Homomorphic Computation in Reed-Muller

Codes?

Jinkyu Cho1 , Young-Sik Kim2 , and Jong-Seon No1

1
Seoul National University, Republic of Korea
2
Chosun University, Republic of Korea

Abstract. With the ongoing developments in artificial intelligence (AI),

big data, and cloud services, fully homomorphic encryption (FHE) is be-
ing considered as a solution for preserving the privacy and security in
machine learning systems. Currently, the existing FHE schemes are con-
structed using lattice-based cryptography. In state-of-the-art algorithms,
a huge amount of computational resources are required for homomorphic
multiplications and the corresponding bootstrapping that is necessary to
refresh the ciphertext for a larger number of operations. Therefore, it is
necessary to discover a new innovative approach for FHE that can reduce
the computational complexity for practical applications. In this paper,
we propose a code-based homomorphic operation scheme. Linear codes
are closed under the addition, however, achieving multiplicative homo-
morphic operations with linear codes has been impossible until now.
We strive to solve this problem by proposing a fully homomorphic code
scheme that can support both addition and multiplication simultane-
ously using the Reed-Muller (RM) codes. This can be considered as a
preceding step for constructing code-based FHE schemes. As the order
of RM codes increases after multiplication, a bootstrapping technique
is required to reduce the order of intermediate RM codes to accomplish
a large number of operations. We propose a bootstrapping technique
to preserve the order of RM codes after the addition or multiplication
by proposing three consecutive transformations that create a one-to-one
relationship between computations on messages and that on the corre-
sponding codewords in RM codes.

Keywords: Error-correcting codes (ECCs), fully homomorphic encryption (FHE),

homomorphic computation, post-quantum cryptography (PQC), Reed-Muller
(RM) codes.

1 Introduction
Error-correcting codes (ECCs) are being used in diverse application areas. They
have been developed for wireless communication systems in noisy channels and
?
This work was supported by Institute for Information & Communications Technology
Promotion (IITP) grant funded by the Korea government (MSIT) (R-20160229-
002941, Research on Lightweight Post-Quantum Crypto-systems for IoT and Cloud
Computing).
2 J. Cho et al.

digital storage systems [1, 2]. They are also widely used in other areas such as
distributed computing systems or public-key cryptography, also known as code-
based cryptography. The security of code-based cryptography is based on the
fact that the decoding problem of a random linear code is an NP-complete prob-
lem [3]. Especially, code-based cryptography is one of the candidates for post-
quantum cryptography that can resist attacks using operations over quantum
computers.
Recently, machine learning has become popular in many areas and a few
applications that employ this technology require the privacy of input data to
be maintained. For the security of machine learning, differential privacy and
fully homomorphic encryption (FHE) are considered as candidates. In the case
of differential privacy, the information on the individuals in the dataset is not
disclosed even though the entire dataset is available. However, when it comes to
FHE, both multiplication and addition can be performed for encrypted messages.
Thus, confidential messages can be securely manipulated on the untrusted cloud
server. In FHE, the encryption schemes can support both addition and multi-
plication without any limitations on the number of operations.
As Gentry proposed the first generation FHE in 2009 [4], there has been
extensive research on homomorphic encryption schemes based on lattice-based
hard problems [5–10]. The most promising recent research works on lattice-based
homomorphic encryption schemes are the homomorphic encryption for the arith-
metic of approximate numbers scheme, called the Cheon-Kim-Kim-Song (CKKS)
scheme [6] and the fast FHE over the torus (TFHE) scheme [7]. Despite sub-
stantial progress since Gentry’s first FHE scheme, the computational complexity
of FHEs is still too high to be used in privacy-preserving machine learning sys-
tems. For example, it takes almost 30 seconds for one bootstrapping operation
while using the CKKS library. As more than 105 bootstrappings are necessary
to sort hundreds of data packets, several days are needed for the homomorphic
sorting operation [10]. Therefore, we need to discover a new innovative approach
to achieve more efficient FHE.
Along with the extremely fast-growing data and computation sizes, the size
of distributed computing systems has also grown increasingly larger with time.
During computing, a certain amount of unpredictable system noise or straggler
nodes that cause delays cannot be avoided. To reduce these problems, we fre-
quently use coded computation, which is a method of using coding theoretic
techniques in distributed systems. In this regard, the first known study was
conducted on the computing matrix multiplication problem using erasure codes
and minimum distance separable codes [11]. Later, more studies with diverse
approaches to increase the speed of coded computations also appeared [12–14].
System components, such as sensors, are required to working efficiently even in
noisy conditions, such as high temperature. To ensure this, we need a coding
technique with high error tolerance, such as Reed-Muller (RM) codes, because
they can correct random erasures and errors with high probability [15].
Besides, we also expect these results to be used in quantum computing. There
are numerous studies on the application of ECCs in quantum computing [16–19].
 Homomorphic Computation in Reed-Muller Codes 3

