Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cheon–Kim–Kim–Song (CKKS) Encryption Scheme

Updated 7 July 2026
  • CKKS is an approximate homomorphic encryption scheme that supports encrypted computation on real and complex numbers using packed SIMD operations and leveled configurations.
  • It facilitates practical applications such as encrypted neural inference, reinforcement learning updates, and secure scientific computations via polynomial approximations.
  • CKKS performance is governed by multiplicative depth, scale management, and parameter selection, with ongoing research addressing decryption noise and latency challenges.

Searching arXiv for recent CKKS papers to ground the article. arXiv Search Query: all:CKKS homomorphic encryption

Cheon–Kim–Kim–Song (CKKS) is an approximate homomorphic encryption scheme used for computation on encrypted real-valued or complex-valued data. In the recent literature, it is consistently treated as the homomorphic substrate for workloads in which approximate arithmetic is acceptable and floating-point-like computation is required, including encrypted neural inference, reinforcement learning updates, biometric similarity scoring, scientific vector and matrix kernels, and numerical aggregation in transportation systems (Duc et al., 14 Jul 2025, Suh et al., 2021, Rahulamathavan, 2022, Maloney et al., 2023, Khan et al., 2023, Mamun et al., 4 Aug 2025). Across these settings, CKKS is characterized by packed SIMD evaluation, finite multiplicative depth in leveled configurations, and approximate decoding after decryption rather than exact arithmetic semantics (Suh et al., 2021).

1. Approximate-arithmetic identity

CKKS is repeatedly selected when the target computation is inherently numerical rather than exact-integer. A UAV face-inference system states that it uses CKKS because the scheme “supports encrypted calculation on real (floating-point) numbers, making it suitable to integrate with deep learning models,” and the same work emphasizes approximate arithmetic, SIMD-style batching, and compatibility with polynomialized activations as the main scheme-selection criteria (Duc et al., 14 Jul 2025). In secure reinforcement learning, CKKS is positioned as a middle ground between partially homomorphic encryption, which is too limited for reinforcement-learning updates, and fully homomorphic encryption with bootstrapping, which is more computationally heavy than the intended architecture requires (Suh et al., 2021).

This approximate-numerical profile also explains why CKKS appears in speaker verification and scientific computing. Encrypted speaker matching requires matrix-vector products, inner products, and inverse square-root normalization over real-valued embeddings, which the literature treats as a natural fit for CKKS rather than exact schemes (Rahulamathavan, 2022). In scientific computation, CKKS is studied specifically because many workloads operate on floating-point or real-valued vectors and matrices; the reported emphasis is on whether the decrypted outputs remain close enough to plaintext computation to be practically usable (Khan et al., 2023).

A common misconception is that CKKS is merely an encrypted transport mechanism. The UAV paper rejects that framing explicitly: CKKS is not used as a generic secure-channel primitive, but as the execution substrate for the neural network itself, so that the edge server evaluates the model directly on ciphertexts and only the key owner decrypts the final result (Duc et al., 14 Jul 2025). Another misconception is that CKKS is an exact floating-point replacement. The literature instead treats it as an approximate HE scheme whose semantics are governed by encoding approximation, encryption noise, arithmetic noise growth, and scale management (Suh et al., 2021, Khan et al., 2023).

2. Ciphertext model and primitive operations

A concise mathematical summary of CKKS used in encrypted reinforcement learning writes the plaintext space as

P=ZQ[X]/(XN+1),\mathcal P=\mathbb Z_{\mathcal Q}[\mathcal X]/(\mathcal X^{\mathcal N}+1),

with N\mathcal N a power of two, and states that CKKS encodes a vector of N/2\mathcal N/2 complex numbers into a plaintext polynomial mPm\in\mathcal P (Suh et al., 2021). A V2X-oriented presentation uses the ring

Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),

and writes a ciphertext component as

b=as+m+e(mod(xn+1,q)),b = -as + m + e \pmod{(x^n+1,q)},

where mm is an encoded approximate plaintext polynomial rather than an exact integer plaintext (Mamun et al., 4 Aug 2025). A fault-sensitivity study adopts the complementary operational notation

c=(c0(X),c1(X)),c = (c_0(X), c_1(X)),

with decryption

m=[c0+c1×s]Q,m' = [c_0 + c_1 \times s]_Q,

which is then used to explain why corruption in c1(X)c_1(X) is more dangerous than corruption in N\mathcal N0 (Mazzanti et al., 9 Jun 2025).

