F1: A Fast and Programmable Accelerator
for Fully Homomorphic Encryption (Extended Version)
Axel Feldmann1⇤ , Nikola Samardzic1⇤ , Aleksandar Krastev1 , Srini Devadas1 ,
Ron Dreslinski2 , Karim Eldefrawy3 , Nicholas Genise3 , Chris Peikert2 , Daniel Sanchez1
1 Massachusetts Institute of Technology
{axelf, nsamar, alexalex, devadas, sanchez}@csail.mit.edu {dreslin, cpeikert}@umich.edu
3 SRI International
{karim.eldefrawy, nicholas.genise}@sri.com
arXiv:2109.05371v2 [cs.CR] 25 Sep 2021
ABSTRACT
Fully Homomorphic Encryption (FHE) allows computing on en-
crypted data, enabling secure o�oading of computation to un-
trusted servers. Though it provides ideal security, FHE is expensive
when executed in software, 4 to 5 orders of magnitude slower than
computing on unencrypted data. These overheads are a major bar-
rier to FHE’s widespread adoption.
We present F1, the �rst FHE accelerator that is programmable,
i.e., capable of executing full FHE programs. F1 builds on an in-
depth architectural analysis of the characteristics of FHE compu-
tations that reveals acceleration opportunities. F1 is a wide-vector
processor with novel functional units deeply specialized to FHE
primitives, such as modular arithmetic, number-theoretic trans-
forms, and structured permutations. This organization provides so
much compute throughput that data movement becomes the key
bottleneck. Thus, F1 is primarily designed to minimize data move-
ment. Hardware provides an explicitly managed memory hierarchy
and mechanisms to decouple data movement from execution. A
novel compiler leverages these mechanisms to maximize reuse and
schedule o�-chip and on-chip data movement.
We evaluate F1 using cycle-accurate simulation and RTL synthe-
sis. F1 is the �rst system to accelerate complete FHE programs, and
outperforms state-of-the-art software implementations by gmean
5,400⇥ and by up to 17,000⇥. These speedups counter most of FHE’s
overheads and enable new applications, like real-time private deep
learning in the cloud.
1 INTRODUCTION
Despite massive e�orts to improve the security of computer systems,
security breaches are only becoming more frequent and damaging,
as more sensitive data is processed in the cloud [43, 69]. Current
encryption technology is of limited help, because servers must
decrypt data before processing it. Once data is decrypted, it is
vulnerable to breaches.
Fully Homomorphic Encryption (FHE) is a class of encryption
schemes that address this problem by enabling generic computation
on encrypted data. Fig. 1 shows how FHE enables secure o�oading
of computation. The client wants to compute an expensive function
5 (e.g., a deep learning inference) on some private data G. To do
⇤ A. Feldmann and N. Samardzic contributed equally to this work.
This is an extended version of a paper that will appear in the Proceedings of
the 54th Annual IEEE/ACM International Symposium on Microarchitecture
(MICRO), 2021 [29].
1
2 University of Michigan
Encrypted(x)
x Encrypt
3
Trust barrier
1 2
Server F1 FHE
5 4 Accelerator
Client
f(x) Decrypt
Encrypted(f(x))
Figure 1: FHE allows a user to securely o�load computation
to an untrusted server.
this, the client encrypts G and sends it to an untrusted server, which
computes 5 on this encrypted data directly using FHE, and returns
the encrypted result to the client. FHE provides ideal security prop-
erties: even if the server is compromised, attackers cannot learn
anything about the data, as it remains encrypted throughout.
FHE is a young but quickly developing technology. First real-
ized in 2009 [33], early FHE schemes were about 109 times slower
than performing computations on unencrypted data. Since then,
improved FHE schemes have greatly reduced these overheads and
broadened its applicability [2, 59]. FHE has inherent limitations—
for example, data-dependent branching is impossible, since data
is encrypted—so it won’t subsume all computations. Nonetheless,
important classes of computations, like deep learning inference [17,
25, 26], linear algebra, and other inference and learning tasks [40]
are a good �t for FHE. This has sparked signi�cant industry and
government investments [4, 9, 23] to widely deploy FHE.
Unfortunately, FHE still carries substantial performance over-
heads: despite recent advances [15, 25, 26, 61, 66], FHE is still
10,000⇥ to 100,000⇥ slower than unencrypted computation when
executed in carefully optimized software. Though this slowdown is
large, it can be addressed with hardware acceleration: if a special-
ized FHE accelerator provides large speedups over software execution,
it can bridge most of this performance gap and enable new use cases.
For an FHE accelerator to be broadly useful, it should be pro-
grammable, i.e., capable of executing arbitrary FHE computations.
While prior work has proposed several FHE accelerators, they do
not meet this goal. Prior FHE accelerators [20, 21, 27, 65, 66, 71]
target individual FHE operations, and miss important ones that they
leave to software. These designs are FPGA-based, so they are small
and miss the data movement issues facing an FHE ASIC accelerator.
These designs also overspecialize their functional units to speci�c
parameters, and cannot e�ciently handle the range of parameters
needed within a program or across programs.
In this paper we present F1, the �rst programmable FHE ac-
celerator. F1 builds on an in-depth architectural analysis of the
characteristics of FHE computations, which exposes the main chal-
lenges and reveals the design principles a programmable FHE ar-
chitecture should exploit.
Harnessing opportunities and challenges in FHE: F1 is tai-
lored to the three de�ning characteristics of FHE:
(1) Complex operations on long vectors: FHE encodes informa-
tion using very large vectors, several thousand elements long, and
processes them using modular arithmetic. F1 employs vector pro-
cessing with wide functional units tailored to FHE operations to
achieve large speedups. The challenge is that two key operations
on these vectors, the Number-Theoretic Transform (NTT) and au-
tomorphisms, are not element-wise and require complex data�ows
that are hard to implement as vector operations. To tackle these
challenges, F1 features specialized NTT units and the �rst vector
implementation of an automorphism functional unit.
(2) Regular computation: FHE programs are data�ow graphs of
arithmetic operations on vectors. All operations and their depen-
dences are known ahead of time (since data is encrypted, branches
or dependences determined by runtime values are impossible). F1
exploits this by adopting static scheduling: in the style of Very Long
Instruction Word (VLIW) processors, all components have �xed
latencies and the compiler is in charge of scheduling operations and
data movement across components, with no hardware mechanisms
to handle hazards (i.e., no stall logic). Thanks to this design, F1 can
issue many operations per cycle with minimal control overheads;
combined with vector processing, F1 can issue tens of thousands of
scalar operations per cycle.
(3) Challenging data movement: In FHE, encrypting data in-
creases its size (typically by at least 50⇥); data is grouped in long
vectors; and some operations require large amounts (tens of MBs)
of auxiliary data. Thus, we �nd that data movement is the key chal-
lenge for FHE acceleration: despite requiring complex functional
units, in current technology, limited on-chip storage and memory
bandwidth are the bottleneck for most FHE programs. Therefore, F1
is primarily designed to minimize data movement. First, F1 features
an explicitly managed on-chip memory hierarchy, with a heavily
banked scratchpad and distributed register �les. Second, F1 uses
mechanisms to decouple data movement and hide access latencies
by loading data far ahead of its use. Third, F1 uses new, FHE-tailored
scheduling algorithms that maximize reuse and make the best out of
limited memory bandwidth. Fourth, F1 uses relatively few functional
units with extremely high throughput, rather than lower-throughput
functional units as in prior work. This reduces the amount of data
that must reside on-chip simultaneously, allowing higher reuse.
In summary, F1 brings decades of research in architecture to bear,
including vector processing and static scheduling, and combines
them with new specialized functional units (Sec. 5) and scheduling
algorithms (Sec. 4) to design a programmable FHE accelerator. We
implement the main components of F1 in RTL and synthesize them
in a commercial 14nm/12nm process. With a modest area budget of
151 mm2 , our F1 implementation provides 36 tera-ops/second of 32-
bit modular arithmetic, 64 MB of on-chip storage, and a 1 TB/s high-
bandwidth memory. We evaluate F1 using cycle-accurate simulation
running complete FHE applications, and demonstrate speedups of
1,200⇥–17,000⇥ over state-of-the-art software implementations.
These dramatic speedups counter most of FHE’s overheads and
enable new applications. For example, F1 executes a deep learning
2
inference that used to take 20 minutes in 240 milliseconds, enabling
secure real-time deep learning in the cloud.
2 BACKGROUND
Fully Homomorphic Encryption allows performing arbitrary arith-
metic on encrypted plaintext values, via appropriate operations
on their ciphertexts. Decrypting the resulting ciphertext yields the
same result as if the operations were performed on the plaintext
values “in the clear.”
Over the last decade, prior work has proposed multiple FHE
schemes, each with somewhat di�erent capabilities and performance
tradeo�s. BGV [14], B/FV [13, 28], GSW [35], and CKKS [17] are
popular FHE schemes.∗ Though these schemes di�er in how they
encrypt plaintexts, they all use the same data type for ciphertexts:
polynomials where each coe�cient is an integer modulo &. This
commonality makes it possible to build a single accelerator that
supports multiple FHE schemes; F1 supports BGV, GSW, and CKKS.
We describe FHE in a layered fashion: Sec. 2.1 introduces FHE’s
programming model and operations, i.e., FHE’s interface; Sec. 2.2
describes how FHE operations are implemented; Sec. 2.3 presents
implementation optimizations; and Sec. 2.4 performs an architec-
tural analysis of a representative FHE kernel to reveal acceleration
opportunities.
For concreteness, we introduce FHE using the BGV scheme, and
brie�y discuss other FHE schemes in Sec. 2.5.
2.1 FHE programming model and operations
FHE programs are data�ow graphs: directed acyclic graphs where
nodes are operations and edges represent data values. Data values
are inputs, outputs, or intermediate values consumed by one or
more operations. All operations and dependences are known in
advance, and data-dependent branching is impossible.
In FHE, unencrypted (plaintext) data values are always vectors;
in BGV [14], each vector consists of # integers modulo an integer
C. BGV provides three operations on these vectors: element-wise
addition (mod C), element-wise multiplication (mod C), and a small
set of particular vector permutations.
We stress that this is BGV’s interface, not its implementation:
it describes unencrypted data, and the homomorphic operations
that BGV implements on that data in its encrypted form. In Sec. 2.2
we describe how BGV represents encrypted data and how each
operation is implemented.
At a high level, FHE provides a vector programming model with
restricted operations where individual vector elements cannot be
directly accessed. This causes some overheads in certain algorithms.
For example, summing up the elements of a vector is non-trivial,
and requires a sequence of permutations and additions.
Despite these limitations, prior work has devised reasonably
e�cient implementations of key algorithms, including linear alge-
bra [38], neural network inference [15, 36], logistic regression [39],
and genome processing [11]. These implementations are often
coded by hand, but recent work has proposed FHE compilers to
automate this translation for particular domains, like deep learn-
ing [25, 26].
∗ Thesescheme names are acronyms of their authors’ last names. For instance, BGV is
Brakerski-Gentry-Vaikuntanathan.
 Finally, note that not all data must be encrypted: BGV provides
versions of addition and multiplication where one of the operands
is unencrypted. Multiplying by unencrypted data is cheaper, so