Researchers have also succeeded in mapping the ECCs of classical computers

into new quantum codes called “stabilizer codes.” Several trials on using alge-
braically defined codes, such as Hamming codes, Bose-Chaudhuri-Hocquenghem
codes, RM codes, and Golay codes have been accomplished. Moreover, methods
for using sparse-graph codes such as low-density parity-check codes are also be-
ing studied. The goal of all these studies is to achieve fault-tolerant quantum
computation. In the future, we expect homomorphic computation to be an im-
portant component in quantum computers, and therefore our contribution to
creating a homomorphic computation method for RM codes may turn out to be
useful in RM-code-based quantum error correction.
In this paper, we propose a code-based homomorphic computation scheme
using RM codes that can support simultaneous addition and multiplication op-
erations. Addition can be performed freely in linear codes due to the nature of
the linearity. However, no such method of multiplication exists for codewords,
that is, it is not possible to obtain a valid codeword just by multiplying two valid
codewords. Therefore, we propose a linear transformation that can map the mul-
tiplication result of any pair of valid codewords to a valid codeword. As the order
of the codewords monotonically increases during the multiplication in the RM
codes, there is a certain limitation on the number of multiplications. To resolve
this problem, we propose a bootstrapping method to reduce the RM codewords
of the second-order to that of the first-order after codeword multiplication.
The paper is organized as follows: We present the preliminaries in Section
II, where we describe the basic concepts of the original RM codes, and set a few
notations. Moreover, we present the fundamental definition of FHE. Our main
results are presented in Section III. We define the addition and multiplication
operations on the message and codeword domains, respectively, and also propose
the main scheme used in our bootstrapping technique for RM codes. Finally, we
conclude our paper and mention future works in Section IV.

2 Preliminaries

2.1 RM codes

In this subsection, we briefly introduce the fundamental notions and properties

of RM codes. An RM code, RM(r, m) is defined with integers r and m, where r is
m
the order P
of the code
and n = 2 is the code length. The dimension of RM(r, m)
r m m−r
is kr = i=0 i and the minimum distance is d min = 2 . Further, we
can express RM(r, m) with r-th order linear combinations of Boolean functions
v0 = 1, v1 , · · · , vm . Thus, the generator matrix Gr of the r-th order RM code,
RM(r, m) can be expressed as
4 J. Cho et al.

 
v0
 v1
..
 
 

 .



 vm 


 v1 v2 

 v1 v3 
..
 
 
Gr = 
 . ,
 (1)
 vm−1 vm 
 

 .
..


 

 v1 · · · vr 

v1 · · · vr−1 vr+1 
 
 .. 
 . 
vm−r+1 · · · vm

where, vi vj denotes the component-wise multiplication of vi and vj [1,2,20–23].

The columns of the generator matrix are evaluated by each Boolean function of
each row with every m-tuple binary vector from (1, 1, · · · , 1) to (0, 0, · · · , 0) in
the reverse lexicographical order.
The generator matrix G of the first-order RM codes is constructed from
{v0 , v1 , · · · , vm } in (1), and the generator matrix of the second-order RM codes
is created from {v0 , v1 , · · · , vm , v1 v2 , v1 v3 , · · · , vm−1 vm }. The first-order RM
code has a dimension of k = m + 1 and can be represented with linear combina-
tions of v0 , · · · , vm .
The message can be expressed with a polynomial of degree m, a(x), or with
a (m + 1)-tuple vector a as
m
X
a(x) = ai xi
i=0
a = (a0 , a1 , · · · , am ).

