Received April 4, 2019, accepted April 18, 2019, date of publication April 29, 2019, date of current version

May 14, 2019.

Digital Object Identifier 10.1109/ACCESS.2019.2913850

Improved Homomorphic Discrete Fourier

Transforms and FHE Bootstrapping
KYOOHYUNG HAN , MINKI HHAN, AND JUNG HEE CHEON
Seoul National University, Seoul 151-742, South Korea
Corresponding author: Kyoohyung Han ([email protected])
This work was supported in part by the Institute for Information and Communications Technology Promotion (IITP) Grant funded by the
Korea Government (MSIT) under Grant 2017-0-00616, and in part by the Development of Lattice-Based Post-Quantum Public-Key
Cryptographic Schemes.

ABSTRACT Homomorphic encryption (HE), which enables computation on ciphertexts without any
leakage, rise as a most promising solution for privacy-preserving data processing, including secure machine
learning and secure out-sourcing computation. Despite the extensive applicability of HE, the current con-
structions are sometimes considered as impractical due to its inefficiency. In this paper, we propose improve-
ments on the linear transformation in bootstrapping, a technique allowing the infinite number of operation
for HE, and homomorphic discrete Fourier transformation (DFT) using batch homomorphic encryption.
We observe that the multiplication of a sparse diagonal matrix and ciphertext of a vector can be done within
O(1) homomorphic computations. This observation induces the faster algorithm for linear transformation
in bootstrapping and homomorphic DFT. To achieve this, we use Cooley-Tukey matrix factorization and
construct a new recursive factorization of the linear transformation
√ in bootstrapping. Our method with radix r
only requires O(r logr n) constant vector multiplication and O( r logr n) rotations by consuming O(logr n)
depth when the input vector size is n. The previous method used in the library, √ a library that implements
homomorphic encryption for approximate computation, requires O(n) and O( n), respectively. To show the
performance improvement, we implement our method on top of the library. Our implementation, along with
further few techniques, of these algorithms show the significant improvements compared to the previous
algorithm. New homomorphic DFT with length 214 only takes about 8s which results 150 times faster than
the previous method. Furthermore, the bootstrapping takes about 2 minutes for C32768 plaintext space with
8-bit precision, which takes 26 hours with same bit precision using the previous method.

INDEX TERMS Cryptography, data privacy, encryption, public key.

I. INTRODUCTION
Homomorphic encryption (HE) is an encryption scheme
which allows computation of ciphertexts without decryption.
The decryption of this resulting ciphertext matches to the
value as if the operations had been performed on plaintexts.
If the HE supports arbitrary operations, it is called as fully
homomorphic encryption (FHE). FHE has a plenty of appli-
cations for data processing when it requires security of data.
In particular, FHE can directly initiates a secure cloud sys-
tem; the cloud cannot obtain any information of ciphertexts
encrypted by FHE while it still supports any computation data
provider wants.
The associate editor coordinating the review of this manuscript and
approving it for publication was Giacomo Verticale.
The first FHE was suggested by Gentry [1]. After then,
following Gentry’s blueprint, various schemes and techniques
have been suggested for efficient FHE schemes [2]–[6].
One of the most important techniques for FHE is to
encrypt multiple messages in one ciphertext, called packing.
Homomorphic operation between packed ciphertexts or sin-
gle instruction multiple data (SIMD) allows the entry-wise
operation of packed ciphertexts.
Because a large number of messages can be encrypted in
single ciphertext as a vector, applying linear transformations
on packed ciphertext is an important task for homomor-
phic encryption. For this reason, many studies have been
done to improve the efficiency of general linear transforma-
tions [7], [8]. However, while the discrete Fourier transform
(DFT) and linear transformations in bootstrapping have in

2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 7, 2019 Personal use is also permitted, but republication/redistribution requires IEEE permission. 57361
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

common a special structure that has been overlooked. There
is a previous work about using structure of Benes permutation
network which has similar structure with DFT [9]. However,
no previous study has exploited this structure for linear trans-
formation on packed ciphertext.
Bootstrapping, the only known way to refresh the noise
in the ciphertext without decryption, is crucial in evaluating
large depth circuit or unlimited number of operations. Linear
transformations which convert between coefficient and slot
representations serve as a central role in the bootstrapping
procedure. When the number of slots is large, homomorphic
evaluation of the linear transformation becomes a bottleneck
for the performance of bootstrapping. For this reason, our
goal is to build an improved method for homomorphic evalu-
ation of these two linear transformations.
The DFT is a widely used tool in various fields; digital data
processing, data compression, partial differential equations,
etc. For example, it is often used to remove noise sound with
small frequency. However, in many applications, the DFT is
applied to the private data such as face, voice, and bioinfor-
mation data. Therefore, homomorphic evaluation of DFT is
necessary for data processing with privacy preserving.
A. OUR RESULTS
In this paper, we study the fast linear transformations for
special structured matrices. First, we propose a new way to
evaluate discrete Fourier transformation for a given packed
ciphertext. Our method only needs O(log n) number of
homomorphic
√ operations while the previous method requires
O( n) rotations and O(n) constant vector multiplications for
n the length of input vector.
We factorize the DFT matrix into log2 n sparse block
diagonal matrices using the Cooley-Tukey factorization with
radix 2. We observe that each factor has only three diagonal
vectors, and each r consecutive multiplication of those factors
has (2r − 1) diagonal vectors. Therefore, homomorphic DFT
evaluation is converted to logr n number of homomorphic
matrix multiplications for matrix with (2r − 1) diagonal
vectors for an arbitrary integer r dividing n.
From SIMD operation of HE schemes, evaluating matri-
ces with√d diagonal vector in encrypted state can be done
with O( d) homomorphic rotations and d homomorphic
constant vector multiplications using the baby-step algo-
rithm. So,√we obtain a homomorphic DFT algorithm which
needs O( r log n) number of homomorphic rotations and
O(r log n) number of homomorphic constant vector multipli-
cations with O(logr n) constant vector multiplication depth.
In addition, we can obtain a trade-off between depth and
complexity by adjusting r.
Second, we apply the same matrix decomposition strat-
egy into sparse diagonal matrices to improve the linear
transformations in bootstrapping for HEAAN. We decom-
pose corresponding matrices recursively, similarly to the
Cooley-Tukey algorithm. As a result we obtain the same
improvement
√ in the linear transformations in bootstrapping:
O( r log n) homomorphic rotations and O(r log n) homo-
57362
K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping
morphic constant vector multiplications with O(logr n) con-
stant vector multiplication depth for plaintext vector length n.
We also implement our method using the approximate
homomorphic encryption library [10] to show the improve-
ments. Our implementation shows that the homomorphic
DFT with length 213 only takes about 8 seconds when r = 2.
This results shows a more than 150× performance improve-
ment compared to previous works on homomorphic DFT
(or FFT) [11]–[13]. On the other hand, the bootstrapping
procedure for HEAAN using our linear transformation algo-
rithm only takes 2 minutes for C32768 plaintext space with
8-bit precision. This result yields an amortized rate per bits
of 0.45ms, less than one millisecond. The previous algorithm
takes 26 hours in the same setting, which is only realistic for
a small number of slots.
B. RELATED WORKS
Due to the importance of DFT (or FFT), there are several
works that perform DFT on encrypted domains. In [9], they
proposed algorithm to evaluate Benes permutation network
on encrypted state. Note that this permutation has same data
flow with FFT algorithm. In [14], [15], the authors present
works on homomorphic FFT using the Paillier encryption
algorithm. In [12], [13], the authors used homomorphic
encryption library named HElib with different encoding
method for real (or complex) messages. In [11], the authors
implemented homomorphic evaluation of multiple FFTs
using approximate homomorphic encryption scheme.
All of those previous works encrypt each element of
input vector in different ciphertext. For this reason, the pre-
vious algorithms require as least O(n log n) ciphertext and
homomorphic operations, which worsens performance on
the DFT and on bootstrapping. If they put several messages
in one ciphertext using packing, these works can achieve
O(log n) homomorphic operation complexity only in amor-
tized sense [11].
Homomorphic encryption schemes with packed message
use the linear transformations in bootstrapping, which con-
vert the slots of messages and coefficients of polynomial.
For this linear transformation part, a general linear transfor-
mation method which is called the baby-step giant-step √ is
usually used [7], [16], [17]. This method needs O( n) key-
switchings for the length of plaintext vector n. Especially,
when the underlying ring is the (tensor) product of two rings,
the linear transformation in bootstrapping can be decomposed
into transformations in each factor ring. In this case, the num-
√ √
ber of key-switching is O( n1 + n2 ) where the factor rings
are of dimension n1 , n2 .
C. ROAD MAP
In Section II, we define the standard notations and briefly
introduce the approximate homomorphic encryption scheme.
We figure out that the structure of linear transformation in
bootstrapping with the structure of DFT. For this reason,
we will explain about DFT first which is more convenient for
explanation. We then introduce homomorphic DFT algorithm
VOLUME 7, 2019
K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