algorithms can trade privacy for performance. For example, a deep
learning inference can use encrypted weights and inputs to keep
the model private, or use unencrypted weights, which does not
protect the model but keeps inputs and inferences private [15].
2.2 BGV implementation overview
We now describe how BGV represents and processes encrypted
data (ciphertexts). The implementation of each computation on
ciphertext data is called a homomorphic operation. For example,
the homomorphic multiplication of two ciphertexts yields another
ciphertext that, when decrypted, is the element-wise multiplication
of the encrypted plaintexts.
Data types: BGV encodes each plaintext vector as a polynomial
with # coe�cients mod C. We denote the plaintext space as 'C , so
a = 0 0 + 0 1G + ... + 0 # 1G # 1 2 'C
is a plaintext. Each plaintext is encrypted into a ciphertext con-
sisting of two polynomials of # integer coe�cients modulo some
& C. Each ciphertext polynomial is a member of '& .
Encryption and decryption: Though encryption and decryption
are performed by the client (so F1 need not accelerate them), they
are useful to understand. In BGV, the secret key is a polynomial
s 2 '& . To encrypt a plaintext m 2 'C , one samples a uniformly
random a 2 '& , an error (or noise) e 2 '& with small entries, and
computes the ciphertext 2C as
2C = (a, b = as + Ce + m).
Ciphertext 2C = (a, b) is decrypted by recovering e 0 = Ce + m =
b as mod &, and then recovering m = e 0 mod C. Decryption is
correct as long as e 0 does not “wrap around” modulo &, i.e., its
coe�cients have magnitude less than &/2.
The security of any encryption scheme relies on the ciphertexts
not revealing anything about the value of the plaintext (or the se-
cret key). Without adding the noise term e, the original message
m would be recoverable from 2C via simple Gaussian elimination.
Including the noise term entirely hides the plaintext (under crypto-
graphic assumptions) [49].
As we will see, homomorphic operations on ciphertexts increase
their noise, so we can only perform a limited number of operations
before the resulting noise becomes too large and makes decryption
fail. We later describe noise management strategies (Sec. 2.2.2) to
keep this noise bounded and thereby allow unlimited operations.
2.2.1 Homomorphic operations.
Homomorphic addition of ciphertexts 2C 0 = (a0, b0 ) and 2C 1 =
(a1, b1 ) is done simply by adding their corresponding polynomials:
2C add = 2C 0 + 2C 1 = (a0 + a1, b0 + b1 ).
Homomorphic multiplication requires two steps. First, the four
input polynomials are multiplied and assembled:
2C ⇥ = (l2, l1, l0 ) = (a0 a1, a0 b1 + a1 b0, b0 b1 ).
This 2C ⇥ can be seen as a special intermediate ciphertext encrypted
under a di�erent secret key. The second step performs a key-switch-
ing operation to produce a ciphertext encrypted under the original
secret key s. More speci�cally, l2 undergoes this key-switching
3
process to produce two polynomials (u1, u0 ) = KeySwitch(l2 ). The
�nal output ciphertext is 2C mul = (l1 + u1, l0 + u0 ).
As we will see later (Sec. 2.4), key-switching is an expensive
operation that dominates the cost of a multiplication.
Homomorphic permutations permute the # plaintext values
(coe�cients) that are encrypted in a ciphertext. Homomorphic
permutations are implemented using automorphisms, which are
special permutations of the coe�cients of the ciphertext polynomi-
als. There are # automorphisms, denoted f: (a) and f : (a) for all
positive odd : < # . Speci�cally,
f: (a) : 08 ! ( 1)B 08: mod # for 8 = 0, ..., # 1,
where B = 0 if 8: mod 2# < # , and B = 1 otherwise. For example,
f5 (a) permutes a’s coe�cients so that 0 0 stays at position 0, 0 1 goes
from position 1 to position 5, and so on (these wrap around, e.g.,
with # = 1024, 0 205 goes to position 1, since 205 · 5 mod 1024 = 1).
To perform a homomorphic permutation, we �rst compute an
automorphism on the ciphertext polynomials: 2Cf = (f: (a), f: (b)).
Just as in homomorphic multiplication, 2Cf is encrypted under
a di�erent secret key, requiring an expensive key-switch to pro-
duce the �nal output 2C perm = (u1, f: (b) + u0 ), where (u1, u0 ) =
KeySwitch(f: (a)).
We stress that the permutation applied to the ciphertext does not
induce the same permutation on the underlying plaintext vector.
For example, using a single automorphism and careful indexing, it
is possible to homomorphically rotate the vector of the # encrypted
plaintext values.
2.2.2 Noise growth and management.
Recall that ciphertexts have noise, which limits the number of oper-
ations that they can undergo before decryption gives an incorrect
result. Di�erent operations induce di�erent noise growth: addition
and permutations cause little growth, but multiplication incurs
much more signi�cant growth. So, to a �rst order, the amount of
noise is determined by multiplicative depth, i.e., the longest chain
of homomorphic multiplications in the computation.
Noise forces the use of a large ciphertext modulus &. For example,
an FHE program with multiplicative depth of 16 needs & to be about
512 bits. The noise budget, and thus the tolerable multiplicative
depth, grow linearly with log &.
FHE uses two noise management techniques in tandem: boot-
strapping and modulus switching.
Bootstrapping [33] enables FHE computations of unbounded depth.
Essentially, it removes noise from a ciphertext without access to the
secret key. This is accomplished by evaluating the decryption func-
tion homomorphically. Bootstrapping is an expensive procedure
that consists of many (typically tens to hundreds) homomorphic
operations. FHE programs with a large multiplicative depth can be
divided into regions of limited depth, separated by bootstrapping
operations.
Even with bootstrapping, FHE schemes need a large noise bud-
get (i.e., a large &) because (1) bootstrapping is computationally
expensive, and a higher noise budget enables less-frequent boot-
strapping, and (2) bootstrapping itself consumes a certain noise
budget (this is similar to why pipelining circuits hits a performance
ceiling: registers themselves add area and latency).
Modulus switching rescales ciphertexts from modulus & to a
modulus & 0 , which reduces the noise proportionately. Modulus
switching is usually applied before each homomorphic multiplica-
tion, to reduce its noise blowup.
For example, to execute an FHE program of multiplicative depth
16, we would start with a 512-bit modulus &. Right before each
multiplication, we would switch to a modulus that is 32 bits shorter.
So, for example, operations at depth 8 use a 256-bit modulus. Thus,
beyond reducing noise, modulus switching reduces ciphertext sizes,
and thus computation cost.
2.2.3 Security and parameters.
The dimension # and modulus & cannot be chosen independently;
# /log & must be above a certain level for su�cient security. In
practice, this means that using a wide modulus to support deep
programs also requires a large # . For example, with 512-bit &,
# = 16 is required to provide an acceptable level of security,
resulting in very large ciphertexts.
2.3 Algorithmic insights and optimizations
F1 leverages two optimizations developed in prior work:
Fast polynomial multiplication via NTTs: Multiplying two poly-
nomials requires convolving their coe�cients, an expensive (naively
$ (# 2 )) operation. Just like convolutions can be made faster with
the Fast Fourier Transform, polynomial multiplication can be made
faster with the Number-Theoretic Transform (NTT) [54], a variant
of the discrete Fourier transform for modular arithmetic. The NTT
takes an # -coe�cient polynomial as input and returns an # -ele-
ment vector representing the input in the NTT domain. Polynomial
multiplication can be performed as element-wise multiplication in
the NTT domain. Speci�cally,
#)) (ab) = #)) (a) #)) (b),
where denotes component-wise multiplication. (For this relation
to hold with # -point NTTs, a negacyclic NTT [49] must be used
(Sec. 5.2).)
Because an NTT requires only $ (# log # ) modular operations,
multiplication can be performed in $ (# log # ) operations by using
two forward NTTs, element-wise multiplication, and an inverse
NTT. And in fact, optimized FHE implementations often store poly-
nomials in the NTT domain rather than in their coe�cient form
across operations, further reducing the number of NTTs. This is
possible because the NTT is a linear transformation, so additions
and automorphisms can also be performed in the NTT domain:
#)) (f: (a)) = f: (#)) (a))
#)) (a + b) = #)) (a) + #)) (b)
Avoiding wide arithmetic via Residue Number System (RNS)
representation: FHE requires wide ciphertext coe�cients (e.g., 512
bits), but wide arithmetic is expensive: the cost of a modular multi-
plier (which takes most of the compute) grows quadratically with
bit width in our range of interest. Moreover, we need to e�ciently
support a broad range of widths (e.g., 64 to 512 bits in 32-bit incre-
ments), both because programs need di�erent widths, and because
modulus switching progressively reduces coe�cient widths.
RNS representation [31] enables representing a single polyno-
mial with wide coe�cients as multiple polynomials with narrower
4
1 def keySwitch (x: RVec[L],
2 ksh0: RVec[L][L], ksh1: RVec[L][L]):
3 y = [INTT(x[i],@8 ) for i in range(L)]
4 u0: RVec[L] = [0, ...]
5 u1: RVec[L] = [0, ...]
6 for i in range(L):
7 for j in range(L):
8 xqj = (i == j) ? x[i] : NTT(y[i], @ 9 )
9 u0[j] += xqj * ksh0[i,j] mod @ 9
10 u1[j] += xqj * ksh1[i,j] mod @ 9
11 return (u0 , u1)
Listing 1: Key-switch implementation. RVec is an # -element
vector of 32-bit values, storing a single RNS polynomial in
either the coe�cient or the NTT domain.
coe�cients, called residue polynomials. To achieve this, the mod-
ulus & is chosen to be the product of ! smaller distinct primes,
& = @ 1@ 2 · · · @! . Then, a polynomial in '& can be represented as
! polynomials in '@1 , . . . , '@! , where the coe�cients in the 8-th
polynomial are simply the wide coe�cients modulo @8 . For exam-
ple, with , = 32-bit words, a ciphertext polynomial with 512-bit
modulus & is represented as ! = log &/, = 16 polynomials with
32-bit coe�cients.
All FHE operations can be carried out under RNS representation,
and have either better or equivalent bit-complexity than operating
on one wide-coe�cient polynomial.
2.4 Architectural analysis of FHE
We now analyze a key FHE kernel in depth to understand how we
can (and cannot) accelerate it. Speci�cally, we consider the key-
switching operation, which is expensive and takes the majority of
work in all of our benchmarks.
Listing 1 shows an implementation of key-switching. Key-switch-
ing takes three inputs: a polynomial x, and two key-switch hint
matrices ksh0 and ksh1. x is stored in RNS form as ! residue poly-
nomials (RVec). Each residue polynomial x[i] is a vector of #
32-bit integers modulo @8 . Inputs and outputs are in the NTT do-
main; only the y[i] polynomials (line 3) are in coe�cient form.
Computation vs. data movement: A single key-switch requires
! 2 NTTs, 2! 2 multiplications, and 2! 2 additions of # -element
vectors. In RNS form, the rest of a homomorphic multiplication
(excluding key-switching) is 4! multiplications and 3! additions
(Sec. 2.2), so key-switching is dominant.
However, the main cost at high values of ! and # is data move-
ment. For example, at ! = 16, # = 16 , each RNS polynomial
(RVec) is 64 KB; each ciphertext polynomial is 1 MB; each cipher-
text is 2 MB; and the key-switch hints dominate, taking up 32 MB.
With F1’s compute throughput, fetching the inputs of each key-
switching from o�-chip memory would demand about 10 TB/s of
memory bandwidth. Thus, it is crucial to reuse these values as much
as possible.
Fortunately, key-switch hints can be reused: all homomorphic
multiplications use the same key-switch hint matrices, and each
automorphism has its own pair of matrices. But values are so large
that few of them �t on-chip.
Finally, note that there is no e�ective way to decompose or tile
this operation to reduce storage needs while achieving good reuse:
tiling the key-switch hint matrices on either dimension produces
many long-lived intermediate values; and tiling across RVec ele- High-Bandwidth Memory Compute cluster
ments is even worse because in NTTs every input element a�ects Vector Register
...
every output element. Mem ctrl Mem ctrl Mem ctrl Mem ctrl File (banked)

