Bootstrapping is a term used very often in the context of Fully Homomorphic Encryption (FHE). Anyone who has read any introductory material on FHE already knows that bootstrapping is the most sophisticated and compute-intensive component of an FHE scheme. Very few, beyond cryptographers working in the field, understand what the bootstrapping operation really is and that there are various bootstrapping methods, each with its own tradeoffs. Our goals in this document are to demystify the concept of bootstrapping, correct misperceptions that seem to be common in the field and provide a high-level comparison of bootstrapping methods available in common FHE schemes, so that a reader of this document can make well-informed decisions about choosing when and how to deploy FHE implementations.
We start with a brief introduction to homomorphic encryption, highlighting key concepts and historical milestones. Homomorphic encryption (HE) is a type of encryption that enables computations on encrypted data without having access to the secret key. Fully homomorphic encryption is its most general form that can be used to evaluate arbitrary programs/computations on encrypted data. The idea of an FHE capability was first described by Rivest, Adleman, and Dertouzos back in 1978 (note that the first two were co-authors of the famous RSA scheme introduced around that time). To describe homomorphic encryption, they used the term privacy homomorphisms and formulated the following problem: “it remains to be seen whether it is possible to have a privacy homomorphism with a large set of operations which is highly secure”.
This problem remained unsolved for 30 years, until at the end of 2008 Craig Gentry, then a Ph.D. student at Stanford, proposed the first FHE scheme. This was a monumental breakthrough not just in cryptography, but also in theoretical computer science; and bootstrapping was its key ingredient.
To introduce bootstrapping, we will try to answer three basic questions: “what is it?,” “why do we need it?,” and “how does it work?”
A good starting point is to look at the definition of bootstrapping in the Oxford Dictionary: bootstrap is defined as “pulling yourself up by your (own) bootstraps”. When we say an HE scheme is bootstrappable, it means that it can homomorphically evaluate its own decryption procedure in addition to at least one extra operation. As shown in Fig. 1, evaluating the decryption procedure in the classical sense takes a ciphertext and the secret key as input and produces the plaintext as output. In FHE, however, we deal with a homomorphic evaluation of the decryption procedure, i.e., bootstrapping, which uses an encrypted secret key and a ciphertext to generate an “equivalent” ciphertext that we can further compute on. The encrypted secret key, also called a bootstrapping or refreshing key, is provided by the secret key holder as part of the public key material.
All common FHE schemes are based on noisy encryptions (the noise is what guarantees the security of fresh encryption) in which evaluating homomorphic operations increases the noise magnitude and lowers the quality, i.e., computational budget, of ciphertexts. The primary usage of bootstrapping is to convert an exhausted ciphertext into an “equivalent” refreshed ciphertext. Exhausted ciphertexts contain high noise and cannot be operated on further, whereas refreshed ciphertexts can support further homomorphic operations. A secondary purpose of bootstrapping is to evaluate a function on the encrypted message during the bootstrapping operation. In this case, the output ciphertext of bootstrapping encrypts a function of the plaintext message rather than the message itself, in addition to reducing the noise in the input ciphertext. This form of bootstrapping is known as functional or programmable bootstrapping.
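The noise growth that makes bootstrapping necessary can be seen in a toy LWE scheme. The following is an added example, not code from OpenFHE or the white paper; the parameters and function names are hypothetical and far too small to be secure. `refresh_with_secret_key` is a stand-in that uses the secret key directly: it shows the effect bootstrapping achieves, whereas real bootstrapping evaluates the same decryption homomorphically under an encrypted key.

```python
import random

# Toy symmetric LWE parameters (constructed for illustration, NOT secure).
N, Q, T = 16, 4096, 2        # dimension, ciphertext modulus, plaintext modulus
DELTA = Q // T               # scaling factor that lifts the message above the noise
FRESH_NOISE = 64             # fresh noise is uniform in [-64, 64]
rng = random.Random(2023)

def keygen():
    return [rng.choice((-1, 0, 1)) for _ in range(N)]   # uniform ternary secret

def encrypt(s, m):
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-FRESH_NOISE, FRESH_NOISE)
    b = (sum(x * y for x, y in zip(a, s)) + e + DELTA * m) % Q
    return a, b

def phase(s, ct):
    a, b = ct
    return (b - sum(x * y for x, y in zip(a, s))) % Q   # equals DELTA*m + noise mod Q

def decrypt(s, ct):
    return ((phase(s, ct) + DELTA // 2) // DELTA) % T   # round away the noise

def noise(s, ct, m):
    d = (phase(s, ct) - DELTA * m) % Q                  # needs the true message m
    return d - Q if d >= Q // 2 else d                  # centered representative

def add(c1, c2):
    return [(x + y) % Q for x, y in zip(c1[0], c2[0])], (c1[1] + c2[1]) % Q

def additions_until_failure(s, limit=20000):
    # Keep adding fresh encryptions until the accumulated noise breaks decryption.
    acc, m = encrypt(s, 0), 0
    for k in range(1, limit + 1):
        bit = rng.randrange(T)
        acc, m = add(acc, encrypt(s, bit)), (m + bit) % T
        if decrypt(s, acc) != m:
            return k, noise(s, acc, m)                  # ciphertext is exhausted
    return None, noise(s, acc, m)

def refresh_with_secret_key(s, ct):
    # Stand-in for bootstrapping: decrypt and re-encrypt WITH the secret key.
    # Real bootstrapping runs decrypt() homomorphically on an encrypted key.
    return encrypt(s, decrypt(s, ct))

if __name__ == "__main__":
    s = keygen()
    print(additions_until_failure(s))   # (number of additions, noise at failure)
```

Decryption stays correct while the noise lies within half of `DELTA`; a refresh must therefore happen before that bound is crossed, because an already wrong ciphertext refreshes to the wrong message.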
All common bootstrapping methods follow the same blueprint introduced by Craig Gentry, that is, homomorphic evaluation of their own decryption procedure. However, the bootstrapping mechanisms vary across FHE schemes. In our in-depth white paper, we describe the bootstrapping mechanisms in the DM (FHEW) / CGGI (TFHE), CKKS, and BGV/BFV FHE schemes. We highlight the key differences between the methods, and evaluate their performance based on timing experiments using the OpenFHE library and results reported in peer-reviewed scientific literature. Based on this analysis, we provide some practical guidelines. Note that as of the time of writing this paper, OpenFHE includes bootstrapping for the CKKS, DM, and CGGI schemes. Bootstrapping for BFV/BGV is currently under development and will be included in a future release of OpenFHE.
We summarize our performance analysis of bootstrapping for CGGI, CKKS, and BGV schemes. More detailed analysis of the performance results is provided in the white paper. We chose CGGI over DM because the former is slightly faster than DM for the typical security setting of uniform ternary secret distribution. The complexity of BGV and BFV bootstrapping is very similar, so it is sufficient to consider only BGV here. We use the CGGI and CKKS implementations in OpenFHE to run our experiments. For BGV, we use reported results from. Security parameters are chosen to correspond to the 128-bit security level.
Many applications may require both large problem sizes (where CKKS works well) and arbitrary function evaluation (where CGGI performs well), e.g., decision tree training. In this case, scheme switching from CKKS to CGGI and back may be beneficial. The OpenFHE team is currently adding this capability to the library and will make it available in 2023.
To learn more about bootstrapping in fully homomorphic encryption, read our in-depth white paper: Demystifying Bootstrapping in Fully Homomorphic Encryption.