SoK: Fully Homomorphic Encryption over the [Discretized] Torus

. First posed as a challenge in 1978 by Rivest et al. , fully homomorphic encryption—the ability to evaluate any function over encrypted data—was only solved in 2009 in a breakthrough result by Gentry ( Commun. ACM , 2010). After a decade of intense research, practical solutions have emerged and are being pushed for standardization. This paper explains the inner-workings of TFHE, a torus-based fully homomorphic encryption scheme. More exactly, it describes its implementation on a discretized version of the torus. It also explains in detail the technique of the programmable bootstrapping. Numerous examples are provided to illustrate the various concepts and deﬁnitions.

Dealing with noise: The bootstrapping trick Most solutions for fully homomorphic encryption rely on hard lattice problems. Accordingly, the resulting ciphertexts must Encrypt(x) valid ciphertext incorrect decryption contain a certain level of noise to guarantee the security of the encryption. The issue however is that computing homomorphically increases the noise level in the ciphertext. As long as the noise is below a certain threshold, the ciphertext can be decrypted. But if the noise grows too much, it can overflow on the data itself, rendering decryption impossible.
To prevent this from happening, a special noise-reduction operation called bootstrapping-a concept introduced in [Gen09]-can be applied to the ciphertext, effectively resetting the noise to a nominal level.
Programmable bootstrapping and functional circuits Although originally designed for boolean circuits, the TFHE encryption scheme can be extended to support more than booleans as an input format, such as integers [CJL + 20]. Remarkably, it enjoys a relatively fast bootstrapping. In addition, bootstrapping in TFHE and the likes can be programmed to evaluate a univariate function for free, at the same time as the noise is reduced. This is referred to as programmable bootstrapping (PBS). PBS is a powerful technique to homomorphically evaluate non-linear functions, such as activation functions in a neural network [CJP21]. (It is worth remarking that the regular bootstrapping corresponds to the programmable bootstrapping with the identity function.) The PBS operation enables more than the homomorphic evaluation of univariate functions and can be used to compute multivariate functions. For example the max function, max(x, y), can be rewritten as max(x, y) = y +max(0, x−y). More generally, Kolmogorov's superposition theorem [Kol57] states that any multivariate function can be expressed as a linear combination of univariate functions. This gives rise to the computational paradigm of functional circuits, where an encryption scheme can be fully homomorphic as long as it implements homomorphic addition and univariate functions. Univariate functions can be evaluated homomorphically using the programmable bootstrapping while the addition of ciphertexts is evaluated in a leveled way.
x 1 x 2 . . .   Application to neural networks Neural networks it turns out are just a special case of a functional circuit, where activation functions are non-linear univariate functions, taking as input the sum of weighted inputs from previous layers. Computing the activation function has been notoriously hard in FHE, as non-linearities cannot be as precisely represented using simple additions and multiplications versus using programmable bootstrapping.
Programmable bootstrapping along with the original TFHE features are available as part of Concrete [CJL + 20], 1 an open source FHE framework. As an illustration, a series of numerical experiments were conducted to assess the performance against the MNIST data-set [LCB98] for depth-20, 50, 100 neural networks, respectively noted NN-20, NN-50 and NN-100; see [CJP21]. These networks all include dense and convolution layers with activation functions; every hidden layer possesses at least 92 active neurons. Experiments were performed on two different types on machine: a personal computer with 2.6 GHz 6-Core Intel ® Core ™ i7 processor, and a 3.00 GHz Intel ® Xeon ® Platinum 8275CL processor with 96 vCPUs hosted on AWS. The two machines are referred to as PC and AWS. Cryptographic parameters are selected to meet the standard 128-bit security level. The running times are given in Table 1. For reference, the times for an unencrypted inference are also included. It is important to note that the given times correspond to the evaluation of a single inference run independently; in particular, the times are not amortized over a batch of inferences. The AWS implementation takes advantage of the 96 vCPUs; in particular, the neurons in the hidden layers are processed in parallel.

