CKKS Homomorphic Encryption Scheme
- CKKS is a lattice-based homomorphic encryption scheme that enables approximate arithmetic on vectors of real or complex numbers with tunable precision via rescaling.
- It leverages SIMD operations and scale-invariant encoding to securely offload high-performance numerical tasks such as optimization and machine learning.
- Key techniques include noise budgeting, key-switching, and parameter tuning, offering practical trade-offs between accuracy, efficiency, and security.
The Cheon–Kim–Kim–Song (CKKS) homomorphic encryption scheme provides native approximate arithmetic over vectors of real or complex numbers via a lattice-based cryptosystem rooted in the Ring Learning with Errors (RLWE) assumption. CKKS is distinguished by its support for vectorized SIMD computation, precise control over arithmetic error via rescaling, and by its suitability for privacy-preserving protocols in domains demanding high-performance floating-point or complex-number manipulation. This scheme’s design enables the secure offloading of numerical workloads—including optimization, linear algebra, and machine learning—to untrusted servers with end-to-end confidentiality and tunable accuracy guarantees. CKKS’s pivotal innovation is a scale-invariant encoding that balances noise growth and functional depth, making it fundamentally different from integer-only schemes such as BFV and BGV.
1. Algebraic Foundations and Encoding
CKKS operates over cyclotomic polynomial rings of the form , with a power of two and an integer modulus, often implemented as a product of RNS primes. Plaintext data—typically a vector —is embedded into via the canonical embedding , pairing each coefficient with a complex conjugate to ensure real representability.
The encoding procedure consists of three steps:
- Map the desired vector to a length vector via (inverse FFT/interpolation).
- Multiply by a large scaling factor to shift the fractional data into the integer domain.
- Round each coefficient to the nearest integer, yielding 0.
The choice of scaling factor 1 determines the maximal achievable precision under noise propagation and sets the normalization for all subsequent homomorphic operations (Bertolace et al., 2023).
2. Key Generation and Cryptographic Primitives
Key material includes a secret key 2—a small ternary or Gaussian polynomial 3—and a public key 4 with 5 and 6 for uniform 7 and error 8 sampled from a discrete Gaussian distribution. To enable multiplicative depths beyond one, the scheme requires evaluation keys for relinearization and Galois automorphisms (“rotation keys”) for slot-wise vector rotations.
The cryptosystem’s security relies on the hardness of RLWE in 9, with the concrete parameter choices (ring degree 0, modulus chain 1, error width) designed to ensure IND-CPA security against quantum adversaries and to control both ciphertext expansion and the noise budget (Pathak, 2022).
3. Encryption, Decryption, and Message Recovery
Encryption of message polynomial 2 is performed by:
- Sampling a fresh error 3 and random 4.
- Outputting ciphertext 5.
Decryption involves computing 6, then dividing by 7 and applying the canonical embedding 8 to recover the plaintext vector. Correctness requires that the total noise—composed of encoding rounding error and RLWE noise—remains below 9 at every modulus level (Bertolace et al., 2023, Chen et al., 4 Aug 2025).
4. Homomorphic Operations: Addition, Multiplication, Rotation, and Scale Management
CKKS implements the following core SIMD operations on packed vectors:
- Addition: For ciphertexts 0, 1 of the same scale, summation is performed componentwise. Resulting noise grows additively, and the scale remains unchanged.
- Multiplication: Ciphertext multiplication yields a three-component result, increasing the plaintext scale from 2 to 3 and the noise by terms proportional to both operands' noise and the scaling factor. Relinearization (via evaluation keys) collapses the result back to CKKS’s two-component form, and rescaling divides ciphertext coefficients by the current modulus 4, dropping to 5, restoring the scale to 6. This prevents exponential growth in magnitude and ensures that the relative error remains bounded across multiplicative layers (Bae et al., 20 Mar 2025, Chen et al., 4 Aug 2025).
- Rotation: Precomputed Galois keys enable cyclic slot-wise rotations without changing scale, crucial for implementing vectorized inner products and reductions in SIMD-packed data.
Rescaling is triggered precisely after each multiplication, consuming one modulus in the chain and bounding noise-to-scale ratio. Practical parameter selection ensures that the modulus chain length matches the algorithm’s required multiplicative depth, and that 7 is large enough to preserve required precision even after repeated noise accumulation (Bertolace et al., 2023).
5. Parameter Selection, Noise Growth, and Performance
Critical parameters and their impact:
- Ring dimension 8: Controls both post-quantum security and packing capacity. Higher 9 increases the number of SIMD slots and the noise tolerance but results in higher computational cost per operation (Pathak, 2022).