Application papers expose CKKS through standard encryption, decryption, addition, multiplication, plaintext-ciphertext multiplication, and rotation APIs. For example, the UAV system uses

N\mathcal N1

together with ciphertext addition, plaintext-ciphertext multiplication, and left rotations for packed convolution and linear layers (Duc et al., 14 Jul 2025). The reinforcement-learning paper makes the approximate nature of decryption explicit by modeling

N\mathcal N2

with N\mathcal N3 a bounded noise polynomial and N\mathcal N4 the remaining multiplicative level (Suh et al., 2021).

These descriptions are consistent in one important respect: CKKS supports homomorphic addition and multiplication over packed approximate numbers, but deeper or non-polynomial functionality must be engineered around that core arithmetic. Comparison and maximization are difficult under HE, so secure value iteration decrypts encrypted N\mathcal N5-values at the client before applying N\mathcal N6 (Suh et al., 2021). Division, reciprocal, square root, inverse square root, and non-polynomial activations likewise require approximation or architectural workarounds (Rahulamathavan, 2022, Duc et al., 14 Jul 2025).

3. Packed SIMD evaluation and linear-algebra structure

The defining systems property of CKKS in these papers is packed SIMD evaluation. In the UAV inference pipeline, CKKS ciphertexts are treated as 1D slot vectors with

N\mathcal N7

where N\mathcal N8 is the ciphertext size or batch size and N\mathcal N9 is the ring dimension (Duc et al., 14 Jul 2025). The input image is transformed into an HE-oriented im2col representation

N/2\mathcal N/20

then flattened and zero-padded to the slot capacity. The kernel is encoded as a replicated plaintext vector aligned with those slots, so that a single plaintext-ciphertext multiplication computes all local products for all sliding windows in SIMD style (Duc et al., 14 Jul 2025).

A broader CNN systems treatment extends this logic to high-resolution data that do not fit in one ciphertext. There, RNS-CKKS ciphertexts encode N/2\mathcal N/21 real-valued slots, image channels are packed in row-major order, and tensors that exceed slot capacity are split across multiple ciphertexts called shards (Maloney et al., 2023). The work distinguishes image sharding, where full channels fit but the full tensor does not, from channel sharding, where even a single channel exceeds capacity. Convolution is realized through masked rotations and plaintext multiplications; batch normalization is folded into convolution; average pooling is reworked to preserve row-major packing; and polynomial GELU replaces non-polynomial activation functions (Maloney et al., 2023).

The same packed-arithmetic logic appears in other domains. Speaker verification computes encrypted dot products by elementwise multiplication followed by repeated rotations and additions, with zero-padding when necessary so that vector length is a power of two (Rahulamathavan, 2022). The UAV paper uses the Halevi–Shoup diagonal method for encrypted fully connected layers, while the speaker-verification paper uses diagonal packing of a plaintext scoring matrix N/2\mathcal N/22 to implement encrypted-vector/plaintext-matrix multiplication (Duc et al., 14 Jul 2025, Rahulamathavan, 2022). Scientific-computing experiments likewise assume SIMD-style packed vector arithmetic for multidimensional vectors and matrix multiplication, even though they do not provide a detailed slot-layout derivation (Khan et al., 2023).

4. Levels, scale, parameters, and software ecosystems

CKKS is operationally governed by multiplicative depth, scale, and parameter selection. In a leveled formulation, each ciphertext carries a level N/2\mathcal N/23 indicating how many multiplications can be performed before decryption fails; the reinforcement-learning paper identifies this as a key limitation relative to bootstrapped FHE and explicitly avoids bootstrapping by decrypting intermediate results on the client side (Suh et al., 2021). In contrast, deep CNN inference on ImageNet-scale workloads uses bootstrapping to restore ciphertext level, and the reported runtime tables show that bootstrap time is a dominant fraction of total latency (Maloney et al., 2023).