Outline of the paper
The rest of this paper is organized as follows. The next section introduces the real torus, its discretized version, its application to polynomials, and the underlying arithmetic. It also reviews related complexity assumptions and suggests typical cryptographic parameters. Section 3 and Section 4 respectively show how to build encryption schemes using torus elements and torus polynomials or, more specifically, from their discretized version. The encoding and decoding for various message spaces is also addressed. Implementation tips and tricks are discussed. Section 5 explains how to operate on ciphertexts. In particular, the operations of addition, multiplication by a constant, and (external) product of ciphertexts are presented. For the latter operation, in order to control the noise growth, the important technique of gadget decomposition is detailed. The so-called CMux operator is also presented. Section 6 covers the bootstrapping and its extension to programmable bootstrapping. The different steps and involved operations are detailed. Notably, it shows that the bootstrapping on the discretized torus is simply an application of Gentry's original recryption technique. Decryption mainly involves two steps: a linear combination and a (non-linear) rounding operation. The difficult operation is the rounding, which is achieved using a rotation with polynomials. More techniques and related works are also surveyed. Finally, Section 7 concludes the paper. (Algorithms in pseudo-code are provided in appendix.) of digits. Elements are expanded up to some finite precision. With a fixed-point approach, a torus element t is written as for some w ≥ 1. This representation limits the torus to the subset Example 4. Suppose B = 10. We have √ 2 mod 1 = 0.4142 . . . = 4 • 10 −1 +1 • 10 −2 +4 • 10 −3 +2 • 10 −4 +· · · . With w = 3 digits, √ 2 mod 1 ≈ 414 10 3 is approximated by the torus element 4 • 10 −1 + 1 • 10 −2 + 4 • 10 −3 .
Remark 2. In radix 2, letting w = Ω, Parameter Ω is called the bit-precision. Furthermore, the leading bit (i.e., t 1 ) is sometimes called the sign bit. Indeed, elements of T are real numbers modulo 1. They can be viewed as unsigned real numbers in the range [0, 1) or as signed real numbers in the range . Hence, if the leading bit is set, the corresponding torus element can be interpreted as a negative number; i.e., as a number in [− 1 2 , 0). Modern architectures typically have a bit-precision of 32 or 64 bits; i.e., Ω = 32 or 64. On such architectures, torus elements are restricted to elements of the form Essentially, the effect of working with a finite precision boils down to replacing T with the submodule Note that the discretization modulo q of the torus is indicated by the subscript q in T q . The submodule T q ⊂ T forms what is called a discretized torus.
Remark 3. For practical reasons, torus elements are not implemented with fractions, but rather as elements modulo q by identifying T q = 1 q Z/Z with Z/qZ. In more detail, given two torus elements t = a q , u = b q ∈ T q , if v := t + u = c q ∈ T q then c ≡ a + b (mod q). Likewise, for a torus element t = a q ∈ T q and a scalar k ∈ Z, if w := k • t = d q ∈ T q then d ≡ k a (mod q). Computations over T q can therefore be carried out entirely with arithmetic modulo q, taking only the numerator into account.
Likewise, on the discretized torus T q , we similarly define We also define Z N,q [X] := Z q [X]/(X N + 1) with Z q = Z/qZ. Viewing 1 q as an element in T N,q [X], any polynomial p ∈ T N,q [X] can be written as p = p • 1 q for some polynomial p ∈ Z N,q [X]. Addition and external multiplication in T N,q [X] are respectively denoted with '+' and ' • '.