Memory hierarchy
Performance requirements: We conclude that, to accommodate
... x128 lanes
...
these large operands, an FHE accelerator requires a memory system Scratchpad

Distributed control
banks (x16) NTT

Vector functional units

that (1) decouples data movement from computation, as demand
misses during frequent key-switches would tank performance; and
(2) implements a large amount of on-chip storage (over 32 MB in
our example) to allow reuse across entire homomorphic operations
(e.g., reusing the same key-switch hints across many homomorphic
multiplications).
Moreover, the FHE accelerator must be designed to use the mem-
ory system well. First, scheduling data movement and computation
is crucial: data must be fetched far ahead of its use to provide de-
coupling, and operations must be ordered carefully to maximize
reuse. Second, since values are large, excessive parallelism can in-
crease footprint and hinder reuse. Thus, the system should use
relatively few high-throughput functional units rather than many
low-throughput ones.
Functionality requirements: Programmable FHE accelerators
must support a wide range of parameters, both # (polynomial/vec-
tor sizes) and ! (number of RNS polynomials, i.e., number of 32-bit
prime factors of &). While # is generally �xed for a single program,
! changes as modulus switching sheds o� polynomials.
Moreover, FHE accelerators must avoid overspecializing in order
to support algorithmic diversity. For instance, we have described
an implementation of key-switching, but there are others [34, 45]
with di�erent tradeo�s. For example, an alternative implementation
requires much more compute but has key-switch hints that grow
with ! instead of ! 2 , so it becomes attractive for very large ! (⇠20).
F1 accelerates primitive operations on large vectors: modular arith-
metic, NTTs, and automorphisms. It exploits wide vector processing
to achieve very high throughput, even though this makes NTTs
and automorphisms costlier. F1 avoids building functional units for
coarser primitives, like key-switching, which would hinder algo-
rithmic diversity.
Limitations of prior accelerators: Prior work has proposed sev-
eral FHE accelerators for FPGAs [20, 21, 27, 52, 53, 65, 66, 71]. These
systems have three important limitations. First, they work by accel-
erating some primitives but defer others to a general-purpose host
processor, and rely on the host processor to sequence operations.
This causes excessive data movement that limits speedups. Second,
these accelerators build functional units for �xed parameters # and
! (or log & for those not using RNS). Third, many of these systems
build overspecialized primitives that limit algorithmic diversity.
Most of these systems achieve limited speedups, about 10⇥ over
software baselines. HEAX [65] achieves larger speedups (200⇥ vs.
a single core). But it does so by overspecializing: it uses relatively
low-throughput functional units for primitive operations, so to
achieve high performance, it builds a �xed-function pipeline for
key-switching.
2.5 FHE schemes other than BGV
We have so far focused on BGV, but other FHE schemes provide
di�erent tradeo�s. For instance, whereas BGV requires integer
plaintexts, CKKS [17] supports “approximate” computation on
5
...
Automorphism
On-chip network
x x
... Mod mult x
(3 16x16 crossbars)
... x x
... Mod mult x
+ +
... Mod add +
Compute clusters
Mod add
(x16) + +
... +
Figure 2: Overview of the F1 architecture.
�xed-point values. B/FV [13, 28] encodes plaintexts in a way that
makes modulus switching before homomorphic multiplication un-
necessary, thus easing programming (but forgoing the e�ciency
gains of modulo switching). And GSW [35] features reduced, asym-
metric noise growth under homomorphic multiplication, but en-
crypts a small amount of information per ciphertext (not a full
# /2-element vector).
Because F1 accelerates primitive operations rather than full ho-
momorphic operations, it supports BGV, CKKS, and GSW with the
same hardware, since they use the same primitives. Accelerating
B/FV would require some other primitives, so, though adding sup-
port for them would not be too di�cult, our current implementation
does not target it.
3 F1 ARCHITECTURE
Fig. 2 shows an overview of F1, which we derive from the insights
in Sec. 2.4.
Vector processing with specialized functional units: F1 fea-
tures wide-vector execution with functional units (FUs) tailored to
primitive FHE operations. Speci�cally, F1 implements vector FUs
for modular addition, modular multiplication, NTTs (forward and
inverse in the same unit), and automorphisms. Because we leverage
RNS representation, these FUs use a �xed, small arithmetic word
size (32 bits in our implementation), avoiding wide arithmetic.
FUs process vectors of con�gurable length # using a �xed num-
ber of vector lanes ⇢. Our implementation uses ⇢ =128 lanes and
supports power-of-two lengths # from 1,024 to 16,384. This covers
the common range of FHE polynomial sizes, so an RNS polynomial
maps to a single vector. Larger polynomials (e.g., of 32K elements)
can use multiple vectors.
All FUs are fully pipelined, so they achieve the same throughput
of ⇢ =128 elements/cycle. FUs consume their inputs in contiguous
chunks of ⇢ elements in consecutive cycles. This is easy for element-
wise operations, but hard for NTTs and automorphisms. Sec. 5
details our novel FU implementations, including the �rst vector
implementation of automorphisms. Our evaluation shows that these
FUs achieve much higher performance than those of prior work.
This is important because, as we saw in Sec. 2.4, having fewer high-
throughput FUs reduces parallelism and thus memory footprint.
Compute clusters: Functional units are grouped in compute clus-
ters, as Fig. 2 shows. Each cluster features several FUs (1 NTT,
1 automorphism, 2 multipliers, and 2 adders in our implementa-
tion) and a banked register �le that can (cheaply) supply enough
operands each cycle to keep all FUs busy. The chip has multiple
clusters (16 in our implementation).
Memory system: F1 features an explicitly managed memory hier-
archy. As Fig. 2 shows, F1 features a large, heavily banked scratch-
pad (64 MB across 16 banks in our implementation). The scratchpad
interfaces with both high-bandwidth o�-chip memory (HBM2 in
our implementation) and with compute clusters through an on-chip
network.
F1 uses decoupled data orchestration [60] to hide main memory
latency. Scratchpad banks work autonomously, fetching data from
main memory far ahead of its use. Since memory has relatively
low bandwidth, o�-chip data is always staged in scratchpads, and
compute clusters do not access main memory directly.
The on-chip network connecting scratchpad banks and compute
clusters provides very high bandwidth, which is necessary because
register �les are small and achieve limited reuse. We implement
a single-stage bit-sliced crossbar network [58] that provides full
bisection bandwidth. Banks and the network have wide ports (512
bytes), so that a single scratchpad bank can send a vector to a
compute unit at the rate it is consumed (and receive it at the rate
it is produced). This avoids long staging of vectors at the register
�les.
Static scheduling: Because FHE programs are completely regular,
F1 adopts a static, exposed microarchitecture: all components have
�xed latencies, which are exposed to the compiler. The compiler
is responsible for scheduling operations and data transfers in the
appropriate cycles to prevent structural or data hazards. This is in
the style of VLIW processors [30].
Static scheduling simpli�es logic throughout the chip. For ex-
ample, FUs need no stalling logic; register �les and scratchpad
banks need no dynamic arbitration to handle con�icts; and the
on-chip network uses simple switches that change their con�gura-
tion independently over time, without the bu�ers and arbiters of
packet-switched networks.
Because memory accesses do have a variable latency, we assume
the worst-case latency, and bu�er data that arrives earlier (note that,
because we access large chunks of data, e.g., 64 KB, this worst-case
latency is not far from the average).
Distributed control: Though static scheduling is the hallmark of
VLIW, F1’s implementation is quite di�erent: rather than having a
single stream of instructions with many operations each, in F1 each
component has an independent instruction stream. This is possible
because F1 does not have any control �ow: though FHE programs
may have loops, we unroll them to avoid all branches, and compile
programs into linear sequences of instructions.
This approach may appear costly. But vectors are very long, so
each instruction encodes a lot of work and this overhead is mini-
mal. Moreover, this enables a compact instruction format, which
encodes a single operation followed by the number of cycles to
wait until running the next instruction. This encoding avoids the
low utilization of VLIW instructions, which leave many operation
slots empty. Each FU, register �le, network switch, scratchpad bank,
and memory controller has its own instruction stream, which a
control unit fetches in small blocks and distributes to components.
Overall, instruction fetches consume less than 0.1% of memory
tra�c.
6
Architecture numClusters = 10;
numBanks = 16;
Description
FHE DSL Homomorphic Data
Cycle-Level
Operation Movement
x = InputCT() Scheduler
y = InputCT() Compiler 1 Scheduler 2
prod = Mul(x, y) Instruction DFG Data Mov. DFG
1 tmp
2 Static Schedule
ADD
MUL load
Cycle 37:
move RF1[0] <- B3[2]
NTT store issue NTT3 (RF3[2])
Figure 3: Overview of the F1 compiler.
Register �le (RF) design: Each cluster in F1 requires 10 read ports
and 6 write ports to keep all FUs busy. To enable this cheaply, we
use an 8-banked element-partitioned register �le design [5] that
leverages long vectors: each vector is striped across banks, and
each FU cycles through all banks over time, using a single bank
each cycle. By staggering the start of each vector operation, FUs
access di�erent banks each cycle. This avoids multiporting, requires
a simple RF-FU interconnect, and performs within 5% of an ideal
in�nite-ported RF.
4 SCHEDULING DATA AND COMPUTATION
We now describe F1’s software stack, focusing on the new static
scheduling algorithms needed to use hardware well.
Fig. 3 shows an overview of the F1 compiler. The compiler takes
as input an FHE program written in a high-level domain speci�c
language (Sec. 4.1). The compiler is structured in three stages. First,
the homomorphic operation compiler orders high-level operations
to maximize reuse and translates the program into a computation
data�ow graph, where operations are computation instructions
but there are no loads or stores. Second, the o�-chip data move-
ment scheduler schedules transfers between main memory and the
scratchpad to achieve decoupling and maximize reuse. This phase
uses a simpli�ed view of hardware, considering it as a scratchpad
directly attached to functional units. The result is a data�ow graph
that includes loads and stores from o�-chip memory. Third, the
cycle-level scheduler re�nes this data�ow graph. It uses a cycle-
accurate hardware model to divide instructions across compute
clusters and schedule on-chip data transfers. This phase determine
the exact cycles of all operations, and produces the instruction
streams for all components.
This multi-pass scheduling primarily minimizes o�-chip data
movement, the critical bottleneck. Only in the last phase do we
consider on-chip placement and data movement.
Comparison with prior work: We initially tried static scheduling
algorithms from prior work [7, 12, 37, 50, 57], which primarily
target VLIW architectures. However, we found these approaches
ill-suited to F1 for multiple reasons. First, VLIW designs have less-
�exible decoupling mechanisms and minimizing data movement
is secondary to maximizing compute operations per cycle. Second,
prior algorithms often focus on loops, where the key concern is to
�nd a compact repeating schedule, e.g., through software pipelin-
ing [47]. By contrast, F1 has no �ow control and we can schedule
each operation independently. Third, though prior work has pro-
posed register-pressure-aware instruction scheduling algorithms,
they targeted small register �les and basic blocks, whereas we must
manage a large scratchpad over a much longer horizon. Thus, the
 1 p = Program (N = 16384)
2 M_rows = [ p.Input(L = 16) for i in range (4) ]
3 output = [ None for i in range (4) ]
4 V = p. Input(L = 16)
5 M[1] ciphertext (16K slots)
6 def innerSum (X):
7 for i in range(log2(p.N)):
8 X = Add(X, Rotate (X, 1 << i))
9 return X
10
11 for i in range (4):
12 prod = Mul( M_rows [i], V)
13 output [i] = innerSum (prod)
Listing 2: (4 ⇥ 16 ) matrix-vector multiply in F1’s DSL.
algorithms we tried either worked poorly [37, 50, 57] or could not
scale to the sizes required [7, 10, 70, 77].
For example, when considering an algorithm such as Code Sched-
uling to Minimize Register Usage (CSR) [37], we �nd that the sched-
ules it produces su�er from a large blowup of live intermediate
values. This large footprint causes scratchpad thrashing and re-
sults in poor performance. Furthermore, CSR is also quite computa-
tionally expensive, requiring long scheduling times for our larger
benchmarks. We evaluate our approach against CSR in Sec. 8.3.
We also attempted to frame scheduling as a register allocation
problem. E�ectively, the key challenge in all of our schedules is data
movement, not computation. Finding a register allocation which
minimizes spilling could provide a good basis for an e�ective sched-
ule. However, our scratchpad stores at least 1024 residue vectors
(1024 at maximum # = 16 , more for smaller values of # ), and
many of our benchmarks involve hundreds of thousands of instruc-
tions, meaning that register allocation algorithms simply could not
scale to our required sizes [7, 10, 70, 77].
4.1 Translating the program to a data�ow
graph
We implement a high-level domain-speci�c language (DSL) for
writing F1 programs. To illustrate this DSL and provide a running
example, Listing 2 shows the code for matrix-vector multiplication.
This follows HELib’s algorithm [38] , which Fig. 4 shows. This toy
4⇥16 matrix-vector multiply uses input ciphertexts with # = 16 .
Because accessing individual vector elements is not possible, the
code uses homomorphic rotations to produce each output element.
As Listing 2 shows, programs in this DSL are at the level of
the simple FHE interface presented in Sec. 2.1. There is only one
aspect of the FHE implementation in the DSL: programs encode
the desired noise budget (! = 16 in our example), as the compiler
does not automate noise management.
4.2 Compiling homomorphic operations
The �rst compiler phase works at the level of the homomorphic
operations provided by the DSL. It clusters operations to improve
reuse, and translates them down to instructions.
Ordering homomorphic operations seeks to maximize the reuse
of key-switch hints, which is crucial to reduce data movement
(Sec. 2.4). For instance, the program in Listing 2 uses 15 di�erent
sets of key-switch hint matrices: one for the multiplies (line 12),
and a di�erent one for each of the rotations (line 8). If this pro-
gram was run sequentially as written, it would cycle through all 15
7
Matrix V Dot-products
M[0] V
M[0] ciphertext (16K slots)
ciphertext (16K slots)
.
M[0].V
M[1].V.
Vector
Rotate(1)
M[2] ciphertext (16K slots) M[2].V. …
…
Rotate(14)
M[3] ciphertext (16K slots) M[3]. V.
Figure 4: Example matrix-vector multiply using FHE.
key-switching hints (which total 480 MB, exceeding on-chip stor-
age) four times, achieving no reuse. Clearly, it is better to reorder
the computation to perform all four multiplies, and then all four
Rotate(X, 1), and so on. This reuses each key-switch hint four
times.
To achieve this, this pass �rst clusters independent homomorphic
operations that reuse the same hint, then orders all clusters through
simple list-scheduling. This generates schedules with good key-
switch hint reuse.
Translation: Each homomorphic operation is then compiled into
instructions, using the implementation of each operation in the
target FHE scheme (BGV, CKKS, or GSW). Each homomorphic
operation may translate to thousands of instructions. These instruc-
tions are also ordered to minimize the amount of intermediates.
The end result is an instruction-level data�ow graph where every
instruction is tagged with a priority that re�ects its global order.
The compiler exploits algorithmic choice. Speci�cally, there are
multiple implementations of key-switching (Sec. 2.4), and the right
choice depends on !, the amount of key-switch reuse, and load
on FUs. The compiler leverages knowledge of operation order to
estimate these and choose the right variant.
4.3 Scheduling data transfers
The second compiler phase consumes an instruction-level data�ow
graph and produces an approximate schedule that includes data
transfers decoupled from computation, minimizes o�-chip data
transfers, and achieves good parallelism. This requires solving an
interdependent problem: when to bring a value into the scratchpad
and which one to replace depends on the computation schedule;
and to prevent stalls, the computation schedule depends on which
values are in the scratchpad. To solve this problem, this scheduler
uses a simpli�ed model of the machine: it does not consider on-
chip data movement, and simply treats all functional units as being
directly connected to the scratchpad.
The scheduler is greedy, scheduling one instruction at a time.
It considers instructions ready if their inputs are available in the
scratchpad, and follows instruction priority among ready ones. To
schedule loads, we assign each load a priority
? (load) = max{? (D)|D 2 DB4AB (load)},
then greedily issue loads as bandwidth becomes available. When
issuing an instruction, we must ensure that there is space to store
its result. We can often replace a dead value. When no such value
exists, we evict the value with the furthest expected time to reuse.
We estimate time to reuse as the maximum priority among unissued
users of the value. This approximates Belady’s optimal replacement
policy [8]. Evictions of dirty data add stores to the data�ow graph.
When evicting a value, we add spill (either dirty or clean) and �ll Input Permute column
Permute row
Transpose (i.e., transposed column) Transpose
instructions to our data�ow graph. 12 8 4 0 12 8 4 0 1 2 3 0 1 6 11 0 4 8 12 0
13 9 5 1 15 11 7 3 5 6 7 4 13 2 7 12 15 3 7 11
4.4 Cycle-level scheduling 14 10 6 2 14 10 6 2 9 10 11 8 9 14 3 8 10 14 2 6
15 11 7 3 13 9 5 1 13 14 15 12 5 10 15 4 5 9 13 1
Finally, the cycle-level scheduler takes in the data movement sched-
Figure 5: Applying f3 on an RNS polynomial of four 4-
ule produced by the previous phase, and schedules all operations
element chunks by using only permutations local to chunks.
for all components considering all resource constraints and data de-
pendences. This phase distributes computation across clusters and banking scheme, some automorphisms will map many consecutive
manages their register �les and all on-chip transfers. Importantly, elements to the same bank.
this scheduler is fully constrained by its input schedule’s o�-chip We contribute a new insight that makes vectorizing automor-
data movement. It does not add loads or stores in this stage, but it phisms simple: if we interpret a residue polynomial as a ⌧ ⇥ ⇢
does move loads to their earliest possible issue cycle to avoid stalls matrix, an automorphism can always be decomposed into two inde-
on missing operands. All resource hazards are resolved by stalling. pendent column and row permutations. If we transpose this matrix,
In practice, we �nd that this separation of scheduling into data both column and row permutations can be applied in chunks of
movement and instruction scheduling produces good schedules in ⇢ elements. Fig. 5 shows an example of how automorphism f3 is
reasonable compilation times. applied to a residue polynomial with # = 16 and ⇢ = 4 elements/-
This stage works by iterating through all instructions in the cycle. Note how the permute column and row operations are local
order produced by the previous compiler phase (Sec. 4.3) and deter- to each 4-element chunk. Other f: induce di�erent permutations,
mining the minimum cycle at which all required on-chip resources but with the same row/column structure.
are available. We consider the availability of o�-chip bandwidth, Our automorphism unit, shown in Fig. 6, uses

