Papers
Topics
Authors
Recent
Search
2000 character limit reached

BGV: Leveled RLWE Homomorphic Encryption

Updated 7 July 2026
  • BGV is a leveled fully homomorphic encryption scheme based on Ring-LWE that enables exact integer arithmetic, batching, and SIMD operations.
  • It controls noise growth through modulus-switching and relinearization, allowing evaluation of circuits up to a predetermined depth without bootstrapping.
  • BGV underpins diverse applications—from secure search to encrypted neural network training—and serves as a baseline for post-quantum homomorphic computation systems.

Searching arXiv for recent and foundational BGV-related papers to ground the encyclopedia entry. Brakerski–Gentry–Vaikuntanathan (BGV) is a leveled fully homomorphic encryption (FHE) scheme in the (R)LWE-based family. It encrypts messages in polynomial residue rings, supports homomorphic addition and multiplication, and controls noise growth through modulus-switching and relinearization so that arbitrary circuits up to a publicly chosen depth can be evaluated without bootstrapping; when bootstrapping is added, it yields unbounded FHE. In the literature, BGV is routinely treated as a workhorse exact-arithmetic scheme, a canonical platform for SIMD batching, and a baseline for both software and hardware realizations of post-quantum homomorphic computation (Acar et al., 2017, Biasioli et al., 24 Apr 2025).

1. Historical and conceptual position

BGV belongs to the “second generation” FHE line introduced by Brakerski and Vaikuntanathan and refined by Gentry, Halevi, and Smart. Relative to Gentry’s original ideal-lattice construction, this line replaces ideal-lattice machinery with Ring-LWE samples, yielding a simpler public-key structure and substantially improved efficiency. In its standard form, BGV is usually deployed as a leveled-FHE scheme: one fixes a maximum circuit depth LL in advance, chooses a chain of ciphertext moduli, and evaluates all circuits up to that depth without invoking bootstrapping (Acar et al., 2017).

Conceptually, BGV sits at the exact-arithmetic end of the FHE design space. The scheme operates over a finite plaintext modulus rather than the approximate semantics associated with CKKS, and this makes it natural for integer arithmetic, exact aggregation, comparison subroutines, database-style workloads, and quantized machine-learning pipelines. A recurring theme across applications is that BGV’s performance envelope is shaped less by the abstract existence of homomorphic addition and multiplication than by how efficiently one exploits batching, automorphisms, key-switching, and modulus management.

A common classification in the recent systems literature distinguishes “arithmetic” FHE from “non-arithmetic” FHE. In that terminology, BGV is an arithmetic FHE scheme that natively excels at word-wise additions, multiplications, and rotations. More recent work extends that role by adding direct word-wise comparison primitives, positioning BGV as a candidate “universal FHE” engine for mixed arithmetic and comparison workloads (Yudha et al., 2024).

2. Algebraic structure, encryption, and correctness

BGV is defined over cyclotomic quotient rings. General expositions use

R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),

while many implementations adopt the power-of-two specialization

R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).

Plaintexts live in RtR_t for a small plaintext modulus tt, while ciphertext components live in RqR_q for a much larger ciphertext modulus qq or a modulus chain q0<q1<<qL1q_0<q_1<\cdots<q_{L-1} (Geelen et al., 2022, Biasioli et al., 24 Apr 2025).

In a standard public-key presentation, one samples a secret key ss from a small-coefficient distribution and forms a public key (b,a)(b,a) with

R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),0

where R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),1 is uniform and R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),2 is a small error polynomial. To encrypt R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),3 at level R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),4, one draws fresh randomness and sets

R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),5

The ciphertext is R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),6, and the critical decryption quantity is

R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),7

Decryption succeeds provided the noise term does not wrap around modulo R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),8; the cited correctness criterion is

R=Z[x]/Φm(x),n=φ(m),R=\mathbb{Z}[x]/\langle \Phi_m(x)\rangle,\qquad n=\varphi(m),9

or more precisely

R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).0

This framing makes clear why ciphertext modulus selection is inseparable from both efficiency and correctness: if R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).1 is too small, decryption fails; if R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).2 is too large, ciphertexts and arithmetic become unnecessarily expensive (Biasioli et al., 24 Apr 2025).

The underlying hardness assumption is RLWE. Survey treatments state that recovering the secret from noisy ring samples is as hard as standard worst-case ideal-lattice problems under the usual reductions, and recent parameter-selection work treats BGV explicitly as one of the significant RLWE-based FHE schemes (Acar et al., 2017, Biasioli et al., 24 Apr 2025).