Notation
It is useful to introduce some notation. If S is a set, a $ ← S indicates that a is sampled uniformly at random in S. If D is a probability distribution, a ← D indicates that a is sampled according to D. For a real number x, x denotes the largest integer ≤ x, x denotes the smallest integer ≥ x, and x denotes the nearest integer to x.
Vectors are viewed as row matrices and are denoted with bold letters. Elements in Z or T (resp. in Z q or T q ) are denoted with roman letters while polynomials are denoted with calligraphic letters. B is the integer subset {0, 1} and, for N a power of 2, B N [X] is the subset of polynomials in Z N [X] with coefficients in B.
We consider below similar definitions, but over the discretized torus.
Definition 1 (LWE problem over the discretized torus). Let q, n ∈ N and let s = (s 1 , . . . , s n ) $ ← B n . Let alsoχ be an error distribution over q −1 Z. The learning with errors (LWE) over the discretized torus problem is to distinguish samples chosen according to the following distributions: The decisional LWE assumption (resp. the decisional GLWE assumption) asserts that solving the LWE problem (resp. GLWE problem) is infeasible for some security parameter λ, where q := q(λ), n := n(λ), andχ :=χ(λ) (resp. N := N (λ), q := q(λ), k = k(λ), and χ :=χ(λ)). Remark 4. Interestingly, identifying T q with Z q = Z/qZ (resp. T N,q [X] with Z N,q [X]), it turns out that the decisional LWE (resp. GLWE) assumption over the discretized torus is equivalent to the standard decisional LWE (resp. GLWE) assumption. There is therefore no loss of security in working over the discretized torus. Table 2 lists typical cryptographic parameters to be used for secure instances for the LWE and GLWE assumptions. The error distributionχ is induced by the normal distribution N (0, σ 2 ), centered in 0 and with variance σ 2 (σ represents the standard deviation) [Riv12].

Cryptographic parameters
We recommend the reader to check the lwe-estimator script 2 to find concrete parameters for a given security level [APS15]. For an equivalent security level, a smaller value for parameter n (resp. for (N, k)) should be compensated with a larger value for σ (i.e., less concentrated noise).

Description
Intuition The LWE assumption over the discretized torus essentially says that a torus element r ∈ T q constructed as r = n j=1 s j • a j + e cannot be distinguished from a random torus element r ∈ T q , even if the torus vector (a 1 , . . . , a n ) ∈ T q n is known. Torus element r = n j=1 s j • a j + e can therefore be used as a kind of one-time pad to conceal a "plaintext message" µ ∈ T q so as to form a ciphertext c = (a 1 , . . . , a n , r + µ) ∈ T q n+1 , where s = (s 1 , . . . , s n ) ∈ B n plays the role of the private encryption key. The reason why secret key s is chosen as a vector of bits is to have an efficient implementation for the bootstrapping; see Section 6.
Only part of the torus is used to input plaintext messages. The plaintext space is chosen as a proper additive subgroup P ⊂ T q ; specifically, for some integer p dividing q, p ≥ 2. This allows for unique decryption, provided that the noise present in the ciphertext is not too large. In particular, with the above choice for P, if c = (a 1 , . . . , a n , b) with b = n j=1 s j • a j + µ + e is an encryption of a plaintext µ ∈ P, plaintext µ can be recovered in two steps as: • return the closest plaintext in P.

TLWE encryption scheme
Given the discretized torus T q , the plaintext space is set as an additive subgroup of T q ; i.e., P := p −1 Z/Z = T p ⊂ T q for some p dividing q. The discretized distributionχ over q −1 Z is induced by an error distribution χ over R: a noise error e ←χ is defined as e = e q with e = round(q e 0 ) ∈ Z for some e 0 ← χ. The mask (a 1 , . . . , a n ) ∈ T q n of a ciphertext is formed by drawing a j $ ← Z/qZ and letting a j = aj q , for 1 ≤ j ≤ n; the corresponding body b is given by b = n j=1 s j • a j + µ + e where e ←χ. The TLWE encryption of µ ∈ P is the vector (a 1 , . . . , a n , b).
Remark 5. A private-key encryption scheme is symmetric: the same key is used for both encryption and decryption. Public-key variants are presented in Appendix A.
Formally, we get the following private-key encryption scheme.
KeyGen(1 λ ) On input security parameter λ, define a positive integer n, select positive integers p and q such that p | q, and define a discretized error distributionχ over The public parameters are pp = {n, σ, p, q} and the private key is sk = s.
Encrypt sk (µ) The encryption of µ ∈ P is given by for a random vector (a 1 , . . . , a n ) $ ← T q n and a "small" noise e ←χ.
Remark 6. To ease the notation, for an integer k and a torus element t ∈ T q ⊂ T, k t denotes the nearest integer to the product of k by t viewed as a real number. Rigorously, one should write k lift(t) where function lift lifts elements of T to R (i.e., views elements of T as elements in R).
It is easily verified that decryption succeeds in recovering plaintext µ if the noise error e satisfies |e| < 1 2p .