Permute columns
sign flip
scratchpad space, register �le space, functional units, and ports. this insight to be both vectorized (consuming ⇢ =
During this �nal compiler pass, we �nally account for store 128 elements/cycle) and fully pipelined. Given a aut!
bandwidth, scheduling stores (which result from spills) as needed. residue polynomial of # = ⌧ · ⇢ elements, the au- cyclic shift
In practice, we �nd that this does not hurt our performance much, tomorphism unit �rst applies the column permu-
as stores are infrequent across most of our benchmarks due to tation to each ⇢-element input. Then, it feeds this transpose

our global schedule and replacement policy design. After the �nal
schedule is generated, we validate it by simulating it forward to
ensure that no clobbers or resource usage violations occur.
It is important to note that because our schedules are fully static,
our scheduler also doubles as a performance measurement tool. As
illustrated in Fig. 3, the compiler takes in an architecture description
�le detailing a particular con�guration of F1. This �exibility allows
us to conduct design space explorations very quickly (Sec. 8.4).
5 FUNCTIONAL UNITS
In this section, we describe F1’s novel functional units. These in-
clude the �rst vectorized automorphism unit (Sec. 5.1), the �rst
fully-pipelined �exible NTT unit (Sec. 5.2), and a new simpli�ed
modular multiplier adapted to FHE (Sec. 5.3).
5.1 Automorphism unit
Because F1 uses ⇢ vector lanes, each residue polynomial is stored
and processed as ⌧ groups, or chunks, of ⇢ elements each (# =
⌧ · ⇢). An automorphism f: maps the element at index 8 to index
:8 mod # ; there are # automorphisms total, two for each odd : <
# (Sec. 2.2). The key challenge in designing an automorphism unit
is that these permutations are hard to vectorize: we would like this
unit to consume and produce ⇢ =128 elements/cycle, but the vectors
are much longer, with # up to 16 K, and elements are permuted
across di�erent chunks. Moreover, we must support variable # and
all automorphisms.
Standard solutions fail: a 16 K⇥16 K crossbar is much too large; a
scalar approach, like reading elements in sequence from an SRAM,
is too slow (taking # cycles); and using banks of SRAM to in-
crease throughput runs into frequent bank con�icts: each automor-
phism “spreads” elements with a di�erent stride, so regardless of the
8
Permute rows
to a transpose unit that reads in the whole residue
aut!
polynomial interpreting it as a ⌧ ⇥ ⇢ matrix, and
produces its transpose ⇢ ⇥ ⌧. The transpose unit transpose
outputs ⇢ elements per cycle (outputting multiple
rows per cycle when ⌧ < ⇢). Row permutations Figure 6: Au-
are applied to each ⇢-element chunk, and the re- tomorphism
verse transpose is applied. unit.
Further, we decompose both the row and col-
umn permutations into a pipeline of sub-permutations that are �xed
in hardware, with each sub-permutation either applied or bypassed
based on simple control logic; this avoids using crossbars for the
⇢-element permute row and column operations.
Transpose unit: Our quadrant-swap transpose unit transposes an
⇢ ⇥ ⇢ (e.g., 128 ⇥ 128) matrix by recursively decomposing it into
quadrants and exploiting the identity
 T  T
A B A CT
= .
C D BT DT
The basic building block is a ⇥ quadrant-swap unit, which
swaps quadrants B and C, as shown in Fig. 7(left). Operationally,
the quadrant swap procedure consists of three steps, each taking
/2 cycles:
(1) Cycle i in the �rst step reads A[i] and C[i] and stores them
in top[i] and bottom[i], respectively.
(2) Cycle i in the second step reads B[i] and D[i]. The unit
activates the �rst swap MUX and the bypass line, thus storing
D[i] in top[i] and outputing A[i] (by reading from top[i])
and B[i] via the bypass line.
(3) Cycle i in the third step outputs D[i] and C[i] by reading
from top[i] and bottom[i], respectively. The second swap
MUX is activated so that C[i] is on top.
 Transpose Unit Crucially, we are able to support all values of # using a single
top 4x4
swap if N == 64 four-step NTT pipeline by conditionally bypassing layers in the sec-
buffer
ond NTT butter�y. We use the same transpose unit implementation
Swap?