3. Homomorphic operations, relinearization, and modulus-switching

Homomorphic addition in BGV is component-wise. If R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).3 and R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).4, then

R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).5

The new noise is essentially the sum of the input noises. This operation is therefore comparatively cheap and is often the dominant primitive in aggregation-style applications (Geelen et al., 2022).

Homomorphic multiplication is structurally more involved. A raw product of two two-component ciphertexts produces a three-component ciphertext,

R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).6

which encrypts under R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).7 rather than R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).8. BGV therefore applies relinearization, also described as key-switching, to map the enlarged ciphertext back to two components. This uses an evaluation key containing encryptions of higher powers of the secret key or their decomposed representations. Relinearization is indispensable: without it, ciphertext dimension would grow with multiplicative depth (Acar et al., 2017, Geelen et al., 2022).

Rotations and slot permutations are implemented via ring automorphisms. BASALISC describes the operation as

R=Z[X]/(XN+1).R=\mathbb{Z}[X]/(X^N+1).9

for odd RtR_t0 coprime to RtR_t1. In batched mode, such automorphisms permute SIMD slots and are followed by key-switching because the ciphertext becomes encrypted under RtR_t2 rather than under RtR_t3. In practice, these operations are central to reductions, prefix computations, convolutions, and comparison circuits (Geelen et al., 2022).

Noise growth is the central algorithmic constraint. After multiplication, the noise grows roughly multiplicatively; in leveled BGV, one counteracts this by interleaving evaluation with modulus-switching. Survey expositions write modulus-switching from RtR_t4 to RtR_t5 as

RtR_t6

which scales the ciphertext and its noise while dropping one level in the modulus chain. This is the key mechanism that lets leveled BGV evaluate all circuits up to a predetermined depth without bootstrapping (Acar et al., 2017).

Bootstrapping remains available when arbitrary depth is required. Recent hardware work emphasizes that arbitrary-depth computation requires periodically refreshing the ciphertext by homomorphically evaluating decryption and a rounding step, thereby resetting the noise. That work also makes explicit that multiplication and automorphisms are the operations that stress noise most severely and therefore dominate bootstrapping-oriented architectures (Geelen et al., 2022).

4. Batching, SIMD, and the arithmetic-circuit viewpoint

One of BGV’s defining practical features is ciphertext batching. When the plaintext modulus has suitable structure, Chinese Remainder Theorem decompositions yield a slot representation

RtR_t7

so that a single ciphertext encrypts an RtR_t8-tuple and homomorphic additions and multiplications act coordinate-wise. This SIMD model reduces bandwidth and amortizes expensive ring operations across many data lanes (Geelen et al., 2022).

The software literature illustrates this with concrete but implementation-specific slot counts. In HELib-based secure search, the “EncryptedArray” abstraction packs many plaintext slots into one ciphertext, and the reported implementation processes roughly 100–200 database entries in parallel, with about 122 plaintext integers per ciphertext under default parameters. In Glyph, the chosen BGV instantiation uses RtR_t9 with tt0, and the CRT decomposition yields 60 slots; a single homomorphic multiply-plaintext or multiply-ciphertext therefore performs 60 parallel 8-bit multiplications (Akavia et al., 2017, Lou et al., 2019).

The arithmetic-circuit perspective follows directly from this packing model. Linear transformations are reduced to ciphertext additions, public-scalar multiplications, and rotations. In secure search, row-sparse binary matrix multiplications are realized as sums of tt1 slots using additions and rotations, with ciphertext–ciphertext multiplication appearing mainly inside the tt2 subroutine. In Glyph, fully connected layers are matrix–vector products in packed form, while convolution is implemented by the standard rotate-and-scale pattern over encrypted feature maps (Akavia et al., 2017, Lou et al., 2019).

A plausible implication is that much of BGV engineering is really slot-management engineering. The abstract homomorphic interface is stable, but practical efficiency depends on how aggressively a system reuses rotations, compacts live slots, and arranges computations so that most work stays in linear or ciphertext–plaintext form.

5. Systems, software, hardware, and applications

BGV has been used as a substrate for secure search, encrypted training, hardware acceleration, comparison-intensive universal FHE, and post-quantum communication experiments. The examples below illustrate the breadth of that deployment spectrum.