Encoding/Decoding
The encryption algorithm takes (discretized) torus elements-or, more exactly, elements in P-on input. Encoding and decoding aim at supporting further input formats. Let M be an arbitrary finite message space of cardinality #M = p with p = 2 ν . The plaintext space is P = T p ⊂ T q with q = 2 Ω . The encoding function, Encode : M → P, maps a message m ∈ M to an element µ ∈ P; the encoding is applied before encryption. The decoding function, Decode : P → M, is applied after decryption.
We discuss below the cases of message spaces consisting of bits, of integers modulo p (with p dividing q), and of fixed-precision torus elements.
Integers modulo p This generalizes the previous case (bits can be seen as integers modulo The encoding and decoding are then respectively given by Fixed-precision torus elements Let p ≥ 2 with p | q. This case is similar to the case of integers modulo p and considers torus elements of the form t = i p with i ∈ Z/pZ. These elements form a subset of fixed-precision torus elements. For x ∈ T p = p −1 Z/Z and µ ∈ T q , we define Remark 7. The second encoding obviously applies to unsigned integers smaller than p; i.e., to integers in {0, . . . , p − 1}. It may also apply to signed integers. In the latter case, the "mod p" returns the signed representative in − p 2 , . . . , p 2 − 1 . Example 7. Suppose p = 4 and q = 64. If µ = 48 64 then Decode(µ) = p µ mod p ≡ 3 ≡ −1 (mod 4), which represents the unsigned integer 3 or the signed integer −1.

Implementation Notes
Batching ciphertexts When a set of m plaintexts (torus elements) need to be encrypted, randomness can be re-used if they are all encrypted under different keys. Specifically, for µ 1 , . . . , µ m ∈ P, we set C = (a 1 , . . . , a n , b 1 , . The security of this variant follows from [BBS03]. Since the randomness is given explicitly in a TLWE ciphertext (namely, the a j 's), it is readily verified that the "reproducibility" criterion [BBKS07, Definition 9.3] is satisfied.
Ciphertext compression TLWE ciphertexts are torus vectors with n + 1 components. With the parameter set of Table 2, if we suppose that torus elements are represented with 64 bits, a TLWE ciphertext typically requires 631 × 64 = 40384 bits (or about 5 kilobytes) for its representation.
Instead of representing a ciphertext c as c = (a 1 , . . . , a n , b), a much more compact way is to define c as c = (θ, b) where θ $ ← {0, 1} λ is a random λ-bit string for security parameter λ. The value of θ is used as a seed to a cryptographically secure pseudo-random number generator (PRNG) to derive the random vector (a 1 , . . . , a n ): (a 1 , . . . , a n ) ← PRNG(θ) .
With the above parameter set (which corresponds to a desired bit-security of 128 bits), the same ciphertext only needs 128 + 64 = 192 bits for its representation.

Key storage
The same trick applies to private key s. Instead of plainly storing s as a n-bit string, we can store it as a λ-bit random seed that is used to generate s through a cryptographic pseudo-random number generator.