including previous approach in Section III. We apply our subsection gives scheme description and function definition
new method in bootstrapping for approximate homomorphic for HEAAN scheme (for more information about this scheme
encryption in Section IV. Each sections includes implemen- refer to [11], [17]).
tation results of homomorphic DFT and bootstrapping. Let R = Z[X ]/(X N + 1) and Rq = Zq [X ]/(X N + 1) for
ciphertext modulus q and power of two N . For the given σ >
II. PRELIMINARY 0, DG(σ 2 ) denotes distribution on R that each coefficient
In this section, we will define notations and introduce discrete follows discrete Gaussian distribution over Z with standard
Fourier transformation and HEAAN scheme briefly. deviation σ . For this given h > 0, HWT (h) denotes a
uniform distribution on a set of R with signed binary {±1}
A. NOTATIONS coefficients and hamming weight exactly h. For a real 0 ≤
Column vectors are written by bold and lower case letters ρ ≤ 1, ZO(ρ) denotes a distribution on R such that each
and matrices are written by bold and upper case letters. The coefficients is +1 with probability ρ/2, −1 with probability
entries of bold face is denoted as Ev = (v0 , v1 , · · · , vn−1 )T ρ/2, and 0 with probability 1 − ρ.
and M = (Mi,j )1≤i,j≤n . We sometimes take modular n for • KeyGen(1λ )
indices of vector or matrices, and omit the transpose operator - Let qi = pi for i = 1, . . . , L. Using the given
T . The entry-wise multiplication of two vectors Ev1 and Ev2 is the security parameter λ, we choose a power-of-two
denoted by Ev1 Ev2 which is called Hadamard multiplication. integer N , an integer h, an integer P > qL , and a real
For the given vector Ev with length n, diagi (Ev) is n by n matrix number σ > 0 to achieve λ-bit security level.
M such that Mj,j+i = vj for 0 ≤ j < n and all other entries - Sample s(x) ← HWT (h), a(x) ← U (RqL ) and
are zero. We will omit the index i of diag when i = 0. On e(x) ← DG(σ 2 ). Set the secret key sk = (1, s(x))
the other hand, for n by n matrix M, diagi (M) denotes a and the public key for encryption as pkenc ←
length n vector (M0,i , M1,1+i , · · · , Mn−1,n−1+i ). roti (Ev) is left (b(x), a(x)) ∈ R2qL where b(x) ← −a(x) · s(x) +
shifted vector with index i, this means that the result vector w E e(x) ∈ RqL
is (vi , vi+1 , . . . , vi−1 ). When the index i is negative, it means
• KeySwitchGen(s0 (x), sk)
right shifting with index −i.
We sometimes use the special order of indices called bit- - Sample a0 (x) ← U (RP·qL ) and e0 ← DG(σ 2 ). Set
reversal order. It is defined by ordering the indices in increas- the public key for key switching as (b0 (x), a0 (x)) ∈
ing order of the reverse of binary representations that are RP·qL where b0 (x) = −a0 (x)·s(x)+e0 (x)+P·s0 (x) ∈
padded so that each of these binary representation has the RP·qL .
same length. For example, bit-reversal order of the given - The method for encoding can be understood as
array (a0 , a1 , a2 , a3 ) is (a0 , a2 , a1 , a3 ) (because bit-reversed negacyclic DFT and the group Z× M is generated by 5
index is follows: (00(2) , 10(2) , 01(2) , 11(2) ) = (0, 2, 1, 3)). and 2 for M = 2N (see [17]). For this reason, three
public keys for homomorphic multiplication and
B. DISCRETE FOURIER TRANSFORMS rotation and conjugation are generated as follows:
The discrete Fourier transform (DFT) is a linear transforma- pkmult = KeySwitchGen(s2 (x), sk),
tion DFTn : Cn → Cn which maps a vector xE = (x1 , · · · , xn ) idx
into another vector Ey = (y1 , · · · , yn ) where pkidx
rot = KeySwitchGen(s(x
5
), sk),
n−1 pkconj = KeySwitchGen(s(x 2 ), sk).
X
ym = xk · wkm
n • Encode(m)
E
k=0
- Let
for wn = e2πi/n . The inverse of discrete
P Fourier−km transform  
iDFTn has a similar form as xm = 1 n n−1 y · w , which 1 w0 w20 ··· w0N −1
k=0 k n
1 w1 w21 ··· w1N −1
 
also can be expressed by DFTn as iDFTn = DFTn (Ex )/n (here 
 ..
U = .. .. .. .. 
division and xE means element-wise division and conjugation). . . . . .