And codeword of the first-order RM codes, RM(1,m), can be expressed with

a polynomial of degree n − 1, c(x), or with a n-tuple vector c by multiplying the
k × n generator matrix G in (1) to message as

n−1
X
c(x) = ci x i
i=0
m
X
c = (c0 , c1 , · · · , cn−1 ) = aG = ai vi , (2)
i=0

where we abuse the vector and polynomial notations.

 Homomorphic Computation in Reed-Muller Codes 5

2.2 Fully homomorphic encryption

Homomorphic encryption plays a crucial part in ensuring privacy because it does

not expose the original data in computing environments such as machine learning
or cloud services [4]. An encryption scheme is said to be “homomorphic” with
respect to an operation ♦ on plaintext space P if it satisfies

Decrypt(Encrypt(m1 ) ∗ Encrypt(m2 ))
= Decrypt(Encrypt(m1 ♦m2 ))
= m1 ♦m2

for an operation ∗ on ciphertext space C. The operation ♦ is usually an addition

or multiplication.
An encryption scheme is called “somewhat homomorphic” if it satisfies only
a limited number of operations because of its inability to perform decryption
after a certain number of operations. The scheme is called “fully homomorphic”
if it can perform an infinite number of homomorphic operations for addition and
multiplication [5].

3 Homomorphic computation of RM(1,m)

3.1 Addition and multiplication in RM codes

Homomorphic operations are executed both on the message and codeword do-
mains. Although addition is performed identically in both the domains, the mul-
tiplication of the codewords must be defined as a new codeword of a message
that is defined as a polynomial multiplication with modulo xk − 1.
In our proposed scheme, we only consider the first-order RM codes for homo-
morphic operations because they have the maximum Hamming distance 2m−1
and can be efficiently used for related homomorphic computations. As described
in Subsection 2.1, the RM codes can be described as polynomials. Therefore,
for the homomorphic addition of two codewords, we perform a component-wise
addition ⊕ between the coefficients of the same order of the polynomial terms.
In the case of homomorphic multiplication, the codewords can be multiplied
by performing some multiplication , which corresponds to the codeword of
multiplication of two message polynomials of the order m, a(x) and a0 (x), as
a(x)a0 (x) mod (xm+1 − 1), as given in Table 1.
In the case of addition, it is evident that the computation on the message
domain and codeword domain are directly related because the RM codes are
linear. However, while multiplying two corresponding codewords, c(x) and c0 (x),
or c and c0 , we have two fundamental problems. The first problem is that just
multiplying c and c0 component-wisely does not completely match the codeword
corresponding to the multiplied message. Therefore, we need to apply the lin-
ear transformation for correctly matching the message and the code domains.
The second problem is that the multiplied codeword is a second-order RM code
6 J. Cho et al.

instead of the first one. To fix the relationship between the two domains and
reduce the order of codeword, we need a linear transformation of the multiplied
codewords. This linear transformation is described in the next subsection.

Table 1: Addition and multiplication with messages and codewords.

Computation Messages Codewords

Addition a(x) + a0 (x) mod (xm+1 − 1) c ⊕ c0
Multiplication a(x)a0 (x) mod (xm+1 − 1) c c0

3.2 Bootstrapping technique in RM codes

The two problems encountered during the homomorphic multiplications of RM

code can be resolved by using the bootstrapping technique that will be intro-
duced in this subsection. The first-order RM code is represented with linear
combination of {v0 , v1 , · · · , vm }. The multiplied codewords are of the second-
order, which is RM (2,m). Therefore, we need to reduce the order of the RM
code for further operations.
Let c and c0 be two distinct codewords of the first-order RM code for two
messages a(x) and a0 (x). The multiplication of a(x) and a0 (x) is expressed as

m
X X
a(x)a0 (x) mod (xm+1 − 1) = ( ai a0j )xl . (3)
l=0 i+j=l mod (m+1)