Description
TLWE encryption readily extends to torus polynomials in T N,q [X]. Operations on the torus T q are simply replaced with operations on polynomials modulo X N + 1 (and modulo q). Given two polynomials a, b ∈ T N,q [X], a + b refers to the addition of a and b modulo (X N + 1, q) and, for a ∈ Z N,q [X] and b ∈ T N,q [X], a • b refers to the external product of a and b modulo (X N + 1, q)-remember that the internal product is not defined.
The plaintext space is the subset of polynomials with P = T p = p −1 Z/Z for some p dividing q. Note that this latter condition imposes that This leads to the TGLWE private-key encryption scheme.
KeyGen(1 λ ) On input security parameter λ, define a pair of integers (N, k) with N a power of 2 and k ≥ 1. Select positive integers p and q such that p | q. Define also a discretized error distributionχ over q −1 Z N [X] induced by a normal distribution . Sample uniformly at random a vector s = (s 1 , . . . , s k ) . The public parameters are pp = {k, N, σ, p, q} and the private key is sk = s.
Encrypt sk (µ) The encryption of µ ∈ P N [X] is given by s j • a j and return the closest plaintext µ ∈ P N [X] as the decryption of c.
Remark 8. Since T N,q [X] = T q when N = 1, it turns out that the TLWE encryption (Section 3.1) can be seen as a special instantiation of the TGLWE encryption with parameters (k, N ) = (n, 1).
At this point, the reader may wonder why there are two versions for the encryption: one over T q and one over T N,q [X]. For the encryption of a single torus element µ ∈ P, TLWE should be preferred to TGLWE because the resulting ciphertext is shorter. For the encryption of multiple torus elements, TGLWE can be a better option; see next section. But the main reason of having two different schemes is for the implementation of the (programmable) bootstrapping where both TLWE and TGLWE are needed; see Section 6.

Encoding/Decoding
The TGLWE encryption scheme supports the encryption of an arbitrary polynomial µ ∈ P N [X]. In many applications, µ is restricted to a polynomial of degree 0 and can therefore be seen as an element in P. In this case, the encoding and decoding functions presented in Section 3.2 equally apply.
In the general case, for Φ(X) = X N + 1, let p ∈ Z N,q [X] and q ∈ T N,q [X] given by p(X) = p 0 + p 1 X + · · · + p N −1 X N −1 and q(X) = q 0 + q 1 X + · · · + q N −1 X N −1 . Using the relation X N +i ≡ −X i (mod X N + 1), their product satisfies This requires N 2 external torus products for evaluating p i • q j with 0 ≤ i, j ≤ N − 1. For large values of N , an alternative way is to rely on the fast Fourier techniques [vzGG13,Chapter 8]; see also [Ber01] for an algebraic description.
When p(X) is the monomial X j for some j ∈ {0, . . . , N − 1}, the previous product formula simplifies into or, more concisely, . This relation is known as the negacyclic property.
Example 9. To better exhibit the negacyclic property, we represent polynomials by their vectors of coefficients. Take N = 4 and consider the polynomial q(X) = q 0 + q 1 X + q 2 X 2 + q 3 X 3 . Then , and so on. At each multiplication by X, it turns out that the polynomial coefficients are circularly shifted one position to the right and the entering coefficient is negated.

Working over Encrypted Data
Clearly, TLWE encryption and TGLWE encryption are additively homomorphic. The approach of Gentry-Sahai-Waters [GSW13] using matrix product is employed to turn these encryption schemes into schemes supporting a limited number of multiplications.
Remark 9. Addition of ciphertexts explains why P was chosen as an additive subgroup of T q in the definition of TLWE encryption. Doing so implies that if µ 1 , µ 2 ∈ P then so does µ 3 = µ 1 + µ 2 .

Multiplication by a known constant
Multiplying by a constant can be obtained as a series of additions. As a result, given the TLWE ciphertext c ← TLWE s (µ) with µ ∈ P, the TLWE encryption of K • µ for some known (small) integer K = 0 can be obtained as This boils down to multiplying every vector component of c by K; namely, if c = (a 1 , . . . , a n , b) ∈ T q n+1 then Again, K • c (in T q n+1 ) is a valid encryption of K • µ (in P), provided that the resulting noise (i.e., K e where e is the noise present in c) keeps "small".

Multiplication of ciphertexts
The main challenge in working over encrypted data resides in multiplying ciphertexts. In order to make the Gentry-Sahai-Waters' approach work, ciphertexts in TLWE encryption need to be expressed as matrices.

Gadget matrix
Flattening is a method that modifies vectors without affecting dot products [BGV14,Bra12]. As will become apparent, this technique helps controlling the noise.