8x8 Quadrant Swap

bottom Swap? as with automorphisms.
4x4 0
swap if N >= 32 Our four-step pipeline supports negacyclic NTTs (NCNs), which
buffer
1 4x4 4x4 are more e�cient than standard non-negacyclic NTTs (that would
Bypass line
Quadrant Quadrant require padding, Sec. 2.3). Speci�cally, we extend prior work [49,
Swap Swap 62, 67] in order to support both forward and inverse NCNs using
A B the same hardware as for the standard NTT. Namely, prior work
8x8
Quadrant
A C swap if N >= 16
shows how to either (1) perform a forward NCN via a standard
2x2 2x2 2x2 2x2
C D Swap
B D QS QS QS QS decimation-in-time (DIT) NTT pipeline, or (2) perform an inverse
NCN via a standard decimation-in-frequency (DIF) NTT pipeline.
Figure 7: Transpose unit (right) and its component quadrant-
The DIF and DIT NTT variants use di�erent hardware; therefore,
swap unit (left).
this approach requires separate pipelines for forward and inverse
x12 x8 x4 x0
NCNs. Prior work [49] has shown that separate pipelines can be
f12 f8 f4 f0
Twiddle avoided by adding a multiplier either before or after the NTT: doing
Transpose

x13 x9 x5 x1
Multiply
DIT NTT

f13 f9 f5 f1
DIF NTT

SRAM an inverse NCN using a DIT NTT requires a multiplier unit after
x14 x10 x6 x2 f14 f10 f6 f2
the NTT, while doing a forward NCN using a DIF NTT requires a
x15 x11 x7 x3 Inverse? f15 f11 f7 f3 multiplier unit before the NTT.
16-element NTT/Inverse NTT
We now show that both the forward and inverse NCN can be done
Figure 8: Example of a four-step NTT datapath that uses 4- in the same standard four-step NTT pipeline, with no additional
point NTTs to implement 16-point NTTs. hardware. This is because the four-step NTT already has a multiplier
and two NTTs in its pipeline. We set the �rst NTT to be decimation-
Note that step 3 for one input can be done in parallel with step 1 in-time and the second to be decimation-in-frequency (Fig. 8). To
for the next, so the unit is fully pipelined. do a forward NTT, we use the forward NCN implementation via
The transpose is implemented by a full ⇢ ⇥ ⇢ quadrant-swap DIT NTT for the �rst NTT; we modify the contents of the Twiddle
followed by log2 ⇢ layers of smaller transpose units to recursively SRAM so that the multiplier does the pre-multiplication necessary
transpose A, B, C, and D. Fig. 7 (right) shows an implementation for to implement a forward NCN in the second NTT (which is DIF and
⇢ = 8. Finally, by selectively bypassing some of the initial quadrant thus requires the pre-multiplication). Conversely, to do an inverse
swaps, this transpose unit also works for all values of # (# = ⌧ ⇥ ⇢ NTT, we modify the Twiddle SRAM contents to do the post-multi-
with power-of-2 ⌧ < ⇢). plication necessary to implement an inverse NCN in the �rst NTT
Prior work has implemented transpose units for signal-processing (which is DIT); and we use the inverse NCN implementation via
applications, either using registers [76, 78] or with custom SRAM DIF NTT for the second NTT.
designs [68]. Our design has three advantages over prior work: The NTT unit is large: each of the 128-element NTTs requires
it uses standard SRAM memory, so it is dense without requiring ⇢ (log(⇢) 1)/2=384 multipliers, and the full unit uses 896 multi-
complex custom SRAMs; it is fully pipelined; and it works for a pliers. But its high throughput improves performance over many
wide range of dimensions. low-throughput NTTs (Sec. 8). This is the �rst implementation of a
fully-pipelined four-step NTT unit, improving NTT performance
5.2 Four-step NTT unit by 1,600⇥ over the state of the art (Sec. 8.1).
There are many ways to implement NTTs in hardware: an NTT is
like an FFT [19] but with a butter�y that uses modular multipliers. 5.3 Optimized modular multiplier
We implement # -element NTTs (from 1K to 16K) as a composi-
Modular multiplication computes 0 · 1 mod @. This is the most ex-
tion of smaller ⇢=128-element NTTs, since implementing a full
pensive and frequent operation. Therefore, improvements to the
16K-element NTT datapath is prohibitive. The challenge is that
modular multiplier have an almost linear impact on the computa-
standard approaches result in memory access patterns that are hard
tional capabilities of an FHE accelerator.
to vectorize.
Prior work [51] recognized that a Montgomery multiplier [55]
To that end, we use the four-step variant of the FFT algorithm [6],
within NTTs can be improved by leveraging the fact that the possi-
which adds an extra multiplication to produce a vector-friendly
ble values of modulus @ are restricted by the number of elements the
decomposition. Fig. 8 illustrates our four-step NTT pipeline for ⇢ =
4; we use the same structure with ⇢ = 128. The unit is fully pipelined
and consumes ⇢ elements per cycle. To compute an # = ⇢ ⇥ ⇢ NTT, Multiplier Area [`m2 ] Power [mW] Delay [ps]
the unit �rst computes an ⇢-point NTT on each ⇢-element group, Barrett 5, 271 18.40 1,317
multiplies each group with twiddles, transposes the ⇢ groups, and Montgomery 2, 916 9.29 1,040
computes another ⇢-element NTT on each transpose. The same NTT-friendly 2, 165 5.36 1,000
NTT unit implements the inverse NTT by storing multiplicative
FHE-friendly (ours) 1, 817 4.10 1,000
factors (twiddles) required for both forward and inverse NTTs in a
small twiddle SRAM. Table 1: Area, power, and delay of modular multipliers.
9
NTT is applied to. We notice that if we only select moduli @8 , such Component Area [mm2 ] TDP [W]
that @8 = 1 mod 216 , we can remove a mutliplier stage from [51];
this reduces area by 19% and power by 30% (Table 1). The additional NTT FU 2.27 4.80
restriction on @ is acceptable because FHE requires at most 10s of Automorphism FU 0.58 0.99
moduli [34], and our approach allows for 6,186 prime moduli. Multiply FU 0.25 0.60
Add FU 0.03 0.05
Vector RegFile (512 KB) 0.56 1.67
6 F1 IMPLEMENTATION Compute cluster 3.97 8.75
We have implemented F1’s components in RTL, and synthesize them (NTT, Aut, 2⇥ Mul, 2⇥ Add, RF)
in a commercial 14/12nm process using state-of-the-art tools. These Total compute (16 clusters) 63.52 140.0
include a commercial SRAM compiler that we use for scratchpad
and register �le banks. Scratchpad (16⇥4 MB banks) 48.09 20.35
We use a dual-frequency design: most components run at 1 GHz, 3⇥NoC (16⇥16 512 B bit-sliced [58]) 10.02 19.65
but memories (register �les and scratchpads) run double-pumped at Memory interface (2⇥HBM2 PHYs) 29.80 0.45
2 GHz. Memories meet this frequency easily and this enables using Total memory system 87.91 40.45
single-ported SRAMs while serving up to two accesses per cycle. Total F1 151.4 180.4
By keeping most of the logic at 1 GHz, we achieve higher energy
Table 2: Area and Thermal Design Power (TDP) of F1, and
e�ciency. We explored several non-blocking on-chip networks
breakdown by component.
(Clos, Benes, and crossbars). We use 3 16⇥16 bit-sliced crossbars [58]
(scratchpad!cluster, cluster!scratchpad, and cluster!cluster).
Table 2 shows a breakdown of area by component, as well as
dataset [46]. LoLa-MNIST includes two variants with unencrypted
the area of our F1 con�guration, 151.4 mm2 . FUs take 42% of the
and encrypted weights; LoLa-CIFAR is available only with unen-
area, with 31.7% going to memory, 6.6% to the on-chip network,
crypted weights. These three benchmarks use relatively low ! val-
and 19.7% to the two HBM2 PHYs. We assume 512 GB/s bandwidth
ues (their starting ! values are 4, 6, and 8, respectively), so they are
per PHY; this is similar to the NVIDIA A100 GPU [18], which has
less memory-bound. They also feature frequent automorphisms,
2.4 TB/s with 6 HBM2E PHYs [56]. We use prior work to estimate
showing the need for a fast automorphism unit.
HBM2 PHY area [24, 63] and power [32, 63].
DB Lookup is adapted from HELib’s BGV_country_db_lookup [41].
This design is constrained by memory bandwidth: though it has
A BGV-encrypted query string is used to traverse an encrypted
1 TB/s of bandwidth, the on-chip network’s bandwidth is 24 TB/s,
key-value store and return the corresponding value. The original
and the aggregate bandwidth between RFs and FUs is 128 TB/s. This
implementation uses a low security level for speed of demonstra-
is why maximizing reuse is crucial.
tion, but in our version, we implement it at ! =17, # =16K for
realism. We also parallelize the CPU version so it can e�ectively
7 EXPERIMENTAL METHODOLOGY use all available cores. DB Lookup is both deep and wide, so running
Modeled system: We evaluate our F1 implementation from Sec. 6. it on F1 incurs substantial o�-chip data movement.
We use a cycle-accurate simulator to execute F1 programs. Because Bootstrapping: We evaluate bootstrapping benchmarks for BGV
the architecture is static, this is very di�erent from conventional and CKKS. Bootstrapping takes an ! = 1 ciphertext with an ex-
simulators, and acts more as a checker: it runs the instruction hausted noise budget and refreshes it by bringing it up to a chosen
stream at each component and veri�es that latencies are as expected top value of ! = !<0G , then performing the bootstrapping compu-
and there are no missed dependences or structural hazards. We tation to eventually obtain a usable ciphertext at a lower depth (e.g.,
use activity-level energies from RTL synthesis to produce energy !<0G 15 for BGV).
breakdowns. For BGV, we use Sheri� and Peikert’s algorithm [3] for non-
Benchmarks: We use several FHE programs to evaluate F1. All packed BGV bootstrapping, with !<0G = 24. This is a particu-
programs come from state-of-the-art software implementations, larly challenging benchmark because it features computations at
which we port to F1: large values of !. This exercises the scheduler’s algorithmic choice
Logistic regression uses the HELR algorithm [40], which is based component, which selects the right key-switch method to balance
on CKKS. We compute a single batch of logistic regression train- computation and data movement.
ing with up to 256 features, and 256 samples per batch, starting at For CKKS, we use non-packed CKKS bootstrapping from HEA-
computational depth ! = 16; this is equivalent to the �rst batch of AN [16], also with !<0G = 24. CKKS bootstrapping has many
HELR’s MNIST workload. This computation features ciphertexts fewer ciphertext multiplications than BGV, greatly reducing reuse
with large log & (! = 14, 15, 16), so it needs careful data orchestra- opportunities for key-switch hints.
tion to run e�ciently. Baseline systems: We compare F1 with a CPU system running
Neural network benchmarks come from Low Latency CryptoNets the baseline programs (a 4-core, 8-thread, 3.5 GHz Xeon E3-1240v5).
(LoLa) [15]. This work uses B/FV, an FHE scheme that F1 does not Since prior accelerators do not support full programs, we also in-
support, so we use CKKS instead. We run two neural networks: clude microbenchmarks of single operations and compare against
LoLa-MNIST is a simple, LeNet-style network used on the MNIST HEAX [65], the fastest prior accelerator.
dataset [48], while LoLa-CIFAR is a much larger 6-layer network
(similar in computation to MobileNet v3 [42]) used on the CIFAR-10
10
 Execution time (ms) on CPU F1 Speedup
LoLa-CIFAR Unencryp. Wghts. 1.2 ⇥ 106 241 5, 011⇥
LoLa-MNIST Unencryp. Wghts. 2, 960 0.17 17, 412⇥
LoLa-MNIST Encryp. Wghts. 5, 431 0.36 15, 086⇥
Logistic Regression 8, 300 1.15 7, 217⇥
DB Lookup 29, 300 4.36 6, 722⇥
BGV Bootstrapping 4, 390 2.40 1, 830⇥
CKKS Bootstrapping 1, 554 1.30 1, 195⇥
gmean speedup 5, 432⇥
∗ LoLa’s
release did not include MNIST with encrypted weights, so
we reimplemented it in HELib.
Table 3: Performance of F1 and CPU on full FHE bench-
marks: execution times in milliseconds and F1’s speedup.