Scale is equally central. The fault-characterization study treats the scale factor N/2\mathcal N/24 as a core CKKS variable and reports that larger values,

N/2\mathcal N/25

improve resilience to single-bit coefficient faults (Mazzanti et al., 9 Jun 2025). The V2X paper states that CKKS includes Encode and Decode algorithms that map vectors of floating-point numbers to integer polynomials using a scaling factor N/2\mathcal N/26 to preserve some precision accuracy (Mamun et al., 4 Aug 2025). In scientific computation, the reported conclusion is that global scale and polynomial modulus degree are the two parameters that matter most for floating-point accuracy, and degree N/2\mathcal N/27 “seems to consistently produce the highest number of matching decimal points” in the reported experiments (Khan et al., 2023).

Recent application papers use a range of security and ring-dimension choices rather than a single canonical configuration. The UAV face-detection work experiments with ring dimensions N/2\mathcal N/28, N/2\mathcal N/29, and mPm\in\mathcal P0, claims 256-bit security, and notes the trade-off between stronger security and higher computational overhead (Duc et al., 14 Jul 2025). The reinforcement-learning study uses SEAL-generated default 128-bit security parameters, with mPm\in\mathcal P1 or mPm\in\mathcal P2 depending on the algorithm (Suh et al., 2021). The V2X study fixes CKKS at ring dimension mPm\in\mathcal P3 under 128-bit post-quantum security and associates its higher overhead with larger parameters, rescaling, and approximate arithmetic (Mamun et al., 4 Aug 2025).

Software support is concentrated in a small set of libraries. TenSEAL is used in the UAV system, speaker verification, and scientific-computing experiments (Duc et al., 14 Jul 2025, Rahulamathavan, 2022, Khan et al., 2023). OpenFHE is the implementation basis for high-resolution encrypted CNN inference, the fault-sensitivity study, and the V2X experiments (Maloney et al., 2023, Mazzanti et al., 9 Jun 2025, Mamun et al., 4 Aug 2025). Microsoft SEAL appears either as the underlying library for TenSEAL-based systems or as the source of default parameter generation in the reinforcement-learning paper (Rahulamathavan, 2022, Suh et al., 2021).

5. Application domains and scheme-specific reformulations

The literature describes CKKS less as a monolithic cryptographic primitive than as a design space for approximate encrypted numerical computation. The recurring pattern is to reformulate the target algorithm so that it becomes a shallow circuit of additions, multiplications, rotations, and polynomial approximations.

Domain Encrypted workload CKKS-specific reformulation
UAV edge inference CNN-based face detection 2DCol encoding, plaintext kernel replication, Chebyshev activations
Reinforcement learning Value iteration, TD(0), SARSA(0), Z-learning Client-side decryption of max, shallow multiply-add updates
Speaker verification Normalized similarity score Newton–Raphson inverse square root, SIMD dot products
High-resolution CNNs ResNet-style image inference Row-major packing, sharding, Chebyshev-basis GELU
Scientific computation Matrix multiplication, encrypted ML Packed vector arithmetic, parameter tuning for precision
V2X analytics Encrypted sums and average speed Addition-only aggregation or add-then-multiply averaging

In UAV edge computing, CKKS enables end-to-end encrypted inference: face crops are encoded on the UAV, encrypted with the customer’s public key, processed by an untrusted edge AI server, and decrypted only by the customer, with the best encrypted result reported at mPm\in\mathcal P4 accuracy versus mPm\in\mathcal P5 for the unencrypted baseline on DroneFace (Duc et al., 14 Jul 2025). In reinforcement learning, the cloud computes encrypted Bellman-style arithmetic while the client decrypts intermediate outputs when unsupported operations such as mPm\in\mathcal P6 are needed; the paper derives

mPm\in\mathcal P7

for synchronous encrypted value iteration under bounded per-iteration CKKS error (Suh et al., 2021).