TGSW encryption
The gadget matrix gives rise to a torus-based variant of the Gentry-Sahai-Waters (GSW) encryption scheme.
Let an integer p | q where q = 2 Ω . The gadget decomposition over T q supposes integers B and such that B | q. Actually, since all its elements are 0 or of the form B −j with 1 ≤ j ≤ , the gadget matrix G is actually defined over B − Z/Z ⊆ T q . We assume that p = B . In this case, G is defined over T p = p −1 Z/Z.

Proof. From the definition, we have
Let 2 := G −1 (C 2 ) • G − C 2 denote the rounding error matrix. We so get . Assuming the error resulting from the rounding (i.e, m 1 • 2 ) keeps "small" and that the multiplicative noise keeps "small", we can write C 3 = Z 3 + (m 1 m 2 ) • G for some Z 3 ← TGSW s (0).
is a matrix whose rows are TLWE encryptions of 0 then, for any (small) matrix A ∈ Z m×(n+1) , Z = A · Z ∈ T q m×(n+1) is a matrix whose rows are TLWE encryptions of 0 (up to the noise).
Example 11. To see it, suppose m = n = 2. Letting A = α 1,1 α 1,2 α 1,3 α 2,1 α 2,2 α 2,3 and Z = a 1,1 a 1,2 b 1  a 2,1 a 2,2 b 2  a 3,1 a 3,2 Inspecting the proof shows that the resulting error term present in Z 3 comprises three components: (i) one coming from the noise present in Z 1 , which is amplified by G −1 (C 2 ); (ii) one coming from the noise present in Z 2 , which is amplified by m 1 ; and (iii) one coming from the rounding error 2 , which is also amplified by m 1 . The multiplicative noise can grow quickly. The use of the gadget matrix leads however to a favorable situation since by construction G −1 (C 2 ) ∞ ≤ B/2. Furthermore, the two other components can be contained if plaintext m 1 keeps small (for example, if m 1 is restricted to elements in {0, 1}).

TGLWE Ciphertexts
Again, the operations and underlying techniques developed for TLWE and TGSW extend to polynomials. Torus elements are replaced with torus polynomials. Addition and external multiplication are performed modulo X N + 1. The same trick using a gadget matrix (over T N,q [X]) is used to control the noise growth.

Multiplication by a known polynomial
Let µ ∈ P N [X] and let K ∈ Z ⊂ Z N [X] (i.e., viewed as a degree 0 polynomial in Z N [X]). Given the ciphertext c ← TGLWE s (µ), , provided that the resulting noise keeps "small". More generally, for a (small) polynomial k ∈ Z N [X], c = k • c is a valid ciphertext of µ = k • µ (in P N [X]), provided that the resulting noise keeps "small".
Let p = B and such that p | q. Let also s = (s 1 , . . . , s k ) ∈ B N [X] k . The TGGSW encryption of m ∈ P N [X] under private key s is defined as . . .
The external product of a TGGSW ciphertext by a TGLWE ciphertext is defined as The resulting ciphertext c 3 := C 1 c 2 (∈ T N,q [X] k+1 ) is a valid encryption of µ 3 := m 1 • µ 2 (∈ P N [X]), provided that the rounding errors resulting from G −1 (·) and the multiplicative noise keep "small".
CMUX The main application of the external product in TFHE is the "controlled" multiplexer, or CMUX in short. Given two TGLWE ciphertexts c 0 ← TGLWE s (µ 0 ) and c 1 ← TGLWE s (µ 1 ), the CMux operator acts as a selector to choose between c 0 and c 1 according to a TGGSW encryption C b ← TGGSW s (b) of a control bit b ∈ {0, 1}. This can be computed through an external product as The output is a TGLWE encryption of µ b .