8 EVALUATION
8.1 Performance
Benchmarks: Table 3 compares the performance of F1 and the
CPU on full benchmarks. It reports execution time in millisec-
onds for each program (lower is better), and F1’s speedup over the
CPU (higher is better). F1 achieves dramatic speedups, from 1,195⇥
to 17,412⇥ (5,432⇥ gmean). CKKS bootstrapping has the lowest
speedups as it’s highly memory-bound; other speedups are within
a relatively narrow band, as compute and memory tra�c are more
balanced.
These speedups greatly expand the applicability of FHE. Consider
deep learning: in software, even the simple LoLa-MNIST network
takes seconds per inference, and a single inference on the more
realistic LoLa-CIFAR network takes 20 minutes. F1 brings this down
to 241 milliseconds, making real-time deep learning inference prac-
tical: when o�oading inferences to a server, this time is comparable
to the roundtrip latency between server and client.
Microbenchmarks: Table 4 compares the performance of F1, the
CPU, and HEAXf on four microbenchmarks: the basic NTT and
automorphism operations on a single ciphertext, and homomorphic
multiplication and permutation (which uses automorphisms). We
report three typical sets of parameters. We use microbenchmarks
to compare against prior accelerators, in particular HEAX. But
prior accelerators do not implement automorphisms, so we extend
each HEAX key-switching pipeline with an SRAM-based, scalar
automorphism unit. We call this extension HEAXf .
Table 4 shows that F1 achieves large speedups over HEAXf ,
ranging from 172⇥ to 1,866⇥. Moreover, F1’s speedups over the
(a) (b)
Figure 9: Per-benchmark breakdowns of (a) data movement
and (b) average power for F1.
CPU are even larger than in full benchmarks. This is because mi-
crobenchmarks are pure compute, and thus miss the data movement
bottlenecks of FHE programs.
8.2 Architectural analysis
To gain more insights into these results, we now analyze F1’s data
movement, power consumption, and compute.
Data movement: Fig. 9a shows a breakdown of o�-chip memory
tra�c across data types: key-switch hints (KSH), inputs/outputs,
and intermediate values. KSH and input/output tra�c is broken into
compulsory and non-compulsory (i.e., caused by limited scratchpad
capacity). Intermediates, which are always non-compulsory, are
classi�ed as loads or stores.
Fig. 9a shows that key-switch hints dominate in high-depth work-
loads (LogReg, DB Lookup, and bootstrapping), taking up to 94%
of tra�c. Key-switch hints are also signi�cant in the LoLa-MNIST
variants. This shows why scheduling should prioritize them. Sec-
ond, due our scheduler design, F1 approaches compulsory tra�c
for most benchmarks, with non-compulsory accesses adding only
5-18% of tra�c. The exception is LoLa-CIFAR, where intermedi-
ates consume 75% of tra�c. LoLa-CIFAR has very high reuse of
key-switch hints, and exploiting it requires spilling intermediate
ciphertexts.
Power consumption: Fig. 9b reports average power for each bench-
mark, broken down by component. This breakdown also includes

# = 212 , log & = 109 # = 213 , log & = 218 # = 214 , log & = 438
F1 vs. CPU vs. HEAXf F1 vs. CPU vs. HEAXf F1 vs. CPU vs. HEAXf
NTT 12.8 17,148⇥ 1,600⇥ 44.8 10,736⇥ 1,733⇥ 179.2 8,838⇥ 1,866⇥
Automorphism 12.8 7,364⇥ 440⇥ 44.8 8,250⇥ 426⇥ 179.2 16,957⇥ 430⇥
Homomorphic multiply 60.0 48,640⇥ 172⇥ 300 27,069⇥ 148⇥ 2,000 14,396⇥ 190⇥
Homomorphic permutation 40.0 17,488⇥ 256⇥ 224 10,814⇥ 198⇥ 1,680 6,421⇥ 227⇥
Table 4: Performance on microbenchmarks: F1’s reciprocal throughput, in nanoseconds per ciphertext operation (lower is
better) and speedups over CPU and HEAXf (HEAX augmented with scalar automorphism units) (higher is better).

11
 For the FU experiments, our goal is to show the importance of
having high-throughput units. Therefore, the low-throughput vari-
ants use many more (NTT or automorphism) FUs, so that aggregate
throughput across all FUs in the system is the same. Also, the sched-
uler accounts for the characteristics of these FUs. In both cases,
performance drops substantially, by gmean 2.6⇥ and 3.3⇥. This is
because achieving high throughput requires excessive parallelism,
which hinders data movement, forcing the scheduler to balance
both.
Finally, the scheduler experiment uses register-pressure-aware
scheduling [37] as the o�-chip data movement scheduler instead,
Figure 10: Functional unit and HBM utilization over time for operating on the full data�ow graph. This algorithm was proposed
the LoLa-MNIST PTW benchmark. for VLIW processors and register �les; we apply it to the larger
scratchpad. The large slowdowns show that prior capacity-aware
Benchmark LT NTT LT Aut CSR schedulers are ine�ective on F1.
LoLa-CIFAR Unencryp. Wghts. 3.5⇥ 12.1⇥ —∗
LoLa-MNIST Unencryp. Wghts. 5.0⇥ 4.2⇥ 1.1⇥ 8.4 Scalability
LoLa-MNIST Encryp. Wghts. 5.1⇥ 11.9⇥ 7.5⇥ Finally, we study how F1’s per-
Logistic Regression 1.7⇥ 2.3⇥ 11.7⇥ formance changes with its area
DB Lookup 2.8⇥ 2.2⇥ —∗ budget: we sweep the number
BGV Bootstrapping 1.5⇥ 1.3⇥ 5.0⇥ of compute clusters, scratchpad
CKKS Bootstrapping 1.1⇥ 1.2⇥ 2.7⇥ banks, HBM controllers, and
network topology to �nd the
gmean speedup 2.5⇥ 3.6⇥ 4.2⇥
most e�cient design at each
∗ CSR
is intractable for this benchmark. area. Fig. 11 shows this Pareto
Table 5: Speedups of F1 over alternate con�gurations: LT NT-
frontier, with area in the G-
T/Aut = Low-throughput NTT/Automorphism FUs; CSR =
axis and performance in the
Code Scheduling to minimize Register Usage [37].
~-axis. This curve shows that,
as F1 scales, it uses resources Figure 11: Performance vs.
e�ciently: performance grows area across F1 con�gurations.
o�-chip memory power (Table 2 only included the on-chip compo- about linearly through a large range of areas.
nent). Results show reasonable power consumption for an accelera-
tor card. Overall, computation consumes 20-30% of power, and data 8.5 Functional Simulation
movement dominates.
Here we describe our software simulation e�orts for F1. Currently,
Utilization over time: F1’s average FU utilization is about 30%.
we have a functional simulator written in C++ on top of Shoup’s
However, this doesn’t mean that fewer FUs could achieve the same
performance: benchmarks have memory-bound phases that weigh Number Theory Library.† This simulator measures input-output
down average FU utilization. To see this, Fig. 10 shows a break- correctness and calls to functional units throughout a computation.
down of FU utilization over time for LoLa-MNIST Plaintext Weights. The underlying algorithms are not the same as F1’s functional units,
Fig. 10 also shows o�-chip bandwidth utilization over time (black but they match common methods used in software (i.e., HElib’s
line). The program is initially memory-bound, and few FUs are algorithms). This allows one to verify correctness of FHE algo-
active. As the memory-bound phase ends, compute intensity grows, rithms and to create a data�ow graph. The simulator has all our
utilizing a balanced mix of the available FUs. Finally, due to decou- functional units implemented in software: modular additions, mod-
pled execution, when memory bandwidth utilization peaks again, ular multiplications, automorphisms, and NTTs. We then build
F1 can maintain high compute intensity. The highest FU utilization ciphertext-level operations by calls to these algorithms: ciphertext
happens at the end of the benchmark and is caused by processing addition, ciphertext multiplication, rotations, modulus-switching,
the �nal (fully connected) layer, which is highly parallel and already and a simpli�ed bootstrapping procedure, for non-packed cipher-
has all inputs available on-chip. texts. Our functional simulator works for the parameter ranges
discussed throughout the paper: polynomial/ring dimension # as
8.3 Sensitivity studies an arbitrary power of 2 (usually 1024-16384 for security) and RNS
moduli where each is an NTT-friendly prime, @8 ⌘ 1 mod 2# ,
To understand the impact of our FUs and scheduling algorithms,
roughly 24 bits long. Further, each moduli is sampled randomly,
we evaluate F1 variants without them. Table 5 reports the slowdown
similarly to other FHE RNS implementations.
(higher is worse) of F1 with: (1) low-throughput NTT FUs that
follow the same design as HEAX (processing one stage of NTT 9 RELATED WORK
butter�ies per cycle); (2) low-throughput automorphism FUs using
a serial SRAM memory, and (3) Goodman’s register-pressure-aware We now discuss related work not covered so far.
scheduler [37]. † https://libntl.org/