In biometric matching, CKKS is used to redesign the back-end of speaker verification so that the server operates on encrypted feature vectors and returns only an encrypted score. The critical normalization term is implemented by the Newton–Raphson iteration

mPm\in\mathcal P8

which the authors choose specifically because it uses only additions and multiplications and can fit within the available multiplicative depth (Rahulamathavan, 2022). In large-scale encrypted vision, CKKS supports ResNet-50 inference at ImageNet resolution by combining row-major packing, sharding, bootstrapping, and degree-59 Chebyshev-basis GELU evaluation; the paper reports mPm\in\mathcal P9 top-1 accuracy on ImageNet-1k at Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),0 resolution (Maloney et al., 2023).

Scientific-computing and transportation studies emphasize a different aspect of CKKS: numerical utility under encryption rather than elaborate model architectures. Matrix multiplication under CKKS is reported with marginal Euclidean-distance differences and near-zero mean squared error across the tested matrix sizes (Khan et al., 2023). In V2X communication, CKKS is the only evaluated scheme used for homomorphic average-speed computation because BFV and BGV were excluded from that scenario due to their lack of native support for efficient fixed-point multiplication and ciphertext rescaling (Mamun et al., 4 Aug 2025).

6. Limitations, controversies, and open problems

The central limitation of CKKS is that its approximate semantics are both a strength and a source of engineering difficulty. Non-polynomial functions must be approximated: the UAV paper uses Chebyshev approximations for ReLU and SiLU, while square activation is used directly because Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),1 is already polynomial (Duc et al., 14 Jul 2025). Speaker verification must approximate inverse square root with Newton–Raphson, and encrypted Z-learning replaces Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),2 with a Taylor-series approximation (Rahulamathavan, 2022, Suh et al., 2021). Scientific-computing experiments state that division was infeasible in the implementation context they studied (Khan et al., 2023).

Depth and runtime remain major constraints. The UAV paper motivates efficiency through SIMD packing, plaintext-ciphertext multiplication, and edge offloading, but openly states that it does not report latency, throughput, energy consumption, actual edge-hardware runtime, or stage-wise timing for encryption, transmission, inference, and decryption (Duc et al., 14 Jul 2025). By contrast, the high-resolution CNN paper shows that when CKKS is pushed to deep ImageNet-scale inference, bootstrapping dominates runtime and total latency reaches thousands of seconds (Maloney et al., 2023). The V2X study identifies a different bottleneck: communication dominates overall cost because CKKS ciphertexts are large, highly fragmented, and pacing-limited in network transport, yielding end-to-end latencies on the order of tens of seconds for encrypted speed aggregation (Mamun et al., 4 Aug 2025).

Reliability has also emerged as a distinct concern. A recent error-sensitivity study argues that hardware- and software-induced bit faults can evade traditional error detection in CKKS, causing silent data corruption because fault-induced error can be camouflaged by the scheme’s normal approximation and noise budget (Mazzanti et al., 9 Jun 2025). The same study finds that higher-order bit flips are far more damaging than low-order flips, that faults in Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),3 are more harmful than faults in Rq=Zq[x]/(xn+1),R_q = \mathbb{Z}_q[x]/(x^n+1),4, and that RNS and NTT—essential for efficiency—can amplify and spread faults (Mazzanti et al., 9 Jun 2025).

Open problems are correspondingly broad. The reinforcement-learning literature calls for rigorous analytical guarantees for encrypted model-free RL and schemes that avoid periodic decryption (Suh et al., 2021). The UAV work calls for deployment on practical edge platforms and stage-wise latency measurement (Duc et al., 14 Jul 2025). Scientific-computing work highlights missing tooling for noise-budget computation in TenSEAL and points to GPU acceleration as a future direction (Khan et al., 2023). V2X experiments suggest hardware acceleration, better scalability, and real-world trials with C-V2X and mobile edge platforms (Mamun et al., 4 Aug 2025). Taken together, these studies portray CKKS as a mature-enough approximate HE substrate for substantial encrypted numerical workloads, but not as a solved systems problem.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cheon-Kim-Kim-Song (CKKS).