−1
This algorithm is known to be computed in O(n log n) opera- 1 wN /2−1 w2N /2−1 ··· wN
N /2−1
tions using so-called fast Fourier transform (FFT).
i
for wi = w5 and w =Pexp (2π i/M ) for M = 2N .
C. APPROXIMATE HOMOMORPHIC ENCRYPTION N −1 i E =
- Output f (x) = i=0 fi X such that f
In our paper, we will focus on the DFT on complex 1 T T
(fi )0≤i<N = N (U · m E + U · m). E
field. For this reason, we need homomorphic encryption
• Decode(f (x))
for complex arithmetic. At 2017, homomorphic encryp-
tion scheme for approximate number arithmetic is pro- - Output P E = U · fE such that fE = (fi )0≤i<N for
m
−1
posed by Cheon et al. [11] which is called HEAAN. The f (x) = N i
i=0 fi X .
plaintext structure of this scheme is CN /2 for polynomial • Encrypt(m E ∈ CN /2 , pk , pkenc )
ring dimension N , and it is suitable for our purpose. This - Let m(x) = Encode(m). E

VOLUME 7, 2019 57363


- For pkenc = (b(x), a(x)), output c = (bpk · m(x)e +
v(x) · b(x) + e1 (x), v(x) · a(x) + e2 (x)) for v(x) ←
ZO(ρ) and e1 (x), e2 (x) ← DG(σ 2 ).
• Decrypt(c, pk , sk)
- For c = (b(x), a(x)) ∈ R2qi , compute
h(b(x), a(x), ski = M (x) ∈ Rqi .
- Output m E = Decode(M (x)/pk ∈ R[X ]/(X N + 1)).
• Add(c1 , c2 )
- For c1 = (b1 (x), a1 (x)) ∈ R2qi and c2 =
(b2 (x), a2 (x)) ∈ R2qi , output c3 = (b1 (x) +
b2 (x), a1 (x) + a2 (x)) ∈ R2qi .
• CMult(m E ∈ CN /2 , c, pk )
- Let m(x) = Encode(m). E there is no specialized algorithm for homomorphic DFT.
- For c = (b(x), a(x)) ∈ R2qi , output c0 = (m0 (x) ·
b(x), m0 (x) · a(x)) ∈ R2qi for m0 (x) = bpk · m(x)e.
• Mult(c1 , c2 , pkmult )
- For c1 = (b1 (x), a1 (x)) ∈ R2qi and c2 = (b2 (x),
a2 (x)) ∈ R2qi , compute (d0 (x), d1 (x), d3 (x)) =
(b1 (x) · b2 (x), b1 (x) · a2 (x) + b2 (x) · a1 (x), a1 (x) ·
a2 (x)) ∈ R3qi .
- For pkmult = (B(x), A(x)) ∈ RP·qi , output c3 =
(d0 (x) + bP−1 · d2 (x) · B(x)e, d1 (x) + bP−1 · d2 (x) ·
A(x)e) ∈ R2qi (here d2 (x) · A(x) and d2 (x) · B(x) are
operations in RP·qi ).
• LeftRotate(c, idx, pkrot )
- For c = (b(x), a(x)) ∈ Rqi , compute c0 =
idx idx
(b0 (x), a0 (x)) = (b(x 5 ), a(x 5 )).
idx
- For pkrot = (B(x), A(x)) ∈ RP·qi , output c00 =
(bP−1 ·b0 (x)·B(x)e, a0 (x)+bP−1 ·b0 (x)·A(x)e) ∈ R2qi
(here b0 (x) · A(x) and b0 (x) · B(x) are operations in
RP·qi ).
• Conj(c, pkconj )
- For c = (b(x), a(x)) ∈ Rqi , compute c0 =
(b0 (x), a0 (x)) = (b(x 2 ), a(x 2 )).
- For pkconj = (B(x), A(x)) ∈ RP·qi , output c00 =
(bP−1 ·b0 (x)·B(x)e, a0 (x)+bP−1 ·b0 (x)·A(x)e) ∈ R2qi
(here b0 (x) · A(x) and b0 (x) · B(x) are operations in
RP·qi ).
• Rescale(c, pk )
- For c = (b(x), a(x)) ∈ R2qi , output (bp−k ·
b(x)e, bp−k · a(x)e) ∈ R2qi−k .
Note that we need to multiply pk to convert real polynomial
to integer polynomial. For this reason, we also need to do
Rescale after homomorphic multiplication between constant
vector and encrypted vector. Each Rescale consumes one
level, so we will regard that CMult as depth 1 computation
in our paper. Furthermore, right rotation in encrypted state
is obtained from left rotation, we just need to use index
(N /2 − idx).
III. HOMOMORPHIC DISCRETE FOURIER TRANSFORMS
In this section, we briefly review the previous approach
to evaluate DFT with homomorphic encryption (HE) and
57364
K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping
describe our new homomorphic DFT algorithm. We propose
new homomorphic DFT algorithm and also hybrid algorithm
that combines our new method with previous approach.
A. PREVIOUS APPROACH
In [7], they proposed faster linear transformation (' NTT) for
bootstrapping when the input size of φ(m) (here m is prod-
uct of co-prime integers mi ). They understand one variable
polynomial ring as multivariate with special basis which is
called powerful basis. This approach shows that DFT with
dimension m can be split to several number of DFT with mi
for co-prime mi s.
On the other hand, in the case of power of prime dimension,
Previously known approaches apply a general homomorphic
linear transform with DFT matrix to the ciphertext [11], [16].
We review the key ideas of these approaches. HE schemes
support Hadamard multiplication and rotation for the plain-
text vector. The following equation shows a representation
of matrix-vector multiplication via Hadamard multiplications
and rotations.
n
X
M · Ev = diagi (M) roti (Ev)
i=0
X` Xk
= diagki+j (M) rotki+j (Ev)
i=0 j=0
 