Thus, the corresponding codeword of a(x)a0 (x) mod (xm+1 − 1) is given as

m
X X
( ai a0j )vl . (4)
l=0 i+j=l mod (m+1)

However, the direct multiplication of the two corresponding codewords is given

as

m
X m
X
( ai vi )( a0j vj ). (5)
i=0 j=0

Therefore, (4) and (5) are not the same even though they represent the same
message. Notably, (5) is a second-order RM code. Therefore, (5) should be mod-
ified to fit (4). This process is called bootstrapping in this paper.
The bootstrapping process comprises three steps as follows.
 Homomorphic Computation in Reed-Muller Codes 7

RM(1,𝑚)
𝑎(𝑥) 𝒄
Bootstrapping technique
RM(1,𝑚) Step 1, Step 2, Step 3
𝑎′(𝑥) 𝒄′

𝒄𝒏𝒆𝒘 = Encoding ( 𝑎(𝑥)𝑎′ 𝑥 mod (𝑥 𝑚+1 − 1) )

in RM(1,𝑚)

Fig. 1: Bootstrapping process in the first-order RM codes.

1. Step 1: Represent the coefficients ai a0j +aj a0i of vi vj in (5) as the components
of the codewords c = (c0 , c1 , · · · , cn−1 ) and c0 = (c00 , c01 , · · · , c0n−1 ), whose
transformation is denoted by (nP + m) × (k2 + m) matrix V .
2. Step 2: Derive the coefficients i+j=l mod (m+1) ai a0j of xl in (3) by using
coef(vi vj ), whose transformation is denoted by (k2 + m) × k matrix X.
3. Step 3: Find the codeword cnew of the message a(x)a0 (x) mod (xm+1 − 1)
in RM(1,m) by using the generator matrix G.
The proposed bootstrapping procedure for homomorphic multiplication in
RM (1, m) code is depicted in Fig. 1, where notations of polynomials and vectors
are abused. Notably, the above three steps can be combined into an (n + m) × n
linear transformation V XG. We can do this as many times as necessary to finish
the arbitrary homomorphic computations. To perform Steps 1 and 2, we need
the following theorem and corollary.

Theorem 1. In the first-order RM code, RM(1,m), we have

m
X
cn−1−Pm
i=1 αi 2
i−1 = a0 + αi ai ,
i=1

where the
Ptranspose of (α0 , α1 , · · · , αm ) denotes the p-th column of G with p =
m
n − 1 − i=1 αi 2i−1 .

Proof: From (2), we have

cp = (a0 , a1 , · · · , am )(p-th column of G)

Xm
= ai gip ,
i=0

where gip denotes the (i, p) element of G. Clearly, the first row of G is all-one
vector, that is, α0 = 1, and thus every cp includes a0 . Then, for the remaining
rows of G, we should add ai if the (i + 1)-th component of p-th column of G is
’1’.
8 J. Cho et al.

It can be observed that the p-th column of the generator matrix of RM(1,m)
except the first row, is the one’s complement of the binary representation of p.
Let , α2 , · · · , αm )T be the p-th column of G. Then, we have p = 2m − 1 −
Pm (1, α1i−1
i=1 αi 2 . Thus, the theorem is proved.

From Theorem 1, it is straightforward to obtain the following corollary.
Corollary 1. In the first-order RM code, RM(1,m), we have
c0 + c2s−1 = as , s = 1, 2, · · · , m.
The three steps of the bootstrapping are explained in detail as follows.
Step 1: Coefficient mapping from c and c0 to the coef(vi vj )
Here, we will represent the coefficients of vi vj in (5) by using the components
of the codewords, c = (c0 , c1 , · · · , cn−1 ) and c0 = (c00 , c01 , · · · , c0n−1 ) as follows. In
another variation explained later, the coefficient of vi vj is denoted as a function
fij of components of c and c0
coef(vi vj ) = fij (c0 , c1 , · · · , cn−1 , c00 , c01 , · · · , c0n−1 ).
The coefficient of vi vj can be determined by considering the following four
cases.
Case 1-1) i 6= j and i, j 6= 0:
From (5), the coefficient of vi vj becomes ai a0j + aj a0i . We can express this as

coef(vi vj ) = ai a0j + aj a0i

= (a0 + ai + aj )(a00 + a0i + a0j )
+ (a0 + ai )(a00 + a0i ) + (a0 + aj )(a00 + a0j )
+ a0 a00
and from Theorem 1, we have
coef(vi vj ) = cn−1−2i−1 −2j−1 c0n−1−2i−1 −2j−1
+ cn−1−2i−1 c0n−1−2i−1
+ cn−1−2j−1 c0n−1−2j−1
+ cn−1 c0n−1 .