12
FHE accelerators: Prior work has proposed accelerators for indi-
vidual FHE operations, but not full FHE computations [20, 21, 22,
27, 52, 53, 65, 66, 71]. These designs target FPGAs and rely on a
host processor; Sec. 2.4 discussed their limitations. Early designs
accelerated small primitives like NTTs, and were dominated by
host-FPGA communication. State-of-the-art accelerators execute
a full homomorphic multiplication independently: Roy et al. [66]
accelerate B/FV multiplication by 13⇥ over a CPU; HEAWS [71]
accelerates B/FV multiplication, and uses it to speed a simple bench-
mark by 5⇥; and HEAX [65] accelerates CKKS multiplication and
key-switching by up to 200⇥. These designs su�er high data move-
ment (e.g., HEAX does not reuse key-switch hints) and use �xed
pipelines with relatively low-throughput FUs.
We have shown that accelerating FHE programs requires a di�er-
ent approach: data movement becomes the key constraint, requiring
new techniques to extract reuse across homomorphic operations;
and �xed pipelines cannot support the operations of even a single
benchmark. Instead, F1 achieves �exibility and high performance
by exploiting wide-vector execution with high-throughput FUs.
This lets F1 execute not only full applications, but di�erent FHE
schemes.
Hybrid HE-MPC accelerators: Recent work has also proposed
ASIC accelerators for some homomorphic encryption primitives in
the context of oblivious neural networks [44, 64]. These approaches
are very di�erent from FHE: they combine homomorphic encryp-
tion with multi-party computation (MPC), executing a single layer
of the network at a time and sending intermediates to the client,
which computes the �nal activations. Gazelle [44] is a low-power
ASIC for homomorphic evaluations, and Cheetah [64] introduces
algorithmic optimizations and a large ASIC design that achieves
very large speedups over Gazelle.
These schemes avoid high-depth FHE programs, so server-side
homomorphic operations are cheaper. But they are limited by client-
side computation and client-server communication: Cheetah and
Gazelle use ciphertexts that are up to ⇠ 40⇥ smaller than those used
by F1; however, they require the client to re-encrypt ciphertexts
every time they are multiplied on the server to prevent noise blowup.
CHOCO [72] shows that client-side computation costs for HE-MPC
are substantial, and when they are accelerated, network latency
and throughput overheads dominate (several seconds per DNN
inference). By contrast, F1 enables o�oading the full inference
using FHE, avoiding frequent communication. As a result, a direct
comparison between these accelerators and F1 is not possible.
F1’s hardware also di�ers substantially from Cheetah and Gazelle.
First, Cheetah and Gazelle implement �xed-function pipelines (e.g.,
for output-stationary DNN inference in Cheetah), whereas F1 is
programmable. Second, Cheetah, like HEAX, uses many FUs with
relatively low throughput, whereas F1 uses few high-throughput
units (e.g., 40⇥ faster NTTs). Cheetah’s approach makes sense for
their small ciphertexts, but as we have seen (Sec. 8.3), it is impracti-
cal for FHE.
GPU acceleration: Finally, prior work has also used GPUs to ac-
celerate di�erent FHE schemes, including GH [74, 75], BGV [73],
and B/FV [1]. Though GPUs have plentiful compute and band-
width, they lack modular arithmetic, their pure data-parallel ap-
proach makes non-element-wise operations like NTTs expensive,
and their small on-chip storage adds data movement. As a result,
13
GPUs achieve only modest performance gains. For instance, Badawi
et al. [1] accelerate B/FV multiplication using GPUs, and achieve
speedups of around 10⇥ to 100⇥ over single-thread CPU execution
(and thus commensurately lower speedups over multicore CPUs,
as FHE operations parallelize well).
10 CONCLUSION
FHE has the potential to enable computation o�oading with guar-
anteed security. But FHE’s high computation overheads currently
limit its applicability to narrow cases (simple computations where
privacy is paramount). F1 tackles this challenge, accelerating full
FHE computations by over 3-4 orders of magnitude. This enables
new use cases for FHE, like secure real-time deep learning inference.
F1 is the �rst FHE accelerator that is programmable, i.e., capa-
ble of executing full FHE programs. In contrast to prior accelera-
tors, which build �xed pipelines tailored to speci�c FHE schemes
and parameters, F1 introduces a more e�ective design approach:
it accelerates the primitive computations shared by higher-level
operations using novel high-throughput functional units, and hard-
ware and compiler are co-designed to minimize data movement, the
key bottleneck. This �exibility makes F1 broadly useful: the same
hardware can accelerate all operations within a program, arbitrary
FHE programs, and even multiple FHE schemes. In short, our key
contribution is to show that, for FHE, we can achieve ASIC-level
performance without sacri�cing programmability.
ACKNOWLEDGMENTS
We thank the anonymous reviewers, Maleen Abeydeera, Hyun Ry-
ong Lee, Quan Nguyen, Yifan Yang, Victor Ying, Guowei Zhang, and
Joel Emer for feedback on the paper; Tutu Ajayi, Austin Rovinski,
and Peter Li for help with the HDL toolchain setup; Shai Halevi, Wei
Dai, Olli Saarikivi, and Madan Musuvathi for email correspondence.
This research was developed with funding from the Defense Ad-
vanced Research Projects Agency (DARPA) under contract number
Contract No. HR0011-21-C-0035. The views, opinions and/or �nd-
ings expressed are those of the author and should not be interpreted
as representing the o�cial views or policies of the Department of
Defense or the U.S. Government. Nikola Samardzic was supported
by the Jae S. and Kyuho Lim Graduate Fellowship at MIT.
REFERENCES
[1] A. Q. A. Al Badawi, Y. Polyakov, K. M. M. Aung, B. Veeravalli, and K. Rohlo�,
“Implementation and performance evaluation of RNS variants of the BFV homo-
morphic encryption scheme,” IEEE Transactions on Emerging Topics in Computing,
vol. 9, no. 2, 2021.
[2] M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi,
J. Ho�stein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison,
A. Sahai, and V. Vaikuntanathan, “Homomorphic encryption security standard,”
HomomorphicEncryption.org, Tech. Rep., 2018.
[3] J. Alperin-Sheri� and C. Peikert, “Practical bootstrapping in quasilinear time,” in
Annual Cryptology Conference, 2013.
[4] D. Altavilla, “Intel and Microsoft Collaborate on DARPA Program that Pioneers
A New Frontier Of Ultra-Secure Computing,” https://www.forbes.com/sites/
davealtavilla/2021/03/08/intel-and-microsoft-collaborate-on-darpa-program-
that-pioneers-a-new-frontier-of-ultra-secure-computing/?sh=60db31567c1a
archived at https://perma.cc/YYE6-5FT4, 2021.
[5] K. Asanovic, “Vector microprocessors,” Ph.D. dissertation, EECS Department,
University of California, Berkeley, 1998.
[6] D. H. Bailey, “FFTs in external of hierarchical memory,” in Proceedings of the 1989
ACM/IEEE conference on Supercomputing, 1989.
[7] G. Barany, “Register reuse scheduling,” in 9th Workshop on Optimizations for DSP
and Embedded Systems (ODES-9), 2011.
 [8] L. A. Belady, “A study of replacement algorithms for a virtual-storage computer,”
IBM Systems journal, vol. 5, no. 2, 1966.
[9] F. Bergamaschi, “IBM Releases Fully Homomorphic Encryption Toolkit for Ma-
cOS and iOS,” https://www.ibm.com/blogs/research/2020/06/ibm-releases-fully-
homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-
coming-soon/ archived at https://perma.cc/U5TQ-K49C, 2020.
[10] D. A. Berson, R. Gupta, and M. L. So�a, “URSA: A Uni�ed ReSource Allocator for
Registers and Functional Units in VLIW Architectures,” in Proceedings of the IFIP
WG10.3 Working Conference on Architectures and Compilation Techniques for Fine
and Medium Grain Parallelism (PACT’93), 1993.
[11] M. Blatt, A. Gusev, Y. Polyakov, and S. Goldwasser, “Secure large-scale genome-
wide association studies using homomorphic encryption,” Proceedings of the
National Academy of Sciences, vol. 117, no. 21, 2020.
[12] G. E. Blelloch, P. B. Gibbons, and Y. Matias, “Provably e�cient scheduling for
languages with �ne-grained parallelism,” Journal of the ACM (JACM), vol. 46,
no. 2, 1999.
[13] Z. Brakerski, “Fully homomorphic encryption without modulus switching from
classical GapSVP,” in Annual Cryptology Conference, 2012.
[14] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(leveled) fully homomorphic
encryption without bootstrapping,” ACM Transactions on Computation Theory
(TOCT), vol. 6, no. 3, 2014.
[15] A. Brutzkus, R. Gilad-Bachrach, and O. Elisha, “Low latency privacy preserving
inference,” in Proceedings of the International Conference on Machine Learning
(ICML), 2019.
[16] J. H. Cheon, K. Han, A. Kim, M. Kim, and Y. Song, “Bootstrapping for approximate
homomorphic encryption,” in Annual International Conference on the Theory and
Applications of Cryptographic Techniques, 2018.
[17] J. H. Cheon, A. Kim, M. Kim, and Y. Song, “Homomorphic encryption for arith-
metic of approximate numbers,” in International Conference on the Theory and
Application of Cryptology and Information Security, 2017.
[18] J. Choquette, W. Gandhi, O. Giroux, N. Stam, and R. Krashinsky, “Nvidia a100
tensor core gpu: Performance and innovation,” IEEE Micro, vol. 41, no. 2, 2021.
[19] J. W. Cooley and J. W. Tukey, “An algorithm for the machine calculation of
complex Fourier series,” Mathematics of computation, vol. 19, no. 90, 1965.
[20] D. B. Cousins, K. Rohlo�, and D. Sumorok, “Designing an FPGA-accelerated
homomorphic encryption co-processor,” IEEE Transactions on Emerging Topics in
Computing, vol. 5, no. 2, 2017.
[21] D. B. Cousins, J. Golusky, K. Rohlo�, and D. Sumorok, “An FPGA co-processor im-
plementation of homomorphic encryption,” in Proceedings of the IEEE Conference
on High Performance Extreme Computing (HPEC), 2014.
[22] D. B. Cousins, K. Rohlo�, C. Peikert, and R. Schantz, “An update on SIPHER
(Scalable Implementation of Primitives for Homomorphic EncRyption) - FPGA
implementation using Simulink,” in Proceedings of the IEEE Conference on High
Performance Extreme Computing (HPEC), 2012.
[23] DARPA, “DARPA Selects Researchers to Accelerate Use of Fully Homomorphic
Encryption,” https://www.darpa.mil/news-events/2021-03-08 archived at https:
