Papers
Topics
Authors
Recent
Assistant
AI Research Assistant
Well-researched responses based on relevant abstracts and paper content.
Custom Instructions Pro
Preferences or requirements that you'd like Emergent Mind to consider when generating responses.
Gemini 2.5 Flash
Gemini 2.5 Flash 186 tok/s
Gemini 2.5 Pro 48 tok/s Pro
GPT-5 Medium 34 tok/s Pro
GPT-5 High 32 tok/s Pro
GPT-4o 65 tok/s Pro
Kimi K2 229 tok/s Pro
GPT OSS 120B 441 tok/s Pro
Claude Sonnet 4.5 38 tok/s Pro
2000 character limit reached

Homomorphic Encryption Bootstrapping

Updated 22 October 2025
  • Homomorphic encryption bootstrapping is the process of refreshing noisy ciphertexts by homomorphically evaluating the decryption circuit to support unbounded computations.
  • It employs reencryption along with recursive majoritarian correction and expander-based boosting to effectively mitigate the accumulation of encryption errors.
  • The framework distinguishes proto-homomorphic operations from fully homomorphic ones, providing a foundation for secure, scalable FHE designs.

Homomorphic encryption bootstrapping is the process by which a fully homomorphic encryption (FHE) scheme “refreshes” a noisy ciphertext, thereby enabling unbounded encrypted computation by repeatedly restoring ciphertexts to a state where future homomorphic operations will not exceed the permissible noise threshold. Bootstrapping is the defining technique that enables FHE, realized via the homomorphic evaluation of the encryption scheme's own decryption circuit, so that the scheme can support arbitrarily deep circuits without decryption failure.

1. Underlying Code-Based Homomorphic Encryption Scheme

The foundational construction (Bogdanov et al., 2011) is a code-based homomorphic encryption scheme using affine code families. The message mFqm \in \mathbb{F}_q is mapped into the affine part of a codeword via

c=Px+m1+ec = P x + m \mathbf{1} + e

where

  • P=MRP = M R is a public matrix (encoding a hidden subset SS via scrambling),
  • xx is a random vector,
  • 1\mathbf{1} is the all-ones vector,
  • ee is an error vector with support predominantly outside SS.

Decryption exploits a secret selector vector yy satisfying

iSyiMi=0andiSyi=1\sum_{i \in S} y_i M_i = 0 \quad \text{and} \quad \sum_{i \in S} y_i = 1

to produce m=yTcm = y^T c, ensuring linear decryption in the absence of noise. For homomorphism (in particular, multiplication), the decryption vector is required to satisfy even stricter linear and quadratic constraints.

Homomorphic operations are defined proto-homomorphically via entrywise addition and multiplication:

cc:=c+c,cc:=ccc \oplus c' := c + c', \qquad c \odot c' := c \circ c'

where the decryption vector yy selectively “sifts out” the correct result from the coordinatewise operation.

2. Bootstrapping via Reencryption

Bootstrapping is performed by homomorphically evaluating the decryption circuit itself, “refreshing” a ciphertext cc so that it regains the structure of an ideally fresh encryption. The key element is the protocol for reencryption. Assuming yy is the secret key selector corresponding to cc (with m=yTcm = y^T c), reencryption is accomplished as

ReEnc(c)=i=1ncizi\text{ReEnc}(c) = \sum_{i=1}^n c_i \cdot z_i

where each ziz_i is a fresh encryption—under a new public key—of yiy_i.

In the absence of error, this produces an output under a new public key that encrypts mm, i.e., the very process of evaluating the simple, linear decryption circuit homomorphically on ciphertext and encrypted key material transfers the plaintext to a fresh ciphertext. This realizes bootstrapping because the refreshed ciphertext's noise is decoupled from the noise of cc, enabling arbitrary-depth computation chains.

3. Management of Encryption Errors

Bootstrapping in this scheme faces a distinctive challenge: the code-based encryption does not strictly hide messages in noise, but still suffers from error accumulation due to non-negligible encryption errors. The authors introduce two critical error-handling mechanisms:

  • Homomorphic Correction Using Recursive Majority (CORR):

In the “length-preserving” reencryption, each secret key coefficient yiy_i is bit-decomposed and each bit encrypted redundantly via 2d2^d copies. The recursively defined CORR circuit (effectively a NAND/majority tree) is then homomorphically evaluated. The output bit is “cleaned” as long as 7/8\geq 7/8 of the encrypted copies are correct, and error analysis shows that with d=8d=8 and input error rate η\eta, the output error probability is bounded (e.g., O(n0.5)O(n^{-0.5}) per coordinate).