Case 1-2) i 6= 0, j = 0:
From (5), the coefficient of vi v0 = vi becomes ai a00 + a0 a0i . We can express
this as
coef(vi ) = ai a00 + a0 a0i
= (a0 + ai )(a00 + a0i )
+ a0 a00
+ ai a0i
 Homomorphic Computation in Reed-Muller Codes 9

and from Theorem 1 and Corollary 1, we have

coef(vi ) = cn−1−2i−1 c0n−1−2i−1
+ cn−1 c0n−1
+ (c0 + c2i−1 )(c00 + c02i−1 ).
This case is very similar to Case 1-1), but we cannot use Theorem 1 when j = 0.
Thus, we separate this from Case 1-1) and use Corollary 1.
Case 2-1) i = j 6= 0:
From (5), we can express the coefficient as
coef(vi 2 ) = ai a0i
and from Corollary 1, we have
(c0 + c2i−1 )(c00 + c02i−1 ).
It should be noted that the Boolean function vi 2 is actually equal to vi .
However, we have separated these two cases because coef(vi ) corresponds to
coef(xi ) and coef(vi 2 ) corresponds to coef(x2i mod(m+1) ).
Case 2-2) i = j = 0:
From (5), we can express the coefficient as
coef(v0 ) = a0 a00
and from Theorem 1, we have
cn−1 c0n−1 .
By merging the above four cases, we can make a binary (n + m) × (k2 + m)
matrix V , which is a linear transformation from
(c0 c00 , c1 c01 , · · · , cn−1 c0n−1 , (c0 + c20 )(c00 + c020 ),
(c0 + c21 )(c00 + c021 ), · · · , (c0 + c2m−1 )(c00 + c02m−1 ))
to
(coef(v0 ), coef(v1 ), · · · coef(vm ),
coef(v1 v2 ), coef(v1 v3 ), · · · coef(vm−1 vm ),
coef(v1 2 ), coef(v2 2 ), · · · , coef(vm 2 )).

Step 2: Message mapping

We will derive the coefficient i+j=l mod (m+1) ai a0j of xl in (3) with a func-
P
tion gl as
X
coef(xl ) = ai a0j
i+j=l mod(m+1)

= gl (coef(vi vj )). (6)

We can determine gl as given in the following theorem.
10 J. Cho et al.

Theorem 2. In the first-order RM code, RM(1,m), coef(xl ) in (3) is given as

X
coef(xl ) = coef(vi vj ).
i+j=l mod(m+1)

Proof: It can be easily observed that (5) can be rewritten as

m
X X
( ai a0j vi vj ). (7)
l=0 i+j=l mod(m+1)

Focusing on the coefficients of vi vj in (7), when i + j = l mod (m + 1), the sum

of coef(vi vj ) is the sum of ai a0j . And this result equals the coefficients of xl also
from (6). Thus, the theorem is proved. 
Now, by using Theorem 2, we can perform a linear transformation from

(coef(v0 ), coef(v1 ), · · · , coef(vm ),

coef(v1 v2 ), coef(v1 v3 ), · · · , coef(vm−1 vm ),
coef(v1 2 ), coef(v2 2 ), · · · , coef(vm 2 ))

to

(coef(x0 ), coef(x1 ), · · · , coef(xm ))

m m m




denoted by (k2 + m) × k matrix X, where k2 = 0 + 1 + 2 .
After merging Steps 1 and 2, we obtain

coef(xl ) = gl (fij (c0 , c1 , · · · , cn−1 , c00 , c01 , · · · , c0n−1 )).