System Role of BGV Representative reported result
Secure search (Akavia et al., 2017) HELib-based leveled FHE for a coreset-plus-sketch search circuit retrieve the first match in a database of millions of entries in less than an hour using a single machine
Glyph (Lou et al., 2019) BGV for vectorial arithmetic, TFHE for activations reduces the training latency by tt3 over the prior FHE-based technique
BASALISC (Geelen et al., 2022) ASIC architecture for BGV, including fully-packed bootstrapping speedup of more than 5,000 times over HElib
BoostCom (Yudha et al., 2024) CPU+GPU acceleration for BGV word-wise comparisons geometric mean end-to-end speedup is tt4
V2X evaluation (Mamun et al., 4 Aug 2025) OpenFHE BGV for addition-only encrypted aggregation BGV total end-to-end latency tt5 s for 100 vehicles over Wi-Fi

These systems highlight distinct facets of the scheme. Secure search uses BGV as a leveled engine with total multiplicative depth kept polylogarithmic in database size, avoiding bootstrapping by parameterizing around a depth on the order of a few dozen levels. Glyph exploits BGV’s “vectorial-arithmetic-friendly” character for multiply–accumulate operations while delegating nonlinear activations to TFHE. BASALISC exposes BGV primitives directly in hardware, including add, multiply, key-switch, permutation, and bootstrap instructions. BoostCom targets a longstanding weak point—word-wise comparison—through GPU-aware NTT, FFT, and slot-compaction techniques. The V2X study, by contrast, uses only addition circuits and shows that even shallow BGV deployments can be dominated by ciphertext transport rather than homomorphic arithmetic itself (Akavia et al., 2017, Lou et al., 2019, Geelen et al., 2022, Yudha et al., 2024, Mamun et al., 4 Aug 2025).

A recurrent systems lesson is that BGV’s practical bottleneck is highly workload-dependent. For secure search and comparison-heavy workloads, multiplicative depth and rotations dominate. For encrypted neural-network training, activation handling is the bottleneck unless one uses a hybrid design. For vehicular aggregation, the dominant cost is communication of approximately 398 kB ciphertexts, fragmented into 284 UDP packets in the reported configuration (Mamun et al., 4 Aug 2025).

6. Parameter selection, security margins, and recurrent misconceptions

BGV parameter selection is governed by a three-way constraint: correctness requires that noise remain below the decryption threshold, security requires that tt6 resist RLWE attacks, and efficiency pushes toward the smallest feasible modulus chain and ring dimension. Recent work argues that traditional worst-case noise bounds are often overly conservative, while earlier average-case analyses understated post-multiplication noise because they ignored dependencies induced by shared secret and public-key terms. The new average-case analysis models a generic noise polynomial as

tt7

introduces correction functions tt8 and tt9 for secret- and error-dependent terms, and derives variance recurrences that are reported to track experiment closely without underestimation. The practical outcome is a recipe for choosing the smallest RqR_q0-chain compatible with a target depth and failure probability (Biasioli et al., 24 Apr 2025).

Security levels in deployed BGV systems vary with application requirements. HELib-based secure search and Glyph are described at the 80-bit level in the cited experiments, while BASALISC and the V2X study target 128-bit security. BASALISC supports RqR_q1 from RqR_q2 to RqR_q3, plaintext modulus RqR_q4, and ciphertext modulus RqR_q5 up to RqR_q6 bits; the V2X configuration fixes RqR_q7, plaintext modulus RqR_q8, and a ciphertext modulus chosen as a product of 3 primes with total bit-length approximately 220 bits (Geelen et al., 2022, Mamun et al., 4 Aug 2025).

Several recurrent misconceptions are addressed by the recent literature. One is that BGV always requires bootstrapping. In fact, many practical deployments are explicitly leveled: secure search keeps total multiplicative depth to RqR_q9 so that no explicit bootstrapping is needed, and Glyph reports networks shallow enough that no BGV bootstrap is triggered during training (Akavia et al., 2017, Lou et al., 2019). A second misconception is that BGV is restricted to “pure arithmetic” and therefore unsuitable for comparisons or selection. The universal-FHE line discussed by BoostCom shows that BGV can support direct word-wise comparison primitives, although these operations remain far more expensive than standard arithmetic and thus become the new bottleneck (Yudha et al., 2024). A third misconception is that homomorphic computation necessarily dominates end-to-end cost. The V2X measurements show the opposite regime: communication latency near 9 seconds dwarfs the reported sub-2-second computation totals for addition-only aggregation (Mamun et al., 4 Aug 2025).

The current limitations are correspondingly clear. Leveled BGV has a fixed depth unless bootstrapping is added; packing can be rigid and parameter-dependent; comparison circuits are still substantially slower than arithmetic; communication overhead can dominate in networked deployments; and hardware-specialized designs may restrict prime shapes or maximum ring sizes. This suggests that BGV’s continuing evolution will depend not only on asymptotic cryptographic improvements but also on tighter parameter analysis, faster key-switching and bootstrapping, and better integration of compiler, memory, and transport layers.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Brakerski-Gentry-Vaikuntanathan (BGV).