//perma.cc/6GHW-2MSN, 2021.
[24] S. Dasgupta, T. Singh, A. Jain, S. Na�ziger, D. John, C. Bisht, and P. Jayaraman,
“Radeon RX 5700 Series: The AMD 7nm Energy-E�cient High-Performance
GPUs,” in Proceedings of the IEEE International Solid-State Circuits Conference
(ISSCC), 2020.
[25] R. Dathathri, B. Kostova, O. Saarikivi, W. Dai, K. Laine, and M. Musuvathi, “EVA:
An encrypted vector arithmetic language and compiler for e�cient homomorphic
computation,” in Proceedings of the 41st ACM SIGPLAN Conference on Programming
Language Design and Implementation, 2020.
[26] R. Dathathri, O. Saarikivi, H. Chen, K. Laine, K. Lauter, S. Maleki, M. Musuvathi,
and T. Mytkowicz, “CHET: an optimizing compiler for fully-homomorphic neural-
network inferencing,” in Proceedings of the 40th ACM SIGPLAN Conference on
Programming Language Design and Implementation, 2019.
[27] Y. Doröz, E. Öztürk, and B. Sunar, “Accelerating fully homomorphic encryption
in hardware,” IEEE Trans. Computers, vol. 64, no. 6, 2015.
[28] J. Fan and F. Vercauteren, “Somewhat practical fully homomorphic encryption.”
IACR Cryptol. ePrint Arch., 2012.
[29] A. Feldmann, N. Samardzic, A. Krastev, S. Devadas, R. Dreslinski, C. Peikert, and
D. Sanchez, “F1: A fast and programmable accelerator for fully homomorphic
encryption,” in Proceedings of the 54th annual ACM/IEEE International Symposium
on Microarchitecture, 2021.
[30] J. A. Fisher, “Very long instruction word architectures and the ELI-512,” in Pro-
ceedings of the 10th annual international symposium on Computer architecture,
1983.
[31] H. L. Garner, “The residue number system,” in Papers presented at the the March
3-5, 1959, Western Joint Computer Conference, 1959.
[32] W. Ge, M. Zhao, C. Wu, and J. He, “The design and implementation of ddr
phy static low-power optimization strategies,” in Communication Systems and
Information Technology, 2011.
[33] C. Gentry et al., A fully homomorphic encryption scheme. Stanford University,
2009, vol. 20, no. 9.
14
[34] C. Gentry, S. Halevi, and N. P. Smart, “Homomorphic evaluation of the AES
circuit,” in Annual Cryptology Conference, 2012.
[35] C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with
errors: Conceptually-simpler, asymptotically-faster, attribute-based,” in Annual
Cryptology Conference, 2013.
[36] R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing,
“Cryptonets: Applying neural networks to encrypted data with high throughput
and accuracy,” in Proceedings of the International Conference on Machine Learning
(ICML), 2016.
[37] J. R. Goodman and W.-C. Hsu, “Code scheduling and register allocation in large
basic blocks,” in Proceedings of the 2nd International Conference on Supercomputing
(ICS), 1988.
[38] S. Halevi and V. Shoup, “Algorithms in HElib,” in Annual Cryptology Conference,
2014.
[39] K. Han, S. Hong, J. H. Cheon, and D. Park, “E�cient logistic regression on large
encrypted data,” IACR Cryptol. ePrint Arch., 2018.
[40] K. Han, S. Hong, J. H. Cheon, and D. Park, “Logistic regression on homomorphic
encrypted data at scale,” in Proceedings of the AAAI Conference on Arti�cial
Intelligence, vol. 33, no. 01, 2019.
[41] HElib, “HElib country lookup example,” https://github.com/homenc/HElib/tree/
master/examples/BGV_country_db_lookup archived at https://perma.cc/U2MW-
QLRJ, 2019.
[42] A. Howard, M. Sandler, G. Chu, L.-C. Chen, B. Chen, M. Tan, W. Wang, Y. Zhu,
R. Pang, V. Vasudevan et al., “Searching for mobilenet v3,” in Proceedings of the
IEEE/CVF International Conference on Computer Vision, 2019.
[43] IBM, “Cost of a Data Breach Report,” Tech. Rep., 2020.
[44] C. Juvekar, V. Vaikuntanathan, and A. Chandrakasan, “GAZELLE: A low latency
framework for secure neural network inference,” in 27th USENIX Security Sympo-
sium (USENIX Security 18), 2018.
[45] M. Kim, Y. Song, S. Wang, Y. Xia, and X. Jiang, “Secure logistic regression based
on homomorphic encryption: Design and evaluation,” JMIR medical informatics,
vol. 6, no. 2, 2018.
[46] A. Krizhevsky, “Learning multiple layers of features from tiny images,” University
of Toronto, Tech. Rep., 2009.
[47] M. S. Lam, “Software pipelining,” in Proceedings of the ACM SIGPLAN Conference
on Programming Language Design and Implementation (PLDI), 1988.
[48] Y. Lecun, L. Bottou, Y. Bengio, and P. Ha�ner, “Gradient-based learning applied
to document recognition,” Proceedings of the IEEE, vol. 86, no. 11, 1998.
[49] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with er-
rors over rings,” in Annual International Conference on the Theory and Applications
of Cryptographic Techniques, 2010.
[50] L. Marchal, B. Simon, and F. Vivien, “Limiting the memory footprint when dy-
namically scheduling dags on shared-memory platforms,” Journal of Parallel and
Distributed Computing, vol. 128, 2019.
[51] A. C. Mert, E. Öztürk, and E. Savaş, “Design and implementation of a fast and
scalable NTT-based polynomial multiplier architecture,” in 2019 22nd Euromicro
Conference on Digital System Design (DSD), 2019.
[52] A. C. Mert, E. Öztürk, and E. Savaş, “Design and Implementation of Encryp-
tion/Decryption Architectures for BFV Homomorphic Encryption Scheme,” IEEE
Transactions on Very Large Scale Integration (VLSI) Systems, 2019.
[53] V. Migliore, C. Seguin, M. M. Real, V. Lapotre, A. Tisserand, C. Fontaine, G. Gog-
niat, and R. Tessier, “A high-speed accelerator for homomorphic encryption using
the karatsuba algorithm,” ACM Trans. Embedded Comput. Syst., vol. 16, no. 5s,
2017.
[54] R. T. Moenck, “Practical fast polynomial multiplication,” in Proceedings of the
third ACM symposium on Symbolic and algebraic computation, 1976.
[55] P. L. Montgomery, “Modular multiplication without trial division,” Mathematics
of computation, vol. 44, no. 170, 1985.
[56] NVIDIA, “NVIDIA DGX station A100 system architecture,” https://images.
nvidia.com/aem-dam/Solutions/Data-Center/nvidia-dgx-station-a100-system-
architecture-white-paper.pdf archived at https://perma.cc/3CSS-PXU7, 2021.
[57] E. Ozer, S. Banerjia, and T. M. Conte, “Uni�ed assign and schedule: A new ap-
proach to scheduling for clustered register �le microarchitectures,” in Proceedings
of the 31st annual ACM/IEEE International Symposium on Microarchitecture, 1998.
[58] G. Passas, M. Katevenis, and D. Pnevmatikatos, “Crossbar NoCs are scalable
beyond 100 nodes,” IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems, vol. 31, no. 4, 2012.
[59] C. Peikert, “A decade of lattice cryptography,” Foundations and Trends in Theoret-
ical Computer Science, vol. 10, no. 4, 2016.
[60] M. Pellauer, Y. S. Shao, J. Clemons, N. Crago, K. Hegde, R. Venkatesan, S. W. Keck-
ler, C. W. Fletcher, and J. Emer, “Bu�ets: An e�cient and composable storage idiom
for explicit decoupled data orchestration,” in Proceedings of the Twenty-Fourth
International Conference on Architectural Support for Programming Languages and
Operating Systems, 2019.
[61] Y. Polyakov, K. Rohlo�, and G. W. Ryan, “Palisade lattice cryptography library
user manual,” Cybersecurity Research Center, New Jersey Institute ofTechnology
(NJIT), Tech. Rep, vol. 15, 2017.
[62] T. Pöppelmann, T. Oder, and T. Güneysu, “High-performance ideal lattice-based
cryptography on 8-bit atxmega microcontrollers,” in International Conference on
Cryptology and Information Security in Latin America, 2015.
[63] Rambus Inc., “White paper: HBM2E and GDDR6: Memory solutions for AI,” 2020.
[64] B. Reagen, W. Choi, Y. Ko, V. Lee, G.-Y. Wei, H.-H. S. Lee, and D. Brooks, “Cheetah:
Optimizations and methods for privacy preserving inference via homomorphic
encryption,” in Proceedings of the 27th IEEE international symposium on High
Performance Computer Architecture (HPCA-27), 2021.
[65] M. S. Riazi, K. Laine, B. Pelton, and W. Dai, “HEAX: An architecture for computing
on encrypted data,” in Proceedings of the 25th international conference on Architec-
tural Support for Programming Languages and Operating Systems (ASPLOS-XXV),
2020.
[66] S. S. Roy, F. Turan, K. Järvinen, F. Vercauteren, and I. Verbauwhede, “Fpga-
based high-performance parallel architecture for homomorphic computing on
encrypted data,” in Proceedings of the 25th IEEE international symposium on High
Performance Computer Architecture (HPCA-25), 2019.
[67] S. S. Roy, F. Vercauteren, N. Mentens, D. D. Chen, and I. Verbauwhede, “Compact
ring-LWE cryptoprocessor,” in International workshop on cryptographic hardware
and embedded systems, 2014.
[68] Q. Shang, Y. Fan, W. Shen, S. Shen, and X. Zeng, “Single-port sram-based transpose
memory with diagonal data mapping for large size 2-d dct/idct,” IEEE Transactions
on Very Large Scale Integration (VLSI) Systems, vol. 22, no. 11, 2014.
[69] Z. M. Smith, E. Lostri, and J. A. Lewis, “The Hidden Costs of Cybercrime,” Center
for Strategic and International Studies, Tech. Rep., 2020.
15
[70] S.-A.-A. Touati, “Register saturation in instruction level parallelism,” International
Journal of Parallel Programming, vol. 33, 2005.
[71] F. Turan, S. Roy, and I. Verbauwhede, “HEAWS: An Accelerator for Homomorphic
Encryption on the Amazon AWS FPGA,” IEEE Transactions on Computers, 2020.
[72] M. van der Hagen and B. Lucia, “Practical encrypted computing for iot clients,”
arXiv preprint arXiv:2103.06743, 2021.
[73] W. Wang, Z. Chen, and X. Huang, “Accelerating leveled fully homomorphic
encryption using gpu,” in Proceedings of the IEEE International Symposium on
Circuits and Systems (ISCAS), 2014.
[74] W. Wang, Y. Hu, L. Chen, X. Huang, and B. Sunar, “Accelerating fully homo-
morphic encryption using gpu,” in Proceedings fo the IEEE conference on High
Performance Extreme Computing (HPEC), 2012.
[75] W. Wang, Y. Hu, L. Chen, X. Huang, and B. Sunar, “Exploring the feasibility of
fully homomorphic encryption,” IEEE Transactions on Computers, vol. 64, no. 3,
2013.
[76] Y. Wang, Z. Ma, and F. Yu, “Pipelined algorithm and modular architecture for
matrix transposition,” IEEE Transactions on Circuits and Systems II: Express Briefs,
vol. 66, no. 4, 2018.
[77] W. Xu and R. Tessier, “Tetris: a new register pressure control technique for VLIW
processors,” ACM SIGPLAN Notices, vol. 42, no. 7, 2007.
[78] B. Zhang, Z. Ma, and F. Yu, “A novel pipelined algorithm and modular architecture
for non-square matrix transposition,” IEEE Transactions on Circuits and Systems
II: Express Briefs, 2020.