- Scaling factor 0: Typically set in the 1 to 2 range in practical deployments; larger values allow more decimal precision but incur faster noise level increases per multiplication.
- Modulus chain 3: Each multiplication/rescale step reduces the chain’s length by one level; multiplicative circuit depth 4 is bounded by chain length.
- Noise budget: Each addition increases noise additively; multiplication increases noise approximately as 5 (where 6 are operand noise magnitudes) (Chen et al., 4 Aug 2025).
Benchmarking reveals that the number of allowed sequential multiplications is tightly constrained by noise saturation (the “multiplicative depth”). For instance, in a CPU-based MS-SEAL implementation, homomorphic multiplicative depth was capped at 18, permitting 9 gradient steps in homomorphically encrypted gradient descent for QP (Bertolace et al., 2023). Empirical studies consistently report 7–8 decimal digits of accuracy after several (6–9) iterations; further operations degrade precision below acceptable levels (Bertolace et al., 2023, Khan et al., 2023).
Performance overhead is considerable: each multiplication takes milliseconds to tens of milliseconds in CPU settings, with additional costs for key switching and rotation. GPU-optimized libraries achieve significant speedups—up to 9—especially for bootstrapping and slot-wise SIMD primitives (Agulló-Domingo et al., 7 Jul 2025).
6. Applications and Practical Significance
CKKS is uniquely positioned among lattice FHE schemes for privacy-preserving real-valued iterative algorithms. It supports native real and complex arithmetic, facilitating:
- Encrypted gradient descent for quadratic and convex optimization, where arbitrary real-valued step sizes are critical for convergence and analysis. Standard integer or fixed-point schemes (BFV, BGV) are fundamentally inadequate for practical step sizes due to rapid noise explosion or insufficient granularity (Bertolace et al., 2023).
- Large-scale linear algebra, with vectorized matrix–vector and matrix–matrix multiplication mapped to a small number of cleartext modular matrix products via BLAS integration, improving throughput by factors of 0–1 compared to cleartext (Bae et al., 20 Mar 2025).
- Encrypted value iteration and TD learning in reinforcement learning, where approximate linear updates (encoded as polynomials) remain feasible provided the noise budget is carefully managed; analytic noise-propagation bounds are available (Suh et al., 2021).
- General machine learning protocols—including KNN, linear regression, and inference in shallow neural-net architectures—where performance is empirically close to plaintext baselines with careful parameter tuning and polynomial approximations for non-linearities (Marques et al., 25 Apr 2026, Khan et al., 2023).
7. Limitations, Trade-offs, and Recent Extensions
CKKS’s main challenge is aggressive noise growth, especially from multiplicative layers and rescaling operations:
- Multiplicative depth remains the bottleneck for deeply iterative or high-degree circuits. Bootstrapping can refresh the noise budget but incurs its own computational cost. Recent binary-ring CKKS variants propose lightweight bootstrapping (“Refresh”) replacing modulus switching and employing BCH error correction, yielding unbounded depth at the cost of higher ciphertext size and modest overhead (Chen et al., 4 Aug 2025).
- The absence of native non-polynomial operations (e.g., division, comparison, modular reduction) restricts supported workloads. Polynomial approximations (e.g., Chebyshev for mod) are deployed for extended functionality but increase circuit depth (Zhou, 23 Dec 2025).
- Encrypted control pipelines for multi-agent and cyber-physical systems are feasible with explicit error budgeting (e.g., periodic bootstrapping as an impulsive disturbance), making it possible to derive precise privacy–accuracy trade-offs in closed-loop scenarios (Damera et al., 5 Jun 2026).
- Parameter selection and scheme tuning require balancing security, throughput, and numerical precision, and depend on the structure of the target workload.
Recent efforts focus on efficient packing, better hardware utilization (notably GPU and multi-GPU backends), multi-input multiplication, and more expressive data representations through optimized tensor packing and einsum abstractions (Akherati et al., 21 Jan 2026, Garimella et al., 10 Jul 2025, Bae et al., 20 Mar 2025).
CKKS thus constitutes the state-of-the-art for privacy-preserving, approximate arithmetic in polynomially encoded SIMD vectors, enabling secure offload of high-value numerical workloads that would otherwise be intractable with integer-only or exact-arithmetic homomorphic schemes. Its efficient error management, tunable parameter space, and compatibility with both CPU and GPU-accelerated backends establish it as the principal enabling technology for modern encrypted scientific and ML computation (Bertolace et al., 2023, Bae et al., 20 Mar 2025, Suh et al., 2021, Chen et al., 4 Aug 2025, Damera et al., 5 Jun 2026).