Step 3: Re-encoding of RM(1,m)

Here, the k × n generator matrix G is multiplied with V X to obtain a new
codeword of the first-order RM code that corresponds to the resulting codeword
obtained for the multiplication of the two messages, a(x)a0 (x) mod xm+1 − 1.
Combining Steps 1–3
In case of addition, clearly, the codeword of the message a(x) + a0 (x) is c ⊕ c0 .
However, for multiplication, it is divided into three steps called bootstrapping.
Let

z = (c0 c00 , c1 c01 , · · · , cn−1 c0n−1 , (c0 + c20 )(c00 + c020 ),

(c0 + c21 )(c00 + c021 ), · · · , (c0 + c2m−1 )(c00 + c02m−1 )).

Then, the new codeword cnew in RM(1,m), corresponding to a(x)a0 (x) mod
xm+1 − 1, is given as

cnew = z · V · X · G.
 Homomorphic Computation in Reed-Muller Codes 11

Finally, we can determine the codeword cnew in RM(1,m), corresponding to

the message a(x)a0 (x) mod xm+1 − 1, by using c, c0 , and the (n + m) × n matrix,
T = V · X · G.
Note: In fact, there exist a few all-zero rows in V for some row indices.
This is because we do not use every case listed in Theorem 1 in Step 1. Only
cn−1−2i−1 −2j−1 c0n−1−2i−1 −2j−1 , cn−1−2i−1 c0n−1−2i−1 , cn−1−2j−1 c0n−1−2j−1 , and cn−1 c0n−1
are used for Cases 1-1), 1-2), 2-1), and 2-2). Thus, for the rest of ci and c0i , we
have all-zero rows in V and we add (c0 + c20 )(c00 + c020 ), (c0 + c21 )(c00 + c021 ), · · · ,
and (c0 + c2m−1 )(c00 + c02m−1 ) to the last m elements in z.

3.3 Example

To help understand the homomorphic computation of the first-order RM codes,

RM(1,m), we present an example of an RM(1,4) code. First, we determine the
matrix V as

 
000000000000000
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0
 
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
 
0 0 0 0 1 0 0 1 0 1 1 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0
V =
 .
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0

0 0 0 1 0 0 1 0 1 0 1 0 0 0 0
 
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0
 
0 0 1 0 0 1 0 0 1 1 0 0 0 0 0
 
0 1 0 0 0 1 1 1 0 0 0 0 0 0 0
 
1 1 1 1 1 1 1 1 1 1 1 0 0 0 0
 
0 1 0 0 0 0 0 0 0 0 0 1 0 0 0
 
0 0 1 0 0 0 0 0 0 0 0 0 1 0 0
 
0 0 0 1 0 0 0 0 0 0 0 0 0 1 0
000010000000001

This matrix is obtained by merging Cases 1-1), 1-2), 2-1), and 2-2), whose size
is 20 × 15. In this example, the 0, 1, 2, 4, and 8-th rows are ’0s.’
12 J. Cho et al.

Then, in Step 2, we can obtain the relations between coef(xl ) and coef(vi vj )
as

coef(x0 ) = coef(v0 2 ) + coef(v1 v4 ) + coef(v2 v3 )

coef(x1 ) = coef(v0 v1 ) + coef(v2 v4 ) + coef(v3 2 )
coef(x2 ) = coef(v0 v2 ) + coef(v1 2 ) + coef(v3 v4 )
coef(x3 ) = coef(v0 v3 ) + coef(v1 v2 ) + coef(v4 2 )
coef(x4 ) = coef(v0 v4 ) + coef(v1 v3 ) + coef(v2 2 ).

From Theorem 2, the corresponding matrix X is given as

 
10000
0 1 0 0 0
 
0 0 1 0 0
 
0 0 0 1 0
 
0 0 0 0 1
 
0 0 0 1 0
 
0 0 0 0 1
 
1 0 0 0 0 ,
X= 
1 0 0 0 0
 
0 1 0 0 0
 
0 0 1 0 0
 
0 0 1 0 0
 
0 0 0 0 1
 
0 1 0 0 0
00010

where the matrix size is 15 × 5. For Step 3, we obtain the 5 × 16 generator matrix
G from (1) as

 
1111111111111111
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
 
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 .
G= 
1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0
1111111100000000
 Homomorphic Computation in Reed-Muller Codes 13

Then, by multiplying these three matrices, we obtain a matrix T with size of

20 × 16 as
 
0000000000000000
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0
 
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
 
0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 1
 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
T = 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 .