` k
X X
= rotki  rot−ki (diagki+j (M)) rotj (Ev)
i=0 j=0
The first line gives a simple way to compute homomorphic
matrix-vector multiplication which requires O(n) rotations
and Hadamard multiplications. Based on the third line of
the equation, we can achieve an algorithm so-called baby-
step
√giant-step (BSGS) to matrix-vector multiplication with
O( n) rotations of ciphertexts.
B. OUR METHOD
Now we will introduce our method for fast homomorphic
DFT. In this section, we will mainly consider DFT with bit-
reversed output DFTNR and its inverse (the letter NR stands for
normal to reversal). In addition, we will describe the method
to extend our method to input bit-reversed case and its inverse
in the last part of this section. We focus on the power-of-
two dimension case while our method can be generalized
to other power of prime dimensions, because power-of-two
cases are appropriate to our applications and, moreover, easy
to describe.
The starting point of our method is to observe that the
multiplication between matrix and encrypted vector can be
much faster when the matrix only has the small number of
non-zero {diagi (M)}0≤i<n . Bit-reversed order DFT matrix
can be decomposed to sparse matrices, and this property is
used to fasten the discrete Fourier transform. Our observation
VOLUME 7, 2019
K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

is that those sparse matrices have small number of non-zero Algorithm 1 Homomorphic DFTNR Algorithm
{diagi (·)}0≤i<n (exactly two or three non-zero vectors). Require: Ciphertext ctxt such that Dec(ctxt, sk) = m
E ∈
Cn
1) THE DFT MATRIX FACTORIZATION for all 1 ≤ i ≤ log2 n do
Let DFTNRn be a matrix coressponding to the DFT algorithm
(n)
ctxt0 ← CMult(diag0 (D2i ), ctxt)
with input length n with bit-reversed output. See equation (1), ctxt1 ← LeftRotate(ctxt, n/2i )
as shown at the top of the next page, that the matrix rep- ctxt2 ← RightRotate(ctxt, n/2i )
resentation of recursive FFT Cooley-Tukey algorithm [18] (n)
ctxt1 ← CMult(diagn/2i (D2i ), ctxt1 )
n/2−1
where the matrix W n/2 = diag(1, ωn , ωn2 , · · · , ωn ) and (n)
ctxt2 ← CMult(diagn−n/2i (D2i ), ctxt2 )
ωn = e 2πi/n .
ctxt ← Add(ctxt0 , ctxt1 )
If we adapt this equation repeatedly, we can decompose
ctxt ← Add(ctxt, ctxt2 )
the DFT matrix DFTNR n to log2 n number of matrices. See
end for
equation (2), as shown at the top of the next page, illustrates
the specific form of matrices in the recursive formula which
has k/2 number diagonal blocks. The recursive equation
above implies In each loop of the Algorithm 1, there are two homomor-
(n) (n)
phic rotations and three homomorphic constant vector multi-
DFTNR
n = Dn · Dn/2 · · · · · D2 .
(n)
(3) plications. Furthermore, left rotation by n/2 and right rotation
Remark 1: As noted above, decomposing DFT matrices by n/2 is same. For this reason, we do not need to compute
into sparse diagonal matrices is possible for other power- right and left rotations for i = 1 case. This will reduce
of-prime cases and this induces a fast homomorphic DFT one homomorphic rotation. As a result, our algorithm needs
algorithm for power-of-prime dimension. This fact can be (2 log2 n − 1) number of homomorphic rotation and (3 log2 n)
obtained by using general Cooley-Tukey algorithm. number of homomorphic constant vector multiplications.

2) HOMOMORPHIC DFT 3) TRADE-OFF BETWEEN DEPTH AND COMPLEXITY

We recall the representation of matrix and vector multiplica- While our method is fairly efficient with respect to the num-
tion via Hadamard multiplication and vector shifting: ber of operations, the required depth with respect to constant
n
multiplication is also increased by O(log2 n). In this respect,
X we adapt additional parameter r which is called radix to gen-
M · Ev = diagi (M) roti (Ev).
eralize our method. Our generalized method gives trade-off
i=0
between the number of steps and complexity of homomorphic
The matrix-vector multiplication algorithm based on this DFT.
form is especially efficient for the matrix M with only small Assume that log2 n is even and recall the matrix decompo-
number of non-zero diagonal vector. Namely, diagi (M) is a sition of DFT matrix:
non-zero vector only for small number of i’s. We call this
(n) (n) (n) (n) (n)
matrix by sparse-diagonal matrix. For sparse diagonal matrix DFTNR (n)
n = Dn · Dn/2 · Dn/4 · · · D8 · D4 · D2
M, we don’t need to compute roti (Ev) for those i’s satisfying (n) (n) (n) (n) (n)
diagi (M) = 0.E Therefore, the required number of shifting in = (D(n)
n · Dn/2 ) · (Dn/4 · Dn/8 ) · · · (D4 · D2 ).
naive approach is at most the number of non-zero diagonal This equation give a factorization of DFT matrix into log4 n
vectors that the matrix M has. number of matrices of the form
(n)
Lemma 1: diagk (D2i ) is nonzero only for k = 0, ±n/2i .
Proof: See Equation (2).  (n;4) (n) (n)
Di = (D22i · D22i−1 ) for 1 ≤ i ≤ log4 n.
(n)
From Lemma 1, multiplication between matrix D2i and
vector Ev can be represented as follows: We also can define similar term for r = 2k by
(n) (n) (n;r) (n) (n) (n)
D2i · Ev = diag0 (D2i ) Ev Dj = Dr j · Dr j /2 · · · · · Dr j−1 ·2
(n)
+ diagn/2i (D2i ) rotn/2i (Ev)
for 1 ≤ j ≤ logr n and k| log2 n. This factorization allows
(n)
+ diagn−n/2i (D2i ) rot−n/2i (Ev). us to compute DFT in a new way. To analyse the efficiency,
we observe some properties of these matrices.
Therefore, DFTNR · Ev can be computed recursively as Lemma 2: The multiplication of i-th diagonal matrix and
Qlog2 n (n)
i=1 D2i · Ev, where each multiplication can be done with j-th diagonal matrix is i + j-th diagonal matrix. More pre-
O(1) number of Hadamard multiplication and shifting. The cisely, the following equation holds
overall number of operations is O(log n) homomorphic shift-
ings and Hadamard multiplications with constant plaintext E = diagi+j (Ea
diagi (Ea) · diagj (b) E
roti (b)).
vectors. The Algorithm 1 shows our homomorphic DFT algo-
rithm in detail with notations in Section II-C. Proof: Trivial. 