Implementation Notes
The encoding for integers modulo p (including bits when p = 2) presented in Section 3.2 respects the addition. In more detail, for any i 1 , i 2 ∈ Z/pZ, letting i 3 = i 1 + i 2 mod p, we have Encode(i 3 ) = Encode(i 1 ) + Encode(i 2 ) (in T p ). The encoding also respects the external product: for any i ∈ Z/pZ and any integer k, letting i k = k · i mod p, we have Encode(i k ) = k • Encode(i) (in T p ). In other words, the encoding is homomorphic and so complies with the homomorphic structure of the encryption.
The same holds true for the encoding for fixed-precision torus elements presented in Section 3.2.

Programmable Bootstrapping
As aforementioned, both TLWE and TGLWE encryptions are needed for implementing certain operations. We will see in this section that their combination is central to refreshing noisy TLWE ciphertexts. Such an operation is known as bootstrapping. Furthermore, this operation can be programmed to evaluate at the same time a selected function.

Gentry's Recryption
For a (symmetric) fully homomorphic encryption algorithm Encrypt, given the encryption of x under private key sk, the homomorphic evaluation of a univariate function f yields the encryption of f (x). This is illustrated in the next figure. f (·) Encrypt sk (f (x)) Gentry's key idea to reduce the noise present in a ciphertext is to homomorphically evaluate the decryption of the ciphertext using a homomorphic encryption of its own decryption key [Gen09,Gen10]. The encryption of the decryption key (matching the encryption key used to produce the ciphertext) forms what is called the bootstrapping key.
Specifically, let c ← Encrypt sk1 (m) denote a noisy ciphertext encrypting a plaintext m and let bsk ← Encrypt sk2 (sk 1 ) denote the bootstrapping key. Assume that function f in the above figure is the decryption function dedicated to ciphertext c, viewed as the univariate function Decrypt(·, c). Then, letting x = sk 1 , the homomorphic evaluation of f yields Encrypt sk2 (f (x)) = Encrypt sk2 (Decrypt(sk 1 , c) The procedure is detailed in Fig. 3.

Decrypt(·, c)
Encrypt sk 2 (sk1) Starting with the noisy ciphertext c ← Encrypt sk1 (m), the recryption process ends up with a new ciphertext Encrypt sk2 (m), encrypting the same plaintext m. Note that the encryption keys are different. The encryption algorithms Encrypt and Encrypt may be distinct or not. In the latter case, the resulting ciphertext can be reverted back into a ciphertext under the initial key sk 1 thanks to a standard key-switching technique.

Bootstrapping
General description Let s = (s 1 , . . . , s n ) ∈ B n . Consider a TLWE encryption of µ ∈ P: we have c ← TLWE s (µ) = (a 1 , . . . , a n , b) ∈ T q n+1 where a j $ ← T q and b = n j=1 s j • a j +µ * ∈ T q with µ * = µ + e for some "small" noise error e. The goal of the bootstrapping procedure is to produce a TLWE ciphertext of the same plaintext but with a reduced amount of noise e , |e | < |e|. So far, the only known way to bootstrap a ciphertext is Gentry's recryption technique. In the case of TFHE, using the previous notations, its application involves two steps: 1. obtaining the noisy plaintext µ * as µ * = b − n j=1 s j • a j ∈ T q ; 2. recovering the plaintext µ by rounding µ * to the closest plaintext as µ = p µ * mod p p ∈ P.
These two steps have to be performed over encrypted data. The first step being linear is easy given an encryption of the s j 's. The second step (i.e., the rounding) is more problematic. This is where polynomials come to the rescue.