 
0 0 1 1 1 1 0 0 1 1 0 0 0 0 1 1
 
1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0
 
0 1 1 0 1 0 0 1 0 1 1 0 1 0 0 1
 
0 1 0 1 1 0 1 0 1 0 1 0 0 1 0 1
 
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
 
0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0
 
0 0 1 1 0 0 1 1 1 1 0 0 1 1 0 0
 
0 1 0 1 1 0 1 0 0 1 0 1 1 0 1 0
0000111111110000

Now, we obtain a new codeword cnew of the first-order RM code by multi-

plying T on the right of the vector z. Thus, cnew corresponds to the codeword
of the message multiplication polynomial a(x)a0 (x) mod x5 − 1 in RM(1,4), as
given in Table 2, where we have presented three examples.

Table 2: Examples with RM(1,4) code

Example 1) Example 2) Example 3)

a (01000) (00010) (00011)
a0 (01000) (00010) (00011)
c (1010101010101010) (1111000011110000) (0000111111110000)
c0 (1111000011110000) (1111111100000000) (1100110000110011)
apm (00001) (00100) (11101)
(1010000010100000 (1111000000000000 (0000110000110000
z
0000) 0000) 0001)
anew (00001) (00100) (11101)
cnew (1111111100000000) (1100110011001100) (1010010110100101)

For message vectors a and a0 , we have c and c0 . Then, we determine a

vector z and perform Steps 1 and 2, which are the matrices V and X. Thus,
14 J. Cho et al.

we obtain a new message vector ”anew ” and this corresponds to the polynomial
multiplication of two messages, a(x)a0 (x) mod x5 − 1, also denoted as ”apm .”
Finally, we obtain a new codeword cnew of the first-order RM code from the
generator matrix G.

4 Conclusion and future works

In this paper, we suggested a transformation method, called bootstrapping,

which facilitates the homomorphic multiplication of the first-order RM codes
while preserving the order of the RM codes after the computation (addition and
multiplication). Furthermore, we created a relation between the proposed code-
word multiplication c c0 and the multiplication of two messages. We employed
three steps for performing the bootstrapping. In Step 1, we expressed the coeffi-
cients of vi vj as the components of the codewords c0 , c1 , · · · , cn−1 , c00 , c01 , · · · , and
c0n−1 . In Step 2, we represented the coefficients of xl by the coefficients of vi vj .
Thus, by merging these two steps, we constructed a relation between the code-
word components and coefficients of xl , which are the components of message
polynomial multiplication. We encoded this process by multiplying the generator
matrix in Step 3 to obtain the corresponding codeword as the first-order RM
code.
As future works, we will consider the homomorphic computation of higher-
order RM codes. Moreover, we plan to implement the computation in the pres-
ence of noise, which can be useful in homomorphic cryptography.

References

1. S. Lin and D. Costello, Error Control Coding, 2nd ed. Upper Saddle River, NJ,
USA: Prentice-Hall, 2001, pp. 105–118.
2. F. J. Macwilliams and N. J. A. Sloane, The Theory of Error Correcting Codes. vol.
16, New York, NY, USA: Elsevier/North-Holland Inc., 1977, pp. 370–479.
3. R.J. McEliece, “A public-key cryptosystem based on algebraic coding theory,” DSN
Progress Report, pp. 114–116, Jan. 1978.
4. C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dissertation, Dept.
Comput. Sci., Stanford Univ., Stanford, CA, USA, 2009.
5. R. Meissen, “A mathematical approach to fully homomorphic encryption,” Ph.D.
dissertation, Worcester Polytechnic Institute, 2012.
6. J. H. Cheon, A. Kim, M. Kim, and Y. Song, “Homomorphic encryption for arith-
metic of approximate numbers,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Sec.
New York, NY, USA: Springer, 2017, pp. 409–437.
7. I. Chillotti, N. Gama, M. Georgieva, and M. Izabachene, “TFHE: Fast fully ho-
momorphic encryption over the torus,” Journal of Cryptology, vol. 33, no. 1, pp.
34–91, 2020.
8. H. Chen, I. Chillotti, and Y. Song, “Improved bootstrapping for approximate ho-
momorphic encryption,” Int. Assoc. Cryptol. Res., Tech. Rep. 2018/1043, 2018.
[Online]. Available: https://eprint.iacr.org/2018/1043.
 Homomorphic Computation in Reed-Muller Codes 15