VOLUME 7, 2019 57365

 K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

" # 
DFTNR E

n/2 0 I n/2 I n/2
h i
DFTNR = DFTNR DFTNR DFTNR · W n/2 − DFTNR · W n/2 = · (1)
0E DFTNR
n n/2 n/2 n/2 n/2 W n/2 − W n/2
n/2
  
I n/k I n/k
 W n/k −W n/k 0 ··· 0 
   
 I n/k I n/k 
 0 ··· 0 
Dk
(n)
=
 W n/k −W n/k  ∈ Cn×n .

(2)
.. .. .. .
.
. . . .
 
 
  
 I n/k I n/k 
0 0 0
W n/k −W n/k

 
1 −1
kX k2
Lemma 3: Let Dk be a multiplication of k consecutive X
matrices in Equation 3: = rotlk2 i  rot−lb2 i (m
E ik2 +j ) rot`j (Ev)
i=0 j=1
(n) (n) (n)
Dk = D2s+k · D2s+k−1 · · · · · D2s+1 .
where m E i = diag`i (M) and k1 k2 = t.
Then at most 2k+1 − 1 diagonals of D is nonzero vector.
In this BSGS method we can obtain a matrix multiplication
Further, the indices of nonzero diagonals form arithmetic
M · Ev by O(k1 + k2 ) rotations and O(t) constant multipli-
progression.
cations. We remark that we can vary the choice of k1 and
Proof: Lemma 2 clearly holds. To show Lemma 3,
(n) (n) (n) k2 by increasing t and add zero diagonals.√ For this reason,
we decompose D2t into diag−n/2t (D2t ) + diag0 (D2t ) +
(n)
we can say that the hybrid method needs O( t) homomorphic
diagn/2t (D2t ) as in Lemma 1. By Lemma 2, the index of Dk rotations and O(t) number of homomorphic constant vector
that is non-zero is of the form multiplications. The Table 1 shows comparison our methods
n n n with other techniques.
es+1 · s+1 + es+2 · s+2 + · · · + es+t · s+t ,
2 2 2
where ei ∈ {−1, 0, 1} for s + 1 ≤ i ≤ s + t. These indices are TABLE 1. Comparison: homomorphic operation number and depth
multiple s+t , and the absolute value of it is bounded by consume for homomorphic DFT.
Ps+t of n/2 j t s+t .
j=s+1 n/2 = (2 − 1)n/2 
According to Lemma 3, the number of nonzero diagonal of
(n;r)
Dj is 2 r − 1 for j > 1 and r for j = 1. Thus the required
number of homomorphic multiplication and slot shifting to
(n;r)
compute multiplication of encryption of Ev and Dj is less
than 2 r − 1 = O(r) for radix r, respectively. By recursively
(n;r)
multiplying Dj to Ev, we obtain a new algorithm to compute
Remark 2: Another advantage of our method is that it
homomorphic DFT which requires O(r logr n) homomor-
highly reduces the size of public key for
√ operations. While
phic rotations and constant vector multiplications while has
the previous BSGS method requires O( n) rotation key, our
O(logr n) depth. Overall, we obtain depth-efficiency trade-off
method only needs O(r logr n) number of rotation key.
using larger radix. We note that we assumed that the used
radix is a divisor of log2 n, but this condition can be removed
by considering dynamic radices for each recursive step. D. EXTENSION TO INVERSE AND DIFFERENT ORDERS
1) HOMOMORPHIC INVERSE DFT
C. HYBRID METHOD Now we describe the computation of inverse DFT (iDFT) in
An interesting observation in Lemma 3 is that the indices homomorphic way. Note that our homomorphic DFT algo-
of Dj
(n;r)
forms an arithmetic progression. We call this prop- rithm computes the bit-reversal DFT values, so we should
erty regular. Here we show that this property yield a hybrid compute iDFT from the bit-reversal order input to regular
method of our homomorphic DFT algorithm and baby- order output. The matrix representation of iDFT with bit-
step giant-step (BSGS) algorithm. To do this, we apply reversal order is
a BSGS matrix-vector multiplication method for sparse  −1
diagonal matrix M with arithmetic progression indices as iDFTRN
n := DFT NR
n
follows:
(n) −1
 
(n)
t 1 −1 X
kX k2 = D(n)
n · Dn/2 · · · · · D2
X
Ei
m rot`i (v) = E ik2 +j
m rot`·(ik2 +j) (Ev) 
(n) −1
 
(n) −1
  −1
i=1 i=0 j=1
= D2 · D4 · · · · · D(n)
n .

57366 VOLUME 7, 2019

K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

These matrices are decomposed into the certain form of repository [19] (see HEAAN/app/homomorphic_dft
matrices with useful property as follows: folder).
 −1   The following HEAAN parameter setting is what we used
I n/k I n/k 1 I n/k W n/k
= . in the experiment for our homomorphic DFT algorithm.
W n/k −W n/k 2 I n/k −W n/k
• qL = 2440 : the largest ciphertext modulus.
In other words, for the divisor 2i of n, the equation • N = 215 : the dimension of polynomial ring R.
1 (n) T • 1 = pk = 230 : scaling factor which is used to make
(n) −1
 
D2 i = D2 i integer polynomial in encryption and constant vector
2
multiplication both.
(n)
holds. This equation implies that diagk ((D2k )−1 ) is nonzero • σ = 3.2, ρ = 0.5, and h = 64: distribution related
only for two or three k’s as in Lemma 1. Therefore iDFTRN n
parameters.
matrix can also be decomposed into sparse diagonal matrices Note that the expected security of this parameter setting is
as DFTNR
n , and it induces the fast homomorphic iDFT algo- about 128 bit following the LWEestimator [20].
rithm. We remark that we also obtain a useful equation The Figure 1 shows timing results for various setting.
1 T In case of the first one, radix varies from 2 to 16 with the
iDFTRN
n = nDFTNR
n . fixed dimension of input vector 212 . In case of the second
one, dimension varies from 26 to 212 with the fixed radix 4.
2) DFTRN
n AND iDFT
NR

Let R is the bit-reversal permutation matrix. We know that

(n)
DFT RN
n = R · DFT NR 2
n · R and R = I . If we use D̃2i =
(n) (n)
R · D2i · R instead of D2i , we can get an matrix factorization
of DFT RNn :
(n) (n) (n) (n) (n) (n)
DFT RN
n = D̃n · D̃n/2 · D̃n/4 · · · D̃8 · D̃4 · D̃2 .

