation keys 8 encrypting scaled versions of 9, so that the 0 term can be transformed into a linear term in the secret (Ko, 7 Mar 2025). In practice, however, several application papers are explicitly addition-dominated. The decentralized learning workload in D²-MHE is dominated by aggregation, so multiplications and relinearization are “minimal and not the performance bottleneck” (Xu et al., 2022). The V2X study uses BFV only for additions, so neither multiplication nor modulus switching is exercised experimentally, and no relinearization or rotation keys are required (Mamun et al., 4 Aug 2025).
Bootstrapping occupies a more delicate position. The textbook source presents a BFV bootstrapping method based on homomorphic digit extraction, involving modulus switching, homomorphic decryption, CoeffToSlot, digit extraction polynomials, SlotToCoeff, and scaling reinterpretation (Ko, 7 Mar 2025). D²-MHE also defines a distributed bootstrapping primitive, MBFV.Bootstrap, which refreshes a ciphertext to “fresh-like” noise in the multiparty setting (Xu et al., 2022). Yet the reported deployments also show why BFV is often used in leveled, non-bootstrapped form: when the circuit is shallow or addition-only, noise remains sufficiently small that bootstrapping is unnecessary in most runs (Xu et al., 2022, Mamun et al., 4 Aug 2025). This directly counters the common misconception that BFV necessarily implies frequent bootstrapping in practical systems.
4. Multiparty BFV and application-specific adaptations
A prominent systems extension is the multiparty BFV design used in D²-MHE for decentralized deep learning. Here, the collective secret is additively shared,
1
over a local neighborhood 2, and a collective public key is formed by summing local public-key shares. The scheme introduces four primitives—MBFV.SecKeyGen, MBFV.PubKeyGen, MBFV.Convert, and MBFV.Bootstrap—to support secure aggregation over a graph without reconstructing the joint secret (Xu et al., 2022). The core conversion primitive performs an interactive one-shot key switch from the shared public key to a recipient’s individual key by having each participant contribute masked partials
3
after which the recipient sums them into a new ciphertext decryptable under its own secret key (Xu et al., 2022).
The security model is honest-but-curious with collusion allowance: in any neighborhood 4, up to 5 users can collude. The paper’s simulators for MBFV.PubKeyGen, MBFV.Convert, and MBFV.Bootstrap rely on decisional RLWE together with additive secret sharing and fresh Gaussian masks, and conclude that semantic security is preserved so long as at least one honest party remains in the neighborhood (Xu et al., 2022). The systems consequence is a communication reduction from the quadratic pattern of generic MPC-style secret sharing to linear scaling in the number of users, enabled by one system-wide public key, ciphertext packing, homomorphic local aggregation, and recipient-specific conversion (Xu et al., 2022).
A second adaptation appears in FedBit, which tailors BFV to federated learning through coefficient-level bit-interleaved packing rather than CRT slot packing. In FedBit, multiple quantized weights are embedded into one plaintext coefficient by disjoint bit-fields: 6 Correctness requires both intra-slot carry prevention,
7
and avoidance of coefficient wraparound,
8
where 9 is the worst-case packed coefficient bound defined in the paper (Meng et al., 27 Sep 2025). Because FedBit is aggregation-only, it avoids multiplications, rotations, relinearization, and key-switching; this permits a compact two-component BFV deployment with hardware acceleration on a Xilinx Alveo U250 FPGA (Meng et al., 27 Sep 2025).
These two systems illustrate distinct but complementary ways BFV is adapted. D²-MHE modifies key management and decryption flow to support decentralized secure averaging with neighborhood-majority collusion resistance (Xu et al., 2022). FedBit modifies data representation and hardware dataflow to minimize ciphertext count, communication, and transform overhead in federated aggregation (Meng et al., 27 Sep 2025). A plausible implication is that BFV’s practical flexibility derives less from changing its algebraic core than from controlling how exact integer semantics, packing, and key structure are embedded into the surrounding protocol.
5. Implementations and reported empirical behavior
The recent systems literature evaluates BFV in markedly different environments, but a consistent pattern emerges: exact addition-heavy workloads are the most favorable regime, while multiplication-heavy workloads are constrained by ciphertext growth, wide modular multiplication cost, or both (Mamun et al., 4 Aug 2025, Gupta et al., 2023, Nikfam et al., 2023, Xu et al., 2022, Meng et al., 27 Sep 2025).