  • Boosting via Expander-based Majority Circuits (Boost):

Even after correction, some key error may remain. The booster circuit repeats reencryption kk times independently and then uses expander-based approximate majority circuits (APXMAJ) to amplify correctness: if at least $15/16$ copies are good, Boost yields $31/32$ good outputs with exponentially small error. After dd such booster layers, the cumulative error can be made exponentially small in kk, ensuring that bootstrapping reliably produces fresh ciphertext with acceptably small failure probability.

These techniques are essential since, unlike many lattice-based schemes, the underlying code-based construction introduces error already at encryption.

4. Abstract Definitional Framework

The work introduces an “encryption space” abstraction, making the following distinctions:

  • EncPK(m)Ξ\text{Enc}_\text{PK}(m)\subset \Xi is the set of all valid encryptions of mm under key PK\text{PK};
  • DecSK(m)Ξ\text{Dec}_\text{SK}(m)\subset \Xi is the set of all ciphertexts guaranteed to decrypt to mm under SK\text{SK};
  • EncPK(m)DecSK(m)\text{Enc}_\text{PK}(m)\subset\text{Dec}_\text{SK}(m).

Binary operations on ciphertexts are classified as:

  • Homomorphic for operation \circ if: EncPK(m)EncPK(m)EncPK(mm)\text{Enc}_\text{PK}(m)\ast \text{Enc}_\text{PK}(m') \subset \text{Enc}_\text{PK}(m\circ m');
  • Proto-homomorphic if: EncPK(m)EncPK(m)DecSK(mm)\text{Enc}_\text{PK}(m)\ast \text{Enc}_\text{PK}(m') \subset \text{Dec}_\text{SK}(m\circ m').

This separation allows precise reasoning about when ciphertext operations authentically yield ciphertexts versus only guaranteeing correct decryption, distinguishing functional properties from probabilistic guarantees of error.

5. Realization and Implications of Bootstrapping

Bootstrapping is thus realized in this code-based scheme as follows:

Step Operation/Technique Significance
Homomorphic evaluation Proto-homomorphic add/mul (entrywise) Ensures at least correct decryption, not always ciphertext structure
Reencryption ReEnc(c)=cizi\text{ReEnc}(c) = \sum c_i z_i Homomorphic evaluation of decryption followed by fresh encryption
Correction Recursive majorities (CORR) Reduces per-bit error probability exponentially in number of redundancy
Boosting Expander-based majority circuits (Boost) Amplifies correctness in the presence of residual key-level error

This bootstrapping process enables arbitrary circuit depth by allowing ciphertexts to be “refreshed” at any point, with error rates controlled through combinatorial correction and boosting mechanisms.

The authors' definitional framework, and its explicit distinction between proto-homomorphic and true homomorphic properties, is applicable to a broad class of cryptosystems, including lattice-based FHE, and clarifies the structural conditions for bootstrappability.

6. Connections and Broader Applications

The bootstrapping mechanism presented is not limited to code-based schemes but provides:

  • A model for bootstrapping when homomorphic operations are proto-homomorphic rather than strictly homomorphic.
  • A set of design principles: simple, linear decryption circuits are highly desirable since they minimize the depth and complexity of the bootstrapping procedure.
  • Error management strategies (recursive correction, expander-based boosting) that are potentially useful even in lattice-based or other error-prone cryptographic settings.
  • A unifying abstraction (encryption space, proto-homomorphism) that can facilitate both theoretical analysis and the engineering of future FHE constructions regardless of underlying mathematical structure.

Scenarios benefiting from these contributions include secure delegated computation, privacy-preserving protocols with limited error budgets, and implementations where explicit separation of functionality and error-handling is essential.

7. Summary

The code-based homomorphic encryption scheme (Bogdanov et al., 2011) achieves bootstrapping by means of proto-homomorphic ciphertext operations, reencryption via homomorphic evaluation of a linear decryption procedure, and two new error-management constructs: recursive majoritarian correction and expander-graph-based boosting. This enables arbitrarily deep homomorphic evaluation despite the inherent presence of encryption error, by ensuring that each round of bootstrapping returns ciphertexts to a “fresh” state with high probability. The presented definitional framework and error-handling techniques generalize beyond the immediate construction and serve as a foundation for analyzing and engineering secure, bootstrappable FHE in both code-based and lattice-based cryptosystems.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)
Forward Email Streamline Icon: https://streamlinehq.com

Follow Topic

Get notified by email when new papers are published related to Homomorphic Encryption Bootstrapping.

Add Bell Notification Streamline Icon: https://streamlinehq.com Sign Up to Follow Topic by Email