Ideal Lattice-based Fully Homomorphic Encryption

Updated 12 February 2026
  • Ideal Lattice-based FHE is a cryptographic scheme that uses ideal lattices in polynomial quotient rings to support secure, unbounded computations over encrypted data.
  • Recent advancements recast bootstrapping as an algebraic projection, reducing multiplicative depth and enhancing practical efficiency.
  • Techniques like CRT decomposition and algebraic folding effectively manage noise while ensuring post-quantum security and scalability.

Ideal Lattice-based Fully Homomorphic Encryption (FHE) encompasses a family of algebraic and algorithmic methodologies that leverage the structure of ideal lattices in polynomial quotient rings to enable secure, unbounded computation on encrypted data. This paradigm is foundational to modern cryptographic schemes aiming for post-quantum security and practical efficiency in privacy-preserving computation. Recent advances introduce both geometric and ring-theoretic frameworks, refining the efficiency, asymptotics, and fundamental round complexity of key FHE operations such as bootstrapping, homomorphic multiplication, and ciphertext refreshing.

1. Algebraic Foundations: Ideal Lattices in Cyclotomic and General Polynomial Rings

Let $R = \mathbb{Z}[x]/(\phi(x))$, where $\phi(x)$ is an irreducible polynomial (often cyclotomic, e.g., $\Phi_N(x)$), and let $q$ denote a modulus parameter. The ring quotient $R_q = \mathbb{Z}_q[x]/(\Phi_N(x))$ is the standard domain for ciphertexts in many FHE schemes.

An ideal lattice is an ideal $I \subset R$, interpreted as a $\mathbb{Z}$-module (lattice in $\mathbb{Z}^n$), closed under the ring (convolution) product. Each such ideal admits a basis (e.g., Hermite Normal Form or CRT representation), which is critical for both security reductions and practical arithmetic. In cyclotomic contexts, $R_q$ supports highly efficient algorithms via the Number Theoretic Transform (NTT) and CRT decompositions.
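The CRT/NTT decomposition of $R_q$ mentioned above, as an added example (not code from the cited papers): for the power-of-two cyclotomic $x^n + 1$ with $q \equiv 1 \pmod{2n}$, reducing modulo each linear factor turns ring multiplication into slot-wise multiplication. The parameters $n = 4$, $q = 17$, $\psi = 2$ and all function names are constructed for illustration and are far too small for security.

```python
# Constructed toy parameters: n = 4, q = 17, with q = 1 (mod 2n),
# so x^n + 1 splits into n linear factors modulo q.
Q, N = 17, 4
PSI = 2                      # primitive 2n-th root of unity mod q: 2^4 = 16 = -1
ROOTS = [pow(PSI, 2 * i + 1, Q) for i in range(N)]   # the n roots of x^n + 1

def negacyclic_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^n + 1), using x^n = -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < N else -1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % Q
    return out

def to_crt(a):
    """CRT map: reduce a(x) modulo each factor (x - r), i.e. evaluate at r."""
    return [sum(c * pow(r, k, Q) for k, c in enumerate(a)) % Q for r in ROOTS]

def from_crt(vals):
    """Inverse CRT: a_k = n^{-1} * sum_i vals[i] * r_i^{-k} (mod q)."""
    n_inv = pow(N, -1, Q)
    return [n_inv * sum(v * pow(r, -k, Q) for v, r in zip(vals, ROOTS)) % Q
            for k in range(N)]

def crt_mul(a, b):
    """Multiply via CRT slots: transform, multiply slot-wise, transform back."""
    return from_crt([x * y % Q for x, y in zip(to_crt(a), to_crt(b))])

if __name__ == "__main__":
    a, b = [1, 2, 3, 4], [5, 6, 7, 8]   # constructed sample polynomials
    print(crt_mul(a, b), negacyclic_mul(a, b))
```
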

2. Modeling Ciphertext Spaces and Noise Structure

The ciphertext space is modeled algebraically as the spectrum of the coordinate ring, $X_{ct} = \operatorname{Spec}(R_q)$, with ciphertexts as elements (or pairs) in $R_q$. Within this space, two distinguished loci are defined:

  • Decryptable Subscheme $Z_{dec}$: Given noise-boundary polynomials $\mathcal{F}_\mathcal{P}$, the noise ideal $I_{noise} = \langle \mathcal{F}_\mathcal{P} \rangle \subset R_q$ denotes conditions under which decryption succeeds; its vanishing locus $Z_{dec} = \operatorname{Spec}(R_q/I_{noise})$ captures all decryptable ciphertexts.
  • Fresh Subscheme $Z_{fresh}$: To enforce statistical indistinguishability from fresh encryptions, additional moment polynomials are imposed, generating the fresh ideal $I_{fresh}$. The fresh subscheme $Z_{fresh} = \operatorname{Spec}(R_q/I_{fresh})$ is strictly contained in $Z_{dec}$ and models the minimal-noise ciphertexts (Zhao, 29 Sep 2025).

3. Bootstrapping as Geometric Projection: The Morphism Paradigm

Traditional FHE bootstrapping evaluates a decryption circuit homomorphically, incurring cost proportional to the decryption circuit's multiplicative depth $L_{dec}$. The “Bootstrapping as a Morphism” approach reframes bootstrapping as a direct geometric projection (morphism) from the decryptable locus to the fresh locus:

  • Algebraic Morphism: The surjection $\pi_{alg}: R_{dec} = R_q/I_{noise} \to R_{fresh} = R_q/I_{fresh}$ arises from the ideal containment $I_{noise} \subset I_{fresh}$.
  • Geometric Morphism: Functoriality of Spec yields the corresponding morphism of schemes, $\pi_{geom}: Z_{fresh} \to Z_{dec}$, which algebraically “refreshes” any decryptable ciphertext into its nearest fresh representative (Zhao, 29 Sep 2025).

The geometric viewpoint eliminates circuit evaluation in favor of a direct algebraic operation, bypassing the dependency on $L_{dec}$.

4. Closest Vector Problem (CVP) on Ideal Lattices: Computational Core

Bootstrapping reduces to solving a structured CVP instance:

$$c' = \underset{v \in \Lambda(I_{fresh})}{\operatorname{argmin}} \|c - v\|_2,$$

where $\Lambda(I_{fresh})$ is the ideal lattice associated to $I_{fresh}$ under the canonical embedding. The unique closest lattice vector $v$ corresponds precisely to the projection required by the bootstrapping morphism, ensuring all algebraic constraints for freshness are satisfied (Zhao, 29 Sep 2025).

5. Efficient Algorithms: Algebraic Folding and CRT Decomposition

The intractability of CVP in high dimensions is circumvented via an “algebraic folding” algorithm that exploits the CRT decomposition afforded by the cyclotomic structure:

  • CRT Factorization: The polynomial $\Phi_N(x)$ is factored modulo a carefully chosen set of small primes $\{p_t\}$, yielding subproblems of bounded dimension ($\ell = O(\log^c q)$).
  • Parallel Low-dimensional CVP: For each prime, the CVP is solved in the corresponding low-dimensional component using LLL and Babai’s nearest-plane, both efficient for such dimensions.
  • CRT Recombination: The partial solutions are recombined via the inverse CRT (computable in $O(d\log d)$), producing the bootstrapped ciphertext (Zhao, 29 Sep 2025).

The overall complexity of algebraic folding is $O(d\,\mathrm{polylog}(q))$, fully eliminating any dependence on $L_{dec}$. The setup phase (e.g., generating ideal and moment polynomials) is amortized and negligible over multiple bootstrapping operations.
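The low-dimensional CVP step named above can be illustrated with Babai's nearest-plane algorithm; this is an added example, not code from the cited papers, and it leaves out the LLL reduction and the CRT folding around it. The basis and target are constructed, and the `certified` flag (an addition here) is set when the residual is shorter than half the shortest Gram-Schmidt vector, which proves the output is the unique closest lattice vector rather than only an approximation.

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(x) * Fraction(y) for x, y in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt orthogonalisation of the rows of B (no normalisation)."""
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for u in Bs:
            mu = dot(b, u) / dot(u, u)
            v = [vi - mu * ui for vi, ui in zip(v, u)]
        Bs.append(v)
    return Bs

def babai_nearest_plane(B, t):
    """Return (lattice vector, integer coefficients, certified_exact)."""
    Bs = gram_schmidt(B)
    r = [Fraction(x) for x in t]          # running residual t - (partial sum)
    coeffs = [0] * len(B)
    for i in reversed(range(len(B))):
        # Pick the translate of the hyperplane span(b_0..b_{i-1}) nearest to r.
        c = round(dot(r, Bs[i]) / dot(Bs[i], Bs[i]))
        coeffs[i] = c
        r = [ri - c * bi for ri, bi in zip(r, B[i])]
    v = [int(ti - ri) for ti, ri in zip(t, r)]
    # lambda_1 >= min ||b_i*||, so ||t - v|| < min ||b_i*|| / 2 proves that
    # v is the unique closest lattice vector; otherwise v is only approximate.
    certified = 4 * dot(r, r) < min(dot(u, u) for u in Bs)
    return v, coeffs, certified

# Constructed sample: a nearly orthogonal 3-dimensional basis (rows) and a
# target close to the lattice point b_0 + b_1 + b_2.
BASIS = [[7, 1, 0], [1, 8, 1], [0, 2, 9]]
TARGET = [10, 12, 8]

if __name__ == "__main__":
    print(babai_nearest_plane(BASIS, TARGET))
```

When `certified` is false the returned vector is still a lattice point, but its distance to the target is only bounded by the quality of the basis, which is why a reduction step such as LLL precedes nearest-plane.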

6. Noise-free and Unbounded FHE: CRT-based Ideal Lattice Schemes

An alternate approach, exemplified by the Zheng–Liu–Tian construction, achieves unbounded and noise-free FHE via CRT over ideal lattices (Zheng et al., 2023):

  • Key Generation: Public keys consist of CRT coefficients $\{A_i\}$ selected with respect to a set of pairwise coprime ideal lattices $\{I_i\}$. The secret key is the set of corresponding HNF bases.
  • Encryption: Messages are mapped to standard representatives of $\mathbb{Z}_{t_i}$ and lifted to $\mathbb{Z}^n$ via a “coordinate-zero” embedding. Ciphertexts are produced as CRT-reductions.
  • Decryption: Decoding involves reduction modulo the secret lattice bases, extracting plaintexts from prescribed coordinates of standard representatives.
  • Evaluation: Addition and multiplication exploit the ring structure and CRT, with decryption operating as a ring homomorphism. Crucially, ciphertext noise does not increase with homomorphic evaluation, and there is no need for bootstrapping (Zheng et al., 2023).

Security is based on the inhomogeneous SIS problem over ideal lattices, which admits standard worst-case to average-case reductions.

7. Security, Parameterization, and Practical Implications

Parameter selection involves choosing cyclotomic order $N$ (e.g., so $\varphi(N) = d \approx 2^k$), modulus $q$, and statistical moment order $k$. Security reduction is to the decisional Ring-LWE problem in the geometric approach (Zhao, 29 Sep 2025) and the SIS-type lattice problem in the CRT scheme (Zheng et al., 2023).

Performance comparisons highlight the elimination of bootstrapping’s previous bottlenecks:

| Scheme/Method | Bootstrapping Complexity | Noise Growth | Security Basis |
|---|---|---|---|
| BFV/BGV/CKKS (traditional) | $O(L_{dec}\,d\log d)$ | Yes | Ring-LWE |
| Geometric/CVP (arithmetic geometry) | $O(d\,\mathrm{polylog}(q))$ | Controlled via moments | Ring-LWE |
| CRT-based, unbounded (ZLT) | Not required (noise-free) | No | Ideal lattice SIS |

The geometric-CVP paradigm enables FHE bootstrapping in quasi-linear time in $d$, with all deep circuit evaluation replaced by structured lattice projection. CRT-based ideal lattice FHE achieves truly unbounded computation without bootstrapping or noise management.

A plausible implication is that these approaches suggest a new design paradigm for practical FHE, decoupling computational cost from circuit depth and leveraging ideal lattice structure for both security and efficiency (Zhao, 29 Sep 2025, Zheng et al., 2023).