In addition, we can use same technique as Section III-D.1 to

obtain matrix factorization of iDFT RN
n . For that, we prove that
(n) (n)
this matrices D̃2i has same structure with Dn/2i .
 
(n)
Lemma 4: diagk R · D2i · R is nonzero only for k =
0, ±2i .
Proof: First, we know that (i,
j)-th element of R · M · R
is a n by n matrix is mrev(i),rev(j) . And, Following equation
hold:
rev(i + 2k ) = rev(i) + rev(2k ) if k-th bit of i is 0.
(n)
The equation 2 shows that the nonzero term of D2i is in
(k, k) or (k, k ± n/2i ) ,and elements with index (k, k ± n/2i )
for bk/(n/2i )c = 0 mod 2 are zero. This means that we only
need to consider elements with index (k, k) and (k 0 , k 0 ±n/2i )
for (log2 n − i)-th bit of k 0 is 0. For all k 0 that satisfies the
condition, R(k 0 ± n/2i ) = R(k 0 ) ± R(n/2i ) = R(k 0 ) ± 2i . 
(n)
Above Lemma shows that D̃2i also has three diagonals
(n)
diagk (D̃2i ) for k = 0, ±2i . For this reason, our method can
be applied to those linear transformations.

E. IMPLEMENTATION
We implemented our DFT algorithm using HEAAN
library [10]. HEAAN library supports batch encod-
ings, or encoding for vectors, for complex plaintext space
thus it is suitable for our target; discret Fourier transform.
All of experiments in this paper are done at the PC having
32 number of Intel(R) Xeon(R) CPU E5-2620 v4 2.10 GHz FIGURE 1. Implementation results for our homomorphic DFT algorithm.
CPU (each CPU has 8 cores) and 64GB RAM. We used multi- (a) Timming results for various radix setting with dimension n = 212 .
threding with 8 number of threads. Our code is in github (b) Timming results for various dimension setting with radix r = 4.

VOLUME 7, 2019 57367

 K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

T
By the effect of baby-step giant-step method, the left one Note that i · U 0 = U 1 and U −1 2
0 = N · U 0 hold. Using this,
of the Figure 1 shows that timing does not increase a lot when we can obtain that
we increase the radix. And, the right figure shows that timing 1  T 
increase linearly to logarithm of the dimension n. Therefore, Evk = U k · Ez + U Tk · Ez for k = 0, 1.
N
we can get a homomorphic DFT algorithm which is signifi-
This equation corresponds to CoeffToSlot map.
cantly faster and similar depth consume. In our experiment,
we compare the result with DFT on un-encrypted vector.
B. IMPROVED LINEAR TRANSFORMATION IN
We use average of |ai − bi | for all 0 ≤ i < n as difference
E The difference between BOOTSTRAPPING
between two length n vector aE and b.
We now describe a modified linear transforms for bootstrap-
DFT on encrypted and un-encrypted state in our experiment
ping. We mainly focus on how to decompose the matrix U
is 2−9 to 2−10 . We can reduce this difference by using larger
into sparse diagonal matrices. To obtain this, the bit-reversal
1 = pk .
permutation matrix R works a central role in this method.
There are a few previous implementation results about
Note that the order of the slots after CoeffToSlot does not
homomorphic DFT. In [12], there homomorphic DFT takes
play any role in the bootstrapping. For this reason, we replace
about 22 minutes for n = 213 with 8-bit precision. In [11],
U k to V k which is row permuted by R:
it takes about 22 minutes with same length. But these works
focus on amortized time by put each element of the input V k = U k · R for k = 0, 1.
vector in different ciphertext. We note that our results shows
about 200 times faster than previous one. As in U, the relation V 1 = i · V 0 holds. For this reason,
we focus on the matrix decomposition of V 0 using recursive
relation; this induces the decomposition of V 1 . Let revn (i)
IV. IMPROVED BOOTSTRAPPING FOR APPROXIMATE HE
denotes bit-reversal permutation of i with size n.
In this section, we explain about linear transformations  i
5 ·rev (j)
in bootstrapping for approximate homomorphic encryption Lemma 5: Let St = ω4t t . Then, V 0 = SN /2
0≤i,j<t
scheme. And, we give an improved transformation algorithms and following equation holds:
for such linear transform using our homomorphic DFT which 
I Wt
 
S 0

provides an improved bootstrapping procedure for approxi- St = · t/2
I −W t 0 St/2
mate homomorphic encryption.
5)i
for W t = diag(ω4t 0≤i<t .
A. LINEAR TRANSFORMATION IN BOOTSTRAPPING Proof: V 0 = SN /2 is clear by definition. Let’s start the
The bootstrapping procedure for approximate homomorphic proof with the following claim. Here v2 (a) is the maximal
encryption in [17] can be divided as following steps: integer k such that 2k is a divisor of integer a.
Claim: v2 (5e − 1) = v2 (e) + 2 holds for a positive integer e.
1. Put polynomial coefficients in plaintext slots, Proof: This claim can be proven using the mathematical
2. Evaluate exponent function, induction on v2 (e). 
3. Extract Imaginary part, To prove the recursive formula, it suffices to show the
4, Switch back to the coefficient representation. following equation:
The transformations in the first and the last step are 
S W t · St/2