Rounding with polynomials Consider polynomial
The formula of the external multiplication in T N,p [X] by a monomial (cf. Section 4.3) teaches that In other words, when 0 ≤ j < N , the constant term of polynomial X −j • v(X) is v j . As we will see, this simple observation provides a way to round a torus element µ * ∈ T q as an element of µ ∈ T p , where p | q.
Since µ * ∈ T q , we can write µ * = µ * /q where µ * := q µ * mod q with 0 ≤ µ * < q. If we suppose for a moment that N ≥ q, we have 0 ≤ µ * < N . It also means that polynomial v has more coefficients than the number of possible values for µ * . We can therefore assign Second, because polynomial v lies in T N,p [X] and thus has N coefficients, at most N values forμ * can be encoded. This can be addressed by ensuring that the most significant bit ofμ * is set to 0. In this case,μ * can take at most N possible values. (Enhanced techniques-applicable to arbitraryμ * ∈ [0, 2N )-are discussed in Section 6.4.) From the above considerations, the so-called test polynomial v is formed as mod p p ∈ P and the relation holds, provided that the drift is contained and that 0 ≤ (μ * mod 2N ) < N . For conciseness, The external product being homogeneous, it follows that This provides an iterative method to get q n = X −b+ n i=1 siãi • v, starting at q 0 = X −b • v and then iterating on j from 1 to n. See Table 3 (left column).
Gentry's recryption does the same but over encrypted data. As the rounding method involves polynomials, we rely on TGLWE encryption. Let s ∈ B N [X] k+1 . We assume that we are given the bootstrapping keys bsk[j] ← TGGSW s (s j ) ∈ T N,q [X] (k+1) ×(k+1) , for 1 ≤ j ≤ n. This is illustrated in the next table (right column).

end for return c n
Clearly, the output ciphertext c := c n is a TGLWE encryption of q n = X −b+ Remark 14. Algorithms in pseudo-code are provided in Appendix C.

Sample extraction
The previous conversion step turns the TLWE encryption of a plaintext µ ∈ P into a TGLWE encryption of a polynomial plaintext µ(X) := X −μ * • v ∈ P N [X] whose constant term is µ. The constant-term component is then extracted to give rise to a refreshed TLWE encryption of µ, but under a different key. This is referred to as sample extraction. We note that, although it is applied to the constant term, the technique readily adapts to extract other components of µ.

Key switching
The loop is almost closed. With the above procedure, ciphertexts c and c ← SampleExtract(BlindRotate bsk (c,c)) both encrypt plaintext µ but they feature a different set of parameters: c ← TLWE s (µ) ∈ T q n+1 and c ← TLWE s (µ) ∈ T q kN +1 . The key switching algorithm converts a ciphertext under a key into a ciphertext under another key. Its implementation requires key-switching keys, i.e., TLWE encryptions of the key bits of s with respect to the original key s. The procedure may seem conceptually very similar to the bootstrapping, but there is a fundamental difference between the two techniques: bootstrapping reduces the noise (and is computationally demanding) whereas the key switching makes the noise increase (but is cheaper to evaluate).
Assume we are given the key-switching keys for some parameters B and defining a gadget decomposition (see Section 5.1.3). On input ciphertext c ← TLWE s (µ) = (a 1 , . . . , a kN

Putting it all together
To sum up, the bootstrapping of a TLWE ciphertext c ← TLWE s (µ) ∈ T q n+1 with s = (s 1 , . . . , s n ) ∈ B n proceeds as a series of 3 steps. Ternary keys and more The blind rotation makes essential the use of binary keys. Following the astute observation of [MP21] that a ternary vector s = (s 1 , . . . , s n ) ∈ {−1, 0, 1} n can be expressed as the difference of two binary vectors, the authors of [JP22] provide a general method extending the programmable bootstrapping with secret keys in higher radices. The cost is essentially only one external product per key digit but the total number of bootstrapping keys increases with the radix size. See [JP22] for an analysis of the different possible trade-offs.

Conclusion
This paper gave a systematized presentation for fully homomorphic encryption over a discretized torus, including ready-to-use algorithms and implementation notes. The various concepts and definitions were illustrated with small examples. Advanced topics like programmable bootstrapping and how it relates to Gentry's recryption were also covered. It is the author's hope that this paper will provide new insights into the topic of fully homomorphic encryption and, in turn, lead to ideas for better implementations and further developments.
KeyGen(1 λ ) On input security parameter λ, define integers N, k, m with N a power of 2 and m, k ≥ 1. Select positive integers p and q such p | q. Define also a discretized error distributionχ over q −1 Z N [X] induced by a normal distribution χ = N (0, σ 2 ) over

B Index to Notations
In the following notations, letters have the following significance:

Formal
Meaning Section symbolism reference