Multi-Key CKKS Homomorphic Encryption

Updated 5 December 2025

Multi-Key CKKS homomorphic encryption is a scheme that enables secure collaborative computations over ciphertexts encrypted under different public keys without sharing private keys.
It employs RLWE-based rings, ciphertext extension, joint key aggregation, and relinearization to manage noise growth and maintain efficiency in approximate real-number arithmetic.
MK-CKKS underpins privacy-preserving applications such as secure multiparty machine learning and federated analytics while balancing computational complexity and security guarantees.

Multi-Key CKKS (MK-CKKS) Homomorphic Encryption enables homomorphic computations over ciphertexts encrypted under different public keys, supporting secure, collaborative computation of approximate real-number arithmetic without requiring key sharing among participants. The MK-CKKS framework generalizes the single-key CKKS scheme by introducing mechanisms for ciphertext extension, multi-party key management, joint evaluation, and distributed decryption, with additional complexity arising from noise growth and relinearization. MK-CKKS serves as a foundation for secure multiparty machine learning, privacy-preserving federated analytics, and other aggregate-data scenarios where parties cannot or will not unify under a common public key.

1. Algebraic Foundations and System Parameters

All MK-CKKS constructions utilize RLWE-based rings for security and arithmetic operations. Let $R = \mathbb{Z}[x]/(x^N + 1)$ denote a cyclotomic ring of degree $N$ , with the modulus $q \gg t$ for ciphertext and plaintext arithmetic, respectively. The CKKS encoding embeds complex (or real) vectors as elements of $R_t$ , using a canonical embedding and scaling parameter $\Delta$ (typically $\Delta \approx 2^{40}$ ).

For circuits of multiplicative depth $L$ , a chain of moduli $q_L \gg \cdots \gg q_0$ supports modulus switching and noise management. The RLWE assumption over $R_q$ underpins semantic security, with discrete Gaussian or uniform binary distributions for secret and error sampling. The CRS (common reference string) includes the ring dimension, modulus chain, error distributions, and a random public vector $\mathbf{a}$ in $R_q^d$ for gadget decompositions (Ma et al., 2021, Wu et al., 25 Jun 2025, Aloufi et al., 2020).

2. Key Generation, Aggregation, and Ciphertext Structures

Each party $i$ samples secret $s_i \leftarrow \chi$ and corresponding error $e_i \leftarrow \chi$ , generating public key $\text{pk}_i = (b_i = -a \cdot s_i + e_i, a)$ and secret $s_i$ . To enable ciphertext operations involving multiple key owners, several aggregation techniques are employed:

Slotwise ciphertext extension embeds a fresh ciphertext, originally in $R_q^2$ , into a vector $(c_0, \ldots, c_K) \in R_q^{K+1}$ , directly associating each slot with a key index (Aloufi et al., 2020).
Aggregated/threshold keys: Protocols such as xMK-CKKS aggregate parties' public keys into a joint public key $\mathbf{b}_{\mathrm{agg}} = \sum_{i=1}^N \mathbf{b}_i$ that supports compact ciphertexts and reduction in communication/computation overhead (Ma et al., 2021, Aloufi et al., 2019).
Joint threshold secret: For decryption of the computation result under the joint model, each party holds partial knowledge of the aggregate secret and releases only a partial decryption share, ensuring that no strict subset of the parties can recover the plaintext (Aloufi et al., 2019).
Evaluation/relinearization keys: Each party generates auxiliary evaluations (e.g., RGSW encryptions of the secret's bits) to enable relinearization/key-switching after multiplication, generalizing CKKS’s single-key relinearization (Aloufi et al., 2019, Aloufi et al., 2020, Wu et al., 25 Jun 2025).

3. Encryption, Homomorphic Operations, and Relinearization

Encryption of a plaintext $m \in R_t$ under $\text{pk}_i$ follows CKKS principles: $c_0 = w \cdot b_i + m + e_0, \quad c_1 = w \cdot a + e_1 \quad \bmod Q,$ outputting $(c_0, c_1)$ and key index $i$ (Aloufi et al., 2020, Wu et al., 25 Jun 2025). Single-key ciphertexts are extended to multi-key vectors or matrices, with zeros in slots for non-owning parties.

Homomorphic addition is componentwise across the $(K+1)$ -element vector structure. Multiplication forms the outer product $(K+1) \times (K+1)$ tensor, followed by a joint relinearization step—implemented via RGSW or RNS gadget decompositions—to compress back to the $(K+1)$ -slot structure. For example, SMHE uses the RNS-external-product formulas to absorb cross-terms and enforce ciphertext compactness (Wu et al., 25 Jun 2025).

Efficient dimension-reduction protocols, such as forming a joint key for $N$ owners and combining with the client key, enable constant-size ciphertexts (e.g., $2 \times 2$ matrices rather than $2(N+1)$-dimensional vectors), providing a linear speedup in both storage and operations (Aloufi et al., 2019).