| Environment | BFV configuration | Reported findings |
|---|---|---|
| Decentralized deep learning (Xu et al., 2022) | Microsoft SEAL; polynomial degree 2048 and 4096; 1024 slots per ciphertext | MNIST, 50 users: D²-MHE 91.17%; CIFAR-10, 100 users: 68.25%; MNIST communication 56.7 MB per user total vs COPML 707.7 MB |
| V2X encrypted counting (Mamun et al., 4 Aug 2025) | OpenFHE; 0; addition-only; ciphertext size 1 KB | Vehicle count 100 over Wi‑Fi: 5.44 ± 2.14 ms encryption, 347.61 ± 6.80 ms evaluation, 4.73 ± 1.08 ms decryption; communication latency 3072.89 ms; about 95 fragments |
| PIM acceleration (Gupta et al., 2023) | UPMEM PIM; 2; 32-, 64-, 128-bit coefficients | Vector addition: 50–100× over CPU and 2–15× over GPU; vector multiplication: 40–50× over CPU but 10–15× behind GPU |
| Encrypted SNN/DNN inference (Nikfam et al., 2023) | Pyfhel; 3; 4 | SNNs achieve up to 40% higher accuracy than DNNs for low 5; encrypted LeNet-5 totals 31 s per image; Spiking-LeNet-5 totals 930 s |
| Federated learning co-design (Meng et al., 27 Sep 2025) | BFV with 6, 7; FPGA accelerator | Fashion-MNIST: 3.2 ms encryption, 3.1 ms decryption; per-client traffic 2.7 MB vs CKKS 8.68 MB; average communication reduction 60.7% |
The V2X study is particularly explicit about network cost. Under 128-bit post-quantum security with 8, a two-component BFV ciphertext is approximately 132 KB, which at 1400-byte UDP fragmentation yields about 95 fragments per ciphertext. Communication dominates end-to-end latency: round-trip BFV communication is approximately 9–0 s in both Wi‑Fi and Ethernet, largely independent of the number of additions, while the server’s evaluation time grows roughly linearly with the number of additions (Mamun et al., 4 Aug 2025). The same study concludes that BFV and BGV are suitable for latency-tolerant ITS tasks, but none of the tested HE schemes meet stringent sub-second safety-critical deadlines under the tested parameters (Mamun et al., 4 Aug 2025).
The PIM study evaluates only BFV’s core arithmetic kernels on a real UPMEM system rather than a full end-to-end encrypted protocol. Addition maps well to native 32-bit add and add-with-carry, leading to large speedups; multiplication is limited by the lack of native sufficiently wide multiplication support, so GPU remains superior for multiplication-heavy kernels (Gupta et al., 2023). This distinction aligns with the application papers: arithmetic mean and secure summation are favorable for BFV acceleration, whereas variance, linear regression, or deeper neural pipelines move the bottleneck toward multiplications (Gupta et al., 2023).
The encrypted SNN study highlights another empirical axis: plaintext modulus 1. With 2 and Pyfhel-managed 3, the authors sweep 4 from 5 to 6, reporting that SNNs degrade more gracefully than DNNs at low 7, with about 40% higher accuracy at 8, while encrypted inference remains costly—31 s per image for LeNet-5 and about 15.5 minutes for Spiking-LeNet-5 with 9 (Nikfam et al., 2023). This is not an argument that BFV makes spiking models fast; rather, it shows that integer-exact encrypted computation can interact favorably with low-precision spike-based representations.
6. Limitations, misconceptions, and scheme-selection criteria
Several limitations recur across the cited literature. First, ciphertext expansion is substantial. BFV ciphertexts are much larger than plaintext vectors or gradients, and communication latency can dominate end-to-end time even when homomorphic evaluation is addition-only, as the V2X measurements make explicit (Mamun et al., 4 Aug 2025). Second, parameter growth is expensive: larger polynomial modulus degree and larger 0 improve noise margins but increase latency, memory footprint, and in some settings fragmentation overhead (Xu et al., 2022). Third, multiplication remains the difficult operation. Relinearization keys, modulus management, and wide modular multiplication cost are either major performance factors or deliberately avoided by restricting workloads to additions (Gupta et al., 2023, Mamun et al., 4 Aug 2025).
Two misconceptions are directly contradicted by the cited work. One is that BFV is inherently an approximate-arithmetic scheme. It is not: its defining feature is exact modular arithmetic in 1, and this is precisely why it is selected for counting, integer aggregation, quantized updates, and spike-oriented computations (Ko, 7 Mar 2025, Mamun et al., 4 Aug 2025). Another is that BFV is useful only with CRT slot batching. Standard BFV does support CRT-SIMD packing when the plaintext modulus satisfies the requisite splitting conditions, but FedBit shows that practical systems may instead use coefficient-level bit interleaving, avoiding the root-of-unity constraint on 2 and eliminating the need for rotation keys (Meng et al., 27 Sep 2025).
Scheme selection in the cited papers is consistently application-driven. When exact integer semantics matter—vehicle counting, occupancy sums, model-update aggregation, or fixed-point gradients—BFV is repeatedly presented as the better fit (Mamun et al., 4 Aug 2025, Xu et al., 2022). When approximate arithmetic, large dynamic range, or multiplication-heavy linear algebra dominate, the same literature notes that CKKS can be advantageous (Xu et al., 2022). This does not make BFV “better” in the abstract; it means that BFV’s central design decision—exactness modulo 3—is a strength only when the application semantics and protocol structure can exploit it.
A final practical observation is that many empirical BFV papers do not enumerate every cryptographic parameter. Several studies omit exact plaintext modulus values, RNS prime decompositions, or key sizes, especially when the library selects them automatically or when the workload exercises only addition (Mamun et al., 4 Aug 2025, Nikfam et al., 2023). This suggests a separation between two layers of BFV research: one layer develops the algebra, correctness bounds, batching, relinearization, and bootstrapping machinery; the other fixes a narrow workload class and leverages only the portion of BFV needed for that class. The contemporary literature cited here is strongest precisely where those two layers align: shallow, addition-dominated, exact-integer computation under RLWE security.