9. K. Han and D. Ki, “Better bootstrapping for approximate homomorphic encryp-

tion,” Cryptographers’ Track at the RSA Conference, Springer, Cham, Feb. 2020,
pp. 364–390.
10. J.-W. Lee, Y.-S. Kim, and J.-S. No, “Analysis of modified Shell sort for fully
homomorphic encryption,” Cryptology ePrint Archive, 2019/1497.
11. K. Lee, M. Lam, R. Pedarsani, D. Papailiopoulos, and K. Ramchandran, “Speeding
up distributed machine learning using codes,” IEEE Trans. Inf. Theory, vol. 64,
no. 3, pp. 1514–1529, Mar. 2018.
12. K. Lee, C. Suh, and K. Ramchandran, “High-dimensional coded matrix multiplica-
tion,” 2017 IEEE International Symposium on Information Theory (ISIT), 2017,
pp. 2418–2422.
13. S. Dutta, V. Cadambe, and P. Grover, “Short-dot: Computing large linear trans-
forms distributedly using coded short dot products,” IEEE Trans. Inf. Theory, vol.
65, no. 10, pp. 6171–6193, Oct. 2019.
14. R. Tandon, Q. Lei, A. G. Dimakis, and N. Karampatziakis, “Gradient coding,”
arXiv preprint arXiv:1612.03301, 2016.
15. E. Abbe, A. Shpilka, and A. Wigderson, “Reed-Muller codes for random erasures
and errors,” IEEE Trans. Inf. Theory, vol. 61, no. 10, pp. 5229–5252, Oct. 2015.
16. A. R. Calderbank, E. M. Rains, P. M. Shor, and N. J. A. Sloane, “Quantum error
correction via codes over GF(4),” IEEE Trans. Inf. Theory, vol. 44, no. 4, pp.
1369–1387, Jul. 1998.
17. D. MacKay, G. Mitchison, and P. McFadden, “Sparse-graph codes for quantum
error correction,” IEEE Trans. Inf. Theory, vol. 50, no. 10, pp. 2315–2330, Oct.
2004.
18. C. Y. Lai, Y. C. Zheng, and T. A. Brun, “Fault-tolerant preparation of stabi-
lizer states for quantum Calderbank-Shor-Steane codes by classical error-correcting
codes,” Phys. Rev. Lett., 95, 032339, 2017.
19. F. Lacerda, J. Renes, and R. Renner, “Classical leakage resilience from fault-
tolerant quantum computation,” Journal of Cryptology, vol. 32, no. 4, pp. 1071–
1094, 2019.
20. I. Reed, “A class of multiple-error-correcting codes and the decoding scheme,”
Transactions of the IRE Professional Group on Information Theory, vol. 4, no. 4,
pp. 38–49, Sep. 1954.
21. D. E. Muller, “Application of Boolean algebra to switching circuit design and
to error detection,” Transactions of the I.R.E. Professional Group on Electronic
Computers, vol. EC-3, no. 3, pp. 6–12, Sep. 1954.
22. W. Lee, J.-S. No, and Y.-S. Kim, “Punctured Reed–Muller code-based McEliece
cryptosystems,” IET Commun., vol. 11, no. 10, pp. 1543–1548, Jul. 2017.
23. Y. Lee, W. Lee, Y.-S. Kim, and J.-S. No, “A modified pqsigRM: RM code-based
signature scheme,” Cryptology ePrint Archive, Report 2019/678, 2019.