4. Decryption, Masking, and Security Models

Decryption requires combining the contributions of all involved parties' secrets. Each party $j$ computes a share $\rho_j = c_j s_j$ (possibly adding independent "smudging" noise) and broadcasts $\rho_j$ ; the result is $\mu = c_0 + \sum_{j=1}^K \rho_j \bmod Q$ , followed by CKKS decoding (Aloufi et al., 2020, Wu et al., 25 Jun 2025).

Vulnerability in standard CDKS MK-CKKS: In a distributed setting, if each client's partial decryption share and the matching ciphertext component are visible, plaintext leakage is possible: $m_i = c_0^i + \nu_i \bmod Q$ (Wu et al., 25 Jun 2025).

SMHE masking: To address this, SMHE introduces a masked multi-key decryption flow. Each party produces:

A standard ciphertext $ct_i$ .
A zero-encryption $cz_i = r_i \cdot pk_i + \text{error}$ .
A gadget encryption $\Gamma_i$ of the mask $r_i$ . During aggregation, pairwise mask cancellations ensure that no party or server can isolate $c_0^i + \nu_i$ for any $i$ , thus restoring IND-RLWE security even under honest-but-curious collusions up to $k < N-1$ participants plus server (Wu et al., 25 Jun 2025, Ma et al., 2021).

Security proofs for all major constructions reduce to the RLWE assumption in $R_q$ . Masking introduces additional gadget noise but can be bounded to avoid exceeding the noise budget for typical circuit depths and parameter settings (Wu et al., 25 Jun 2025).

5. Noise Growth, Ciphertext Size, and Computational Complexity

Noise growth mirrors that of single-key CKKS: additive after encryption and addition, multiplicative (and complex) after multiplication, with reduction at each rescale. In multi-key settings:

Ciphertext size is $K+1$ (or $O(1)$ in optimized threshold aggregations) ring elements; the reduction from $2(N+1)$ to $4$ polynomials via threshold joins is empirically significant (Aloufi et al., 2019).
Homomorphic addition complexity is $O(K)$ ring additions; multiplication is quadratic, dominated by $O(K^2)$ ring multiplications and $O(K)$ gadget operations for relinearization (Aloufi et al., 2020).
State-of-the-art schemes (SMHE) add at most a $2\times$ communication and runtime overhead over unmasked CDKS, with runtimes for deep networks on hundreds of slots well within seconds per iteration, and ciphertext sizes $<$ 140 MB even for complex models (AlexNet) (Wu et al., 25 Jun 2025).

6. Applications, Security Guarantees, and Practical Recommendations

MK-CKKS is foundational for privacy-preserving federated learning, multi-party statistics, and secure collaborative machine learning, allowing multiple data owners to contribute encrypted data without cross-key exposure. Deployments such as xMK-CKKS and SMHE demonstrate robust privacy guarantees against party-server collusions, minimal accuracy loss ( $<1\%$ for deep learning tasks), and efficient scaling to $N=50$ parties and large slot counts (Ma et al., 2021, Wu et al., 25 Jun 2025).

A table summarizing representative schemes:

Scheme	Ciphertext Size	Homomorphic Ops	Security Model
CDKS MK-CKKS	$K+1$ ring elements	$O(K^2)$ multiply	RLWE, leaky to parties
SMHE	$K+1$ + mask terms	$O(K^2)$ mult, mask	RLWE, collusion safe
xMK-CKKS	2 ring elements/agg. key	$O(N)$ addition	RLWE, robust to $k<N$

The main trade-offs are between minimal leakage (SMHE, threshold schemes), communication cost, and the ability to support deep circuits or parties dropping/joining dynamically. Optimal parameter selections recommend $N=2^{14}$ , $\Delta \approx 2^{40}$ , gadget dimension $\tau=8$ , and component moduli $\sim 60$ bits for 128-bit LWE security (Wu et al., 25 Jun 2025).

7. Limitations, Open Questions, and Future Directions

Despite their theoretical appeal and demonstrated practicality, MK-CKKS schemes remain challenged by:

Quadratic complexity in multiplication, impeding scalability for large $K$ .
Key management and relinearization overhead, motivating ongoing exploration of compact evaluation and key-switching methods.
Masking mechanisms (e.g., in SMHE) substantially improve security but at increased protocol complexity and marginal computational cost.
Achieving collusion resistance beyond honest-majority remains an open problem for advanced adversary models.

Emerging research focuses on reducing noise-induced multiplicative depth bounds, optimizing masking schemes for dynamic federation scenarios, and integrating MK-CKKS with advanced MPC and threshold cryptographic protocols for secure, large-scale, real-valued data analytics (Wu et al., 25 Jun 2025, Ma et al., 2021, Aloufi et al., 2019, Aloufi et al., 2020).