called CoeffToSlot and SlotToCoeff respectively. In [17], St = t/2
St/2 −W t · St/2 .
the authors use the index i of slots corresponding to 5k
k 5i ·rev (j)
(mod 2N ) for 0 ≤ k ≤ N /2 by considering w52N as in Let St = (si,j )0≤i,j<t , i.e. si,j = ω4t n . The following
Encode map. To transform coefficients of polynomial rep- equations show the above equation. Note that 4t is a power
resentation of plaintext into slots, we should construct two of two integer.
encodings since there are only N /2 slots while the number of 1) si,j = si+t/2,j for all i and for 0 ≤ j < t/2: this is
coefficients is N . equivalent to 4t|(5(i+t/2) · revt (j) − 5i · revt (j)). By the
Let t(x) = t0 + t1 x + · · · tN −1 x N −1 be a polynomial rep- claim v2 (5t/2 − 1) = v2 (t/2) + 2 = v2 (2t) holds and
resentation of encoding with messages Ez = (z0 , · · · , zN /2−1 ) revt (j) is even for j < t/2. Combining this we obtain
in slots, and let Ev = (t0 , · · · , tN −1 ) = (Ev0 , Ev1 ) be its vec- the desired result is induced.
tor representation. Suppose that U be the encoding matrix 2) si,j = −si+N /2,j for all i and for t/2 ≤ j < t: as
defined in Section 2.2 and parsed into [U 0 |U 1 ] for N /2 by in the above, it is equivalent to v2 (5(i+t/2) · revt (j) −
N /2 matrices U k ’s. Then the following equation holds by 5i · revt (j)) = v2 (2t). It is showed by v2 (5t/2 − 1) =
definition of encoding map, which yields the SlotToCoeff v2 (t/2) + 2 = v2 (2t) and revt (j) is odd for j ≥ t/2.
map, 5i for all i and 0 ≤ j < t/2: this is
3) si,j+N /2 = si,j · ω4t
clear by definition of revt .
 
Ev If we combine these cases, we can easily show that the
Ez = U · 0 = U 0 · Ev0 + U 1 · Ev1 .
Ev1 recursive relation of S holds. 

57368 VOLUME 7, 2019

K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

  
I n/k W n/k
 I n/k 0 ··· 0
 −W n/k  


 I n/k W n/k 
 0 ··· 0 
Ek
(n)
=
 I n/k −W n/k  ∈ Cn×n .

(4)
.. .. .. ..
. . . .
 
 
  
 I n/k W n/k 
0 0 0
I n/k −W n/k

By adapting Lemma 5 repeatedly, we can decompose V 0 (with recently release version v2.1). The PC infor-
to log2 (N /2) number of matrices as in Equation 3. The matrix mation is same as the previous implementation in
in Equation (4), as shown at the top of this page illustrates the Section III-E. Our code is in github repository [19] (see
specific form of matrices in the recursive formula. Note that HEAAN/app/improved_bootstrapping folder).
(N /2)
Ek has k/2 number diagonal blocks. Lemma 5 implies • q0 = 241 : the smallest ciphertext modulus (before boot-
(N /2) (N /2) (N /2) (N /2) strapping).
V 0 = E2 · E4 · E8 · · · EN /2 . • qL = 21240 : the largest ciphertext modulus.
These factor matrices have exactly the same structure with • N = 216 : the dimension of polynomial ring R.
(n)
Dk for n = N /2, so we can apply our method in previous • 1 = pk = 231 : scaling factor which is used to make
section (from radix to hybrid method). Furthermore, we can integer polynomial in encryption and constant vector
also multiply the inverse of V 0 in encrypted state, as in the multiplication both.
same way to the inverse DFT matrix case. • σ = 3.2, ρ = 0.5, and h = 64: distribution related
Now we will describe two linear transformations, parameters.
CoeffToSlot and SlotToCoeff, using V 0 , V −1 • T = 7 which is the number of iteration in sin evaluation.
0 and its conju-
gations. As we noted above, V 1 = i · V 0 and further V −1 k =
The Table 2 shows implementation result of bootstrapping
2 T using our linear transformation and previous method. To
N kV hold as in the case of U for k = 0, 1. Therefore,
maximize the effect of our method, we used number of slots
CoeffToSlot with bit-reversed result and SlotToCoeff with
as the largest one (= N /2).
bit-reversed input are computed as follows for Etk = R · vk for
k = 0, 1:
TABLE 2. Timing of Bootstrapping with comparison for C32768 plaintext
1  −1 
lClEt0 = V 0 · Ez + V −1 0 · E
z , space. Here amortized time means that bootstrapping time per one
complex element. Both works gives about 2−7 additive error while
2
bootstrapping.
1  
Et1 = − i V −1 0 · E
z − V −1
0 · E
z ,
2
Ez = V 0 · (Et0 + i · Et1 ).

1) OPTIMIZATION.
We can further improve the efficiency of the bootstrapping
in light of hoisting, i.e. by computing the common part
first or last. More precisely, for CoeffToSlot, compute V −1
0 ·E z
first and compute other parts using conjugation. Therefore, Et0
√
and Et1 can be computed from Ez in 2 r logr (N /2) homomor-
phic operations for the radix r. For SlotToCoeff, we compute
(Et√
0 + i · Et1 ) first and multiply V 0 . This also needs only
2 r logr (N /2) number of homomorphic operations.
Remark 3: Our technique can be applied for bootstrap-
ping of (n/2)-sparsely packed ciphertext in [17]. The plain-
text space of sparse packed ciphertext is Z[Y ]/(Y n + 1) for
Y = X N /n . So, we just need to replace ω2N to ω2n .
C. IMPLEMENTATION
Use one of the parameter sets which is in the previous
work [17] for easier comparison. And, we run the
previous method which is implemented in HEAAN
library [10] in the same machine for fare comparison
The timing results for linear transformation time shows
about 700 times faster result than previous one. We use
radix 32 which means each linear transformation consumes
3 (= log32 215 ) constant vector multiplication depth. As a
result, the modulus of the return ciphertext is 468 bits which
means 14 depth computation can be done after bootstrapping.
In the previous method, the modulus of the return ciphertext
is 632 bits which means 19 depth computation can be done
after bootstrapping.
Another advantage of our method is key generation time.
Key generation includes public key generation for various
rotations and pre-encodings for diagonal vectors. In the previ-
ous method, they need to encode for N /2(= 32768) number
of constant vectors for each
√ linear transformation. The num-
of rotation key is 2 N /2 which is quite large compare
ber √
to 2 r logr N /2 in our case. In the experiment, this problem
makes their key generation time slower and the size of pre-

VOLUME 7, 2019 57369

 K. Han et al.: Improved Homomorphic DFT and FHE Bootstrapping

encoded vector and public keys to be huge. Previous method
need 800GB to save them and 7GB for ours.
V. CONCLUSION
In this paper, we presented improved homomorphic linear
transformations for DFT and bootstrapping. Our algorithm
takes
√ O(r logr n) homomorphic constant multiplications and
O( r logr n) homomorphic rotations for radix r with input
vector size n (message vector size in the case of boot- √
strapping). Previously, the complexity was O(n) and O( n)
respectively. As a result, our implementation shows huge
improvement in timing. Homomorphic DFT with length 214
only takes about 8 seconds which is 150 times faster than
previous one. In the case of bootstrapping, the timing reduced
from 26 hours to 2 minutes.
Since this is the first work that makes use of the structure
of linear transformation, we plan to extend our method for
more wide range of linear transformations. We also hope that
our technique can be exploited in several areas such as signal
processing to protect the privacy.
[17] J. H. Cheon, K. Han, A. Kim, M. Kim, and Y. Song, ‘‘Bootstrapping for
approximate homomorphic encryption,’’ in Proc. Annu. Int. Conf. Theory
Appl. Cryptograph. Techn. Springer, 2018, pp. 360–384.
[18] J. W. Cooley and J. W. Tukey, ‘‘An algorithm for the machine calculation
of complex Fourier series,’’ Math. Comput., vol. 19, no. 90, pp. 297–301,
1965.
[19] K. Han. (2019). Faster Homomorphic DFT and Improved FHE Bootstrap-
ping. [Online]. Available: https://github.com/HanKyoohyung/ImprovedLT
[20] M. R. Albrecht, R. Player, and S. Scott, ‘‘On the concrete hardness of
learning with errors,’’ J. Math. Cryptol., vol. 9, no. 3, pp. 169–203, 2015.
KYOOHYUNG HAN received the B.S. and
Ph.D. degrees in mathematical sciences from
Seoul National University, Seoul, South Korea,
in 2013 and 2019, respectively, where he is
currently a Postdoctoral Researcher. His current
research interests include homomorphic encryp-
tion, application of homomorphic encryption, and
bootstrapping techniques.

REFERENCES
[1] C. Gentry, ‘‘Fully homomorphic encryption using ideal lattices,’’
in Proc. STOC, vol. 9, 2009, pp. 169–178.
[2] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, ‘‘(Leveled) fully homo-
morphic encryption without bootstrapping,’’ in Proc. 3rd Innov. Theor.
Comput. Sci. Conf., 2012, pp. 309–325.
[3] J. Fan and F. Vercauteren, ‘‘Somewhat practical fully homomorphic
encryption,’’ Cryptol. ePrint Arch., Tech. Rep. 2012/144, 2012.
[4] Z. Brakerski, ‘‘Fully homomorphic encryption without modulus switching
MINKI HHAN received the B.S. degree from
from classical GapSVP,’’ in Proc. CRYPTO, 2012, pp. 868–886.
the Department of Mathematical Science, Seoul
[5] L. Ducas and D. Micciancio, ‘‘FHEW: Bootstrapping homomorphic
National University, in 2016, where he is currently
encryption in less than a second,’’ in Proc. Adv. Cryptol.—EUROCRYPT.
Springer, 2015, pp. 617–640. pursuing the Ph.D. degree, under the supervision
[6] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, ‘‘Faster fully of Prof. J. H. Cheon. His main research interests
homomorphic encryption: Bootstrapping in less than 0.1 seconds,’’ in Proc. are about the theoretical aspects of cryptography
22nd Int. Conf. Theory Appl. Cryptol. Inf. Secur. (ASIACRYPT), Hanoi, including graded encoding schemes, obfuscations,
Vietnam: Springer, Dec. 2016, pp. 3–33. and functional encryptions.
[7] S. Halevi and V. Shoup, ‘‘Bootstrapping for HElib,’’ in Advances in
Cryptology—EUROCRYPT. Springer, 2015, pp. 641–670.
[8] S. Halevi and V. Shoup, ‘‘Faster homomorphic linear transformations in
HElib,’’ Cryptol. ePrint Arch., Tech. Rep. 2018/244, 2018.
[9] C. Gentry, S. Halevi, and N. P. Smart, ‘‘Fully homomorphic encryption
with polylog overhead,’’ in Proc. Annu. Int. Conf. Theory Appl. Crypto-
graph. Techn. Springer, 2012, pp. 465–482.
[10] A. Kim. (2018). HEAAN. [Online]. Available: https://github.com/
kimandrik/HEAAN
[11] J. H. Cheon, A. Kim, M. Kim, and Y. Song, ‘‘Homomorphic encryption JUNG HEE CHEON received the B.S. and Ph.D.
for arithmetic of approximate numbers,’’ in Proc. Int. Conf. Theory Appl.
degrees in mathematics from the Korea Advanced
Cryptol. Inf. Secur. Springer, 2017, pp. 409–437.
Institute of Science and Technology, in 1991 and
[12] A. Costache, N. P. Smart, and S. Vivek, ‘‘Faster homomorphic evaluation of
1997, respectively.
discrete Fourier transforms,’’ in Proc. Int. Conf. Financial Cryptogr. Data
Secur. Springer, 2017, pp. 517–529. Before joining Seoul National University
[13] A. Costache, N. P. Smart, S. Vivek, and A. Waller, ‘‘Fixed-point arithmetic
(SNU), he worked for ETRI, Brown University,
in SHE schemes,’’ in Proc. Int. Conf. Sel. Areas Cryptogr. Springer, 2016, and ICU. He is currently a Professor with the
pp. 401–422. Department of Mathematical Sciences and the
[14] T. Bianchi, A. Piva, and M. Barni, ‘‘Comparison of different FFT imple- Director of the Cryptographic Hard problems
mentations in the encrypted domain,’’ in Proc. 16th Eur. Signal Process. Research Initiatives (CHRI), SNU. His research
Conf., Aug. 2008, pp. 1–5. focuses on computational number theory, cryptology, and their applications
[15] T. Bianchi, A. Piva, and M. Barni, ‘‘On the implementation of the discrete to practical problems.
Fourier transform in the encrypted domain,’’ IEEE Trans. Inf. Forensics Dr. Cheon has served as a Program Committee Member for Crypto,
Security, vol. 4, no. 1, pp. 86–97, Mar. 2009. Eurocrypt, and Asiacrypt. He received the Best Paper Award at Asiacrypt
[16] H. Chen and K. Han, ‘‘Homomorphic lower digits removal and improved 2008 and Eurocrypt 2015. He was the PC Co-Chair of the ANTS-XI and
fhe bootstrapping,’’ in Proc. Annu. Int. Conf. Theory Appl. Cryptograph. Asiacrypt 2015/2016. He is an Associate Editor of the DCC and JCN.
Techn. Springer, 2018, pp. 315–337.

57370 VOLUME 7, 2019